Honeypots: honeyd with arpd

honeyd with arpd

From: Stacy Olivas <olivas_at_digiflux.org>
Date: Sun, 27 Oct 2002 23:59:14 +0100

One more thing:

I also tried the arpd program that was suggested on the honeyd homepage,
but it would only print:

arpd[12457]: listening on fxp0: arp and not ether src 00:ff:ff:ff:ff:ff

and then exit...

So, I took a look at the source and found that honeyd uses the same
routines as arpd for receiving data, but with a few minor modifications for
the -P polling mode option. So, I patched my arpd.c file and came up
with these changes that make arpd work like honeyd in polling mode (use
-P like with honeyd):

patch follows:
------------------
*** arpd.c Mon Apr 15 17:42:34 2002
--- arpd.c.new Sun Oct 27 23:53:11 2002
***************
*** 3,8 ****
--- 3,11 ----
   *
   * Copyright (c) 2001, 2002 Dug Song <dugsong_at_monkey.org>
   * Copyright (c) 2002 Niels Provos <provos_at_citi.umich.edu>
+ *
+ * Modified by Stacy Olivas (olivas_at_eurisko.ws/olivas_at_digiflux.org) on
27 Oct 2002
+ * - Added -P option for polling mode
   *
   * $Id: arpd.c,v 1.15 2002/04/15 15:42:34 dugsong Exp $
   */
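Review bot: the added attribution comment is folded mid-line ("... on" / "27 Oct 2002"), so the continuation line has neither the leading "+" nor the " *" comment prefix and the hunk will not apply as shown; this looks like mail-client line wrapping, so send the patch as an attachment (or keep comment lines under 72 columns) and fold the date onto the " * Modified by" line.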
***************
*** 30,35 ****
--- 33,40 ----
  #include <dnet.h>
  #include "tree.h"
  
+ //#define ARPD_POLL_INTERVAL {0, 10}
+ #define ARPD_POLL_INTERVAL {0, 10000}
  #define ARPD_MAX_ACTIVE 600
  #define ARPD_MAX_INACTIVE 300
  
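Review bot: the commented-out `//#define ARPD_POLL_INTERVAL {0, 10}` is dead code and should be dropped rather than left beside the live definition; `//` comments are also C++/C99 style where the rest of this file uses `/* */`. Since the macro is a struct timeval initializer, `{0, 10000}` means 10 milliseconds; a short comment stating that the second field is microseconds would prevent exactly the 10-versus-10000 confusion the dead line hints at.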
***************
*** 66,76 ****
  static eth_t *arpd_eth;
  static struct intf_entry arpd_ifent;
  static int arpd_sig;
  
  static void
  usage(void)
  {
! fprintf(stderr, "Usage: arpd [-d] [-i interface] [net]\n");
          exit(1);
  }
  
--- 71,84 ----
  static eth_t *arpd_eth;
  static struct intf_entry arpd_ifent;
  static int arpd_sig;
+ static int arpd_dopoll;
+
+ //struct timeval tv;
  
  static void
  usage(void)
  {
! fprintf(stderr, "Usage: arpd [-d] [-P] [-i interface] [net]\n");
          exit(1);
  }
  
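Review bot: `//struct timeval tv;` is leftover development scaffolding (the timeval is declared locally in both places it is used) and should be removed. The usage string now advertises -P, but nothing on the page describes what it does; a one-line description in the usage output or the man page ("poll the capture descriptor instead of waiting for it to become readable") would tell users when they need it.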
***************
*** 327,337 ****
  static void
  arpd_recv(int fd, short type, void *ev)
  {
! event_add((struct event *)ev, NULL);
          
          if (pcap_dispatch(arpd_pcap, -1, arpd_recv_cb, NULL) < 0)
                  syslog(LOG_ERR, "pcap_dispatch: %s",
pcap_geterr(arpd_pcap));
  }
   
  void
  terminate_handler(int sig)
--- 335,356 ----
  static void
  arpd_recv(int fd, short type, void *ev)
  {
! if (!arpd_dopoll)
! event_add((struct event *)ev, NULL);
          
          if (pcap_dispatch(arpd_pcap, -1, arpd_recv_cb, NULL) < 0)
                  syslog(LOG_ERR, "pcap_dispatch: %s",
pcap_geterr(arpd_pcap));
  }
+
+ static void
+ arpd_poll_recv(int fd, short type, void *ev)
+ {
+ struct timeval tv = ARPD_POLL_INTERVAL;
+
+ timeout_add(ev, &tv);
+
+ arpd_recv(fd, type, ev);
+ }
   
  void
  terminate_handler(int sig)
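Review bot: the `if (!arpd_dopoll)` guard in arpd_recv is correct and necessary, because in polling mode `ev` is the timer event created by `timeout_set`, and calling `event_add(ev, NULL)` on it would re-add the event with no timeout; arpd_poll_recv already re-arms it with `tv`. Re-arming before `arpd_recv` runs is fine (libevent turns the timeval into an absolute deadline at `timeout_add` time, so the local `tv` need not outlive the call), but note that the effective period is 10 ms plus however long `pcap_dispatch(arpd_pcap, -1, ...)` blocks: on a blocking bpf descriptor with no ARP traffic it returns only when the capture read timeout expires, and every other event, including the SIGINT-driven shutdown, waits behind it. If your libpcap is 0.7 or later, `pcap_setnonblock()` on the handle (or a short timeout argument to `pcap_open_live`) keeps the loop responsive.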
***************
*** 363,370 ****
          dev = NULL;
          debug = 0;
          
! while ((c = getopt(argc, argv, "di:h?")) != -1) {
                  switch (c) {
                  case 'd':
                          debug = 1;
                          break;
--- 382,392 ----
          dev = NULL;
          debug = 0;
          
! while ((c = getopt(argc, argv, "Pdi:h?")) != -1) {
                  switch (c) {
+ case 'P':
+ arpd_dopoll = 1;
+ break;
                  case 'd':
                          debug = 1;
                          break;
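Review bot: the option parsing is fine, but with -P being a bare flag the poll interval is fixed at compile time by ARPD_POLL_INTERVAL; taking an optional argument (for example `-P interval` in milliseconds, validated with strtol and rejected if non-positive) would let the interval be tuned per host without rebuilding, and would make the usage string self-explanatory.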
***************
*** 403,413 ****
          chmod(PIDFILE, 0644);
  
          event_init();
!
! event_set(&recv_ev, pcap_fileno(arpd_pcap), EV_READ,
! arpd_recv, &recv_ev);
! event_add(&recv_ev, NULL);
!
          /* Setup signal handler */
          if (signal(SIGINT, terminate_handler) == SIG_ERR) {
                  perror("signal");
--- 425,442 ----
          chmod(PIDFILE, 0644);
  
          event_init();
!
! if (!arpd_dopoll) {
! event_set(&recv_ev, pcap_fileno(arpd_pcap), EV_READ,
! arpd_recv, &recv_ev);
! event_add(&recv_ev, NULL);
! } else {
! struct timeval tv = ARPD_POLL_INTERVAL;
! syslog(LOG_INFO, "switching to polling mode");
! timeout_set(&recv_ev, arpd_poll_recv, &recv_ev);
! timeout_add(&recv_ev,&tv);
! }
!
          /* Setup signal handler */
          if (signal(SIGINT, terminate_handler) == SIG_ERR) {
                  perror("signal");
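Review bot: in the else branch the EV_READ event is never registered, so the bpf descriptor is never handed to kqueue; that is what sidesteps the "Kqueue does not recognize bpf filedescriptor" failure reported earlier in this thread, and a comment saying so would help the next reader. The honeyd page's documented alternative, setting EVENT_NOKQUEUE=yes so libevent falls back to poll/select, reaches the same result with an unmodified arpd and is worth mentioning next to -P in the usage text. Minor style: `timeout_add(&recv_ev,&tv);` is missing the space after the comma used everywhere else in the file.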

----------------- end of patch ----

Your mileage may vary with this patch. I make no guarantees that it will
work, but it seems to on my system.

Enjoy!

-Stacy (olivas_at_digiflux.org)

-----Original Message-----
From: Stacy Olivas [mailto:olivas_at_digiflux.org]
Sent: Sunday, October 27, 2002 9:22 PM
To: mike_at_honeynet.org; 'Alan Neville'
Cc: honeypots_at_securityfocus.com
Subject: RE: honeyd

I had the same problem at first on my FreeBSD system. You need to turn
on polling mode with the -P switch.

Then it works.

Hope this helps

-Stacy (olivas_at_digiflux.org)

-----Original Message-----
From: mike_at_honeynet.org [mailto:mike_at_honeynet.org]
Sent: Sunday, October 27, 2002 2:19 AM
To: Alan Neville
Cc: honeypots_at_securityfocus.com
Subject: Re: honeyd

The answer to one of your questions is on the honeyd page...

"If your kqueue implementation does not support bpf file descriptors,
define the environment variable EVENT_NOKQUEUE to yes"

Not sure about the token, try removing any new lines at the end.

Mike

On Sat, 26 Oct 2002, Alan Neville wrote:

> Hello:
>
> When running honeyd on my FreeBSD 4.5 system, with the following syntax:
>
> honeyd -d -p nmap.prints -f config.sample -i fxp0
>
> I seem to get some strange errors which don't seem to be covered within the
> FAQ (http://www.citi.umich.edu/u/provos/honeyd/faq.html). The following
> lines are the errors produced when attempting to start honeyd as root.
>
> config.sample:11 illegal token
> config.sample:11 syntax error
> honeyd[7255]: listening on fxp0: (tcp or icmp or udp_ and not ether src 00:a0:c9:ad:af:07
> honeyd[7255]: Kqueue does not recognize bpf filedescriptor.
> Oct 26 22:41:31 charlie honeyd[7255]: Kqueue does not recognize bpf filedescriptor.
>
> The following is a copy of my config.sample file:
>
> # Example of a simple host template and its binding
> annotate "AIX 4.0 - 4.2" fragment old
> create template
> set template personality "AIX 4.0 - 4.2"
> add template tcp port 80 "sh scripts/webd.sh"
> add template tcp port 22 "sh scripts/test.sh $ipsrc $dport"
> add template tcp port 21 proxy $ipsrc:23
> set template default tcp action reset
>
> bind 192.168.1.4 template
>
> Any ideas?
>
> -Alan
>
>
Received on Oct 28 2002