Honeypots mailing list archives
RE: question about honeyd 0.6a (linux)
From: Pascal Charest <praetori () step polymtl ca>
Date: Wed, 24 Sep 2003 11:26:57 -0400 (EDT)
I might be really far from the good answer, but if I were you I would try looking toward the routing table/forwarding rules. There might be a way to either route everything toward your real IP address to your loopback device (127.0.0.1) or to another address on which you could bind a virtual adapter. And it might explain why it might have worked once (change on the route)... Wild guess...

Pascal Charest, Ecole Polytechnique de Montreal

On Tue, 23 Sep 2003, Meidinger Chris wrote:
Hello List, I am new here, so first of all hi.

Now Han, as far as your question, I may be wrong, but I thought that this was not in the functionality of honeyd to listen to its own address. If, for example, I want to trap connections to 22/tcp and also want to administer my machine over ssh, then I have a problem. So I believe that honeyd specifically does not listen for incoming attempts to its real address. If I am wrong, someone correct me please.

Greetings from Germany,
Chris Meidinger

-----Original Message-----
From: Han Xu [mailto:xuhan () cc gatech edu]
Sent: Tuesday, September 23, 2003 6:31 AM
To: oudot
Cc: honeypots () securityfocus com
Subject: Re: question about honeyd 0.6a (linux)

Thanks for your reply. Your questions made me learn something. Anyway, my problem remains unresolved. Let me re-state it in a clearer way:

I ran arpd and honeyd 0.6a on a host which has IP 10.1.1.11. The arpd and honeyd simulate 10.1.1.20-10.1.1.200 (unused IPs on the LAN):

-------------------------
arpd 10.1.1.20-10.1.1.200
honeyd -p nmap.prints -x xprobe2.prints -a nmap.assoc \
    -l /var/log/honeyd 10.1.1.20-10.1.1.200
-------------------------

Now, I tried to telnet 10.1.1.100 from this _same_ host:

$>telnet 10.1.1.100
Trying 10.1.1.100...
telnet: connect to address 100.1.1.100: No route to host

and honeyd didn't log anything into /var/log/honeyd.

So, my question is: is it possible to let honeyd accept such a connection from the hosting machine? (Actually, I believe it succeeded once, but I can't repeat it; I don't know what happened.)

BTW, I am not sure if this list is THE list to ask such questions; if not, would you tell me what place to go?

Thanks,
Han

On Sun, 21 Sep 2003, oudot wrote:

Han Xu wrote:
> Hi,
>
> I installed honeyd 0.6a on a Redhat Linux 7.1. Everything runs
> well except one thing.
>
> I cannot let honeyd capture the communications from the same host.
> The detail is:
> The host IP is 10.1.1.11, Honeyd simulates 10.1.1.1 - 10.1.1.255.
Not exactly related to your problem, but taken from the FAQ of honeyd (http://www.citi.umich.edu/u/provos/honeyd/faq.html):

  Is it possible to run Honeyd on an existing IP address?
  Honeyd normally requires its own IP address space...

> 10.1.1.100 is one of the virtual hosts that don't exist on the LAN.
> When I ran "telnet 10.1.1.100" from another Linux on the same LAN, the
> honeyd captured the request and logged it. But when I ran the same
> thing from the local host (where the honeyd is running), I got "No
> route" and honeyd seems to do nothing with the packet.
>
> I noticed that, by default, arpd and honeyd ignore the src MAC address by
> setting the filter to pcap. So I modified the source code to remove that
> filter.

Hmm, not a natural user :-)

> Now the arpd shows it replies to "10.1.1.100", but nothing more.
>

Have you investigated? I mean, what is the routing table and ARP table of the honeyd host? Have you specific firewall rules (I got strange problems with Linux in the past on such a box)? When you say that arpd replies, you mean that you saw the ARP answers worked properly?

Notice that you can also use arp to put the MAC address in the cache without patching arpd if you want a natural solution (put that in your rc filez, for example), but if you need that for hundreds of hosts, that won't be funny...

Have you tried to tcpdump the interface where honeyd listens (and the lo interface also...) to see where your packets go through?

> Any ideas? Thanks in advance.

I don't have so many ideas, just questions, but if it can help...

laurent oudot
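As an added example (not code from this thread or from the honeyd project), here is a small POSIX sh helper that follows laurent's suggestion of populating the ARP cache by hand for a whole range such as Han's 10.1.1.20-10.1.1.200, instead of patching arpd. It assumes the MAC you want cached is the one arpd answers with (passed in as a parameter) and that the range may cross an octet boundary; the `arp -s` invocation it emits is the standard Linux net-tools form.

```shell
#!/bin/sh
# Added example, not from the thread: expand a honeyd address range into
# static ARP entries on the honeyd host itself, so locally originated
# traffic to the virtual hosts resolves without patching arpd.
# Assumption: the MAC to cache is the one arpd replies with (a parameter here).

# Dotted quad -> integer, so ranges that cross an octet boundary walk correctly.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int2ip() {
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# Print one 'arp -s' command per address in START..END (inclusive).
# Usage: arp_static_cmds 10.1.1.20 10.1.1.200 00:11:22:33:44:55
arp_static_cmds() {
    start=$(ip2int "$1"); end=$(ip2int "$2"); mac=$3
    i=$start
    while [ "$i" -le "$end" ]; do
        echo "arp -s $(int2ip "$i") $mac"
        i=$((i + 1))
    done
}

# DRY_RUN=1 (the default) only prints the commands, e.g. to paste into an
# rc file; DRY_RUN=0 runs them, which needs root.
apply_static_arp() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        arp_static_cmds "$@"
    else
        arp_static_cmds "$@" | sh
    fi
}

# Stand-alone use: ./static_arp.sh START END MAC
if [ "$#" -ge 3 ]; then
    apply_static_arp "$@"
fi
```

After adding the entries, checking `arp -an` and running tcpdump on both the LAN interface and lo (as laurent suggests) shows whether the locally originated telnet now reaches the interface honeyd listens on.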