Honeytrap

Honeytrap, written by Tillmann Werner, is a low-interaction malware-collection honeypot. Unlike the classic approach of emulating services or well-known vulnerabilities, Honeytrap reacts dynamically to incoming traffic and tricks the attacker into sending its complete payload. This dynamic server concept lets Honeytrap respond to most network traffic and even observe zero-day attacks.

Honeytrap offers several connection monitors that implement the dynamic server concept:

  1. A libpcap-based sniffer catches locally generated RST packets with a sequence number of zero. Such a packet indicates that the host rejected a connection request, so Honeytrap opens the source port of the RST packet to handle incoming requests on that port in the future.
  2. An ip_queue-based monitor hooks the ip_queue interface of iptables; an iptables rule delivers packets belonging to new connections to Honeytrap. This monitor has the advantage of catching the very first connection attempt.

The latter is not as stealthy as the former, because every connection request is entertained, whereas a libpcap-based connection monitor only entertains clients that persist and come back after their first attempt was rejected.
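To make the libpcap monitor's trigger concrete, here is an added example (not Honeytrap's own code) that parses a raw IPv4/TCP packet and applies the "locally generated RST with sequence number zero" test, returning the port that should be opened; the honeypot address 192.0.2.10 and the packets are constructed for illustration.

```python
# Added example (not Honeytrap's own code): the "locally generated RST with
# sequence number zero" test that the libpcap-based monitor relies on.
import socket
import struct

LOCAL_ADDRS = {"192.0.2.10"}   # constructed: the honeypot host's address(es)
TCP_RST, TCP_ACK = 0x04, 0x10

def parse_ipv4_tcp(pkt):
    """Parse an IPv4/TCP packet (link-layer header already stripped)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:          # protocol 6 = TCP
        return None
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x01FF}

def rejected_port(pkt, local_addrs=LOCAL_ADDRS):
    """Return the local port that just refused a connection, else None.

    A kernel answering a SYN on a closed port sends RST/ACK with SEQ=0
    (RFC 793). The sniffer keys on exactly that: a RST *from us* with
    sequence number zero means a port somebody wanted is closed and
    should be opened for the next attempt.
    """
    p = parse_ipv4_tcp(pkt)
    if p is None or p["src"] not in local_addrs:   # ignore foreign RSTs
        return None
    if not (p["flags"] & TCP_RST) or p["seq"] != 0:
        return None
    return p["sport"]

def build_tcp(src, dst, sport, dport, seq, ack, flags):
    """Build a minimal IPv4+TCP packet as constructed test input (checksums zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 512, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

if __name__ == "__main__":
    # Constructed scenario: 198.51.100.7 sent a SYN to our closed port 4444
    # and our kernel replied with RST/ACK, SEQ=0.
    rst = build_tcp("192.0.2.10", "198.51.100.7", 4444, 51000, 0, 1001, TCP_RST | TCP_ACK)
    print("port to open:", rejected_port(rst))          # port to open: 4444
```

With a real libpcap capture you would strip the 14-byte Ethernet header before calling rejected_port and filter on the local address set so that RSTs from other hosts are never treated as rejected ports.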

Installation

I installed my Honeytrap (on my virtual machine running CentOS 6.2) using the libpcap-based connection monitor as I favoured it more than the ip_queue connection monitor. Nonetheless, I will still show how to install a Honeytrap with the ip_queue connection monitor.

Firstly, get a copy of the tarball from SourceForge.

Resolve dependencies:

  • $ yum install ElectricFence
    Electric Fence guards against buffer overflow bugs, so you can operate Honeytrap more securely.
  • $ yum install libpcap-devel
    Needed if you are using the libpcap-based connection monitor.
  • $ yum install iptables-devel
    Needed if you are using the ip_queue connection monitor. You will also need to add the following rule to your iptables configuration:
    $ iptables -A INPUT -i [monitoring-interface] -p tcp --syn -m state --state NEW -j QUEUE

Install Honeytrap:

$ ./configure --with-stream-mon=[connection-monitor-type] --with-efence

$ make && sudo make install