Testing Your Honeyd Configuration

Chapter 6 - Honeyd Configuration
Honeypots for Windows
by Roger A. Grimes
Apress 2005

First-time honeypot administrators usually spend the first few days troubleshooting runtime errors. The key to troubleshooting any problem is to isolate it. This means starting off with the minimal Honeyd.exe command-line syntax and perhaps only one simple default template defined. Add capabilities to your runtime command line and templates to your configuration file as you resolve the early problems. Start off small, and then make baby-step changes. Once you have tested the configuration and confirmed that it’s stable, create a batch file to make the settings easy to execute.

Although you’re supposed to start Honeyd running in the locked-down user account context, start it the first few times under an administrative context. If everything works, log out and back on using the secured user account, and try again.

Once your honeypot is up and running in its full, initial configuration, attack it. Run Nmap (http://www.eeye.com/html/Research/Tools/nmapNT.html) and, if you have Unix, Xprobe2 (http://www.sys-security.com/html/projects/X.html) against it. Port-scan it. Find out how it appears to remote intruders, and see if it responds realistically to probes and fingerprinting utilities. Flood it with as much traffic as you can. See if you can cause it to crash. Make sure your Honeyd log file and monitoring tools are capturing data.

Note: The sample configuration file presented in this chapter (Listing 6-4) will run, even though the scripts have not been defined yet. It will ignore script lines for the time being.

One of the harder components to get up and running is configuring your physical network and routers to get the appropriate traffic to and from the Honeyd honeypot. You can use the following command, or something similar to it, to test and troubleshoot Honeyd on the local host, without needing to test and attack it from afar:

 route add 10.0.0.0 mask 255.0.0.0 127.0.0.1
 honeyd.exe -d -p nmaps.print -a NMAP.ASSOC -f c:\Honeyd.config -i 1 -l c:\Honeyd\Log 10.0.0.0/8
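The local test described above (probe the emulated hosts from the same machine, then confirm that the Honeyd log actually recorded each probe) can be scripted. The following is an added example, not code from the book or from the Honeyd project. It assumes the route and honeyd.exe command above are running, that emulated hosts answer inside 10.0.0.0/8, and that Honeyd's packet log is readable at the assumed path in HONEYD_LOG. The sample log lines embedded in it are constructed, in the shape of Honeyd's packet log (timestamp, protocol, an S/E/- event marker, source, destination and, for single packets, size, TCP flags and the passive OS guess in brackets).

```python
"""Local self-test for a Honeyd honeypot: probe it, then check the log.

Added example; not the book's or Honeyd's own code. Paths, hosts and
log lines are assumptions or constructed samples.
"""
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

# Assumed location of the packet log written by honeyd.exe -l.
HONEYD_LOG = r"c:\Honeyd\Log\honeyd.log"

# Constructed sample in the shape of Honeyd's packet log:
#   timestamp proto(num) event src [sport] dst [dport][: details]
# event is S (connection start), E (connection end) or - (single packet).
SAMPLE_LOG = """\
2005-01-15-10:21:03.4412 tcp(6) S 10.1.1.7 40101 10.0.0.5 80
2005-01-15-10:21:03.4420 tcp(6) - 10.1.1.7 40102 10.0.0.5 22: 60 S [Windows XP SP1]
2005-01-15-10:21:04.0010 udp(17) - 10.1.1.7 40103 10.0.0.6 53: 64
2005-01-15-10:21:05.1200 icmp(1) - 10.1.1.7 10.0.0.6: 8(0): 84
2005-01-15-10:21:06.9000 tcp(6) E 10.1.1.7 40101 10.0.0.5 80: 120 512
"""


@dataclass(frozen=True)
class LogRecord:
    timestamp: str
    proto: str
    event: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    detail: str


def parse_log_line(line: str) -> Optional[LogRecord]:
    """Parse one packet-log line; return None for blank or unrecognised lines."""
    line = line.strip()
    if not line:
        return None
    head, _, detail = line.partition(": ")   # details follow the first ': '
    fields = head.split()
    if len(fields) < 5:
        return None
    timestamp, proto_field, event = fields[0], fields[1], fields[2]
    proto = proto_field.split("(")[0]        # 'tcp(6)' -> 'tcp'
    rest = fields[3:]
    if proto in ("tcp", "udp") and len(rest) == 4:
        src, sport, dst, dport = rest
        return LogRecord(timestamp, proto, event, src, int(sport), dst, int(dport), detail)
    if len(rest) == 2:                       # icmp and other port-less protocols
        src, dst = rest
        return LogRecord(timestamp, proto, event, src, None, dst, None, detail)
    return None


def parse_log(text: str) -> List[LogRecord]:
    return [r for r in (parse_log_line(l) for l in text.splitlines()) if r]


def fingerprints(records: List[LogRecord]):
    """Passive OS guesses Honeyd attached to packets (e.g. from an Nmap run)."""
    out = []
    for r in records:
        m = re.search(r"\[(.*)\]", r.detail)
        if m:
            out.append((r.src, m.group(1)))
    return out


def unlogged_probes(probes, records: List[LogRecord]):
    """Return the TCP (dst, dport) probes that never appeared in the log."""
    seen = {(r.dst, r.dport) for r in records if r.proto == "tcp"}
    return [p for p in probes if p not in seen]


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect to an emulated host; 'open' means the handshake completed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                          # includes socket.timeout
        return "filtered"


if __name__ == "__main__":
    probes = [("10.0.0.5", 80), ("10.0.0.5", 22), ("10.0.0.6", 53)]  # assumed hosts
    for host, port in probes:
        print(f"{host}:{port} -> {probe_tcp(host, port)}")
    with open(HONEYD_LOG) as fh:
        records = parse_log(fh.read())
    for p in unlogged_probes(probes, records):
        print("probe not logged:", p)
    print("fingerprints:", fingerprints(records))
```

Run it from the honeypot host after the route is in place; a probe that answers but never appears in the log points at the -l path or the template's port definitions rather than at the network, which is the isolation the section recommends.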

Tip: If you come across errors you can’t resolve, you can e-mail me at roger@banneretcs.com or e-mail the SecurityFocus honeypot mailing list (honeypots@securityfocus.com). The mailing list is fairly active, and you should get an answer to your problem within a day.

ISBN: 1590593359