Honeypots mailing list archives

RE: honeyd and cable modem


From: Christian Kreibich <christian () whoop org>
Date: 19 Dec 2003 11:47:08 +0000

Hi,

I'm not sure if this will help, but for a while I ran honeyd on the
single IP that you get via DHCP when using a cable modem. I found that
by far the simplest solution was to set up a few iptables rules on the
machine running honeyd to block all incoming traffic, to prevent that
machine's network stack from ever interfering with that traffic. Something
like

iptables -F INPUT
iptables -F FORWARD
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

You can of course augment that to allow ssh access from somewhere
outside etc, but make sure to adapt the filtering rule you pass to
honeyd on startup to ignore that traffic (unless you want to test your
setup, of course).

Since honeyd gets its traffic via pcap, it sees the traffic
nevertheless.

Hope this helps,
Christian.

On Wed, 2003-12-17 at 13:33, Craig Sharp wrote:
Roshen,

One other issue, what would I use as the gateway on the host?  Currently it gets its gateway from dhcp.

Craig

<roshen.chandran () paladion net> 12/16/03 10:44PM >>>

I know that honeyd relies on arpd to use all available addresses in a
network, but this won't work in my situation with only a single address.

If I got you correctly Craig, the problem seems to be that the Honeyd
virtual honeypot has to listen for an IP that is currently assigned to
the Honeyd host, and you have only 1 IP to spare between the Honeyd host
and the virtual honeypot. 

You could bind the virtual honeypot to the IP provided by the cable
modem in the honeyd.conf file, and assign just any other invalid IP to
the Honeyd host itself. You can run Arpd to respond to arp requests for
the IP provided by the cable modem, and the Honeyd host will thus pick
up the packets and hand them over to the Honeyd virtual honeypot. 

Thanks!
-Roshen

Roshen Chandran
Paladion Networks
http://www.paladion.net



-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
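As an added example, not from Christian's message or from the honeyd project: a small POSIX shell script that generates the stricter variant he describes (drop everything inbound, let ssh in from one admin host) in iptables-restore format, together with the pcap/BPF expression that hides that same ssh session from the honeypot's capture. The admin address 203.0.113.10, the function names and the HONEYD_APPLY switch are assumptions; how that exclusion is handed to a given honeyd version is not covered by the post, so the script only produces it as a plain pcap expression that can be checked with tcpdump.

```shell
#!/bin/sh
# Added example (not from the original post): generate the "drop everything,
# except ssh from one admin host" ruleset that Christian's message suggests,
# plus the matching pcap/BPF exclusion for the honeypot side.
# The admin address passed as $1 and all names here are assumptions.

# Emit an iptables-restore ruleset. INPUT and FORWARD default to DROP so the
# host's own stack never answers anything honeyd is impersonating; the only
# inbound traffic the stack ever sees is ssh from the admin host. As in the
# original rules there is no ESTABLISHED/RELATED accept, so replies to the
# host's own outbound connections are dropped too; keep that in mind before
# relying on the box for anything but running honeyd.
build_rules() {
    admin="$1"
    [ -n "$admin" ] || { echo "usage: build_rules ADMIN_IP" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -s $admin --dport 22 -j ACCEPT
COMMIT
EOF
}

# BPF expression that excludes the admin ssh session from the honeypot's
# capture, so honeyd does not also try to answer it. It is plain pcap syntax
# and can be sanity-checked with: tcpdump -ni eth0 "$(bpf_exclude ADMIN_IP)"
bpf_exclude() {
    printf 'not (host %s and tcp port 22)\n' "$1"
}

# Load the ruleset atomically (root only). Usage: apply_rules 203.0.113.10
apply_rules() {
    build_rules "$1" | iptables-restore
}

# Only touch the live firewall when explicitly asked for:
#   HONEYD_APPLY=1 sh honeyd-fw.sh 203.0.113.10
if [ "${HONEYD_APPLY:-0}" = 1 ]; then
    apply_rules "$1"
fi
```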


