Honeypots mailing list archives
RE: Honeyd and exclusion
From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Wed, 29 Sep 2004 08:20:06 -0500
I'd figured that out, but the list gets a bit long as I want honeyd to respond to everything except:

- 224.0.0.0/4 (multicast)
- 169.254.0.0/16 (MS link local stuff when client doesn't get DHCP addr)
- any packet sourced by an address that we don't own

I could theoretically do some large block thingie for the first two, simply defining ranges that don't include those two networks, but I don't see a way to not respond based on source address.

BTW, I finally figured out why my INPUT iptables filters weren't working. PCAP-based apps see the inbound packets before iptables does (i.e. iptables sits higher up on the IP stack than PCAP). That's the same reason why the OUTPUT filters worked, the packets would go through iptables before the PCAP layer on its way out from userland.

Thanks.

Jon

-----Original Message-----
From: Niels Provos [mailto:provos () citi umich edu]
Sent: Tuesday, September 28, 2004 6:02 PM
To: Williams Jon
Cc: honeypots () securityfocus com
Subject: Re: Honeyd and exclusion

On Tue, Sep 28, 2004 at 11:40:16AM -0500, Williams Jon wrote:
> So far, the best I've been able to manage is to use iptables to drop the outbound packets, but that prods honeyd to create syslog messages like "couldn't send packet: Operation not permitted". Is there a configuration in honeyd that I can tell it to do everything _except_ certain networks?

You can provide it with a list of networks that it should reply to. You basically make the exclusion implicit.

Niels.
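
An added example, not part of the original thread: one way to generate the "list of networks that it should reply to" so that the two destination ranges named above are excluded implicitly. The function name and the 0.0.0.0/0 starting range are assumptions; this covers destination ranges only, not the source-address condition.

```python
import ipaddress

# Destination ranges from the message above that should get no reply.
EXCLUDED = ["224.0.0.0/4", "169.254.0.0/16"]


def networks_except(excluded, universe="0.0.0.0/0"):
    """Return the CIDR blocks of `universe` lying outside every network in `excluded`.

    `universe` defaults to all of IPv4 (an assumption); pass your own
    address space to restrict the result to networks you actually route.
    """
    remaining = [ipaddress.ip_network(universe)]
    for ex in map(ipaddress.ip_network, excluded):
        kept = []
        for net in remaining:
            if ex.supernet_of(net):
                # Block is entirely inside the excluded range: drop it.
                continue
            if net.supernet_of(ex):
                # Excluded range is inside this block: split around it.
                kept.extend(net.address_exclude(ex))
            else:
                # No overlap: keep the block unchanged.
                kept.append(net)
        remaining = kept
    # Merge adjacent blocks and return them in address order.
    return sorted(ipaddress.collapse_addresses(remaining))


def covers(networks, address):
    """True if `address` falls inside any of `networks`."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    for net in networks_except(EXCLUDED):
        print(net)
```

For these two exclusions the result is 17 CIDR blocks, which is the "list gets a bit long" problem in concrete form.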