Honeyd, dummy interface, default actions

[LECLERCQ Eric RD-MAPS-ISS <eric.leclercq () francetelecom com>]

Hi,
I'm fiddling a bit with honeyd in a situation where I want a box with
only one IP address to listen on all ports (all but a few, SSH for 
example) with a custom script (one for tcp and udp).

So I setup a dummy0, DNAT all trafic from eth0 to an address on the 
dummy subnet and have honeyd listening on this interface.

- eth0: 10.0.0.1
- dummy0 192.168.0.100
- Honeyd template using 192.168.0.99
- DNAT with "iptables -t nat -i eth0 -j DNAT --to 192.168.0.99"

I'm facing two problems:

- In this case, packets that are DNATed have the same ethernet source 
and destination addresses, that of dummy0. However since honeyd uses a 
pcap filter to ignore "ether src $dummy0_ether_addr" it doesn't see any 
packet.

This can be dealt with by changing the hw address of dummy0 _after_
having started honeyd (or mangling mac addresses with iptables I guess). 
But it's a bit of a hack...

- But the real problem comes from the default action scripts. I'm using 
the following configuration directives:

set honey default udp action "echo udp"
set honey default tcp action" echo tcp"

However:

$ nc 10.0.0.1 80
tcp

$ nc -u 10.0.0.1 80

tcp

Seems that the default TCP action script is also used for UDP connections.

Full honeyd.conf:

create honey
set honey personality "Microsoft Windows XP Professional SP1"
set honey default icmp action open
set honey default udp action "echo udp"
set honey default tcp action" echo tcp"

Any ideas?

Also there doesn't seem to be any way for the script to know the 
protocol used for the connection, couldn't there be a HONEYD_IP_PROTO 
environment variable passed to the scripts?

Thanx!
--
Eric