nepenthes
- module-honeytrap added
the module is some kind of fallback for unknown services/unrecognized bindshells
currently pcap and libipq can be used to check the raw traffic for packets to unbound ports,
ipq is better as one can bind the port, and after binding the port, acknowledge the packet, so we get the first connection established
to back it up, the line used to put the syn packets to the QUEUE is
iptables -A INPUT -p tcp --syn -m state --state NEW --destination-port ! 22 -j QUEUE
pcap has to listen for RST packets, and once an RST packet is caught, it can open the port; that means we won't be able to accept the first connection.
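Added example (not nepenthes code) of the decision the libipq path makes for each queued SYN: parse the raw packet, bind a listener on the still-unbound port, then hand back the ACCEPT verdict so that same SYN reaches the new listener and the first connection is established. The libipq read/verdict loop itself (root, the QUEUE rule above) is replaced by a function that takes raw IPv4 packet bytes; the reserved-port set, the port numbers and the sample packet are constructed here.

```python
import socket
import struct

SYN = 0x02  # TCP flag bit

def parse_ipv4_tcp(packet):
    """Return (dst_port, tcp_flags) for a raw IPv4/TCP packet, None if not TCP."""
    if packet[9] != 6:  # IPv4 protocol field, 6 = TCP
        return None
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    _sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    return dport, off_flags & 0x1FF

def build_syn(sport, dport):
    """Constructed sample: minimal IPv4 + TCP SYN, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton("10.0.0.2"), socket.inet_aton("10.0.0.1"))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | SYN, 8192, 0, 0)
    return ip + tcp

class HoneytrapQueue:
    """Decision made per queued SYN: ports served elsewhere (22 in the iptables
    rule) are left alone; any other unbound port gets a listener before ACCEPT."""
    def __init__(self, reserved_ports):
        self.reserved = set(reserved_ports)
        self.listeners = {}  # dport -> listening socket (constructed bookkeeping)

    def verdict(self, packet):
        """Return (verdict, opened_now); the SYN is always passed on to the stack."""
        parsed = parse_ipv4_tcp(packet)
        if parsed is None:
            return "ACCEPT", False
        dport, flags = parsed
        if not flags & SYN or dport in self.reserved or dport in self.listeners:
            return "ACCEPT", False
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("127.0.0.1", dport))  # bind first, so the accepted SYN finds a listener
        s.listen(5)
        self.listeners[dport] = s
        return "ACCEPT", True

def accept_first_connection(q, dport):
    """The point of the ipq approach: a connect right after the verdict is accepted."""
    client = socket.create_connection(("127.0.0.1", dport))
    conn, peer = q.listeners[dport].accept()
    ok = peer == client.getsockname()
    conn.close()
    client.close()
    return ok
```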
fresh code, it works for me; the automake library checks for libipq, libpcap and libnet are todo
idea is taken from honeytrap.sf.net by Werner Tillmann
for now we don't support the mirror mode honeytrap itself offers