Re: Honeyd Config

[captgoodnight () acsalaska net]

On Monday 01 March 2004 08:37 am, jwoloz wrote:
> Hello all,
>  I realize that the question has probably been asked about a thousand
> times, but I cant seem to find it anywhere online.  Im trying to run a
> version of honeyd-0.8 on a Redhat 8.0 distribution.  I have been trying to
> run it with several different templates and I keep getting errors that a
> personality is not defined and that the file can not be read.  Here is a
> simplified version Im trying to run from the man himself Spitzner (the IP
> addresses are not changed to protect myself). Can anyone offer some insite
> as to why I get the personality failure, even though I have specified the
> prints file and the template is correct? Thanx
> -Jason
>
> arpd 192.168.1.0/24
> honeyd -p nmap.prints -f honeyd.conf 192.168.1.0/24
>
> ## Honeyd configuration file ##
> ### Windows computers (default)
> create defaultgrep "Fingerprint"  nmap.prints | more
> set default personality "Windows NT 4.0 Server SP5-SP6"
> set default default tcp action reset
> add default tcp port 110 "sh scripts/pop.sh"
> add default tcp port 80 "perl scripts/iis-0.95/main.pl"
> add default tcp port 25 block
> add default tcp port 21 "sh scripts/ftp.sh"
> add default tcp port 22 proxy $ipsrc:22
> add default udp port 139 drop
> set default uptime 3284460
> ### Cisco router
> create router
> set router personality "Cisco 4500-M running IOS 11.3(6) IP Plus"
> add router tcp port 23 "/usr/bin/perl scripts/router-telnet.pl"
> set router default tcp action reset
> set router uid 32767 gid 32767
> set router uptime 1327650
> # Bind specific templates to specific IP address
> # If not bound, default to Windows template
> bind 192.168.1.150 router

Hello there, I got some clues for ya. 

look into your nmap.prints file. The line after the word Fingerprint is the 
personality. For your line; 

> set default personality "Windows NT 4.0 Server SP5-SP6"
instead use "Microsoft Windows NT 4.0 Server SP5-SP6" 

for your line
> set router personality "Cisco 4500-M running IOS 11.3(6) IP Plus" 
I couldn't find a close match with grepping the file. But, there are many 
choices to choose from. For cisco i use "Cisco IOS 11.3 - 12.0(11)", all good 
no errors.

Basically, do this.
grep "Fingerprint"  nmap.prints | more
for a list of personalities. This should solve the personality errors, but 
others errors may raise their heads, keep checking that config for the 
slightest of mistypes and conflicting configs, it's easy to have happen.

Also, make sure your line
> honeyd -p nmap.prints -f honeyd.conf 192.168.1.0/24
puts the config files into the command. Here, I use 
/usr/share/honeyd/nmap.prints and /etc/honeyd.conf. Keep those paths honest.
 
Good for you for diving into honeyd, it's way flexible and quite a tool. Good 
luck.


bests, cg