Honeypots mailing list archives

Re: Honeywall eth0 eth1 & eth2


From: george chamales <george () overt org>
Date: Mon, 24 Apr 2006 18:18:37 -0400

Hello Omar,

> Is it normal when I ifconfig from root in the honeywall I found that
> only eth2 has an IP address, why eth0 and eth1 don't have one

It is normal that eth0 and eth1 do not have IP addresses on the
honeywall.  Those two interfaces (eth0 connected to the outside world,
and eth1 connected to the honeynet) are configured as a layer two
bridge.  

For more information on how a bridge works please see:
http://linux-net.osdl.org/index.php/Bridge


> how can the honeypots sebek send the packets to honeywall through eth1
> if it has no IP

Any traffic that is sent from the honeypots to the outside world passes
through the honeywall.  All traffic that passes through the honeywall is
recorded by sniffer programs that run on the honeywall.  If you
configure sebek on your honeypots to use an IP address that is not on
your honeynet, data sent from sebek will pass through the honeywall and 
it will be recorded by the data capture programs.  Sebekd, the sebek 
sniffer program on the honeywall, will decode the packet and enter the 
information into the hflow database where it can be viewed through the 
walleye web interface.  

The destination IP address and port number used by sebek are not meant to
be the destination system where the packets will be recorded.  Think 
of the IP address and port number combination as a unique identifier that 
the firewall on the honeywall uses to identify sebek packets.  The
firewall on the honeywall can be configured to drop any packets that
match the sebek destination IP and port number.  This way the packets
will be sent off of the honeypots, recorded by the honeywall's data
capture tools, and dropped by the firewall before they reach the outside
world.

More information on how sebek works can be found here:
http://honeynet.org/papers/sebek.pdf

> I supposed eth1 is the default gateway for my honeypots so I gave an
> IP address but I can't find any way of assigning that IP to eth1
> (host only side of honeynet)

The honeywall does not affect the IP addresses and default gateways used
by your honeypots.  From the perspective of the honeypots, the honeywall
is not even there.  The honeypots should be configured with the same IP
range and default gateway of the other systems on the network they are
connected to.

Hope this clears things up.  If you have any further questions, feel
free to email me directly.

george
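
The capture-then-drop behaviour described in this message, modelled as an added example that is not part of the original email or the honeywall's own code. It assumes Sebek exports over UDP; the addresses, the port value and the function names are constructed for illustration.

```python
import socket
import struct

# Assumed identifier values; the real ones come from the Sebek client config.
SEBEK_DST_IP = "10.253.0.1"    # constructed, deliberately not on the honeynet
SEBEK_DST_PORT = 1101          # constructed

def build_udp(src_ip, dst_ip, sport, dport, payload=b""):
    """Build a minimal IPv4+UDP packet (checksums left at zero) as sample input."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     socket.IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + udp

def parse_udp(packet):
    """Return (dst_ip, dst_port) for an IPv4/UDP packet, None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != socket.IPPROTO_UDP or len(packet) < ihl + 8:
        return None
    dst_ip = socket.inet_ntoa(packet[16:20])
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return dst_ip, dst_port

def bridge(packets):
    """Model the honeywall: record every packet, then drop Sebek-tagged ones."""
    captured, forwarded = [], []
    for pkt in packets:
        captured.append(pkt)          # sniffers see all traffic crossing the bridge
        if parse_udp(pkt) == (SEBEK_DST_IP, SEBEK_DST_PORT):
            continue                  # firewall drop: recorded, never leaves eth0
        forwarded.append(pkt)
    return captured, forwarded

# Constructed sample traffic from a honeypot at 192.168.1.50.
SAMPLE = [
    build_udp("192.168.1.50", SEBEK_DST_IP, 1101, SEBEK_DST_PORT, b"keystrokes"),
    build_udp("192.168.1.50", "198.51.100.7", 40000, 53, b"dns query"),
    build_udp("192.168.1.50", SEBEK_DST_IP, 40001, 53, b"same ip, other port"),
]

if __name__ == "__main__":
    captured, forwarded = bridge(SAMPLE)
    print(len(captured), "captured,", len(forwarded), "forwarded")
```

The third sample packet is forwarded because only the exact IP and port pair acts as the identifier; neither bridge interface needs an address for any of this to work.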

