Honeypots mailing list archives

RE: Running Honeyd


From: Mohan Chirumamilla <mohankc_2002 () yahoo com>
Date: Sat, 19 Mar 2005 09:31:13 -0800 (PST)

Steve,
I had the same problem once and wrote a small program using libpcap and libnet.  I am attaching the source files
here; use them at your own risk.  Basically, with this program you'll have to list the IP addresses that you want to
use in a separate file and pass the file name as an argument to the program.  From then on, all traffic destined to
those IP addresses will be forwarded to the host on which this program is running.  So you would want to run this on
your honeyd host, or tweak the source code to redirect the traffic to another host.

If this is what you are looking for, here they are.
Since this was a program I developed to solve my problems, it does not have many bells and whistles.

"Roger A. Grimes" <roger () banneretcs com> wrote:
It requires its own IP subnet, as well as IP address.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
***************************************************************************



-----Original Message-----
From: Steve Harvey [mailto:sxh12u () cs nott ac uk] 
Sent: Friday, March 18, 2005 8:15 AM
To: honeypots () securityfocus com
Subject: Fw: Running Honeyd



After reading the FAQ I understand that honeyd requires its own IP
address, so I decided to set up a virtual IP address as follows:

eth0 Link encap:Ethernet HWaddr 00:04:75:E9:B9:70
inet addr:128.243.23.175 Bcast:128.243.23.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:42552 errors:0 dropped:0 overruns:0 frame:0
TX packets:34748 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:10908297 (10.4 MiB) TX bytes:3402249 (3.2 MiB)
Interrupt:5 Base address:0xe800

eth0:1 Link encap:Ethernet HWaddr 00:04:75:E9:B9:70
inet addr:128.243.23.174 Bcast:128.243.255.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:5 Base address:0xe800

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:24870 errors:0 dropped:0 overruns:0 frame:0
TX packets:24870 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1016776 (992.9 KiB) TX bytes:1016776 (992.9 KiB)

I also understand that honeyd requires traffic to be forwarded to it, as
it does not intercept any network traffic.

So I used arpd to monitor the IP address of eth0:1:

arpd 128.243.23.174

I can ping the IP address, but when I nmap the address I get the same
response as I would if I nmapped eth0, i.e.

PORT STATE SERVICE
22/tcp open ssh

Why can I not get arpd to push the traffic to my honeyd? I have
noticed that everyone uses arpd for blocks of IP addresses; I cannot
really do this, as I want to deploy honeyd on my university network and
the security group would not be best impressed if I stole all their
unused IPs!

Thanks

Steve Harvey






Attachment: mysniffer.c
Description: mysniffer.c

# Builds the proxy-ARP responder from mysniffer.c against libpcap and libnet;
# libnet-config supplies the compile-time defines libnet needs.
CC=gcc
CFLAGS=-g -Wall `/usr/local/Libnet-latest/libnet-config --defines`
CLIBS=-lpcap -lnet

proxyarp: mysniffer.c
	$(CC) $(CFLAGS) mysniffer.c -o proxyarp $(CLIBS)
clean:
	rm -f proxyarp
1.2.3.4
2.3.4.5
3.4.5.6
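
As an added example (this is not Mohan's mysniffer.c, which is not reproduced in the archive, nor code from honeyd or arpd), here is the decision and frame-building logic of a proxy-ARP responder like the one described above: it loads an address list in the format of the attached list file, recognises an ARP request for a listed address, and builds the reply that claims the address for the responder's own MAC, which is what makes the neighbours' ARP caches send that address's traffic to the honeyd host. libpcap capture and libnet injection are left out so the logic runs stand-alone. The requester's MAC and the address 10.0.0.9 are constructed; the responder's MAC is the eth0 address from Steve's ifconfig output.

```c
/* Proxy-ARP decision + reply construction (added example; not mysniffer.c). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#define ETH_HLEN      14
#define FRAME_LEN     42          /* 14-byte Ethernet header + 28-byte ARP body */
#define ETHERTYPE_ARP 0x0806
#define MAX_TARGETS   64
/* Byte offsets of the ARP fields inside the frame. */
enum { OFF_OPER = 20, OFF_SHA = 22, OFF_SPA = 28, OFF_THA = 32, OFF_TPA = 38 };
/* Ethernet/IPv4 ARP request header: htype 1, ptype 0x0800, hlen 6, plen 4, oper 1. */
static const uint8_t ARP_REQ_HDR[8] = {0x00, 0x01, 0x08, 0x00, 6, 4, 0x00, 0x01};
static uint32_t targets[MAX_TARGETS]; static int ntargets; /* honeypot IPs, network order */

/* Parse the address list (one dotted quad per line, like the attached list file).
 * Returns the number of addresses loaded, or -1 on a bad line or a full table. */
int load_targets(const char *text)
{
    ntargets = 0;
    while (*text) {
        char line[32];
        size_t n = strcspn(text, "\r\n");
        if (n >= sizeof line) return -1;
        memcpy(line, text, n); line[n] = '\0';
        text += n;
        while (*text == '\r' || *text == '\n') text++;
        if (n == 0) continue;                    /* skip blank lines */
        struct in_addr a;
        if (ntargets == MAX_TARGETS || inet_pton(AF_INET, line, &a) != 1) return -1;
        targets[ntargets++] = a.s_addr;
    }
    return ntargets;
}

static int is_target(const uint8_t ip[4])
{
    uint32_t v; memcpy(&v, ip, 4);
    for (int i = 0; i < ntargets; i++)
        if (targets[i] == v) return 1;
    return 0;
}

/* If `frame` is an ARP request for a listed address, fill `reply` with the ARP
 * reply claiming that address for `our_mac` and return 1. Non-ARP frames, ARP
 * replies, short frames and requests for other addresses return 0 (unanswered). */
int build_proxy_arp_reply(const uint8_t *frame, size_t len,
                          const uint8_t our_mac[6], uint8_t reply[FRAME_LEN])
{
    if (len < FRAME_LEN) return 0;
    if (((frame[12] << 8) | frame[13]) != ETHERTYPE_ARP) return 0;
    if (memcmp(frame + ETH_HLEN, ARP_REQ_HDR, sizeof ARP_REQ_HDR) != 0) return 0;
    if (!is_target(frame + OFF_TPA)) return 0;
    memcpy(reply, frame, FRAME_LEN);             /* keeps ethertype, htype, ptype, lengths */
    memcpy(reply, frame + 6, 6);                 /* Ethernet dst = the requester */
    memcpy(reply + 6, our_mac, 6);               /* Ethernet src = us */
    reply[OFF_OPER + 1] = 2;                     /* oper = reply */
    memcpy(reply + OFF_SHA, our_mac, 6);         /* sender MAC = us: "that IP is here" */
    memcpy(reply + OFF_SPA, frame + OFF_TPA, 4); /* sender IP = the address asked for */
    memcpy(reply + OFF_THA, frame + OFF_SHA, 6); /* target MAC and IP = the requester */
    memcpy(reply + OFF_TPA, frame + OFF_SPA, 4);
    return 1;
}

/* Constructed sample input: a broadcast request "who has tpa? tell spa". */
int make_arp_request(uint8_t out[FRAME_LEN], const uint8_t sha[6],
                     const char *spa, const char *tpa)
{
    struct in_addr s, t;
    if (inet_pton(AF_INET, spa, &s) != 1 || inet_pton(AF_INET, tpa, &t) != 1) return -1;
    memset(out, 0, FRAME_LEN);
    memset(out, 0xff, 6);                        /* broadcast destination */
    memcpy(out + 6, sha, 6);
    out[12] = 0x08; out[13] = 0x06;
    memcpy(out + ETH_HLEN, ARP_REQ_HDR, sizeof ARP_REQ_HDR);
    memcpy(out + OFF_SHA, sha, 6);
    memcpy(out + OFF_SPA, &s, 4);
    memcpy(out + OFF_TPA, &t, 4);                /* tha stays zero in a request */
    return 0;
}

int main(void)
{
    /* Assumed values: eth0's MAC from Steve's ifconfig output as "us", a made-up neighbour. */
    const uint8_t our_mac[6] = {0x00, 0x04, 0x75, 0xe9, 0xb9, 0x70};
    const uint8_t asker[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    uint8_t req[FRAME_LEN], rep[FRAME_LEN];
    load_targets("1.2.3.4\n2.3.4.5\n3.4.5.6\n");
    make_arp_request(req, asker, "10.0.0.9", "2.3.4.5");
    if (build_proxy_arp_reply(req, sizeof req, our_mac, rep)) {
        printf("ARP reply to inject:");
        for (int i = 0; i < FRAME_LEN; i++) printf(" %02x", rep[i]);
        printf("\n");
    }
    return 0;
}
```

A real responder would hand every frame captured by libpcap on the interface (filter `arp`) to build_proxy_arp_reply and inject the non-zero results with libnet, which needs root. Two things worth checking before relying on it: the listed addresses must be genuinely free on the segment, because answering ARP for an address another machine owns hijacks that machine's traffic; and they must not also be configured on the honeyd host itself (as an eth0:1 alias does), because then the kernel's own stack receives and answers the connections rather than honeyd, which is consistent with the nmap result in Steve's message showing the host's own ssh port.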
