honeytrap clone

AUTHORS

@@ -0,0 +1 @@
+Tillmann Werner, <[email protected]>

ChangeLog

@@ -0,0 +1,141 @@
+Version 1.1.0
+- Fixed a memory leak in the httpDownload plugin
+- New xmatch plugin for automatic pattern-based decoding of XOR encoded data (requires libxmatch)
+- Fix: Don't reset port mode to default, keep configured mode
+- Fix: Default port mode 'ignore' was ignored (call it irony...)
+- reworked build process to be gcc 4.3 compatible
+- store download tries in attack record
+- magicPE plugin for identifying PE files that are submitted as attack strings
+- submitMWserv plugin for submissions to the mwcollect alliance
+- support for periodic events (resolution: 1 second)
+- 'bind_address' configuration option added for binding dynamic servers
+  to a specific IP address to make it possible to run several honeytrap
+  instances in parallel on a single machine
+- Code cleanup: asprintf()
+- Error handling for failed malloc()'s where it was missing
+- Fix: Improper logging of IP address pairs
+- Nebula submission plugin
+- reworked NFQ stream monitor hooking to prevent unbinding errors
+- hex2bin tool: Command line switch for byte order swapping added
+- reworked emu plugin
+Version 1.0.0
+- Improved configure script
+- New plugin: Basic http download wrapper
+- VNC plugin redesigned to generate virtual attacks
+- Safe signal delivery and handling using per-process pipes
+- New configuration concept with hierarchically organized file format
+- Default port configuration can be set to "ignore", "normal" or "mirror"
+- New plugin: libclamav-based virus scanner module
+- New plugin: Saving attack data in files is performed by a module now
+- malloc(NULL) segfault bug in tftpDownload plugin fixed
+- Try to download from the attacking host in case of failed ftp connect()s
+- Improved connection request handling in the nfq stream monitor
+- Reconfiguration on SIGHUP fixed
+- Log addressed destination
+Version 0.7.0
+- Plugins can be prioritized
+- x86 CPU emulation module for generic shellcode analysis
+  based on libemu by Markus and Paul (unstable)
+- PostgreSQL module for commits into mwcollect database
+- SHA512 hash support
+- Performance improvements
+- Improved connection request handling in the nfq stream monitor
+- FTP download plugin is now source-based routing safe
+- Changed autotools process to make module builts optional
+Version 0.6.5
+- Introduced an nfnetlink_queue-based connection monitor
+- Some compile errors fixed
+- Configure script changed to run on MacOS X
+- Do not install htm_SpamSum by default
+Version 0.6.4
+- PoC plugin for locality sensitive hashing
+- Clean solution for giving packet control back to the kernel
+  when using the ip_queue connection monitor
+- Fixed a segfault in the bpf filter string assembling routine
+- Failed mirror connections did not fall back to normal mode sometimes
+  due to wrong return value handling for a non-blocking connect(). Fixed.
+- The dynamic server code was redesigned.
+- UDP support added.
