Honeypots mailing list archives

Re: Honeyd ping problem


From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Wed, 19 Jan 2005 10:32:07 +0100

Sorry for answering this so late, but I actually had the same problem yesterday.

brian.g.plourde () us pwc com wrote:

I was hoping someone could help me with a honeyd ping problem that I am having. My honeyd.conf file is extremely simple, a couple of addresses bound to a windows template. I run arpd, then honeyd with a -df switch pointing to the same segment of my 172 network that arpd is pointing to.

The problem is that honeyd is replying to ALL addresses within my designated range-- even when they are not bound to hosts in my conf file. For example, I can ping 172.x.x.25 (bound to windows) and 172.x.x.30 (not bound) and I receive the same reply-- even with a traceroute.

That's actually expected, but it's not evident. Honeyd will take over all the network addresses you define on the command line, no more, no less. It will not answer to IP addresses if they are not given in the CLI, even if they are bound in configuration templates, and it will answer to IP addresses given in the CLI even if they are _not_ defined in configuration templates.

So if you do

# honeyd (...) 172.16.0.0/24

And honeyd's honeyd.conf only holds templates for 172.16.0.1 and 172.16.0.2, honeyd will actually answer back ICMP requests for all of the addresses in the range, but will only allow port connections to the addresses which do have a template. That's why, if you run 'nmap -sP', all of the hosts will appear to be up and running.

Similarly, if you have in your configuration file template definitions for hosts in a 10.0.0.0/16 and 172.16.0.1 (which is a router to the subnet) and you run honeyd as:

# honeyd (...) 172.16.0.1

Honeyd will only "claim" that IP address and you will not be able to get to the 10 network. You need to run honeyd with:

# honeyd (...) 172.16.0.1 10.0.0.0/16

For the above configuration (multiple networks through routers) to work.

That's actually not self-evident from the configuration files, the documentation available or the manpage (I'm going to report an amendment to it). Probably most people are running honeyd without specifying an IP address/network, which would work in any case (since then it would claim _all_ IP addresses it sees).

Regards

Javier
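A small consistency check for the behaviour described in the reply above, added here as an example that is not part of the original thread or of honeyd itself: it reads the `bind` and `route ... link` lines of a honeyd.conf and compares them with the address/network arguments given on the honeyd command line, reporting templates that honeyd will never answer for and how many claimed addresses will answer pings without having a template. The configuration text is constructed for the example and the honeyd.conf line syntax is assumed from honeyd's documentation.

```python
import ipaddress
import re

# Constructed sample honeyd.conf mirroring the thread: two Windows templates on
# 172.16.0.x, a router at 172.16.0.1 into 10.0.0.0/16 and one host behind it.
SAMPLE_CONF = """
create windows
set windows personality "Microsoft Windows XP Professional SP1"
add windows tcp port 80 open
bind 172.16.0.1 windows
bind 172.16.0.2 windows
route entry 172.16.0.1 network 10.0.0.0/16
route 172.16.0.1 link 10.0.0.0/16
bind 10.0.1.5 windows
"""


def parse_claims(cli_args):
    """Addresses honeyd claims: the IP/CIDR arguments given on its command line."""
    return [ipaddress.ip_network(a, strict=False) for a in cli_args]


def parse_conf(text):
    """Collect bound template addresses and routed link networks from honeyd.conf."""
    bound, routed = [], []
    for line in text.splitlines():
        m = re.match(r"\s*bind\s+(\S+)\s+\S+", line)
        if m:
            bound.append(ipaddress.ip_address(m.group(1)))
        m = re.match(r"\s*route\s+\S+\s+link\s+(\S+)", line)
        if m:
            routed.append(ipaddress.ip_network(m.group(1), strict=False))
    return bound, routed


def audit(conf_text, cli_args):
    """Compare templates against the claimed ranges; returns the mismatches."""
    claimed = parse_claims(cli_args)
    bound, routed = parse_conf(conf_text)
    # Templates outside every claimed range: honeyd will not answer for them.
    unreachable = [str(ip) for ip in bound if not any(ip in n for n in claimed)]
    # Routed subnets not covered by the CLI: the "router" exists but its network is silent.
    unclaimed_links = [str(n) for n in routed if not any(n.subnet_of(c) for c in claimed)]
    # Claimed addresses with no template still answer ICMP (what nmap -sP reports as up).
    ping_only = sum(n.num_addresses for n in claimed) - (len(bound) - len(unreachable))
    return {"unreachable_templates": unreachable,
            "unclaimed_links": unclaimed_links,
            "answering_without_template": ping_only}


if __name__ == "__main__":
    print(audit(SAMPLE_CONF, ["172.16.0.1"]))
    print(audit(SAMPLE_CONF, ["172.16.0.0/24", "10.0.0.0/16"]))
```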
