KFSensor Vs Honeyd
Honeypot System

Sunil Gurung
Thursday, November 25, 2004

Table of Contents

1. Introduction
2. Honeypot Technology
   2.1 Attackers
   2.2 Honeypot
3. KFSensor
4. Honeyd
   4.1 Product detail
   4.2 Installation
   4.3 Some major differences between KFSensor
   4.4 How does honeyd work
   4.5 Running honeyd
   4.6 Testing honeyd
5. Conclusion
6. References
APPENDIX A

1. Introduction

It is said that a good defense is a good offense. Over the past few years, computer security scholars and the community have taken this idea into consideration and developed the concept of the honeypot. Traditionally, the focus was on the defensive side, and powerful technologies and tools such as firewalls and Intrusion Detection Systems (IDS) were developed to defend the network from intruders. Today, the community is more concerned with studying the types of attacks, the various tools used for attacking, new kinds of viruses and other security threats, so that systems can be defended more securely.

The idea behind the honeypot is to create a virtual or, in some scenarios, a real system and make it visible to attackers so that it can be probed and compromised. The system keeps track of the activities, and the logged information is later analyzed to make sure the production services and network are secured against new threats. Lance Spitzner defines honeypot technology as:

    A honeypot is security resource whose value lies in being probed, attacked, or compromised. [1]

Today, there are many commercial honeypot systems available, e.g. Specter, KFSensor and Honeynet, and there has also been a lot of development in the open source area. This paper looks in more detail at honeypot technology and the types of honeypot; the second half looks at the commercial product KFSensor and the open source software honeyd. I will discuss the similarities and differences between these software packages and detail the features of honeyd.

[1] Spitzner, Lance, "Honeypots: Tracking Hackers" (Addison Wesley 2002), p.23
2. Honeypot Technology

2.1 Attackers

The main objective of the honeypot is to lure the bad guys, or attackers. This section discusses the types of attackers and their motives. There are mainly two types of attackers:

Script Kiddies

They are more like amateurs; they don't care about the type of host or network they are compromising. They want to get into a system for fun, to prove that they can successfully hack into some system, or to expose the inadequacy of the security policy in place in an organization. For some, the main goal is to hack computers with little effort, using already existing scripts or scripts with minor changes. They are more interested in hacking a large number of computers.

Blackhat

These are more knowledgeable and more experienced with the internal workings of various communication systems and the internet, and they focus on systems of high value. They are mostly financially driven and affect the corporate and national level. They are more dangerous because of their skill level, and they operate silently.

As personal home computer users, we have a misapprehension that we are not vulnerable to attacks, but we are wrong. "In the beginning of 2002, a home network was scanned on average by 31 systems a day." Today everyone is a target of attackers, as they exploit various means to get into personal computers to obtain information such as personal data and credit card information and, at a higher level, the data and system resources of any business.

2.2 Honeypot

The main value of a honeypot lies in being attacked, so that the administrator can study the attackers and the kinds of attacks. We could therefore say that a honeypot is a tool to study the current world of security, the various threats and means. The honeypot alone can't solve or improve the security of the network. It has to work along with the existing defensive mechanisms to make the fort stronger. From the introduction, we know that the main objective of the honeypot is to collect information.
The administrator might use a honeypot for one of two purposes: production or research. A production honeypot measures the vulnerability of the existing network to outside threats. With a research honeypot, the aim is to study the attackers so as to be better equipped for future attacks.

So why is there so much talk about the honeypot? The answer is that we have to know who our enemy is. It follows the saying again: the best defense for our security is to have the best offense. The more one is aware of the current issues, the more experienced one gets. The other aspect of the honeypot is that we don't have to go around to hackers' computers to look for the information; it is very passive. It is like a bee hive: we set up a pot full of honey or sugar, and then the bees come looking for it. Similarly, we set up a system somewhere on a network and wait for hackers to come and compromise it.

2.3 Types of Honeypot

Depending upon the needs of the organization and the amount of information they want to gather from the system, a company can implement a honeypot in two forms: Low Interaction and High Interaction Honeypot.

1) Low Interaction Honeypot System

As the name indicates, we give the outsider as few activities as possible to perform on the system. They have a limited amount of access to, and interaction with, the virtual services and operating system. It is very simple to implement, by installing an off-the-shelf product like Specter or KFSensor or by implementing the open source product honeyd. It is less risky, as hackers won't have access to the main OS and can only play around with the emulated services. For example, we set up an emulated FTP service to run on port 21 and keep the system open on the network. The hackers will try to log into it. The system will record all the activities between the two parties. We could set up our honeypot to accept some commands to make the attack look real. The disadvantage of low interaction is that we are limited in the amount of information we can capture, mostly the login information and a few things after that, and we can only keep track of activities that already exist. The existence of a low interaction honeypot is detected by experienced hackers.

2) High Interaction Honeypot System

The main objective of this system is to do a full study of the attackers, so instead of providing emulated services, a real system is provided to probe. We give the hackers real interaction with the service and the operating system. We can collect more information, and we can find new information on various tools and viruses. "An excellent example of this is how a Honeynet captured encoded back door commands on a non-standard IP protocol (specifically IP protocol 11, Network Voice Protocol)." [2] Examples of high interaction honeypot systems are Symantec Decoy Server and Honeynet.

[2] Spitzner, Lance, "Honeypots Definitions and Value of Honeypots", http://www.tracking-hackers.com/papers/honeypots.html

3. KFSensor

KFSensor serves both as a honeypot and as an intrusion detection system. It is Windows-based software with a graphical user interface monitoring system. KFSensor is a low interaction honeypot which emulates preconfigured services and also programmable services. The software keeps track of all the communication between the server and the outside party. The detailed features and installation procedure for this software are explained in my first paper, "KFSensor Honeypot and Intrusion Detection System". Please refer to that paper for a detailed explanation. Here I will present some features, functionalities and tests for comparison.

The main component of KFSensor is the KFSensor server, which listens for all the configured services on both TCP and UDP ports. The main point of contact for the attacker is the server, and it runs as a UNIX daemon. The monitor has a GUI part that displays all the activities and all the

Configuring KFSensor is very easy, as it has a GUI and a simple wizard to help in the process. The most important part is configuring the scenarios. A scenario consists of a list of currently running services on various ports, known as "Listens". Each listen in a scenario can be edited, and new ones can be added. The basic setup consists of providing the port number, the protocol used, the binding IP address and the action to take if activity is detected on the listening port; rules can also be set. The other important setup is the Sim Server, which stands for simulated server. With this, KFSensor can simulate popular web, FTP and SSH servers. We could choose from the preconfigured servers like Apache, IIS or some other FTP server, or we could make one using banners. The software can also be configured to take care of DOS attacks, all the logged data can be imported in different formats, and the logged files can be saved directly into the database.

Some of the other features are:

1) The GUI and easy wizard make it simple, and it is really flexible. It can handle anything from a simple echo to other servers.
2) We can customize multiple scenarios based on our test.
3) It can listen on both TCP and UDP ports.
4) Use of banners for programmable servers.
5) HTTP and SMTP.
6) Event alerts and database compatibility.

4. Honeyd

Honeyd is a low interaction, freely available, open source, prepackaged virtual honeypot solution. The software was developed by Niels Provos of the University of Michigan. Since it is open source, the program is constantly developing and evolving, with new features and functionality from contributors all around. The source code is available to download and customize to one's requirements, such as designing one's own emulated services. The low interaction classification of honeyd means that it only allows emulating the services and doesn't allow the attacker to interact with the operating system of the honeypot. As with KFSensor, the services can be run on any TCP port. The main objective of both software packages is to lure the attacker, deceive them and capture their activity.

Honeyd is a daemon application which enables the setup of multiple virtual honeypots on a single machine. The most important difference from KFSensor is the personality feature. This feature allows configuring each production honeypot with the personality of an OS IP stack, and it binds a script to the emulated port to simulate the service. Honeyd also allows emulating complex network architectures and their characteristics.

4.1 Product Detail

Software: honeyd
Version: honeyd 0.8
License: open source
Download site: http://honeyd.org
OS: Windows, Linux, Unix - Solaris

4.2 Installation

There are other libraries and packages that need to be downloaded:

1) ARPD
   Download arpd-0.1.tar.gz from http://www.citi.umich.edu/u/provos/honeyd/arpd-0.1.tar.gz
2) Library dependencies
   - libevent-0.8a.tar.gz
   - libpcap-0.8.3.tar.gz

Basic Installation:

One has to log in as the root user.
Create a folder called /honeyd_packages.
Extract and install libevent and libpcap.

Extract the libevent package:

    # tar -zvxf libevent-0.8a.tar.gz

Compile libevent:

    # cd libevent-0.8a
    (Note: pwd is /honeyd_packages/libevent-0.8a)
    # ./configure
    # make
    # make install

Similarly, we can extract the other files, and the system is ready for testing. Before that, I will explain how honeyd works.

4.3 Some major differences between KFSensor

Honeyd was originally designed for Unix systems, but today honeyd is capable of running on most Linux distributions, and recently it was ported to the Windows environment too. KFSensor is designed only for Windows. Honeyd is primarily designed as a production, lower-level honeypot, so to give the attacker the illusion of a real system it has more powerful features than KFSensor. The software is very flexible and robust.

- One of the main differences between honeyd and KFSensor is that KFSensor uses the computer's IP for the main KFSensor server. So when the host is probed, the IP the attacker gets is that of the real system running the server. Honeyd, on the other hand, uses one of the unused IPs in the network and basically creates a virtual host with the honeypot running. In the past few years, honeyd has been tested using almost 60,000 IPs at one time. Basically, honeyd monitors a large number of hosts and networks that don't even exist. [3]
- Honeyd can only listen on TCP ports, whereas KFSensor listens on both TCP and UDP ports.
- One of the main features of honeyd is that it emulates various operating systems. Currently honeyd is capable of emulating almost 437 different OSes, routers and switches. The detail of this design is described in the sections below. Honeyd makes use of Nmap fingerprinting for this process. In other words, it also emulates the IP stack, so that when utilities like nmap are used to scan the host, honeyd responds as the configured OS. KFSensor is not capable of this emulation and is limited to creating various services.
- Since the software is open source, most of the scholars in the community contribute to its development, making the software better with more emulated services. As the software evolves in the years to come, honeyd's ability to detect and capture attacks will grow exponentially.
- It is free of charge, while KFSensor costs some money.

[3] Spitzner, Lance, "Honeypots: Tracking Hackers" (Addison Wesley 2002), p.77

4.4 How does Honeyd work
As with most low interaction honeypots, when a connection is made to one of the TCP ports, the interaction with the service is captured. Honeyd makes use of the unused IP addresses on the network. The main components of honeyd are:

I. Configuration file

The configuration file is where we define the personality of the OS or the router and define the various TCP ports on which the virtual services run. As said before, in one config file we can configure any number of OSes and routers with different services. Below is an example of the configuration file.

    # Example of a simple host template and its binding
    annotate "AIX 4.0 - 4.2" fragment old
    create template
    set template personality "AIX 4.0 - 4.2"
    add template tcp port 80 open
    add template tcp port 22 open
    add template tcp port 23 open
    set template default tcp action reset
    bind 192.168.1.80 template

At the top level we have to create a system: any OS, or a router. So we start with the create command followed by the name of the system. In the example above, the system is named template. It is followed by a set of "set" and "add" commands to add the various services. After the system is named, we have to set what kind of personality the system has; here it is set to AIX 4.0 - 4.0. It is important that the system fingerprint matches the details in nmap.print. This is the main configuration that fools nmap when the honeypot is scanned using the nmap utility. A series of tcp ports is added after the personality is set. Above we have opened ports 80, 22 and 23. As with a regular tcp connection, a port can be open, closed or reset. The bind command binds the name of the system, here template, to an IP address that is not used by a real system in the network.

II. The nmap fingerprinting files nmap.print and xprobe2

Honeyd uses nmap fingerprinting files to create the network stack behavior of a virtual honeypot. The fingerprints are similar to the one below:

    Fingerprint IRIX 6.5.15m on SGI O2
    TSeq(Class=TD%gcd=<104%SI=<1AE%IPID=I%TS=2HZ)
    T1(DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNTNNM)
    T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
    T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
    T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
    T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
    T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
    PU(Resp=N)

The file data above gives the detailed initial connection procedure of a particular system. The values are used for the initial three-way handshake that makes the connection. The details of the implementation of the fingerprinting can be found in the abstract by Niels Provos, at http://niels.xtdnet.nl/papers/honeyd-eabstract.pdf.

III. Scripts for running the services

To run a service, one has to program a perl script to simulate ftp or other services. The package comes with 5 - 6 different kinds of scripts, and others can be downloaded from the site for free, as it is open source.

4.5 Running Honeyd

Honeyd is assigned an IP address that is not used by any system on the network. Attackers are therefore probing a system that doesn't exist, and it is assumed that such activity is usually hostile, most likely a scan or an attack. The main concern now is how we redirect the traffic to a system that doesn't even exist. We can't configure honeyd to do that; we have to get the traffic to honeyd. There are various ways one can implement that. For test purposes I used ARP spoofing, but one can also configure the router to have a static route where the IP of the host running honeyd should point to the IP of a virtual honeypot. Arpd is software developed by Dug Song; what it does is find the non-existing systems on the network and forward any connection to them to the honeypot. This principle is called ARP spoofing. Another way to forward the traffic is using proxy ARP.

4.6 Testing with honeyd

Tests of the FTP and HTTP servers were conducted and compared with KFSensor.

The honeypot was set up with a configuration that opened port 21 and ran the FTP script downloaded from the internet. Honeyd was run on a Linux Fedora box, since we didn't have to use any router configuration for traffic forwarding. The arpd utility fulfilled that purpose. The router used was a DLINK (4 ports, for DSL/Cable). The IP subnet is 192.168.0.0/24. The IP address of the host is 192.168.1.122 and the IP address of the virtual honeypot is 192.168.0.121.

First, the arpd utility was run to forward the non-existing IP, that is 192.168.0.121, to the honeypot, using the following command:

Then the honeypot was run as a daemon:

The options for the honeyd command can be found in Appendix A.

1) Running FTP in honeyd: result

We can see that we initiated a connection to the honeypot system 192.168.0.121 and the server responded with some responses.

The same test performed in KFSensor: FTP emulation

Aim: To interact with the FTP simulator and to see whether the KFSensor server responds with correct information.

Description: Using telnet, we will try to establish a connection through port 21 and perform some functions on the decoy ftp server, IP 137.207.238.113.

Test Condition: The screenshot explains the test condition.

Results:

Conclusion: The event was generated as the connection was closed. The FTP listener keeps track of the visitor information, port number and domain. It also keeps track of the username and password used to gain access and the various transactions made during the connection period.

3) HTTP connection

The server responded with the index page, which had the text: This Site is under construction.

From this testing I found that both had good results in providing the services with the right result. KFSensor was better because it had a user-friendly GUI. The results were easy to read and interpret. On the other hand, honeyd was very hard to configure, and there are very limited services available at present. One of the two most significant features of honeyd, which I was not able to test due to the lack of resources, is creating a virtual network. I present here the configuration file and the test conducted by the author of honeyd. The sample examples here are taken from his abstract.

    route entry 10.0.0.1
    route 10.0.0.1 link 10.0.0.0/24
    route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
    route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
    route 10.1.0.1 link 10.1.0.0/24
    route 10.2.0.1 link 10.2.0.0/24
    create routerone
    set routerone personality "Cisco 7206 running IOS 11.1(24)"
    set routerone default tcp action reset
    add routerone tcp port 23 "scripts/router-telnet.pl"
    create netbsd
    set netbsd personality "NetBSD 1.5.2 running on a Commodore Amiga (68040 processor)"
    set netbsd default tcp action reset
    add netbsd tcp port 22 proxy $ipsrc:22
    add netbsd tcp port 80 "sh scripts/web.sh"
    bind 10.0.0.1 routerone
    bind 10.1.0.2 netbsd

The configuration above presents the routing topology and defines two personalities, routerone and netbsd. The result from the traceroute:

    $ traceroute -n 10.3.0.10
    traceroute to 10.3.0.10 (10.3.0.10), 64 hops max
     1  10.0.0.1   0.456 ms   0.193 ms   0.93 ms
     2  10.2.0.1   46.799 ms  45.541 ms  51.401 ms
     3  10.3.0.1   68.293 ms  69.848 ms  69.878 ms
     4  10.3.0.10  79.876 ms  79.798 ms  79.926 ms
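A consistency check for honeyd configuration files of the kind shown in this section, added here as an example (it is not part of the original paper or of honeyd itself). It verifies that each personality matches a name in the nmap-style fingerprint file, that each bind refers to a created template and, as an assumption of this example, that bound addresses fall inside a network declared with `route ... link`; the function names and both sample inputs are constructed.

```python
import ipaddress
import shlex

# Constructed inputs: only the "Fingerprint" name lines matter for this check.
SAMPLE_PRINTS = """\
Fingerprint IRIX 6.5.15m on SGI O2
Fingerprint Cisco 7206 running IOS 11.1(24)
Fingerprint NetBSD 1.5.2 running on a Commodore Amiga (68040 processor)
"""

# Constructed config with three deliberate mistakes (aix personality,
# 10.3.0.10 outside every linked network, undefined template "ghost").
SAMPLE_CONFIG = """\
route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
create routerone
set routerone personality "Cisco 7206 running IOS 11.1(24)"
create netbsd
set netbsd personality "NetBSD 1.5.2 running on a Commodore Amiga (68040 processor)"
create aix
set aix personality "AIX 4.0 - 4.0"
bind 10.0.0.1 routerone
bind 10.1.0.2 netbsd
bind 10.3.0.10 aix
bind 10.1.0.9 ghost
"""

def fingerprint_names(prints_text):
    """Names that follow the 'Fingerprint' token in an nmap-style prints file."""
    return {line[len("Fingerprint "):].strip()
            for line in prints_text.splitlines()
            if line.startswith("Fingerprint ")}

def lint_config(config_text, prints_text):
    """Return a list of human-readable findings; an empty list means consistent."""
    known = fingerprint_names(prints_text)
    templates, personalities, links, binds = set(), {}, [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)  # keeps quoted personality names as one token
        if tok[0] == "create" and len(tok) == 2:
            templates.add(tok[1])
        elif tok[0] == "set" and len(tok) == 4 and tok[2] == "personality":
            personalities[tok[1]] = tok[3]
        elif tok[0] == "route" and len(tok) == 4 and tok[2] == "link":
            links.append(ipaddress.ip_network(tok[3]))
        elif tok[0] == "bind" and len(tok) == 3:
            binds.append((ipaddress.ip_address(tok[1]), tok[2]))
    findings = []
    for name, pers in personalities.items():
        if pers not in known:
            findings.append(f"template {name}: personality {pers!r} not in fingerprint file")
    for ip, name in binds:
        if name not in templates:
            findings.append(f"bind {ip}: template {name!r} is never created")
        if links and not any(ip in net for net in links):
            findings.append(f"bind {ip}: not inside any 'route ... link' network")
    return findings

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG, SAMPLE_PRINTS):
        print(finding)
```

A personality that does not match a fingerprint name exactly is the mistake this catches most often, since the scanner-facing behaviour depends on that lookup.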
The virtual network feature makes honeyd more powerful than KFSensor, as it can create a virtual network topology.

5. Conclusion

From all the observations and testing, honeyd is indeed a good honeypot solution, as it provides OS mimicry, which KFSensor doesn't, and also the virtual network topology. On the other hand, it is very hard to configure, while the KFSensor GUI makes it easier to understand and faster to implement.

6. References

1. Lance Spitzner, "Honeypots: Tracking Hackers" (Addison Wesley 2002)
2. http://www.keyfocus.net/kfsensor/ - User manual - Website
3. The Norton antivirus software website - http://www.symantec.com/index.htm
4. http://www.honeyd.org/
5. Provos, Niels, "Honeyd: A Virtual Honeypot Daemon", University of Michigan. http://niels.xtdnet.nl/papers/honeyd-eabstract.pdf

APPENDIX A

NAME
    honeyd - Honeypot Daemon

SYNOPSIS
    honeyd [-dPW] [-l logfile] [-p fingerprints] [-x xprobe] [-a assoc] [-f file] [-i interface] [net ...]

DESCRIPTION
    honeyd creates virtual hosts for IP addresses matching the specified net. It can simulate any TCP and UDP service. It replies to ICMP echo requests. Currently, all UDP ports are closed by default and honeyd will reply with an ICMP unreachable port message if the configured personality permits that.

    This enables a single host to claim addresses on a LAN for network simulation. The net argument may contain multiple addresses and network ranges.

    In order for honeyd to receive network traffic for IP addresses that it should simulate, it is necessary to either explicitly route traffic to it, use proxy arp or run arpd(8) for unassigned IP addresses on a shared network.

    honeyd exits on an interrupt or termination signal.

    The options are as follows:

    -d  Do not daemonize, and enable verbose debugging messages.

    -P  On some operating systems, it is not possible to get event notifications for pcap via select(3). In that case, honeyd needs to run in polling mode. This flag enables polling.

    -W  Print a list of interfaces. ** WIN32 ONLY **

    -l logfile
        Log packets and connections to the logfile specified by logfile.

    -p fingerprints
        Read nmap style fingerprints. The names defined after the token are stored as personalities. The personalities can be used in the configuration file to modify the behaviour of the simulated TCP stack.

    -x xprobe
        Read xprobe style fingerprints. This file determines how honeyd reacts to ICMP fingerprinting tools.

    -a assoc
        Read the file that associates nmap style fingerprints with xprobe style fingerprints.

    -f file
        Read the configuration in file. It is possible to create host templates with the configuration file that specify which servers should run and which scripts should be started to simulate them.

    -i interface
        Listen on interface.

    net The IP address or network (specified in CIDR notation) or IP address ranges to claim (e.g. ``10.0.0.3'', ``10.0.0.0/16'' or ``10.0.0.5-10.0.0.15''). If unspecified, honeyd will attempt to claim any IP address it sees traffic for.
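The emulated FTP service from sections 2.3 and 4.6, sketched in the style of a honeyd service script, which talks to the client over standard input and output. This is an added example, not one of the scripts shipped with honeyd or KFSensor; the banner text, the reply wording, the argument order and the log path are assumptions. It records each command and never grants a login, and it escapes client input before logging so a visitor cannot forge log lines.

```python
import json
import sys
import time

MAX_ARG = 128  # cap on logged argument length (assumed value)

def sanitize(text, limit=MAX_ARG):
    """Escape control characters and cap length so client input cannot forge log lines."""
    return text[:limit].encode("unicode_escape").decode("ascii")

class FtpDecoy:
    """Emulated FTP dialogue: records what the client sends, never grants a login."""
    BANNER = "220 FTP server ready."  # constructed banner text

    def __init__(self, peer):
        self.peer = peer
        self.user = None
        self.events = []

    def handle(self, line):
        """Return (reply, keep_open) for one client line and record the command."""
        cmd, _, arg = line.strip().partition(" ")
        cmd, arg = cmd.upper(), sanitize(arg)
        self.events.append({"ts": time.time(), "peer": self.peer,
                            "cmd": sanitize(cmd, 16), "arg": arg})
        if cmd == "USER":
            self.user = arg
            return f"331 Password required for {arg}.", True
        if cmd == "PASS":
            if self.user is None:
                return "503 Login with USER first.", True
            return "530 Login incorrect.", True  # every password is rejected
        if cmd == "QUIT":
            return "221 Goodbye.", False
        return "530 Please login with USER and PASS.", True

def serve(stdin, stdout, peer, log):
    """Run one session: replies go to stdout, one JSON event per line goes to log."""
    decoy = FtpDecoy(peer)
    stdout.write(decoy.BANNER + "\r\n")
    stdout.flush()
    for line in stdin:
        reply, keep_open = decoy.handle(line)
        stdout.write(reply + "\r\n")
        stdout.flush()
        log.write(json.dumps(decoy.events[-1]) + "\n")
        if not keep_open:
            break
    return decoy.events

if __name__ == "__main__":
    # argv[1]: peer address, argv[2]: log path; both are hypothetical conventions.
    peer = sys.argv[1] if len(sys.argv) > 1 else "unknown"
    path = sys.argv[2] if len(sys.argv) > 2 else "ftp-decoy.log"
    with open(path, "a") as log:
        serve(sys.stdin, sys.stdout, peer, log)
```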