Honeypots mailing list archives
honeyd with arpd
From: "Stacy Olivas" <olivas () digiflux org>
Date: Sun, 27 Oct 2002 23:59:14 +0100
One more thing:
I also tried the arpd program that was suggested on the honeyd homepage,
but it would only print:
arpd[12457]: listening on fxp0: arp and not ether src 00:ff:ff:ff:ff:ff
and then exit...
So, I took a look at the source and found that honeyd uses the same
routines as arpd receiving data, but with a few minor medications for
the -P polling mode option. So, I patched my arpd.c file and came up
with these changes that make arpd work like honeyd in polling mode (use
-P like with honeyd):
patch follows:
------------------
*** arpd.c Mon Apr 15 17:42:34 2002
--- arpd.c.new Sun Oct 27 23:53:11 2002
***************
*** 3,8 ****
--- 3,11 ----
*
* Copyright (c) 2001, 2002 Dug Song <dugsong () monkey org>
* Copyright (c) 2002 Niels Provos <provos () citi umich edu>
+ *
+ * Modified by Stacy Olivas (olivas () eurisko ws/olivas () digiflux org) on
27 Oct 2002
+ * - Added -P option for polling mode
*
* $Id: arpd.c,v 1.15 2002/04/15 15:42:34 dugsong Exp $
*/
***************
*** 30,35 ****
--- 33,40 ----
#include <dnet.h>
#include "tree.h"
+ //#define ARPD_POLL_INTERVAL {0, 10}
+ #define ARPD_POLL_INTERVAL {0, 10000}
#define ARPD_MAX_ACTIVE 600
#define ARPD_MAX_INACTIVE 300
***************
*** 66,76 ****
static eth_t *arpd_eth;
static struct intf_entry arpd_ifent;
static int arpd_sig;
static void
usage(void)
{
! fprintf(stderr, "Usage: arpd [-d] [-i interface] [net]\n");
exit(1);
}
--- 71,84 ----
static eth_t *arpd_eth;
static struct intf_entry arpd_ifent;
static int arpd_sig;
+ static int arpd_dopoll;
+
+ //struct timeval tv;
static void
usage(void)
{
! fprintf(stderr, "Usage: arpd [-d] [-P] [-i interface] [net]\n");
exit(1);
}
***************
*** 327,337 ****
static void
arpd_recv(int fd, short type, void *ev)
{
! event_add((struct event *)ev, NULL);
if (pcap_dispatch(arpd_pcap, -1, arpd_recv_cb, NULL) < 0)
syslog(LOG_ERR, "pcap_dispatch: %s",
pcap_geterr(arpd_pcap));
}
void
terminate_handler(int sig)
--- 335,356 ----
static void
arpd_recv(int fd, short type, void *ev)
{
! if (!arpd_dopoll)
! event_add((struct event *)ev, NULL);
if (pcap_dispatch(arpd_pcap, -1, arpd_recv_cb, NULL) < 0)
syslog(LOG_ERR, "pcap_dispatch: %s",
pcap_geterr(arpd_pcap));
}
+
+ static void
+ arpd_poll_recv(int fd, short type, void *ev)
+ {
+ struct timeval tv = ARPD_POLL_INTERVAL;
+
+ timeout_add(ev, &tv);
+
+ arpd_recv(fd, type, ev);
+ }
void
terminate_handler(int sig)
***************
*** 363,370 ****
dev = NULL;
debug = 0;
! while ((c = getopt(argc, argv, "di:h?")) != -1) {
switch (c) {
case 'd':
debug = 1;
break;
--- 382,392 ----
dev = NULL;
debug = 0;
! while ((c = getopt(argc, argv, "Pdi:h?")) != -1) {
switch (c) {
+ case 'P':
+ arpd_dopoll = 1;
+ break;
case 'd':
debug = 1;
break;
***************
*** 403,413 ****
chmod(PIDFILE, 0644);
event_init();
!
! event_set(&recv_ev, pcap_fileno(arpd_pcap), EV_READ,
! arpd_recv, &recv_ev);
! event_add(&recv_ev, NULL);
!
/* Setup signal handler */
if (signal(SIGINT, terminate_handler) == SIG_ERR) {
perror("signal");
--- 425,442 ----
chmod(PIDFILE, 0644);
event_init();
!
! if (!arpd_dopoll) {
! event_set(&recv_ev, pcap_fileno(arpd_pcap), EV_READ,
! arpd_recv, &recv_ev);
! event_add(&recv_ev, NULL);
! } else {
! struct timeval tv = ARPD_POLL_INTERVAL;
! syslog(LOG_INFO, "switching to polling mode");
! timeout_set(&recv_ev, arpd_poll_recv, &recv_ev);
! timeout_add(&recv_ev,&tv);
! }
!
/* Setup signal handler */
if (signal(SIGINT, terminate_handler) == SIG_ERR) {
perror("signal");
----------------- end of patch ----
You mileage may vary with this patch. I make no guarantees that it will
work, but it seems to on my system.
Enjoy!
-Stacy (olivas () digiflux org)
-----Original Message-----
From: Stacy Olivas [mailto:olivas () digiflux org]
Sent: Sunday, October 27, 2002 9:22 PM
To: mike () honeynet org; 'Alan Neville'
Cc: honeypots () securityfocus com
Subject: RE: honeyd
I had the same problem at first on my FreeBSD system. You need to turn
on polling mode with the -P switch.
Then it works.
Hope this helps
-Stacy (olivas () digiflux org)
-----Original Message-----
From: mike () honeynet org [mailto:mike () honeynet org]
Sent: Sunday, October 27, 2002 2:19 AM
To: Alan Neville
Cc: honeypots () securityfocus com
Subject: Re: honeyd
The answer to one of your questions is on the honeyd page...
"If your kqueue implementation does not support bpf file descriptors,
define the environment variable EVENT_NOKQUEUE to yes"
Not sure about the token, try removing any new lines at the end.
Mike
On Sat, 26 Oct 2002, Alan Neville wrote:
Hello: When running honeyd on my FreeBSD 4.5 system, with the following
syntax:
honeyd -d -p nmap.prints -f config.sample -i fxp0 I seem to get some strange errors which don't seem to be covered
within the
FAQ (http://www.citi.umich.edu/u/provos/honeyd/faq.html). The
following
lines are the errors produced when attempting to start honeyd as root. config.sample:11 illegal token config.sample:11 syntax error honeyd[7255]: listening on fxp0: (tcp or icmp or udp_ and not ether
src
00:a0:c 9:ad:af:07 honeyd[7255]: Kqueue does not recognize bpf filedescriptor. Oct 26 22:41:31 charlie honeyd[7255]: Kqueue does not recognize bpf filedescriptor. The following is a copy of my config.sample file: # Example of a simple host template and its binding annotate "AIX 4.0 - 4.2" fragment old create template set template personality "AIX 4.0 - 4.2" add template tcp port 80 "sh scripts/webd.sh" add template tcp port 22 "sh scripts/test.sh $ipsrc $dport" add template tcp port 21 proxy $ipsrc:23 set template default tcp action reset bind 192.168.1.4 template Any ideas? -Alan
Current thread:
- interesting article mike (Oct 24)
- honeyd Alan Neville (Oct 26)
- Re: honeyd mike (Oct 26)
- RE: honeyd Stacy Olivas (Oct 27)
- honeyd with arpd Stacy Olivas (Oct 27)
- Re: honeyd mike (Oct 26)
- honeyd Alan Neville (Oct 26)