Honeypots mailing list archives

honeyd with python extensions


From: "WiM" <vulndev () vision rma ac be>
Date: Tue, 2 Mar 2004 15:50:15 +0100


There is a problem with connection termination when using python extensions
with honeyd.

Example:

In "honeyd.conf" I write the following line:
add netbsd tcp port 7 internal "echo"

The service echo.py is the basic echo example from the man page:
import honeyd
import sys

def honeyd_init(data):
  mydata = {}
  honeyd.read_selector(honeyd.EVENT_ON)
  return mydata

def honeyd_readdata(mydata, data):
  honeyd.read_selector(honeyd.EVENT_ON)
  honeyd.write_selector(honeyd.EVENT_ON)
  mydata["write"] = data
  return 0

def honeyd_writedata(mydata):
  data = mydata["write"]
  del mydata["write"]
  return data

def honeyd_end(mydata):
  del mydata
  return 0


You can connect to the echo service on port 7 only once. After that, no new
connections are possible. The incoming SYN packets are ignored by honeyd.

Furthermore, the first connection is not properly terminated, as is shown in
the following packet trace (with 172.16.100.100 being the honeypot):

15:41:41.216261 172.16.29.122.3215 > 172.16.100.100.7: P 3:5(2) ack 3 win 65533 <nop,nop,timestamp 839059 1335652> (DF)
15:41:41.216546 172.16.100.100.7 > 172.16.29.122.3215: . ack 5 win 32766 <timestamp 1335652 0,nop,nop>
15:41:41.217095 172.16.100.100.7 > 172.16.29.122.3215: . 3:5(2) ack 5 win 32768 <timestamp 1335652 0,nop,nop>
15:41:41.416460 172.16.29.122.3215 > 172.16.100.100.7: . ack 5 win 65531 <nop,nop,timestamp 839061 1335652> (DF)
15:41:44.197053 172.16.29.122.3215 > 172.16.100.100.7: F 5:5(0) ack 5 win 65531 <nop,nop,timestamp 839088 1335652> (DF)
15:41:44.197426 172.16.100.100.7 > 172.16.29.122.3215: . ack 6 win 32768 <timestamp 1335652 0,nop,nop>
15:41:44.197807 172.16.100.100.7 > 172.16.29.122.3215: F 5:5(0) ack 6 win 32768 <timestamp 1335652 0,nop,nop>
15:41:44.198454 172.16.29.122.3215 > 172.16.100.100.7: . ack 6 win 65531 <nop,nop,timestamp 839088 1335652> (DF)

At 15:44 the client terminates the connection by sending a FIN packet.
Honeyd however simply acks the FIN packets yet doesn't terminate the
connection.

Wim
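
A repeat-connection check for the symptom reported above, as an added example that is not part of the original post or of honeyd: it opens several sequential connections to the echo port and reports, per attempt, whether the SYN was answered, the payload was echoed, and the peer sent its FIN. The function names, status strings and payload are assumptions made for this example.

```python
import socket
import sys

PAYLOAD = b"honeyd-probe\r\n"  # constructed test payload


def probe_once(host, port, timeout):
    """Run one connect/echo/close cycle and return a status string."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "syn-ignored"      # no SYN/ACK came back: the reported symptom
    except ConnectionRefusedError:
        return "refused"          # RST came back: port closed
    except OSError:
        return "error"
    with s:
        try:
            s.sendall(PAYLOAD)
            got = b""
            while len(got) < len(PAYLOAD):
                chunk = s.recv(4096)
                if not chunk:
                    break
                got += chunk
        except OSError:           # includes socket.timeout
            return "no-echo"
        if got != PAYLOAD:
            return "bad-echo"
        try:
            s.shutdown(socket.SHUT_WR)   # send our FIN
            # recv() returns b"" only once the peer's FIN has arrived
            return "ok" if s.recv(4096) == b"" else "extra-data"
        except socket.timeout:
            return "no-fin"
        except OSError:
            return "reset"


def probe_echo(host, port=7, attempts=3, timeout=3.0):
    """Probe the service several times in a row; one status per attempt."""
    return [probe_once(host, port, timeout) for _ in range(attempts)]


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python probe_echo.py <honeypot-address>
    print(probe_echo(sys.argv[1]))
```

A healthy echo service returns "ok" for every attempt; a first "ok" followed by "syn-ignored" corresponds to the behaviour described in the post.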

