Honeypots mailing list archives

Honeyd and exclusion


From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Tue, 28 Sep 2004 11:40:16 -0500

I seem to have gotten my head on backwards.  I've got a honeyd install
(0.8b) that I'm trying to set up as a worm trap.  The goal is to have
the network cruft be directed to the honeypot and have it reply to nearly
everything so the IDS can see actual payloads instead of bare SYNs.

I've got it set up so that it responds to everything, but I'm having
problems with the exclusions.  For example, since the honeypot's default
router points its default route at the honeypot, I don't want the
honeypot to reply to anything that was sourced by an unrouted (i.e. not
our) address.  Also, in its current configuration, it sources packets
from 224.0.0.2 in response to the router's HSRP requests.  Since
sourcing something from a multicast address isn't exactly kosher, I'd
like to keep this from happening, too.

So far, the best I've been able to manage is to use iptables to drop the
outbound packets, but that prods honeyd to create syslog messages like
"couldn't send packet: Operation not permitted".  Is there a
configuration in honeyd that I can tell it to do everything _except_
certain networks?

Thanks.

Jon
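The two exclusions asked for above (ignore traffic from unrouted sources, never answer a packet addressed to a multicast group, since the reply would be sourced from that group address) expressed as a reply-policy check, plus the equivalent pcap/BPF filter expression for the capture stage. This is an added illustration, not honeyd code or a honeyd option; the routed prefixes and sample packets are constructed values, and whether honeyd 0.8b accepts a custom capture filter is not something the post establishes.

```python
import ipaddress

# Constructed example values: replace with the site's own routed prefixes.
ROUTED_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
MULTICAST = ipaddress.ip_network("224.0.0.0/4")   # 224.0.0.2 (HSRP) lives here
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def should_reply(src, dst):
    """Decide whether the honeypot should answer a packet src -> dst.

    Returns (decision, reason). The honeypot answers with the original
    destination as its source, so a multicast/broadcast destination is
    refused outright; a source outside our routed space is treated as
    spoofed or a bogon and is ignored rather than provoked into a reply.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if d in MULTICAST or d == LIMITED_BROADCAST:
        return False, "destination is multicast/broadcast; reply would be sourced from it"
    if not any(s in net for net in ROUTED_PREFIXES):
        return False, "source is not in a routed prefix"
    return True, "ok"


def pcap_filter(routed=ROUTED_PREFIXES, multicast=MULTICAST):
    """Same policy as a BPF expression, usable with tcpdump or any
    libpcap-based capture stage placed in front of the honeypot."""
    srcs = " or ".join(f"src net {net}" for net in routed)
    return (f"ip and ({srcs}) and not dst net {multicast} "
            f"and not dst host {LIMITED_BROADCAST}")


def evaluate(packets):
    """Apply the policy to (src, dst) pairs; returns only the ones to answer."""
    return [(s, d) for s, d in packets if should_reply(s, d)[0]]


if __name__ == "__main__":
    # Constructed sample traffic: internal scan, HSRP hello, spoofed source.
    sample = [("10.1.2.3", "10.9.9.9"), ("10.0.0.1", "224.0.0.2"), ("203.0.113.5", "10.9.9.9")]
    for s, d in sample:
        print(s, "->", d, should_reply(s, d))
    print(pcap_filter())
```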
