Honeytrap, written by Tillmann Werner, is a low-interaction malware collection honeypot. Instead of the classic approach of emulating services or well-known vulnerabilities, Honeytrap reacts dynamically to incoming traffic and tricks the offender into sending its complete payload. This dynamic server concept allows Honeytrap to respond to most network traffic and even to observe zero-day attacks.
Honeytrap offers different connection monitors for applying the dynamic server concept:
A libpcap-based sniffer catches locally generated RST packets with a sequence number of zero. These packets indicate a rejected connection request, so Honeytrap opens the source port of the RST packet in order to handle future incoming requests to that port.
The ip_queue monitor hooks the ip_queue interface of iptables and relies on an iptables rule to deliver packets related to new connections to Honeytrap. This monitor has the advantage of catching the first connection attempt.
The latter is not as stealthy as the former, because it entertains every connection request, whilst the libpcap-based connection monitor only entertains persistent network connections.
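The check described for the libpcap-based monitor, sketched in C as an added example (this is not Honeytrap's own code). It assumes the link-layer header has already been stripped from the captured frame; the function names, addresses and sample packets are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TCP_FLAG_RST 0x04
#define TCP_FLAG_ACK 0x10

/* Return the local port to open (host byte order) if pkt is an IPv4 TCP RST
 * with sequence number zero sent from local_ip; return 0 for anything else. */
uint16_t rejected_port(const uint8_t *pkt, size_t len, const uint8_t local_ip[4])
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;        /* IPv4 only */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;            /* IP header length, options included */
    if (ihl < 20 || len < ihl + 20) return 0;            /* truncated capture */
    if (pkt[9] != 6) return 0;                           /* not TCP */
    if ((pkt[6] & 0x1f) || pkt[7]) return 0;             /* later fragment: no TCP header here */
    if (memcmp(pkt + 12, local_ip, 4) != 0) return 0;    /* RST was not generated locally */
    const uint8_t *tcp = pkt + ihl;
    if (!(tcp[13] & TCP_FLAG_RST)) return 0;             /* RST flag not set */
    if (tcp[4] | tcp[5] | tcp[6] | tcp[7]) return 0;     /* sequence number is not zero */
    return (uint16_t)((tcp[0] << 8) | tcp[1]);           /* source port of the RST */
}

/* Build a constructed 40-byte IPv4+TCP sample packet (checksums left at zero). */
size_t sample_packet(uint8_t *buf, const uint8_t src[4], uint16_t sport,
                     uint32_t seq, uint8_t flags)
{
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = 6; /* v4, IHL 5, len 40, TTL, TCP */
    memcpy(buf + 12, src, 4);
    buf[16] = 198; buf[17] = 51; buf[18] = 100; buf[19] = 7;  /* documentation address */
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = 0xc3; buf[23] = 0x50;                      /* peer port 50000 */
    buf[24] = (uint8_t)(seq >> 24); buf[25] = (uint8_t)(seq >> 16); buf[26] = (uint8_t)(seq >> 8); buf[27] = (uint8_t)seq;
    buf[32] = 0x50; buf[33] = flags;                     /* data offset 5 words, TCP flags */
    return 40;
}

int main(void)
{
    const uint8_t local[4] = {192, 0, 2, 10};            /* constructed honeypot address */
    uint8_t buf[40];
    size_t n = sample_packet(buf, local, 445, 0, TCP_FLAG_RST | TCP_FLAG_ACK);
    printf("RST, seq 0, from us      -> open port %u\n", (unsigned)rejected_port(buf, n, local));
    n = sample_packet(buf, local, 22, 0x1000, TCP_FLAG_RST);
    printf("RST, seq != 0 (session)  -> %u (ignored)\n", (unsigned)rejected_port(buf, n, local));
    return 0;
}
```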
I installed my Honeytrap (on my virtual machine running CentOS 6.2) using the libpcap-based connection monitor as I favoured it more than the ip_queue connection monitor. Nonetheless, I will still show how to install a Honeytrap with the ip_queue connection monitor.
Firstly, get a copy of the tarball from SourceForge here.
Electric Fence guards against buffer overflow bugs, enabling you to operate Honeytrap securely.
yum install ElectricFence
If you are using the libpcap-based connection monitor:
yum install libpcap-devel
If you are using the ip_queue connection monitor:
yum install iptables-devel
You will also need to add the following rule to your iptables configuration:
iptables -A INPUT -i [monitoring-interface] -p tcp --syn -m state --state NEW -j QUEUE
./configure --with-stream-mon=[connection-monitor-type] --with-efence
make && sudo make install
Honeytrap will be installed into /usr/local/etc/honeytrap by default.
You will have to configure your Honeytrap to your liking before running it. The default configuration file can be found in /usr/local/etc/honeytrap/honeytrap.conf.
Where you can find your log and PID files:
Where to find your Honeytrap activities:
attack_dir stores all data collected about the attacks against your Honeytrap.
dlsave_dir stores all malware collected by your Honeytrap.
Configure your Honeytrap responses:
Normal mode: basic emulation capabilities.
Mirror mode: mirror back all incoming data to the attacker.
Proxy mode: relay incoming connections to a different host or service.
Ignore mode: Honeytrap will simply ignore connections to that port.
Run your Honeytrap!
honeytrap -c /usr/local/etc/honeytrap/honeytrap.conf -u nobody -g nobody -t 5 -D
** For security purposes, it is important you never run Honeytrap as root!
Emil Tan, Chapter Lead, The Honeynet Project, Singapore Chapter.