+Version 0.6.3.1
+- The FTP download plugin supports explicit binding of data connections
+  to ip addresses or hostnames to work on NAT'ed hosts
+- Modes of operation are already determined in network stream monitors
+  to prevent gratuitous forking
+- Listener processes now have a backlog queue of size 10
+- BPF strings can include up to 2^32 characters instead of 2^8
+- Some changes and cleanups make the code more readable
+Version 0.6.3
+- A 10 second timeout is used for mirror connection attempts to prevent
+  simultaneous timeouts after a blocking connect() returns
+- md5 checksum calculation snprintf size parameter corrected
+- Fixed a bug with config file lines with trailing blanks, thanks to Emre
+- DESTDIR is used in Makefiles now, thanks to kanedaaa for the patch
+- Plugin installation was wrong on non-Linux systems and is fixed now
+- Attack connections are closed after a configurable byte limit
+  to prevent memory exhaustion - suggestion from kanedaaa
+- Added a plugin to decode and process base64 encoded attacks
+- Small pcap connection monitor changes
+- Fixed a segfault for zero lenght attacks in the htm_vncDownload plugin
+- Further small changes
+Version 0.6.2
+- Added a plugin for execution of HTTP downloads from VNC attacks via wget
+- Connection monitor can be chosen from "configure" parameter
+- Introduced an ip_queue based connection monitor
+  (idea from the nepenthes honeytrap module)
+- Native OS dl implementations and libdl are both supported
+- Should compile on Free/OpenBSD now, thanks to Stephen and Gary
+- Network device handling is completely done with pcap functions
+  for the pcap connection monitor
+- Trapping on device 'any' is now possible (if available)
+- Added support for other link types than ethernet
+- Logging of remote TCP port and IP address was faulty - fixed
+- Changed bpf string to filter RST packets to be more portable
+- Connections are closed before attack processor plugins are called
+- Configuration file supports includes of other files
+- Proxy mode introduced
+- Connection handling mode can be configured per port
+- Specific ports can be configured to ignore connection requests
+- Some minor bugfixes
+Version 0.6.1
+- Temporarily removed BDB stuff, a plugin will be available soon
+- Added plugin hooks 'unload_plugins' and 'process_attack'
+- Moved attack save code into a plugin
+- Moved ftp download code into a plugin
+- Moved tftp download code into a plugin
+- Establish mirror connection right after incoming SYN
+- Reload configuration on SIGHUP
+- Cleanup of TCP dynamic server code
+- Some file descriptors are closed earlier
+- Fixed bpf command line expression stuff
+- Some man page changes
+- Automake: shared libraries are only installed in plugin directory now
+Version 0.6.0
+- Support for configuration file added
+- Added a plugin interface (still a lot of work to do)
+- Mirrored connections are closed after a timeout
+Version 0.5.1
+- Fixed tftp bug - files bigger than 128k were corrupted during transfer
+- Many minor cosmetic fixes
+Version 0.5.0
+- Mirror mode added - get answers from mirror connection to the client 
+- Partial rewrite of TCP server stuff
+Version 0.4.2
+- PID file will correctly be removed if startup fails
+- Improved tftp routine
+- Made ftp command string parser more sensitive
+- Invalid IP addresses in download ressources are recognized and filtered
+Version 0.4.1
+- Retransmission of tftp packets after timeout occured
+- Silly bug in tftp routine fixed - files may also be sent from server port != 69
+- Workaround for communication with buggy ftp servers included
+- Fixed minor bugs in ftp and tftp routines
+- Improved download command parsing routine, it shouldn't fail anymore
+- Attack string naming corrected
+- Added logfile and pidfile support 
+- Switched to write() to improve logging performance
+Version 0.4.0
+- Auto download files via ftp using a fake Windows ftp dialogue
+- Auto download files via tftp
+- Improved signal handling to prevent zombie processes
+- Get IP address for bpf string from interface
+- Fixed error handling in db code

INSTALL

@@ -0,0 +1,253 @@
+Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002 Free Software
+Foundation, Inc.
+
+   This file is free documentation; the Free Software Foundation gives
+unlimited permission to copy, distribute and modify it.
+
+Installation
+============
+
+   The `configure' shell script must be told which connection monitor
+to use in honeytrap to monitor network interfaces for incoming
+connection requests. Currently the following options are possible:
+
+   --with-stream-mon=nfq	monitoring via libnetfilter_queue
+				(Linux only, recommended)
+
+   --with-stream-mon=ipq	monitoring via netfilter/iptables ip_queue
+				(Linux only)
+
+   --with-stream-mon=pcap	monitoring with a PCAP-based sniffer
+
+To build additional plugins use the --with-[pluginname] options.
+`configure --help' gives a full list of available options.
+
+After the configure step a `make' compiles the code. Finally `make
+install' puts all needed files in the correct places.
+
+Please refer to the generic installation instructions below for further
+information on how to compile honeytrap.
