Honeypots mailing list archives

Honeyd responds with a ttl of 0??


From: "Compton, Rich" <RCompton () chartercom com>
Date: Fri, 21 Feb 2003 11:16:45 -0600

Hello, 
I'm trying to set up a honeypot using honeyd and when I enable my config
file, all traffic that responds from the honey pot never gets back to
the host because all traffic from the honeypot IP has a ttl of 0.  Has
anyone run into this problem before?
 
Thanks,
Rich Compton
 
------------------------------------------------------------------------
 
Here is how I start honeyd (I've removed the IP from the configs)
 
/usr/local/bin/honeyd -l /var/log/honeyd -p /etc/honeyd/win2k.print -f /etc/honeyd/honeyd.conf x.x.x.x
 
 
and my honeyd.conf file looks like this:
================================================================
annotate "Windows 2000 server SP2" fragment old
create template
set template personality "Windows 2000 server SP2"
add template tcp port 21 "sh /etc/honeyd/scripts/ftp.sh $ipsrc $sport"
add template tcp port 22 "sh /etc/honeyd/scripts/test.sh $ipsrc $dport"
add template tcp port 23 "perl /etc/honeyd/scripts/router-telnet.pl $ipsrc $dport"
add template tcp port 25 "sh /etc/honeyd/scripts/smtp.sh $ipsrc $sport"
add template tcp port 53 "sh /etc/honeyd/scripts/test.sh $ipsrc $dport"
add template tcp port 80 "perl /etc/honeyd/scripts/iisemulator-0.95/iisemul8.pl"
add template tcp port 110 "sh /etc/honeyd/scripts/test.sh $ipsrc $sport"
add template tcp port 443 "sh /etc/honeyd/scripts/web.sh"
set template default tcp action reset
set template uid 32767 gid 32767
 
bind x.x.x.x template
set x.x.x.x uptime 3133
=================================================================
 
and my win2k.print file is copied from the nmap fingerprint file and
looks like this:
=================================================================
Fingerprint Windows 2000 server SP2
TSeq(Class=RI%gcd=<6%SI=<25224&>22C%IPID=I)
T1(DF=Y%W=5B4|B68%ACK=S++%Flags=AS%Ops=MNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=5B4|B68%ACK=S++%Flags=AS%Ops=MNNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
====================================================================
 
 
Any help would be greatly appreciated!  Also, what is the set template
uid/gid for??  Do I have to have this UID or GID set up already?
 
Thanks,
Rich Compton