honeyd的安装与使用
<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">参照以下文档很顺利地安装好了</span>honeyd<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">。不过有些小问题在这备注一下,另外也增加了一些文档中作者没有讲到的问题。在当向netcat致敬,没有他的文档,我不可能这么顺利的完成这个case.<br></span>
<p class="MsoNormal"> </p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo1"><span style="mso-fareast-font-family:Calibri;mso-fareast-theme-font:minor-latin;
mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">1.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">系统采用</span>Redhat
AS 5 update 4<span style="font-family:宋体;mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">完全安装版。</span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo1"><span style="mso-fareast-font-family:Calibri;mso-fareast-theme-font:minor-latin;
mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">2.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">原文中</span>libdnet-1.11.tar.gz<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">的下载地址有问题,不过地址还是包括在它的链接里面的。</span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo1"><span style="mso-fareast-font-family:Calibri;mso-fareast-theme-font:minor-latin;
mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">3.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">对安装顺序作一个重新安排</span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;
mso-list:l1 level2 lfo1"><span style="mso-fareast-font-family:
Calibri;mso-fareast-theme-font:minor-latin;mso-bidi-font-family:Calibri;
mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">a.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">安装</span>libpcap-1.1.1.tar.gz<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">包</span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;
mso-list:l1 level2 lfo1"><span style="mso-fareast-font-family:
Calibri;mso-fareast-theme-font:minor-latin;mso-bidi-font-family:Calibri;
mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">b.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">安装</span>libdnet-1.11.tar.gz<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">包</span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;
mso-list:l1 level2 lfo1"><span style="mso-fareast-font-family:
Calibri;mso-fareast-theme-font:minor-latin;mso-bidi-font-family:Calibri;
mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">c.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">安装</span>libevent-1.4.14b-stable.tar.gz<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">包</span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;
mso-list:l1 level2 lfo1"><span style="mso-fareast-font-family:
Calibri;mso-fareast-theme-font:minor-latin;mso-bidi-font-family:Calibri;
mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">d.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">最后再安装</span>honeyd<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">包。在这里我并没有安装文中所提到的</span>readline
readline-devel<span style="font-family:宋体;mso-ascii-font-family:
Calibri;mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">这两个包。但也没有出过文中所讲的错误。我用</span>rpm
–qa<span style="font-family:宋体;mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">查找过类似名称的包,也没有找到。不知道是不是与我安装的系统版本有关系</span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;
mso-list:l1 level2 lfo1"><span style="mso-fareast-font-family:
Calibri;mso-fareast-theme-font:minor-latin;mso-bidi-font-family:Calibri;
mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">e.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">最后安装</span>arpd<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">包,文中所讲的确实有用,还没来得及深究为什么要这样作</span>.</p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo1"><span style="mso-fareast-font-family:Calibri;mso-fareast-theme-font:minor-latin;
mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">4.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">上面所有软件包安装完成后,在命令行下运行</span>arpd<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">命令,只要没出现</span>listening
on eth0<span style="font-family:宋体;mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">之类的提示就证明是有问题的:</span></p>
<p class="MsoListParagraph"># arpd</p>
<p class="MsoListParagraph">arpd: listening on eth0: arp<span style="mso-spacerun:yes"> </span>and not ether src 00:0c:29:89:a8:aa</p>
<p class="MsoListParagraph"> </p>
<p class="MsoListParagraph"><span style="font-family:宋体;mso-ascii-font-family:
Calibri;mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">解决方法就如文中所讲,用</span>find<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">命令找到所需要的</span>so<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">文件,然后拷贝到</span>/usr/lib<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">下面即可。</span></p>
<p class="MsoListParagraph"><span style="font-family:宋体;mso-ascii-font-family:
Calibri;mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">我在这里缺少两个文件,这两个文件就是上面两个软件包安装后产生的,默认不会放到</span>/usr/lib<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">下,其实应该也可以在安装前通过修改</span>configure<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">文件达到这个目的。不过拷贝也很简单了</span>.</p>
<p class="MsoListParagraph"> </p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo1"><span style="mso-fareast-font-family:Calibri;mso-fareast-theme-font:minor-latin;
mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">5.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">根据文档,创建两个</span>log<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">文件后,使用</span>honeyd
-d -l /var/log/honeyd/honeyd.log -s /var/log/honeyd/service.log
--fix-webserver-permissions 192.168.119.100<span style="font-family:
宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:minor-latin;mso-fareast-font-family:
宋体;mso-fareast-theme-font:minor-fareast;mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin" lang="ZH-CN">命令可以在网络中虚拟出一个</span>192.168.119.100<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">的虚拟主机来:</span></p>
<p class="MsoNormal" style="margin-left:.5in"># honeyd -d -l
/var/log/honeyd/honeyd.log -s /var/log/honeyd/service.log
--fix-webserver-permissions 192.168.119.100</p>
<p class="MsoNormal" style="margin-left:.5in">Honeyd V1.5c Copyright (c)
2002-2007 Niels Provos</p>
<p class="MsoNormal" style="margin-left:.5in">honeyd: started with -d -l
/var/log/honeyd/honeyd.log -s /var/log/honeyd/service.log
--fix-webserver-permissions 192.168.119.100</p>
<p class="MsoNormal" style="margin-left:.5in">Warning: Impossible SI range in
Class fingerprint "IBM OS/400 V4R2M0"</p>
<p class="MsoNormal" style="margin-left:.5in">Warning: Impossible SI range in
Class fingerprint "Microsoft Windows NT 4.0 SP3"</p>
<p class="MsoNormal" style="margin-left:.5in">honeyd: listening
promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port
68) or (ip and (host 192.168.119.100))) and not ether src 00:0c:29:89:a8:aa</p>
<p class="MsoNormal" style="margin-left:.5in"> </p>
<p class="MsoNormal" style="margin-left:.5in"> </p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-family:
宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:minor-latin;mso-fareast-font-family:
