Honeypots mailing list archives
Re: question about honeyd 0.6a (linux)
From: oudot <oudot () rstack org>
Date: Sun, 21 Sep 2003 23:39:50 +0200
Han Xu wrote:

> Hi,
>
> I installed honeyd 0.6a on a Redhat Linux 7.1. Everything runs
> well except one thing.
>
> I cannot let honeyd to capture the communications from the same host.
> The detail is:
> The host IP is 10.1.1.11, Honeyd simulates 10.1.1.1 - 10.1.1.255.

Not exactly related to your problem but taken from the FAQ of honeyd (http://www.citi.umich.edu/u/provos/honeyd/faq.html):

Is it possible to run Honeyd on an existing IP address? Honeyd normally requires its own IP address space...

> 10.1.1.100 is one of the virtual hosts that don't exist on the LAN.
> When I ran "telnet 10.1.1.100" from another Linux on the same LAN, the
> honeyd captured the request and logged it. But when I ran the
> same thing from the local host (where the honeyd is running), I got "No
> route" and honeyd seems do nothing with the packet.
>
> I noticed that, by default, arpd and honeyd ignore the src MAC address by
> setting the filter to pcap. So I modified the source code to remove that
> filter.

Hmm, not a natural user :-)

> Now the arpd shows it replies to "10.1.1.100", but nothing more.
>

Have you investigated? I mean, what is the routing table and ARP table of the honeyd host? Have you specific firewall rules (I got strange problems with Linux in the past on such a box)? When you say that arpd replies, you mean that you saw the ARP answers worked properly? Notice that you can also use arp to put the MAC address in the cache without patching arpd if you want a natural solution (put that in your rc files for example), but if you need that for hundreds of hosts, that won't be funny...

Have you tried to tcpdump the interface where honeyd listens (and the lo interface also..) to see where your packets go through?

> Any ideas ? Thanks in advance.

I don't have many ideas, just questions, but if it can help..

laurent oudot