Author |
Message |
gladbach n00b

Joined: 15 Jun 2002 Posts: 50
|
Posted: Tue Jan 21, 2003 5:17 am Post subject: honeyd? |
|
|
Anyone gotten honeyd up and running on Gentoo? I was slightly surprised that there was not an ebuild for it yet.
I am about to set it up, I'll let you guys know how it works.
kev |
 |
Proteus Guru


Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
|
Posted: Tue Jan 21, 2003 12:42 pm Post subject: |
|
|
What exactly does it do?
I don't know it but if it's good I could try to get it working, too  _________________ Greetings,
Proteus |
 |
rtn Guru

Joined: 15 Nov 2002 Posts: 427
|
Posted: Tue Jan 21, 2003 3:22 pm Post subject: |
|
|
Proteus wrote: | What exactly does it do?
I don't know it but if it's good I could try to get it working, too  |
Check out the homepage.
Code: | Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running certain versions of operating systems. Honeyd enables a single host to claim multiple addresses - I have tested up to 65536 - on a LAN for network simulation. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems. |
--rtn |
 |
Proteus Guru


Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
|
Posted: Tue Jan 21, 2003 4:47 pm Post subject: |
|
|
I think that package is already included in Gentoo. Just under a different name... I am currently not on my PC but when I get back I'll look it up. _________________ Greetings,
Proteus |
 |
Proteus Guru


Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
|
Posted: Mon Jan 27, 2003 11:28 pm Post subject: |
|
|
net-misc/arpd
Latest version available: 0.1
Latest version installed: [ Not Installed ]
Size of downloaded files: 35 kB
Homepage: http://www.citi.umich.edu/u/provos/honeyd/
Description: ARP reply daemon enables a single host to claim all unassigned addresses on a LAN for network monitoring or simulation
I think this should be what you searched for? _________________ Greetings,
Proteus |
 |
gladbach n00b

Joined: 15 Jun 2002 Posts: 50
|
Posted: Mon Jan 27, 2003 11:37 pm Post subject: |
|
|
arpd != honeyd. arpd is only what honeyd uses to intercept unused IP addresses to create honeypots.
kev |
 |
the_snark n00b

Joined: 17 Jan 2003 Posts: 13
|
Posted: Wed Jan 29, 2003 10:37 pm Post subject: It's almost in there |
|
|
Hiya
I submitted honeyd and all its dependencies to Bugzilla a few months ago.
libevent, and arpd have made it in, but honeyd has not. You can see my
submitted ebuild (which works great for me and my Cray :;) at:
https://bugs.gentoo.org/show_bug.cgi?id=10889
Very cool program. ::)
-- Daniel Mannarino |
 |
Proteus Guru


Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
|
Posted: Thu Jan 30, 2003 7:23 am Post subject: |
|
|
Were any reasons given for not committing it to portage (or unmasking it if it is in already)? _________________ Greetings,
Proteus |
 |
the_snark n00b

Joined: 17 Jan 2003 Posts: 13
|
Posted: Fri Feb 14, 2003 4:01 am Post subject: |
|
|
I think I confused the developer who first looked at it with my wave of
attachments. :;)
It's in now though, emerge it! ::)
-- Daniel Mannarino |
 |
gladbach n00b

Joined: 15 Jun 2002 Posts: 50
|
Posted: Sat Feb 15, 2003 1:32 pm Post subject: |
|
|
snark, think you could give a basic rundown on how you got it started and configured?
Would be much appreciated.
kev |
 |
the_snark n00b

Joined: 17 Jan 2003 Posts: 13
|
Posted: Sun Feb 16, 2003 11:00 pm Post subject: |
|
|
No problem.
I just haven't had much time to really get familiar with honeyd yet. I
mean to set up a nice honeypot at work RSN (I work at an ISP). Here is
what I did:
First, I run arpd like so:
Code: | sudo /usr/sbin/arpd -d -i eth0 192.168.2.123 |
I just picked an unused IP address. Next I run honeyd, with my prepared config file ~/config.home:
Code: | sudo /usr/sbin/honeyd -d -p /usr/share/honeyd/nmap.prints -f ~/config.home -i eth0 |
The contents of ~/config.home follow:
Code: | # First line
annotate "Cray UNICOS/mk 8.6" fragment old
create template
set template personality "Cray UNICOS/mk 8.6"
add template tcp port 23 proxy $ipsrc:23
set template default tcp action reset
bind 192.168.2.123 template
set 192.168.2.123 uptime 518324
# Last line |
And that's it. Note that in case you have a newer version of nmap,
the nmap fingerprints file can be set as
/usr/share/nmap/nmap-os-fingerprints
instead of
/usr/share/honeyd/nmap.prints
My example is pretty simple, I just wanted to impress a friend or two.
:;) I made mine based on the honeyd man page (which is complete, if
a lot to digest).
BTW, I haven't had a chance to really look at it yet, but I found this
last night, and it looks quite promising:
http://online.securityfocus.com/infocus/1659
Also note that new versions of both arpd and honeyd were just
released, though I haven't had a chance to try them. Wow, I wish I
could figure out what precisely it is that is taking up so much of my time,
as it must be pretty interesting :;)
Another note: the uptime appears to wrap after a disappointingly small
number of seconds. I had wanted my Cray to have been up for like 5
years (Hey Brad, look what I found in the basement: sudo nmap -O
xxx.xxx.xxx.xxx). Oh well, perhaps it is fixed in the new version.
Oh, one other thing (really! ::), I put the -d in for the arpd and honeyd
commands because I like to watch the connections in multiple xterms.
Leave out the -d to daemonize them.
Well, there's probably a typo in there, so don't think your setup is hosed
if it doesn't work off the bat. I was going to play with it some more
anyway, and will cut-and-paste to see if what I typed works. :;)
--Daniel Mannarino
PS To test, run "sudo nmap -O xxx.xxx.xxx.xxx" from another host |
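An added example, not part of the_snark's post and not honeyd's own code: a small Python pre-flight check for a config like the one posted above. It confirms that every personality named in the config has a matching "Fingerprint" entry in the file passed with -p, that each bind refers to a created template, and it lists proxy actions for review. The function name lint_honeyd_config is hypothetical and the fingerprint sample is constructed.

```python
import re
import shlex

# Config as posted above.
CONFIG = '''\
# First line
annotate "Cray UNICOS/mk 8.6" fragment old
create template
set template personality "Cray UNICOS/mk 8.6"
add template tcp port 23 proxy $ipsrc:23
set template default tcp action reset
bind 192.168.2.123 template
set 192.168.2.123 uptime 518324
# Last line
'''

# Constructed stand-in for the -p fingerprints file (only header lines are used).
PRINTS = '''\
Fingerprint Cray UNICOS/mk 8.6
Fingerprint Linux 2.4.18
'''

def lint_honeyd_config(config, prints):
    """Hypothetical helper: return (problems, proxies, bound)."""
    known = set(re.findall(r"^Fingerprint\s+(.+?)\s*$", prints, re.M))
    templates, bound, proxies, problems = set(), {}, [], []
    for n, line in enumerate(config.splitlines(), 1):
        tok = shlex.split(line, comments=True)  # drops '#' comments, keeps quoted names whole
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]
        if cmd == "create" and args:
            templates.add(args[0])
        elif cmd == "bind" and len(args) == 2:
            if args[1] not in templates:
                problems.append(f"line {n}: bind to undefined template {args[1]!r}")
            bound[args[0]] = args[1]
        elif cmd in ("set", "add") and args and args[0] not in templates | set(bound):
            problems.append(f"line {n}: {cmd} on unknown target {args[0]!r}")
        name = None
        if cmd == "annotate" and args:
            name = args[0]
        elif cmd == "set" and len(args) >= 3 and args[1] == "personality":
            name = args[2]
        if name is not None and name not in known:
            problems.append(f"line {n}: personality {name!r} not in fingerprints file")
        if cmd == "add" and "proxy" in args:
            proxies.append((n, args[0], args[-1]))  # relays to another address: review
    return problems, proxies, bound
```

For the posted config, lint_honeyd_config(CONFIG, PRINTS) reports no problems and one proxy action on line 5.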
 |
rtn Guru

Joined: 15 Nov 2002 Posts: 427
|
Posted: Tue Feb 18, 2003 9:03 pm Post subject: |
|
|
FYI,
honeyd 0.5 was recently released, and with that the developer has issued
the first honeyd challenge.
--rtn |
 |
the_snark n00b

Joined: 17 Jan 2003 Posts: 13
|
Posted: Sat Mar 01, 2003 6:29 am Post subject: Update |
|
|
I just sent in ebuilds for the new arpd and honeyd. The arpd one is just
a copy, the honeyd ebuild is not. Here's the link to the honeyd ebuild:
https://bugs.gentoo.org/show_bug.cgi?id=16601
BTW, I had to specify a few extra things with the new honeyd. Modifying
my example as little as possible, add in
"-a /usr/share/honeyd/nmap.assoc -x /usr/share/honeyd/xprobe2.conf"
to the honeyd command line.
-- Daniel Mannarino |
 |
axses Tux's lil' helper


Joined: 18 Mar 2003 Posts: 110
|
Posted: Sat May 03, 2003 12:48 pm Post subject: honeyd |
|
|
Okay, am very interested in honeynets. Read this topic and found it is very limiting, as the default ebuild for gentoo has only a few options.
I have found a great tutorial and package from http://www.tracking-hackers.com/solutions/
Here is the direct link to the precompiled package:
http://www.tracking-hackers.com/solutions/honeyd-kit-0.5.tgz
Everything you would need for honeyd and arpd is there.
If you wish to test my honeynet out email me at axses@axses.ch  |
 |
dead-eye n00b

Joined: 21 Aug 2003 Posts: 1
|
Posted: Thu Aug 21, 2003 5:11 pm Post subject: honeyd 0.6a |
|
|
Hi all
The ebuild with honeyd 0.5 works well, but I'd like to use version 0.6a.
Who does these ebuilds?
Could you tell someone to do a newer version?
Thanks a lot |
 |
devon l33t

Joined: 23 Jun 2003 Posts: 943
|
Posted: Thu Aug 21, 2003 11:21 pm Post subject: |
|
|
Looks like the maintainer is aliz@gentoo.org
Code: | # ChangeLog for net-analyzer/honeyd
# Copyright 2002-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2
# $Header: /home/cvsroot/gentoo-x86/net-analyzer/honeyd/ChangeLog,v 1.3 2003/07/13 11:30:11 aliz Exp $
*honeyd-0.5 (10 Mar 2003)
10 Mar 2003; Daniel Ahlberg <aliz@gentoo.org> :
Version bump. Ebuild contributed by Daniel Mannarino <thesnark@operamail.com> in #16601. |
I would file a bug report at https://bugs.gentoo.org |