Honeypots mailing list archives

RE: Running Honeyd


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 18 Mar 2005 08:21:31 -0500

It requires its own IP subnet, as well as IP address.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by
O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
****************************************************************************

 

-----Original Message-----
From: Steve Harvey [mailto:sxh12u () cs nott ac uk] 
Sent: Friday, March 18, 2005 8:15 AM
To: honeypots () securityfocus com
Subject: Fw: Running Honeyd



After reading the FAQ I understand that honeyd requires its own IP
address, so I decided to set up a virtual IP address as follows:

eth0      Link encap:Ethernet  HWaddr 00:04:75:E9:B9:70
          inet addr:128.243.23.175  Bcast:128.243.23.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:42552 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34748 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:10908297 (10.4 MiB)  TX bytes:3402249 (3.2 MiB)
          Interrupt:5 Base address:0xe800

eth0:1    Link encap:Ethernet  HWaddr 00:04:75:E9:B9:70
          inet addr:128.243.23.174  Bcast:128.243.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:5 Base address:0xe800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:24870 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24870 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1016776 (992.9 KiB)  TX bytes:1016776 (992.9 KiB)

I also understand that honeyd requires traffic to be forwarded to it, as
it does not intercept any network traffic.

So I used arpd to monitor the IP address of eth0:1:

 arpd 128.243.23.174

I can ping the IP address, but when I nmap the address I get the same
response as I would if I nmapped eth0, i.e.

 PORT   STATE SERVICE
 22/tcp open  ssh

Why can I not get arpd to push the traffic to my honeyd? I have
noticed that everyone uses arpd for blocks of IP addresses. I cannot
really do this, as I want to deploy honeyd on my university network and
the security group would not be best impressed if I stole all their
unused IPs!

 Thanks

 Steve Harvey
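An added pre-flight check for the situation described in the quoted post (my own script, not code from the thread or from the honeyd/arpd projects): given ifconfig output like the one quoted above, it flags when the address arpd is meant to claim is already bound to a local interface (the host's own kernel then answers ARP and TCP for it, so a scan sees the host's real services instead of honeyd's) and when an interface's broadcast address does not match its mask. The sample output below is constructed to mirror the posted one.

```python
import ipaddress
import re

# Constructed sample in the ifconfig format quoted in the post (not a live capture).
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:04:75:E9:B9:70
          inet addr:128.243.23.175  Bcast:128.243.23.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:1    Link encap:Ethernet  HWaddr 00:04:75:E9:B9:70
          inet addr:128.243.23.174  Bcast:128.243.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""
IFACE_RE = re.compile(r"^(\S+)\s+Link encap")
INET_RE = re.compile(r"inet addr:(\S+)(?:\s+Bcast:(\S+))?\s+Mask:(\S+)")

def parse_ifconfig(text):
    """Map interface name -> (addr, bcast or None, mask) from ifconfig output."""
    result = {}
    # Each interface block starts at column 0; continuation lines are indented.
    for block in re.split(r"\n(?=\S)", text.strip()):
        name = IFACE_RE.match(block)
        inet = INET_RE.search(block)
        if name and inet:
            result[name.group(1)] = inet.groups()
    return result

def check_honeypot_ip(candidate, ifconfig_text):
    """Return a list of reasons arpd/honeyd would fail to own `candidate`."""
    problems = []
    cand = ipaddress.ip_address(candidate)
    on_local_subnet = False
    for iface, (addr, bcast, mask) in parse_ifconfig(ifconfig_text).items():
        net = ipaddress.ip_interface(f"{addr}/{mask}").network
        if ipaddress.ip_address(addr) == cand:
            # The kernel owns this address, so it answers ARP and TCP itself
            # and a scanner sees the host's real services, not honeyd's.
            problems.append(f"{candidate} is bound to {iface}; honeyd never sees its traffic")
        elif cand in net and iface != "lo":
            on_local_subnet = True
        if bcast and ipaddress.ip_address(bcast) != net.broadcast_address:
            problems.append(f"{iface}: Bcast {bcast} does not match mask {mask} (expected {net.broadcast_address})")
    if not on_local_subnet:
        problems.append(f"{candidate} is not on any local subnet arpd could answer for")
    return problems
```

Run it against real `ifconfig` output with the address you plan to hand to arpd; an empty list means no local interface owns the address and it lies on a subnet arpd can answer for.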


