README
Honeytrap is a network security tool written to observe attacks against TCP or UDP services. It runs as a daemon and starts serv- er processes dynamically on requested ports. A server emulates a well-known service by simply sending captured network traffic to a connected host.
Many clients and particularly attackers will be fooled and send responses to a honeytrap server process. The arriving data is as- sembled to a string and written to a database file. Such a string is called an attack string.
Honeytrap can parse an attack string for commands advising the server to download a file from another host. If a download com- mand is found, the server tries to retrieve the corresponding file automatically. A downloaded file is stored locally with an md5 checksum in its name. Currently, only ftp and tftp are sup- ported. Honeytrap implements its own clients with the aim to be- have as similar as possible than Windows systems. Http URIs are recognized and logged. A http download routine may be added in future releases.
INSTALLATION
Installation of honeytrap is pretty straight forward. Just do a
'./configure --with-stream-mon=
WARNINGS
Honeytrap is a low-interactive honeypot and therefore detectable. It is written in C and thus potentially vulnerable to buffer overflow attacks. Take care. Running in mirror mode is dangerous. Attacks may be directed to the attacker, appearing to come from your system. Use with caution.
The program needs root privileges, but only for binding server processes to well-known ports. Use the -u and -g command line op- tions to drop privileges and switch to another user and group as early as possible.
CONTACT
If you have problems, questions, ideas or suggestions, please contact me at tillmann.werner@gmx.de. If you would like to help making honeytrap better, you are welcome.