+
+Basic Installation
+==================
+
+   These are generic installation instructions.
+
+   The `configure' shell script attempts to guess correct values for
+various system-dependent variables used during compilation.  It uses
+those values to create a `Makefile' in each directory of the package.
+It may also create one or more `.h' files containing system-dependent
+definitions.  Finally, it creates a shell script `config.status' that
+you can run in the future to recreate the current configuration, and a
+file `config.log' containing compiler output (useful mainly for
+debugging `configure').
+
+   It can also use an optional file (typically called `config.cache'
+and enabled with `--cache-file=config.cache' or simply `-C') that saves
+the results of its tests to speed up reconfiguring.  (Caching is
+disabled by default to prevent problems with accidental use of stale
+cache files.)
+
+   If you need to do unusual things to compile the package, please try
+to figure out how `configure' could check whether to do them, and mail
+diffs or instructions to the address given in the `README' so they can
+be considered for the next release.  If you are using the cache, and at
+some point `config.cache' contains results you don't want to keep, you
+may remove or edit it.
+
+   The file `configure.ac' (or `configure.in') is used to create
+`configure' by a program called `autoconf'.  You only need
+`configure.ac' if you want to change it or regenerate `configure' using
+a newer version of `autoconf'.
+
+The simplest way to compile this package is:
+
+  1. `cd' to the directory containing the package's source code and type
+     `./configure' to configure the package for your system.  If you're
+     using `csh' on an old version of System V, you might need to type
+     `sh ./configure' instead to prevent `csh' from trying to execute
+     `configure' itself.
+
+     Running `configure' takes awhile.  While running, it prints some
+     messages telling which features it is checking for.
+
+  2. Type `make' to compile the package.
+
+  3. Optionally, type `make check' to run any self-tests that come with
+     the package.
+
+  4. Type `make install' to install the programs and any data files and
+     documentation.
+
+  5. You can remove the program binaries and object files from the
+     source code directory by typing `make clean'.  To also remove the
+     files that `configure' created (so you can compile the package for
+     a different kind of computer), type `make distclean'.  There is
+     also a `make maintainer-clean' target, but that is intended mainly
+     for the package's developers.  If you use it, you may have to get
+     all sorts of other programs in order to regenerate files that came
+     with the distribution.
+
+Compilers and Options
+=====================
+
+   Some systems require unusual options for compilation or linking that
+the `configure' script does not know about.  Run `./configure --help'
+for details on some of the pertinent environment variables.
+
+   You can give `configure' initial values for configuration parameters
+by setting variables in the command line or in the environment.  Here
+is an example:
+
+     ./configure CC=c89 CFLAGS=-O2 LIBS=-lposix
+
+   *Note Defining Variables::, for more details.
+
+Compiling For Multiple Architectures
+====================================
+
+   You can compile the package for more than one kind of computer at the
+same time, by placing the object files for each architecture in their
+own directory.  To do this, you must use a version of `make' that
+supports the `VPATH' variable, such as GNU `make'.  `cd' to the
+directory where you want the object files and executables to go and run
+the `configure' script.  `configure' automatically checks for the
+source code in the directory that `configure' is in and in `..'.
+
+   If you have to use a `make' that does not support the `VPATH'
+variable, you have to compile the package for one architecture at a
+time in the source code directory.  After you have installed the
+package for one architecture, use `make distclean' before reconfiguring
+for another architecture.
+
+Installation Names
+==================
+
+   By default, `make install' will install the package's files in
+`/usr/local/bin', `/usr/local/man', etc.  You can specify an
+installation prefix other than `/usr/local' by giving `configure' the
+option `--prefix=PATH'.
+
+   You can specify separate installation prefixes for
+architecture-specific files and architecture-independent files.  If you
+give `configure' the option `--exec-prefix=PATH', the package will use
+PATH as the prefix for installing programs and libraries.
+Documentation and other data files will still use the regular prefix.