宋体;mso-fareast-theme-font:minor-fareast;mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin" lang="ZH-CN">在客户端分别使用</span>ping ,ftp, telnet<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">命令后会在服务端产生如下连接日志:</span></p>
<p class="MsoNormal" style="margin-left:.5in">honeyd: Sending ICMP Echo
Reply: 192.168.119.100 -> 192.168.119.30</p>
<p class="MsoNormal" style="margin-left:.5in">honeyd: Sending ICMP Echo
Reply: 192.168.119.100 -> 192.168.119.30</p>
<p class="MsoNormal" style="margin-left:.5in">honeyd: Sending ICMP Echo
Reply: 192.168.119.100 -> 192.168.119.30</p>
<p class="MsoNormal" style="margin-left:.5in">honeyd: Sending ICMP Echo
Reply: 192.168.119.100 -> 192.168.119.30</p>
<p class="MsoNormal" style="margin-left:.5in"> </p>
<p class="MsoNormal" style="margin-left:.5in">honeyd: Connection request:
tcp (192.168.119.30:64332 - 192.168.119.100:21)</p>
<p class="MsoNormal" style="margin-left:.5in">honeyd: Connection
established: tcp (192.168.119.30:64332 - 192.168.119.100:21)</p>
<p class="MsoNormal" style="margin-left:.5in">honeyd: Connection dropped
by reset: tcp (192.168.119.30:64332 - 192.168.119.100:21)</p>
<p class="MsoNormal" style="margin-left:.5in"> </p>
<p class="MsoNormal" style="margin-left:.5in">honeyd: Connection request:
tcp (192.168.119.30:64359 - 192.168.119.100:23)</p>
<p class="MsoNormal" style="margin-left:.5in">honeyd: Connection
established: tcp (192.168.119.30:64359 - 192.168.119.100:23)</p>
<p class="MsoNormal" style="margin-left:.5in">honeyd: Connection closed:
tcp (192.168.119.30:64359 - 192.168.119.100:23)</p>
<p class="MsoNormal" style="margin-left:.5in">honeyd: Killing unknown
connection: tcp (192.168.119.30:64359 - 192.168.119.100:23)</p>
<p class="MsoNormal" style="margin-left:.5in"> </p>
<p class="MsoNormal"> </p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo1"><span style="mso-fareast-font-family:Calibri;mso-fareast-theme-font:minor-latin;
mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">6.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">系统安装好后,主要的文件有:</span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;
mso-list:l1 level2 lfo1"><span style="mso-fareast-font-family:
Calibri;mso-fareast-theme-font:minor-latin;mso-bidi-font-family:Calibri;
mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">a.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">执行文件:</span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"># ll
/usr/local/bin/h*</p>
<p class="MsoListParagraph" style="margin-left:1.0in">-rwxr-xr-x 1 root root
958160 Jun 10 06:48 /usr/local/bin/honeyd</p>
<p class="MsoListParagraph" style="margin-left:1.0in">-rwxr-xr-x 1 root root<span style="mso-spacerun:yes"> </span>32810 Jun 10 06:48 /usr/local/bin/honeydctl</p>
<p class="MsoListParagraph" style="margin-left:1.0in">-rwxr-xr-x 1 root root
202203 Jun 10 06:48 /usr/local/bin/honeydstats</p>
<p class="MsoListParagraph" style="margin-left:1.0in">-rwxr-xr-x 1 root root 194658
Jun 10 06:48 /usr/local/bin/hsniff</p>
<p class="MsoListParagraph" style="margin-left:1.0in"> </p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;
mso-list:l1 level2 lfo1"><span style="mso-fareast-font-family:
Calibri;mso-fareast-theme-font:minor-latin;mso-bidi-font-family:Calibri;
mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">b.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">配置文件:默认的配置文件都放在</span>/usr/local/share/honeyd<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">目录下的</span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"># ll
/usr/local/share/honeyd</p>
<p class="MsoListParagraph" style="margin-left:1.0in">total 592</p>
<p class="MsoListParagraph" style="margin-left:1.0in">-rw-r--r-- 1 root root<span style="mso-spacerun:yes"> </span>247 Jun 10 06:48 config.ethernet</p>
<p class="MsoListParagraph" style="margin-left:1.0in">-rw-r--r-- 1 root root<span style="mso-spacerun:yes"> </span>1226 Jun 10 06:48 config.sample</p>
<p class="MsoListParagraph" style="margin-left:1.0in">-rw-r--r-- 1 root root<span style="mso-spacerun:yes"> </span>45556 Jun 10 06:48 nmap.assoc</p>
<p class="MsoListParagraph" style="margin-left:1.0in">-rw-r--r-- 1 root root
451138 Jun 10 06:48 nmap.prints</p>
<p class="MsoListParagraph" style="margin-left:1.0in">-rw-r--r-- 1 root root<span style="mso-spacerun:yes"> </span>28312 Jun 10 06:48 pf.os</p>
<p class="MsoListParagraph" style="margin-left:1.0in">-rw-r--r-- 1 root root<span style="mso-spacerun:yes"> </span>4130 Jun 10 06:48 README</p>
<p class="MsoListParagraph" style="margin-left:1.0in">drwxrwxrwx 3<span style="mso-spacerun:yes"> </span>501<span style="mso-spacerun:yes">
</span>501<span style="mso-spacerun:yes"> </span>4096 May 28<span style="mso-spacerun:yes"> </span>2007 webserver</p>
<p class="MsoListParagraph" style="margin-left:1.0in">-rw-r--r-- 1 root root<span style="mso-spacerun:yes"> </span>45207 Jun 10 06:48 xprobe2.conf</p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;
mso-list:l1 level2 lfo1"> <span style="mso-fareast-font-family:
Calibri;mso-fareast-theme-font:minor-latin;mso-bidi-font-family:Calibri;
mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">c.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">进程文件:</span></p>
<p class="MsoListParagraph" style="margin-left:1.0in">/var/run/honeyd.sock</p>
<p class="MsoListParagraph" style="margin-left:1.0in">/var/run/honeyd.pid</p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;
mso-list:l1 level2 lfo1"><span style="mso-fareast-font-family:
Calibri;mso-fareast-theme-font:minor-latin;mso-bidi-font-family:Calibri;
mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">d.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">日志文件:</span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;mso-hansi-font-family:
Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">这个在文档中是自己定义位置的,查看其它文档也有介绍可以使用</span>syslog<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">之类的日志系统</span>.</p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo1"><span style="mso-fareast-font-family:Calibri;mso-fareast-theme-font:minor-latin;
mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">7.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">可以使用下载的</span>honeyd_kit<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">软件包来快速使用</span>honeyd,
<span style="font-family:宋体;mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">在使用前务必先看一下</span>README<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">文档,根据你的网络更改一下</span>.<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">主要有三个文件</span></p>
<p class="MsoListParagraph">honeyd.conf , start-arpd.sh, start-honeyd.sh<span style="mso-spacerun:yes"> </span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;mso-hansi-font-family:
Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">以下是我这三个配置文件的内容:</span></p>
<p class="MsoListParagraph" style="margin-left:1.0in">[root@portaltest
honeyd_kit-1.0c-a]# cat honeyd.conf</p><span style="mso-spacerun:yes"> </span>#####<span style="mso-spacerun:yes"> </span>Honeyd Configuration File #####
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="mso-spacerun:yes"> </span># Last Updated: 31 May, 2005</p>
