
           ####   Honeyd Linux Kit  #####
          Last Modified: 01 June, 2005
                Based on Honeyd 1.0c


INTRO:
------
You are reading the documentation for the Honeyd Linux Kit.
The purpose of this kit is to give you all the tools you need
to quickly get your own Honeyd honeypot running on a Linux
i386 computer.  This kit is designed for testing and research
purposes.  These are statically compiled binaries.  As such,
the honeyd binary does not support more advanced functionality,
including the web server interface.  Honeyd is an open-source
honeypot written by Niels Provos.  You can get full
documentation and source code for this honeypot at

   Honeyd Homepage
   http://www.honeyd.org

Before using this kit, it is assumed that you have already
read and understand the Honeyd documentation from the home
website.  To learn more on how to use and leverage a honeypot,
refer to the following documentation.

   Honeypots: Definitions and Values
   http://www.tracking-hackers.com/papers/honeypots.html



RUNNING:
--------
Getting Honeyd up and running should be relatively simple.

1. Change ownership of all files to 'nobody'.  This is
   what Honeyd now runs as by default.  Files have to be
   owned by 'nobody' so Honeyd can read, and sometimes 
   write to them.

   #chown -R nobody honeyd_kit

2. Create logging file /var/log/honeyd and change ownership
   to 'nobody'.

   #mkdir /var/log/honeyd
   #chown nobody /var/log/honeyd

3. Run the start-up scripts.

     ./start-arpd.sh
     ./start-honeyd.sh

Run the arpd script first for ARP spoofing (so you receive
traffic bound for non-existent systems).  Then run the honeyd
startup script so you can interact with attackers.  Both
startup scripts and the honeyd.conf configuration file
assume you are on a 192.168.1.0/24 network.  You will have
to modify them if you are on a different network (which is
most likely).
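The three steps above are easy to get half right, so here is a small
pre-flight check for them.  It is an added example, not part of the
Honeyd Linux Kit, and it assumes the stock 192.168.1. addresses appear
literally in honeyd.conf and the two start scripts (kit directory, log
directory and owner are passed as arguments).

```shell
#!/bin/sh
# Pre-flight checks for the Honeyd Linux Kit RUNNING steps.
# Added example, not the kit's own code.  Usage:
#   sh preflight.sh /path/to/honeyd_kit /var/log/honeyd [owner]

# Step 1: every file under the kit directory must be owned by $owner.
kit_owned_by() {
    dir=$1; owner=$2
    # an unknown user would make find print nothing and pass by accident
    id "$owner" >/dev/null 2>&1 || return 1
    [ -z "$(find "$dir" ! -user "$owner" -print 2>/dev/null | head -n 1)" ]
}

# Step 2: the log directory must exist and be owned by $owner.
logdir_ready() {
    dir=$1; owner=$2
    [ -d "$dir" ] && [ -n "$(find "$dir" -prune -user "$owner" -print)" ]
}

# Step 3 precondition: the stock 192.168.1.0/24 addresses should be gone
# from the config and start scripts unless that really is your network.
network_customized() {
    for f in "$@"; do
        grep -q '192\.168\.1\.' "$f" 2>/dev/null && return 1
    done
    return 0
}

# Returns 0 only when all three checks pass; prints which step to redo.
preflight() {
    kit=$1; logdir=$2; owner=${3:-nobody}; rc=0
    kit_owned_by "$kit" "$owner" \
        || { echo "FAIL: files under $kit not all owned by $owner (step 1)"; rc=1; }
    logdir_ready "$logdir" "$owner" \
        || { echo "FAIL: $logdir missing or not owned by $owner (step 2)"; rc=1; }
    network_customized "$kit/honeyd.conf" "$kit/start-arpd.sh" "$kit/start-honeyd.sh" \
        || { echo "FAIL: stock 192.168.1.0/24 addresses still present (edit before step 3)"; rc=1; }
    return $rc
}

# Run the checks only when invoked with arguments.
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2" "${3:-nobody}"
fi
```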

By default, Honeyd looks for configuration files (and
scripts) in the directory /usr/local/share/honeyd.  This
toolkit is different.  Instead of using the standard
directory, it keeps everything local.  In other words, it
should not matter where you install this toolkit: the
toolkit's honeyd binary looks for all configuration files
and scripts in the toolkit directory itself.

NOTE: If you intend to have real attackers interact with
your honeypot, MAKE SURE you harden your Linux system so
it cannot be compromised!  It is also recommended you
chroot() or systrace() your Honeyd process and patch the
Linux kernel.  A great place to start is

     http://www.securityfocus.com 
     http://www.linuxsecurity.com
     http://www.grsecurity.org


FILES:
------
arpd                  Statically compiled 'arpd' binary, used
                      for ARP spoofing.
docs                  Directory with additional documentation developed
                      by the community.
honeyd                Statically compiled 'honeyd' binary.  Used 
                      for detecting and interacting with attackers.
honeyd.conf           Honeyd configuration file
honeyd.conf.simple    Simple Honeyd configuration file used for testing
honeyd.conf.bloat     Advanced Honeyd configuration file used for 
                      extensive virtual honeypot capabilities
honeyd.conf.networks  Advanced Honeyd configuration file used for
                      extensive networking capabilities.
logs                  Optional directory for additional logging
nmap.prints           Nmap OS fingerprint database that comes with 
                      Honeyd src
nmap.assoc            Associates specific fingerprints with general
                      operating systems.
pf.os                 Passive fingerprinting database
scripts               Scripts used by Honeyd to emulate services.
                      If you create any of your own scripts, let
                      us know!  <lance@honeynet.org>
start-arpd.sh         Script used to start arpd process.  
start-honeyd.sh       Script used to start honeyd process. 
xprobe2.conf          Xprobe2 OS fingerprint database that comes with 
                      Honeyd src
README                You figure it out.



- Put together by Lance Spitzner <lance@spitzner.net>


NOTES:
------
This Toolkit is the result of the hard work, development,
and input of the security community.  Special thanks to

 - Thanks to Niels Provos <provos@citi.umich.edu> who is actively 
   developing and maintaining Honeyd.

 - Thanks to Laurent Oudot <oudot@rstack.org> for help, support,
   and concepts concerning honeypots. 

 - Thanks to Fabian Bieker <fb@dinoex.de> for extensive amount of 
   scripts.

 - Thanks to Roshen Chandran <roshen.chandran@paladion.net> for 
   honeyd.conf.networking.
