honeytrap-devel Mailing List for honeytrap (Page 2)
From: Tillmann W. <til...@gm...> - 2009-04-08 15:01:19

Jeremy,

> Does anyone know how to use tcpdump captures to send to a nebula server to generate snort rules? I've been trying to install honeytrap, but the trunk is not available from cvs.

honeytrap svn: <https://svn.carnivore.it/honeytrap/>.

Nebula computes signatures from session data (the application data stream, so to speak). Raw tcpdump packet traces cannot be processed. You could reassemble session streams from a trace and submit them manually one by one.

Hope that helps.
Tillmann
From: Jeremy H. <jer...@ya...> - 2009-04-08 01:15:58

Does anyone know how to use tcpdump captures to send to a nebula server to generate snort rules? I've been trying to install honeytrap, but the trunk is not available from cvs.

Regards,
Jeremy
From: Tillmann W. <til...@gm...> - 2009-01-22 20:14:20

Mark,

> honeytrap v1.0.0 - Initializing.
> Loading plugin ftpDownload v0.5.3
> Loading plugin tftpDownload v0.4.1
> Loading plugin b64Decode v0.3.1
> Loading plugin vncDownload v0.3
> Loading plugin SaveFile v0.2.0
> Port 2929/tcp is configured to be handled in ignore mode.
> Servers will run as user (null) (0).
> Servers will run as group (null) (0).
> Loading default responses.
> Connections will be handled in normal mode by default.
> Logging to /opt/honeytrap/honeytrap.log.
> Initialization complete.
>
> honeytrap v1.0.0 Copyright (C) 2005-2007 Tillmann Werner <til...@gm...>
> [2009-01-22 14:36:18] Error - Could not set IPQ mode: Failed to send netlink message.
> [2009-01-22 14:36:18] ---- honeytrap stopped ----

Is the ip_queue module loaded?

Tillmann
From: gsirt R. <gsi...@gm...> - 2009-01-22 14:37:30

Has anyone had this error message??

honeytrap v1.0.0 - Initializing.
Loading plugin ftpDownload v0.5.3
Loading plugin tftpDownload v0.4.1
Loading plugin b64Decode v0.3.1
Loading plugin vncDownload v0.3
Loading plugin SaveFile v0.2.0
Port 2929/tcp is configured to be handled in ignore mode.
Servers will run as user (null) (0).
Servers will run as group (null) (0).
Loading default responses.
Connections will be handled in normal mode by default.
Logging to /opt/honeytrap/honeytrap.log.
Initialization complete.

honeytrap v1.0.0 Copyright (C) 2005-2007 Tillmann Werner <til...@gm...>
[2009-01-22 14:36:18] Error - Could not set IPQ mode: Failed to send netlink message.
[2009-01-22 14:36:18] ---- honeytrap stopped ----

I'm running HT on CentOS release 5.2 (Final), Linux hostname 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 12:03:43 EST 2008 i686 i686 i386 GNU/Linux

Thanks
Mark
From: Tillmann W. <til...@gm...> - 2008-11-09 21:02:05

> Ok
> I'm completely frustrated with this package.
> IT DOES NOT COMPILE
> I've gotten no help whatsoever in resolving this.
> really a shame but I'm sorry it's not worth considering.

Calm down. We'll get it working. :)

> It passes configure
> IT FAILS make
>
> Making all in modules
> make[1]: Entering directory `/usr/src/honeytrap-1.0.0/src/modules'
> make[2]: Entering directory `/usr/src/honeytrap-1.0.0/src/modules'
> /bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c -o htm_SaveFile.lo htm_SaveFile.c
> gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c htm_SaveFile.c -fPIC -DPIC -o .libs/htm_SaveFile.o
> In function 'open',
>     inlined from 'save_to_file' at htm_SaveFile.c:145:
> /usr/include/bits/fcntl2.h:51: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT in second argument needs 3 arguments
> In function 'open',
>     inlined from 'save_to_file' at htm_SaveFile.c:172:
> /usr/include/bits/fcntl2.h:51: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT in second argument needs 3 arguments
> make[2]: *** [htm_SaveFile.lo] Error 1
> make[2]: Leaving directory `/usr/src/honeytrap-1.0.0/src/modules'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/usr/src/honeytrap-1.0.0/src/modules'
> make: *** [all-recursive] Error 1

Fixed in svn. Thanks for reporting it.

> Now tillmann has suggested I comment out something.

Yes, that was related to your previous error.

Tillmann
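The compile error quoted in this exchange comes from glibc's fortified open(): when O_CREAT is among the flags, the header rejects a two-argument call at compile time because the third (mode) argument would otherwise be whatever happens to be on the stack. The following is an added illustration of the three-argument form, written for this page; it is not honeytrap's htm_SaveFile.c, and the function name save_sample, the temporary path and the payload are constructed for the example. For a honeypot that writes attacker-supplied payloads to disk, the explicit mode is also the place to keep those files private (0600) and O_EXCL the place to refuse reusing or following a pre-existing file at the path.

```c
/* Added example, not honeytrap's htm_SaveFile.c: the error quoted above is
 * glibc's fortified open() rejecting O_CREAT without a mode argument at
 * compile time. The fix is the three-argument form with an explicit mode. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Write len bytes of buf to a new file at path.
 * Returns the number of bytes written, or -errno on failure. */
ssize_t save_sample(const char *path, const void *buf, size_t len)
{
    /* O_CREAT requires the third argument; 0600 keeps captured payloads
     * readable only by the honeypot's user. O_EXCL refuses to reuse an
     * existing file or follow a symlink that already sits at path. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -errno;

    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, (const char *)buf + done, len - done);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            int saved = errno;
            close(fd);
            return -saved;
        }
        done += (size_t)n;
    }
    if (close(fd) < 0)
        return -errno;
    return (ssize_t)done;
}

/* Returns 1 if the file's permission bits are exactly 0600, else 0. */
int has_private_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return 0;
    return (st.st_mode & 0777) == 0600;
}

int main(void)
{
    const char *path = "/tmp/honeytrap_example_sample.bin"; /* constructed path */
    static const char payload[] = "constructed sample payload";
    unlink(path);
    ssize_t n = save_sample(path, payload, sizeof payload - 1);
    printf("wrote %zd bytes, private mode: %d\n", n, has_private_mode(path));
    /* A second save to the same path is refused rather than overwritten. */
    printf("second save -> %s\n", strerror((int)-save_sample(path, payload, 1)));
    unlink(path);
    return n < 0;
}
```

The same three-argument form is what any O_CREAT call needs under -D_FORTIFY_SOURCE; the mode is not optional in the variadic prototype, the fortified header only makes the omission visible at build time instead of at run time.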
From: Jim K. <mac...@co...> - 2008-11-09 20:49:39

Ok
I'm completely frustrated with this package.
IT DOES NOT COMPILE
I've gotten no help whatsoever in resolving this.
really a shame but I'm sorry it's not worth considering.

It passes configure
IT FAILS make

Making all in modules
make[1]: Entering directory `/usr/src/honeytrap-1.0.0/src/modules'
make[2]: Entering directory `/usr/src/honeytrap-1.0.0/src/modules'
/bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c -o htm_SaveFile.lo htm_SaveFile.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c htm_SaveFile.c -fPIC -DPIC -o .libs/htm_SaveFile.o
In function 'open',
    inlined from 'save_to_file' at htm_SaveFile.c:145:
/usr/include/bits/fcntl2.h:51: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT in second argument needs 3 arguments
In function 'open',
    inlined from 'save_to_file' at htm_SaveFile.c:172:
/usr/include/bits/fcntl2.h:51: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT in second argument needs 3 arguments
make[2]: *** [htm_SaveFile.lo] Error 1
make[2]: Leaving directory `/usr/src/honeytrap-1.0.0/src/modules'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/src/honeytrap-1.0.0/src/modules'
make: *** [all-recursive] Error 1

Now tillmann has suggested I comment out something.
HUH?

Jim
From: James K. <mac...@co...> - 2008-11-08 21:19:07

Tillmann

No I didn't get your response two days ago sorry.
I installed the latest version of clamav from source not the ubuntu version (which is always old)

Jim

On Nov 8, 2008, at 4:08 PM, hon...@li... wrote:

> Jim,
>
> did you get my reply two days ago?
>
>> I'm having difficulty getting honeytrap working with Clamav
>> I'm doing this on Ubuntu server 8.04
>>
>> I'm able to install honeytrap using this
>> ./configure --with-stream-mon=nfq --with-clamav
>
> I am sorry but I can't reproduce the error. The above looks ok. I
> checked with Ubuntu's clamav package and with the latest version from
> the project site. You can safely comment out the two lines that cause
> the errors.
>
> Tillmann
From: Tillmann W. <til...@gm...> - 2008-11-08 21:08:31

Jim,

did you get my reply two days ago?

> I'm having difficulty getting honeytrap working with Clamav
> I'm doing this on Ubuntu server 8.04
>
> I'm able to install honeytrap using this
> ./configure --with-stream-mon=nfq --with-clamav

I am sorry but I can't reproduce the error. The above looks ok. I checked with Ubuntu's clamav package and with the latest version from the project site. You can safely comment out the two lines that cause the errors.

Tillmann
From: Jim K. <mac...@co...> - 2008-11-08 17:16:31

When I do:

./configure --with-stream-mon=nfq --with-clamav

It appears to complete successfully:

----- honeytrap configuration -----

General options
( ) Debugging
( ) Profiling
( ) Unstable Modules
( ) Electric Fence

Connection monitor
( ) Linux ip_queue (ipq)
( ) FreeBSD ipfw (ipfw)
(X) Linux libnetfilter_queue (nfq)
( ) Libpcap (pcap)

Optional plugins
(X) ClamAV
( ) cpuEmu
( ) CSPM
( ) PostgeSQL
( ) SpamSum
( ) submitMwserv

root@honeytrap:/usr/src/honeytrap-1.0.0#

but when i do make, make fails with:

creating htm_b64Decode.la
(cd .libs && rm -f htm_b64Decode.la && ln -s ../htm_b64Decode.la htm_b64Decode.la)
/bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c -o htm_ClamAV.lo htm_ClamAV.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c htm_ClamAV.c -fPIC -DPIC -o .libs/htm_ClamAV.o
htm_ClamAV.c: In function 'load_clamdb':
htm_ClamAV.c:134: error: 'struct cl_limits' has no member named 'maxmailrec'
htm_ClamAV.c:135: error: 'struct cl_limits' has no member named 'maxratio'
make[4]: *** [htm_ClamAV.lo] Error 1
make[4]: Leaving directory `/usr/src/honeytrap-1.0.0/src/modules'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/usr/src/honeytrap-1.0.0/src/modules'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/src/honeytrap-1.0.0/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/src/honeytrap-1.0.0'
make: *** [all] Error 2
root@honeytrap:/usr/src/honeytrap-1.0.0#

Now I've already compiled and installed clamav and it works fine. I'd appreciate it if anyone can tell me what I'm missing here.

Jim
From: tatooin <ta...@fr...> - 2008-08-01 08:40:03

Tillmann Werner wrote:
> Vincent,
>
>> For testing purposes, and until you release a patch addressing this
>> (assuming you want to do it!), is there any way I could force a
>> specific IP address to bind to, in the source code maybe?
>
> Please check out the latest revision from svn into a clean tree and
> reinstall from there. Then use the freshly introduced configuration
> option "bind_address" as shown below:
>
> bind_address = "127.0.0.1"

Hi Tillmann,

I am glad to tell you that it's working just fine now! Thank you so much for your amazing support!

I will play with honeytrap now, and let you know if I find any issues related to this new feature.

Thanks again.
Vincent
From: Tillmann W. <til...@gm...> - 2008-07-31 19:28:14

Vincent,

> For testing purposes, and until you release a patch addressing this
> (assuming you want to do it!), is there any way I could force a
> specific IP address to bind to, in the source code maybe?

Please check out the latest revision from svn into a clean tree and reinstall from there. Then use the freshly introduced configuration option "bind_address" as shown below:

bind_address = "127.0.0.1"

Thanks,
Tillmann
From: tatooin <ta...@fr...> - 2008-07-31 16:27:08

Tillmann Werner wrote:
> Vincent,
>
> here's the problem: You have "something" running on your other IP
> addresses. Honeytrap is kind of lazy and always binds to INADDR_ANY,
> means to _all_ available IP addresses on your box. That fails sometimes
> because you have other services running. For 1234/tcp it did not as that
> port was not bound by any other process.
>
> It is discussable whether that strategy is good or bad. In your case
> it's probably not what you expected. I guess I'm gonna introduce a
> configuration switch for changing the behavior.
>
> In the meantime you might either want to disable the other services or
> move honeytrap to another box.
>
> Sorry, not really satisfying, I know... :(
>
> Tillmann

Hi Tillmann,

Thanks for your answer.

Ok, maybe I should have explained a bit more about what I'm trying to achieve there before explaining the problem.. my apologies for this lack of clarification.

I am trying to set up a honeypot box. There are several honeypots available out there (amun, honeytrap, nepenthes, etc..) and I was thinking of giving each of them a try on this linux box. So I wanted to assign a different IP to each honeypot, while keeping one IP for administration purposes. This would also have been a great way of comparing how each of them was behaving in case of attacks.

It was also my understanding that the "-a" flag was a way of achieving this; by forcing a single IP address, honeytrap would have answered only on this particular IP. So I assumed it was listening on this sole IP...

Now I understand the problem. I unfortunately can't move honeytrap to another machine yet, because there is none available at the moment. And it's a corporate network, so I can't just install it on any machine. It has to be a dedicated machine.

For testing purposes, and until you release a patch addressing this (assuming you want to do it!), is there any way I could force a specific IP address to bind to, in the source code maybe?

I wish I could do more by submitting a patch myself, but unfortunately my programming skills are simply non-existent at the moment. :-(

In any case, thank you very much for your help and assistance in trying to understand and fix this problem!

Thanks again
Vincent
From: Tillmann W. <til...@gm...> - 2008-07-31 16:04:52

Vincent,

here's the problem: You have "something" running on your other IP addresses. Honeytrap is kind of lazy and always binds to INADDR_ANY, means to _all_ available IP addresses on your box. That fails sometimes because you have other services running. For 1234/tcp it did not as that port was not bound by any other process.

It is discussable whether that strategy is good or bad. In your case it's probably not what you expected. I guess I'm gonna introduce a configuration switch for changing the behavior.

In the meantime you might either want to disable the other services or move honeytrap to another box.

Sorry, not really satisfying, I know... :(

Tillmann
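The collision Tillmann describes can be reproduced without honeytrap. The program below is an added example written for this page (not honeytrap code, and not a reconstruction of its server startup): an unrelated listener takes a port on one specific address, a second socket then tries the wildcard address on the same port and gets EADDRINUSE, and a third socket bound to a different specific address on that port succeeds, which is the behaviour the bind_address option later provides. The example uses the loopback addresses 127.0.0.1 and 127.0.0.2 (the whole 127/8 block is local on Linux) and lets the kernel pick the port, so it runs on any Linux host without touching real interfaces; the function names are the example's own.

```c
/* Added example, not honeytrap code: shows why a listener bound to INADDR_ANY
 * collides with a service already listening on one specific address, and why
 * binding to another specific address (what the later bind_address option
 * does) does not. Uses loopback addresses so it runs on any Linux host. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a fresh TCP socket to addr:port (port 0 = kernel picks a free one).
 * Returns the descriptor, or -errno on failure. No SO_REUSEADDR, so the
 * kernel applies its plain conflict rules, as in the thread. */
int bind_tcp(const char *addr, uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1) {
        close(fd);
        return -EINVAL;
    }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int saved = errno;
        close(fd);
        return -saved;
    }
    return fd;
}

/* Port the kernel assigned to a bound socket, in host order (0 on error). */
uint16_t bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return 0;
    return ntohs(sa.sin_port);
}

/* Reproduce the situation from the thread on the loopback network:
 *  - an unrelated service already listens on 127.0.0.1:<port>,
 *  - the honeypot tries the wildcard 0.0.0.0:<port>     -> EADDRINUSE,
 *  - the honeypot tries another address 127.0.0.2:<port> -> succeeds.
 * Stores the wildcard errno and whether the specific bind worked;
 * returns 1 when both observations match Tillmann's explanation. */
int demo_wildcard_collision(int *wildcard_errno, int *specific_ok)
{
    int other = bind_tcp("127.0.0.1", 0);
    if (other < 0)
        return 0;
    if (listen(other, 5) < 0) {
        close(other);
        return 0;
    }
    uint16_t port = bound_port(other);

    int wild = bind_tcp("0.0.0.0", port);
    *wildcard_errno = wild < 0 ? -wild : 0;
    if (wild >= 0)
        close(wild);

    int specific = bind_tcp("127.0.0.2", port); /* 127/8 is all loopback on Linux */
    *specific_ok = specific >= 0;
    if (specific >= 0)
        close(specific);

    close(other);
    return *wildcard_errno == EADDRINUSE && *specific_ok;
}

int main(void)
{
    int werr = 0, ok = 0;
    int as_expected = demo_wildcard_collision(&werr, &ok);
    printf("wildcard bind: %s\n", werr ? strerror(werr) : "succeeded");
    printf("specific-address bind: %s\n", ok ? "succeeded" : "failed");
    return as_expected ? 0 : 1;
}
```

This is also why the netstat grep for the honeypot's own address in the thread could not show the conflict: the service in the way is bound to a different address (or to 0.0.0.0) on the same port, so only an unfiltered listing of listening sockets reveals it.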
From: Tillmann W. <til...@gm...> - 2008-07-31 15:35:25

> Doh! Ok, from another machine, it's working on port 1234:

Good!

> Now, the strange thing... if I try on any other ports:
>
> [jaussaudv@thor ~]$ nc 172.17.20.72 5000
>
> The log says:
> [2008-07-31 16:16:06] 26583 159.215.21.216:34609 requesting tcp connection on 172.17.20.72:5000.
> [2008-07-31 16:16:06] 27024 159.215.21.216:34609 requesting tcp connection on 172.17.20.72:5000.
> [2008-07-31 16:16:06] 26583 Port 5000/tcp has no explicit configuration.
> [2008-07-31 16:16:06] 27024 Port 5000/tcp has no explicit configuration.
> [2008-07-31 16:16:06] 27085 Requesting tcp socket.
> [2008-07-31 16:16:06] 27085 Unable to bind to port 5000/tcp: Address already in use.
> [2008-07-31 16:16:06] 27086 Requesting tcp socket.
> [2008-07-31 16:16:06] 27086 Unable to bind to port 5000/tcp: Address already in use.

Could you start

sudo tcpdump -ni eth0 'tcp port 5000'

and netcat to honeytrap at 5000/tcp again? How many SYN segments do you see? Do you receive an answer?

> I tried on various ports, 139, 25, 445, 80, etc... always the same result...
> while:
>
> darkstar@linuxpowaaa:~$ sudo netstat -tpan | grep 172.17.20.72

All ports you tried are typical candidates for problems. With the above grep you would miss if a service listens on some port at 0.0.0.0. Can you check the output of

sudo netstat -an --inet && sudo netstat -an --inet6

We're getting closer... :)

Tillmann
From: tatooin <ta...@fr...> - 2008-07-31 14:29:41

> You run netcat on the same machine (172.17.20.72). That does not work as
> packets are not sent via the NIC and thus honeytrap's stream monitor has
> no chance to catch the SYN segment (unless you listen on a loopback
> interface). Try from a remote host.

Doh! Ok, from another machine, it's working on port 1234:

[jaussaudv@thor ~]$ nc 172.17.20.72 1234
[jaussaudv@thor ~]$

darkstar@linuxpowaaa:~$ netstat -tan | grep 1234
tcp        0      0 0.0.0.0:1234            0.0.0.0:*               LISTEN
tcp        0      0 172.17.20.72:1234       159.215.21.216:34607    ESTABLISHED

Now, the strange thing... if I try on any other ports:

[jaussaudv@thor ~]$ nc 172.17.20.72 5000

The log says:

[2008-07-31 16:16:06] 26583 159.215.21.216:34609 requesting tcp connection on 172.17.20.72:5000.
[2008-07-31 16:16:06] 27024 159.215.21.216:34609 requesting tcp connection on 172.17.20.72:5000.
[2008-07-31 16:16:06] 26583 Port 5000/tcp has no explicit configuration.
[2008-07-31 16:16:06] 27024 Port 5000/tcp has no explicit configuration.
[2008-07-31 16:16:06] 27085 Requesting tcp socket.
[2008-07-31 16:16:06] 27085 Unable to bind to port 5000/tcp: Address already in use.
[2008-07-31 16:16:06] 27086 Requesting tcp socket.
[2008-07-31 16:16:06] 27086 Unable to bind to port 5000/tcp: Address already in use.
[2008-07-31 16:16:06] 27024 Process 27024 received signal 17 on pipe.
[2008-07-31 16:16:06] 27024 SIGCHILD received.
[2008-07-31 16:16:06] 27024 Process 27086 terminated.
[2008-07-31 16:16:06] 27024 Warning - Process 27086 exited on failure.
[2008-07-31 16:16:06] 27024 Signal handler for SIGCHLD reinstalled.
[2008-07-31 16:16:06] 26583 Process 26583 received signal 17 on pipe.
[2008-07-31 16:16:06] 26583 SIGCHILD received.
[2008-07-31 16:16:06] 26583 Process 27085 terminated.
[2008-07-31 16:16:06] 26583 Warning - Process 27085 exited on failure.
[2008-07-31 16:16:06] 26583 Signal handler for SIGCHLD reinstalled.

I tried on various ports, 139, 25, 445, 80, etc... always the same result... while:

darkstar@linuxpowaaa:~$ sudo netstat -tpan | grep 172.17.20.72
darkstar@linuxpowaaa:~$

Why would it work on port 1234 while not on any other ports?!

My interface says:

darkstar@linuxpowaaa:~$ /sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:1A:A0:48:8D:83
          inet addr:172.17.20.38  Bcast:172.17.23.255  Mask:255.255.248.0
          inet6 addr: fe80::21a:a0ff:fe48:8d83/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:97151143 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2703747 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1336909461 (1.2 GB)  TX bytes:187518818 (178.8 MB)
          Interrupt:16

darkstar@linuxpowaaa:~$ /sbin/ifconfig eth0:3
eth0:3    Link encap:Ethernet  HWaddr 00:1A:A0:48:8D:83
          inet addr:172.17.20.72  Bcast:172.17.23.255  Mask:255.255.248.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:16

And honeytrap's initialization phase says:

darkstar@linuxpowaaa:~$ sudo /usr/local/sbin/honeytrap -a 172.17.20.72 -u root -t 6 -C /usr/local/etc/honeytrap/honeytrap.conf -p -D
[sudo] password for darkstar:
honeytrap v1.0.0 - Initializing.
Saving old working directory.
Reading configuration from /usr/local/etc/honeytrap/honeytrap.conf.
Not daemonizing - staying in foreground.
Setting logfile to /var/log/honeytrap/honeytrap.log.
Setting process id file to /var/run/honeytrap.pid.
Loading default responses from /usr/local/etc/honeytrap/responses.
Setting promiscuous mode to on.
Setting user to honeyd
Setting group to honeyd
Setting read limit to 20971520.
Loading plugins from /usr/local/etc/honeytrap/plugins.
Looking for plugin ftpDownload in /usr/local/etc/honeytrap/plugins
Plugin found: /usr/local/etc/honeytrap/plugins/htm_ftpDownload.so
Loading plugin ftpDownload v0.5.3
Initializing plugin ftpDownload.
Hooking plugin ftpDownload to 'unload_plugins'.
ftpDownload::plugin_unload() hooked to 'unload_plugins'.
Plugin ftpDownload: Registering hooks.
Hooking ftpDownload::cmd_parse_for_ftp() to 'process_attack' (priority: 1).
ftpDownload::cmd_parse_for_ftp() hooked to 'process_attack' (priority: 1).
Plugin ftpDownload: Registering hooks.
Looking for plugin tftpDownload in /usr/local/etc/honeytrap/plugins
Plugin found: /usr/local/etc/honeytrap/plugins/htm_tftpDownload.so
Loading plugin tftpDownload v0.4.1
Initializing plugin tftpDownload.
Hooking plugin tftpDownload to 'unload_plugins'.
tftpDownload::plugin_unload() hooked to 'unload_plugins'.
Plugin tftpDownload: Registering hooks.
Hooking tftpDownload::cmd_parse_for_tftp() to 'process_attack' (priority: 1).
tftpDownload::cmd_parse_for_tftp() hooked to 'process_attack' (priority: 1).
Looking for plugin httpDownload in /usr/local/etc/honeytrap/plugins
Plugin found: /usr/local/etc/honeytrap/plugins/htm_httpDownload.so
Loading plugin httpDownload v0.0.2
Initializing plugin httpDownload.
Hooking plugin httpDownload to 'unload_plugins'.
httpDownload::plugin_unload() hooked to 'unload_plugins'.
Plugin httpDownload: Registering hooks.
Hooking httpDownload::cmd_parse_for_http_url() to 'process_attack' (priority: 3).
httpDownload::cmd_parse_for_http_url() hooked to 'process_attack' (priority: 3).
Plugin httpDownload: Registering hooks.
Looking for plugin b64Decode in /usr/local/etc/honeytrap/plugins
Plugin found: /usr/local/etc/honeytrap/plugins/htm_b64Decode.so
Loading plugin b64Decode v0.3.1
Initializing plugin b64Decode.
Hooking plugin b64Decode to 'unload_plugins'.
b64Decode::plugin_unload() hooked to 'unload_plugins'.
Plugin b64Decode: Registering hooks.
Hooking b64Decode::b64_decode() to 'process_attack' (priority: 0).
b64Decode::b64_decode() hooked to 'process_attack' (priority: 0).
Looking for plugin vncDownload in /usr/local/etc/honeytrap/plugins
Plugin found: /usr/local/etc/honeytrap/plugins/htm_vncDownload.so
Loading plugin vncDownload v0.3
Initializing plugin vncDownload.
Hooking plugin vncDownload to 'unload_plugins'.
vncDownload::plugin_unload() hooked to 'unload_plugins'.
Plugin vncDownload: Registering hooks.
Hooking vncDownload::cmd_parse_for_vnc() to 'process_attack' (priority: 1).
vncDownload::cmd_parse_for_vnc() hooked to 'process_attack' (priority: 1).
Looking for plugin SaveFile in /usr/local/etc/honeytrap/plugins
Plugin found: /usr/local/etc/honeytrap/plugins/htm_SaveFile.so
Loading plugin SaveFile v0.2.0
Initializing plugin SaveFile.
Hooking plugin SaveFile to 'unload_plugins'.
SaveFile::plugin_unload() hooked to 'unload_plugins'.
Plugin SaveFile: Registering hooks.
Hooking SaveFile::save_to_file() to 'process_attack' (priority: 2).
SaveFile::save_to_file() hooked to 'process_attack' (priority: 2).
Plugin SaveFile: Registering hooks.
Looking for plugin ClamAV in /usr/local/etc/honeytrap/plugins
Plugin found: /usr/local/etc/honeytrap/plugins/htm_ClamAV.so
Loading plugin ClamAV v0.1.0
Initializing plugin ClamAV.
Hooking plugin ClamAV to 'unload_plugins'.
ClamAV::plugin_unload() hooked to 'unload_plugins'.
Plugin ClamAV: Registering hooks.
Hooking ClamAV::clamscan() to 'process_attack' (priority: 3).
ClamAV::clamscan() hooked to 'process_attack' (priority: 3).
Plugin ClamAV: Registering hooks.
ClamAV - Loading signature database, be patient.
ClamAV - Loaded 378802 signatures.
ClamAV - Signature database initialized.
Port 22/tcp is configured to be handled in ignore mode.
Port 21/tcp is configured to be handled in normal mode.
Port 23/tcp is configured to be handled in normal mode.
Port 80/tcp is configured to be handled in normal mode.
Port 110/tcp is configured to be handled in normal mode.
Port 135/tcp is configured to be handled in normal mode.
Port 139/tcp is configured to be handled in normal mode.
Port 143/tcp is configured to be handled in normal mode.
Port 443/tcp is configured to be handled in normal mode.
Port 445/tcp is configured to be handled in normal mode.
Handler for signal 17 installed.
Handler for signal 1 installed.
Handler for signal 4 installed.
Handler for signal 2 installed.
Handler for signal 3 installed.
Handler for signal 11 installed.
Handler for signal 15 installed.
No device given, trying to use default device.
Default device is eth0.
Servers will run as user root (0).
Servers will run as group honeyd (120).
Loading default responses.
Searching for response files in /usr/local/etc/honeytrap/responses
Response file found: /usr/local/etc/honeytrap/responses/80_tcp
Loading default response for port 80/tcp.
Default response string for port 80/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/5900_tcp
Loading default response for port 5900/tcp.
Default response string for port 5900/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/5060_tcp
Loading default response for port 5060/tcp.
Default response string for port 5060/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/4899_tcp
Loading default response for port 4899/tcp.
Default response string for port 4899/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/445_tcp
Loading default response for port 445/tcp.
Default response string for port 445/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/4444_tcp
Loading default response for port 4444/tcp.
Default response string for port 4444/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/3306_tcp
Loading default response for port 3306/tcp.
Default response string for port 3306/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/25_tcp
Loading default response for port 25/tcp.
Default response string for port 25/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/21_tcp
Loading default response for port 21/tcp.
Default response string for port 21/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/21000_tcp
Loading default response for port 21000/tcp.
Default response string for port 21000/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/1433_tcp
Loading default response for port 1433/tcp.
Default response string for port 1433/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/139_tcp
Loading default response for port 139/tcp.
Default response string for port 139/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/135_tcp
Loading default response for port 135/tcp.
Default response string for port 135/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/110_tcp
Loading default response for port 110/tcp.
Default response string for port 110/tcp successfully loaded.
Connections will be handled in normal mode by default.
Using libpcap version 0.9.7.
Promiscuous mode enabled.
Processing interface eth0.
Interface eth0 has unknown address family 17.
Interface eth0 has an AF_INET address.
Interface eth0 has an AF_INET address.
Interface eth0 has an AF_INET address.
Interface eth0 has an AF_INET address.
Interface eth0 has an AF_INET address.
Interface eth0 has unknown address family 10.
BPF string is '((tcp[13] & 0x04 != 0 and tcp[4:4] == 0) or (icmp[0] == 3 and icmp[1] == 3)) and (src host 172.17.20.72)'.
Logging to /var/log/honeytrap/honeytrap.log.
Initialization complete.

honeytrap v1.0.0 Copyright (C) 2005-2007 Tillmann Werner <til...@gm...>
[2008-07-31 16:23:24] 27158 Master process pid written to /var/run/honeytrap.pid.
[2008-07-31 16:23:24] 27158 Creating pcap connection monitor.
[2008-07-31 16:23:24] 27158 Looking up device properties for eth0.
[2008-07-31 16:23:24] 27158 Creating pcap sniffer on eth0.
[2008-07-31 16:23:24] 27158 Using a 14 bytes offset for EN10MB.
[2008-07-31 16:23:24] 27158 ---- Trapping attacks on eth0 via PCAP. ----

> Send the output of ifconfig and honeytrap's initialization phase if it
> still fails. Make sure the IP address in the BPF string matches the one
> of the interface you want to listen on.
>
> Tillmann
From: Tillmann W. <til...@gm...> - 2008-07-31 14:02:43

Vincent,

> My apologies, I should have guessed that!
> Ok, now I was able to build it. I ran the honeytrap command on the
> loopback interface, and indeed it works:

That's good news.

> However, if I launch the same command on eth0 (or using the flag "-a
> 172.17.20.72", because I want honeytrap to only catch traffic coming to
> the virtual interface eth0:2, which owns IP 172.17.20.72), then nothing
> happens...
>
> darkstar@linuxpowaaa:~$ netcat 172.17.20.72 1234
> (UNKNOWN) [172.17.20.72] 1234 (?) : Connection refused

You run netcat on the same machine (172.17.20.72). That does not work as packets are not sent via the NIC and thus honeytrap's stream monitor has no chance to catch the SYN segment (unless you listen on a loopback interface). Try from a remote host.

Send the output of ifconfig and honeytrap's initialization phase if it still fails. Make sure the IP address in the BPF string matches the one of the interface you want to listen on.

Tillmann
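The BPF string that honeytrap prints during initialization (quoted in Vincent's later message in this thread) explains both of Tillmann's points. Read as plain TCP/IP field offsets, `tcp[13] & 0x04` is the RST flag, `tcp[4:4] == 0` is a zero sequence number, `icmp[0] == 3 and icmp[1] == 3` is ICMP destination unreachable / port unreachable, and `src host` restricts all of it to packets sent by the honeypot address. A RST with sequence number zero is what a kernel sends back when a SYN arrives for a closed port (RFC 793: a reset answering a segment without ACK carries sequence number zero), so in pcap mode honeytrap is watching its own host's refusals leave the interface; a netcat run on the same box never crosses eth0, and a filter carrying the wrong address matches nothing. The following is an added example written for this page, not honeytrap's own filter code: it evaluates that predicate in C on constructed IPv4 packets whose addresses are the two from the log, with checksums left at zero since the filter never reads them. Function and constant names are the example's own.

```c
/* Added example, not honeytrap code: a plain-C evaluation of the BPF filter
 * honeytrap printed in Vincent's initialization output,
 *   ((tcp[13] & 0x04 != 0 and tcp[4:4] == 0) or (icmp[0] == 3 and icmp[1] == 3))
 *   and (src host 172.17.20.72)
 * applied to constructed IPv4 packets. Addresses are taken from the log;
 * checksums are left zero because the filter never reads them. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HONEYPOT_IP 0xAC111448u  /* 172.17.20.72, the -a address in the log */
#define REMOTE_IP   0x9FD715D8u  /* 159.215.21.216, the client in the log  */

static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* pkt points at the IPv4 header (Ethernet framing already stripped).
 * watched_src is the "src host" term in host byte order. Returns 1 on match. */
int matches_honeytrap_filter(const uint8_t *pkt, size_t len, uint32_t watched_src)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl)
        return 0;
    if (get32(pkt + 12) != watched_src)          /* src host X */
        return 0;
    const uint8_t *l4 = pkt + ihl;
    size_t l4len = len - ihl;
    if (pkt[9] == 6 && l4len >= 20) {            /* TCP */
        int rst = (l4[13] & 0x04) != 0;          /* tcp[13] & 0x04 != 0 */
        int seq_zero = get32(l4 + 4) == 0;       /* tcp[4:4] == 0 */
        return rst && seq_zero;
    }
    if (pkt[9] == 1 && l4len >= 2)               /* ICMP */
        return l4[0] == 3 && l4[1] == 3;         /* dest unreachable, port unreachable */
    return 0;
}

/* Constructed IPv4+TCP packet without options; returns its length (40). */
size_t build_tcp(uint8_t *out, uint32_t src, uint32_t dst,
                 uint16_t sport, uint16_t dport, uint32_t seq, uint8_t flags)
{
    memset(out, 0, 40);
    out[0] = 0x45;            /* version 4, IHL 5 */
    out[3] = 40;              /* total length */
    out[8] = 64;              /* TTL */
    out[9] = 6;               /* protocol TCP */
    put32(out + 12, src);
    put32(out + 16, dst);
    uint8_t *t = out + 20;
    t[0] = (uint8_t)(sport >> 8); t[1] = (uint8_t)sport;
    t[2] = (uint8_t)(dport >> 8); t[3] = (uint8_t)dport;
    put32(t + 4, seq);
    t[12] = 0x50;             /* data offset 5 words */
    t[13] = flags;            /* 0x02 SYN, 0x04 RST, 0x10 ACK */
    return 40;
}

/* Constructed IPv4+ICMP packet carrying only type and code; returns its length (28). */
size_t build_icmp(uint8_t *out, uint32_t src, uint32_t dst, uint8_t type, uint8_t code)
{
    memset(out, 0, 28);
    out[0] = 0x45; out[3] = 28; out[8] = 64; out[9] = 1;
    put32(out + 12, src);
    put32(out + 16, dst);
    out[20] = type;
    out[21] = code;
    return 28;
}

int main(void)
{
    uint8_t p[40];
    size_t n;
    /* The SYN from the remote client: not sent by the honeypot, ignored. */
    n = build_tcp(p, REMOTE_IP, HONEYPOT_IP, 34609, 5000, 1000, 0x02);
    printf("remote SYN         -> %d\n", matches_honeytrap_filter(p, n, HONEYPOT_IP));
    /* The kernel's answer to a SYN on a closed port: RST/ACK with seq 0. */
    n = build_tcp(p, HONEYPOT_IP, REMOTE_IP, 5000, 34609, 0, 0x14);
    printf("honeypot RST seq=0 -> %d\n", matches_honeytrap_filter(p, n, HONEYPOT_IP));
    /* ICMP port unreachable from the honeypot, the UDP counterpart. */
    n = build_icmp(p, HONEYPOT_IP, REMOTE_IP, 3, 3);
    printf("honeypot ICMP 3/3  -> %d\n", matches_honeytrap_filter(p, n, HONEYPOT_IP));
    return 0;
}
```

The RST from an established connection (non-zero sequence number) and any packet whose source is not the watched address fall through to 0, which is what keeps the monitor from reacting to ordinary traffic on the box.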
From: tatooin <ta...@fr...> - 2008-07-31 13:04:00

Tillmann Werner wrote:
> Vincent,
>
>> OK, I downloaded a fresh new svn version (rev 1673) to a clean directory, and
>> tried to regenerate the config files. But now I have the following problem:
>>
>> darkstar@linuxpowaaa:~/honeytrap-svn$ autoreconf -i
>> configure.in:19: error: possibly undefined macro: AC_PROG_LD
>> If this token and others are legitimate, please use m4_pattern_allow.
>> See the Autoconf documentation.
>> configure.in:20: error: possibly undefined macro: AC_PROG_LIBTOOL
>> autoreconf: /usr/bin/autoconf failed with exit status: 1
>>
>> I am not really familiar with Makefiles generation, so I'm sorry if it's a
>> newbie problem. I tried to google for an answer, but without luck :(
>>
>> Any idea?
>
> Yes, you need to install the libtool package.
>
> Regards,
> Tillmann

Hi Tillmann,

My apologies, I should have guessed that!

Ok, now I was able to build it. I ran the honeytrap command on the loopback interface, and indeed it works:

darkstar@linuxpowaaa:~$ netcat 172.17.20.72 1234
(UNKNOWN) [172.17.20.72] 1234 (?) : Connection refused

While in the log, I have:

[2008-07-31 14:44:03] 26432 127.0.0.1:38597 requesting tcp connection on 127.0.0.1:1234.
[2008-07-31 14:44:03] 26432 Port 1234/tcp has no explicit configuration.
[2008-07-31 14:44:03] 26434 Requesting tcp socket.
[2008-07-31 14:44:03] 26434 Socket created, file descriptor is 15.
[2008-07-31 14:44:03] 26434 Server is now running with user id 109 and group id 120.
[2008-07-31 14:44:03] 26434 Listening on port 1234/tcp.

However, if I launch the same command on eth0 (or using the flag "-a 172.17.20.72", because I want honeytrap to only catch traffic coming to the virtual interface eth0:2, which owns IP 172.17.20.72), then nothing happens...

darkstar@linuxpowaaa:~$ netcat 172.17.20.72 1234
(UNKNOWN) [172.17.20.72] 1234 (?) : Connection refused

While in the log:

honeytrap v1.0.0 Copyright (C) 2005-2007 Tillmann Werner <til...@gm...>
[2008-07-31 14:51:07] 26507 Master process pid written to /var/run/honeytrap.pid.
[2008-07-31 14:51:07] 26507 Creating pcap connection monitor.
[2008-07-31 14:51:07] 26507 Looking up device properties for eth0.
[2008-07-31 14:51:07] 26507 Creating pcap sniffer on eth0.
[2008-07-31 14:51:07] 26507 Using a 14 bytes offset for EN10MB.
[2008-07-31 14:51:07] 26507 ---- Trapping attacks on eth0 via PCAP. ----

And the netstat command doesn't give anything either:

darkstar@linuxpowaaa:~$ sudo netstat -tpan | grep 172.17.20.72
[sudo] password for darkstar:
darkstar@linuxpowaaa:~$

Thanks for your help!
Vincent
From: Tillmann W. <til...@gm...> - 2008-07-31 11:53:58
Vincent,

> OK, I downloaded a fresh new svn version (rev 1673) to a clean directory, and
> tried to regenerate the config files. But now I have the following problem:
>
> darkstar@linuxpowaaa:~/honeytrap-svn$ autoreconf -i
> configure.in:19: error: possibly undefined macro: AC_PROG_LD
> If this token and others are legitimate, please use m4_pattern_allow.
> See the Autoconf documentation.
> configure.in:20: error: possibly undefined macro: AC_PROG_LIBTOOL
> autoreconf: /usr/bin/autoconf failed with exit status: 1
>
> I am not really familiar with Makefile generation, so I'm sorry if it's a
> newbie problem. I tried to google for an answer, but without luck :(
>
> Any idea?

Yes, you need to install the libtool package.

Regards,
Tillmann
From: <ta...@fr...> - 2008-07-31 07:47:57
Quoting Tillmann Werner <til...@gm...>:

> Vincent,

Hi Tillmann,

> ok, let's try to figure out what the problem is.
>
> I don't see a "autoreconf -i" after you checked out from subversion.
> Have you checked out into a new local directory? If not, do so and build
> the configure script with the above command.

OK, I downloaded a fresh new svn version (rev 1673) to a clean directory, and
tried to regenerate the config files. But now I have the following problem:

darkstar@linuxpowaaa:~/honeytrap-svn$ autoreconf -i
configure.in:19: error: possibly undefined macro: AC_PROG_LD
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.in:20: error: possibly undefined macro: AC_PROG_LIBTOOL
autoreconf: /usr/bin/autoconf failed with exit status: 1

I am not really familiar with Makefile generation, so I'm sorry if it's a
newbie problem. I tried to google for an answer, but without luck :(

Any idea?

Thanks!

> Also, to prevent confusions with parts of earlier installations, install
> honeytrap in a different location, i.e. with
>
> ./configure --with-stream-mon=pcap --prefix=/tmp/honeytrap
>
> After that, change into /tmp/honeytrap, adjust
> etc/honeytrap/honeytrap.conf to your needs (just commenting out the
> ClamAV plugin should be fine) and start the daemon with the stream
> monitor attached to localhost:
>
> sudo ./sbin/honeytrap -C etc/honeytrap/honeytrap.conf -pi lo -Dt 6
>
> After that, connect to any port on your loopback device:
>
> $ netcat localhost 1234
> localhost [127.0.0.1] 1234 (?) : Connection refused
>
> Honeytrap should log something like the following:
>
> [2008-07-30 18:56:43] 12603 ---- Trapping attacks on lo via PCAP. ----
> [2008-07-30 18:56:45] 12603 127.0.0.1:42133 requesting tcp connection on 127.0.0.1:1234.
> [2008-07-30 18:56:45] 12603 Port 1234/tcp has no explicit configuration.
> [2008-07-30 18:56:45] 12605 Requesting tcp socket.
> [2008-07-30 18:56:45] 12605 Socket created, file descriptor is 14.
> [2008-07-30 18:56:45] 12605 Server is now running with user id 65534 and group id 65534.
> [2008-07-30 18:56:45] 12605 Listening on port 1234/tcp.
>
> If you get that far, the daemon runs fine and you should be able to
> configure it so that it runs on your external device, too.
>
> Thanks,
> Tillmann
From: Tillmann W. <til...@gm...> - 2008-07-30 17:16:38
Vincent,

ok, let's try to figure out what the problem is.

I don't see a "autoreconf -i" after you checked out from subversion.
Have you checked out into a new local directory? If not, do so and build
the configure script with the above command.

Also, to prevent confusions with parts of earlier installations, install
honeytrap in a different location, i.e. with

./configure --with-stream-mon=pcap --prefix=/tmp/honeytrap

After that, change into /tmp/honeytrap, adjust
etc/honeytrap/honeytrap.conf to your needs (just commenting out the
ClamAV plugin should be fine) and start the daemon with the stream
monitor attached to localhost:

sudo ./sbin/honeytrap -C etc/honeytrap/honeytrap.conf -pi lo -Dt 6

After that, connect to any port on your loopback device:

$ netcat localhost 1234
localhost [127.0.0.1] 1234 (?) : Connection refused

Honeytrap should log something like the following:

[2008-07-30 18:56:43] 12603 ---- Trapping attacks on lo via PCAP. ----
[2008-07-30 18:56:45] 12603 127.0.0.1:42133 requesting tcp connection on 127.0.0.1:1234.
[2008-07-30 18:56:45] 12603 Port 1234/tcp has no explicit configuration.
[2008-07-30 18:56:45] 12605 Requesting tcp socket.
[2008-07-30 18:56:45] 12605 Socket created, file descriptor is 14.
[2008-07-30 18:56:45] 12605 Server is now running with user id 65534 and group id 65534.
[2008-07-30 18:56:45] 12605 Listening on port 1234/tcp.

If you get that far, the daemon runs fine and you should be able to
configure it so that it runs on your external device, too.

Thanks,
Tillmann
From: <ta...@fr...> - 2008-07-30 09:57:33
|
> I've upgraded to the svn version, but unfortunately I still have the > same error. :-( > > Can you please provide more details? Ideally all commands and their > output from "svn co" on? > > Thanks, > Tillmann Hi Tillmann, Please find below all the informations I could gather. If you need anything else, please let me know. Hope that helps Vincent ----------- // SVN Checkout darkstar@linuxpowaaa:~$ svn co https://svn.mwcollect.org/honeytrap/trunk/ honeytrap-svn Error validating server certificate for 'https://svn.mwcollect.org:443': - The certificate is not issued by a trusted authority. Use the fingerprint to validate the certificate manually! - The certificate has expired. Certificate information: - Hostname: *.mwcollect.org - Valid: from Sat, 12 Aug 2006 00:17:46 GMT until Sun, 12 Aug 2007 00:17:46 GMT - Issuer: Development, mwcollect.org, Amsterdam, NL - Fingerprint: 05:e3:9a:54:d8:a2:83:72:91:89:35:f4:49:5e:ec:2d:c3:c2:fc:c4 (R)eject, accept (t)emporarily or accept (p)ermanently? t A honeytrap-svn/tools A honeytrap-svn/tools/bin2hex.c A honeytrap-svn/tools/hex2bin.c A honeytrap-svn/tools/htprox.c A honeytrap-svn/tools/ngram.c A honeytrap-svn/tools/base64decode.c A honeytrap-svn/tools/edist.c A honeytrap-svn/tools/ngtrie.c A honeytrap-svn/LICENSE A honeytrap-svn/AUTHORS A honeytrap-svn/TODO A honeytrap-svn/doc A honeytrap-svn/doc/honeytrap.8 A honeytrap-svn/doc/Makefile.am A honeytrap-svn/INSTALL A honeytrap-svn/configure.in A honeytrap-svn/ChangeLog A honeytrap-svn/src A honeytrap-svn/src/sock.c A honeytrap-svn/src/pcapmon.h A honeytrap-svn/src/ipqmon.c A honeytrap-svn/src/sha512.c A honeytrap-svn/src/sock.h A honeytrap-svn/src/attack.c A honeytrap-svn/src/ipqmon.h A honeytrap-svn/src/sha512.h A honeytrap-svn/src/honeytrap.c A honeytrap-svn/src/attack.h A honeytrap-svn/src/util.c A honeytrap-svn/src/honeytrap.h A honeytrap-svn/src/proxy.c A honeytrap-svn/src/readconf.c A honeytrap-svn/src/util.h A honeytrap-svn/src/md5.c A honeytrap-svn/src/proxy.h A 
honeytrap-svn/src/readconf.h A honeytrap-svn/src/modules A honeytrap-svn/src/modules/htm_ftpDownload.h A honeytrap-svn/src/modules/htm_SpamSum.h A honeytrap-svn/src/modules/htm_submitNebula.c A honeytrap-svn/src/modules/htm_submitPostgres.c A honeytrap-svn/src/modules/htm_cpuEmu.c A honeytrap-svn/src/modules/htm_SaveFile.c A honeytrap-svn/src/modules/htm_b64Decode.c A honeytrap-svn/src/modules/htm_submitNebula.h A honeytrap-svn/src/modules/htm_submitPostgres.h A honeytrap-svn/src/modules/htm_cpuEmu.h A honeytrap-svn/src/modules/htm_SaveFile.h A honeytrap-svn/src/modules/htm_ClamAV.c A honeytrap-svn/src/modules/htm_b64Decode.h A honeytrap-svn/src/modules/htm_tftpDownload.c A honeytrap-svn/src/modules/htm_httpDownload.c A honeytrap-svn/src/modules/htm_submitMWserv.c A honeytrap-svn/src/modules/htm_ClamAV.h A honeytrap-svn/src/modules/htm_tftpDownload.h A honeytrap-svn/src/modules/htm_httpDownload.h A honeytrap-svn/src/modules/htm_submitMWserv.h A honeytrap-svn/src/modules/htm_vncDownload.c A honeytrap-svn/src/modules/Makefile.am A honeytrap-svn/src/modules/htm_ftpDownload.c A honeytrap-svn/src/modules/htm_cspm A honeytrap-svn/src/modules/htm_cspm/sc_buffer.c A honeytrap-svn/src/modules/htm_cspm/connectback.h A honeytrap-svn/src/modules/htm_cspm/htm_cspm.h A honeytrap-svn/src/modules/htm_cspm/sc_shellcodes.h A honeytrap-svn/src/modules/htm_cspm/sc_action.c A honeytrap-svn/src/modules/htm_cspm/sc_buffer.h A honeytrap-svn/src/modules/htm_cspm/signature_parser.y A honeytrap-svn/src/modules/htm_cspm/signature_scanner.l A honeytrap-svn/src/modules/htm_cspm/sc_parser.h A honeytrap-svn/src/modules/htm_cspm/sc_action.h A honeytrap-svn/src/modules/htm_cspm/sc_shellcode.c A honeytrap-svn/src/modules/htm_cspm/Makefile.am A honeytrap-svn/src/modules/htm_cspm/connectback.c A honeytrap-svn/src/modules/htm_cspm/htm_cspm.c A honeytrap-svn/src/modules/htm_vncDownload.h A honeytrap-svn/src/modules/htm_SpamSum.c A honeytrap-svn/src/md5.h A honeytrap-svn/src/plugin.c A 
honeytrap-svn/src/nfqmon.c A honeytrap-svn/src/response.c A honeytrap-svn/src/signals.c A honeytrap-svn/src/plugin.h A honeytrap-svn/src/nfqmon.h A honeytrap-svn/src/connectmon.c A honeytrap-svn/src/response.h A honeytrap-svn/src/ctrl.c A honeytrap-svn/src/conftree.c A honeytrap-svn/src/signals.h A honeytrap-svn/src/connectmon.h A honeytrap-svn/src/ctrl.h A honeytrap-svn/src/conftree.h A honeytrap-svn/src/parseconf.c A honeytrap-svn/src/tcpip.h A honeytrap-svn/src/parseconf.h A honeytrap-svn/src/dynsrv.c A honeytrap-svn/src/logging.c A honeytrap-svn/src/plughook.c A honeytrap-svn/src/Makefile.am A honeytrap-svn/src/dynsrv.h A honeytrap-svn/src/logging.h A honeytrap-svn/src/plughook.h A honeytrap-svn/src/pcapmon.c A honeytrap-svn/COPYING A honeytrap-svn/Makefile.am A honeytrap-svn/etc A honeytrap-svn/etc/honeytrap.conf.dist A honeytrap-svn/etc/responses A honeytrap-svn/etc/responses/1433_tcp A honeytrap-svn/etc/responses/5060_tcp A honeytrap-svn/etc/responses/3306_tcp A honeytrap-svn/etc/responses/139_tcp A honeytrap-svn/etc/responses/445_tcp A honeytrap-svn/etc/responses/4899_tcp A honeytrap-svn/etc/responses/5900_tcp A honeytrap-svn/etc/responses/4444_tcp A honeytrap-svn/etc/responses/110_tcp A honeytrap-svn/etc/responses/21000_tcp A honeytrap-svn/etc/responses/21_tcp A honeytrap-svn/etc/responses/25_tcp A honeytrap-svn/etc/responses/80_tcp A honeytrap-svn/etc/responses/135_tcp A honeytrap-svn/etc/ports.conf.dist A honeytrap-svn/NEWS A honeytrap-svn/README Checked out revision 1671. // Configure darkstar@linuxpowaaa:~/honeytrap-svn$ ./configure --with-stream-mon=pcap checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... /bin/mkdir -p checking for gawk... no checking for mawk... mawk checking whether make sets $(MAKE)... yes checking whether to enable maintainer-specific portions of Makefiles... no checking for style of include used by make... GNU checking for gcc... 
gcc checking for C compiler default output file name... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking dependency style of gcc... none checking for gcc... (cached) gcc checking whether we are using the GNU C compiler... (cached) yes checking whether gcc accepts -g... (cached) yes checking for gcc option to accept ISO C89... (cached) none needed checking dependency style of gcc... (cached) none checking for flex... no checking for lex... no checking for bison... no checking for byacc... no checking for a sed that does not truncate output... /bin/sed checking build system type... i686-pc-linux-gnu checking host system type... i686-pc-linux-gnu checking for grep that handles long lines and -e... /bin/grep checking for egrep... /bin/grep -E checking for ld used by gcc... /usr/bin/ld checking if the linker (/usr/bin/ld) is GNU ld... yes checking for /usr/bin/ld option to reload object files... -r checking for BSD-compatible nm... /usr/bin/nm -B checking whether ln -s works... yes checking how to recognise dependent libraries... pass_all checking how to run the C preprocessor... gcc -E checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking dlfcn.h usability... yes checking dlfcn.h presence... yes checking for dlfcn.h... yes checking for g++... g++ checking whether we are using the GNU C++ compiler... yes checking whether g++ accepts -g... yes checking dependency style of g++... none checking how to run the C++ preprocessor... 
g++ -E checking for g77... no checking for xlf... no checking for f77... no checking for frt... no checking for pgf77... no checking for cf77... no checking for fort77... no checking for fl32... no checking for af77... no checking for xlf90... no checking for f90... no checking for pgf90... no checking for pghpf... no checking for epcf90... no checking for gfortran... no checking for g95... no checking for xlf95... no checking for f95... no checking for fort... no checking for ifort... no checking for ifc... no checking for efc... no checking for pgf95... no checking for lf95... no checking for ftn... no checking whether we are using the GNU Fortran 77 compiler... no checking whether accepts -g... no checking the maximum length of command line arguments... 32768 checking command to parse /usr/bin/nm -B output from gcc object... ok checking for objdir... .libs checking for ar... ar checking for ranlib... ranlib checking for strip... strip checking if gcc supports -fno-rtti -fno-exceptions... no checking for gcc option to produce PIC... -fPIC checking if gcc PIC flag -fPIC works... yes checking if gcc static flag -static works... yes checking if gcc supports -c -o file.o... yes checking whether the gcc linker (/usr/bin/ld) supports shared libraries... yes checking whether -lc should be explicitly linked in... no checking dynamic linker characteristics... GNU/Linux ld.so checking how to hardcode library paths into programs... immediate checking whether stripping libraries is possible... yes checking if libtool supports shared libraries... yes checking whether to build shared libraries... yes checking whether to build static libraries... yes configure: creating libtool appending configuration tag "CXX" to libtool checking for ld used by g++... /usr/bin/ld checking if the linker (/usr/bin/ld) is GNU ld... yes checking whether the g++ linker (/usr/bin/ld) supports shared libraries... yes checking for g++ option to produce PIC... 
-fPIC checking if g++ PIC flag -fPIC works... yes checking if g++ static flag -static works... yes checking if g++ supports -c -o file.o... yes checking whether the g++ linker (/usr/bin/ld) supports shared libraries... yes checking dynamic linker characteristics... GNU/Linux ld.so checking how to hardcode library paths into programs... immediate appending configuration tag "F77" to libtool checking whether byte ordering is bigendian... no checking for sparc alignment... no checking for strings.h... (cached) yes checking for string.h... (cached) yes checking for stdlib.h... (cached) yes checking for unistd.h... (cached) yes checking sys/sockio.h usability... no checking sys/sockio.h presence... no checking for sys/sockio.h... no checking pcap-bpf.h usability... yes checking pcap-bpf.h presence... yes checking for pcap-bpf.h... yes checking net/bpf.h usability... no checking net/bpf.h presence... no checking for net/bpf.h... no checking for inet_ntoa in -lnsl... yes checking for socket in -lsocket... no checking for snprintf... yes checking for strerror... yes checking for __FUNCTION__... yes checking pcap.h usability... yes checking pcap.h presence... yes checking for pcap.h... yes checking for pcap_datalink in -lpcap... yes checking for dlsym in -ldl... yes checking for u_int8_t... yes checking for u_int16_t... yes checking for u_int32_t... yes checking for a BSD-compatible install... 
/usr/bin/install -c configure: creating ./config.status config.status: creating Makefile config.status: creating doc/Makefile config.status: creating src/Makefile config.status: creating src/modules/Makefile config.status: creating src/modules/htm_cspm/Makefile config.status: creating config.h config.status: config.h is unchanged config.status: executing depfiles commands ----- honeytrap configuration ----- General options ( ) Debugging ( ) Profiling ( ) Unstable Modules ( ) Electric Fence Connection monitor ( ) Linux ip_queue (ipq) ( ) FreeBSD ipfw (ipfw) ( ) Linux libnetfilter_queue (nfq) (X) Libpcap (pcap) Optional plugins ( ) ClamAV ( ) cpuEmu ( ) CSPM ( ) PostgeSQL ( ) SpamSum ( ) submitMwserv // make darkstar@linuxpowaaa:~/honeytrap-svn$ make make all-recursive make[1]: Entering directory `/home/darkstar/honeytrap-svn' Making all in doc make[2]: Entering directory `/home/darkstar/honeytrap-svn/doc' make[2]: Nothing to be done for `all'. make[2]: Leaving directory `/home/darkstar/honeytrap-svn/doc' Making all in src make[2]: Entering directory `/home/darkstar/honeytrap-svn/src' Making all in modules make[3]: Entering directory `/home/darkstar/honeytrap-svn/src/modules' make[4]: Entering directory `/home/darkstar/honeytrap-svn/src/modules' /bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c -o htm_SaveFile.lo htm_SaveFile.c mkdir .libs gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c htm_SaveFile.c -fPIC -DPIC -o .libs/htm_SaveFile.o gcc -DHAVE_CONFIG_H -I. -I../.. 
-I../ -Wall -Werror -g -O2 -Wall -c htm_SaveFile.c -o htm_SaveFile.o >/dev/null 2>&1 /bin/sh ../../libtool --tag=CC --mode=link gcc -Wall -Werror -g -O2 -Wall -module -no-undefined -avoid-version -Wl,--export-dynamic -o htm_SaveFile.la -rpath //usr/local/etc/honeytrap/plugins htm_SaveFile.lo -ldl -lpcap -lnsl -ldl gcc -shared .libs/htm_SaveFile.o -lpcap -lnsl -ldl -Wl,--export-dynamic -Wl,-soname -Wl,htm_SaveFile.so -o .libs/htm_SaveFile.so ar cru .libs/htm_SaveFile.a htm_SaveFile.o ranlib .libs/htm_SaveFile.a creating htm_SaveFile.la (cd .libs && rm -f htm_SaveFile.la && ln -s ../htm_SaveFile.la htm_SaveFile.la) /bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c -o htm_ftpDownload.lo htm_ftpDownload.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c htm_ftpDownload.c -fPIC -DPIC -o .libs/htm_ftpDownload.o gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c htm_ftpDownload.c -o htm_ftpDownload.o >/dev/null 2>&1 /bin/sh ../../libtool --tag=CC --mode=link gcc -Wall -Werror -g -O2 -Wall -module -no-undefined -avoid-version -Wl,--export-dynamic -o htm_ftpDownload.la -rpath //usr/local/etc/honeytrap/plugins htm_ftpDownload.lo -ldl -lpcap -lnsl -ldl gcc -shared .libs/htm_ftpDownload.o -lpcap -lnsl -ldl -Wl,--export-dynamic -Wl,-soname -Wl,htm_ftpDownload.so -o .libs/htm_ftpDownload.so ar cru .libs/htm_ftpDownload.a htm_ftpDownload.o ranlib .libs/htm_ftpDownload.a creating htm_ftpDownload.la (cd .libs && rm -f htm_ftpDownload.la && ln -s ../htm_ftpDownload.la htm_ftpDownload.la) /bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c -o htm_httpDownload.lo htm_httpDownload.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c htm_httpDownload.c -fPIC -DPIC -o .libs/htm_httpDownload.o gcc -DHAVE_CONFIG_H -I. -I../.. 
-I../ -Wall -Werror -g -O2 -Wall -c htm_httpDownload.c -o htm_httpDownload.o >/dev/null 2>&1 /bin/sh ../../libtool --tag=CC --mode=link gcc -Wall -Werror -g -O2 -Wall -module -no-undefined -avoid-version -Wl,--export-dynamic -o htm_httpDownload.la -rpath //usr/local/etc/honeytrap/plugins htm_httpDownload.lo -ldl -lpcap -lnsl -ldl gcc -shared .libs/htm_httpDownload.o -lpcap -lnsl -ldl -Wl,--export-dynamic -Wl,-soname -Wl,htm_httpDownload.so -o .libs/htm_httpDownload.so ar cru .libs/htm_httpDownload.a htm_httpDownload.o ranlib .libs/htm_httpDownload.a creating htm_httpDownload.la (cd .libs && rm -f htm_httpDownload.la && ln -s ../htm_httpDownload.la htm_httpDownload.la) /bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c -o htm_tftpDownload.lo htm_tftpDownload.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c htm_tftpDownload.c -fPIC -DPIC -o .libs/htm_tftpDownload.o gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c htm_tftpDownload.c -o htm_tftpDownload.o >/dev/null 2>&1 /bin/sh ../../libtool --tag=CC --mode=link gcc -Wall -Werror -g -O2 -Wall -module -no-undefined -avoid-version -Wl,--export-dynamic -o htm_tftpDownload.la -rpath //usr/local/etc/honeytrap/plugins htm_tftpDownload.lo -ldl -lpcap -lnsl -ldl gcc -shared .libs/htm_tftpDownload.o -lpcap -lnsl -ldl -Wl,--export-dynamic -Wl,-soname -Wl,htm_tftpDownload.so -o .libs/htm_tftpDownload.so ar cru .libs/htm_tftpDownload.a htm_tftpDownload.o ranlib .libs/htm_tftpDownload.a creating htm_tftpDownload.la (cd .libs && rm -f htm_tftpDownload.la && ln -s ../htm_tftpDownload.la htm_tftpDownload.la) /bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c -o htm_vncDownload.lo htm_vncDownload.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c htm_vncDownload.c -fPIC -DPIC -o .libs/htm_vncDownload.o gcc -DHAVE_CONFIG_H -I. -I../.. 
-I../ -Wall -Werror -g -O2 -Wall -c htm_vncDownload.c -o htm_vncDownload.o >/dev/null 2>&1 /bin/sh ../../libtool --tag=CC --mode=link gcc -Wall -Werror -g -O2 -Wall -module -no-undefined -avoid-version -Wl,--export-dynamic -o htm_vncDownload.la -rpath //usr/local/etc/honeytrap/plugins htm_vncDownload.lo -ldl -lpcap -lnsl -ldl gcc -shared .libs/htm_vncDownload.o -lpcap -lnsl -ldl -Wl,--export-dynamic -Wl,-soname -Wl,htm_vncDownload.so -o .libs/htm_vncDownload.so ar cru .libs/htm_vncDownload.a htm_vncDownload.o ranlib .libs/htm_vncDownload.a creating htm_vncDownload.la (cd .libs && rm -f htm_vncDownload.la && ln -s ../htm_vncDownload.la htm_vncDownload.la) /bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c -o htm_b64Decode.lo htm_b64Decode.c gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c htm_b64Decode.c -fPIC -DPIC -o .libs/htm_b64Decode.o gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c htm_b64Decode.c -o htm_b64Decode.o >/dev/null 2>&1 /bin/sh ../../libtool --tag=CC --mode=link gcc -Wall -Werror -g -O2 -Wall -module -no-undefined -avoid-version -Wl,--export-dynamic -o htm_b64Decode.la -rpath //usr/local/etc/honeytrap/plugins htm_b64Decode.lo -ldl -lpcap -lnsl -ldl gcc -shared .libs/htm_b64Decode.o -lpcap -lnsl -ldl -Wl,--export-dynamic -Wl,-soname -Wl,htm_b64Decode.so -o .libs/htm_b64Decode.so ar cru .libs/htm_b64Decode.a htm_b64Decode.o ranlib .libs/htm_b64Decode.a creating htm_b64Decode.la (cd .libs && rm -f htm_b64Decode.la && ln -s ../htm_b64Decode.la htm_b64Decode.la) make[4]: Leaving directory `/home/darkstar/honeytrap-svn/src/modules' make[3]: Leaving directory `/home/darkstar/honeytrap-svn/src/modules' make[3]: Entering directory `/home/darkstar/honeytrap-svn/src' gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c honeytrap.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. 
-I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c logging.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c ctrl.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c signals.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c readconf.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c parseconf.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c conftree.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c plugin.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c plughook.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c util.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c connectmon.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c response.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c dynsrv.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c attack.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c sock.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c proxy.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c sha512.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c md5.c gcc -DHAVE_CONFIG_H -I. -I.. -I.. 
-I../src -export-dynamic -Wall -Werror -g -O2 -Wall -c pcapmon.c /bin/sh ../libtool --tag=CC --mode=link gcc -export-dynamic -Wall -Werror -g -O2 -Wall -Wl,--export-dynamic -o honeytrap honeytrap.o logging.o ctrl.o signals.o readconf.o parseconf.o conftree.o plugin.o plughook.o util.o connectmon.o response.o dynsrv.o attack.o sock.o proxy.o sha512.o md5.o pcapmon.o -ldl -lpcap -lnsl -ldl gcc -Wall -Werror -g -O2 -Wall -Wl,--export-dynamic -o honeytrap honeytrap.o logging.o ctrl.o signals.o readconf.o parseconf.o conftree.o plugin.o plughook.o util.o connectmon.o response.o dynsrv.o attack.o sock.o proxy.o sha512.o md5.o pcapmon.o -Wl,--export-dynamic -lpcap -lnsl -ldl make[3]: Leaving directory `/home/darkstar/honeytrap-svn/src' make[2]: Leaving directory `/home/darkstar/honeytrap-svn/src' make[2]: Entering directory `/home/darkstar/honeytrap-svn' make[2]: Leaving directory `/home/darkstar/honeytrap-svn' make[1]: Leaving directory `/home/darkstar/honeytrap-svn' // make install darkstar@linuxpowaaa:~/honeytrap-svn$ sudo make install [sudo] password for darkstar: Making install in doc make[1]: Entering directory `/home/darkstar/honeytrap-svn/doc' make[2]: Entering directory `/home/darkstar/honeytrap-svn/doc' make[2]: Nothing to be done for `install-exec-am'. 
test -z "/usr/local/share/man/man8" || /bin/mkdir -p "/usr/local/share/man/man8" /usr/bin/install -c -m 644 './honeytrap.8' '/usr/local/share/man/man8/honeytrap.8' make[2]: Leaving directory `/home/darkstar/honeytrap-svn/doc' make[1]: Leaving directory `/home/darkstar/honeytrap-svn/doc' Making install in src make[1]: Entering directory `/home/darkstar/honeytrap-svn/src' Making install in modules make[2]: Entering directory `/home/darkstar/honeytrap-svn/src/modules' make[3]: Entering directory `/home/darkstar/honeytrap-svn/src/modules' make[4]: Entering directory `/home/darkstar/honeytrap-svn/src/modules' /bin/sh /home/darkstar/honeytrap-svn/install-sh -d //usr/local/etc/honeytrap/plugins for module in `find .libs -name htm_*.so`; do \ [ -h $module ] || /usr/bin/install -c -m 644 "$module" //usr/local/etc/honeytrap/plugins ; \ done make[4]: Nothing to be done for `install-data-am'. make[4]: Leaving directory `/home/darkstar/honeytrap-svn/src/modules' make[3]: Leaving directory `/home/darkstar/honeytrap-svn/src/modules' make[2]: Leaving directory `/home/darkstar/honeytrap-svn/src/modules' make[2]: Entering directory `/home/darkstar/honeytrap-svn/src' make[3]: Entering directory `/home/darkstar/honeytrap-svn/src' test -z "/usr/local/sbin" || /bin/mkdir -p "/usr/local/sbin" /bin/sh ../libtool --mode=install /usr/bin/install -c 'honeytrap' '/usr/local/sbin/honeytrap' /usr/bin/install -c honeytrap /usr/local/sbin/honeytrap make[3]: Nothing to be done for `install-data-am'. make[3]: Leaving directory `/home/darkstar/honeytrap-svn/src' make[2]: Leaving directory `/home/darkstar/honeytrap-svn/src' make[1]: Leaving directory `/home/darkstar/honeytrap-svn/src' make[1]: Entering directory `/home/darkstar/honeytrap-svn' make[2]: Entering directory `/home/darkstar/honeytrap-svn' make[2]: Nothing to be done for `install-exec-am'. 
/bin/sh /home/darkstar/honeytrap-svn/install-sh -d //usr/local/etc /bin/sh /home/darkstar/honeytrap-svn/install-sh -d //usr/local/etc/honeytrap /bin/sh /home/darkstar/honeytrap-svn/install-sh -d //usr/local/etc/honeytrap/responses /usr/bin/install -c -m 644 etc/honeytrap.conf.dist //usr/local/etc/honeytrap/honeytrap.conf.dist test -f //usr/local/etc/honeytrap/honeytrap.conf || /usr/bin/install -c -m 644 etc/honeytrap.conf.dist //usr/local/etc/honeytrap/honeytrap.conf /usr/bin/install -c -m 644 etc/ports.conf.dist //usr/local/etc/honeytrap/ports.conf.dist /usr/bin/install -c -m 644 etc/responses/* //usr/local/etc/honeytrap/responses make[2]: Leaving directory `/home/darkstar/honeytrap-svn' make[1]: Leaving directory `/home/darkstar/honeytrap-svn' // Run honeytrap root@linuxpowaaa:/usr/local/sbin# honeytrap -a 172.17.20.72 -u honeyd -g honeyd -t 6 -C /usr/local/etc/honeytrap/honeytrap.conf -D honeytrap v1.0.0 - Initializing. Saving old working directory. Reading configuration from /usr/local/etc/honeytrap/honeytrap.conf. Not daemonizing - staying in foreground. Setting logfile to /var/log/honeytrap/honeytrap.log. Setting process id file to /var/run/honeytrap.pid. Loading default responses from /usr/local/etc/honeytrap/responses. Setting promiscuous mode to on. Setting user to honeyd Setting group to honeyd Setting read limit to 20971520. Loading plugins from /usr/local/etc/honeytrap/plugins. Looking for plugin ftpDownload in /usr/local/etc/honeytrap/plugins Plugin found: /usr/local/etc/honeytrap/plugins/htm_ftpDownload.so Loading plugin ftpDownload v0.5.3 Initializing plugin ftpDownload. Hooking plugin ftpDownload to 'unload_plugins'. ftpDownload::plugin_unload() hooked to 'unload_plugins'. Plugin ftpDownload: Registering hooks. Hooking ftpDownload::cmd_parse_for_ftp() to 'process_attack' (priority: 1). ftpDownload::cmd_parse_for_ftp() hooked to 'process_attack' (priority: 1). Plugin ftpDownload: Registering hooks. 
Looking for plugin tftpDownload in /usr/local/etc/honeytrap/plugins Plugin found: /usr/local/etc/honeytrap/plugins/htm_tftpDownload.so Loading plugin tftpDownload v0.4.1 Initializing plugin tftpDownload. Hooking plugin tftpDownload to 'unload_plugins'. tftpDownload::plugin_unload() hooked to 'unload_plugins'. Plugin tftpDownload: Registering hooks. Hooking tftpDownload::cmd_parse_for_tftp() to 'process_attack' (priority: 1). tftpDownload::cmd_parse_for_tftp() hooked to 'process_attack' (priority: 1). Looking for plugin httpDownload in /usr/local/etc/honeytrap/plugins Plugin found: /usr/local/etc/honeytrap/plugins/htm_httpDownload.so Loading plugin httpDownload v0.0.2 Initializing plugin httpDownload. Hooking plugin httpDownload to 'unload_plugins'. httpDownload::plugin_unload() hooked to 'unload_plugins'. Plugin httpDownload: Registering hooks. Hooking httpDownload::cmd_parse_for_http_url() to 'process_attack' (priority: 3). httpDownload::cmd_parse_for_http_url() hooked to 'process_attack' (priority: 3). Plugin httpDownload: Registering hooks. Looking for plugin b64Decode in /usr/local/etc/honeytrap/plugins Plugin found: /usr/local/etc/honeytrap/plugins/htm_b64Decode.so Loading plugin b64Decode v0.3.1 Initializing plugin b64Decode. Hooking plugin b64Decode to 'unload_plugins'. b64Decode::plugin_unload() hooked to 'unload_plugins'. Plugin b64Decode: Registering hooks. Hooking b64Decode::b64_decode() to 'process_attack' (priority: 0). b64Decode::b64_decode() hooked to 'process_attack' (priority: 0). Looking for plugin vncDownload in /usr/local/etc/honeytrap/plugins Plugin found: /usr/local/etc/honeytrap/plugins/htm_vncDownload.so Loading plugin vncDownload v0.3 Initializing plugin vncDownload. Hooking plugin vncDownload to 'unload_plugins'. vncDownload::plugin_unload() hooked to 'unload_plugins'. Plugin vncDownload: Registering hooks. Hooking vncDownload::cmd_parse_for_vnc() to 'process_attack' (priority: 1). 
vncDownload::cmd_parse_for_vnc() hooked to 'process_attack' (priority: 1).
Looking for plugin SaveFile in /usr/local/etc/honeytrap/plugins
Plugin found: /usr/local/etc/honeytrap/plugins/htm_SaveFile.so
Loading plugin SaveFile v0.2.0
Initializing plugin SaveFile.
Hooking plugin SaveFile to 'unload_plugins'.
SaveFile::plugin_unload() hooked to 'unload_plugins'.
Plugin SaveFile: Registering hooks.
Hooking SaveFile::save_to_file() to 'process_attack' (priority: 2).
SaveFile::save_to_file() hooked to 'process_attack' (priority: 2).
Plugin SaveFile: Registering hooks.
Looking for plugin ClamAV in /usr/local/etc/honeytrap/plugins
Plugin found: /usr/local/etc/honeytrap/plugins/htm_ClamAV.so
Loading plugin ClamAV v0.1.0
Initializing plugin ClamAV.
Hooking plugin ClamAV to 'unload_plugins'.
ClamAV::plugin_unload() hooked to 'unload_plugins'.
Plugin ClamAV: Registering hooks.
Hooking ClamAV::clamscan() to 'process_attack' (priority: 3).
ClamAV::clamscan() hooked to 'process_attack' (priority: 3).
Plugin ClamAV: Registering hooks.
ClamAV - Loading signature database, be patient.
ClamAV - Loaded 378210 signatures.
ClamAV - Signature database initialized.
Port 22/tcp is configured to be handled in ignore mode.
Port 21/tcp is configured to be handled in normal mode.
Port 23/tcp is configured to be handled in normal mode.
Port 80/tcp is configured to be handled in normal mode.
Port 110/tcp is configured to be handled in normal mode.
Port 135/tcp is configured to be handled in normal mode.
Port 139/tcp is configured to be handled in normal mode.
Port 143/tcp is configured to be handled in normal mode.
Port 443/tcp is configured to be handled in normal mode.
Port 445/tcp is configured to be handled in normal mode.
Handler for signal 17 installed.
Handler for signal 1 installed.
Handler for signal 4 installed.
Handler for signal 2 installed.
Handler for signal 3 installed.
Handler for signal 11 installed.
Handler for signal 15 installed.
No device given, trying to use default device.
Default device is eth0.
Servers will run as user honeyd (109).
Servers will run as group honeyd (120).
Loading default responses.
Searching for response files in /usr/local/etc/honeytrap/responses
Response file found: /usr/local/etc/honeytrap/responses/80_tcp
Loading default response for port 80/tcp.
Default response string for port 80/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/5900_tcp
Loading default response for port 5900/tcp.
Default response string for port 5900/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/5060_tcp
Loading default response for port 5060/tcp.
Default response string for port 5060/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/4899_tcp
Loading default response for port 4899/tcp.
Default response string for port 4899/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/445_tcp
Loading default response for port 445/tcp.
Default response string for port 445/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/4444_tcp
Loading default response for port 4444/tcp.
Default response string for port 4444/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/3306_tcp
Loading default response for port 3306/tcp.
Default response string for port 3306/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/25_tcp
Loading default response for port 25/tcp.
Default response string for port 25/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/21_tcp
Loading default response for port 21/tcp.
Default response string for port 21/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/21000_tcp
Loading default response for port 21000/tcp.
Default response string for port 21000/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/1433_tcp
Loading default response for port 1433/tcp.
Default response string for port 1433/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/139_tcp
Loading default response for port 139/tcp.
Default response string for port 139/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/135_tcp
Loading default response for port 135/tcp.
Default response string for port 135/tcp successfully loaded.
Response file found: /usr/local/etc/honeytrap/responses/110_tcp
Loading default response for port 110/tcp.
Default response string for port 110/tcp successfully loaded.
Connections will be handled in normal mode by default.
Using libpcap version 0.9.7.
Processing interface eth0.
Interface eth0 has unknown address family 17.
Interface eth0 has an AF_INET address.
Interface eth0 has an AF_INET address.
Interface eth0 has an AF_INET address.
Interface eth0 has an AF_INET address.
Interface eth0 has an AF_INET address.
Interface eth0 has unknown address family 10.
BPF string is '((tcp[13] & 0x04 != 0 and tcp[4:4] == 0) or (icmp[0] == 3 and icmp[1] == 3)) and (src host 172.17.20.72)'.
Logging to /var/log/honeytrap/honeytrap.log.
Initialization complete.

honeytrap v1.0.0 Copyright (C) 2005-2007 Tillmann Werner <til...@gm...>
[2008-07-30 10:16:13] 9895 Master process pid written to /var/run/honeytrap.pid.
[2008-07-30 10:16:13] 9895 Creating pcap connection monitor.
[2008-07-30 10:16:13] 9895 Looking up device properties for eth0.
[2008-07-30 10:16:13] 9895 Creating pcap sniffer on eth0.
[2008-07-30 10:16:13] 9895 Using a 14 bytes offset for EN10MB.
[2008-07-30 10:16:13] 9895 ---- Trapping attacks on eth0 via PCAP. ----

//
// Now, trying to raise honeytrap by simulating a connection on port http
//

[2008-07-30 10:18:28] 9895 172.17.20.6:3443 requesting tcp connection on 172.17.20.72:80.
[2008-07-30 10:18:28] 9895 Port 80/tcp is configured to be handled in normal mode.
[2008-07-30 10:18:28] 9928 Requesting tcp socket.
[2008-07-30 10:18:28] 9928 Unable to bind to port 80/tcp: Address already in use.
[2008-07-30 10:18:28] 9895 Process 9895 received signal 17 on pipe.
[2008-07-30 10:18:28] 9895 SIGCHILD received.
[2008-07-30 10:18:28] 9895 Process 9928 terminated.
[2008-07-30 10:18:28] 9895 Warning - Process 9928 exited on failure.
[2008-07-30 10:18:28] 9895 Signal handler for SIGCHLD reinstalled.
[2008-07-30 10:18:28] 9895 172.17.20.6:3443 requesting tcp connection on 172.17.20.72:80.
[2008-07-30 10:18:28] 9895 Port 80/tcp is configured to be handled in normal mode.
[2008-07-30 10:18:28] 9929 Requesting tcp socket.
[2008-07-30 10:18:28] 9929 Unable to bind to port 80/tcp: Address already in use.
[2008-07-30 10:18:28] 9895 Process 9895 received signal 17 on pipe.
[2008-07-30 10:18:28] 9895 SIGCHILD received.
[2008-07-30 10:18:28] 9895 Process 9929 terminated.
[2008-07-30 10:18:28] 9895 Warning - Process 9929 exited on failure.
[2008-07-30 10:18:28] 9895 Signal handler for SIGCHLD reinstalled.
[2008-07-30 10:18:29] 9895 172.17.20.6:3443 requesting tcp connection on 172.17.20.72:80.
[2008-07-30 10:18:29] 9895 Port 80/tcp is configured to be handled in normal mode.
[2008-07-30 10:18:29] 9930 Requesting tcp socket.
[2008-07-30 10:18:29] 9930 Unable to bind to port 80/tcp: Address already in use.
[2008-07-30 10:18:29] 9895 Process 9895 received signal 17 on pipe.
[2008-07-30 10:18:29] 9895 SIGCHILD received.
[2008-07-30 10:18:29] 9895 Process 9930 terminated.
[2008-07-30 10:18:29] 9895 Warning - Process 9930 exited on failure.
[2008-07-30 10:18:29] 9895 Signal handler for SIGCHLD reinstalled.
//
// While there is no socket open on that port of that interface
//

root@linuxpowaaa:/var/log/exim4# netstat -tpan | grep 172.17.20.72
root@linuxpowaaa:/var/log/exim4#

//
// My configuration file
//

/*
 * honeytrap 1.0 configuration file template -- please adjust
 * (c) Tillmann Werner <til...@gm...>
 */

/* log to this file */
logfile = "/var/log/honeytrap/honeytrap.log"

/* PID file */
pidfile = "/var/run/honeytrap.pid"

/* where to look for default responses
 * these are sent for connections handled in "normal mode" */
response_dir = "/usr/local/etc/honeytrap/responses"

/* replace rfc1918 ip addresses with attacking ip address */
replace_private_ips = "no"

/* default port mode -- valid values are "ignore", "normal" and "mirror"
portconf_default = "normal"

/* put network interface into promiscuous mode
 * (only availabel when compiled with --with-pcap-mon) */
//promisc = "on"

/* the user and group under which honeytrap should run
 * should be set to non-root */
user = "honeyd"
group = "honeyd"

// do not read more than 20 MB - used to prevent DoS attacks
read_limit = "20971520"

/* include a file */
//include = "ports.conf"

/* ----- plugin stuff below ----- */

/* where to look for plugins
   need to be set before loading plugins */
plugin_dir = "/usr/local/etc/honeytrap/plugins"

/* include a plugin via plugin-[ModuleName] = "" */
plugin-ftpDownload = ""
plugin-tftpDownload = ""
plugin-httpDownload = ""
plugin-b64Decode = ""
plugin-vncDownload = ""
// plugin-ClamAV = ""
plugin-SaveFile = ""

/* store attacks on disk */
plugin-SaveFile = {
    attacks_dir = "/var/log/honeytrap/attacks"
    downloads_dir = "/var/log/honeytrap/downloads"
}

/* scan downloaded samples with ClamAV engine */
plugin-ClamAV = {
    temp_dir = "/tmp"
    clamdb_path = "/var/lib/clamav"
}

/* calculate locality sensitive hashes */
//plugin-SpamSum = {
//    md5sum_sigfile = "/opt/honeytrap/md5sum.sigs"
//    spamsum_sigfile = "/opt/honeytrap/spamsum.sigs"
//}

/* store attacks in PostgeSQL database */
/*
plugin-SavePostgres = {
    db_host = "localhost"
    db_name = "some_db"
    db_user = "some_user"
    db_pass = "some_pass"
//  db_port = "some_port"    // defaults to 5432/tcp if not set
}
*/

/* invoke wget to download files via http */
plugin-httpDownload = {
    http_program = "/usr/bin/wget"
//  http_options = "-nv"
    http_options = "-q"
    download_dir = "/var/log/honeytrap/downloads/"
}

/* ----- port mode configuration below ----- */

// default port configuration (ignore, normal or mirror)
//   ignore: just ignore connection attempts
//   normal: send a default response
//   mirror: mirror connections back to the initiator (use with caution!)
portconf_default = "normal"

// explicit port configuration
portconf = {
    /* ignore these ports */
    ignore = {
        protocol = "tcp"
        port = "22"
    }
    normal = {
        protocol = "tcp"
        port = ["21", "23", "80", "110", "135", "139", "143", "443", "445"]
    }
}

//
// My kernel version
//

root@linuxpowaaa:/var/log/exim4# uname -a
Linux linuxpowaaa 2.6.22-15-generic #1 SMP Fri Jul 11 19:25:33 UTC 2008 i686 GNU/Linux
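What the BPF string in the log above actually selects, shown as an added illustration in plain Python rather than honeytrap's own code: the pcap connection monitor only watches the honeypot address's own outgoing TCP resets whose sequence number is 0 (what a stack sends back to a SYN on a closed port) and its ICMP port-unreachable messages, which is how it learns that 172.17.20.6:3443 asked for port 80 before any socket exists there and then tries to bind that port. The packets below are constructed inline; the helper names are mine.

```python
import socket
import struct

HONEYPOT_IP = "172.17.20.72"   # the address passed with -a in the command above


def ipv4_packet(proto, src, dst, payload):
    """Constructed minimal IPv4 packet: 20-byte header (no options, checksum 0) + payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def tcp_segment(sport, dport, seq, ack, flags):
    """Constructed 20-byte TCP header without payload; flags is the tcp[13] byte."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0)


def icmp_message(icmp_type, code):
    """Constructed 8-byte ICMP header."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0)


def matches_monitor_filter(pkt, honeypot_ip=HONEYPOT_IP):
    """Evaluate the logged filter on one raw IPv4 packet:
    ((tcp[13] & 0x04 != 0 and tcp[4:4] == 0) or (icmp[0] == 3 and icmp[1] == 3))
    and (src host <honeypot_ip>)"""
    ihl = (pkt[0] & 0x0F) * 4                        # IP header length in bytes
    if socket.inet_ntoa(pkt[12:16]) != honeypot_ip:  # "src host ..." clause
        return False
    proto, l4 = pkt[9], pkt[ihl:]
    if proto == socket.IPPROTO_TCP and len(l4) >= 20:
        rst_set = bool(l4[13] & 0x04)                # tcp[13] & 0x04: RST flag
        seq = struct.unpack("!I", l4[4:8])[0]        # tcp[4:4]: sequence number
        # RFC 793: a RST answering a SYN (which carries no ACK) has sequence
        # number 0, so this is the local stack refusing a closed port, not a
        # reset of an established session.
        return rst_set and seq == 0
    if proto == socket.IPPROTO_ICMP and len(l4) >= 2:
        return l4[0] == 3 and l4[1] == 3             # destination unreachable, port unreachable
    return False


def refused_connection(pkt, honeypot_ip=HONEYPOT_IP):
    """For a matching TCP RST, return (peer_ip, peer_port, honeypot_port), i.e. the data
    behind a log line like '172.17.20.6:3443 requesting tcp connection on ...:80'; else None."""
    if pkt[9] != socket.IPPROTO_TCP or not matches_monitor_filter(pkt, honeypot_ip):
        return None
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return socket.inet_ntoa(pkt[16:20]), dport, sport
```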
From: Tillmann W. <til...@gm...> - 2008-07-29 15:42:38
> I've upgraded to the svn version, but unfortunately I still have the
> same error. :-(

Can you please provide more details? Ideally all commands and their output from "svn co" on?

Thanks,
Tillmann
From: tatooin <ta...@fr...> - 2008-07-29 15:01:07
Hi Tillmann,

I've upgraded to the svn version, but unfortunately I still have the same error. :-(

Thanks !

----

Hi,

> I'm trying to setup honeytrap on a debian box. I'm using honeytrap 1.0,
> on a virtual interface with a private IP address.

Numerous bugs were fixed since 1.0, but there is no 1.1 release yet. Do a subversion checkout like this

svn co https://svn.mwcollect.org/honeytrap/trunk honeytrap

and configure && make that code.

> honeytrap -a 172.17.20.72 -u honeyd -g honeyd -t 6 -C
> /usr/local/etc/honeytrap/honeytrap.conf -D -L
> /var/log/honeytrap/honeytrap.log

That looks OK. By the way, you use the pcap stream monitor, right? On Linux you might want to give the nfq stream monitor a try.

Regards,
Tillmann
From: Tillmann W. <til...@gm...> - 2008-07-28 16:47:22
Hi,

> I'm trying to setup honeytrap on a debian box. I'm using honeytrap 1.0,
> on a virtual interface with a private IP address.

Numerous bugs were fixed since 1.0, but there is no 1.1 release yet. Do a subversion checkout like this

svn co https://svn.mwcollect.org/honeytrap/trunk honeytrap

and configure && make that code.

> honeytrap -a 172.17.20.72 -u honeyd -g honeyd -t 6 -C
> /usr/local/etc/honeytrap/honeytrap.conf -D -L
> /var/log/honeytrap/honeytrap.log

That looks OK. By the way, you use the pcap stream monitor, right? On Linux you might want to give the nfq stream monitor a try.

Regards,
Tillmann