Honeyd: The open source honeypot

The early leader in intrusion detection honeypots is still around, flexible as ever, but a bit dated


Honeyd, the brainchild of Niels Provos, is free open source software released under the GNU General Public License. The first major release, 0.5, arrived in 2003, and the latest version I could track down, 1.5c, was released in 2007. Honeyd wasn't the first honeypot, but it quickly became the most accessible and flexible -- the first fully formed honeypot for the masses. For many years, Provos worked to update his honeypot, wrote a book on it ("Virtual Honeypots: From Botnet Tracking to Intrusion Detection"), and gained wide participation from the open source community in developing add-ons and scripts.

There have even been a few Windows ports of the Linux-based program over the years. Unfortunately, like most honeypot projects and Honeyd itself, they appear neglected. The Windows ports are mostly unusable, not working at all on any of Microsoft's latest operating systems.

Nonetheless, after writing my own book on honeypots, I still get more questions about Honeyd than any other honeypot I covered. Mostly that is due to the supreme difficulty in getting Honeyd installed and configured, thanks in part to Honeyd's extreme flexibility. First-time users often spend days to get it working, searching all over the Internet for help to solve arcane issues. Most users simply give up without success.

Linux versions of Honeyd can be downloaded from www.honeyd.org (the official website), although first-time installers will usually have to download and install one or more dependent packages first, such as libpcap, bison, or flex, with each component requiring the familiar ./configure, make, make install installation routine. It's easier if you have an open source OS that lets you install it with apt-get install honeyd.

Honeyd configuration
After installing Honeyd, you'll have to create or borrow a honeyd.conf file, edit it for your install, and learn the syntax of the honeyd executable, which can be cumbersome. You'll also have to configure a second network on the host computer (because Honeyd works on its own network segment), as well as modify the routing tables on your network and host computers to direct the appropriate traffic to the Honeyd honeypot.
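
As an added illustration (not code from the article or from the Honeyd project), the following sketch checks a honeyd.conf for two mistakes that are easy to make when borrowing someone else's file: binding an address to a template that was never created, and binding an address that lies outside the segment reserved for the honeypot. It understands only a small subset of the syntax (create, set, add, bind); the template names, addresses and the 10.3.0.0/24 segment are constructed sample values.

```python
import ipaddress
import shlex

# Constructed sample config using a small subset of honeyd.conf syntax
# (create / set / add / bind). Addresses and template names are made up.
SAMPLE_CONF = '''
create default
set default default tcp action block
create winbox
set winbox personality "Microsoft Windows XP Professional SP1"
add winbox tcp port 80 open
add winbox tcp port 445 open
bind 10.3.0.10 winbox
bind 10.3.0.11 linuxbox
bind 192.168.1.50 winbox
'''

def lint_honeyd_conf(text, honeypot_net):
    """Return a list of (line_no, message) for likely config mistakes."""
    net = ipaddress.ip_network(honeypot_net)
    templates, findings = set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        tok = shlex.split(line)               # keeps quoted personalities whole
        if tok[0] == "create" and len(tok) == 2:
            templates.add(tok[1])
        elif tok[0] in ("set", "add") and len(tok) >= 3:
            if tok[1] not in templates:
                findings.append((no, f"'{tok[1]}' used before create"))
            if tok[0] == "add" and tok[3:4] == ["port"]:
                if not (tok[4:5] and tok[4].isdigit() and 0 < int(tok[4]) < 65536):
                    findings.append((no, "invalid port number"))
        elif tok[0] == "bind" and len(tok) == 3:
            if tok[2] not in templates:
                findings.append((no, f"bind to undefined template '{tok[2]}'"))
            try:
                if ipaddress.ip_address(tok[1]) not in net:
                    findings.append((no, f"{tok[1]} is outside {net}"))
            except ValueError:
                findings.append((no, f"bad IP address '{tok[1]}'"))
        else:
            findings.append((no, f"unrecognized directive: {line}"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_honeyd_conf(SAMPLE_CONF, "10.3.0.0/24"):
        print(f"line {no}: {msg}")
```

An address flagged as outside the segment is one that the routing changes described above would never deliver to Honeyd, so the virtual host would simply appear dead.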
