Honeyd Frequently Asked Questions

Here are some frequently encountered problems and questions when running Honeyd. Parts of this FAQ have been contributed by Shaheem Motlekar.

What is Honeyd?

Honeyd is a small daemon that runs both on UNIX-like and Windows platforms. It is used to create multiple virtual honeypots on a single machine. Entire networks can be simulated using honeyd. Honeyd can be configured to run a range of services like FTP, HTTP, or SMTP. Furthermore, a personality can be configured to simulate a certain operating system. Honeyd allows a single host to claim as many as 65536 IP addresses.

Is there a list of all operating systems I can emulate with Honeyd?

Honeyd emulates operating systems by responding with appropriate packets to Nmap and Xprobe fingerprinting packets. Thus the list of operating systems that honeyd emulates can be found in nmap.prints and xprobe2.conf.

Where can I get more scripts to emulate services in Honeyd?

Scripts are used in Honeyd to simulate a particular service like telnet, http and smtp. Honeyd comes with scripts for a set of default services. To simulate other services, people from the security community have contributed additional scripts, including ones for telnet, pop and IIS among others.

These scripts can be downloaded from the following website:

Where can I get sample configuration templates for Honeyd?

Configuration templates provide a quick way to get your Honeyd up and running. Sample configuration templates can be found at

What's the fastest way to get up and running with Honeyd?

For Linux, you could use the precompiled version of Honeyd available as toolkit from http://www.tracking-hackers.com/solutions/honeyd/. It contains a collection of scripts and ready to use templates that you can customize to your needs.

What do I do if configure fails when checking for addr_cmp in libdnet?

Make sure that you have the latest version of libdnet. After installing libdnet you might have to run
# ldconfig -m /usr/local/lib
to update your list of shared libraries. Also, make sure that /usr/local/lib has been added to /etc/ld.so.conf.

Why do I get errors when compiling Honeyd?

Some people do not have Python development libraries installed and the compilation of pyextend.c fails. Try running configure as follows:
$ ./configure --without-python

Sometimes autoconf generates the following errors.

$ make
cd . && aclocal
cd . && automake --foreign Makefile
cd . && autoconf
autoconf: Undefined macros:
configure.in:145:AC_FUNC_FORK
configure.in:147:AC_FUNC_MALLOC
configure.in:177:AC_CONFIG_FILES([Makefile])
configure.in:3:AC_CONFIG_SRCDIR(honeyd.c)
make: *** [configure] Error 1

To fix this you need to install a newer version of autoconf. I do not know why automake causes everything to be regenerated.

Why does Honeyd not know any personalities?

When starting honeyd on the sample configuration file, you get the following error:
config.sample:2: Unknown personality "AIX 4.0 - 4.2"
config.sample:4: Unknown personality "AIX 4.0 - 4.2"
honeyd: parsing configuration file failed
This means that you did not specify the correct name of the Fingerprint in your configuration file. You should check the Fingerprint: line in the Nmap database and make sure that Honeyd's configuration matches that name precisely. To get a list of fingerprints, execute the following command:
grep "^Fingerprint" nmap.prints | more

It is also possible that you did not install the nmap fingerprint database. In that case, you need to specify a fingerprint file on the command line. Start honeyd like this:

./honeyd -d -p nmap.prints -f config.sample -i fxp0

Is there a Windows version of Honeyd?

Honeyd 0.5 has been ported to Windows by Mike Davis. See also, Why does Honeyd 0.5 running on Windows fail to detect the network interface?.

Honeyd does not seem to answer to any packets. What is going wrong?

Honeyd does not intercept any network traffic. It is your responsibility to direct network traffic towards the Honeyd machine.

There are three different methods to direct traffic to Honeyd:

  • Add a route on your router that directs parts of your network to Honeyd.
  • Use proxy-arp so that your host answers ARP requests for IP addresses that Honeyd should control.
  • Use arpd to get Honeyd to respond to all unused IP addresses on your network. This often causes DHCP to stop working.

How do I test Honeyd without a network?

Since Honeyd 0.4, it is possible to interact with Honeyd over the software loopback network interface.

Use config.localhost, and type the following commands to start Honeyd:

$ route -n add -net 10.0.0.0/8 127.0.0.1
$ ./honeyd -d -p nmap.prints -f config.localhost -i lo0 10.0.0.0/8
Now, it is possible to use commands like
$ traceroute -n 10.3.0.10
or nmap, etc.

