Honeypots mailing list archives
Honeyd and exclusion
From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Tue, 28 Sep 2004 11:40:16 -0500
I seem to have gotten my head on backwards. I've got a honeyd install (0.8b) that I'm trying to set up as a worm trap. The goal is to have the network cruft be directed to the honeypot and have it reply to nearly everything so the IDS can see actual payloads instead of bare SYNs.

I've got it set up so that it responds to everything, but I'm having problems with the exclusions. For example, since the honeypot's default router points its default route at the honeypot, I don't want the honeypot to reply to anything that was sourced by an unrouted (i.e. not our) address. Also, in its current configuration, it sources packets from 224.0.0.2 in response to the router's HSRP requests. Since sourcing something from a multicast address isn't exactly kosher, I'd like to keep this from happening, too.

So far, the best I've been able to manage is to use iptables to drop the outbound packets, but that prods honeyd to create syslog messages like "couldn't send packet: Operation not permitted".

Is there a configuration in honeyd that I can tell it to do everything _except_ certain networks?

Thanks.
Jon