Question: listening to VLAN interface.

2006-10-16
2013-04-26
  • How can I make honeytrap listen on a GNU/Linux VLAN interface that is connected to a VLAN-segmented switch?

    Example of how I run honeytrap:

    # vconfig add eth1 10
    # vconfig add eth1 11

    # ifconfig eth1 0.0.0.0
    # ifconfig eth1.10 192.168.10.254
    # ifconfig eth1.11 192.168.11.254

    # honeytrap -i eth1
    honeytrap v0.6.3.1 - Initializing.
      Servers will run as user (null) (0).
      Servers will run as group nogroup (99).
    :
    :
      Promiscuous mode enabled.
    Segmentation fault

    If I invoke it with -i eth1.10 ... honeytrap does not complain. But how can I monitor eth1.11 at the same time?

    TQ.

    • honeytrap
      2006-10-16

      Could you please reproduce this with debug logging enabled? Pass '-D -t 6' to stay in foreground and do verbose logging.

      Tillmann

    • Here you go... gdb backtrace output.

      ----

      GNU gdb 6.3
      Copyright 2004 Free Software Foundation, Inc.
      GDB is free software, covered by the GNU General Public License, and you are
      welcome to change it and/or distribute copies of it under certain conditions.
      Type "show copying" to see the conditions.
      There is absolutely no warranty for GDB.  Type "show warranty" for details.
      This GDB was configured as "i486-slackware-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

      (gdb) set args
      (gdb) set args  -D -i eth1 -t 6
      (gdb) run
      Starting program: /root/honeytrap -D -i eth1 -t 6

      honeytrap v0.6.3.1 - Initializing.
        Saving old working directory.
        Not daemonizing - staying in foreground.
        Config file parser - File reopened as stream, ready to parse.
        Config file parser - Line 24 in /etc/honeytrap/honeytrap.conf: pidfile       = /var/run/honeytrap.pid
        Pid file is /var/run/honeytrap.pid.
        Config file parser - Line 25 in /etc/honeytrap/honeytrap.conf: logfile       = /etc/honeytrap/honeytrap.log
        Logfile is /etc/honeytrap/honeytrap.log.
        Config file parser - Line 27 in /etc/honeytrap/honeytrap.conf: response_dir = /etc/honeytrap/responses
        Loading default responses from /etc/honeytrap/responses.
        Config file parser - Line 28 in /etc/honeytrap/honeytrap.conf: plugin_dir = /etc/honeytrap/plugins
        Loading plugins from /etc/honeytrap/plugins.
        Config file parser - Line 30 in /etc/honeytrap/honeytrap.conf: attacks_dir = /var/spool/honeytrap/attacks
        Storing attack strings in /var/spool/honeytrap/attacks.
        Config file parser - Line 31 in /etc/honeytrap/honeytrap.conf: dlsave_dir = /var/spool/honeytrap/downloads
        Storing downloaded files in /var/spool/honeytrap/downloads.
        Config file parser - Line 37 in /etc/honeytrap/honeytrap.conf: promisc
        Activating promiscuous mode.
        Config file parser - Line 41 in /etc/honeytrap/honeytrap.conf: group  = nogroup
        Config file parser - 41 lines successfully parsed.
        Servers will run as user (null) (0).
        Servers will run as group nogroup (99).
        Searching for plugins in /etc/honeytrap/plugins
        Plugin found: /etc/honeytrap/plugins/htm_vncDownload.so
        Loading plugin htm_vncDownload v0.1.
        Initializing plugin htm_vncDownload.
          Hooking plugin htm_vncDownload to 'unload_plugins'.
          htm_vncDownload::plugin_unload() hooked to 'unload_plugins'.
          Plugin htm_vncDownload: Registering hooks.
          Hooking plugin htm_vncDownload to 'process_attack'.
          htm_vncDownload::cmd_parse_for_vnc() hooked to 'process_attack'.
        Plugin htm_vncDownload successfully initialized.
        Plugin found: /etc/honeytrap/plugins/htm_tftpDownload.so
        Loading plugin htm_tftpDownload v0.1.
        Initializing plugin htm_tftpDownload.
          Hooking plugin htm_tftpDownload to 'unload_plugins'.
          htm_tftpDownload::plugin_unload() hooked to 'unload_plugins'.
          Plugin htm_tftpDownload: Registering hooks.
          Hooking plugin htm_tftpDownload to 'process_attack'.
          htm_tftpDownload::cmd_parse_for_tftp() hooked to 'process_attack'.
        Plugin htm_tftpDownload successfully initialized.
        Plugin found: /etc/honeytrap/plugins/htm_ftpDownload.so
        Loading plugin htm_ftpDownload v0.2.
        Initializing plugin htm_ftpDownload.
          Hooking plugin htm_ftpDownload to 'unload_plugins'.
          htm_ftpDownload::plugin_unload() hooked to 'unload_plugins'.
          Plugin htm_ftpDownload: Registering hooks.
          Hooking plugin htm_ftpDownload to 'process_attack'.
          htm_ftpDownload::cmd_parse_for_ftp() hooked to 'process_attack'.
        Plugin htm_ftpDownload successfully initialized.
        Plugin found: /etc/honeytrap/plugins/htm_aSaveFile.so
        Loading plugin htm_aSaveFile v0.1.
        Initializing plugin htm_aSaveFile.
          Hooking plugin htm_aSaveFile to 'unload_plugins'.
          htm_aSaveFile::plugin_unload() hooked to 'unload_plugins'.
          Plugin htm_aSaveFile: Registering hooks.
          Hooking plugin htm_aSaveFile to 'process_attack'.
          htm_aSaveFile::save_to_file() hooked to 'process_attack'.
        Plugin htm_aSaveFile successfully initialized.
        Plugin found: /etc/honeytrap/plugins/htm_aSaveBDB.so
        Loading plugin htm_aSaveBDB v0.1.
        Initializing plugin htm_aSaveBDB.
          Hooking plugin htm_aSaveBDB to 'unload_plugins'.
          htm_aSaveBDB::plugin_unload() hooked to 'unload_plugins'.
        Plugin htm_aSaveBDB successfully initialized.
        Searching for response files in /etc/honeytrap/responses
        Response file found: /etc/honeytrap/responses/80_tcp
        Loading default response for port 80/tcp.
        Default response string for port 80/tcp successfully loaded.
        Response file found: /etc/honeytrap/responses/4899_tcp
        Loading default response for port 4899/tcp.
        Default response string for port 4899/tcp successfully loaded.
        Response file found: /etc/honeytrap/responses/445_tcp
        Loading default response for port 445/tcp.
        Default response string for port 445/tcp successfully loaded.
        Response file found: /etc/honeytrap/responses/4444_tcp
        Loading default response for port 4444/tcp.
        Default response string for port 4444/tcp successfully loaded.
        Response file found: /etc/honeytrap/responses/3306_tcp
        Loading default response for port 3306/tcp.
        Default response string for port 3306/tcp successfully loaded.
        Response file found: /etc/honeytrap/responses/25_tcp
        Loading default response for port 25/tcp.
        Default response string for port 25/tcp successfully loaded.
        Response file found: /etc/honeytrap/responses/1433_tcp
        Loading default response for port 1433/tcp.
        Default response string for port 1433/tcp successfully loaded.
        Response file found: /etc/honeytrap/responses/139_tcp
        Loading default response for port 139/tcp.
        Default response string for port 139/tcp successfully loaded.
        Response file found: /etc/honeytrap/responses/135_tcp
        Loading default response for port 135/tcp.
        Default response string for port 135/tcp successfully loaded.
        Using libpcap version 0.9.4.
        Promiscuous mode enabled.
        Processing interface eth0.
        Processing interface eth1.
          Interface eth1 has unknown address family 17.
        Processing interface eth1.22.
        Processing interface eth1.23.
        Processing interface any.
        Processing interface lo.

      Program received signal SIGSEGV, Segmentation fault.
      0x0805026e in create_bpf (bpf_cmd_ext=0x0, ip_cmd_opt=0x0,
          dev=0x8089b10 "eth1") at pcapmon.c:265
      265     pcapmon.c: No such file or directory.
              in pcapmon.c
      (gdb) bt
      #0  0x0805026e in create_bpf (bpf_cmd_ext=0x0, ip_cmd_opt=0x0,
          dev=0x8089b10 "eth1") at pcapmon.c:265
      #1  0x0804e71b in configure (my_argc=6, my_argv=0xbfa6bc74) at readconf.c:322
      #2  0x0804c39f in main (argc=Cannot access memory at address 0xffffffff
      ) at honeytrap.c:86
      (gdb) bt
      #0  0x0805026e in create_bpf (bpf_cmd_ext=0x0, ip_cmd_opt=0x0,
          dev=0x8089b10 "eth1") at pcapmon.c:265
      #1  0x0804e71b in configure (my_argc=6, my_argv=0xbfa6bc74) at readconf.c:322
      #2  0x0804c39f in main (argc=Cannot access memory at address 0xffffffff
      ) at honeytrap.c:86

      ------

      Environment:
      GNU/Linux Slackware 10.1
      Linux kernel 2.6.18
      gcc 4.1.1
      libc 2.3.4
      libpcap 0.9.4
      CFLAGS=-O2 -s -fomit-frame-pointer -march=pentium4 -ffast-math
      CDEBUGFLAGS = -O2 -g -fomit-frame-pointer -march=pentium4 -ffast-math

      Anyway, I am able to run it with the -i any option...

      # /opt/honeytrap/sbin/honeytrap -D -t 6 -i any

      honeytrap v0.6.3.1 - Initializing.
        Saving old working directory.
        Not daemonizing - staying in foreground.
        Config file parser - File reopened as stream, ready to parse.
        Config file parser - Line 24 in /etc/honeytrap/honeytrap.conf: pidfile       = /var/run/honeytrap.pid
        Pid file is /var/run/honeytrap.pid.
        Config file parser - Line 25 in /etc/honeytrap/honeytrap.conf: logfile       = /etc/honeytrap/honeytrap.log
        Logfile is /etc/honeytrap/honeytrap.log.
        Config file parser - Line 27 in /etc/honeytrap/honeytrap.conf: response_dir = /etc/honeytrap/responses
        Loading default responses from /etc/honeytrap/responses.
        Config file parser - Line 28 in /etc/honeytrap/honeytrap.conf: plugin_dir = /etc/honeytrap/plugins
        Loading plugins from /etc/honeytrap/plugins.
        Config file parser - Line 30 in /etc/honeytrap/honeytrap.conf: attacks_dir = /var/spool/honeytrap/attacks
        Storing attack strings in /var/spool/honeytrap/attacks.
        Config file parser - Line 31 in /etc/honeytrap/honeytrap.conf: dlsave_dir = /var/spool/honeytrap/downloads
        Storing downloaded files in /var/spool/honeytrap/downloads.
        Config file parser - Line 37 in /etc/honeytrap/honeytrap.conf: promisc
        Activating promiscuous mode.
        Config file parser - Line 41 in /etc/honeytrap/honeytrap.conf: group  = nogroup
        Config file parser - 41 lines successfully parsed.
        Servers will run as user (null) (0).
        Servers will run as group nogroup (99).
        Searching for plugins in /etc/honeytrap/plugins
        Plugin found: /etc/honeytrap/plugins/htm_vncDownload.so
        Loading plugin htm_vncDownload v0.1.
        Initializing plugin htm_vncDownload.
          Hooking plugin htm_vncDownload to 'unload_plugins'.
          htm_vncDownload::plugin_unload() hooked to 'unload_plugins'.
          Plugin htm_vncDownload: Registering hooks.
          Hooking plugin htm_vncDownload to 'process_attack'.
          htm_vncDownload::cmd_parse_for_vnc() hooked to 'process_attack'.
        Plugin htm_vncDownload successfully initialized.
        Plugin found: /etc/honeytrap/plugins/htm_tftpDownload.so
        Loading plugin htm_tftpDownload v0.1.
        Initializing plugin htm_tftpDownload.
          Hooking plugin htm_tftpDownload to 'unload_plugins'.
          htm_tftpDownload::plugin_unload() hooked to 'unload_plugins'.
          Plugin htm_tftpDownload: Registering hooks.
          Hooking plugin htm_tftpDownload to 'process_attack'.
          htm_tftpDownload::cmd_parse_for_tftp() hooked to 'process_attack'.
        Plugin htm_tftpDownload successfully initialized.
        Plugin found: /etc/honeytrap/plugins/htm_ftpDownload.so
        Loading plugin htm_ftpDownload v0.2.
        Initializing plugin htm_ftpDownload.
          Hooking plugin htm_ftpDownload to 'unload_plugins'.
          htm_ftpDownload::plugin_unload() hooked to 'unload_plugins'.
          Plugin htm_ftpDownload: Registering hooks.
          Hooking plugin htm_ftpDownload to 'process_attack'.
          htm_ftpDownload::cmd_parse_for_ftp() hooked to 'process_attack'.
        Plugin htm_ftpDownload successfully initialized.
        Plugin found: /etc/honeytrap/plugins/htm_aSaveFile.so
        Loading plugin htm_aSaveFile v0.1.
        Initializing plugin htm_aSaveFile.
          Hooking plugin htm_aSaveFile to 'unload_plugins'.
          htm_aSaveFile::plugin_unload() hooked to 'unload_plugins'.
          Plugin htm_aSaveFile: Registering hooks.
          Hooking plugin htm_aSaveFile to 'process_attack'.
          htm_aSaveFile::save_to_file() hooked to 'process_attack'.
        Plugin htm_aSaveFile successfully initialized.
        Plugin found: /etc/honeytrap/plugins/htm_aSaveBDB.so
        Loading plugin htm_aSaveBDB v0.1.
        Initializing plugin htm_aSaveBDB.
          Hooking plugin htm_aSaveBDB to 'unload_plugins'.
          htm_aSaveBDB::plugin_unload() hooked to 'unload_plugins'.
        Plugin htm_aSaveBDB successfully initialized.
        Searching for response files in /etc/honeytrap/responses
        Response file found: /etc/honeytrap/responses/80_tcp
        Loading default response for port 80/tcp.
        Default response string for port 80/tcp successfully loaded.
        Response file found: /etc/honeytrap/responses/4899_tcp
        Loading default response for port 4899/tcp.
        Default response string for port 4899/tcp successfully loaded.
        Response file found: /etc/honeytrap/responses/445_tcp
        Loading default response for port 445/tcp.
        Default response string for port 445/tcp successfully loaded.
        Response file found: /etc/honeytrap/responses/4444_tcp
        Loading default response for port 4444/tcp.
        Default response string for port 4444/tcp successfully loaded.
        Response file found: /etc/honeytrap/responses/3306_tcp
        Loading default response for port 3306/tcp.
        Default response string for port 3306/tcp successfully loaded.
        Response file found: /etc/honeytrap/responses/25_tcp
        Loading default response for port 25/tcp.
        Default response string for port 25/tcp successfully loaded.
        Response file found: /etc/honeytrap/responses/1433_tcp
        Loading default response for port 1433/tcp.
        Default response string for port 1433/tcp successfully loaded.
        Response file found: /etc/honeytrap/responses/139_tcp
        Loading default response for port 139/tcp.
        Default response string for port 139/tcp successfully loaded.
        Response file found: /etc/honeytrap/responses/135_tcp
        Loading default response for port 135/tcp.
        Default response string for port 135/tcp successfully loaded.
        Using libpcap version 0.9.4.
        Promiscuous mode enabled.
        Processing interface eth0.
          Interface eth0 has unknown address family 17.
          Interface eth0 has an AF_INET address.
        Processing interface eth1.
          Interface eth1 has unknown address family 17.
        Processing interface eth1.10.
          Interface eth1.10 has unknown address family 17.
          Interface eth1.10 has an AF_INET address.
        Processing interface eth1.11.
          Interface eth1.11 has unknown address family 17.
          Interface eth1.11 has an AF_INET address.
        Processing interface any.
        Processing interface lo.
          Interface lo has unknown address family 17.
          Interface lo has an AF_INET address.
        BPF string is '(tcp[13] & 0x04 != 0) and (tcp[4:2] == 0) and (src host (192.168.10.254 or 192.168.11.254 or 10.0.0.1 or 127.0.0.1))'.
        Signal handler for SIGHUP installed.
        Signal handler for SIGSEGV installed.
        Signal handler for SIGINT installed.
        Signal handler for SIGQUIT installed.
        Signal handler for SIGTERM installed.
        Signal handler for SIGCHLD installed.
        Logging to /etc/honeytrap/honeytrap.log.
        Initialization complete.

      honeytrap v0.6.3.1 Copyright (C) 2005-2006 Tillmann Werner <tillmann.werner@gmx.de>
      [2006-10-17 08:31:19]  24595  Master process pid written to /var/run/honeytrap.pid.
      [2006-10-17 08:31:19]  24595  Creating pcap connection monitor.
      [2006-10-17 08:31:19]  24595  Looking up device properties for any.
      [2006-10-17 08:31:19]  24595  Starting pcap sniffer on any.
      [2006-10-17 08:31:19]  24595  Using a 16 bytes offset for LINUX_SLL.
      [2006-10-17 08:31:19]  24595  ---- Trapping attacks on any. ----

      TQ

    • honeytrap
      2006-10-20

      The SEGFAULT is fixed in svn. Thanks for reporting it.

      You can use the pcap connection monitor and sniff on interface 'any' to receive connection requests on both eth1.10 and eth1.11 but there is currently no way in libpcap to exclude interfaces. Thus, you are not able to only sniff on *some* (if more than one) of your local interfaces.

      On Linux, the best way would be to use the ipq connection monitor. You then have full control over connections that should be processed with honeytrap by invoking appropriate iptables rules.

    • TQ. Anyway, I tried with --ipq-mon and it works like a charm. I used -j NFQUEUE because -j QUEUE does not seem to work well with honeytrap.

      Here is an example of the iptables rule for my needs.

      # iptables -A INPUT -i eth1+ -p tcp --syn -m state --state NEW -j NFQUEUE

      TQ
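Added example (not honeytrap's code and not posted by anyone in this thread): the Python below models, over constructed packets, the two ways honeytrap is told about a connection attempt in this thread. The first is the pcap connection monitor's BPF filter that the debug output printed, '(tcp[13] & 0x04 != 0) and (tcp[4:2] == 0) and (src host (...))', which catches the RST segments the local stack sends back for closed ports; this is why the monitor only knows the local host list, not which interface the packet came in on. The second is the iptables rule from the last post, '-i eth1+ -p tcp --syn -m state --state NEW -j NFQUEUE', which is what gives the ipq monitor per-interface control. Assumptions: packets are built without a link-layer header and without valid checksums, the local host set is the one from the BPF string, conntrack's NEW state is approximated by the --syn test (SYN set, ACK/RST/FIN clear), and the demo addresses such as 10.1.2.3 are made up.

```python
import struct

# Local addresses exactly as they appeared in the BPF string in the debug log.
LOCAL_HOSTS = {"192.168.10.254", "192.168.11.254", "10.0.0.1", "127.0.0.1"}
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def _aton(ip):
    return bytes(int(o) for o in ip.split("."))


def _ntoa(b):
    return ".".join(str(x) for x in b)


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Constructed IPv4+TCP packet: 20-byte IP header, 20-byte TCP header,
    no options, no payload, checksums left at zero (not needed for matching)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6,
                         0, _aton(src_ip), _aton(dst_ip))
    return ip_hdr + tcp


def parse_ipv4_tcp(pkt):
    """Return the TCP fields the two filters need, or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:      # protocol 6 == TCP
        return None
    tcp = pkt[ihl:]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    return {"src": _ntoa(pkt[12:16]), "dst": _ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            # tcp[4:2] in BPF reads only the upper 16 bits of the sequence number
            "seq_hi16": struct.unpack("!H", tcp[4:6])[0],
            "flags": tcp[13]}                    # tcp[13] is the flags byte


def pcap_monitor_match(pkt, local_hosts=LOCAL_HOSTS):
    """Model of the pcap monitor's BPF filter from the debug log.
    A local host answering a SYN on a closed port with RST reveals the port
    that was probed; the local port is the RST's *source* port.
    Returns (local_ip, local_port) or None."""
    t = parse_ipv4_tcp(pkt)
    if t is None or not (t["flags"] & TCP_RST):  # tcp[13] & 0x04 != 0
        return None
    if t["seq_hi16"] != 0:                       # tcp[4:2] == 0
        return None
    if t["src"] not in local_hosts:              # src host (...)
        return None
    return (t["src"], t["sport"])


def iface_matches(rule_iface, iface):
    """iptables -i semantics: a trailing '+' makes the name a prefix wildcard,
    so 'eth1+' covers eth1, eth1.10 and eth1.11 but not eth0."""
    if rule_iface.endswith("+"):
        return iface.startswith(rule_iface[:-1])
    return iface == rule_iface


def ipq_rule_match(iface, pkt, rule_iface="eth1+"):
    """Model of '-i eth1+ -p tcp --syn -m state --state NEW'.
    --syn means SYN set with ACK, RST and FIN clear; here that also stands in
    for conntrack's NEW state (a simplification made for this example).
    Returns (iface, local_ip, local_port) of the queued SYN, or None."""
    if not iface_matches(rule_iface, iface):
        return None
    t = parse_ipv4_tcp(pkt)
    if t is None:
        return None
    if (t["flags"] & (TCP_SYN | TCP_ACK | TCP_RST | TCP_FIN)) != TCP_SYN:
        return None
    return (iface, t["dst"], t["dport"])


def demo():
    """Constructed traffic: a probe hits 192.168.11.254:4444 on eth1.11 and the
    stack answers with RST. Shows what each monitor would report."""
    syn = build_ipv4_tcp("10.1.2.3", "192.168.11.254", 51000, 4444, 1000, 0, TCP_SYN)
    rst = build_ipv4_tcp("192.168.11.254", "10.1.2.3", 4444, 51000, 0, 1001,
                         TCP_RST | TCP_ACK)
    return {"ipq_sees_syn": ipq_rule_match("eth1.11", syn),
            "ipq_ignores_eth0": ipq_rule_match("eth0", syn),
            "pcap_sees_rst": pcap_monitor_match(rst),
            "pcap_ignores_syn": pcap_monitor_match(syn)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two models make the developer's point concrete: the BPF filter has no interface term at all, so sniffing on 'any' is all-or-nothing, while the iptables rule selects by interface before honeytrap ever sees the packet. The seq check also shows a detail worth knowing when reading that filter: tcp[4:2] compares only the upper half of the sequence number, so an RST with seq 0x0000FFFF still passes.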