Honeypots mailing list archives

RE: Honeyd and exclusion


From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Wed, 29 Sep 2004 08:20:06 -0500

I'd figured that out, but the list gets a bit long as I want honeyd to
respond to everything except:

- 224.0.0.0/4 (multicast)
- 169.254.0.0/16 (MS link local stuff when client doesn't get DHCP addr)
- any packet sourced by an address that we don't own

I could theoretically do some large block thingie for the first two,
simply defining ranges that don't include those two networks, but I
don't see a way to not respond based on source address.

BTW, I finally figured out why my INPUT iptables filters weren't
working.  PCAP-based apps see the inbound packets before iptables does
(i.e. iptables sits higher up on the IP stack than PCAP).  That's the
same reason why the OUTPUT filters worked, the packets would go through
iptables before the PCAP layer on its way out from userland.

Thanks.

Jon

-----Original Message-----
From: Niels Provos [mailto:provos () citi umich edu] 
Sent: Tuesday, September 28, 2004 6:02 PM
To: Williams Jon
Cc: honeypots () securityfocus com
Subject: Re: Honeyd and exclusion

On Tue, Sep 28, 2004 at 11:40:16AM -0500, Williams Jon wrote:
> So far, the best I've been able to manage is to use iptables to drop
> the outbound packets, but that prods honeyd to create syslog messages
> like "couldn't send packet: Operation not permitted".  Is there a
> configuration in honeyd that I can tell it to do everything _except_
> certain networks?

You can provide it with a list of networks that it should reply to.  You
basically make the exclusion implicit.

Niels.
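
The "large block" approach mentioned above for the first two exclusions can be generated rather than written by hand. The following is an added example, not code from the thread or from honeyd: it computes the CIDR blocks that cover an address space minus the multicast and link-local ranges, giving a list of networks of the kind Niels describes. The function name `complement` and the use of 0.0.0.0/0 as the starting space are assumptions; it covers destination ranges only and does nothing about filtering on source address.

```python
import ipaddress

# Ranges from the post that honeyd should stay silent on.
EXCLUDED = ["224.0.0.0/4", "169.254.0.0/16"]


def complement(space, excluded):
    """Return the CIDR blocks covering `space` minus every network in `excluded`.

    `complement` is a hypothetical helper written for this example.
    """
    keep = [ipaddress.ip_network(space)]
    for raw in excluded:
        hole = ipaddress.ip_network(raw)
        remaining = []
        for net in keep:
            if hole.subnet_of(net):
                # Split `net` into the blocks surrounding the hole.
                remaining.extend(net.address_exclude(hole))
            elif net.subnet_of(hole):
                # The whole block is excluded: drop it.
                continue
            else:
                # CIDR blocks are either nested or disjoint; this one is untouched.
                remaining.append(net)
        keep = remaining
    return sorted(ipaddress.collapse_addresses(keep))


def as_argument_list(networks):
    """Join the networks into one space-separated string."""
    return " ".join(str(n) for n in networks)


if __name__ == "__main__":
    # Assumption: start from all of IPv4; in practice pass the range you monitor.
    nets = complement("0.0.0.0/0", EXCLUDED)
    print(len(nets), "networks")
    print(as_argument_list(nets))
```

Passing the monitored range instead of 0.0.0.0/0 as `space` keeps the resulting list short.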



