Honeypots mailing list archives

Re: Unusual problems with honeywall


From: Stephan Holtwisch <shfh () immutec com>
Date: Mon, 27 Mar 2006 05:16:26 +0200

Hi Ivica,

I am pretty much in the same situation as you: I am writing a thesis
about Honeynets as well and also use Roo as a starting point.

The p0f startup script is broken in that it reads two variables instead of
one; however, the process starts nevertheless. So that is more of a cosmetic
issue.

I can't really help you with that other issue, I haven't encountered it yet,
but what strikes me about Roo is its total lack of actually usable
documentation. I mean the User Manual is all nice and dandy, but it
doesn't help at all when you start designing a Honeynet with Roo.
I am not sure what the state of version 2 of Roo is, but that is
definitely a point that needs to be worked on. As it is now, you have to
dig into the scripts yourself to see what the variables are used for,
just to find out that the description in honeywall.conf is misleading at
best and in some cases plain wrong.

For example:

# This Honeywall's public IP address(es)
# [Valid argument: IP address | space delimited IP addresses]
HwHPOT_PUBLIC_IP=10.0.0.20

is very, very bad in multiple respects. First of all, it's not the
"Honeywall's public IP address", since the Honeywall doesn't have any
IP addresses; it's a bridge, and the management interface is treated
separately. If you are clever you may get the actual meaning from the
variable name "HPOT", saying it's the IP address of a honeypot. But even
then you don't know why it is declared at all (I assumed all traffic is
monitored at the internal interface, and after all I defined
HwLAN_IP_RANGE too). If you eventually dig into the scripts you may find
that it has something to do with the dynamic setup of the firewall
rules. The honeywall.conf script also makes the reader believe you could
set up the external bridge interface as a management interface as well,
which is theoretically possible but not so in Roo.

I am very well aware that Roo is not a commercial product, but it defeats
the purpose of aiming to be easy to maintain and install if you have to
check everything yourself to get it working correctly. Personally I
think it might be wise to clean up the basic documentation of the
fundamentals first before designing a neat HTML interface that, at the
end of the day, is just an editor for honeywall.conf, which is, sadly,
very suboptimal.

Best regards,

Stephan Holtwisch
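The two variables discussed above, HwHPOT_PUBLIC_IP and HwLAN_IP_RANGE, both end up in the generated firewall rules, so a honeypot address that is not inside the declared LAN range is worth catching before Roo builds those rules. The following is an added example, not a script from Roo or from either poster, that reads a honeywall.conf-style file and checks every honeypot address against the range. It assumes HwLAN_IP_RANGE holds a single CIDR block and that HwHPOT_PUBLIC_IP is space-delimited, as the comment quoted above states; the configuration fragment it runs on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Roo's own code): sanity-check that every honeypot
# address listed in HwHPOT_PUBLIC_IP lies inside HwLAN_IP_RANGE.
# Assumption: HwLAN_IP_RANGE is one CIDR block, e.g. 10.0.0.0/24.

# ip_to_int A.B.C.D -> 32-bit integer, using only POSIX parameter expansion
ip_to_int() {
    _ip=$1
    _o1=${_ip%%.*}; _ip=${_ip#*.}
    _o2=${_ip%%.*}; _ip=${_ip#*.}
    _o3=${_ip%%.*}; _o4=${_ip#*.}
    echo $(( (_o1 << 24) | (_o2 << 16) | (_o3 << 8) | _o4 ))
}

# in_range IP CIDR -> exit status 0 if IP is inside CIDR, 1 otherwise
in_range() {
    _net=${2%/*}; _bits=${2#*/}
    # netmask as an integer; the & keeps the result within 32 bits
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# conf_get KEY FILE -> value of the first "KEY=value" line; comments ignored
conf_get() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# check_honeypots FILE -> prints one line per honeypot address,
# exit status 1 if any address falls outside HwLAN_IP_RANGE
check_honeypots() {
    _range=$(conf_get HwLAN_IP_RANGE "$1")
    _rc=0
    for _hp in $(conf_get HwHPOT_PUBLIC_IP "$1"); do
        if in_range "$_hp" "$_range"; then
            echo "$_hp inside $_range"
        else
            echo "$_hp OUTSIDE $_range"
            _rc=1
        fi
    done
    return $_rc
}

# Demo on a constructed honeywall.conf fragment (not a real Roo file).
_conf=$(mktemp)
cat > "$_conf" <<'EOF'
# This Honeywall's public IP address(es)
HwHPOT_PUBLIC_IP=10.0.0.20 10.0.0.21
# Assumed: the honeypot LAN as one CIDR block
HwLAN_IP_RANGE=10.0.0.0/24
EOF
check_honeypots "$_conf" || echo "fix honeywall.conf before the firewall rules are generated"
rm -f "$_conf"
```

Run it against the real /etc/honeywall.conf on the Honeywall before rebooting; a non-zero exit status means a honeypot address that the generated rules would never match.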


From: "Ivica Maric" <imaravk () gmail com>
To: honeypots () securityfocus com
Subject: Unusual problems with honeywall

Hi all!

My name is Ivica Maric and I am an undergraduate student of the Faculty of
Electrical Engineering and Computing (www.fer.hr), Zagreb, Croatia. My
diploma thesis is Honeynet and its usage in the real world.
I installed the Honeynet CD (latest roo release) from www.honeynet.org on
one computer. Another computer is the honeypot (Windows 2000). The Honeywall
contains 3 network interfaces, eth0, eth1 and eth2, where eth2 is the management
interface. I have read the Honeywall CDROM online manual, some whitepapers
linked to the honeypot concept, etc.

I have few problems with my configuration:

First problem is with yum update: I update roo-base first (to bypass
bug #423); after that I update the entire honeywall (yum update). After
the system rebooted, the p0f (Passive OS fingerprinting) service is [FAILED]. I
don't know why that happens.

Second problem: When I remove a Snort or Snort_inline rule from the Walleye
interface, Snort and Snort_inline do not work anymore. I get [FAILED]
at boot time.

Third problem: My honeywall monitors not only the honeypot, but also
other computers that are active on the network. I presume that is
not desirable behavior. I properly connected the honeypot, through a switch,
to eth1 (internal interface) and eth0 to the public network.

I appreciate any assistance or advice! Thank you for your time!

Best regards,

Ivica Maric
FER (www.fer.hr)
Zagreb
Croatia

