Honeypots mailing list archives
Vmware and Hybrid Honeynet
From: Zapatisthack <zapatisthack () yahoo it>
Date: Fri, 14 Apr 2006 09:25:35 +0200 (CEST)
Ok, it's been a few months now that I have been playing around with Roo and honeynet. My set-up is as follows:

Base router is connected to the honeywall through eth2 to the management interface of the hwall; it is also connected to a switch that then goes to eth0. The switch also connects the various *production* machines (there are only 2 :-)

Ok, so far so good: my prod. machines are connected, I see traffic in the logs, and the management interface provides connectivity to the Honeywall itself for updates etc.

Now, eth1 is connected to another switch that then connects to a box running WinXP as host and 2 (sometimes more) VMware guests (both XP at the moment). I have noticed severe erratic behaviour from the connection of the VMware honeypots. Until a couple of weeks ago I was getting a number of exploits/code dropped on the guests pretty regularly. Now I can only see a great amount of UDP traffic toward the gateway (base router) and to the broadcast address as well as 239.255.255.0 ...

The Host machine has an IP not in the range of IPs I specified as honeypots, so it does not have internet connectivity. The VMware boxes are connecting correctly to the internet. I can also see attempts to contact the Host IP, which is what is worrying me.

How can I get traffic to route correctly from the Honeypots (both guests are bridged) to the gateway and log correctly? The purpose here is to collect malware and be able to analyse it. Can someone help me figure out what could be wrong, and whether there are any special considerations to take when running VMware honeypots?

If there are any questions feel free to write :-)

I would really appreciate it.

Thanks,
Pat