<p class="MsoListParagraph" style="margin-left:1.0in"> #####################################################################</p>
<p class="MsoListParagraph" style="margin-left:1.0in">### Start with default
template.<span style="mso-spacerun:yes"> </span>If you don't assign
specifc<span style="mso-spacerun:yes"> </span>###</p>
<p class="MsoListParagraph" style="margin-left:1.0in">### behavior to a specific
honeypot, it defaults to the 'default' ###</p>
<p class="MsoListParagraph" style="margin-left:1.0in">### template.<span style="mso-spacerun:yes"> </span>You must have a template with the name
'default'.<span style="mso-spacerun:yes"> </span>###</p>
<p class="MsoListParagraph" style="margin-left:1.0in">#####################################################################</p>
<p class="MsoListParagraph" style="margin-left:1.0in"> </p>
<p class="MsoListParagraph" style="margin-left:1.0in">### Default Template</p>
<p class="MsoListParagraph" style="margin-left:1.0in">create default</p>
<p class="MsoListParagraph" style="margin-left:1.0in">set default personality
"Microsoft Windows XP Home Edition"</p>
<p class="MsoListParagraph" style="margin-left:1.0in">set default default tcp
action reset</p>
<p class="MsoListParagraph" style="margin-left:1.0in">set default default udp
action reset</p>
<p class="MsoListParagraph" style="margin-left:1.0in">set default default icmp
action open</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add default tcp port 80
"sh scripts/misc/test.sh"</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add default tcp port 139
open</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add default tcp port 137
open</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add default udp port 137
open</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add default udp port 135
open</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add default udp port 445
open</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add default tcp port 445
open</p>
<p class="MsoListParagraph" style="margin-left:1.0in"> </p>
<p class="MsoListParagraph" style="margin-left:1.0in">### Standard Windows 2000
computer</p>
<p class="MsoListParagraph" style="margin-left:1.0in">create win2k</p>
<p class="MsoListParagraph" style="margin-left:1.0in">set win2k personality
"Microsoft Windows 2000 Server SP3"</p>
<p class="MsoListParagraph" style="margin-left:1.0in">set win2k default tcp
action reset</p>
<p class="MsoListParagraph" style="margin-left:1.0in">set win2k default udp
action reset</p>
<p class="MsoListParagraph" style="margin-left:1.0in">set win2k default icmp
action block</p>
<p class="MsoListParagraph" style="margin-left:1.0in">set win2k uptime 3567</p>
<p class="MsoListParagraph" style="margin-left:1.0in">set win2k droprate in 13</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add win2k tcp port 21
"sh scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport"</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add win2k tcp port 25
"sh scripts/win32/win2k/exchange-smtp.sh $ipsrc $sport $ipdst $dport"</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add win2k tcp port 80
"sh scripts/win32/win2k/iis.sh $ipsrc $sport $ipdst $dport"</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add win2k tcp port 110
"sh scripts/win32/win2k/exchange-pop3.sh $ipsrc $sport $ipdst $dport"</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add win2k tcp port 143
"sh scripts/win32/win2k/exchange-imap.sh $ipsrc $sport $ipdst $dport"</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add win2k tcp port 389
"sh scripts/win32/win2k/ldap.sh $ipsrc $sport $ipdst $dport"</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add win2k tcp port 5901
"sh scripts/win32/win2k/vnc.sh $ipsrc $sport $ipdst $dport"</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add win2k udp port 161
"perl scripts/unix/general/snmp/fake-snmp.pl public private --config=scripts/unix/general"</p>
<p class="MsoListParagraph" style="margin-left:1.0in"># This will redirect
incomming windows-filesharing back to the source</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add win2k udp port 137
proxy $ipsrc:137</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add win2k udp port 138
proxy $ipsrc:138</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add win2k udp port 445
proxy $ipsrc:445</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add win2k tcp port 137
proxy $ipsrc:137</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add win2k tcp port 138
proxy $ipsrc:138</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add win2k tcp port 139
proxy $ipsrc:139</p>
<p class="MsoListParagraph" style="margin-left:1.0in">add win2k tcp port 445
proxy $ipsrc:445</p>
<p class="MsoListParagraph" style="margin-left:1.0in">bind 192.168.115.201 win2k</p>
<p class="MsoListParagraph" style="margin-left:1.0in">bind 192.168.114.201 win2k</p>
<p class="MsoListParagraph" style="margin-left:1.0in"> ============================================</p>
<p class="MsoListParagraph" style="margin-left:1.0in">[root@portaltest
honeyd_kit-1.0c-a]# cat start-arpd.sh </p>
<p class="MsoListParagraph" style="margin-left:1.0in">#!/bin/sh</p>
<p class="MsoListParagraph" style="margin-left:1.0in">#</p>
<p class="MsoListParagraph" style="margin-left:1.0in"># Aprd startup script.</p>
<p class="MsoListParagraph" style="margin-left:1.0in"># Marcus Ranum/Lance
Spitzner 3 Jan, 2003</p>
<p class="MsoListParagraph" style="margin-left:1.0in">#</p>
<p class="MsoListParagraph" style="margin-left:1.0in"># PURPOSE: To start the
Arpd process</p>
<p class="MsoListParagraph" style="margin-left:1.0in"># Add '-d' to command line
for debug information</p>
<p class="MsoListParagraph" style="margin-left:1.0in"> </p>
<p class="MsoListParagraph" style="margin-left:1.0in">set -x</p>
<p class="MsoListParagraph" style="margin-left:1.0in"> </p>
<p class="MsoListParagraph" style="margin-left:1.0in"># Monitor entire network</p>
<p class="MsoListParagraph" style="margin-left:1.0in">./arpd -i eth1<span style="mso-spacerun:yes"> </span>192.168.114.201</p>
<p class="MsoListParagraph" style="margin-left:1.0in">./arpd -i eth2<span style="mso-spacerun:yes"> </span>192.168.115.201</p>
<p class="MsoListParagraph" style="margin-left:1.0in"> </p>
<p class="MsoListParagraph" style="margin-left:1.0in"> ==========================================================</p>
<p class="MsoListParagraph" style="margin-left:1.0in">#
cat start-honeyd.sh </p>
<p class="MsoListParagraph" style="margin-left:1.0in">#!/bin/sh</p>
<p class="MsoListParagraph" style="margin-left:1.0in">#</p>
<p class="MsoListParagraph" style="margin-left:1.0in"># Honeyd startup script.</p>
<p class="MsoListParagraph" style="margin-left:1.0in"># Marcus Ranum/Lance
Spitzner 3 Jan, 2003</p>
<p class="MsoListParagraph" style="margin-left:1.0in">#</p>
<p class="MsoListParagraph" style="margin-left:1.0in"># PURPOSE: To start the
Honeyd process</p>
<p class="MsoListParagraph" style="margin-left:1.0in"># Add '-d' to command line
for debug information</p>
<p class="MsoListParagraph" style="margin-left:1.0in"> </p>
