author | Jukka Ruohonen <drear@iki.fi> | 2007-11-10 16:12:14 +0000 |
---|---|---|
committer | Jukka Ruohonen <drear@iki.fi> | 2007-11-10 16:12:14 +0000 |
commit | ca23bb687d4ae6b664733e74c7568405264e3d10 (patch) | |
tree | 88a11089819756c02e178f1c281dfdc8e9e5a089 /net-analyzer/honeytrap | |
parent | new USE flags for net-analyzer/honeytrap (diff) | |
net-analyzer/honeytrap: Version bump. Thanks to aballier for help with autotools and masterdriverz for a quick review.
svn path=/sunrise/; revision=5043
Diffstat (limited to 'net-analyzer/honeytrap')
-rw-r--r-- | net-analyzer/honeytrap/ChangeLog | 6 | ||||
-rw-r--r-- | net-analyzer/honeytrap/Manifest | 9 | ||||
-rw-r--r-- | net-analyzer/honeytrap/files/honeytrap-1.0.0-autoconf.patch | 74 | ||||
-rw-r--r-- | net-analyzer/honeytrap/files/honeytrap.conf | 157 | ||||
-rw-r--r-- | net-analyzer/honeytrap/files/honeytrap.initd | 13 | ||||
-rw-r--r-- | net-analyzer/honeytrap/honeytrap-1.0.0.ebuild | 135 |
6 files changed, 337 insertions, 57 deletions
diff --git a/net-analyzer/honeytrap/ChangeLog b/net-analyzer/honeytrap/ChangeLog index a7a8f7336..4fa67b322 100644 --- a/net-analyzer/honeytrap/ChangeLog +++ b/net-analyzer/honeytrap/ChangeLog @@ -2,6 +2,12 @@ # Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2 # $Header: $ + 10 Nov 2007; Jukka Ruohonen <drear@iki.fi> + +files/honeytrap-1.0.0-autoconf.patch, files/honeytrap.conf, + files/honeytrap.initd, +honeytrap-1.0.0.ebuild: + Version bump. Thanks to aballier for help with autotools and masterdriverz + for a quick review. + 24 Jun 2007; Jakub Moc <jakub@gentoo.org> honeytrap-0.6.4.ebuild: Move lots of stuff to pkg_setup; use linux-info eclass instead of ewarns, default to iptables if no monitor backend is selected, cosmetics diff --git a/net-analyzer/honeytrap/Manifest b/net-analyzer/honeytrap/Manifest index 85bc4dad4..27e1bde05 100644 --- a/net-analyzer/honeytrap/Manifest +++ b/net-analyzer/honeytrap/Manifest 
@@ -1,7 +1,10 @@
-AUX honeytrap.conf 2018 RMD160 d12898a960f2c6bdcd24b8efdf233e850fd8da6c SHA1 4e873da666dce22df61dae35961a6316b6e5c912 SHA256 eaac73cbb94f5f1c7b51f7c7637a2cf380c11be006cf26d4a66619a94c1588a2
+AUX honeytrap-1.0.0-autoconf.patch 2576 RMD160 f7737b643cb010e7bf8ef8338fbaa71e2b2eba46 SHA1 07cfdd86dbb252885e5912b430f6de8ba82ee54c SHA256 083be38d8f2af86fd6d576017ec35e759ce97d2601f04805e410d2441cff8a22
+AUX honeytrap.conf 2450 RMD160 17f419cbcf7f4ed89d001b655a5e7c5c91662c9e SHA1 5d0e20a62754a5dc0159edb06f9f6dfe05ad7909 SHA256 e7802927f7146dde69d8420142cf00c8e739120cf84ca8ff8f00e6b8df9033df
AUX honeytrap.confd 614 RMD160 07a1eee2c255be2cdea329bc272e4d0eb08e4fc4 SHA1 35a55b503f934d8f911aa696ae220192b2d40720 SHA256 ba34016ec19f670dc679060e33eb79ca89927f67a2d8c1adf459b0486ed67974
-AUX honeytrap.initd 709 RMD160 e9e34b24b829476a337b3acc0f91408211bc074c SHA1 d86cd0d4dac74c65ec93527276b05230f086b04d SHA256 376addc165212da0db7b6887027e19f36f3846da5ae3928d4ff29aaa6418a327
+AUX honeytrap.initd 787 RMD160 db044b2b11690fa5eed0eb3aa1c9f6358d5cac7f SHA1 958b49a8026bc5dec58925c8f16217e7177cb025 SHA256 d28c0943cf9fd0f2d3c521f4864112e2ab74aae87e4c563a069cf4170737a5c4
DIST honeytrap-0.6.4.tar.bz2 253145 RMD160 00af82f6018a0d124636164fa68b14548231097e SHA1 d0a76c559d94ca97ca97a7a6b101738f0f0611c0 SHA256 e693c50dad5745e2fac594ee4e1234e9bbcd80b757b8b6d1a126d6d9381bdac4
+DIST honeytrap-1.0.0.tar.bz2 574018 RMD160 1d4901f6b91459b6ef058e766c78803cb8114dd3 SHA1 e49306c4b7a8176c497155523176a2d657c2febf SHA256 b4066fb504e76d0b060c0ab839997e743dae13ad5f41cf6d8731b7154e47f451
EBUILD honeytrap-0.6.4.ebuild 3171 RMD160 ff8cad13468be4995f92a3cfc1cb8a2e0b7caec9 SHA1 0cf18e9bb35f06632806fcc16c130a1913b2fb16 SHA256 271b05b20dc4817d35cd51db97ae9c24ecf80e511e99074ebee11a8596b1696c
-MISC ChangeLog 648 RMD160 dda03d9e1d6416e76d1cded2e56f42064dfe6062 SHA1 b737500200d95e7dc049c100bb0a42fcddd4ac23 SHA256 16d1e79541954410f997da151711bf6336d21b94306b6146bfd09a370a1d222e
+EBUILD honeytrap-1.0.0.ebuild 4451 RMD160 36185d22aeea78d68d18f2c2d60997cb9bb38c37 SHA1 46f43248f415d8244840aa261bd36047005b1498 SHA256 d4d89d021161a0e3c4f9faba9562851613d38db540b3c1b564fa789f7f33ab47
+MISC ChangeLog 906 RMD160 3d85471feb850e7b77a17f2ddc0c0f3a32171d50 SHA1 7102825ea61232ba70b95dfe5f66333ca2b42425 SHA256 df7005df1ff2f4e12b51093ccec28ce82661759aedfb758f3ae5889a8ea5074c
MISC metadata.xml 170 RMD160 645927a396fdc21cdeb089fe42c5397332420ea6 SHA1 ac7f48a14fec325926f9ce1be8fbf1f311b4f2e4 SHA256 d797a2ec6f9dc516c9f9c1a758ee87ad3e8c43101b5dc76c2f872d5bd4639b42
diff --git a/net-analyzer/honeytrap/files/honeytrap-1.0.0-autoconf.patch b/net-analyzer/honeytrap/files/honeytrap-1.0.0-autoconf.patch
new file mode 100644
index 000000000..4d569fa0d
--- /dev/null
+++ b/net-analyzer/honeytrap/files/honeytrap-1.0.0-autoconf.patch
@@ -0,0 +1,74 @@
+diff -ur honeytrap-1.0.0/configure.in honeytrap-1.0.0.new/configure.in
+--- honeytrap-1.0.0/configure.in 2007-10-27 14:22:14.000000000 +0300
++++ honeytrap-1.0.0.new/configure.in 2007-11-10 14:40:27.000000000 +0200
+@@ -76,35 +76,41 @@
+ CFLAGS="$CFLAGS -Wall"
+ fi
+
+-AC_ARG_ENABLE(debug,
+-[ --enable-debug enable debugging options (bugreports and developers only)],
+- [ if test -n "$GCC"; then
+- CFLAGS="-O0 -DDEBUG -g"
+- else
+- CFLAGS="$CFLAGS -DDEBUG"
+- fi
+- enable_debug="X"
+- ], enable_debug=" ")
+-
+-AC_ARG_ENABLE(profile,
+-[ --enable-profile enable profiling options (developers only)],
+- [ if test -n "$GCC"; then
+- CFLAGS="$CFLAGS -DPROFILE -pg"
+- else
+- CFLAGS="$CFLAGS -DPROFILE"
+- fi
+- enable_profile="X"
+- ], enable_profile=" ")
+-AC_ARG_ENABLE(devmodules,
+-[ --enable-devmodules enable unstable modules (not recommended for production setups)],
+- [ if test -n "$GCC"; then
+- CFLAGS="-O0 -DDEBUG -g"
+- else
+- CFLAGS="$CFLAGS -DDEBUG"
+- fi
+- enable_devmodules="X"
+- ], enable_devmodules=" ")
+-
++if test "${enable_debug}" = "yes" ; then
++ AC_ARG_ENABLE(debug,
++ [ --enable-debug enable debugging options (bugreports and developers only)],
++ [ if test -n "$GCC"; then
++ CFLAGS="-O0 -DDEBUG -g"
++ else
++ CFLAGS="$CFLAGS -DDEBUG"
++ fi
++ enable_debug="X"
++ ], enable_debug=" ")
++fi
++
++if test "${enable_profile}" = "yes" ; then
++ AC_ARG_ENABLE(profile,
++ [ --enable-profile enable profiling options (developers only)],
++ [ if test -n "$GCC"; then
++ CFLAGS="$CFLAGS -DPROFILE -pg"
++ else
++ CFLAGS="$CFLAGS -DPROFILE"
++ fi
++ enable_profile="X"
++ ], enable_profile=" ")
++fi
++
++if test "${enable_devmodules}" = "yes" ; then
++ AC_ARG_ENABLE(devmodules,
++ [ --enable-devmodules enable unstable modules (not recommended for production setups)],
++ [ if test -n "$GCC"; then
++ CFLAGS="-O0 -DDEBUG -g"
++ else
++ CFLAGS="$CFLAGS -DDEBUG"
++ fi
++ enable_devmodules="X"
++ ], enable_devmodules=" ")
++fi
+
+ #AC_CANONICAL_HOST
+ linux=no
diff --git a/net-analyzer/honeytrap/files/honeytrap.conf b/net-analyzer/honeytrap/files/honeytrap.conf
index 775cec8ed..17cb56017 100644
--- a/net-analyzer/honeytrap/files/honeytrap.conf
+++ b/net-analyzer/honeytrap/files/honeytrap.conf
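Review bot: The new `if test "${enable_debug}" = "yes"` guards test the `enable_*` shell variables before the wrapped `AC_ARG_ENABLE` macros run, so they appear to work only because the generated configure script pre-parses `--enable-*` options into those variables; the action-if-not-given branches (`enable_debug=" "`, `enable_profile=" "`, `enable_devmodules=" "`) can now never execute, which is harmless only if nothing later in configure.in reads them. The devmodules branch still replaces the whole `CFLAGS` with `-O0 -DDEBUG -g`, discarding the user's flags (and at -O0 `-D_FORTIFY_SOURCE` is a no-op) for a network-facing C daemon; `CFLAGS="$CFLAGS -DDEBUG"` would keep the hardening flags while still defining DEBUG, if the unstable modules do not genuinely depend on -O0. The patched configure.in continues outside the inner hunk.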
@@ -1,48 +1,109 @@
-# /etc/honeytrap/honeytrap.conf
-#
-# This is a sample honeytrap configuration file.
-# However, the default values below should work in most installations.
-#
-# Copyright (C) 2006 Tillmann Werner <tillmann.werner@gmx.de>
-#
-#
-# allowed keywords are:
-#
-# keyword values description
-# ----------------------------------------------------------------------------------
-# pidfile path full pid file path (defaults to /var/run/honeytrap.pid if not given)
-# logfile path full logfile path (defaults to /var/log/honeytrap.log if not given)
-# user username user from /etc/passwd under which honeytrap should run
-# group groupname group from /etc/group under which honeytrap should run
-# promisc - tells honeytrap to sniff in promiscuous mode
-# mirror - tells honeytrap to run in mirror mode
-# response_dir path path to directory with default responses (defaults to /etc/honeytrap/responses)
-# plugin_dir path path to directory with honeytrap plugins (defaults to /usr/src/honeytrap_dynamicsrc)
-# attacks_dir path where to save attack strings (default is /var/log/honeytrap)
-# dlsave_dir path where to save downloaded files (default is /var/log/honeytrap)
-# read_limt number max. bytes to read from a socket - prevents honeytrap from memory exhaustion
-
-# Sane defaults for Gentoo
-
-logfile = /var/log/honeytrap/honeytrap.log
-
-response_dir = /etc/honeytrap/responses
-plugin_dir = /usr/src/honeytrap_dynamicsrc
-
-attacks_dir = /var/log/honeytrap/attacks
-dlsave_dir = /var/log/honeytrap/downloads
-
-# run in mirror mode - mirror connections back to the initiator (use with caution!)
-# mirror
-
-# put network interface into promiscuous mode - only available when using the pcap connection monitor
-# promisc
-
-# max bytes to read from an attack connection (10MB = 10485760)
-read_limit = 10485760
-
-# use this host (ip address) to listen for FTP data connections (you would need the htm_ftpDownload plugin version 3)
-# ftp_host = example.com
-
-# include explicit port configuration
-# include = /etc/honeytrap/ports.conf
+/*
+ * honeytrap 1.0 configuration file template -- please adjust
+ * (c) Tillmann Werner <tillmann.werner@gmx.de>
+ */
+
+// Small modifications for sane defaults in Gentoo.
+
+/* log to this file */
+logfile = "/var/log/honeytrap/honeytrap.log"
+
+/* where to look for default responses
+ * these are sent for connections handled in "normal mode" */
+response_dir = "/etc/honeytrap/responses"
+
+/* replace rfc1918 ip addresses with attacking ip address */
+replace_private_ips = "no"
+
+/* default port mode -- valid values are "ignore", "normal" and "mirror"
+portconf_default = "normal"
+
+/* put network interface into promiscuous mode
+ * (only availabel when compiled with --with-pcap-mon) */
+//promisc = "on"
+
+// do not read more than 20 MB - used to prevent DoS attacks
+read_limit = "20971520"
+
+/* include a file */
+//include = "/etc/honeytrap/ports.conf"
+
+
+/* ----- plugin stuff below ----- */
+
+/* where to look for plugins
+ need to be set before loading plugins */
+plugin_dir = "/usr/src/honeytrap_dynamicsrc"
+
+
+/* include a plugin via plugin-[ModuleName] = "" */
+
+plugin-ftpDownload = ""
+plugin-tftpDownload = ""
+plugin-b64Decode = ""
+plugin-vncDownload = ""
+
+
+/* store attacks on disk */
+plugin-SaveFile = {
+ attacks_dir = "/var/log/honeytrap/attacks"
+ downloads_dir = "/var/log/honeytrap/downloads"
+}
+
+
+/* scan downloaded samples with ClamAV engine */
+/*
+plugin-ClamAV = {
+ temp_dir = "/tmp"
+ clamdb_path = "/var/lib/clamav"
+}
+*/
+
+/* calculate locality sensitive hashes */
+/*
+plugin-SpamSum = {
+ md5sum_sigfile = "/var/log/honeytrap/md5sum.sigs"
+ spamsum_sigfile = "/var/log/honeytrap/spamsum.sigs"
+}
+*/
+
+/* store attacks in PostgeSQL database */
+/*
+plugin-SavePostgres = {
+ db_host = "localhost"
+ db_name = "some_db"
+ db_user = "some_user"
+ db_pass = "some_pass"
+// db_port = "some_port" // defaults to 5432/tcp if not set
+}
+*/
+
+
+/* invoke wget to download files via http */
+/*
+plugin-httpDownload = {
+ http_program = "/usr/bin/wget"
+// http_options = "-nv"
+ http_options = "-q"
+ download_dir = "/var/log/honeytrap/downloads"
+}
+*/
+
+
+
+/* ----- port mode configuration below ----- */
+
+// default port configuration (ignore, normal or mirror)
+// ignore: just ignore connection attempts
+// normal: send a default response
+// mirror: mirror connections back to the initiator (use with caution!)
+portconf_default = "normal"
+
+// explicit port configuration
+portconf = {
+ /* ignore these ports */
+ ignore = {
+ protocol = "tcp"
+ port = "22"
+ }
+}
diff --git a/net-analyzer/honeytrap/files/honeytrap.initd b/net-analyzer/honeytrap/files/honeytrap.initd
index 9aa489d8e..12784caf1 100644
--- a/net-analyzer/honeytrap/files/honeytrap.initd
+++ b/net-analyzer/honeytrap/files/honeytrap.initd
@@ -8,8 +8,8 @@ depend() {
 }
 checkconfig() {
- if [ ! -e $CONF ] ; then
- eerror "You need a configuration file to run Honeytrap."
+ if [ ! -e ${CONF} ] ; then
+ eerror "You need a configuration file to run honeytrap."
 eerror "The example config is /etc/honeytrap/honeytrap.conf."
 return 1
 fi
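Review bot: The comment opened by `/* default port mode -- valid values are "ignore", "normal" and "mirror"` is never closed on that line, so the first `portconf_default = "normal"` and the following `/* put network interface ...` block are swallowed until the `*/` after `--with-pcap-mon)`; whether honeytrap's parser tolerates the nested `/*` is not visible here, and the setting only takes effect because it is repeated in the port-mode section at the bottom. Closing the comment with ` */` (or dropping the duplicate assignment) removes the ambiguity. Separately, the 1.0 template carries no `user`/`group` setting, while the 0.6.4 file it replaces documented both keywords and the ebuild creates a `honeytrap` account and chowns /var/log/honeytrap to it; unless 1.0 drops privileges by some other mechanism the daemon keeps running as root and that account goes unused, so it is worth confirming against the 1.0 parser and, if still supported, adding `user = "honeytrap"` and `group = "honeytrap"`.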
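Review bot: `[ ! -e ${CONF} ]` still leaves the variable unquoted, so if `CONF` is empty or unset (the confd that defines it is not part of this diff) the test collapses to `[ ! -e ]`, where `-e` is just a non-empty string: the inner test is true, the negation false, and checkconfig silently passes instead of reporting the missing configuration. Quoting fixes it: `if [ ! -e "${CONF}" ] ; then`. checkconfig() closes outside the hunk.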
@@ -17,15 +17,16 @@ checkconfig() {
 start() {
 checkconfig || return 1
- ebegin "Starting Honeytrap"
+ ebegin "Starting honeytrap"
+ # Remove --background for verbose debugging of the config file.
 start-stop-daemon --start --exec /usr/sbin/honeytrap \
- --pidfile ${PIDFILE} \
- -- ${HONEYTRAP_OPTS} >/dev/null 2>&1
+ --pidfile ${PIDFILE} --background \
+ -- -P ${PIDFILE} ${HONEYTRAP_OPTS}
 eend $?
 }
 stop() {
- ebegin "Stopping Honeytrap"
+ ebegin "Stopping honeytrap"
 start-stop-daemon --stop --quiet --pidfile ${PIDFILE}
 eend $?
 }
diff --git a/net-analyzer/honeytrap/honeytrap-1.0.0.ebuild b/net-analyzer/honeytrap/honeytrap-1.0.0.ebuild
new file mode 100644
index 000000000..cb60460d9
--- /dev/null
+++ b/net-analyzer/honeytrap/honeytrap-1.0.0.ebuild
@@ -0,0 +1,135 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+inherit eutils autotools linux-info
+
+DESCRIPTION="Network security tool for observing network services via low-interactive honeypot"
+HOMEPAGE="http://honeytrap.mwcollect.org/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="pcap-mon ipq-mon nfq-mon clamav postgres spamsum cspm efence debug profile"
+
+RDEPEND="pcap-mon? ( virtual/libpcap )
+ ipq-mon? ( net-firewall/iptables )
+ nfq-mon? ( net-firewall/iptables net-libs/libnetfilter_queue )
+ !pcap-mon? ( !nfq-mon? ( !ipq-mon? ( net-firewall/iptables ) ) )
+ clamav? ( app-antivirus/clamav )
+ postgres? ( dev-db/postgresql )
+ cspm? ( dev-libs/libpcre )"
+DEPEND="${RDEPEND}
+ efence? ( dev-util/efence )"
+
+pkg_setup() {
+ enewgroup honeytrap
+ enewuser honeytrap -1 -1 /sbin/nologin honeytrap
+
+ if ! use pcap-mon && ! use ipq-mon && ! use nfq-mon ; then
+ ewarn "You did not choose any connection monitor."
+ ewarn "Currently pcap-based, ip_queue-based and nf_queue-based monitors are supported."
+ ewarn "Defaulting to ip_queue; if this is not what you want, you should add either"
+ ewarn "pcap-mon or nfq-mon to your USE flags and re-emerge this ebuild."
+ epause 3
+ fi
+
+ if use efence ; then
+ ewarn "You have enabled a link with Electric Fence malloc debugger."
+ ewarn "It is known that honeytrap will not work with efence and xen-sources."
+ epause 3
+ fi
+
+ if use cspm ; then
+ ewarn "You have enabled CSPM, shellcode pattern matching plugin."
+ ewarn "The CSPM plugin is still unstable and should not be used in production setups."
+ epause 3
+ fi
+
+ use ipq-mon && CONFIG_CHECK="IP_NF_QUEUE"
+ use nfq-mon && CONFIG_CHECK="NETFILTER_NETLINK_QUEUE"
+ linux-info_pkg_setup
+}
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ # Automake files are a mess; a review of these is in the upstream todo-list.
+ # This patch could be nicer, but at least it prevents ugly things from happening with use_enable.
+ epatch "${FILESDIR}/${PN}-1.0.0-autoconf.patch"
+
+ einfo "Regenerating autoconf/automake files."
+ eautoreconf
+}
+
+src_compile() {
+ local myconf
+
+ if use pcap-mon ; then
+ myconf="${myconf} --with-stream-mon=pcap"
+ elif use ipq-mon ; then
+ myconf="${myconf} --with-stream-mon=ipq --with-libipq-includes=/usr/include/libipq"
+ elif use nfq-mon ; then
+ myconf="${myconf} --with-stream-mon=nfq --with-libnfq-includes=/usr/include/libnetfilter_queue"
+ elif ! use pcap-mon && ! use ipq-mon && ! use nfq-mon ; then
+ myconf="${myconf} --with-stream-mon=ipq --with-libipq-includes=/usr/include/libipq"
+ fi
+
+ # Note: enabling --devmodules replaces also CFLAGS; keep it this way.
+ if use cspm ; then
+ myconf="${myconf} --enable-devmodules"
+ fi
+
+ econf \
+ $(use_with clamav) \
+ $(use_with postgres) \
+ $(use_with spamsum) \
+ $(use_with cspm) \
+ $(use_with efence) \
+ $(use_enable debug) \
+ $(use_enable profile) \
+ ${myconf} || die "econf failed"
+
+ emake || die "emake failed"
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die "emake install failed"
+
+ # Unfortunately the dynamic shared plugins are installed into /etc/honeytrap/plugins by default.
+ # The easiest way is to just move them and put them into /usr/src/honeytrap_dynamicsrc (cf. Snort).
+ dodir /usr/src
+ mv "${D}"/etc/honeytrap/plugins "${D}"/usr/src/honeytrap_dynamicsrc || die
+
+ # As the ebuild includes a modified version of this file, no need to copy this into the live system.
+ rm -f "${D}"/etc/honeytrap/honeytrap.conf*
+
+ mv "${D}"/etc/honeytrap/ports.conf.dist "${D}"/etc/honeytrap/ports.conf
+
+ # Note: NEWS is empty, so no need for it; man-file is installed without doman.
+ dodoc README TODO ChangeLog
+
+ newinitd "${FILESDIR}"/${PN}.initd ${PN}
+ newconfd "${FILESDIR}"/${PN}.confd ${PN}
+ cp "${FILESDIR}"/honeytrap.conf "${D}"/etc/honeytrap/honeytrap.conf
+
+ keepdir /var/log/honeytrap
+ keepdir /var/log/honeytrap/attacks
+ keepdir /var/log/honeytrap/downloads
+
+ fowners -R honeytrap:honeytrap /var/log/honeytrap
+ fperms 0700 -R /var/log/honeytrap
+}
+
+pkg_postinst() {
+ ewarn
+ ewarn "WARNING (from the README):"
+ ewarn "Honeytrap is a low-interactive honeypot and therefore detectable."
+ ewarn "It is written in C and thus potentially vulnerable to buffer"
+ ewarn "overflow attacks. Take care. Running in mirror mode is dangerous."
+ ewarn "Attacks may be directed to the attacker, appearing to come from"
+ ewarn "your system. Use with caution."
+ ewarn
+}
|
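Review bot: start() launches honeytrap as root with no `--chuid`/`--user` option, so with the new `-P ${PIDFILE}` invocation privilege separation depends entirely on honeytrap dropping to the `honeytrap` account the ebuild creates; whether 1.0 does that, and how it is configured, is not visible here and deserves a comment such as `# Runs as root for the connection monitor; privilege dropping, if any, is configured in honeytrap.conf.` next to the start-stop-daemon call. `--background` makes start-stop-daemon fork and detach the child itself; if honeytrap 1.0 also daemonizes on its own, the PID start-stop-daemon forked is not the daemon's, which is presumably why the pidfile is now written by honeytrap via `-P` and why stop() relies on it. Quoting the path in both places, `--pidfile "${PIDFILE}" --background \` and `-- -P "${PIDFILE}" ${HONEYTRAP_OPTS}`, guards against word splitting if it is ever customised in the confd.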
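Review bot: In pkg_setup the kernel check does not follow the monitor that src_compile actually builds: with USE="ipq-mon nfq-mon" the second assignment wins and `CONFIG_CHECK` becomes `NETFILTER_NETLINK_QUEUE` while src_compile selects `--with-stream-mon=ipq`, with USE="pcap-mon ipq-mon" an unnecessary `IP_NF_QUEUE` check runs for a pcap build, and when no monitor flag is set the ebuild falls back to ipq but checks nothing. Mirroring the src_compile precedence fixes all three: `if ! use pcap-mon ; then` / `if use nfq-mon && ! use ipq-mon ; then CONFIG_CHECK="NETFILTER_NETLINK_QUEUE" ; else CONFIG_CHECK="IP_NF_QUEUE" ; fi` / `fi`. Separately, USE=cspm passes `--enable-devmodules`, which per the bundled autoconf patch replaces CFLAGS with `-O0 -DDEBUG -g`, so the user's hardening flags are silently dropped for an internet-facing daemon that pkg_postinst itself warns is overflow-prone; the cspm ewarn block should say so. The `cp` of honeytrap.conf, the `mv` of ports.conf.dist and `dodoc` also lack `|| die`, so a failed copy would install a package without its configuration.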