1HONEYD(8)                 BSD System Manager's Manual                HONEYD(8)
2

NAME

4     honeyd — Honeypot Daemon
5

SYNOPSIS

7     honeyd [-dP] [-l logfile] [-s servicelog] [-p fingerprints] [-0 p0f-file]
8            [-x xprobe] [-a assoc] [-f file] [-i interface] [-u uid] [-g gid]
9            [-c host:port:username:password] [--webserver-address address]
10            [--webserver-port port] [--webserver-root path]
11            [--rrdtool-path path] [--disable-webserver] [--disable-update]
12            [--verify-config] [--fix-webserver-permissions] [-V|--version]
13            [-h|--help] [--include-dir] [--data-dir] [net ...]
14

DESCRIPTION

16     Honeyd creates virtual hosts for IP addresses matching the specified net.
17     The daemon simulates the networking stack of the configured hosts and can
18     simulate any TCP and UDP service.  ICMP is fully supported, too. By
19     default, all UDP ports are closed and honeyd will generate an ICMP
20     unreachable port message if the configured personality permits that.
21
22     Honeyd enables a single host to claim unused addresses on a LAN for net‐
23     work simulation.  The net argument may contain multiple addresses and
24     network ranges.  For configured templates (see below) to work all the
25     configured addreses need to be included in net.  Notice that honeyd will
26     answer to ICMP requests for all addresses defined in net if there is no
27     configured specific host or default template.
28
29     In order for honeyd to receive network traffic for IP addresses that it
30     should simulate, it is necessary to either explicitly route traffic to
31     it, use proxy arp or run arpd(8) for unassigned IP addresses on a shared
32     network.  By assigning an ethernet address to a template via
33
34       set template ethernet "<vendor|mac address>"
35
36     it is possible to integrate virtual honeypots into a production network
37     without running arpd(8).  Futhermore, Honeyd supports acquiring IP
38     addresses via DHCP.  You can ask a template to be assigned to a DHCP IP
39     address via
40
41       dhcp template on fxp0 [ethernet "<vendor|mac address>"]
42
43     Honeyd exits on an interrupt or termination signal and rotates logfiles
44     on SIGUSR1.
45
46     The options are as follows:
47
48     -d      Do not daemonize, and enable verbose debugging messages.
49
50     -P      On some operating systems, it is not possible to get event noti‐
51             fications for pcap via select(2).  In that case, honeyd needs to
52             run in polling mode.  This flag enables polling.
53
54     -l logfile
55             Log packets and connections to the logfile specified by logfile.
56
57     -s servicelog
58             Logs information from service scripts to the log file specified
59             by servicelog.
60
61     -p fingerprints
62             Read nmap style fingerprints.  The names defined after the token
63             are stored as personalities.  The personalities can be used in
64             the configuration file to modify the behaviour of the simulated
65             TCP stack.
66
67     -x xprobe
68             Read xprobe style fingerprints.  This file determines how honeyd
69             reacts to ICMP fingerprinting tools.
70
71     -a assoc
72             Read the file that associates nmap style fingerprints with xprobe
73             style fingerprints.
74
75     -0 p0f-file
76             Read the database for passive fingerprinting.  The names of the
77             operating systems specified in this file are recognized by
78             Honeyd's parser and can be used for dynamic templates.
79
80     -u uid  Set the UID that Honeyd is running as.
81
82     -g gid  Set the GID that Honeyd is running as.
83
84     -f file
85             Read the configuration in file.  It is possible to create host
86             templates with the configuration file that specify which servers
87             should run and which scripts should be started to simulate them.
88             honeyd will reread the configuration file when sent a SIGHUP sig‐
89             nal.
90
91             The syntax is as follows:
92
93             config  = creation | addition | delete | binding | set |
94                       annotate | route [config] | option
95             creation= "create" template-name | "create" "default" |
96               "dynamic" template-name
97             addition= "add" template-name proto "port" port-number action |
98               "add" template-name "subsystem" cmd-string ["shared"] |
99               "add" template-name "use" template-name "if" condition
100             delete= "delete" template-name |
101               "delete" template-name proto "port" port-number
102             binding = "bind" ip-address template-name |
103               "bind" condition ip-address template-name |
104               "bind" ip-address "to" interface-name |
105               "dhcp" template-name "on" interface-name ["ethernet" cmd-string] |
106               "clone" template-name template-name
107             set     = "set" template-name "default" proto "action" action |
108               "set" template-name "personality" personality-name |
109               "set" template-name "personality" "random"
110               "set" template-name "ethernet" cmd-string
111               "set" template-name "uptime" seconds
112               "set" template-name "droprate" "in" percent
113               "set" template-name "uid" number ["gid" number]
114               "set" template-name "spoof" ["from" ip-address] ["to" ip-address]
115               "set" template-name "maxfds" number
116               "set" ip-address "uptime" seconds
117             annotate= "annotate" personality-name [no] finscan |
118               "annotate" personality-name "fragment" ("drop" | "old" | "new")
119             route   = "route" "entry" ipaddr |
120               "route" "entry" ipaddr "network" ipnetwork |
121               "route" ipaddr "link" ipnetwork |
122               "route" ipaddr "unreach" ipnetwork |