<p class="MsoListParagraph" style="margin-left:1.0in">set -x</p>
<p class="MsoListParagraph" style="margin-left:1.0in"> </p>
<p class="MsoListParagraph" style="margin-left:1.0in"># Launch Honeyd</p>
<p class="MsoListParagraph" style="margin-left:1.0in">./honeyd -f honeyd.conf -p
nmap.prints -x xprobe2.conf -a nmap.assoc -0 pf.os -l
/var/log/honeyd/honeyd114.log -s /var/log/honeyd/service.log<span style="mso-spacerun:yes"> </span>-i eth1 192.168.114.201</p>
<p class="MsoListParagraph" style="margin-left:1.0in">./honeyd -f honeyd.conf -p
nmap.prints -x xprobe2.conf -a nmap.assoc -0 pf.os -l /var/log/honeyd/honeyd115.log
-s /var/log/honeyd/service.log<span style="mso-spacerun:yes"> </span>-i eth2 192.168.115.201</p>
<p class="MsoListParagraph" style="margin-left:1.0in"> </p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;mso-hansi-font-family:
Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">使用以上这些</span>honeyd_kit配置文件<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">时需要注意以下几点:</span></p>
<p class="MsoListParagraph" style="margin-left:1.25in;text-indent:-.25in;
mso-list:l0 level1 lfo2"><span style="mso-fareast-font-family:
Calibri;mso-fareast-theme-font:minor-latin;mso-bidi-font-family:Calibri;
mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">a.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">要先创建相关的日志文件。</span></p>
<p class="MsoListParagraph" style="margin-left:1.25in;text-indent:-.25in;
mso-list:l0 level1 lfo2"><span style="mso-fareast-font-family:
Calibri;mso-fareast-theme-font:minor-latin;mso-bidi-font-family:Calibri;
mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">b.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">对创建的日志文件赋给</span>nobody<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">权限</span></p>
<p class="MsoListParagraph" style="margin-left:1.25in;text-indent:-.25in;
mso-list:l0 level1 lfo2"><span style="mso-fareast-font-family:
Calibri;mso-fareast-theme-font:minor-latin;mso-bidi-font-family:Calibri;
mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">c.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">以上两个</span>start<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">脚本运行后,会有两个</span>arpd,<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">两个</span>honeyd<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">进程在后台运行,可以用</span>ps
<span style="font-family:宋体;mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">命令来查看。至于退出好像没有什么命令。我是直接用</span>kill<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">的。</span></p>
<p class="MsoListParagraph" style="margin-left:1.25in;text-indent:-.25in;
mso-list:l0 level1 lfo2"><span style="mso-fareast-font-family:
Calibri;mso-fareast-theme-font:minor-latin;mso-bidi-font-family:Calibri;
mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">d.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">如果想开机就运行,哪就把这两个</span>start<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">脚本放到</span>/etc/rc.local<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">里就好了。</span></p>
<p class="MsoListParagraph" style="margin-left:1.25in;text-indent:-.25in;
mso-list:l0 level1 lfo2"><span style="mso-fareast-font-family:
Calibri;mso-fareast-theme-font:minor-latin;mso-bidi-font-family:Calibri;
mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">e.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">最后一点要提到的是,用</span>start-arpd.sh,
start-honeyd.sh<span style="font-family:宋体;mso-ascii-font-family:
Calibri;mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">这两个脚本启动</span>arpd,
honeyd<span style="font-family:宋体;mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">进程后,</span>192.168.114.201,
192.168.115.201<span style="font-family:宋体;mso-ascii-font-family:
Calibri;mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">这两个虚拟出来的机器大概需要半小时到一小时后才能被其它机器侦测到。刚开始我就是有点心急,服务起来后就去测试,怎么也扫描不到这两台机器。还反复在找文档,看配置,是不是有问题。要不是有一次服务起来了,正好别人找我有其它事耽误我了一个多小时,回来一测试居然好了,害我也浪费很多时间。</span></p>
<p class="MsoListParagraph" style="margin-left:1.25in"> </p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo1"><span style="mso-fareast-font-family:Calibri;mso-fareast-theme-font:minor-latin;
mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin"><span style="mso-list:Ignore">8.<span style="font:7.0pt " times="" new="" roman""=""> </span></span></span><span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">报表的产生</span></p>
<p class="MsoListParagraph"><span style="font-family:宋体;mso-ascii-font-family:
Calibri;mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">扫描出来的日志估计可看性太差了。以下是我写的一个小脚本来过滤统计</span>honeyd<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">产生的日志。主要是根据端口进行分类统计的。</span></p>
<p class="MsoListParagraph"># cat create_honeyd_report.sh
</p>
<p class="MsoListParagraph">#!/bin/bash</p>
<p class="MsoListParagraph">DT=`date +%F-%T`</p>
<p class="MsoListParagraph"><a href="mailto:MAILBOX=your_name@your_domain.com" target="_blank" target="_blank">MAILBOX=your_name@your_domain.com</a></p>
<p class="MsoListParagraph"> cd /var/log/honeyd</p>
<p class="MsoListParagraph"> echo "==================Begin 445 Port Scan
Report===============================" >> rpfile.txt</p>
<p class="MsoListParagraph">echo "" >> rpfile.txt</p>
<p class="MsoListParagraph"> cat honeyd114.log | grep 445 | awk '{print
$4,"\t\t" ,$6}' | sort | uniq -c | sort -n -r >> rpfile.txt</p>
<p class="MsoListParagraph">echo "" >> rpfile.txt</p>
<p class="MsoListParagraph">echo "" >> rpfile.txt</p>
<p class="MsoListParagraph">cat honeyd115.log | grep 445 | awk '{print
$4,"\t\t" ,$6}' | sort | uniq -c | sort -n -r >> rpfile.txt</p>
<p class="MsoListParagraph"> echo "==================Begin 138 Port Scan
Report===============================" >> rpfile.txt</p>
<p class="MsoListParagraph">echo "" >> rpfile.txt</p>
<p class="MsoListParagraph">echo honeyd114.log | grep 138 | awk '{print
$4,"\t\t" ,$6}' | sort | uniq -c | sort -n -r >> rpfile.txt</p>
<p class="MsoListParagraph">echo "" >> rpfile.txt</p>
<p class="MsoListParagraph">echo "" >> rpfile.txt</p>
<p class="MsoListParagraph">echo honeyd115.log | grep 138 | awk '{print
$4,"\t\t" ,$6}' | sort | uniq -c | sort -n -r >> rpfile.txt</p>
<p class="MsoListParagraph"> </p>
<p class="MsoListParagraph">echo "==================Begin 139 Port Scan
Report===============================" >> rpfile.txt</p>
<p class="MsoListParagraph">echo "" >> rpfile.txt</p>
<p class="MsoListParagraph">echo honeyd114.log | grep 139 | awk '{print
$4,"\t\t" ,$6}' | sort | uniq -c | sort -n -r >> rpfile.txt</p>
<p class="MsoListParagraph">echo "" >> rpfile.txt</p>
<p class="MsoListParagraph">echo "" >> rpfile.txt</p>
<p class="MsoListParagraph">echo honeyd115.log | grep 139 | awk '{print
$4,"\t\t" ,$6}' | sort | uniq -c | sort -n -r >> rpfile.txt</p>
<p class="MsoListParagraph"> </p>
<p class="MsoListParagraph">echo "==================End
Report===============================" >> rpfile.txt</p>
<p class="MsoListParagraph"> </p>
<p class="MsoListParagraph">mail -s "honeyd 445 port Scan reprot $DT" <span style="mso-spacerun:yes"> </span>$MAILBOX < rpfile.txt</p>
