Sunday, February 15, 2009

Installing honeyd 1.5c with honeycomb 0.7 on CentOS 5.2 by compiling from source

# install honeyd 1.5c
wget http://www.citi.umich.edu/u/provos/honeyd/honeyd-1.5c.tar.gz
tar -zxvf honeyd-1.5c.tar.gz
yum install pcre pcre-devel libpcap libpcap-devel
wget http://monkey.org/~provos/libevent-1.4.8-stable.tar.gz
tar -zxvf libevent-1.4.8-stable.tar.gz
yum install gcc
cd libevent-1.4.8-stable
./configure --prefix=/usr/local/libevent
make
make install
cd ..
# the ?download suffix would otherwise become part of the saved file name, so name the output explicitly
wget -O libdnet-1.11.tar.gz 'http://prdownloads.sourceforge.net/libdnet/libdnet-1.11.tar.gz?download'
tar -zxvf libdnet-1.11.tar.gz
cd libdnet-1.11
yum install gcc-c++
./configure --prefix=/usr/local/libdnet
make
make install
cd ..
cd honeyd-1.5c
yum install libtool readline-devel zlib-devel python-devel
./configure --prefix=/usr/local/honeyd --with-libevent=/usr/local/libevent --with-libdnet=/usr/local/libdnet --with-python
make
make install
cp -r scripts/ /usr/local/honeyd/
cd ..

# install honeycomb 0.7

wget http://www.icir.org/christian/downloads/honeycomb-0.7.tar.gz
wget http://www.icir.org/christian/downloads/libstree-0.4.2.tar.gz

# install libstree (prerequisite for honeycomb)
tar -zxvf libstree-0.4.2.tar.gz
cd libstree-0.4.2
./configure
make
make install
cd ..
tar -zxvf honeycomb-0.7.tar.gz
cd honeycomb-0.7
./configure --with-honeyd=/usr/local/honeyd/bin/honeyd --with-libdnet=/usr/local/libdnet/bin --with-libevent=/usr/local/libevent --enable-debugging
cp -R ../honeyd-1.5c honeyd/
make
make install
# reinstall honeyd 1.5c with honeycomb support
cd honeyd
./configure --prefix=/usr/local/honeyd --with-libevent=/usr/local/libevent --with-libdnet=/usr/local/libdnet --with-python --with-plugins=honeycomb
make clean
make
make install
ln -s /usr/local/lib/libhoneycomb.so /usr/lib/libhoneycomb.so
ln -s /usr/local/lib/libstree.so.0 /usr/lib/libstree.so.0
# honeyd demotes itself to uid/gid 99 (nobody) after start-up, so the web root must be
# readable and traversable by that user: directories 755, files 644. Do not use 766:
# it makes the tree world-writable and strips the execute bit directories need for
# traversal, which is what produces "require read access to .../webserver/htdocs/styles:
# Permission denied" at start-up.
find /usr/local/honeyd/share/honeyd/webserver -type d -exec chmod 755 {} +
find /usr/local/honeyd/share/honeyd/webserver -type f -exec chmod 644 {} +

For the honeycomb configuration, see:
# reference: http://jsfyp.wordpress.com/2007/03/27/running-honeycomb


cd ..
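The permission step above is the one that bites people most often (see the "Permission denied" start-up error discussed in the comments): honeyd serves its web root as uid 99, and a directory without the execute bit cannot be traversed by that user no matter how permissive the leaf directory is. The following is an added example, not part of the original post, that applies least-privilege permissions to a web root and reports every directory or file the unprivileged user still cannot reach. It assumes a `find` that accepts symbolic `-perm` modes (GNU and BSD both do) and builds a constructed stand-in tree so it runs without an installed honeyd:

```bash
#!/bin/sh
# Added example (not from the original post): set least-privilege permissions on
# honeyd's web root and verify that the unprivileged user honeyd drops to (uid 99,
# "nobody") can actually reach it. Assumes find(1) understands -perm -o+x.
#
# Why 766/777 on the leaf is not enough: every directory from the web root down
# needs o+x (traverse) and every file needs o+r. 766 grants "other" write but no
# execute, so nothing below the root can be opened; 777 on htdocs/styles alone
# still fails when a parent directory lacks the execute bit.

# Directories under $1 that "other" cannot traverse (missing o+x).
webroot_untraversable_dirs() {
    find "$1" -type d ! -perm -o+x
}

# Regular files under $1 that "other" cannot read (missing o+r).
webroot_unreadable_files() {
    find "$1" -type f ! -perm -o+r
}

# Number of remaining problems; 0 means an unprivileged honeyd can serve the tree.
webroot_problem_count() {
    { webroot_untraversable_dirs "$1"; webroot_unreadable_files "$1"; } | wc -l | tr -d ' '
}

# Least privilege instead of 766/777: directories 755, files 644, nothing world-writable.
webroot_fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed stand-in for /usr/local/honeyd/share/honeyd/webserver so the script
# runs offline. Reproduces the post's original chmod -R 766, then fixes it.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/htdocs/styles"
    echo 'body { color: black; }' > "$root/htdocs/styles/default.css"
    echo '<html>index</html>' > "$root/htdocs/index.html"
    chmod -R 766 "$root"                       # what the original procedure did
    before=$(webroot_problem_count "$root")    # 3: root, htdocs and styles lack o+x
    webroot_fix_perms "$root"
    after=$(webroot_problem_count "$root")     # 0
    rm -rf "$root"
    echo "problems before fix: $before, after fix: $after"
    [ "$after" -eq 0 ]
}
```

Run `webroot_problem_count /usr/local/honeyd/share/honeyd/webserver` after installing; any path it prints is one the demoted honeyd process will fail on. The checks look at mode bits rather than testing access as the current user, so they give the same answer whether you run them as root or not.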


8 comments:

topimiring said...

Hi,
It failed when I tried to configure honeycomb on CentOS 5.2:
configure: error: dnet-config not found.

What's wrong?

But it works perfectly fine under Debian :)

Leonardo Andrade said...

dnet-config should be in /usr/local/libdnet/bin/dnet-config.

You need to install libdnet by compiling it; don't install it via yum or rpm.

wget -O libdnet-1.11.tar.gz 'http://prdownloads.sourceforge.net/libdnet/libdnet-1.11.tar.gz?download'
tar -zxvf libdnet-1.11.tar.gz
cd libdnet-1.11
yum install gcc-c++
./configure --prefix=/usr/local/libdnet
make
make install
cd ..

and you need to run 'configure' with --with-libdnet=/usr/local/libdnet/bin.

Just follow the post. :)

If you have any questions, please reply to this post.

Thanks for reporting that it works in Debian.

topimiring said...

Hi,
I've been trying to generate rpc-dcom exploit (http://packetstormsecurity.org/0307-exploits/dcom.c) snort signatures using Honeycomb+honeyd. But it failed.
Here's my honeyd configuration to simulate the windows rpc service:

http://silenceisdefeat.com/~l41n/ta/honeycomb.conf

And after I attacked the honeyd host using the dcom.c exploit, I didn't get any snort signatures in my /tmp/honeycomb.log:

http://silenceisdefeat.com/~l41n/ta/honeycomb.log

Is there anything else I should do to be able to generate the rpc-dcom exploit signature? And what kind of exploit signatures have you successfully generated using honeycomb?
:)
Thank you

Leonardo Andrade said...

Hi topimiring,

My work with Honeycomb on generating NIDS rules isn't deep. I still have not generated complex or good rules with Honeycomb. But that does not mean Honeycomb is a poor tool; it means that I have not probed Honeycomb with care.

But I have read about Honeycomb's architecture, and you could maybe try a few things:

* I noticed that you aren't running a specific service on port 135 (the target of the vulnerability in question) for your winblows template. One fact is that, from experience, better rules can be generated when a service that handles these interactions correctly is running. Keeping port 135/TCP merely "open" for connections isn't sufficient. Try to write or find scripts that can respond to the exploit adequately. Another option is to proxy the connection to a real vulnerable service (use the 'proxy' option of Honeyd); this can produce good results.
If you leave port 135/TCP merely open (without a service), poor rules will be produced, as you have already seen. This happens because only the three-way handshake and very little data are exchanged in a given connection. (Remember that your honeypot is not able to reply to the attacker's requests in this case.)
If you wish, you can try to interact manually (do it many times) with the other ports handled by the other scripts that ship with honeyd, like SMTP, POP3, etc., and observe whether the rules are generated with the "content" field (this is a good sign).

* Following the recommendation above, by trial and error, adjust the parameters of Honeycomb and see if you can obtain good/excellent rules.

If you have any other question, just reply to this message.

Out of curiosity, what's your country?

Regards.
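To make the proxy suggestion in the reply above concrete, here is an added example of a honeyd template that hands 135/TCP to a real host and runs an emulation script on 80/TCP. It is not part of the original post or of topimiring's linked configuration; the personality string, the addresses, and the script path under /usr/local/honeyd/scripts/ (where the install procedure copies honeyd's scripts/ directory) are assumptions you must adapt to your fingerprint file and network:

```text
# Added example honeyd configuration (not from the original post).
# Assumptions: the personality name exists in nmap.prints, 192.168.1.10 is a real
# host that actually speaks MS-RPC on 135, 192.168.1.200 is a free address on the
# honeypot's segment, and the web script path matches your install prefix.

create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset

# Forward 135/TCP to a real service so the exploit gets real replies; honeycomb
# then sees full request/response payloads instead of a bare three-way handshake.
add windows tcp port 135 proxy 192.168.1.10:135

# A scripted service gives honeycomb payload bytes to build "content" matches from.
add windows tcp port 80 "sh /usr/local/honeyd/scripts/win32/web.sh"

bind 192.168.1.200 windows
```

Start it the same way as in the thread, for example `honeyd -d -i eth0 -f honeyd.conf 192.168.1.200`. The caveat a practitioner will want: with `proxy`, the exploit really reaches the real host on 192.168.1.10, so that machine must be isolated and disposable, because it will be compromised every time the honeypot is attacked.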

topimiring said...

Thank you for your suggestions. It's true that I didn't run any service on port 135 when I tried generating the snort signature the 1st time. But just a few minutes ago, I tried proxying the honeyd service to the real ms-rpc dcom service on a real windows machine within my LAN. And the result is still the same:

# Signature report at Fri May 22 03:51:03 2009
alert tcp any 0 -> any 0 (msg: "Honeycomb Fri May 22 03h50m43 2009 "; ip_proto: "ip"; flags: F+; flow: stateless; )
alert tcp any 0 -> any 0 (msg: "Honeycomb Fri May 22 03h50m43 2009 "; ip_proto: "ip"; flags: FPA1; flow: stateless; )
alert tcp 0.0.0.0/8 0 -> any 0 (msg: "Honeycomb Fri May 22 03h50m44 2009 "; ip_proto: "ip"; flags: FSRPAU!; flow: stateless;

And in the 2nd approach, I was using IISEMULATOR for honeyd to emulate the IIS service within my honeyd, and then I tried to exploit it using some IIS unicode exploit (from milw0rm.com), and it produced quite long tcp request signatures (not the exploit signature), which you can read here:

http://silenceisdefeat.com/~l41n/iishoneycomb.log

Is it possible to use the above tcp-request signatures (not the exploit signatures) in my NIDS?

Do you have any other suggestions? I mean, what kind of services did you emulate and exploit in order to produce the snort signature? I am now using the default honeycomb configuration; would you kindly send me your honeycomb configuration which succeeds in generating snort signatures?

Some ppl on linuxquestions.org suggested I try honeytrap and nebula (the plugin to generate snort signatures). Do you have any experience with them?
I'm sorry to keep bothering you, but I am now doing my thesis on this topic (NIDS signature generation using honeypots), and I would really appreciate your help :)
Btw, I'm from Indonesia :)

Regards,

lazytran said...

Hi, I have a problem when running honeyd, like this:


[root@dhcppc3 honeyd]# ./honeyd -d -i eth0 -f ./nenet
Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
honeyd[16363]: started with -d -i eth0 -f ./nenet
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[16363]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip )) and not ether src 00:0c:29:ba:18:39
honeyd[16363]: HTTP server listening on 127.0.0.1:80
honeyd[16363]: HTTP server root at /usr/local/honeyd/share/honeyd/webserver/htdocs
honeyd[16363]: registering plugin 'Honeycomb' (0.7)
honeycomb.c/72: Initializing Honeycomb 0.7
hc_file_logger.c/83: Honeycomb logging to /tmp/honeycomb.log
honeyd[16363]: Demoting process privileges to uid 99, gid 99
honeyd[16363]: update_check: failed to resolve host.
honeyd[16363]: webserver: require read access to /usr/local/honeyd/share/honeyd/webserver/htdocs/styles: Permission denied

How can I fix it?

Leonardo Andrade said...

Hi lazytran,


What's your distro? CentOS, Debian?

Have you already checked the current permissions on the '/usr/local/honeyd/share/honeyd/webserver/htdocs/styles' directory?

lazytran said...

Hi,

I've set the permissions on the '/usr/local/honeyd/share/honeyd/webserver/htdocs/styles' directory to 777. I'm using CentOS 5.7; I tried on CentOS 5.2 and got the same error!