Honeypots mailing list archives

RE: Honeypot on DSL


From: Andreas Rittershofer <andreas () rittershofer de>
Date: Thu, 12 May 2005 06:42:01 +0200

On Wednesday, 11.05.2005, at 13:33 -0700, Christian Kreibich wrote:

> I did something similar a while ago. The simplest way was to have the
> firewall *block* everything inbound so the machine's real IP stack
> couldn't start to process the packets. Honeyd will still work because
> pcap will snoop the packets before they get dropped at the firewall.
> Besides that, I allowed outbound, and also ssh inbound from a remote
> management machine (making sure that this traffic wasn't fed into
> honeyd).

Thank you, that is an interesting idea.

When I make a

tcptrack -i ppp0

I see all the incoming traffic to my machine, for example SYN packets to
135 and 445.

My honeyd is configured with
add wurm tcp port 135 open
add wurm tcp port 445 open

but it shows no reaction to incoming packets on these ports. So I can
see these packets with tcptrack on ppp0, but honeyd does not see these
packets. honeyd is started with -i ppp0 and the IP address a.b.c.d and
with

bind a.b.c.d wurm

in its configuration file, where a.b.c.d is the IP address I have when
I'm online on my DSL line, shown with ifconfig under ppp0.

Could it be that honeyd only reacts to TCP while tcpdump shows PPPoE as
the protocol, since I'm directly connected to DSL?

Kind regards, ar


-- 
E-Learning in schools:
http://www.dbg-metzingen.de/Menschen/Lehrer/Q-T/Rittershofer/E-Learning/
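The open question in the mail is whether the capture on ppp0 is PPP-framed rather than Ethernet-framed, so that a pcap consumer looking for TCP at the Ethernet offset never finds it. The following is an added example, not code from the thread or from honeyd: it shows the per-link-type offset a pcap consumer must skip before the IP header (DLT values are libpcap's), and dissects a constructed PPP-framed TCP SYN to port 445 of the kind tcptrack reports. The function names `ip_offset`, `tcp_syn_summary` and `build_ppp_syn` and the sample addresses are assumptions of this example.

```python
import struct

# libpcap link-layer (DLT) values; the interface's DLT decides how many
# bytes sit in front of the IP header that a sniffer has to skip.
DLT_EN10MB = 1       # Ethernet: 14-byte header
DLT_PPP = 9          # PPP, optionally preceded by 0xff 0x03 HDLC address/control
DLT_RAW = 12         # raw IP, no link-layer header at all
DLT_LINUX_SLL = 113  # Linux "cooked" capture: 16-byte header

PPP_PROTO_IPV4 = 0x0021  # PPP protocol field value for IPv4 (RFC 1332)


def ip_offset(dlt, frame):
    """Return the byte offset of the IPv4 header inside one captured frame."""
    if dlt == DLT_RAW:
        return 0
    if dlt == DLT_EN10MB:
        return 14
    if dlt == DLT_LINUX_SLL:
        return 16
    if dlt == DLT_PPP:
        off = 2 if frame[:2] == b"\xff\x03" else 0   # skip HDLC framing if present
        proto = struct.unpack("!H", frame[off:off + 2])[0]
        if proto != PPP_PROTO_IPV4:
            raise ValueError("PPP payload is not IPv4: 0x%04x" % proto)
        return off + 2
    raise ValueError("unsupported DLT %d" % dlt)


def tcp_syn_summary(dlt, frame):
    """Return (src_ip, dst_ip, dst_port, is_syn) for a TCP/IPv4 frame, else None."""
    o = ip_offset(dlt, frame)
    ihl = (frame[o] & 0x0F) * 4          # IP header length in bytes
    if frame[o + 9] != 6:                 # IP protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[o + 12:o + 16])
    dst = ".".join(str(b) for b in frame[o + 16:o + 20])
    t = o + ihl
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    flags = frame[t + 13]                 # TCP flags byte; 0x02 = SYN
    return src, dst, dport, bool(flags & 0x02)


def build_ppp_syn(src, dst, dport, hdlc=True):
    """Constructed sample frame: PPP (+optional HDLC) / IPv4 / TCP SYN. Checksums are left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    return (b"\xff\x03" if hdlc else b"") + struct.pack("!H", PPP_PROTO_IPV4) + ip + tcp
```

Feeding the same bytes through `tcp_syn_summary(DLT_EN10MB, ...)` misreads the PPP bytes as an Ethernet header, which is the class of mismatch to rule out when a pcap-based tool stays silent on traffic that tcptrack shows.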
