Honeypots mailing list archives
Anyone running honeyd, arpd, and snort_inline?
From: "Jeffrey B. Murphy" <jbmurphy () gmail com>
Date: Fri, 18 Mar 2005 16:33:23 -0500
I am still trying to figure all this out. I have a Fedora Core 3 box with one NIC (no bridge or anything). I have arpd up and running, and I have honeyd up and running. So how do I add snort_inline into the mix? My understanding about snort_inline is that you use iptables and "jump" the packet to QUEUE. Then snort_inline takes over. But I can't figure out how to get that far. If I have my basic iptables set up to block everything (see below), and traffic destined for my honeypot still gets past my INPUT chain, how can I pass the traffic to snort_inline? Wouldn't I want the traffic from my INPUT chain passed to -j QUEUE?

For example:

    arpd IPAddyOfHoneyPot
    honeyd -d honeyd.conf

honeyd.conf:

    create sticky
    set sticky personality "Microsoft Windows NT 4.0 SP3"
    set sticky default tcp action tarpit open
    set sticky default icmp action open
    bind IPAddyOfHoneyPot sticky

IptablesScript:

    iptables -F
    iptables -X
    # Set Default Policy to drop everything
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

I send a ping from a different SourceMachine to the destination of IPAddyOfHoneyPot. On the source machine I get:

    3 packets transmitted, 0 packets received, 100% packet loss.

On the honeypot I get:

    honeyd[PID]: Sending ICMP Echo Reply: IPAddyOfHoneyPot -> SourceMachine
    honeyd[PID]: couldn't send packet: Operation not permitted

My take on what is going on is that the traffic to arpd is bypassing the INPUT chain and making it to honeyd (I don't understand how). Then the return traffic is not making it back to the SourceMachine because of the OUTPUT rule to DROP (iptables -P OUTPUT DROP).

So my question is, how can I get snort_inline to work if I can control traffic flow to the honeypot (in this case, control being dropping the packet)? Help? Does anyone run arpd, snort_inline and honeyd?

Thanks.
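As an added example, not part of Jeffrey's post, this is the shape the iptables script takes once snort_inline is in the mix: the honeypot address gets a QUEUE rule in the INPUT chain and another in the OUTPUT chain, so the reply honeyd sends is handed to snort_inline for a verdict instead of hitting the DROP policy that the post's "Operation not permitted" error points at. The address 192.0.2.10 stands in for IPAddyOfHoneyPot, the loopback ACCEPT rules and the "apply" argument are my own conventions, and nothing is executed unless "apply" is given, so the rule set can be reviewed first.

```shell
#!/bin/sh
# Constructed example (not from the original post): generate the iptables
# rules that hand honeypot traffic to snort_inline via the QUEUE target.
# 192.0.2.10 is a placeholder for the honeypot address bound in honeyd.conf.
HONEYPOT_IP="${HONEYPOT_IP:-192.0.2.10}"

# Print the rule set for the given honeypot address. Nothing is executed
# here, so the output can be inspected before it is applied as root.
honeypot_rules() {
    hp="$1"
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -d $hp -j QUEUE
iptables -A OUTPUT -s $hp -j QUEUE
EOF
}

# Sanity check: how many rules hand traffic to the queue (expect one per
# direction, so that both the probe and honeyd's reply reach snort_inline).
count_queue_rules() {
    honeypot_rules "$1" | grep -c -- '-j QUEUE'
}

# Apply only when explicitly asked; requires root and the ip_queue module,
# and snort_inline must already be reading from the queue or queued packets
# will not be delivered.
if [ "${1:-}" = "apply" ]; then
    honeypot_rules "$HONEYPOT_IP" | sh -x
fi
```

Without the OUTPUT rule the default DROP policy still applies to honeyd's replies and the symptom in the post does not change; with it, the reply is queued, snort_inline inspects it and returns ACCEPT or DROP, which is the control over traffic flow the post is asking for.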