Honeypots mailing list archives
Re: Help in deciphering config rules..
From: Graeme Connell <gconnell () middlebury edu>
Date: 21 Apr 2004 19:55:13 -0000
In-Reply-To: <Pine.LNX.4.56.0404201319590.8723 () pali cps cmich edu>
Just got interested in honeyd. I found sample config files on www.honeyd.org. I understand the route stuff but have a little problem with info like:

    ...
    add default udp port 53 "./scripts/dnstool.py"
    add default tcp port 25 "scripts/smtp.pl -n <youremailaddresshere>"
    add default tcp port 80 "./scripts/iis5.net/main.pl"
    ...

On first line with add: "./scripts/dnstool.py" -- I assume it is a python script. Where does it come from? Do I have to write one? If so, what goes in there (a sample will help)?

The lines you quoted are ports where honeyd sends incoming data to scripts. Scripts are (I believe) any executable program, although most are just perl, shell, or python scripts. Incoming data is communicated through STDIN, and outgoing data with STDOUT. For example, in a simple shell script, the script

    #!/bin/bash
    # Echo every line received on STDIN back to STDOUT.
    # -r and the quotes keep backslashes and wildcards in the input literal.
    while read -r line
    do
        echo "$line"
    done

will produce output as follows (telnet session established by user "username" from directory "dir"):

    username dir # telnet IPADDR HONEYPORT
    Trying 140.233.205.31...
    Connected to resnet-d-31.middlebury.edu (140.233.205.31).
    Escape character is '^]'.
    this is typed in input
    this is typed in input
    notice how whatever is input is returned
    notice how whatever is input is returned
    that's because every line read is sent back to STDOUT
    that's because every line read is sent back to STDOUT
    ^]
    telnet> close
    Connection closed.
    username dir #

This is the type of input you'd see if IPADDR was part of honeyd and its port HONEYPORT was directed to the simple script above.

To create more complex scripts, for instance scripts that log sessions to files, you can use the variables $ipsrc, $ipdst, $sport, and $dport in the honeyd config file as arguments for your scripts. The syntax to pass the source IP to our simple script on port 23 would be

    add default udp port 23 "./simplescript.sh $ipsrc"

A simple redoing of our script can log output to a file based on the ip source:

    #!/bin/bash
    # $1 is the source IP passed by honeyd; each line is appended to /LOGDIR/<source IP>.
    while read -r line
    do
        echo "$line" >> "/LOGDIR/$1"
    done

This will create and append to a separate filename (the ip address) and record all data passed to port 23 through a session.

Hope this helps,
Graeme Connell
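
A fuller version of the logging script described in the reply, as an added example that is not part of the original post: it validates the source address before using it as a file name, echoes input without shell expansion, and writes timestamped, sanitized log lines. The script name `sessionlog.sh`, the `LOGDIR` environment variable and the `tcp port 23` rule are assumptions for illustration; `$ipsrc` and `$sport` are the honeyd variables named above.

```shell
#!/bin/sh
# Added example: honeyd service script that echoes input and logs it per source.
# Assumed rule: add default tcp port 23 "./sessionlog.sh $ipsrc $sport"
# (sessionlog.sh is a hypothetical name; /LOGDIR is the placeholder from the post).
LOGDIR="${LOGDIR:-/LOGDIR}"

# Accept only a dotted-quad IPv4 address, so the argument can never act as a path.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Echo each line from stdin back to the peer and append it to $LOGDIR/<source IP>.
log_session() {
    src=$1 sport=${2:-0}
    valid_ipv4 "$src" || return 2
    case "$sport" in ''|*[!0-9]*) return 2 ;; esac
    while IFS= read -r line || [ -n "$line" ]; do
        # printf with a quoted variable: no word splitting, no glob expansion.
        printf '%s\n' "$line"
        # Replace non-printable bytes and cap the length before writing the log.
        clean=$(printf '%s' "$line" | tr -c '[:print:]' '?' | cut -c1-512)
        printf '%s %s:%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            "$src" "$sport" "$clean" >> "$LOGDIR/$src"
    done
}

# Runs only when honeyd (or a user) passes arguments.
if [ "$#" -gt 0 ]; then
    log_session "$@"
fi
```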