Running Honeycomb

March 27, 2007 by jsliw

The procedure I used to install the honeycomb plugin:

1. Install honeyd

2. Install libstree

3. Install honeycomb

4. Rebuild honeyd, starting with make clean

5. # ./configure --with-plugins=honeycomb

6. make

7. make install

Honeycomb plugin configuration file:

### Windows computers
create windows
set windows personality "Microsoft Windows NT 4.0 SP5-SP6"
set windows default tcp action reset
set windows default udp action reset
add windows tcp port 80 "scripts/iisemulator/iisemul8.pl"
add windows tcp port 139 open
add windows tcp port 137 open
add windows udp port 137 open
add windows udp port 135 open
add windows tcp port 110 "sh scripts/pop3.sh"
add windows tcp port 25 "sh scripts/smtp.sh"
add windows tcp port 21 "sh scripts/ftp.sh"
set windows uptime 3284460
bind 192.168.1.11 windows

# Honeycomb plugin configuration
#
# Add this to your honeyd configuration file and tweak as you see fit!
# ____________________________________________________________________

# Whether to run the plugin (1) or not (0)
option honeycomb enable 1

# What Snort alert category we use for our signatures
option honeycomb snort_alert_class alert

# The name of the output log file to which we log generated signatures
option honeycomb sig_output_file /tmp/honeycomb.log

# How many IP packets we keep in mind and search
# for matching data.
option honeycomb ip_backlog 100

# How many attempted UDP connections we maintain state for at any one time
option honeycomb udp_conns_max 1000

# How many answered UDP connections we maintain state for at any
# one time. Once a connection is answered, it is moved to a different
# hashtable. We therefore keep state for udp_conns_max attempted
# connections PLUS udp_dataconns_max answered ones.
option honeycomb udp_dataconns_max 1000

# The maximum number of bytes flowing in a single direction without
# any payload coming the other way during the UDP dialog that we
# store. More data going in one direction without any real data
# going the other way is not stored, as we’re currently not looking
# for data there.
#
# This is also the maximum string size the longest common substring
# algorithm in libstree needs to deal with, so we don’t make this
# too high to avoid performance hits.
option honeycomb udp_max_msg_size 5000

# We stop hunting for patterns at some point into a UDP exchange.
# The following defines the number of total bytes inbound before
# we stop caring.
option honeycomb udp_max_bytes 10000

# The minimum pattern length we require before we consider
# a string match in UDP payload meaningful:
option honeycomb udp_pattern_minlen 5

# How many initiated TCP connections we maintain state for at any one time.
option honeycomb tcp_conns_max 65000

# How many established TCP connections we maintain state for at any
# one time. Once a connection is established, it is moved to a different
# hashtable. We therefore keep state for tcp_conns_max unestablished
# connections PLUS tcp_dataconns_max established ones.
option honeycomb tcp_dataconns_max 1000

# The maximum number of bytes flowing in a single direction without
# any payload coming the other way during the TCP dialog that we
# store. More data going in one direction without any real data
# going the other way is not stored, as we’re currently not looking
# for data there.
#
# This is also the maximum string size the longest common substring
# algorithm in libstree needs to deal with, so we don’t make this
# too high to avoid performance hits.
option honeycomb tcp_max_msg_size 5000

# We stop hunting for patterns at some point into a TCP dialogue.
# The following defines the number of total bytes inbound before
# we stop caring.
option honeycomb tcp_max_bytes 10000

# For TCP, we also buffer the incoming payloads in one single buffer
# directly. This defines the size of that buffer.
option honeycomb tcp_max_buffering_in 1000

# The minimum pattern length we require before we consider
# a string match in TCP payload meaningful:
option honeycomb tcp_pattern_minlen 5

# The number of slots in the hashtables:
option honeycomb conns_hash_slots 199

# The connection hashtables are periodically checked for dead connections
# we’re no longer interested in (this doesn’t automatically mean terminated
# connections, as we need to keep connections around in order to be able to
# have something to compare new ones against!). This setting defines
# the interval in seconds between cleanups.
option honeycomb conns_hash_cleanup_interval 10

# How many generated signatures we keep around before we
# start to forget some.
option honeycomb sighist_max_size 200

# Detected signatures are kept in a history structure and reported
# periodically. This setting defines how long to wait between those
# reports. During the waiting period, existing signatures can be
# improved upon through new traffic flows.
option honeycomb sighist_interval 10

Honeycomb is working!
root@jason-desktop:/usr/local/share/honeyd# honeyd -df test1.conf -p nmap.prints -x xprobe2.conf -a nmap.assoc -l /var/log/honeyd -i eth0 192.168.1.0/24
Honeyd V1.5b Copyright (c) 2002-2004 Niels Provos
honeyd[645]: started with -df test1.conf -p nmap.prints -x xprobe2.conf -a nmap.assoc -l /var/log/honeyd -i eth0 192.168.1.0/24
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[645]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (net 192.168.1.0/24))) and not ether src 00:17:31:b6:9a:a1
honeyd[645]: registering plugin 'Honeycomb' (0.7)
honeyd[645]: Demoting process privileges to uid 65534, gid 65534
honeyd[645]: Killing unknown connection: tcp (208.65.153.253:80 - 192.168.1.11:52826)

Expose honeypot to internet

March 26, 2007 by jsliw

I use this simple configuration file as my virtual machine.

————————————————————————————————

### Windows computers
create windows
set windows personality "Microsoft Windows NT 4.0 SP5-SP6"
set windows default tcp action reset
set windows default udp action reset
add windows tcp port 80 "scripts/iisemulator/iisemul8.pl"
add windows tcp port 139 open
add windows tcp port 137 open
add windows udp port 137 open
add windows udp port 135 open
set windows uptime 3284460
bind 192.168.1.11 windows

—————————————————————————————

At the router side, I edit the routing table:

destination : 192.168.1.11 (Virtual machine)
netmask : 255.255.255.0
gateway : 192.168.1.2 (My box)

Enable the DMZ, pointing it to the virtual machine (192.168.1.11).

————————————————————————————————

root@jason-desktop:/usr/local/share/honeyd# honeyd -df test1.conf -p nmap.prints -x xprobe2.conf -a nmap.assoc -l /var/log/honeyd -s /var/log/honeyd2 -i eth0 192.168.1.0/24
Honeyd V1.5b Copyright (c) 2002-2004 Niels Provos
honeyd[6805]: started with -df test1.conf -p nmap.prints -x xprobe2.conf -a nmap.assoc -l /var/log/honeyd -s /var/log/honeyd2 -i eth0 192.168.1.0/24
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[6805]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (net 192.168.1.0/24))) and not ether src 00:17:31:b6:9a:a1
honeyd[6805]: Demoting process privileges to uid 65534, gid 65534
honeyd[6805]: Killing attempted connection: tcp (60.50.82.35:2394 - 192.168.1.11:445)
honeyd[6805]: Killing attempted connection: tcp (60.50.82.35:3735 - 192.168.1.11:135)
honeyd[6805]: Killing attempted connection: tcp (60.50.82.35:3735 - 192.168.1.11:135)
honeyd[6805]: Killing attempted connection: tcp (60.50.122.40:3575 - 192.168.1.11:445)
honeyd[6805]: Killing attempted connection: tcp (60.50.122.40:3575 - 192.168.1.11:445)
honeyd[6805]: Killing attempted connection: tcp (60.50.122.40:3575 - 192.168.1.11:445)
honeyd[6805]: Connection to closed port: udp (151.245.156.124:30576 - 192.168.1.11:1026)
honeyd[6805]: Killing attempted connection: tcp (60.50.251.93:3435 - 192.168.1.11:445)
honeyd[6805]: Killing attempted connection: tcp (60.50.251.93:3435 - 192.168.1.11:445)
honeyd[6805]: Connection to closed port: udp (125.78.181.59:20359 - 192.168.1.11:13547)
honeyd[6805]: Connection to closed port: udp (94.227.252.221:30576 - 192.168.1.11:1026)
honeyd[6805]: Killing attempted connection: tcp (60.50.82.35:1939 - 192.168.1.11:445)
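To make sense of a log like the one above once the honeypot is reachable from the Internet, here is an added Python example (not part of the original post and not honeyd's own tooling) that parses honeyd's connection lines and counts events per source address and destination port; the sample lines are constructed after the output above.

```python
import re
from collections import Counter

# Matches the honeyd syslog lines shown above, e.g.
#   honeyd[6805]: Killing attempted connection: tcp (60.50.82.35:2394 - 192.168.1.11:445)
# The endpoint separator is accepted as "-" or an en dash, since the blog's
# rendering turned honeyd's plain hyphen into an en dash.
LOG_RE = re.compile(
    r"honeyd\[(?P<pid>\d+)\]: (?P<event>[^:]+): (?P<proto>tcp|udp|icmp) "
    r"\((?P<src>[\d.]+):(?P<sport>\d+) [-\u2013] (?P<dst>[\d.]+):(?P<dport>\d+)\)"
)

# Constructed sample modelled on the post's output (not a real capture).
SAMPLE_LOG = """\
honeyd[6805]: Killing attempted connection: tcp (60.50.82.35:2394 - 192.168.1.11:445)
honeyd[6805]: Killing attempted connection: tcp (60.50.82.35:3735 - 192.168.1.11:135)
honeyd[6805]: Killing attempted connection: tcp (60.50.82.35:3735 - 192.168.1.11:135)
honeyd[6805]: Killing attempted connection: tcp (60.50.122.40:3575 - 192.168.1.11:445)
honeyd[6805]: Connection to closed port: udp (151.245.156.124:30576 - 192.168.1.11:1026)
honeyd[6805]: Connection established: tcp (192.168.1.2:52097 - 10.2.0.1:80) <-> sh scripts/web.sh
honeyd[6805]: Demoting process privileges to uid 65534, gid 65534
"""

def parse_line(line):
    """Fields of a connection event as a dict, or None for any other log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def summarise(text):
    """Count events per (source IP, proto, destination port) and per event type.
    Returns two Counters: by_source and by_event."""
    by_source, by_event = Counter(), Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        by_source[(ev["src"], ev["proto"], ev["dport"])] += 1
        by_event[ev["event"]] += 1
    return by_source, by_event

def top_sources(text, n=3):
    """The n most active (src, proto, dport) tuples, most frequent first."""
    return summarise(text)[0].most_common(n)

if __name__ == "__main__":
    for (src, proto, port), count in top_sources(SAMPLE_LOG):
        print(f"{src:>16} -> {proto}/{port}: {count} event(s)")
```

Pointing it at /var/log/honeyd (or at syslog) instead of SAMPLE_LOG gives a quick view of which ports the honeypot is being probed on and by whom.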

Honeypot working properly.

March 26, 2007 by jsliw

NMAP Front End

When I use NMAP to scan the virtual host created by honeyd, below is the log.

honeyd[7397]: Connection request: tcp (192.168.1.2:52097 - 10.2.0.1:80)
honeyd[7397]: Connection established: tcp (192.168.1.2:52097 - 10.2.0.1:80) <-> sh scripts/web.sh
honeyd[7397]: Connection dropped by reset: tcp (192.168.1.2:52097 - 10.2.0.1:80)
honeyd[7397]: Killing attempted connection: tcp (192.168.1.2:41582 - 10.2.0.1:800)
honeyd[7397]: Killing attempted connection: tcp (192.168.1.2:37857 - 10.2.0.1:10005)
honeyd[7397]: Killing attempted connection: tcp (192.168.1.2:42293 - 10.2.0.1:30

I am able to scan the virtual host using NMAP Front End, but it failed when I use the command in the terminal. Now trying to figure out what is wrong.

Run the Honeypot

March 26, 2007 by jsliw

This is my honeyd configuration:

route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
route 10.0.0.1 add net 10.3.0.0/16 10.2.0.1 latency 20ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
route 10.2.0.1 link 10.2.0.0/24
route 10.2.0.1 add net 10.3.0.0/16 10.3.0.1 latency 10ms loss 0.1
route 10.3.0.1 link 10.3.0.0/16

create routerone
set routerone personality "Cisco 7206 running IOS 11.1(24)"
set routerone default tcp action reset
add routerone tcp port 23 "scripts/router-telnet.pl"
bind 10.0.0.1 routerone

create routertwo
set routertwo personality "Cisco 762 Non-IOS Software release 4.1(2) or 766 ISDN router"
set routertwo default tcp action reset
add routertwo tcp port 23 "scripts/router-telnet.pl"
bind 10.1.0.1 routertwo

# Example of a simple host template and its binding
create default
set default personality "FreeBSD 2.2.1-STABLE"
set default default tcp action reset
add default tcp port 80 "sh scripts/web.sh"
add default tcp port 22 "sh scripts/test.sh"
add default tcp port 113 open
add default tcp port 1 open
bind 10.2.0.1 default

create allopen
set allopen personality "NetBSD 1.5.2 running on a Commodore Amiga (68040 processor)"
set allopen default tcp action reset
add allopen tcp port 80 "sh scripts/web.sh"
add allopen tcp port 113 open
add allopen tcp port 1 open
bind 10.0.0.10 allopen

create template
set template personality "Check Point FireWall-1 4.0 SP-5 (IPSO build)"
add template tcp port 80 "sh scripts/web.sh"
add template tcp port 23 open
add template tcp port 22 "sh scripts/test.sh"
set template default tcp action reset
set template uid 32767
bind 10.1.0.2 template

#bind 10.3.0.1 routerone
#bind 10.2.0.5 allopen
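As an added check (example code, not honeyd's own), the following Python reads the route and bind lines of a config like the one above and reports any template bound to an address that no route from the entry router covers, a common reason a virtual host never answers a scan. The config text is a constructed excerpt of the one above plus one deliberately unroutable bind (172.16.0.1).

```python
import ipaddress
from collections import deque

# Constructed excerpt of the post's routing topology plus one extra bind
# (172.16.0.1) that no route covers, so the failing case is visible.
CONFIG = """\
route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
route 10.2.0.1 link 10.2.0.0/24
route 10.2.0.1 add net 10.3.0.0/16 10.3.0.1 latency 10ms loss 0.1
route 10.3.0.1 link 10.3.0.0/16
bind 10.0.0.1 routerone
bind 10.1.0.2 template
bind 172.16.0.1 orphan
"""

def parse_routes(text):
    """Pull (entry router, links, routed nets, binds) out of honeyd config text.
    links: router -> [network]; nets: router -> [(network, gateway)]."""
    entry, links, nets, binds = None, {}, {}, []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["route", "entry"]:
            entry = tok[2]
        elif tok[:1] == ["route"] and tok[2:3] == ["link"]:
            links.setdefault(tok[1], []).append(ipaddress.ip_network(tok[3]))
        elif tok[:1] == ["route"] and tok[2:4] == ["add", "net"]:
            nets.setdefault(tok[1], []).append((ipaddress.ip_network(tok[4]), tok[5]))
        elif tok[:1] == ["bind"]:
            binds.append((ipaddress.ip_address(tok[1]), tok[2]))
    return entry, links, nets, binds

def reachable_networks(entry, links, nets):
    """Breadth-first walk of the router graph from the entry router, collecting
    every network linked to a visited router or routed onward from one."""
    seen, todo, reach = set(), deque([entry]), []
    while todo:
        router = todo.popleft()
        if router in seen:
            continue
        seen.add(router)
        reach.extend(links.get(router, []))
        for net, gateway in nets.get(router, []):
            reach.append(net)
            todo.append(gateway)
    return reach

def unreachable_binds(text):
    """Names of templates bound to an address no route from the entry covers."""
    entry, links, nets, binds = parse_routes(text)
    reach = reachable_networks(entry, links, nets)
    return [name for addr, name in binds if not any(addr in net for net in reach)]
```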

Router side: set the destination as the network to reach, and the gateway as the honeyd machine.

ID  Destination  Netmask    Gateway      Interface
1   10.0.0.0     255.0.0.0  192.168.1.2

Run the honeyd with this command:

#honeyd -df config.localhost -p nmap.prints -x xprobe2.conf -a nmap.assoc -l /var/log/honeyd -i eth0 10.0.0.0/8
Honeyd V1.5b Copyright (c) 2002-2004 Niels Provos
honeyd[7232]: started with -df config.localhost -p nmap.prints -x xprobe2.conf -a nmap.assoc -l /var/log/honeyd -i eth0 10.0.0.0/8
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[7232]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (net 10.0.0.0/8))) and not ether src 00:17:31:b6:9a:a1
honeyd[7232]: Running with root privileges.

Error while loading shared libraries

March 23, 2007 by jsliw

After installing nmap (a free open source utility for network exploration or security auditing), I get this error:

nmap: error while loading shared libraries: libpcre.so.0: cannot open shared object file: No such file or directory

Nmap failed to load libpcre.so.0; I found that it is available in /usr/local/lib. So I am going to copy it into /usr/lib.

#updatedb

#locate libpcre.so.0

#cp /usr/local/lib/libpcre.so.0 /usr/lib

#nmap localhost

Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-23 22:13 MYT
Interesting ports on localhost (127.0.0.1):
Not shown: 1696 closed ports
PORT STATE SERVICE
631/tcp open ipp

Nmap finished: 1 IP address (1 host up) scanned in 0.247 seconds

Nmap working properly.

Adding startup script on Linux

March 13, 2007 by jsliw

This can be done by adding the command to /etc/rc.local.

#su

#gedit /etc/rc.local

In my case, I need to enable IP forwarding after the PC router boots up.

So I add the command to /etc/rc.local.

#echo 1 > /proc/sys/net/ipv4/ip_forward

Save the /etc/rc.local.

You can run #/etc/rc.local start to test the command.

Internetworking – PC router

March 8, 2007 by jsliw

Hardware required:

CPU : PII or better
NICs: 2 or more (depends on your needs)

We are using Ubuntu 5.10 as the PC router platform, with iptables for the NAT and routing configuration.

Check that iptables is installed or up to date: apt-get install iptables.

Before editing the iptables rules, configure the IP addresses on the NICs.

In my case, eth0 is the external NIC, connected to the DHCP server in the lab.

eth1 is the internal NIC, connected to the internal LAN.

#iptables -F; iptables -t nat -F -- flush all the rules in the filter and nat tables (-F without -t only touches the filter table).

IP masquerading:

#iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

IP forwarding:

#iptables --append FORWARD --in-interface eth1 -j ACCEPT

Forward packets by kernel:

#echo 1 > /proc/sys/net/ipv4/ip_forward

On the client side, connect the PC to the PC router using a crossover cable. The gateway points to the eth1 address on the PC router.

Test the connection: #ping <gateway address>

#ping google.com

Done, if you get a response!

Check the routing tables on each side:

#netstat -rn

Some iptables command:

#iptables-save > <file> -- export the iptables rules.

#iptables-restore < <file> -- import the iptables rules.

All the rules created with the iptables command are kept in memory; when the system reboots, all the rules will be lost.

#/sbin/service iptables save

This executes the iptables init script, which runs the /sbin/iptables-save program and writes the current iptables configuration to /etc/sysconfig/iptables. The existing /etc/sysconfig/iptables file is saved as /etc/sysconfig/iptables.save. The next time the system boots, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command. For Ubuntu, the iptables configuration is saved as /etc/iptables.up.rules.

Topology1


Install honeycomb

March 3, 2007 by jsliw

Honeycomb is a system that creates signatures for network intrusion detection systems on traffic going in and out of a honeyd honeypot in real-time. It uses protocol analysis and longest-common substring detection techniques to recognize traffic patterns. The signatures can be reported in various formats; currently only a pseudo-Snort output is supported (pseudo because Snort doesn't support lists of port numbers — shame on you). In the near future Bro will be the suggested signature output mode as it's much more flexible. To use Honeycomb, you need at least version 0.5c of honeyd. Steps to get Honeycomb running:

- Make sure you have an existing installation of honeyd.

- Make sure you have libstree installed, available at http://www.cl.cam.ac.uk/~cpk25/libstree-0.2.0.tar.gz. This is the library that contains the string handling algorithms necessary to build Honeycomb.

- Build the Honeycomb plugin library, using the usual ./configure [options]; make; make install approach. Look at ./configure --help for options; --enable-debugging in particular may be helpful.

- After installation, rebuild honeyd, including honeycomb in the list of plugins (i.e., pass --with-plugins=honeycomb,.. plus any other honeyd plugins to honeyd's configure script).

- Configure Honeycomb: look at the options in honeyd.cnf that come with the Honeycomb package. Add these options to your honeyd configuration file and adjust them as you see fit.

- That's basically it; if you've built Honeycomb with --enable-debugging you should see a line like the following when honeyd starts up: honeycomb.c/72: Initializing Honeycomb <version>

- Signatures are reported periodically; check the file that you have configured the signatures to be dumped to. By default, this file is /tmp/honeycomb.log.
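The longest-common-substring step described above, together with the tcp_pattern_minlen and tcp_max_msg_size options from the Honeycomb configuration in the "Running Honeycomb" post, as an added Python illustration (not Honeycomb's or libstree's code): a new inbound payload is compared with the stored payloads for the same port, and the longest shared substring becomes a pseudo-Snort content match if it is at least minlen bytes. The two payloads are constructed; real Honeycomb also combines this with the protocol analysis mentioned above.

```python
from itertools import groupby

# Constructed inbound payloads for two flows to the honeypot's port 80; the
# shared request tail is the kind of recurring pattern Honeycomb would extract.
FLOW_A = b"GET /index.html HTTP/1.0\r\nUser-Agent: ProbeKit/2.1\r\n\r\n"
FLOW_B = b"GET /admin HTTP/1.0\r\nUser-Agent: ProbeKit/2.1\r\n\r\n"

def longest_common_substring(a, b):
    """Dynamic-programming LCS over bytes. libstree reaches the same answer with
    suffix trees; the O(len(a)*len(b)) table is used here for clarity."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def snort_content(pattern):
    """Render bytes as a Snort content string, hex-escaping anything that is not
    plain printable ASCII (and the characters Snort itself reserves)."""
    def plain(c):
        return 32 <= c < 127 and c not in b'|";\\'
    out = []
    for is_plain, group in groupby(pattern, key=plain):
        chunk = bytes(group)
        out.append(chunk.decode() if is_plain else "|" + chunk.hex(" ").upper() + "|")
    return "".join(out)

def make_signature(new_payload, history, dport, minlen=5, max_msg_size=5000):
    """Honeycomb-style check: compare a fresh inbound payload against the stored
    payloads seen on the same port, keep the longest shared substring, and emit
    a pseudo-Snort rule only if it reaches minlen (cf. tcp_pattern_minlen).
    max_msg_size caps what is compared, like tcp_max_msg_size."""
    new_payload = new_payload[:max_msg_size]
    best = b""
    for old in history:
        lcs = longest_common_substring(new_payload, old[:max_msg_size])
        if len(lcs) > len(best):
            best = lcs
    if len(best) < minlen:
        return None
    return (f'alert tcp any any -> any {dport} (msg:"Honeycomb-style pattern"; '
            f'content:"{snort_content(best)}";)')
```

Raising minlen is the knob that keeps short, meaningless overlaps (a bare "GET /" between any two web requests) from turning into signatures, which is why the shipped config sets tcp_pattern_minlen to 5 rather than 1.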

Install honeyd-1.5b

March 2, 2007 by jsliw

Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running certain versions of operating systems. Honeyd enables a single host to claim multiple addresses - I have tested up to 65536 - on a LAN for network simulation.

It is possible to ping the virtual machines, or to traceroute them. Any type of service on the virtual machine can be simulated according to a simple configuration file. Instead of simulating a service, it is also possible to proxy it to another machine.

Installation:
————-

Honeyd depends on several libraries:

- libevent – event notification
- libdnet – packet creation
- libpcap – packet sniffing
- libdnsres – non-blocking DNS resolver
- libpcre – perl regular expression library

Make sure that you have them installed.

Besides that, I had installed:

flex – A fast lexical analyzer generator

tcc – ANSI-C compiler

zlib – compression library provides in-memory compression and decompression functions

For the regression framework to run, you need to install the Python
module for libdnet. You might need Python 2.4 for the best results.

To build honeyd, run the following commands:

$ ./configure
$ make
$ make install

Linux != Windows

February 4, 2007 by jsliw

Linux not an alternative for Windows, but a choice!

Do you agree?