<p class="MsoListParagraph">cp honeyd114.log archive_log/honeyd114_$DT.log</p>
<p class="MsoListParagraph">cp honeyd115.log archive_log/honeyd115_$DT.log</p>
<p class="MsoListParagraph">echo "" > honeyd114.log</p>
<p class="MsoListParagraph">echo "" > honeyd115.log</p>
<p class="MsoListParagraph">rm -rf rpfile.txt</p>
<p class="MsoListParagraph"> </p>
<p class="MsoListParagraph"><span style="font-family:宋体;mso-ascii-font-family:
Calibri;mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">产生的报表如下:</span></p>
<p class="MsoPlainText" style="text-indent:.5in">==================Begin 445 Port
Scan Report===============================</p>
<p class="MsoPlainText"> </p>
<p class="MsoPlainText"><span style="mso-spacerun:yes"> </span><span style="mso-tab-count:1"> </span><span style="mso-spacerun:yes"> </span>16 <span style="mso-tab-count:1"> </span>192.168.118.80
<span style="mso-tab-count:2"> </span><span style="mso-spacerun:yes"> </span><span style="mso-tab-count:1"> </span>192.168.114.201</p>
<p class="MsoPlainText"><span style="mso-spacerun:yes"> </span><span style="mso-tab-count:1"> </span><span style="mso-spacerun:yes"> </span>16<span style="mso-tab-count:1"> </span>
192.168.118.28 <span style="mso-tab-count:2"> </span><span style="mso-spacerun:yes"> </span>192.168.114.201</p>
<p class="MsoPlainText"><span style="mso-spacerun:yes"> </span><span style="mso-tab-count:1"> </span>15<span style="mso-tab-count:1"> </span>
192.168.118.41 <span style="mso-tab-count:2"> </span><span style="mso-spacerun:yes"> </span>192.168.114.201</p>
<p class="MsoPlainText"><span style="mso-spacerun:yes"> </span><span style="mso-tab-count:1"> </span>12<span style="mso-tab-count:1"> </span>
192.168.117.109 <span style="mso-tab-count:2"> </span><span style="mso-spacerun:yes"> </span>192.168.114.201</p>
<p class="MsoPlainText"><span style="mso-spacerun:yes"> </span><span style="mso-tab-count:1"> </span><span style="mso-spacerun:yes"> </span>8<span style="mso-tab-count:1"> </span>
192.168.118.44 <span style="mso-tab-count:2"> </span><span style="mso-spacerun:yes"> </span>192.168.114.201</p>
<p class="MsoListParagraph"><span style="font-family:宋体;mso-ascii-font-family:
Calibri;mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">其中第一个数字为次数,第二个为源</span>IP<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">,第三个为目的</span>IP<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">。也就是源</span>IP<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">尝试连接目的</span>IP
<span style="font-family:宋体;mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">端</span>445<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">口总共多少次。</span></p>
<p class="MsoNormal"> <br></p>
<p class="MsoNormal">============================================================================================</p>
<p class="MsoNormal"> linux<span style="font-family:宋体;mso-ascii-font-family:
Calibri;mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">下安装</span>honeyd<span style="font-family:宋体;mso-ascii-font-family:Calibri;mso-ascii-theme-font:
minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">蜜罐系统【原创】</span></p>
<p class="MsoNormal"> <span style="font-family:宋体;mso-ascii-font-family:
Calibri;mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">标签:</span><a href="http://blog.51cto.com/tagindex.php?keyword=linux" target="_blank" target="_blank">linux</a>
<a href="http://blog.51cto.com/tagindex.php?keyword=honeyd" target="_blank" target="_blank">honeyd</a>
<a href="http://blog.51cto.com/tagindex.php?keyword=%C3%DB%B9%DE%CF%B5%CD%B3" target="_blank" target="_blank"><span style="font-family:宋体;mso-ascii-font-family:
Calibri;mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">蜜罐系统</span></a>
</p>
<p class="MsoNormal"><span style="font-family:宋体;mso-ascii-font-family:
Calibri;mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">原创作品,允许转载,转载时请务必以超链接形式标明文章</span><span lang="ZH-CN"> </span><a href="http://297020555.blog.51cto.com/1396304/538183" target="_blank" target="_blank"><span style="font-family:宋体;mso-ascii-font-family:
Calibri;mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">原始出处</span></a>
<span style="font-family:宋体;mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;mso-fareast-font-family:宋体;mso-fareast-theme-font:
minor-fareast;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin" lang="ZH-CN">、作者信息和本声明。否则将追究法律责任。</span><a href="http://297020555.blog.51cto.com/1396304/538183" target="_blank" target="_blank">http://297020555.blog.51cto.com/1396304/538183</a>
</p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">经过一上午的不懈努力,终于把</span>honeyd<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">给装上了,虽然途中报错无数,但我还是成功了。之所以能成功,还是多亏</span>baidu<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">和</span>google<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">的帮忙,更重要的是那些肯分享技术的人。正所谓取之于网络,回报于网络。所以我也就把我的经验拿出来和大家分享。</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">一</span>. <span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">安装环境:</span>centos
5.5</p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">需要的软件:</span></p>
<p><a href="http://www.honeyd.org/uploads/honeyd-1.5c.tar.gz" target="_blank" target="_blank"><span style="color:purple">honeyd-1.5c.tar.gz</span></a></p>
<p><a href="http://cdnetworks-kr-1.dl.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz" target="_blank" target="_blank"><span style="color:purple">libdnet-1.11.tar.gz</span></a></p>
<p><a href="http://www.monkey.org/%7Eprovos/libevent-1.4.14b-stable.tar.gz" target="_blank" target="_blank"><span style="color:purple">libevent-1.4.14b-stable.tar.gz</span></a></p>
<p><a href="http://www.monkey.org/%7Eprovos/libdnsres-0.1a.tar.gz" target="_blank" target="_blank"><span style="color:purple">libdnsres-0.1a.tar.gz</span></a></p>
<p><a href="http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz" target="_blank" target="_blank"><span style="color:purple">libpcap-1.1.1.tar.gz</span></a></p>
<p><a href="http://www.citi.umich.edu/u/provos/honeyd/arpd-0.2.tar.gz" target="_blank" target="_blank"><span style="color:purple">arpd-0.2.tar.gz</span></a></p>
<p><a href="http://www.citi.umich.edu/u/provos/honeyd/honeyd_kit-1.0c-a.tgz" target="_blank" target="_blank"><span style="color:purple">honeyd_kit-1.0c-a.tgz</span></a></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">二</span>. <span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">下载上边的软件包,可以点击下载,也可以到附件中下载。</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">三</span>. <span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">安装</span></p>
<p> <span style="color:red"> tar zxvf honeyd-1.5c.tar.gz</span></p>
<p><span style="color:red"> cd honeyd-1.5c</span></p>
<p><span style="color:red"> ./configure</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:blue" lang="ZH-CN">出错了:</span><span style="color:blue">configure: error: libpcap not found</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:blue" lang="ZH-CN">原因是没有安装</span><span style="color:blue">libpcap</span><span style="font-family:宋体;
mso-bidi-font-family:宋体;color:blue" lang="ZH-CN">包,现在开始安装。</span></p>
