The previous post already discussed why it is a good thing to see connections coming in to closed ports; the approach presented there was pcap with filters.
Today, we'll use iptables to detect connections to closed ports.
Yesterday I came across http://honeytrap.sf.net, written by Tillmann Werner, and after digging into it a little, I think it's a good thing to talk about.
honeytrap is a slightly different approach to collecting malware than nepenthes: honeytrap monitors the interface's traffic with libpcap and uses a BPF filter to capture only the TCP RST packets sent by the local host to a remote host.
RST means reset; here it is the TCP stack's way of telling the remote host that no service is listening on the port it tried to connect to.
Once such an RST packet is captured, honeytrap opens the port the remote asked for, so subsequent connections to that port are accepted.
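The detection step described above, as an added example that is not honeytrap's own code: a small IPv4/TCP parser fed a constructed outgoing RST, plus the policy that turns "we just sent a RST from port N" into "open port N". The BPF expression, the class and function names, and the addresses are assumptions for illustration; honeytrap's real filter string and internals may differ.

```python
"""Added example (not honeytrap's code): sniffed outgoing RST -> open that port.

A SYN to a closed port makes the TCP stack answer with RST(+ACK). honeytrap
captures those RSTs with a BPF filter; the source port of the RST is the port
the remote asked for, so that is the port to start listening on.
"""
import socket
import struct


def bpf_filter(local_ip: str) -> str:
    """Assumed filter expression (honeytrap's actual string may differ):
    only TCP segments with RST set that originate from our own address."""
    return f"tcp[tcpflags] & tcp-rst != 0 and src host {local_ip}"


TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_ipv4_tcp(pkt: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port, flags), or None if not IPv4/TCP."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:          # not IPv4, or not TCP
        return None
    ihl = (ver_ihl & 0x0F) * 4                   # IP header length incl. options
    if len(pkt) < ihl + 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, off_flags & 0x1FF


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags) -> bytes:
    """Constructed sample packet for the parser (checksums left zero; not for the wire)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp


def rst_to_remote(parsed, local_ip: str) -> bool:
    """The trigger: a RST whose source address is our own."""
    src_ip, _dst_ip, _sport, _dport, flags = parsed
    return src_ip == local_ip and bool(flags & TCP_RST)


class DynamicListeners:
    """Tracks ports opened because we were seen resetting connections to them."""

    def __init__(self, local_ip: str, ignore_ports=()):
        self.local_ip = local_ip
        self.ignore = set(ignore_ports)   # ports we never want to impersonate
        self.opened = {}                  # port -> listening socket (or None if bind failed)

    def handle_packet(self, pkt: bytes):
        """Feed one sniffed frame; returns the port newly opened, else None."""
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None or not rst_to_remote(parsed, self.local_ip):
            return None
        port = parsed[2]                  # our source port == port the remote tried
        if port in self.ignore or port in self.opened:
            return None
        self.opened[port] = self._listen(port)
        return port

    def _listen(self, port: int):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((self.local_ip, port))
            s.listen(5)
            return s
        except OSError:                   # e.g. privileged port without the capability
            s.close()
            return None

    def close(self):
        for s in self.opened.values():
            if s is not None:
                s.close()
        self.opened.clear()


if __name__ == "__main__":
    # Constructed traffic: a remote SYN (ignored), our RST back (opens the port),
    # a repeat RST (already open) and a RST from port 22 (on the ignore list).
    me, them = "127.0.0.1", "198.51.100.7"
    reg = DynamicListeners(me, ignore_ports=(22,))
    print("filter:", bpf_filter(me))
    for pkt in (build_ipv4_tcp(them, me, 51234, 47112, TCP_SYN),
                build_ipv4_tcp(me, them, 47112, 51234, TCP_RST | TCP_ACK),
                build_ipv4_tcp(me, them, 47112, 51234, TCP_RST | TCP_ACK),
                build_ipv4_tcp(me, them, 22, 51235, TCP_RST | TCP_ACK)):
        print("opened:", reg.handle_packet(pkt))
    reg.close()
```

In real use the frames come from a libpcap capture opened with that filter; the parser above assumes it is handed the IP packet (after the link-layer header has been stripped). Keeping an ignore list matters: without it the honeypot would also impersonate ports you reset on purpose, such as a firewalled admin port.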
Furthermore, honeytrap offers a so-called "mirror mode": if an attacker connects to your honeytrap, honeytrap connects back to the attacker on the same port and sends the attacker everything the attacker sends it.
This way it is possible to emulate weaknesses without knowing about them, using the attacker's own weakness as a 'mirror'.
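A minimal version of that mirror mode, as an added example that is not honeytrap's own code: on an accepted connection, connect back to the peer's address on the port it hit and pump bytes in both directions until either side hangs up. The function names, the stand-in "attacker service" and the use of a socketpair for the client side are assumptions made so it runs offline on loopback; the real thing connects to the attacker's IP on exactly the port the attacker connected to.

```python
"""Added example (not honeytrap's code): a bidirectional "mirror mode" relay.

The honeypot never needs to know the protocol: whatever service the attacker
runs on that same port answers on the honeypot's behalf.
"""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket, counter: list) -> None:
    """Copy src -> dst until EOF/error, then half-close dst so the far side sees EOF."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
            counter[0] += len(chunk)
    except OSError:               # timeout or reset: treat as end of that direction
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def mirror_session(client: socket.socket, attacker_ip: str, port: int, timeout=5.0):
    """Relay client <-> (attacker_ip, port). Returns (bytes to mirror, bytes to client)."""
    mirror = socket.create_connection((attacker_ip, port), timeout=timeout)
    client.settimeout(timeout)
    mirror.settimeout(timeout)
    to_mirror, to_client = [0], [0]
    t1 = threading.Thread(target=_pump, args=(client, mirror, to_mirror))
    t2 = threading.Thread(target=_pump, args=(mirror, client, to_client))
    t1.start(); t2.start()
    t1.join(); t2.join()
    mirror.close()
    client.close()
    return to_mirror[0], to_client[0]


def mirror_accepted(client: socket.socket):
    """What a real listener would do: mirror to the peer's IP on the port it connected to."""
    attacker_ip = client.getpeername()[0]
    port = client.getsockname()[1]
    return mirror_session(client, attacker_ip, port)


def start_fake_attacker_service(host="127.0.0.1") -> int:
    """Constructed stand-in for the attacker's own daemon: reads until EOF, answers once, hangs up.
    Returns the (ephemeral) port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            data = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            conn.sendall(b"220 mirrored: " + data)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed run: the "attacker" end of a socketpair plays the client, the
    # fake service above plays whatever the attacker exposes on that port.
    port = start_fake_attacker_service()
    attacker_end, honeypot_end = socket.socketpair()
    attacker_end.sendall(b"USER anonymous\r\n")
    attacker_end.shutdown(socket.SHUT_WR)
    print("relayed:", mirror_session(honeypot_end, "127.0.0.1", port))
    print("attacker received:", attacker_end.recv(4096))
    attacker_end.close()
```

The half-close in `_pump` is what keeps this from hanging: when one direction hits EOF the other side gets a clean FIN instead of waiting for a timeout. Note the obvious caveat of a mirror: you are sending attacker-controlled input back to an attacker-controlled host, so whatever the exploit does to the attacker's box is on your outbound traffic log.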
To be able to download malware, honeytrap offers shell emulation similar to nepenthes', and it can download files via TFTP and FTP as well.
Really cool, you should give it a shot.
The similar nepenthes module, module-honeytrap, does not offer the mirror mode yet, but it allows accepting connections to unbound ports by intercepting the TCP handshake using ip_queue and libipq.