Honeypots mailing list archives
RE: Running Honeyd
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 18 Mar 2005 08:21:31 -0500
It requires its own IP subnet, as well as IP address.

Roger

************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
************************************************************************

-----Original Message-----
From: Steve Harvey [mailto:sxh12u () cs nott ac uk]
Sent: Friday, March 18, 2005 8:15 AM
To: honeypots () securityfocus com
Subject: Fw: Running Honeyd

After reading the FAQ I understand that honeyd requires its own IP address, so I decided to set up a virtual IP address as follows:

    eth0      Link encap:Ethernet  HWaddr 00:04:75:E9:B9:70
              inet addr:128.243.23.175  Bcast:128.243.23.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:42552 errors:0 dropped:0 overruns:0 frame:0
              TX packets:34748 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:10908297 (10.4 MiB)  TX bytes:3402249 (3.2 MiB)
              Interrupt:5 Base address:0xe800

    eth0:1    Link encap:Ethernet  HWaddr 00:04:75:E9:B9:70
              inet addr:128.243.23.174  Bcast:128.243.255.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:5 Base address:0xe800

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:24870 errors:0 dropped:0 overruns:0 frame:0
              TX packets:24870 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1016776 (992.9 KiB)  TX bytes:1016776 (992.9 KiB)

I also understand that honeyd requires traffic to be forwarded to it, as it does not intercept any network traffic, so I used arpd to monitor the IP address of eth0:1:

    arpd 128.243.23.174

I can ping the IP address, but when I nmap the address I get the same response as I would if I nmapped eth0, i.e.

    PORT   STATE SERVICE
    22/tcp open  ssh

Why can I not get arpd to push the traffic to my honeyd... I have noticed that everyone uses arpd for blocks of IP addresses... I cannot really do this, as I want to deploy honeyd on my university network and the security group would not be best impressed if I stole all their unused IPs!

Thanks
Steve Harvey
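
The alias in the quoted message, checked as an added example (not part of the original thread or of honeyd/arpd): an address that is already configured on a local interface is answered by the host's own IP stack, which is consistent with the nmap scan of 128.243.23.174 showing the same ssh port as eth0. The script assumes legacy net-tools `ifconfig` output as posted; the function names and the trimmed sample are constructed for illustration.

```shell
#!/bin/sh
# Added example; local_owner and check_honeyd_ip are hypothetical helper names.
# Constructed sample: trimmed copy of the ifconfig listing from the message.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:04:75:E9:B9:70
          inet addr:128.243.23.175  Bcast:128.243.23.255  Mask:255.255.255.0
eth0:1    Link encap:Ethernet  HWaddr 00:04:75:E9:B9:70
          inet addr:128.243.23.174  Bcast:128.243.255.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

# local_owner IP
# Reads legacy net-tools ifconfig text on stdin and prints the interface
# (or alias) that has IP configured. Prints nothing if no interface has it.
local_owner() {
    awk -v ip="$1" '
        /^[^ \t]/ { ifname = $1 }          # unindented line starts a new interface
        {
            for (i = 1; i <= NF; i++)
                if ($i == ("addr:" ip)) {  # whole-field match, so .17 != .174
                    print ifname
                    exit
                }
        }'
}

# check_honeyd_ip IP
# Returns 0 if IP is free for arpd/honeyd to claim, 1 if the host already
# owns it. The ifconfig text is read from stdin.
check_honeyd_ip() {
    owner=$(local_owner "$1")
    if [ -n "$owner" ]; then
        echo "FAIL: $1 is configured on $owner; the host answers for it itself" >&2
        return 1
    fi
    echo "OK: $1 is not configured on any local interface"
    return 0
}

# Demo on the constructed sample (on a live host: ifconfig -a | check_honeyd_ip IP)
printf '%s\n' "$SAMPLE_IFCONFIG" | check_honeyd_ip 128.243.23.174 || true
```
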
Current thread:
- Fw: Running Honeyd Steve Harvey (Mar 18)
- <Possible follow-ups>
- RE: Running Honeyd Roger A. Grimes (Mar 18)
- RE: Running Honeyd Mohan Chirumamilla (Mar 19)