123               "route" ipaddr "add" "net" ipnetwork \
124                              "tunnel" ipaddr(src) ipaddr(dst) |
125               "route" ipaddr "add" "net" ipnetwork ipaddr \
126                             ["latency" number"ms"] ["loss" percent] \
127                             ["bandwidth" number["Mbps"|"Kbps"] \
128                             ["drop" "between" number "ms" "-" number "ms" ]
129             proto   = "tcp" | "udp" | "icmp"
130             action  = ["tarpit"] ("block" | "open" | "reset" | cmd-string | \
131               "internal" cmd-string \
132               "proxy" ipaddr":"port )
133             condition = "source os =" cmd-string |
134               "source ip =" ipaddr | "source ip =" ipnetwork |
135               "time " timecondition | "proto" protocol | "otherwise"
136             timecondition = "between" time "-" time
137             option  = "option" plugin option value
138
139             The cmd-string and the personality-name are arbitrary strings
140             enclosed with quotation marks.  Variable expansion on the tokens
141             $ipsrc, $ipdst, $sport, $dport and $date is performed when exe‐
142             cuting the command string or when resolving the proxy address.
143             Additionally, the environment variables HONEYD_IP_SRC,
144             HONEYD_IP_DST, HONEYD_DST_PORT, HONEYD_SRC_PORT,
145             HONEYD_PERSONALITY and HONEYD_REMOTE_OS are available, too.
146
147             If the internal key word is use, honeyd interprets the command
148             string as Python module.  These modules are executed within
149             honeyd without forking a new process.  As a result, internal
150             scripts are very fast and cheap to execute.
151
152             The special keyword tarpit is used to slow down the progress of a
153             TCP connection.  This is used to hold network resources of the
154             connecting computer.
155
156             If an IP address is not bound to a template, the actions speci‐
157             fied in the default template are executed.
158
159             Personalities need to be annotated before they are assigned to a
160             template or an IP address.
161
162             The default fragment policy is to accept fragment and resolve
163             overlaps in favor of old data.  If the personality returns TCP
164             timestamps, the default uptime is a randomly chosen between zero
165             and twenty days.
166
167             The special include directive may be used to include other con‐
168             figuration files, for example to keep all personality annotations
169             separate from the main configuration file.
170
171             All honeyd plugins can be configured via the configuration file.
172             Each configuration option goes in one line, indicated by the
173             option keyword.  It is followed by three items: the name of the
174             plugin, the name of the configuration option, and a value.  The
175             value can be either an integer, a float, or a character string.
176             The options are picked up when honeyd reads the configuration
177             file and can then be queried by the plugins.
178
179     -i interface
180             Listen on interface.  It is possible to specify multiple inter‐
181             faces.
182
183     -c hostname:port:username:password
184             Using this flag, Honeyd functions as a traffic statistic collec‐
185             tor.  Collected statistics get propagated upstream to an aggrega‐
186             tor running at the specified hostname and port.  The username and
187             password is used to create a signature on the data packet that
188             can be used to verify the integrity of the data.  The statistics
189             can be used to automatically detect anomalies like worm propaga‐
190             tion.
191
192     --webserver-address address
193             Specifies the address on which the web server should listen.  By
194             default, this is 127.0.0.1 so that only local requests are
195             served.  By specifying 0.0.0.0, the webserver is going to answer
196             to external requests, too.
197
198     --webserver-port port
199             Specifies the port on which the web server should listen.
200
201     --webserver-root path
202             The path to the document tree of the webserver.  This is usually
203             {prefix}/shared/honeyd/webserver/htdocs/.
204
205     --rrdtool-path path
206             Specifies the path for rrdtool(1).  Without rrdtool no traffic
207             graphs can be generated.
208
209     --disable-webserver
210             Disables the builtin webserver.
211
212     --disable-update
213             Prevents Honeyd from checking if there are any security problems
214             with the current version of the application.
215
216     --verify-config
217             Verifies that Honeyd can parse the configuration correctly.  This
218             does not require any special permissions, although some configu‐
219             rations that require direct access to interfaces might fail to
220             validate.
221
222     --fix-webserver-permissions
223             Changes the ownership of the web server files to the user, Honeyd
224             is going to run as.
225
226     -V|--version
227             Print version information and exit.
228
229     -h|--help
230             Print summary of command line options and exit.
231
232     --include-dir
233             For plugin development.  Reports the directory in which honeyd
234             stores its header files.
235
236     --data-dir
237             Reports the directory in which honeyd stores data files like
238             Python modules.
239
240     net     The IP address or network (specified in CIDR notation) or IP
241             address ranges to claim (e.g. ``10.0.0.3'', ``10.0.0.0/16'' or
242             ``10.0.0.5-10.0.0.15'').  If unspecified, honeyd will attempt to
243             claim any IP address it sees traffic for.
244

