Honeypots mailing list archives

Re: honeyd and routing

From: fleshcrawler <fleshcrawler () fleshcrawler dyndns org>
Date: Mon, 22 Dec 2003 12:04:32 +0100


Thanks for your reply!

It won't respond to pings without proper
routing. While I was tweaking the routing
table I had some strange incidents. Since
my Box has 2 ethernet devices (eth0 10.0.0.1
and eth1 192.168.0.99) sometimes the honeyd
replied to 192.168.0.99 when pinging it. It
looked to my if the devices which honeyd listened
on where swapped.

Here comes my configuration:

The arpds:
/usr/sbin/arpd -i eth0 10.0.0.0/8
/usr/sbin/arpd -i eth1 10.0.0.0/8

The honeyds:

/usr/bin/honeyd -l /var/log/honeyd.log -p /usr/share/honeyd/nmap.prints-f /usr/share/honeyd/config.my -i eth0 10.0.0.0/8/usr/bin/honeyd -l /var/log/honeyd.log -p /usr/share/honeyd/nmap.prints-f /usr/share/honeyd/config.my.192 -i eth1 192.168.0.0/16


-----------------------------------------------------

The strange routing table:

The route entries with Gateway 192.168.0.99 are for the honeyd on eth0
listening for 10.0.0.0/8 and the Gateway 10.0.0.1 vice versa for eth1
on net 192.168.0.0/16. This is the strange confusing thing I meant.

Kernel IP routing table

Destination Gateway Genmask Flags Metric Ref UseIface213.148.128.46 0.0.0.0 255.255.255.255 UH 0 0 0ppp010.0.0.0 10.0.0.1 255.255.255.0 UG 0 0 0eth010.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0eth0192.168.0.0 10.0.0.1 255.255.255.0 UG 0 0 0eth010.0.0.0 192.168.0.99 255.255.0.0 UG 0 0 0eth1192.168.0.0 10.0.0.1 255.255.0.0 UG 0 0 0eth0192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0eth110.0.0.0 192.168.0.99 255.0.0.0 UG 0 0 0eth10.0.0.0 213.148.128.46 0.0.0.0 UG 0 0 0ppp0


-----------------------------------------------------

Config for 10.0.0.0/8 network:

# Example of a simple host template and its binding

route entry 10.0.0.1 network 10.0.0.0/8
route 10.0.0.1 link 10.0.0.0/8
route 10.0.0.1 add net 10.0.1.0/24 10.0.0.100
route 10.0.0.100 link 10.0.1.0/24
route 10.0.0.100 add net 10.1.0.0/16 10.0.1.100
route 10.0.1.100 link 10.1.0.0/16

...

-----------------------------------------------------

Config for 192.168.0.0/16 network:

# Example of a simple host template and its binding

route entry 192.168.0.99 network 192.168.0.0/16
route 192.168.0.99 link 192.168.0.0/24
route 192.168.0.99 add net 192.168.1.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.5.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.19.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.39.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.64.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.99.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.118.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.143.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.177.0/24 192.168.0.100
route 192.168.0.99 add net 192.168.187.0/24 192.168.0.100

route 192.168.0.100 link 192.168.1.0/24
route 192.168.0.100 link 192.168.5.0/24
route 192.168.0.100 add net 192.168.19.0/24 192.168.5.100
route 192.168.0.100 add net 192.168.39.0/24 192.168.5.100
route 192.168.0.100 add net 192.168.64.0/24 192.168.5.100
route 192.168.0.100 add net 192.168.99.0/24 192.168.5.100
route 192.168.0.100 add net 192.168.118.0/24 192.168.5.100
route 192.168.0.100 add net 192.168.143.0/24 192.168.5.100
route 192.168.0.100 add net 192.168.177.0/24 192.168.5.100
route 192.168.0.100 add net 192.168.187.0/24 192.168.5.100

route 192.168.5.100 link 192.168.19.0/24
route 192.168.5.100 add net 192.168.39.0/24 192.168.19.100
route 192.168.5.100 add net 192.168.64.0/24 192.168.19.100
route 192.168.5.100 add net 192.168.99.0/24 192.168.19.100
route 192.168.5.100 add net 192.168.118.0/24 192.168.19.100
route 192.168.5.100 add net 192.168.143.0/24 192.168.19.100
route 192.168.5.100 add net 192.168.177.0/24 192.168.19.100
route 192.168.5.100 add net 192.168.187.0/24 192.168.19.100

route 192.168.19.100 link 192.168.39.0/24
route 192.168.19.100 add net 192.168.64.0/24 192.168.39.100
route 192.168.19.100 add net 192.168.99.0/24 192.168.39.100
route 192.168.19.100 add net 192.168.118.0/24 192.168.39.100
route 192.168.19.100 add net 192.168.143.0/24 192.168.39.100
route 192.168.19.100 add net 192.168.177.0/24 192.168.39.100
route 192.168.19.100 add net 192.168.187.0/24 192.168.39.100

route 192.168.39.100 link 192.168.64.0/24
route 192.168.39.100 add net 192.168.99.0/24 192.168.64.100
route 192.168.39.100 add net 192.168.118.0/24 192.168.64.100
route 192.168.39.100 add net 192.168.143.0/24 192.168.64.100
route 192.168.39.100 add net 192.168.177.0/24 192.168.64.100
route 192.168.39.100 add net 192.168.187.0/24 192.168.64.100

route 192.168.64.100 link 192.168.99.0/24
route 192.168.64.100 add net 192.168.118.0/24 192.168.99.100
route 192.168.64.100 add net 192.168.143.0/24 192.168.99.100
route 192.168.64.100 add net 192.168.177.0/24 192.168.99.100
route 192.168.64.100 add net 192.168.187.0/24 192.168.99.100

route 192.168.99.100 link 192.168.118.0/24
route 192.168.99.100 add net 192.168.143.0/24 192.168.118.100
route 192.168.99.100 add net 192.168.177.0/24 192.168.118.100
route 192.168.99.100 add net 192.168.187.0/24 192.168.118.100

route 192.168.118.100 link 192.168.143.0/24
route 192.168.118.100 add net 192.168.177.0/24 192.168.143.100
route 192.168.118.100 add net 192.168.187.0/24 192.168.143.100

route 192.168.143.100 link 192.168.177.0/24
route 192.168.143.100 add net 192.168.187.0/24 192.168.177.100

route 192.168.177.100 link 192.168.187.0/24

...

-----------------------------------------------------

Roshen Chandran schrieb:

Does someone have a recipe how to make the honeyd listen to networktraffic on it's specifiyed devices without strange and cryptic routing?


You could use the -i option for Honeyd to listen on a specified
interface

./honeyd -f honeyd.conf -i eth1

Another problem ist that when I redirect traffic from the inter net to

honeyd-host it won't respond to requests (for example telnet).


Does it respond to ping? Could you give more details? The relevant
section your honeyd.conf would be useful.

Thanks!
-Roshen

Roshen Chandran
Paladion Networks
http://www.paladion.net

Current thread:

honeyd and routing fleshcrawler (Dec 21)
- RE: honeyd and routing Roshen Chandran (Dec 21)
  - Re: honeyd and routing fleshcrawler (Dec 22)
    - RE: honeyd and routing Roshen Chandran (Dec 23)