Honeyd: The open source honeypot

The early leader in intrusion detection honeypots is still around, flexible as ever, but a bit dated.


Honeyd, the brainchild of Niels Provos, is free open source software released under GNU General Public License. The first major release, 0.5, arrived in 2003, and the latest version I could track down, 1.5c, was released in 2007. Honeyd wasn't the first honeypot, but it quickly became the most accessible and flexible -- the first fully formed honeypot for the masses. For many years, Provos worked to update his honeypot, wrote a book on it ("Virtual Honeypots: From Botnet Tracking to Intrusion Detection"), and gained wide participation from the open source community in developing add-ons and scripts.

There have even been a few Windows ports of the Linux-based program over the years. Unfortunately, like most honeypot projects and Honeyd itself, they appear neglected. The Windows ports are mostly unusable, not working at all on any of Microsoft's latest operating systems.

Nonetheless, after writing my own book on honeypots, I still get more questions about Honeyd than any other honeypot I covered. Mostly that is due to the supreme difficulty in getting Honeyd installed and configured, thanks in part to Honeyd's extreme flexibility. First-time users often spend days to get it working, searching all over the Internet for help to solve arcane issues. Most users simply give up without success.

Linux versions of Honeyd can be downloaded from www.honeyd.org (the official website), although first-time installers will usually have to download and install one or more dependent packages first, such as libpcap, bison, or flex, with each component requiring the familiar ./configure, make, make install routine. It's easier if you have an open source OS whose package manager already provides Honeyd (for example, apt-get install honeyd).

Honeyd configuration
After installing Honeyd, you'll have to create or borrow a honeyd.conf file, edit it for your install, and learn the command-line syntax of the honeyd executable, which can be cumbersome. You'll also have to configure a second network on the host computer (because Honeyd works on its own network segment), as well as modify the routing tables on your network and host computers to direct the appropriate traffic to the Honeyd honeypot.

Lastly, you'll have to download or create one or more emulation scripts (the screen image below shows a list of default scripts) if you want anything besides a basic port listener. After all of this, you'll be rewarded with hours to days of troubleshooting to get it working right -- at least the first time around. Honeyd is a lot of work.

The reward for the hard work is the most flexible and efficient honeypot program available. It's one of the few products that can easily run 130,000 ports (65,535 TCP and 65,535 UDP ports), hundreds of simulated IP addresses, and entire simulated networks.

Honeyd ports and services
Honeyd can emulate, at the network stack layer, more than 100 different types of computers, routers, and network devices. From one instance of Honeyd, you can create an entire virtual network that can easily fool the most curious hacker. Honeyd provides tarpitting abilities as well -- stumbling blocks that slow down attackers, spammers, and malware.

The different emulated computers, called "personalities," are created by using predefined keywords. You can define what OS each personality pretends to be, what ports are opened and closed, IP address, latency, uptime, and more.

If attackers run one of the popular fingerprinting tools, Honeyd will mimic the network stack of the pretended OS accurately enough to fool them. This is because Honeyd uses the attackers' own tools (Xprobe2 and Nmap) against them: the same fingerprint definitions those two tools use to identify an operating system are employed by Honeyd to generate the response. It's a brilliant idea and the main reason why Honeyd is the only honeypot to emulate hosts at the network layer.

The open source community has produced dozens and dozens of scripts that emulate FTP, Web, Telnet, Cisco routers, and more. When creating a personality, you link the ports to the relevant scripts to provide medium interactivity. Honeyd, like KFSensor, will even allow relaying to an external host for high interaction.
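As an added example that is not from the article, here is a minimal honeyd.conf tying together the personality keywords described above with the tarpitting and relay-to-external-host features mentioned in this section. The quoted personality names must match entries in the nmap.prints file shipped with Honeyd, and the IP ranges, script paths, and proxy target are constructed placeholders for a lab network.

```conf
# Added example (not from the article): a small honeyd.conf.
# Honeyd would be started against it roughly as:
#   honeyd -d -f honeyd.conf -i eth0 10.0.0.0/16
# where 10.0.0.0/16 is a constructed, otherwise unused range that the
# LAN routes to the Honeyd host.

# --- Personality 1: a Windows workstation ---------------------------------
# The quoted name must match an entry in nmap.prints so that Nmap and
# Xprobe2 see a consistent stack; replace it with an exact name from that file.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows uptime 1728650
# Unlisted ports answer with RST / ICMP unreachable instead of going silent.
set windows default tcp action reset
set windows default udp action reset
set windows default icmp action open

# Medium interaction: a service script answers HTTP (path assumed to exist
# in the Honeyd scripts directory); port 22 is only a plain listener.
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 22 open

# Tarpit: accept SMTP connections but hold them open with a tiny TCP window,
# tying up spam bots and scanners without running any service.
add windows tcp port 25 tarpit open

# Relay: hand Telnet connections to a real high-interaction host
# (constructed address) for full interaction.
add windows tcp port 23 proxy 10.0.0.250:23

# --- Personality 2: a router with a Telnet emulation script ---------------
create router
set router personality "Cisco IOS 12.0(3.3)"
set router default tcp action reset
add router tcp port 23 "/usr/bin/perl scripts/router-telnet.pl"

# --- Simulated topology ---------------------------------------------------
# Traffic enters at the router, which links one subnet directly and reaches a
# second one through a hop that adds latency and packet loss.
bind 10.0.0.1 router
bind 10.0.0.10 windows
route entry 10.0.0.1 network 10.0.0.0/16
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/24 10.1.0.1 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
bind 10.1.0.1 router
bind 10.1.0.20 windows
```

Each probe to a bound address is logged (and printed in debug mode), so watching which tarpitted or proxied ports get touched is the quickest check that traffic is actually being routed to the honeypot segment.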

Probes to Honeyd are displayed on the screen and written to text-based log files by default. Open source add-ons can be used to write to database files, display basic reports, send alerts, hook into the Snort intrusion detection system, and automate external workflows such as creating new firewall rules to block attacks or generating signatures. However, the default Honeyd install has none of this functionality built-in.

If you are going to go the Honeyd or open source honeypot route, give a visit to the Honeynet Project. It contains dozens of honeypot-related tools and a storehouse of documentation. One of the most popular tools is the Honeywall CDROM. Honeywall is a completely self-contained, bootable collection of software programs that creates a nearly invisible Layer 2 inspection device. Install Honeywall on a PC, and you have everything you need for capturing and analyzing traffic to monitored honeypots. It's the perfect companion to Honeyd.

Besides creating the Honeywall device, the Honeywall CDROM helps you implement Snort (the open source intrusion detection system) and Sebek (an open source tool for secretly recording local actions on honeypots that have been compromised by hackers) more easily than starting from scratch. The Honeywall CDROM overwrites the host PC's hard drive and installs two menuing systems: a dialog-driven text menu and a GUI. Of course, it also provides a command-line interface.

Together, Honeyd and Honeywall provide a feature-rich honeypot environment as long as the new user is willing to spend the time troubleshooting first-time installs. Honeyd is the first and only choice for many honeypot experts, especially those who have a Linux/Unix background. Windows admins -- and Linux/Unix admins interested in setting up a honeypot quickly with the least amount of effort -- should look into KFSensor or HoneyPoint instead.

This story, "Honeyd: The open source honeypot," was originally published at InfoWorld.com. Follow the latest developments in network security and read Roger Grimes' Security Adviser blog at InfoWorld.com.

Copyright © 2010 IDG Communications, Inc.