ROUTING TOPOLOGY

246     honeyd supports the creation of a complete network topology including
247     routing.  In order to enable the simulation of a network topology, a
248     router entry point has to be configured with
249
250       route entry <IP address>
251
252     By adding a network to a router entry point, honeyd is told about the
253     network addresses this entry point is responsible for.  This enables mul‐
254     tiple entry points into the routing topology.
255
256     Every route add net directive creates the specified gateway as a new
257     router.  In the case of tunneling, no new router is created, instead
258     packets are gre(4) encapsulated and sent to the tunnel destination
259     address.  It is assumed that the tunnel destination address routes the
260     encapsulated packets to a honeyd machine.
261
262     The virtual machines that can be directly accessed by a router are
263     defined as network range in the route link command.
264
265     A link may carry attributes like latency, loss, and bandwidth.  The
266     latency specifies a constant delay for packets travelling across the
267     link.  The bandwidth on the other hand tracks the bandwidth related queu‐
268     ing delay for each link.  If a packet is still being transmitted on the
269     link then the queue delay for another packet is the propagating delay
270     depending on the bandwidth plus the time for the previous packet to clear
271     the link.
272
273     Unless the link is configured to drop packets between a configurable
274     delay threshold, Honeyd currently assumes infinite buffer space, so use
275     this option with care.
276
277     An address space can be made unrouteable via the route unreach command.
278
279     The router entry point is the first address that inspects a packet.  The
280     packet follows a path defined by the network topology until the current
281     router has the destination IP address on its local network.
282
283     It is possible to integrate real machines into the routing topology.
284     honeyd takes care of ARP requests and replies and encapsulates packets
285     that go to external machines into ethernet packets.
286
287     External machines can be configured with the following command:
288
289       bind <IP address> to <interface name>
290

SUBSYSTEM VIRTUALIZATION

292     Subsystem virtualization allows you to run regular network applications
293     under a virtual IP address controlled by honeyd.  The application's net‐
294     work calls are intercepted and virtualized to the honeypot that they are
295     configured to.  As a result, all network calls that subsytem applications
296     make appear to originate from the virtual IP address of a honeypot.  This
297     includes binding ports, accepting and initiating UDP and TCP connections.
298     Raw sockets are not supported.
299
300     Subsystem are configured as follows
301
302         set template subsystem "/usr/sbin/httpd"
303
304     and are started as a separate process for every bound template.  Applica‐
305     tions started as a honeyd subsystem need to be dynamically linked in
306     order to work under Honeyd.
307
308     It is possible to shared subsystems across different addresses if they
309     are created with the shared flag.  This allows a subsystem to bind to
310     several virtual IP addresses and may also be used to increase the perfor‐
311     mance of subsystems across addresses.
312

DYNAMIC TEMPLATES

314     Dynamic templates give Honeyd the ability to change networking behavior
315     based on several different conditions:
316
317     source address     The source address of the network connection deter‐
318                        mines which template is going to be used.
319
320     operating system   The operating system as determined by passive finger‐
321                        printing needs to be matched for the template to be
322                        activated.
323
324     time               The template is only being used between a certain time
325                        interval.  This allows Honeyd to simulate machines
326                        being turned on and off.
327
328     A dynamic template can be created with the following command:
329
330       dynamic magichost
331       add magichost use windowsxp if source os = windows
332       add magichost use linux if source ip = 192.168.0.0/16
333       add magichost use invisible if time between 12:00am - 5:00am
334       add magichost otherwise use default
335
336     As an alternative, it is possible to use a short cut in the bind command
337     to create dynamic templates:
338
339       bind source ip = 192.168.0.0/16 10.0.0.5 cisco
340       bind source ip = 10.0.0.0/8 10.0.0.5 juniper
341
342     In this example, the host on 10.0.0.5 behaves like a cisco router if it
343     is contacted from IP addresses in the 192.168 network.  If it is con‐
344     tacted from IP addresses in the 10 network, it behaves like a juniper
345     router.
346

