module-honeytrap

1. Description

module-honeytrap is an approach that implements the honeytrap idea by Tillmann Werner inside nepenthes.

It can run in three modes: pcap (should be generic), ipq (Linux specific) and ipfw divert sockets (FreeBSD specific, maybe works on OS X too?).

honeytrap’s mirrormode is not supported yet.

pcap

In pcap mode we listen for RST packets and open a shell emulation on the ports that were closed. pcap mode loses the first connection attempt per port, because the port is only opened after the RST answering that attempt has been seen.

ipq

In ipq mode the module checks the ip_queue for SYN traffic to unbound ports, using /proc/net/tcp as the reference for which ports are bound. If there is a SYN packet to an unbound port, it opens the port and assigns a Windows command prompt emulation to it. Then the SYN packet is let through the queue, and the connection can be accepted.

ipfw

As far as I know, divert is the FreeBSD counterpart to ip_queue on Linux. FreeBSD has a slight drawback here: there is no /proc/net/tcp to check whether a port is already bound, and the code to retrieve that data from the kernel is broken.
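The two decisions described above, "which listening ports are already bound" and "is this packet a trigger to open a port", as an added example in Python. This is not code from nepenthes or from module-honeytrap; it only reproduces the logic the text describes. The /proc/net/tcp contents, the packets and the host addresses are constructed test data, and the field layouts are those of the Linux /proc/net/tcp text format and of raw IPv4/TCP headers (no link-layer header, as one would get from ip_queue).

```python
import struct

# Constructed sample of /proc/net/tcp (not taken from a real host). Columns used here:
# local_address (hex ip:port) and st (hex state, 0A = TCP_LISTEN). Ports 22 and 53 are listening.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 100 0 0 10 0
   2: 0100000A:0016 0200000A:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 1236 1 00000000 100 0 0 10 0
"""

TCP_LISTEN = 0x0A
TH_SYN = 0x02
TH_RST = 0x04
TH_ACK = 0x10


def listening_ports(proc_net_tcp_text):
    """Return the set of local TCP ports in LISTEN state, parsed from /proc/net/tcp text."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], int(fields[3], 16)
        if state == TCP_LISTEN:
            ports.add(int(local_addr.split(":")[1], 16))
    return ports


def parse_ipv4_tcp(packet):
    """Parse a raw IPv4+TCP packet (no link-layer header).
    Returns (src_ip, dst_ip, src_port, dst_port, flags) or None if it is not IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:  # IP protocol 6 = TCP
        return None
    src_ip, dst_ip = packet[12:16], packet[16:20]
    src_port, dst_port, _seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    return src_ip, dst_ip, src_port, dst_port, off_flags & 0x01FF


def port_to_open_ipq(packet, bound_ports):
    """ipq mode: a plain SYN (not SYN/ACK) to a port nobody is listening on is the trigger.
    Returns the port to open, or None. The packet is let through the queue either way."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return None
    _src_ip, _dst_ip, _src_port, dst_port, flags = parsed
    if flags & TH_SYN and not flags & TH_ACK and dst_port not in bound_ports:
        return dst_port
    return None


def port_to_open_pcap(packet, local_ip):
    """pcap mode: an RST sent by this host answers a connection attempt to a closed port;
    the RST's source port is the port to open. That first attempt is already lost."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return None
    src_ip, _dst_ip, src_port, _dst_port, flags = parsed
    if src_ip == local_ip and flags & TH_RST:
        return src_port
    return None


def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port, flags):
    """Build a minimal 40-byte IPv4+TCP packet as constructed test input (checksums left at zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src_ip, dst_ip)
    tcp_hdr = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


HONEYPOT_IP = bytes([10, 0, 0, 1])  # assumed address of the nepenthes host (constructed)
ATTACKER_IP = bytes([10, 0, 0, 2])  # constructed


if __name__ == "__main__":
    bound = listening_ports(SAMPLE_PROC_NET_TCP)
    syn_445 = build_ipv4_tcp(ATTACKER_IP, HONEYPOT_IP, 40000, 445, TH_SYN)
    syn_22 = build_ipv4_tcp(ATTACKER_IP, HONEYPOT_IP, 40001, 22, TH_SYN)
    rst_445 = build_ipv4_tcp(HONEYPOT_IP, ATTACKER_IP, 445, 40000, TH_RST | TH_ACK)
    print("bound ports:", sorted(bound))
    print("ipq, SYN to 445:", port_to_open_ipq(syn_445, bound))
    print("ipq, SYN to 22:", port_to_open_ipq(syn_22, bound))
    print("pcap, RST from 445:", port_to_open_pcap(rst_445, HONEYPOT_IP))
```

Two points the example makes visible: in ipq mode the bound-port set must be re-read often, since ports nepenthes itself opens show up in /proc/net/tcp as LISTEN and must not be opened twice; and in pcap mode the trigger is the honeypot's own outgoing RST, which is why the first attempt on each port is lost. On FreeBSD the listening_ports() source is exactly the piece that is missing, as the text above notes.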

1.1 Links

2. Installation

configure with

--enable-pcap (on by default) and set the paths for pcap with --with-pcap-include= --with-pcap-lib=

--enable-ipq (on Linux, on by default) and set the paths for your libipq files with --with-ipq-include=/path/too --with-ipq-lib=/path/tooo

--enable-ipfw (on FreeBSD, off by default)

and verify that you get the desired result in the configure summary:

- Packet Monitoring/Sniffing
  - linux ip_queue (ipq)      : yes
  - FBSD ipfw Divert sockets  : no
  - Packet Capture Lib (pcap) : yes

was fine for me on linux.

now add

 "modulehoneytrap.so" "module-honeytrap.conf" ""

to the modules section of your nepenthes.conf

ip queue

The default mode is ipq. It requires the kernel module ip_queue to be loaded and the SYN traffic to be pushed into the ip_queue:

iptables -A INPUT -p tcp --syn -m state --state NEW  --destination-port ! 22 -j QUEUE

If you have ssh running on a port other than 22, adjust the line accordingly.

IF YOU DO NOT EXEMPT YOUR SSH PORT FROM THE QUEUE AND NO APPLICATION IS RUNNING TO ACCEPT THE PACKETS IN THE QUEUE, YOU WILL NOT BE ABLE TO CONNECT TO YOUR HOST.

pcap

pcap mode is pretty simple; just read the next section about the config file.

ipfw

I had a look at the snort_inline on FreeBSD HOWTO on rogness.net to check how this works with ipfw, and it seems you have to deal with something like:

 ipfw add divert 8000 tcp from any to any not 22 setup in

The divert port number in that rule (8000 here) must match the divert_port value in module-honeytrap.conf, and 22 is again your ssh port, to be adjusted if ssh listens elsewhere.

Thanks to Nick Rogness for helping me with the ipfw line.

3. Config File

module-honeytrap
{
        listen_mode     "ipq"; // valid values are ipq, pcap and ipfw

        pcap
        {
                device  "any"; // any should always be valid
        };

        ipfw
        {
                divert_port     "4711"; // must match the port in your ipfw divert rule
        };

        write_pcap_files        "1";   /* creates a single pcap file per accepted connection
                                           only supported in ipq and ipfw mode */

        pcap_dump_options
        {
                min_packets "3";                       // minimum number of packets, else the dump gets removed
                path    "var/log/pcap/";               // path for pcap files relative to basedir
        };

};
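The min_packets rule from pcap_dump_options, as an added example: count the records in a per-connection pcap dump and remove the file if it holds fewer than min_packets packets. This is not module-honeytrap's own code; it is a stand-alone Python implementation of the rule the comment describes, written against the classic pcap file format (24-byte global header, 16-byte record headers). The sample dumps are constructed in a temporary file, and the simulate() helper exists only to make the check reproducible.

```python
import os
import struct
import tempfile

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D  # classic pcap, nanosecond timestamps


def count_pcap_packets(path):
    """Count packet records in a classic (non-pcapng) pcap file.
    Endianness is taken from the magic number; a truncated trailing record is not counted."""
    with open(path, "rb") as fh:
        header = fh.read(24)
        if len(header) < 24:
            raise ValueError("truncated pcap global header: %s" % path)
        if struct.unpack("<I", header[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            endian = "<"
        elif struct.unpack(">I", header[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            endian = ">"
        else:
            raise ValueError("not a classic pcap file: %s" % path)
        count = 0
        while True:
            rec = fh.read(16)
            if len(rec) < 16:
                break
            _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
            if len(fh.read(incl_len)) < incl_len:
                break
            count += 1
        return count


def prune_short_dump(path, min_packets):
    """Apply the min_packets rule: remove the dump if it has fewer packets. Returns True if removed."""
    if count_pcap_packets(path) < min_packets:
        os.remove(path)
        return True
    return False


def write_sample_pcap(path, n_packets):
    """Write a constructed pcap file with n_packets dummy Ethernet-sized frames (test input only)."""
    with open(path, "wb") as fh:
        # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 = Ethernet
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1))
        for i in range(n_packets):
            frame = b"\x00" * 14 + bytes([i & 0xFF]) * 6  # constructed, not a real frame
            fh.write(struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)))
            fh.write(frame)


def simulate(n_packets, min_packets):
    """Create a constructed dump with n_packets, apply the rule, return (count, removed, still_exists)."""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_sample_pcap(path, n_packets)
        count = count_pcap_packets(path)
        removed = prune_short_dump(path, min_packets)
        return count, removed, os.path.exists(path)
    finally:
        if os.path.exists(path):
            os.remove(path)


if __name__ == "__main__":
    # A bare SYN/SYN-ACK/RST probe yields too few packets and is dropped; a real session is kept.
    print("2 packets, min 3:", simulate(2, 3))
    print("5 packets, min 3:", simulate(5, 3))
```

With min_packets "3" as in the config above, a dump that only holds the handshake of a port scan is discarded, while a connection that actually sent data is kept under var/log/pcap/ relative to basedir.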

4. Dependencies

documentation/modules/other/module-honeytrap.txt · Last modified: 2006/11/13 21:17