<p><span style="color:red">tar zxvf libpcap-1.1.1.tar.gz</span></p>
<p><span style="color:red">cd libpcap-1.1.1</span></p>
<p><span style="color:red">./configure ;make;make install</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">安装完</span>libpcap<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">后再回来安装</span>honeyd<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">。</span></p>
<p><span style="color:red">./configure</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:blue" lang="ZH-CN">又出错了:</span></p>
<p><span style="color:blue">checking for dnet-config... no<br>
configure: error: dnet-config not found</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:blue" lang="ZH-CN">缺少</span><span style="color:blue">libdnet</span><span style="font-family:宋体;
mso-bidi-font-family:宋体;color:blue" lang="ZH-CN">包。</span></p>
<p><span style="color:red">tar zxvf libdnet-1.11.tar.gz</span></p>
<p><span style="color:red">cd libdnet-1.11</span></p>
<p><span style="color:red">./configure ;make;make install</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">再回来安装</span>honeyd<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">。</span></p>
<p> </p>
<p><span style="color:red">./configure </span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:blue" lang="ZH-CN">出错:</span></p>
<p><span style="color:blue">checking for libevent... no<br>
configure: error: libevent not found</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:blue" lang="ZH-CN">缺少</span><span style="color:blue">libevent</span><span style="font-family:宋体;
mso-bidi-font-family:宋体;color:blue" lang="ZH-CN">包。</span></p>
<p><span style="color:red"> tar zxvf libevent-1.4.14b-stable.tar.gz</span></p>
<p><span style="color:red"> cd libevent-1.4.14b-stable</span></p>
<p><span style="color:red">./configure ;make;make install</span></p>
<p> </p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">再回来安装</span>honeyd<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">。</span></p>
<p> </p>
<p><span style="color:red">./configure </span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:blue" lang="ZH-CN">出错了:</span><span style="color:blue">configure: error: need either libedit or libreadline;
install one of them</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">解决办法:</span></p>
<p><span style="color:red"> yum install -y readline readline-devel</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">再回来安装</span>honeyd<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">。</span></p>
<p> </p>
<p><span style="color:red">./configure ;make;make install</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">安装完</span>honeyd<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">后接下来安装</span>arpd<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">包。</span></p>
<p><span style="color:red">tar zxvf arpd-0.2.tar.gz</span></p>
<p><span style="color:red">cd arpd</span></p>
<p><span style="color:red">./configure</span></p>
<p><span style="color:red">make</span></p>
<p><span style="color:blue">make</span><span style="font-family:
宋体;mso-bidi-font-family:宋体;color:blue" lang="ZH-CN">的时候出错了:</span></p>
<p><span style="color:blue">arpd.c: In function 'arpd_send':<br>
arpd.c:268: error: expected ')' before string constant<br>
arpd.c: In function 'arpd_lookup':<br>
arpd.c:285: error: expected ')' before string constant<br>
arpd.c:294: error: expected ')' before string constant<br>
arpd.c:297: error: expected ')' before string constant<br>
arpd.c: In function 'arpd_recv_cb':<br>
arpd.c:426: error: expected ')' before string constant<br>
make: *** Error 1</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">解决方法:</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:red" lang="ZH-CN">在</span><span style="color:red">arpd/arpd.c</span><span style="font-family:宋体;
mso-bidi-font-family:宋体;color:red" lang="ZH-CN">文件中添加</span><span style="color:red"> #define
__FUNCTION__ ""</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">然后在编译</span></p>
<p><span style="color:red">make</span><span style="font-family:宋体;
mso-bidi-font-family:宋体;color:red" lang="ZH-CN">;</span><span style="color:red">make install
</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">现在基本上就安装成功了。</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">四</span>.
<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">还容易遇到的问题</span></p>
<p><span style="color:blue"> arpd</span><span style="font-family:
宋体;mso-bidi-font-family:宋体;color:blue" lang="ZH-CN">包编译成功后,连接生成</span><span style="color:blue">arpd</span><span style="font-family:宋体;
mso-bidi-font-family:宋体;color:blue" lang="ZH-CN">二进制程序,在</span><span style="color:blue">linux</span><span style="font-family:宋体;mso-bidi-font-family:宋体;color:blue" lang="ZH-CN">下运行时,出现如下错误:</span><span style="color:blue"><br>
# arpd <br>
./arpd/arpd: error while loading shared libraries: libevent-1.4.so.2: cannot
open shared object file: No such file or directo</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:red" lang="ZH-CN">解决方法:</span><span style="color:red"><br>
</span><span style="font-family:宋体;mso-bidi-font-family:宋体;
color:red" lang="ZH-CN">方法一:直接把</span><span style="color:red">libevent-1.4.so.2</span><span style="font-family:宋体;mso-bidi-font-family:宋体;color:red" lang="ZH-CN">文件拷贝到系统指定的</span><span style="color:red">/usr/lib</span><span style="font-family:宋体;
mso-bidi-font-family:宋体;color:red" lang="ZH-CN">库文件目录中。或者做符合连接</span><span style="color:
red"> </span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:red" lang="ZH-CN">方法二:设置</span><span style="color:red">/etc/ld.so.conf</span><span style="font-family:
宋体;mso-bidi-font-family:宋体;color:red" lang="ZH-CN">文件,编辑该文件,在文件中加入</span><span style="color:red">libevent-1.4.so.2</span><span style="font-family:
宋体;mso-bidi-font-family:宋体;color:red" lang="ZH-CN">所在的目录,保存后退出。需要注意的是,每次改动</span><span style="color:red">ld.so.conf</span><span style="font-family:宋体;
mso-bidi-font-family:宋体;color:red" lang="ZH-CN">之后需要运行</span><span style="color:red">ldconfing</span><span style="font-family:宋体;mso-bidi-font-family:宋体;color:red" lang="ZH-CN">来确认刷新。</span></p>
<p> <span style="font-family:宋体;mso-bidi-font-family:宋体;
color:black" lang="ZH-CN">原因分析:</span><span style="color:black"><br>
arpd</span><span style="font-family:宋体;mso-bidi-font-family:宋体;
color:black" lang="ZH-CN">运行时,需要</span><span style="color:black">libevent</span><span style="font-family:宋体;mso-bidi-font-family:宋体;color:black" lang="ZH-CN">库的支持,所以在运行</span><span style="color:black">arpd</span><span style="font-family:宋体;
mso-bidi-font-family:宋体;color:black" lang="ZH-CN">前,要先编译好</span><span style="color:black">libevent</span><span style="font-family:宋体;mso-bidi-font-family:宋体;color:black" lang="ZH-CN">包,并把产生的</span><span style="color:black">libevent-1.4.so.2</span><span style="font-family:
宋体;mso-bidi-font-family:宋体;color:black" lang="ZH-CN">文件拷贝到系统默认的库文件目录下,以便</span><span style="color:black">arpd</span><span style="font-family:宋体;
mso-bidi-font-family:宋体;color:black" lang="ZH-CN">运行时能够连接到。</span></p>
<p> </p>
<p> </p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">五</span>.
