Honeypots mailing list archives

Vmware and Hybrid Honeynet


From: Zapatisthack <zapatisthack () yahoo it>
Date: Fri, 14 Apr 2006 09:25:35 +0200 (CEST)

Ok, it's been a few months now that I have been
playing around with Roo and honeynet.

My set-up is as follows:
Base router is connected to the honeywall through eth2
to the management interface of the hwall, it is also
connected to a switch that then goes to eth0.

The switch also connects the various *production*
machines (there are only 2 :-) 

Ok so far so good, my prod. machines are connected, I
see traffic in the logs and the management interface
provides connectivity to the Honeywall itself for
updates etc.

Now .. eth1 is connected to another switch that then
connects to a box running WinXP as host and 2
(sometimes more) VMware guests (both XP at the moment).

I have noticed severe erratic behaviour from the
connection of the VMware honeypots.
Until a couple of weeks ago I was getting a number of
exploits/code dropped on the guests pretty regularly.
Now I can only see a great amount of UDP traffic
toward the gateway (base router) and to the broadcast
address as well as 239.255.255.0 ...

The Host machine has an IP not in the range of IPs I
specified as honeypots so it does not have internet
connectivity. The VMware boxes are connecting
correctly to the internet. I can also see attempts to
contact the Host IP, which is what is worrying me.

How can I get traffic to route correctly from the
Honeypots (both guests are bridged) to the gateway and
log correctly?

The purpose here is to collect malware and to be able
to analyse it.

Can someone help me figure out what could be wrong and
if there are any special considerations to take when
running VMware honeypots?

If there are any questions feel free to write :-)
I would really appreciate it,

Thanks
Pat



                