MANAGEMENT CONSOLE

348     The honeydctl(1) command allows the dynamic configuration of Honeyd while
349     it is running; see honeydctl(1) for more information.
350

LOGGING

352     Honeyd has two different logging modes.  The syslog facility is used to
353     log connection establishment and termination including other relevant
354     packet events.  Most messages can be disabled when configuring
355     syslog.conf(5) to drop all messages for the LOG_DAEMON facility if the
356     log level is below LOG_NOTICE.
357
358     Services started by honeyd can cause the daemon to log data by sending
359     information to stderr.
360
361     The second way of logging network activity is by using the -l flag.  This
362     causes honeyd to log all received packets in a human readable format.
363     For UDP and TCP connections, honeyd logs the start and end of a flow
364     including the amount of data transfered.
365
366     For logging any other information, it is suggested to run a separate
367     intrusion detection system.
368

SCRIPTING WITH PYTHON

370     Honeyd supports internal service scripts that have been written in
371     Python.  To improve the performance of these services, Honeyd provides an
372     event-driven model.  The services need to indiciate when they are ready
373     to read and when they are ready to write data.  Honeyd keeps track of
374     state that is provided to the Python scripts on every invocation.
375
376     The folowing example uses a Python script to implement a simple echo
377     server:
378
379       import honeyd
380       import sys
381
382       def honeyd_init(data):
383         mydata = {}
384         honeyd.read_selector(honeyd.EVENT_ON)
385         return mydata
386
387       def honeyd_readdata(mydata, data):
388         honeyd.read_selector(honeyd.EVENT_ON)
389         honeyd.write_selector(honeyd.EVENT_ON)
390         mydata["write"] = data
391         return 0
392
393       def honeyd_writedata(mydata):
394         data = mydata["write"]
395         del mydata["write"]
396         return data
397
398       def honeyd_end(mydata):
399         del mydata
400         return 0
401

EXAMPLES

403     A sample configuration file looks as follows:
404
405     # Example of a simple host template and its binding
406     include annotations
407
408     # Set up the hosts
409     create template
410     set template personality "OpenBSD 2.6-2.7"
411     add template tcp port 80 "sh scripts/web.sh"
412     add template tcp port 22 "sh scripts/test.sh $ipsrc $dport"
413     add template udp port 53 proxy yournameserver:53
414     set template default tcp action reset
415     set template uid 32767 gid 32767
416
417     bind 10.11.69.2 template
418     set 10.11.69.2 uptime 1327650
419
420     A simple example of a routing topology:
421
422     route entry 10.0.0.1
423     route 10.0.0.1 link 10.2.0.0/24
424     route 10.0.0.1 add net 10.2.1.0/24 10.2.0.10 latency 10ms loss 3.4
425     route 10.2.0.10 link 10.2.1.0/24
426
427     For this topology to work the net value in the command line has to be
428     10.0.0.1 10.2.0.0/24 10.2.1.0/24.
429

FILES

431     /var/run/honeyd.pid                 The PID of the current daemon.
432
433     {prefix}/lib/honeyd/webserver/      Python modules and web server docu‐
434                                         ments used by the internal webserver.
435
436     {prefix}/lib/honeyd/libhoneyd.so    A shared library that can be pre‐
437                                         loaded to virtualize applications
438                                         within honeyd.
439
440     {prefix}/share/honeyd/nmap.assoc    An association file to match xprobe2
441                                         fingerprints against nmap.
442
443     {prefix}/share/honeyd/nmap.prints   Nmap fingerprints used by honeyd to
444                                         impersonate operating system stacks.
445
446     {prefix}/share/honeyd/xprobe2.conf  Xprobe fingerprints used by honeyd to
447                                         impersonsate the ICMP section of
448                                         operating system stacks.
449

SEE ALSO

451     honeydctl(1) arpd(8)
452

AUTHORS

454     Niels Provos ⟨provos@citi.umich.edu⟩
455
456                                 April 4, 2002
Impressum