Honeyd<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">的简单配置使用</span></p>
<p style="text-indent:24.0pt">Honeyd <span style="font-family:宋体;
mso-bidi-font-family:宋体" lang="ZH-CN">的命令格式如下:</span> <br>
honeyd [-dP] [-l logfile] [-s servicelog]
[-p fingerprints] [-0 p0f-file] [-x xprobe]<br>
[-a assoc] [-f file] [-i interface] [-u uid] [-g gid]<br>
[--webserver-address address] [--webserver-port port]<br>
[--webserver-root path] [--rrdtool-path path]<br>
[--disable-webserver] [--disable-update] [--verify-config]<br>
[--fix-webserver-permissions] [-V|--version] [-h|--help] [--include-dir]<br>
[--data-dir] </p>
<p style="text-indent:24.0pt"><span style="font-family:宋体;
mso-bidi-font-family:宋体" lang="ZH-CN">各选项的含义如下:</span> <br>
-d <span style="font-family:
宋体;mso-bidi-font-family:宋体" lang="ZH-CN">:非守护程序的形式,允许冗长的调试信息。</span></p>
<p style="text-indent:24.0pt">-P <span style="font-family:宋体;
mso-bidi-font-family:宋体" lang="ZH-CN">:在一些系统中,</span>pcap <span style="font-family:
宋体;mso-bidi-font-family:宋体" lang="ZH-CN">不能通过</span> select(2)<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">来获得事件通知是不可能的,在这种情况下,</span>honeyd
<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">需要在轮训模式下工作,这个标志位是使论询位有效的。</span>
<br>
-l logfile<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">:对日志包和日志文件的连接是被日志文件指定的。</span></p>
<p style="text-indent:24.0pt">-s servicelog<span style="font-family:
宋体;mso-bidi-font-family:宋体" lang="ZH-CN">:将</span>honeyd<span style="font-family:
宋体;mso-bidi-font-family:宋体" lang="ZH-CN">记录的服务层日志写入到指定的服务日志文件中。</span></p>
<p style="text-indent:24.0pt">-x xprobe<span style="font-family:
宋体;mso-bidi-font-family:宋体" lang="ZH-CN">:读</span> xprobe <span style="font-family:
宋体;mso-bidi-font-family:宋体" lang="ZH-CN">类型的指纹,这个文件决定了</span> honeyd <span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">如何响应</span> ICMP <span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">指纹工具。</span></p>
<p style="text-indent:24.0pt">-a assoc<span style="font-family:宋体;
mso-bidi-font-family:宋体" lang="ZH-CN">:读联系</span> nmap <span style="font-family:
宋体;mso-bidi-font-family:宋体" lang="ZH-CN">风格指纹和</span> xprobe <span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">指纹风格的文件。</span></p>
<p style="text-indent:24.0pt">-f file<span style="font-family:宋体;
mso-bidi-font-family:宋体" lang="ZH-CN">:读取名为</span><span lang="ZH-CN"> </span>file <span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">的配置文件。</span></p>
<p style="text-indent:24.0pt">-i interface<span style="font-family:
宋体;mso-bidi-font-family:宋体" lang="ZH-CN">:指定侦听的接口,可以指定多个接口。</span></p>
<p style="text-indent:24.0pt">[ V|--version<span style="font-family:
宋体;mso-bidi-font-family:宋体" lang="ZH-CN">:打印出版本信息同时退出。</span></p>
<p style="text-indent:24.0pt">-include-dir<span style="font-family:
宋体;mso-bidi-font-family:宋体" lang="ZH-CN">:用作插件开发,指定</span><span lang="ZH-CN"> </span>honeyd <span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">存贮它的头文件的位置。</span></p>
<p style="text-indent:24.0pt">[--webserver-address address] [--webserver-port
port] [--webserver-root path] [--rrdtool-path path]
[--fix-webserver-permissions]<span style="font-family:宋体;mso-bidi-font-family:
宋体" lang="ZH-CN">指定</span>Honeyd<span style="font-family:宋体;mso-bidi-font-family:
宋体" lang="ZH-CN">软件内建</span>Web<span style="font-family:宋体;mso-bidi-font-family:
宋体" lang="ZH-CN">服务的地址、端口和根目录,以及</span>Web<span style="font-family:宋体;mso-bidi-font-family:
宋体" lang="ZH-CN">服务依赖的</span><span lang="ZH-CN"> </span>RRDTool<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">的位置,</span>--fix-webserver-permissions<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">修正</span>Web<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">目录权限设置导致网页不可读取问题。</span></p>
<p style="text-indent:24.0pt">net<span style="font-family:宋体;
mso-bidi-font-family:宋体" lang="ZH-CN">:指定</span>IP<span style="font-family:宋体;
mso-bidi-font-family:宋体" lang="ZH-CN">地址或者网络或者</span>IP<span style="font-family:
宋体;mso-bidi-font-family:宋体" lang="ZH-CN">地址范围,如果没有指定,</span>honeyd<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">将监视它能看见的任何</span>IP<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">地址的流量。</span></p>
<p style="text-indent:24.0pt"> </p>
<p style="text-indent:24.0pt"><span style="font-family:宋体;
mso-bidi-font-family:宋体" lang="ZH-CN">在</span>Honeyd<span style="font-family:
宋体;mso-bidi-font-family:宋体" lang="ZH-CN">软件宿主主机上运行</span>arpd<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">绑定同一网段中某个空闲</span>IP<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">地址,然后运行</span>Honeyd<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">软件在此空闲</span>IP<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">地址上构建虚拟蜜罐。</span><br>
#arpd 192.168.100.5<span style="mso-fareast-font-family:宋体;
mso-fareast-theme-font:minor-fareast"></span></p>
<p>#mkdir /var/log/honeyd<br>
#touch /var/log/honeyd/honeyd.log<br>
#touch /var/log/honeyd/service.log<br>
#chown nobody.nobody /var/log/honeyd/*.log<br>
# ll /var/log/honeyd<br>
<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">总计</span> 8<br>
-rw-r--r-- 1 nobody nobody 2617 12-09 17:44 honeyd.log<br>
-rw-r--r-- 1 nobody nobody 102 12-09 17:44 service.log</p>
<p style="text-indent:24.0pt"><br>
# honeyd -d -l /var/log/honeyd/honeyd.log -s
/var/log/honeyd/service.log --fix-webserver-permissions 192.168.100.100<br>
Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos<br>
honeyd: started with -d -l /var/log/honeyd/honeyd.log -s
/var/log/honeyd/service.log --fix-webserver-permissions 192.168.100.100<br>
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"<br>
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT
4.0 SP3"<br>
honeyd: listening promiscuously on eth0: (arp or ip proto 47 or (udp and
src port 67 and dst port 68) or (ip and (host 192.168.100.100))) and not ether
src 00:0c:29:51:b7:f3<br>
honeyd: Demoting process privileges to uid 99, gid 99<br>
