

Managing a Honeypot

Using honeyd

What can you do with honeyd installed? First of all, it detects any network activity aimed at the addresses it owns: if someone attempts to connect to a service over TCP or UDP, or sends an ICMP packet, honeyd immediately records the attempt in its logfile. It is important to understand that you need not create a dedicated service or listen on a port for that; honeyd does everything. You can easily emulate almost any network service, for example a Cisco telnet daemon or a buggy version of Sendmail. Most interestingly, every emulated service is just an external program, typically a script written in Perl or the Bourne shell: honeyd runs it once per connection, feeds the client's data to its standard input, and sends whatever it writes to standard output back to the client. Writing a service emulator is therefore very easy, but there is often no need, because the honeyd web site hosts scripts for almost any service you would want to emulate.

honeyd also emulates an operating system at the network-stack level: if an intruder tries to identify your operating system with a tool such as nmap, honeyd answers the probes with the TCP/IP quirks of whatever system you configured, so the scanner reports the bogus OS you chose. honeyd does this with the same OS fingerprint tables that the fingerprinting tools themselves use (nmap's database, which records the stack properties of each known system).

With that in mind, I bet you want to configure your honeypot and wait for the first client! Before you can do that, you have to understand how the special networking works. First of all, honeyd needs its own address space. If you give honeyd a whole class C (/24) network, it will happily emulate many computers and services on it, but you do not have to use a whole network; you can create a single fake computer. What you definitely cannot do is run honeyd on an IP address that an existing computer already uses. The important question is: if a packet is addressed to another computer, how can honeyd receive it? On a local Ethernet segment the answer is ARP: the honeyd host must answer ARP requests for the honeypot's addresses with its own MAC address, so that the switch delivers those frames to it. You can either run the arpd daemon that ships with honeyd, or add a published (proxy ARP) entry to the ARP table by hand, where IP-address is the honeypot address and MAC-address is that of the interface honeyd listens on:

# arp -s IP-address MAC-address pub

With such a mapping in place, the host answers ARP requests for that address with the given MAC address, so all packets addressed to it arrive at the network interface with that MAC address, where honeyd picks them up. (This is only needed for addresses on the local segment; traffic for a remote honeypot network is instead routed to the honeyd host.) If you decide to use arpd, it is very simple to use:

# arpd

Now start honeyd:

# honeyd -p nmap.prints -f honeyd.conf -l logfile.log

The -p flag names the file of operating-system signatures: nmap's own OS fingerprint database, in the format honeyd reads. This invocation also loads the honeyd.conf configuration file, logs all packets to logfile.log, and emulates a machine at the address bound in that file. Here's honeyd.conf:

create winxp
set winxp personality "Microsoft Windows XP Professional SP1"
set winxp uptime 319671
add winxp tcp port 80 "perl scripts/"
set winxp default tcp action reset

create cisco
set cisco personality "Cisco 1601R router running IOS 12.1(5)"
add cisco tcp port 23 "perl scripts/"
set cisco default tcp action reset
set cisco uid 32767 gid 32767
set cisco uptime 1327650

Most of this config file describes the virtual machines to emulate. honeyd calls these descriptions templates. This example creates two templates (with the create command), winxp and cisco. The first emulates a server running Windows XP that accepts connections only on port 80, where it runs the script under scripts/ as the handler for every connection; that script emulates Microsoft IIS 5. The personality property selects which operating system to imitate on the wire; its stack properties come from the nmap fingerprint table, so the string must match a fingerprint name in that file exactly. The uptime property, in seconds, is the uptime the emulated stack advertises through TCP timestamps. The uid and gid settings on the cisco template make honeyd drop privileges to that user and group before running the template's scripts, so a bug in an emulator does not hand an attacker root.
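The port 80 handler above is only referred to by path. As an added example (not from the article or the honeyd script collection), here is the shape such a handler takes in the Bourne shell: a minimal Microsoft IIS 5.0 emulator that answers the request with an IIS banner and logs the attacker's request line. It assumes honeyd exports HONEYD_REMOTE_HOST and HONEYD_REMOTE_PORT to the script; the log path and the file name scripts/iis-emul.sh are our own choices.

```shell
#!/bin/sh
# Added example (not from the article or the honeyd distribution): a tiny
# Microsoft IIS 5.0 emulator for honeyd's port 80 handler, in Bourne shell.
# honeyd starts one copy per TCP connection, feeds the client's bytes to the
# script's stdin and relays stdout back to the client.  Assumed: honeyd exports
# HONEYD_REMOTE_HOST and HONEYD_REMOTE_PORT to the script; the log path below
# is our own choice.  Hook it up with a config line such as
#   add winxp tcp port 80 "sh scripts/iis-emul.sh"

LOGFILE="${IIS_EMU_LOG:-/var/log/honeyd/iis-emul.log}"   # assumed location
CR=$(printf '\r')

# Append one line per connection.  The request line is attacker-controlled, so
# non-printable bytes are replaced before they can corrupt or spoof the log.
log_request() {
    safe=$(printf '%s' "$1" | tr -c '[:print:]' '?')
    printf '%s %s:%s "%s"\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" \
        "${HONEYD_REMOTE_HOST:-unknown}" "${HONEYD_REMOTE_PORT:-0}" \
        "$safe" >>"$LOGFILE" 2>/dev/null || :
}

# Build the response for one HTTP request line.  GET and HEAD get the stock
# "Under Construction" page IIS 5 serves when no default document exists; an
# empty line is a bad request; any other method is unimplemented.  Only the
# Server banner matters to a scanner, but Content-Length is kept honest.
iis_response() {
    method=${1%% *}
    body='<html><head><title>Under Construction</title></head><body>The site you are trying to view does not currently have a default page.</body></html>'
    case "$method" in
        '')       status='400 Bad Request'
                  body='<html><body>Bad Request</body></html>' ;;
        GET|HEAD) status='200 OK' ;;
        *)        status='501 Not Implemented'
                  body='<html><body>Not Implemented</body></html>' ;;
    esac
    printf 'HTTP/1.1 %s\r\nServer: Microsoft-IIS/5.0\r\nContent-Type: text/html\r\nContent-Length: %d\r\nConnection: close\r\n\r\n' \
        "$status" "${#body}"
    [ "$method" = HEAD ] || printf '%s' "$body"
}

# Read the request line, skip the headers up to the blank line, then log and
# answer.  honeyd closes stdin when the client disconnects, so reads end there.
serve() {
    IFS= read -r request_line || request_line=''
    request_line=${request_line%"$CR"}
    while IFS= read -r line; do
        line=${line%"$CR"}
        [ -n "$line" ] || break
    done
    log_request "$request_line"
    iis_response "$request_line"
}

# Act as a server only when honeyd launched us (it sets HONEYD_REMOTE_HOST);
# otherwise just define the functions so the file can be sourced or tested.
if [ -n "${HONEYD_REMOTE_HOST:-}" ]; then
    serve
fi
```

Because honeyd runs the script as the template's uid and gid, the log file and its directory must be writable by that user, or the `|| :` silently discards the log line; a real deployment should check that the first connection actually produced a log entry.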

For each TCP or UDP port you can set a behavior, either per port or, with a default action, for every port of the template that has no explicit rule. The winxp template uses the default action:

set winxp default tcp action reset

This means that the honeypot refuses connections to any port without a previously set rule by answering with a packet carrying the RST flag, just as a real host does for a closed port. The other actions are open (complete the handshake with a SYN/ACK, so the port looks open even though nothing listens behind it), block (silently drop the packet, as a firewall would) and tarpit (accept the connection and then hold it open to slow the attacker down). The same default action syntax exists for udp, and the same actions can be given to an individual port instead of a script.

Port 80 of the winxp template has a script handler instead. After the templates, the configuration binds them to IP addresses, naming the address first and then the template:

bind IP-address cisco

If someone now attempts to connect to that address, he reaches honeyd posing as an old, buggy Cisco router. An important point is that there is always a default template: it handles connections to addresses that honeyd owns but that you have not bound to any template. You can override it by defining a template named default yourself, for example so that the other addresses accept no connections at all.
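As an added example in honeyd's configuration syntax (not from the article), the following honeyd.conf overrides the default template so that unbound addresses answer nothing, and binds the cisco template to two addresses. The addresses are constructed placeholders from the documentation range, and the script name scripts/router-telnet.pl is assumed; substitute your own unused addresses and script.

```text
# Added example, not from the article.  Addresses are constructed placeholders.
# Anything honeyd owns that is not bound below falls to the default template,
# which here drops every TCP, UDP and ICMP packet: a scanner sees a black hole
# instead of a host that resets connections.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create cisco
set cisco personality "Cisco 1601R router running IOS 12.1(5)"
add cisco tcp port 23 "perl scripts/router-telnet.pl"
set cisco default tcp action reset
set cisco default udp action reset
set cisco uid 32767 gid 32767
set cisco uptime 1327650

bind 192.0.2.20 cisco
bind 192.0.2.21 cisco
```

Whether the unbound addresses should block or reset is a design choice: reset makes them look like live hosts with closed ports, block makes them look unoccupied, and a mixed network is harder for an intruder to tell from a real one.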

honeyd supports many other features; the documentation does a good job of describing them. Once the daemon is running, honeyd catches all packets addressed to the non-existent hosts and logs every connection attempt. It's worth noting that honeyd itself logs little more than those attempts, whereas the emulation scripts can log the whole session quite thoroughly.
