Honeypots mailing list archives

Re: honeyd - single ip address


From: Hugo Teso Torío <HugoT () mkzingenieria com>
Date: Tue, 16 Dec 2003 17:33:01 +0100

Hi,
arpd <IP>
honeyd -p nmap.prints -f honeyd.conf <IP>

With the above command, the arpd process will monitor the IP if it's UNUSED;
after that, the honeyd command will set the templates that are in your
honeyd.conf "bound" to that IP; it will also load the nmap.prints that is
the actual database that the scanning tool Nmap uses to fingerprint
operating systems. You can add "-x xprobe2.prints" to load the database for
xprobe. Your honeyd.conf appears to be correct.

Take into account that what honeyd does is redirect all the "calls" for
the range of IPs you used in the arpd to your box and then interact
depending on the template you assigned to that IP (in honeyd.conf with the
"bind <IP>"). You really don't add a new IP address to your box. Arpd is
used for ARP spoofing; this is what actually monitors the unused IP space
and directs attacks to the Honeyd honeypot.

Take a look at "http://www.securityfocus.com/infocus/1659" for more info; if
that doesn't solve your problem, specify your question a little more.

Remember, honeyd doesn't work over used IPs; the FAQ
(http://www.citi.umich.edu/u/provos/honeyd/faq.html) tells you how to use
honeyd without a network.

Best regards

----- Original Message -----
From: "Mario Ohnewald" <mario.ohnewald () linux net>
To: <honeypots () securityfocus com>
Sent: Tuesday, December 16, 2003 4:18 PM
Subject: honeyd - single ip address


Hello!
I want to run honeyd on a host which is only allowed to have ONE IP
address.
So what I am trying to do now is to set up honeyd to listen to that one IP
address and some ports like telnet or IIS.
Is this even possible?

Here is what I did:
# arpd <IP>
# honeyd -f honeyd.conf <IP>

My honeyd.conf file:
-------------------------
### Windows computers (default)
create default
set default personality "Windows NT 4.0 Server SP5-SP6"
set default default tcp action reset
add default tcp port 1110 "sh pop3.sh"
add default tcp port 125 block
add default tcp port 121 "sh ftp.sh"
#add default udp port 139 drop
set default uptime 3284460
### Cisco router
create router
set router personality "Cisco 4500-M running IOS 11.3(6) IP Plus"
add router tcp port 23 "/usr/bin/perl router-telnet.pl"
set router default tcp action reset
set router uid 32767 gid 32767
set router uptime 1327650
# Bind specific templates to specific IP address
# If not bound, default to Windows template
bind <IP> router


Cheers, Mario

_____________________________________________________________
Linux.Net -->Open Source to everyone
Powered by Linare Corporation
http://www.linare.com/
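
The template-to-IP binding discussed in this thread can be checked offline before starting honeyd. The following is an added example, not part of either message and not honeyd's own parser: it handles only the create/set/add/bind forms that appear in the quoted honeyd.conf, and the sample config and the address 192.0.2.10 (standing in for <IP>) are constructed.

```python
import shlex

# Constructed sample modelled on the honeyd.conf quoted in the thread;
# 192.0.2.10 is a documentation address standing in for <IP>.
SAMPLE_CONF = '''
### Windows computers (default)
create default
set default personality "Windows NT 4.0 Server SP5-SP6"
set default default tcp action reset
add default tcp port 1110 "sh pop3.sh"
add default tcp port 125 block
#add default udp port 139 drop
create router
set router personality "Cisco 4500-M running IOS 11.3(6) IP Plus"
add router tcp port 23 "/usr/bin/perl router-telnet.pl"
set router default tcp action reset
set router uid 32767 gid 32767
bind 192.0.2.10 router
'''

def parse_conf(text):
    """Parse only the create/set/add/bind forms that appear in the thread."""
    templates, binds = {}, {}
    for n, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)  # drops '#' comments, keeps quoted strings whole
        if not tok:
            continue
        if tok[0] == "create" and len(tok) == 2:
            templates[tok[1]] = {"personality": None, "defaults": {}, "ports": {}}
        elif tok[0] == "bind" and len(tok) == 3:
            binds[tok[1]] = tok[2]
        elif tok[0] in ("set", "add") and len(tok) >= 3:
            if tok[1] not in templates:
                raise ValueError(f"line {n}: template {tok[1]!r} used before create")
            t = templates[tok[1]]
            if tok[0] == "set" and tok[2] == "personality" and len(tok) == 4:
                t["personality"] = tok[3]
            elif tok[0] == "set" and tok[2] == "default" and len(tok) == 6:
                t["defaults"][tok[3]] = tok[5]  # e.g. tcp -> reset
            elif tok[0] == "add" and len(tok) >= 6 and tok[3] == "port":
                t["ports"][(tok[2], int(tok[4]))] = " ".join(tok[5:])
    return templates, binds

def effective(text, ip):
    """Return (template name, template dict) that would answer for ip."""
    templates, binds = parse_conf(text)
    name = binds.get(ip, "default")  # unbound addresses fall back to the default template
    if name not in templates:
        raise ValueError(f"{ip}: template {name!r} is not defined")
    return name, templates[name]
```

Calling effective() with the bound address returns the router template and its telnet script; any other address returns the default Windows template with its own port list.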


