Re: Honeyd, dummy interface, default actions

["Hauguet, Francis" <francis.hauguet () eads com>]

LECLERCQ Eric RD-MAPS-ISS wrote:
> I don't get it :) This seems like a Honeyd bug since "echo tcp" is 
> started for both TCP and UDP connections.
> And alas there is no HONEYD_IP_PROTO variable.

Sorry for being unclear, I was answering your question about the 
protocol being used for a script, not about the honeyd behavior. The 
fact is you have to explicitly use two lines : one for tcp and one for 
udp in honeyd config file. So, if you use :
set honey default udp action "my_script.sh udp ...."
set honey default tcp action" my_script.sh tcp ...."
reading $1 will allow you to know immediatly if your script as been 
called from a tcp connection or from an udp one.

The hard way is to edit honeyd.c and change the function :
void honeyd_varexpand(struct tcp_con *con, char *line, u_int linesize)
to
void honeyd_varexpand(struct tcp_con *con, char *line, u_int linesize, 
int proto)

Change the call to honeyd_varexpand in generic_connect to :
honeyd_varexpand(con, line, sizeof(line),proto);

and add the following in honeyd_varexpand :
snprintf(asc, sizeof(asc), "%s", proto == IP_PROTO_TCP ? "tcp" : "udp");
while (strrpl(line, linesize, "$ipproto", asc) != NULL)
      ;

and add $ipproto in your config file.
Note : *totally untested hack*

I tried your honeyd conf file and get the same result. This really seems 
like a bug. You may want to use the honeyd bugzilla.

regards,

--
Francis Hauguet