# honeyd?

## gladbach

Anyone gotten honeyd up and running on gentoo?  I was slightly surprised that there was not an ebuild for it yet.

I am about to set it up, I'll let you guys know how it works.

kev

----------

## Proteus

What exactly does it do?

I don't know it but if it's good I could try to get it working, too  :Wink: 

----------

## rtn

*Proteus wrote:*

> What exactly does it do?
> 
> I don't know it but if it's good I could try to get it working, too

Check out the homepage.

```
Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running certain versions of operating systems. Honeyd enables a single host to claim multiple addresses - I have tested up to 65536 - on a LAN for network simulation. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.
```

--rtn

----------

## Proteus

I think that package is already included in Gentoo. Just under a different name... I am currently not on my pc but when I get back I'll look it up.

----------

## Proteus

```
net-misc/arpd
      Latest version available: 0.1
      Latest version installed: [ Not Installed ]
      Size of downloaded files: 35 kB
      Homepage:    http://www.citi.umich.edu/u/provos/honeyd/
      Description: ARP reply daemon enables a single host to claim all unassigned addresses on a LAN for network monitoring or simulation
```

I think this should be what you searched for?

----------

## gladbach

arpd != honeyd.  arpd is only what honeyd uses to intercept unused IP addresses to create honeypots.

kev

----------

## the_snark

Hiya

I submitted honeyd and all its dependencies to Bugzilla a few months ago.  libevent and arpd have made it in, but honeyd has not.  You can see my submitted ebuild (which works great for me and my Cray :;) at:

https://bugs.gentoo.org/show_bug.cgi?id=10889

Very cool program.  ::)

--  Daniel Mannarino

----------

## Proteus

Were any reasons given for not committing it to portage (or unmasking it if it is in already)?

----------

## the_snark

I think I confused the developer who first looked at it with my wave of attachments.  :;)

It's in now though, emerge it!  ::)

-- Daniel Mannarino

----------

## gladbach

snark, think you could give a basic rundown on how you got it started and configured?

Would be much appreciated.

kev

----------

## the_snark

No problem.

I just haven't had much time to really get familiar with honeyd yet.  I mean to set up a nice honeypot at work RSN (I work at an ISP).  Here is what I did:

First, I run arpd like so:

```
sudo /usr/sbin/arpd -d -i eth0 192.168.2.123
```

I just picked an unused IP address.  Next I run honeyd, with my prepared config file ~/config.home:

```
sudo /usr/sbin/honeyd -d -p /usr/share/honeyd/nmap.prints -f ~/config.home -i eth0
```

The contents of ~/config.home follows:

```
# First line
annotate "Cray UNICOS/mk 8.6" fragment old
create template
set template personality "Cray UNICOS/mk 8.6"
add template tcp port 23 proxy $ipsrc:23
set template default tcp action reset
bind 192.168.2.123 template
set 192.168.2.123 uptime 518324
# Last line
```

And that's it.  Note that in case you have a newer version of nmap, the nmap fingerprints file can be set as /usr/share/nmap/nmap-os-fingerprints instead of /usr/share/honeyd/nmap.prints.

My example is pretty simple, I just wanted to impress a friend or two.  :;)  I made mine based on the honeyd man page (which is complete, if a lot to digest).

BTW, I haven't had a chance to really look at it yet, but I found this last night, and it looks quite promising:

http://online.securityfocus.com/infocus/1659

Also note that a new version of both arpd and honeyd were just released, though I haven't had a chance to try them.  Wow, I wish I could figure out what precisely it is that is taking up so much of my time, as it must be pretty interesting  :;)

Another note:  the uptime appears to wrap after a disappointingly small number of seconds.  I had wanted my Cray to have been up for like 5 years (Hey Brad, look what I found in the basement:  sudo nmap -O xxx.xxx.xxx.xxx).  Oh well, perhaps it is fixed in the new version.

Oh, one other thing (really!  ::), I put the -d in for the arpd and honeyd commands because I like to watch the connections in multiple xterms.  Leave out the -d to daemonize them.

Well, there's probably a typo in there, so don't think your setup is hosed if it doesn't work off the bat.  I was going to play with it some more anyway, and will cut-and-paste to see if what I typed works.  :;)

--Daniel Mannarino

PS To test, run "sudo nmap -O xxx.xxx.xxx.xxx" from another host
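Since a typo in the config only shows up as a fake host that does not answer the way you expect, here is an added example (my own code, not honeyd's, not the ebuild's, and not posted by anyone in this thread) that checks a config like the one above before the daemon is started. It parses just the directives used in that post (annotate, create, set personality, add ... port, set default ... action, bind, set uptime), confirms every personality name exists in the fingerprint file, and flags binds to templates that were never created. It assumes the fingerprint file marks each entry with a `Fingerprint <name>` line, as nmap's fingerprint file of that era does; the `NMAP_PRINTS` fragment and the `BROKEN` config are constructed for the example, and the `Host` dataclass and `check_config` function are my own names. The `-a`/`-x` options mentioned later in the thread are not covered.

```python
import copy
import re
import shlex
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional

# Constructed fragment in the style of nmap's fingerprint file: each entry
# starts with a "Fingerprint <name>" line.  Only the names matter here.
NMAP_PRINTS = """\
Fingerprint Cray UNICOS/mk 8.6
Class Cray | UNICOS | mk | general purpose
Fingerprint Linux 2.4.0 - 2.5.20
Class Linux | Linux | 2.4.X | general purpose
"""

# The ~/config.home from the post above, verbatim.
CONFIG = """\
# First line
annotate "Cray UNICOS/mk 8.6" fragment old
create template
set template personality "Cray UNICOS/mk 8.6"
add template tcp port 23 proxy $ipsrc:23
set template default tcp action reset
bind 192.168.2.123 template
set 192.168.2.123 uptime 518324
# Last line
"""

# Constructed config with two typical mistakes: a personality that is not in
# the fingerprint file, and a bind to a misspelled template name.
BROKEN = """\
create template
set template personality "Cray UNICOS/mk 8.7"
bind 192.168.2.124 tempalte
"""


@dataclass
class Host:
    template: str
    personality: Optional[str] = None
    ports: dict = field(default_factory=dict)     # (proto, port) -> action text
    defaults: dict = field(default_factory=dict)  # proto -> default action
    uptime: Optional[int] = None


def known_personalities(prints_text):
    """Names defined by 'Fingerprint <name>' lines in the fingerprint file."""
    return set(re.findall(r"^Fingerprint (.+)$", prints_text, re.M))


def check_config(text, prints_text):
    """Parse the directive subset used in the thread; return ({ip: Host}, [problems])."""
    personalities = known_personalities(prints_text)
    templates, hosts, problems = {}, {}, []

    def target(name, lineno):
        obj = templates.get(name) or hosts.get(name)
        if obj is None:
            problems.append(f"line {lineno}: {name!r} is neither a created template nor a bound address")
        return obj

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # honeyd configs use # comments
        if not line:
            continue
        tok = shlex.split(line)                    # keeps "Cray UNICOS/mk 8.6" as one token
        cmd = tok[0]
        if cmd == "annotate":                      # annotate "<personality>" ...
            if tok[1] not in personalities:
                problems.append(f"line {lineno}: annotate names unknown personality {tok[1]!r}")
        elif cmd == "create":                      # create <template>
            templates[tok[1]] = Host(template=tok[1])
        elif cmd == "set" and tok[2] == "personality":
            obj = target(tok[1], lineno)
            if obj is not None:
                obj.personality = tok[3]
                if tok[3] not in personalities:
                    problems.append(f"line {lineno}: unknown personality {tok[3]!r} (not in fingerprint file)")
        elif cmd == "set" and tok[2] == "default":  # set <name> default <proto> action <action>
            obj = target(tok[1], lineno)
            if obj is not None:
                obj.defaults[tok[3]] = tok[5]
        elif cmd == "set" and tok[2] == "uptime":   # set <name> uptime <seconds>
            obj = target(tok[1], lineno)
            if obj is not None:
                obj.uptime = int(tok[3])
        elif cmd == "add":                         # add <name> <proto> port <n> <action...>
            obj = target(tok[1], lineno)
            if obj is not None:
                obj.ports[(tok[2], int(tok[4]))] = " ".join(tok[5:])
        elif cmd == "bind":                        # bind <ip> <template>
            try:
                ip = str(ip_address(tok[1]))
            except ValueError:
                problems.append(f"line {lineno}: {tok[1]!r} is not a valid IP address")
                continue
            if tok[2] not in templates:
                problems.append(f"line {lineno}: bind refers to undefined template {tok[2]!r}")
                continue
            # The address gets its own copy, so a later "set <ip> uptime ..." (as in
            # the post) changes only that host, not every host using the template.
            hosts[ip] = copy.deepcopy(templates[tok[2]])
        else:
            problems.append(f"line {lineno}: directive not handled by this checker: {line!r}")

    for ip, host in hosts.items():
        if host.personality is None:
            problems.append(f"{ip}: template {host.template!r} sets no personality")
    return hosts, problems


if __name__ == "__main__":
    for name, cfg in (("config.home", CONFIG), ("broken", BROKEN)):
        hosts, problems = check_config(cfg, NMAP_PRINTS)
        print(name, "->", ", ".join(hosts) or "no hosts bound", "; problems:", problems or "none")
```

Run it against your own file by replacing `CONFIG` with the text of ~/config.home and `NMAP_PRINTS` with whatever file you pass to `-p`; a mismatch between the two is the most common reason a personality does not show up in an nmap -O result.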

----------

## rtn

FYI,

honeyd 0.5 was recently released, and with that the developer has issued the first honeyd challenge.

--rtn

----------

## the_snark

I just sent in ebuilds for the new arpd and honeyd.  The arpd one is just a copy, the honeyd ebuild is not.  Here's the link to the honeyd ebuild:

https://bugs.gentoo.org/show_bug.cgi?id=16601

BTW, I had to specify a few extra things with the new honeyd.  Modifying my example as little as possible, add in

```
-a /usr/share/honeyd/nmap.assoc -x /usr/share/honeyd/xprobe2.conf
```

to the honeyd command line.

-- Daniel Mannarino

----------

## axses

Okay, I am very interested in honeynets. Read this topic and found it is very limiting, as the default ebuild for gentoo has only a few options.

I have found a great tutorial and package from http://www.tracking-hackers.com/solutions/

here is the direct link to the precompiled package. 

http://www.tracking-hackers.com/solutions/honeyd-kit-0.5.tgz

Everything you would need for honeyd and arpd is there. 

 :Smile: 

If you wish to test my honeynet out email me at axses@axses.ch  :Smile: 

----------

## dead-eye

hi all

The ebuild with honeyd 0.5 works well, but I'd like to use version 0.6a.

Who does these ebuilds?

Could you tell someone to do a newer version?

thx a lot

----------

## devon

Looks like the maintainer is aliz@gentoo.org

```
# ChangeLog for net-analyzer/honeyd
# Copyright 2002-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2
# $Header: /home/cvsroot/gentoo-x86/net-analyzer/honeyd/ChangeLog,v 1.3 2003/07/13 11:30:11 aliz Exp $

*honeyd-0.5 (10 Mar 2003)

  10 Mar 2003; Daniel Ahlberg <aliz@gentoo.org> :
  Version bump. Ebuild contributed by Daniel Mannarino <thesnark@operamail.com> in #16601.
```

I would file a bug report at https://bugs.gentoo.org

----------