On a Linux system, the route command might have to look like:

$ route -n add -net 10.0.0.0/8 lo0

Is it possible to run Honeyd on an existing IP address?

Honeyd normally requires its own IP address space. If only one IP address is available on a dial-up modem or DSL line, it is still possible to use Honeyd for certain ports by enabling NAT.

Use your NAT (iptables, ipf, pf, etc.) to forward traffic to a Honeyd machine running behind the NAT on a private IP address space. The traffic is forwarded by port redirection, i.e. a port for the one existing IP address is redirected to the virtual IP address of a Honeyd host and a corresponding port on that virtual machine.

How do I use Honeyd's networking features?

For sample configurations, you can check out http://www.honeyd.org/configuration.php. A tutorial for using Honeyd to simulate routers and virtual networks is available at http://www.paladion.net/papers/simulating_networks_with_honeyd.pdf.

How do I interpret the fields in Honeyd's packet log?

The -l option in Honeyd creates a flow log of all connections and packets seen by Honeyd. Example entries look like this:
2004-01-07-14:36:58.7132 tcp(6) - 252.214.169.203 2064 192.168.27.180 21: 48 S [MacOS 8.0-8.6 OTTCP]
2004-01-07-15:26:40.0209 tcp(6) - 244.233.22.102 61891 172.162.8.180 21: 60 S [FreeBSD 5.0-5.1 ]
2004-01-07-16:48:30.1212 tcp(6) S 192.168.21.135 33395 172.162.8.91 80 [Linux 2.6 ]
2004-01-07-16:48:41.4929 tcp(6) S 10.173.240.67 22110 192.168.14.178 81 [Windows XP SP1]
  • The first field contains the time that the event happened in sub-second resolution.
  • The second field lists the protocol, for example tcp, udp, or icmp.
  • The third field may either be S which indicates the start of a new connection, E the end of a connection or - if a packet does not belong to any connection. For E, Honeyd logs the amount of data received and sent at the end of the line.
  • The next four fields represent the connection four tuple: <src ip, src port, dst ip, dst port>.
  • For TCP packets that are not part of a connection, Honeyd logs the packet size and TCP flags after the colon.
  • Comments like operating system identification via passive fingerprinting are appended to the end of the line.

How do I make Honeyd listen to network traffic on specified interfaces?

All you need to do is run Honeyd with a config file and specify the interfaces on which Honeyd should listen, for example
./honeyd -f honeyd.conf -i eth1 -i eth2

Why does Honeyd terminate with "bad interface configuration: not IP?"

Honeyd analyzes the address type of its listening interface. If no IP address has been assigned to the interface, it will generate the error message: bad interface configuration: not IP.

Assign an IP address to the interface to solve this problem.

Why do I receive warnings about 'Impossible SI range in Class fingerprint' when running Honeyd?

These warnings result from inconsistent entries in Nmap's fingerprint database. It is possible that the TCP Sequence number generator and the corresponding numerical ranges in the Fingerprint do not agree.

It is safe to ignore these warnings.

Why does Honeyd 0.5 running on Windows fail to detect the network interface?

Some people have been getting the following warning when running Honeyd 0.5 on Windows:
intf_get: no such device or address
This problem might result from running VMware and can be resolved by downloading a new zip file of Honeyd 0.5-win32. The Windows port of Honeyd 0.5 was done by Mike Davis.

I think that I have installed the latest version of autoconf. Which version do I need?

You need at least the following version:
$ autoconf --version
autoconf (GNU Autoconf) 2.52
Written by David J. MacKenzie.
Future releases of honeyd will hopefully work again with the older version of autoconf.

When compiling Honeyd under Solaris, I get duplicated symbols. What do I need to do?

Sometimes, libpcap seems to be linked with exported yacc symbols:
gcc  -Wall -g  -o honeyd  honeyd.o command.o parse.o lex.o config.o
personality.o util.o ipfrag.o router.o tcp.o udp.o -L/usr/local/lib -levent
-L/usr/local/lib -lpcap -L/usr/local/lib -ldnet
parse.o: Definition of symbol `_yylhs' (multiply defined)
parse.o: Definition of symbol `_yylen' (multiply defined)
Recompiling pcap with bison instead of yacc seems to solve this problem. This problem has been solved in recent Honeyd releases.


If your question is not answered here, please let me know.