First-time honeypot administrators usually spend the first few days troubleshooting runtime errors. The key to troubleshooting any problem is to isolate it. That means starting with the minimal Honeyd.exe command-line syntax and perhaps only one simple default template defined, then adding options to the command line and templates to the configuration file one at a time as you resolve the early problems. Start small and make baby-step changes, so that when something breaks you know which change broke it. Once you have tested the configuration and confirmed that it is stable, put the command line in a batch file so the settings are easy to execute the same way every time.
Although Honeyd is supposed to run in the locked-down user account context, start it the first few times under an administrative context so that permission problems do not get mixed in with configuration problems. If everything works, log out, log back on using the secured user account, and try again; anything that fails only then is a permissions issue on the files, directories, or interface the locked-down account needs.
Once your honeypot is up and running in its full initial configuration, attack it. Run Nmap (http://www.eeye.com/html/Research/Tools/nmapNT.html) and, if you have a Unix machine available, Xprobe2 (http://www.sys-security.com/html/projects/X.html) against it. Port-scan it. Find out how it appears to a remote intruder and whether it responds realistically to probes and fingerprinting utilities: the operating system Nmap guesses should match the personality you assigned in the template, and the open ports it reports should be exactly the ports your template binds. Then flood it with as much traffic as you can and see whether you can make it crash. Finally, make sure your Honeyd log file and monitoring tools captured the scan; a honeypot that answers probes but does not record them is of little use.
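The last check above, confirming that the scan you just ran actually landed in the Honeyd log, is easy to automate. The script below is an added example written for this edit; it is not from the book and not part of Honeyd. The sample log lines are constructed in the layout of Honeyd's packet log (the file named by -l) as I know it, with S for a new flow, E for a flow that ended, and - for a packet that opened no flow; compare them against your own log before relying on the regular expression, and note that the parser counts and skips any line it cannot read rather than stopping. The addresses, port list, and the min_ports threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Honeyd's packet log: timestamp,
# protocol(number), event flag (S = new flow, E = flow ended, - = packet
# that opened no flow), source address and port, destination address and
# port, then either a bracketed passive OS fingerprint (S lines) or
# ": <byte counts>" (E and - lines). Not a real capture. The icmp line is
# laid out differently on purpose, to exercise the skip path.
SAMPLE_LOG = """\
2005-03-01-14:04:31.1234 tcp(6) S 192.168.1.50 40001 10.0.0.5 21 [Linux 2.4.xx]
2005-03-01-14:04:31.2234 tcp(6) S 192.168.1.50 40002 10.0.0.5 22 [Linux 2.4.xx]
2005-03-01-14:04:31.3234 tcp(6) S 192.168.1.50 40003 10.0.0.5 25 [Linux 2.4.xx]
2005-03-01-14:04:31.4234 tcp(6) S 192.168.1.50 40004 10.0.0.5 80 [Linux 2.4.xx]
2005-03-01-14:04:31.5234 tcp(6) S 192.168.1.50 40005 10.0.0.5 443 [Linux 2.4.xx]
2005-03-01-14:04:32.0000 udp(17) - 192.168.1.50 40006 10.0.0.5 53: 48
2005-03-01-14:04:32.1000 icmp(1) - 192.168.1.50 10.0.0.5: 84 (8:0)
2005-03-01-14:04:40.0000 tcp(6) E 192.168.1.50 40004 10.0.0.5 80: 120 340
2005-03-01-14:05:02.0000 tcp(6) S 172.16.9.9 51000 10.0.0.5 80 [Windows XP SP1]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp)\((?P<pnum>\d+)\) (?P<event>[SE-]) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dport>\d+)"
    r"(?::\s*(?P<extra>[^\[]*))?(?:\s*\[(?P<os>[^\]]*)\])?\s*$"
)


def parse_honeyd_log(text):
    """Parse packet-log lines into dicts; unreadable lines are counted, not fatal."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        r = m.groupdict()
        r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
        records.append(r)
    return records, skipped


def ports_touched(records):
    """Map each source to the destination ports it hit (S and - events only)."""
    touched = defaultdict(set)
    for r in records:
        if r["event"] in ("S", "-"):
            touched[r["src"]].add(r["dport"])
    return touched


def find_port_scans(records, min_ports=5):
    """Sources that touched at least min_ports distinct ports, with the ports sorted."""
    return {src: sorted(ps) for src, ps in ports_touched(records).items()
            if len(ps) >= min_ports}


def missing_ports(records, target, expected):
    """Ports you scanned on target that never appeared in the log (should be empty)."""
    seen = {r["dport"] for r in records
            if r["dst"] == target and r["event"] in ("S", "-")}
    return sorted(p for p in expected if p not in seen)


def fingerprints(records):
    """Last passive OS fingerprint Honeyd recorded for each source."""
    fps = {}
    for r in records:
        if r["os"]:
            fps[r["src"]] = r["os"]
    return fps


if __name__ == "__main__":
    recs, skipped = parse_honeyd_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {skipped} skipped")
    for src, ports in find_port_scans(recs).items():
        print(f"scan from {src}: ports {ports}")
    # Assumed: the ports you told Nmap to scan against the 10.0.0.5 template.
    print("not logged:", missing_ports(recs, "10.0.0.5", [21, 22, 80, 139, 445]))
    print("fingerprints:", fingerprints(recs))
```

Run it with your real log in place of SAMPLE_LOG and the port list you gave Nmap; any port in the "not logged" list is a port the honeypot either did not receive or did not record, which is exactly the gap you want to find now rather than after a real intrusion.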
Note: The sample configuration file presented in this chapter (Listing 6-4) will run even though the scripts have not been defined yet; Honeyd ignores the script lines for the time being.
One of the harder components to get up and running is configuring your physical network and routers to get the appropriate traffic to and from the Honeyd honeypot. Before you tackle that, you can use the following two commands, or something similar to them, to test and troubleshoot Honeyd on the local host, without needing to test and attack it from afar:
route add 10.0.0.0 mask 255.0.0.0 127.0.0.1
honeyd.exe -d -p nmap.prints -a nmap.assoc -f c:\Honeyd.config -i 1 -l c:\Honeyd\Log 10.0.0.0/8
The first command steers the 10.0.0.0/8 honeypot range to the loopback address so that probes launched from the same machine have somewhere to go. The second starts Honeyd in debug mode (-d, so it stays in the foreground and prints errors to the console), with the Nmap fingerprint file (-p) and fingerprint association file (-a), your configuration file (-f), the interface to listen on (-i), the log file (-l), and finally the network Honeyd should answer for. The network on the command line must cover the addresses used in your templates and must match the range you routed; mismatches between these three places are the most common reason a template never answers. The route does not survive a reboot, and you should delete it (route delete 10.0.0.0) once you move to testing over the real network, or the honeypot range will keep going to loopback.
Tip: If you come across errors you can't resolve, you can e-mail me at roger@banneretcs.com or e-mail the SecurityFocus honeypot mailing list (honeypots@securityfocus.com). The mailing list is fairly active, and you should get an answer to your problem within a day.