Welcome to the Honeywall Community FAQ

Q. What is the Honeywall Community FAQ

A. It is a place for the community to help each other by answering their own questions.

Q. Why can't I edit the Honeywall Community FAQ

A. In order to edit the Honeywall Community FAQ, you must register.

Q. How to I post a message to the mailing list?

A. You first need to register for the public mailing list here:

 https://public.honeynet.org/mailman/listinfo/honeywall

Once registered, send an email to the list address honeywall@… with your message and it should soon appear on the list.

Q. Is the public mailing list archived?

A. Yes, here:

 http://public.honeynet.org/pipermail/honeywall/

Q. Why don't I see custom rules in the Walleye UI?

A. The snort and snort_inline rule management UI is no longer supported. Therefore, all rule changes must be done via the command line. The issue we have is that once you add rules to the system, snort's sid-msg.map nor the walleye signature database are being updated. Therefore, after you add new rules to the system, you need to do the following:

1. Create a new sid-msg.map. Oinkmaster comes with a perl script named create-sidmap.pl that is really easy to use. Simply point it at the snort rules directory and redirect its output to a sid-msg.map. For example, I added the rule you sent below to my local.rules. I had to change the sid because snort already has a rule with that sid (I used 70001). I then ran the perl script:

cp /etc/snort/sid-msg.map /etc/snort/sid-msg.map.bak /usr/bin/create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map

2. Load the new sid-msg.map to the walleye db. The easiest way to do this is to simply restart hflowd (/etc/init.d/hflowd) or restart the honeywall. The hflowd startup script loads the sig-msg on start.

From this point on, you should see your alerts on the walleye UI.

Q. Why can't my Honeywall allocate partitions under VMWare?

When attempting to install Honeywall v1.4 on vmware-ws-5.5.3 and vmware-ws-6.0 the error "Could not allocate requested partitions:Partitioning failed: Could not allocate partitions as primay partitions.Not enough space left to create partition for /. Press 'OK' to reboot your system" while actually I use a 8GB vm disk for it" is sometimes returned, even is the virtual hard disk created is very large.

A. You need to create the right type of virtual hard disk device. Ensure that you select the LSI SCSI device, which may not be the default device on some installations of VMWare.

Q. Why does Walleye stop reporting traffic to my honeypots?

A. There is a bug in hflow on Honeywall v1.4 that causes it's connection to the database to timeout (for details check https://projects.honeynet.org/honeywall/ticket/46). There is a fix for this issue. To update your Honeywall install, you can use yum:

1. Logon as the roo user.
2. Type "su -" to logon as root.
3. Type "yum update"

Yum should now update your Honeywall. You will be asked to confirm the update.

Q. I've forgotten the root password, how do I recover it?

A. You can reset the root password in the same way as any CentOS based system. You will need to have physical access to the Honeywall machine. See instructions here:  http://www.go2linux.org/fedora-centos-root-password-recovery

Q. How do I get Sebek on my linux honeypot to start at boot?

A. There is currently no way to do this that will be hidden from an attacker. If your honeypot is a virtual machine you can take a snapshot of the machine after Sebek is installed and running and any time you have to reboot just revert to the snapshot.