Compiling honeytrap is straightforward. The configure shell script included in the source distribution must be told to compile one of the connection monitors into the program. This is done via the --with-[type]-mon option, where [type] is one of the following:
nfq | On recent Linux systems one should use the netfilter_queue-based stream monitor. Packets get delivered to honeytrap by an iptables rule like iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW -j NFQUEUE.
ipq | This enables the libipq-based connection monitoring on Linux systems. Use a rule like iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW -j QUEUE to make iptables deliver incoming connection requests to honeytrap.
pcap | The libpcap-based connection monitor is available for every system that is pcap compatible. It uses a sniffer to detect incoming connection requests.
Please note that you have to choose exactly one of the above options, otherwise configure will abort. Additionally, you can enable the Electric Fence malloc debugger by passing the --with-efence option to the script (this does not work on Xen). An example call would be:
./configure --with-efence --with-pcap-mon
To compile honeytrap, simply run make in the source directory after configure has completed without errors. You can install the required files in their proper locations by running make install.
The main configuration file is honeytrap.conf and is normally located in /etc/honeytrap. You can split your configuration into multiple files and include them in the main file by adding an include directive with the full path of each file. This comes in handy when using many explicit mode configurations for specific ports. The block
port = 25,mirror
port = 80,normal
port = 443,proxy,example.com:80
port = 1433,ignore
could be stored in /etc/honeytrap/ports.conf and included by adding the following line to your honeytrap.conf:
include = /etc/honeytrap/ports.conf
All available configuration options are explained in the distribution configuration file. Examples are given to show their usage. A typical honeytrap.conf could look like this:
pidfile = /var/run/honeytrap.pid
logfile = /var/log/honeytrap.log
response_dir = /etc/honeytrap/responses
attacks_dir = /var/spool/honeytrap/attacks
dlsave_dir = /var/spool/honeytrap/downloads
user = honeytrap_user
group = honeytrap_group
read_limit = 10485760
The read_limit line tells honeytrap to process at most 10MB of data per attack, to prevent memory exhaustion. If you want to make mirror mode the default, simply add the following line to your configuration:
mirror
When using the pcap-based connection monitor you can tell honeytrap to put network interfaces into promiscuous mode by adding the following line:
promisc
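As an added example (not honeytrap's own code), here is a small Python reader for the configuration format shown above: it follows include directives, refuses include cycles, turns bare keywords such as mirror and promisc into flags, and checks port lines against the four modes the page lists (mirror, normal, proxy with a host:port target, ignore). The comment character, the exact set of accepted modes and the strictness of the checks are assumptions for this example, not documented honeytrap behaviour; the sample files it writes are constructed from the page's own snippets.

```python
import os
import tempfile

# Assumption: only the four modes shown on the page are accepted.
MODES = {"mirror", "normal", "proxy", "ignore"}


def parse_port_spec(value):
    """Parse the value of a 'port = ...' line, e.g. '443,proxy,example.com:80'."""
    fields = [f.strip() for f in value.split(",")]
    if len(fields) < 2:
        raise ValueError(f"port line needs 'number,mode': {value!r}")
    port = int(fields[0])
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    mode = fields[1]
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r} for port {port}")
    entry = {"port": port, "mode": mode}
    if mode == "proxy":
        # proxy mode carries a third field naming the forwarding target
        if len(fields) != 3 or ":" not in fields[2]:
            raise ValueError(f"proxy mode needs a host:port target: {value!r}")
        host, _, tport = fields[2].rpartition(":")
        entry["target"] = (host, int(tport))
    elif len(fields) != 2:
        raise ValueError(f"unexpected extra fields: {value!r}")
    return entry


def load_config(path, _seen=None):
    """Read a honeytrap-style config, following 'include = /path' directives.

    Returns (options, ports). Bare keywords (mirror, promisc) become flags set
    to True; read_limit is converted to an integer. Include cycles are refused.
    Assumption: '#' starts a comment.
    """
    if _seen is None:
        _seen = set()
    real = os.path.realpath(path)
    if real in _seen:
        raise ValueError(f"include cycle at {path}")
    _seen.add(real)
    options, ports = {}, []
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if "=" not in line:
                options[line] = True  # bare flag keyword
                continue
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key == "include":
                inc_opts, inc_ports = load_config(value, _seen)
                options.update(inc_opts)
                ports.extend(inc_ports)
            elif key == "port":
                ports.append(parse_port_spec(value))
            elif key == "read_limit":
                options[key] = int(value)
            else:
                options[key] = value
    return options, ports


# Constructed sample: the page's ports.conf block, verbatim.
PORTS_CONF = """\
port = 25,mirror
port = 80,normal
port = 443,proxy,example.com:80
port = 1433,ignore
"""


def demo():
    """Write a main file that includes ports.conf into a temp dir and load it."""
    with tempfile.TemporaryDirectory() as d:
        ports_path = os.path.join(d, "ports.conf")
        main_path = os.path.join(d, "honeytrap.conf")
        with open(ports_path, "w") as f:
            f.write(PORTS_CONF)
        with open(main_path, "w") as f:
            f.write("pidfile = /var/run/honeytrap.pid\n"
                    "read_limit = 10485760\n"
                    "mirror\n"
                    f"include = {ports_path}\n")
        return load_config(main_path)


if __name__ == "__main__":
    opts, port_list = demo()
    print(opts)
    for p in port_list:
        print(p)
```

Running the module prints the merged options (with mirror set as the default flag) followed by the four port entries pulled in through the include. Validating the port lines up front is the point of a reader like this: a typo in a mode name or a proxy entry without a target is caught before the daemon is started, rather than surfacing as an unexpected handling mode on a live listener.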
After startup, honeytrap goes through an initialization phase to configure itself. This includes loading plugins, which are normally located in /etc/honeytrap/plugins, and the default responses used for connection handling in normal mode, generally placed in /etc/honeytrap/responses. You can start the program by simply calling honeytrap from the command line (assuming that your $PATH variable contains the path to the honeytrap binary). Please refer to the man page for a list of available command line options. The following command triggers a re-initialization, including loading additional plugins and new default responses:
kill -HUP `cat /var/run/honeytrap.pid`
In some cases honeytrap fails to properly apply the user and group parameters. As a workaround you can use the command line options -u and -g. If you encounter any problems, please help improve the software by reporting any installation problems to me.
honeytrap was written by Tillmann Werner.