+
+   In addition, if you use an unusual directory layout you can give
+options like `--bindir=PATH' to specify different values for particular
+kinds of files.  Run `configure --help' for a list of the directories
+you can set and what kinds of files go in them.
+
+   If the package supports it, you can cause programs to be installed
+with an extra prefix or suffix on their names by giving `configure' the
+option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
+
+Optional Features
+=================
+
+   Some packages pay attention to `--enable-FEATURE' options to
+`configure', where FEATURE indicates an optional part of the package.
+They may also pay attention to `--with-PACKAGE' options, where PACKAGE
+is something like `gnu-as' or `x' (for the X Window System).  The
+`README' should mention any `--enable-' and `--with-' options that the
+package recognizes.
+
+   For packages that use the X Window System, `configure' can usually
+find the X include and library files automatically, but if it doesn't,
+you can use the `configure' options `--x-includes=DIR' and
+`--x-libraries=DIR' to specify their locations.
+
+Specifying the System Type
+==========================
+
+   There may be some features `configure' cannot figure out
+automatically, but needs to determine by the type of machine the package
+will run on.  Usually, assuming the package is built to be run on the
+_same_ architectures, `configure' can figure that out, but if it prints
+a message saying it cannot guess the machine type, give it the
+`--build=TYPE' option.  TYPE can either be a short name for the system
+type, such as `sun4', or a canonical name which has the form:
+
+     CPU-COMPANY-SYSTEM
+
+where SYSTEM can have one of these forms:
+
+     OS KERNEL-OS
+
+   See the file `config.sub' for the possible values of each field.  If
+`config.sub' isn't included in this package, then this package doesn't
+need to know the machine type.
+
+   If you are _building_ compiler tools for cross-compiling, you should
+use the `--target=TYPE' option to select the type of system they will
+produce code for.
+
+   If you want to _use_ a cross compiler, that generates code for a
+platform different from the build platform, you should specify the
+"host" platform (i.e., that on which the generated programs will
+eventually be run) with `--host=TYPE'.
+
+Sharing Defaults
+================
+
+   If you want to set default values for `configure' scripts to share,
+you can create a site shell script called `config.site' that gives
+default values for variables like `CC', `cache_file', and `prefix'.
+`configure' looks for `PREFIX/share/config.site' if it exists, then
+`PREFIX/etc/config.site' if it exists.  Or, you can set the
+`CONFIG_SITE' environment variable to the location of the site script.
+A warning: not all `configure' scripts look for a site script.
+
+Defining Variables
+==================
+
+   Variables not defined in a site shell script can be set in the
+environment passed to `configure'.  However, some packages may run
+configure again during the build, and the customized values of these
+variables may be lost.  In order to avoid this problem, you should set
+them in the `configure' command line, using `VAR=value'.  For example:
+
+     ./configure CC=/usr/local2/bin/gcc
+
+will cause the specified gcc to be used as the C compiler (unless it is
+overridden in the site shell script).
+
+`configure' Invocation
+======================
+
+   `configure' recognizes the following options to control how it
+operates.
+
+`--help'
+`-h'
+     Print a summary of the options to `configure', and exit.
+
+`--version'
+`-V'
+     Print the version of Autoconf used to generate the `configure'
+     script, and exit.
+
+`--cache-file=FILE'
+     Enable the cache: use and save the results of the tests in FILE,
+     traditionally `config.cache'.  FILE defaults to `/dev/null' to
+     disable caching.
+
+`--config-cache'
+`-C'
+     Alias for `--cache-file=config.cache'.
+
+`--quiet'
+`--silent'
+`-q'
+     Do not print messages saying which checks are being made.  To
+     suppress all normal output, redirect it to `/dev/null' (any error
+     messages will still be shown).
+
+`--srcdir=DIR'
+     Look for the package's source code in directory DIR.  Usually
+     `configure' can determine that directory automatically.
+
+`configure' also accepts some other, not widely useful, options.  Run
+`configure --help' for more details.
+