README

Honeytrap is a network security tool written to observe attacks
against TCP or UDP services. It runs as a daemon and starts server
processes dynamically on requested ports. A server emulates a
well-known service by simply sending captured network traffic to
a connected host.

Many clients and particularly attackers will be fooled and send
responses to a honeytrap server process. The arriving data is
assembled into a string and written to a database file. Such a
string is called an attack string.

Honeytrap can parse an attack string for commands advising the
server to download a file from another host. If a download command
is found, the server tries to retrieve the corresponding file
automatically. A downloaded file is stored locally with an MD5
checksum in its name. Currently, only FTP and TFTP are supported.
Honeytrap implements its own clients with the aim of behaving as
similarly as possible to Windows systems. HTTP URIs are recognized
and logged. An HTTP download routine may be added in future
releases.

INSTALLATION

Installation of honeytrap is pretty straightforward. Just run
'./configure --with-stream-mon=<type> && make && make install',
where '<type>' is the connection monitor type of your choice.
Please refer to the INSTALL file and to the output of
'./configure --help' for further information.

WARNINGS

Honeytrap is a low-interaction honeypot and therefore detectable.
It is written in C and thus potentially vulnerable to buffer
overflow attacks. Take care. Running in mirror mode is dangerous:
attacks may be directed back to the attacker, appearing to come
from your system. Use with caution.

The program needs root privileges, but only for binding server
processes to well-known ports. Use the -u and -g command line
options to drop privileges and switch to another user and group
as early as possible.

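The sequence the paragraph above recommends, bind the well-known port
while still root and then switch to an unprivileged user and group, as an
added example in C. It is not honeytrap's own code: open_listener,
drop_privileges, the "nobody"/"nogroup" defaults and port 80 are this
example's assumptions, standing in for whatever -u and -g select.

```c
/* Added example (not honeytrap code): bind a privileged port, then drop
 * privileges in the one order that cannot be undone: supplementary groups
 * first, then the primary group, then the user id. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>

/* Open and bind a TCP listener; ports below 1024 need root. Returns fd or -1. */
int open_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently switch to uid/gid. Returns 0 on success, -1 (errno set) on
 * failure. Every call is checked: an unchecked, silently failed setuid()
 * is the classic way a daemon keeps running as root without noticing. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) /* clear supplementary groups */
        return -1;
    if (setgid(gid) != 0)                          /* group first: impossible after setuid() */
        return -1;
    if (setuid(uid) != 0)                          /* sets real, effective and saved uid */
        return -1;
    /* Verify the drop is irreversible: regaining root must now fail. */
    if (uid != 0 && (setuid(0) == 0 || geteuid() == 0)) {
        errno = EPERM;
        return -1;
    }
    return (getuid() == uid && getgid() == gid) ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* Analogue of "-u user -g group": names come from argv in this demo. */
    const char *user = argc > 1 ? argv[1] : "nobody";
    const char *group = argc > 2 ? argv[2] : "nogroup";

    int fd = open_listener(80);                    /* bind while still privileged */
    if (fd < 0) {
        perror("open_listener");
        return 1;
    }
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (!pw || !gr) {
        fprintf(stderr, "unknown user or group\n");
        return 1;
    }
    if (drop_privileges(pw->pw_uid, gr->gr_gid) != 0) {
        perror("drop_privileges");                 /* refuse to serve as root */
        return 1;
    }
    printf("listening on :80 as uid=%u gid=%u\n",
           (unsigned)getuid(), (unsigned)getgid());
    close(fd);
    return 0;
}
```

The listening socket stays usable after the switch because the port was
bound before it, which is exactly why root is only needed "for binding
server processes to well-known ports". Calling setuid() rather than
seteuid() makes the change permanent, and the final setuid(0) probe turns
a misconfigured drop into a hard failure instead of a silent root daemon.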
CONTACT

If you have problems, questions, ideas or suggestions, please
contact me at <tillmann.werner@gmx.de>. If you would like to help
make honeytrap better, you are welcome.