Honeypots mailing list archives
Uncertainties about router configuration in honeyd
From: Markus Schabel <markus.schabel () tgm ac at>
Date: Tue, 25 May 2004 23:38:14 +0200
If I create the following configuration and do some traceroutes to find out the layout of the network I'm not sure whether I got all things correct or not...
> route entry 192.168.0.1
> route 192.168.0.1 link 192.168.0.0/24
>
> create default
> set default default tcp action block
> set default default udp action block
> set default default icmp action block
>
> create router
> set router personality "Cisco 3600 router running IOS 12.2(6c)"
>
> create solaris
> set solaris personality "Sun Solaris 2.6"
>
> bind router 192.168.0.1
> bind solaris 192.168.0.2

What does the phrase "entry point" exactly mean? Is it like the following scheme:

  +---+                                           +---+
  |   |                                           |   |
  +---+                                           +---+
 +-----+                                         +-----+
 +-----+                                         +-----+
    | .?  ?.?.?.?   .?  (-) .1  192.168.0.0/24   .3 |
  --+------------------( X )------------------------+
      [which network?]  (-)
 (me@localhost,      (entry point,
  loopback int)       router)
  [which IP?]         [which IP?]

Is it correct that the 192.168.0.0 network is behind the router? Which network is in front of the router (especially if I use the loopback interface)?

If I change the configuration to the following:

> route entry 192.168.0.1
> route 192.168.0.1 link 192.168.0.0/24
> route 192.168.0.1 link 192.168.1.0/24
> [..]

I get the following:

  +---+                                           +---+
  |   |                                           |   |
  +---+                                           +---+
 +-----+                                         +-----+
 +-----+                        192.168.1.0/24   +-----+
    | .?  ?.?.?.?   .?  (-) .1  192.168.0.0/24   .3 |
  --+------------------( X )------------------------+
                        (-)

Is it possible to configure honeyd to simulate the following (an additional network attached to the router):

  +---+                     192.168.1.0/24        +---+
  |   |                  +------------------      |   |
  +---+                  |                        +---+
 +-----+                 |                       +-----+
 +-----+                 |                       +-----+
    | .?  ?.?.?.?   .?  (-) .1  192.168.0.0/24   .3 |
  --+------------------( X )------------------------+
                        (-)

If I add other routers to the network like the following:

> route entry 192.168.0.1
> route 192.168.0.1 link 192.168.0.0/24
> route 192.168.0.1 add net 192.168.2.0/24 192.168.2.1
> route 192.168.2.1 link 192.168.2.0/24
> [..]
> bind router 192.168.0.1
> bind router 192.168.2.1

I get the following:

  +---+
  |   |
  +---+
 +-----+
 +-----+
    |       (-) .1            .? (-) .1
  --+------( X )----------------( X )----------------
            (-)  192.168.0.0/24  (-)  192.168.2.0/24

What is the first (left) IP address of the second router? Is that router connected over the 192.168.0.0 network or directly attached to the first one?

If I go further and add another router here:

> route entry 192.168.0.1
> route 192.168.0.1 link 192.168.0.0/24
> route 192.168.0.1 add net 192.168.2.0/24 192.168.2.1
> route 192.168.0.1 add net 192.168.4.0/24 192.168.4.1
> route 192.168.2.1 link 192.168.2.0/24
> route 192.168.4.1 link 192.168.4.0/24
> [..]
> bind router 192.168.0.1
> bind router 192.168.2.1
> bind router 192.168.4.1

I get the following:

  +---+                    .? (-) .1
  |   |                 +----( X )-------------------
  +---+                 |     (-)  192.168.4.0/24
 +-----+                |
 +-----+                |
    |       (-) .1      |    .?  (-) .1
  --+------( X )--------+-------( X )----------------
            (-)  192.168.0.0/24  (-)  192.168.2.0/24

But shouldn't it look like the following:

  +---+                                         .? (-) .1
  |   |                           +---------------( X )-------------------
  +---+                           |                (-)  192.168.4.0/24
 +-----+                          |
 +-----+                          |
    |       (-) .1
  --+------( X )-------------------------------------
            (-)  192.168.0.0/24   |
                                  |
                                  |             .? (-) .1
                                  +---------------( X )-------------------
                                                   (-)  192.168.2.0/24

Hopefully somebody can shed some light on all this stuff... Is there a _good_ howto about this topic anywhere?

thanks & best regards
Markus

--
Markus Schabel      TGM - Die Schule der Technik   www.tgm.ac.at
IT-Service          A-1200 Wien, Wexstrasse 19-23  net.tgm.ac.at
markus.schabel () tgm ac at          Tel.: +43(1)33126/316
markus.schabel () members fsf org    Fax.: +43(1)33126/154
FSF Associate Member #597, Linux User #259595 (counter.li.org)
Yet Another Spam Trap: yast () tgm ac at

Computers are like air conditioners: They stop working properly if you open windows.
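The three-router configuration in the message above, read purely as a declared parent/child relation. This is an added example, not part of the original post and not honeyd's own parser: the function names are hypothetical, and it assumes only the three statement forms shown in the message (`route entry`, `route <router> link <net>`, `route <router> add net <net> <gateway>`). It does not show how honeyd answers a traceroute.

```python
import ipaddress
from collections import defaultdict

# Route statements of the three-router configuration quoted in the message.
SAMPLE = """\
> route entry 192.168.0.1
> route 192.168.0.1 link 192.168.0.0/24
> route 192.168.0.1 add net 192.168.2.0/24 192.168.2.1
> route 192.168.0.1 add net 192.168.4.0/24 192.168.4.1
> route 192.168.2.1 link 192.168.2.0/24
> route 192.168.4.1 link 192.168.4.0/24
"""

def parse_routes(text):
    """Collect the entry router, per-router links and per-router next hops."""
    entry, links, hops = None, defaultdict(list), defaultdict(list)
    for raw in text.splitlines():
        tok = raw.lstrip("> ").split()
        if len(tok) < 3 or tok[0] != "route":
            continue  # create/set/bind lines and "[..]" carry no routing
        if tok[1] == "entry":
            entry = ipaddress.ip_address(tok[2])
        elif tok[2] == "link" and len(tok) >= 4:
            links[ipaddress.ip_address(tok[1])].append(ipaddress.ip_network(tok[3]))
        elif tok[2:4] == ["add", "net"] and len(tok) >= 6:
            hops[ipaddress.ip_address(tok[1])].append(
                (ipaddress.ip_network(tok[4]), ipaddress.ip_address(tok[5])))
    return entry, links, hops

def tree_lines(text):
    """Render the declared router hierarchy, one indented line per statement."""
    entry, links, hops = parse_routes(text)
    out, seen = [], set()
    def walk(router, depth):
        pad = "  " * depth
        if router in seen:  # a gateway reached twice would otherwise recurse forever
            out.append(f"{pad}router {router} (already shown)")
            return
        seen.add(router)
        out.append(f"{pad}router {router}")
        out.extend(f"{pad}  link {net}" for net in links.get(router, []))
        for net, gw in hops.get(router, []):
            out.append(f"{pad}  {net} via {gw}")
            walk(gw, depth + 2)
    if entry is not None:
        walk(entry, 0)
    return out

if __name__ == "__main__":
    print("\n".join(tree_lines(SAMPLE)))
```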