nepenthes for multiple ip addresses


by Viktor-13


Hello!

I'm running nepenthes on a Debian OS at a university network with a fixed IP. I managed to get a high number of unused IP addresses from the university network administrator; all traffic to these is routed to my computer. Now I'm getting an incoming rate of 200 packets/s, but nepenthes only looks at the traffic addressed to my own IP. Is there a way to make nepenthes listen for all incoming packets even though the packet's destination IP is not mine?
I have a lot of IPs, and they are random, changing every time, so it's not an option to give alternate IPs to my interface.

Thanks in advance!

Viktor


Re: nepenthes for multiple ip addresses

by Sushant Sinha


Did you try arpd to get packets to your box?

-sushant.

On Sat, 2009-04-18 at 17:17 +0200, Viktor wrote:

> Hello!
>
> I'm running nepenthes on a Debian OS at a university network with a fixed IP. I managed to get a high number of unused IP addresses from the university network administrator; all traffic to these is routed to my computer. Now I'm getting an incoming rate of 200 packets/s, but nepenthes only looks at the traffic addressed to my own IP. Is there a way to make nepenthes listen for all incoming packets even though the packet's destination IP is not mine?
> I have a lot of IPs, and they are random, changing every time, so it's not an option to give alternate IPs to my interface.
>
> Thanks in advance!
>
> Viktor


Re: nepenthes for multiple ip addresses

by Gergely Révay


Hi,

If there is no address translation in the routing process, then you
should have alias interfaces for those IPs which you want to listen
on.

For instance, if the 192.168.1.0/24 network is redirected to your
computer, then you should use a command like this:

$ for i in `seq 2 254`; do sudo ip addr add 192.168.1.$i/24 brd + dev eth0; done

(or something :) )

In this case, when nepenthes listens on 0.0.0.0, it listens
on the alias IPs as well.
If there is address translation in the routing, then those packets
should have your IP as their destination IP, and then it should work.
If you don't know, you can check it with tcpdump.

I hope I helped.

Good luck!

Geri

2009/4/18 Viktor <gecko003@...>:

> Hello!
>
> I'm running nepenthes on a Debian OS at a university network with a fixed IP. I managed to get a high number of unused IP addresses from the university network administrator; all traffic to these is routed to my computer. Now I'm getting an incoming rate of 200 packets/s, but nepenthes only looks at the traffic addressed to my own IP. Is there a way to make nepenthes listen for all incoming packets even though the packet's destination IP is not mine?
> I have a lot of IPs, and they are random, changing every time, so it's not an option to give alternate IPs to my interface.
>
> Thanks in advance!
>
> Viktor

Re: nepenthes for multiple ip addresses

by Viktor-13


Thanks for all the answers, I have profited a lot from them! Let me
answer each reply in one mail.

Kashyap Timmaraju wrote:
> The reason you need arpd is because you have to bind the unused IP
> addresses to a MAC address; in this case it will be your MAC
> address (how else can you read those packets?), which arpd does for
> you. You will have to run arpd, so all the best with your experiment!
I have tried farpd to get all unused IPs, but since I'm in a /24 subnet,
I could only bind IPs from my subnet (I forgot to mention that I'm
e.g. 192.168.1.1/24, but I'm having traffic redirected from
192.168.0.1-192.168.255.255). It's a great package btw (thanks again Mr
Provos :))

Gergely Révay wrote:

> If there is no address translation in the routing process, then you
> should have alias interfaces for those IPs which you want to listen
> on.
>
> For instance, if the 192.168.1.0/24 network is redirected to your
> computer, then you should use a command like this:
>
> $ for i in `seq 2 254`; do sudo ip addr add 192.168.1.$i/24 brd + dev eth0; done
>
> (or something :) )
>
> In this case, when nepenthes listens on 0.0.0.0, it listens
> on the alias IPs as well.
Unfortunately it's a bit more complex. My box gets traffic addressed to
currently unused IPs, but the IPs are changing every time (if someone
gets one of the IPs by DHCP, then I won't get any more traffic redirected
to me), and I think it would cause network conflicts if I added all
255*255 IPs to my interface (also it's a big number :)).
> If there is address translation in the routing, then those packets
> should have your IP as their destination IP, and then it should work.
> If you don't know, you can check it with tcpdump.
I'm not getting traffic by NAT, all traffic is simply redirected to my
IP. But after reading your reply, I tried to NAT all traffic locally at
my computer, and it worked! I set iptables' nat to translate the
destination IP of all packets whose destination IP wasn't mine
originally to my IP. Now nepenthes has its log growing by
0.5MB/min :))).

The only problem is that now I've lost all information about who received the
malicious packet originally, since in the log all dest IPs are mine :(. Do
you think it is possible to write a script that can delay the
packets, add the original dest IP to my interface, pass the packet on
(nepenthes scans it), then after a short delay remove the IP from my
interface? Or if there is any simpler solution, I'm open to all
suggestions :)

Viktor
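Viktor's remaining problem (every connection arrives with his own address as destination once it has been DNATed) can be solved without adding and removing aliases: log each flow before the nat table rewrites it, then join that log with the honeypot's connection records. The following Python is an added example, not code from the thread or from nepenthes; the iptables rules in its comment, the HONEY-ORIGDST prefix, the kernel log lines and the connection records are all assumed or constructed.

```python
"""Recover the pre-DNAT destination of honeypot connections from iptables LOG lines."""
import re
from typing import Dict, List, Optional, Tuple

# Assumed rules (not from the thread): log each new connection in mangle/PREROUTING,
# which runs before nat/PREROUTING, so the LOG line still carries the original DST=:
#   iptables -t mangle -A PREROUTING -i eth0 ! -d 192.168.1.1 -m conntrack --ctstate NEW \
#            -j LOG --log-prefix "HONEY-ORIGDST "
#   iptables -t nat -A PREROUTING -i eth0 ! -d 192.168.1.1 -j DNAT --to-destination 192.168.1.1
LOG_PREFIX = "HONEY-ORIGDST"
# key=value fields written by the netfilter LOG target that identify a flow
KV_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

FlowKey = Tuple[str, str, int, int]  # (src_ip, proto, sport, dport)

SAMPLE_KERN_LOG = [  # constructed sample lines in the kernel's LOG output format
    "Apr 18 17:17:01 honey kernel: HONEY-ORIGDST IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.7 DST=192.168.37.212 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=TCP SPT=50123 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Apr 18 17:17:02 honey kernel: HONEY-ORIGDST IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=198.51.100.9 DST=192.168.200.5 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=2 DF PROTO=TCP SPT=3311 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Apr 18 17:17:03 honey kernel: HONEY-ORIGDST IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=198.51.100.9 DST=192.168.200.5 LEN=84 TOS=0x00 PREC=0x00 TTL=110 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    "Apr 18 17:17:04 honey kernel: eth0: link up",  # unrelated kernel message, must be ignored
]
# Constructed: what the honeypot records after DNAT (its own dst is always 192.168.1.1, so it is omitted)
SAMPLE_CONNECTIONS: List[FlowKey] = [
    ("203.0.113.7", "TCP", 50123, 445),
    ("198.51.100.9", "TCP", 3311, 135),
    ("192.0.2.44", "TCP", 40000, 445),  # no LOG line: this one really was addressed to the box
]

def parse_kern_log(lines: List[str]) -> Dict[FlowKey, str]:
    """Map each logged flow to the destination address it carried before the DNAT."""
    orig: Dict[FlowKey, str] = {}
    for line in lines:
        if LOG_PREFIX not in line:
            continue
        kv = dict(KV_RE.findall(line))
        if not {"SRC", "DST", "PROTO"} <= kv.keys():
            continue  # truncated or malformed line
        # ICMP and other port-less protocols have no SPT/DPT; key them with 0/0
        key = (kv["SRC"], kv["PROTO"], int(kv.get("SPT", 0)), int(kv.get("DPT", 0)))
        orig[key] = kv["DST"]  # if a tuple is reused, the most recent line wins
    return orig

def annotate(conns: List[FlowKey], orig: Dict[FlowKey, str]) -> List[Tuple[FlowKey, Optional[str]]]:
    """Pair each honeypot connection with its recovered original destination (None if unlogged)."""
    return [(c, orig.get(c)) for c in conns]
```

Because the mangle rule fires only on NEW connections, one log line per connection is enough to restore the "who was scanned" column that the DNAT removed from the nepenthes log.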