honeyd: update_check: failed to resolve host.<br>
honeyd: Sending ICMP Echo Reply: 192.168.100.100 -> 192.168.100.1<br>
honeyd: Sending ICMP Echo Reply: 192.168.100.100 -> 192.168.100.1<br>
honeyd: Sending ICMP Echo Reply: 192.168.100.100 -> 192.168.100.1<br>
honeyd: Sending ICMP Echo Reply: 192.168.100.100 -> 192.168.100.1</p>
<p> <span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">如果上面的内容还不能解决您的问题,可以与我</span>qq<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">联系。</span>qq<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">:</span>297020555</p>
<p> </p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">出错:</span>configure:
error: libdnsres not found</p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:black" lang="ZH-CN">解决办法:</span></p>
<p><span style="color:red">wget </span><a href="http://www.monkey.org/%7Eprovos/libdnsres-0.1a.tar.gz" target="_blank" target="_blank"><span style="color:red">http://www.monkey.org/~provos/libdnsres-0.1a.tar.gz</span><span style="color:#0079B7"> </span></a></p>
<p><span style="color:red">tar zxvf libdnsres-0.1a.tar.gz</span></p>
<p><span style="color:red">cd libdnsres-0.1a</span></p>
<p><span style="color:red">./configure ;make;make install</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">错误:</span></p>
<p>yacc -d ./parse.y<br>
make: yacc: Command not found<br>
make: *** Error 127</p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:red" lang="ZH-CN">解决办法:</span></p>
<p><span style="color:red">yum install -y byacc</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">编译</span>libpcap<span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">时出错:</span></p>
<p>configure: error: Your operating system's lex is insufficient to compile<br>
libpcap. flex is a lex replacement that has many advantages,
including<br>
being able to compile libpcap. For more information, see<br>
<a href="http://www.gnu.org/software/flex/flex.html" target="_blank" target="_blank"><span style="color:#0079B7">http://www.gnu.org/software/flex/flex.html</span></a> .</p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:red" lang="ZH-CN">问题:</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:red" lang="ZH-CN">缺少</span><span style="color:red">flex</span><span style="font-family:宋体;mso-bidi-font-family:
宋体;color:red" lang="ZH-CN">包</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:red" lang="ZH-CN">解决办法:</span></p>
<p><span style="color:red">yum install -y flex</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:blue" lang="ZH-CN">出错:</span></p>
<p><span style="color:blue">make all-recursive <br>
make: Entering directory `/home/jlawre23/Desktop/honeyd-1.5c' <br>
Making all in . <br>
make: Entering directory `/home/jlawre23/Desktop/honeyd-1.5c' <br>
gcc -DHAVE_CONFIG_H -I. -I. -I. -I./compat/libdnet -I./compat -I/usr/local/include
-I/usr/include/pcap -I/usr/include -O2 -Wall -g
-DPATH_HONEYDINCLUDE="\"/usr/local/include/honeyd\""
-DPATH_HONEYDDATA="\"/usr/local/share/honeyd\""
-DPATH_HONEYDLIB="\"/usr/local/lib/honeyd\""
-DHONEYD_PLUGINS_DECLARE="" -DHONEYD_PLUGINS=""
-DPATH_RRDTOOL="\"\"" -c honeyd.c <br>
In file included from honeyd.c:97: <br>
tagging.h:89: error: expected declaration specifiers or ‘...’ before ‘(’ token <br>
tagging.h:89: error: expected declaration specifiers or ‘...’ before ‘(’ token <br>
In file included from stats.h:36, <br>
from honeyd.c:98: <br>
./compat/sha1.h:23: warning: ‘__bounded__’ attribute directive ignored <br>
./compat/sha1.h:23: warning: ‘__bounded__’ attribute directive ignored <br>
./compat/sha1.h:26: warning: ‘__bounded__’ attribute directive ignored <br>
./compat/sha1.h:28: warning: ‘__bounded__’ attribute directive ignored <br>
./compat/sha1.h:30: warning: ‘__bounded__’ attribute directive ignored <br>
./compat/sha1.h:32: warning: ‘__bounded__’ attribute directive ignored <br>
./compat/sha1.h:35: warning: ‘__bounded__’ attribute directive ignored <br>
./compat/sha1.h:35: warning: ‘__bounded__’ attribute directive ignored <br>
make: *** Error 1 <br>
make: Leaving directory `/home/jlawre23/Desktop/honeyd-1.5c' <br>
make: *** Error 1 <br>
make: Leaving directory `/home/jlawre23/Desktop/honeyd-1.5c' <br>
make: *** Error 2</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:red" lang="ZH-CN">解决办法:</span></p>
<p><span style="font-family:宋体;mso-bidi-font-family:宋体;color:red" lang="ZH-CN">卸掉其他版本的</span><span style="color:red">libevent</span><span style="font-family:宋体;
mso-bidi-font-family:宋体;color:red" lang="ZH-CN">包,安装本文提供的</span><span style="color:red">libevent-1.4.14b-stable</span><span style="font-family:宋体;mso-bidi-font-family:宋体;color:red" lang="ZH-CN">。</span></p>
<p> </p>
<div style="mso-element:para-border-div;border:none;border-bottom:double windowtext 2.25pt;
padding:0in 0in 1.0pt 0in">
<p style="border:none;mso-border-bottom-alt:double windowtext 2.25pt;
padding:0in;mso-padding-alt:0in 0in 1.0pt 0in"><span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">本文出自</span><span lang="ZH-CN"> </span>“<a href="http://297020555.blog.51cto.com/" target="_blank" target="_blank">netcat</a>” <span style="font-family:宋体;mso-bidi-font-family:宋体" lang="ZH-CN">博客,请务必保留此出处</span><a href="http://297020555.blog.51cto.com/1396304/538183" target="_blank" target="_blank">http://297020555.blog.51cto.com/1396304/538183</a><span style="mso-fareast-font-family:宋体;mso-fareast-theme-font:minor-fareast"></span></p>
</div> 你好,请教下,如果只有一个网口eth0,那么start-arp.sh,和start-honeyd.sh中的
# Monitor entire network
./arpd -i eth1192.168.114.201
./arpd -i eth2192.168.115.201
./honeyd -f honeyd.conf -p nmap.prints -x xprobe2.conf -a nmap.assoc -0 pf.os -l /var/log/honeyd/honeyd114.log -s /var/log/honeyd/service.log-i eth1 192.168.114.201
./honeyd -f honeyd.conf -p nmap.prints -x xprobe2.conf -a nmap.assoc -0 pf.os -l /var/log/honeyd/honeyd115.log -s /var/log/honeyd/service.log-i eth2 192.168.115.201
该如何写?
页:
[1]