1.0 Getting Started
- What is the purpose of the CDROM?
- What OS is the CDROM based on?
- Does the CDROM come with the honeypots?
- Is Roo considered GenII or GenIII technology?
2.0 Configuration Questions
- How do I determine which physical ports eth0, eth1, and eth2 are on?
- Once I have configured and rebooted the Honeywall, how can I launch the Menu interface again?
3.0 Data Analysis Questions
4.0 Problems and Errors
- I've tried using yum(1) to update my Honeywall, but it gives an error complaining about not having the RPM-GPG key for a certain repository.
- I've locked myself out of the default roo account and can't log in; how do I reset the password?
- I've locked myself out of the Walleye interface; how do I reset the password?
5.0 VMWare Questions
- Can the Honeywall CDROM run in VMware for deploying Virtual Honeynets?
1.1 What is the purpose of the CDROM?
Honeynets are time consuming to build and deploy. One of the most difficult components is the Honeywall gateway, the physical device that performs Data Control and Data Capture. Traditionally, this was built by manually combining a variety of tools (see Know Your Enemy: Gen2 Honeynets for more info). The Honeywall CDROM attempts to make deployments easier, as all the tools and configuration files are supplied on a single CDROM ready to go. The CDROM also allows organizations to standardize their deployments, making them easier to manage and making it easier to centralize and analyze the data they collect.
1.2 What OS is the CDROM based on?
The CDROM is based on Fedora Core 3.
1.3 Does the CDROM come with the honeypots?
No, the CDROM only boots into a layer two (or layer three, if you choose) gateway that implements Data Control and Data Capture. For honeypots, you have to place them behind the Honeywall gateway.
1.4 Is Roo considered GenII or GenIII technology?
This is more of a marketing question, so don't get caught up in the details. However, we consider Roo to be a GenIII technology. GenI was when honeynets were first released: crude technologies that could only monitor clear text traffic, counted outbound connections, and were based on layer three routing gateways. GenII technologies took GenI and added a great deal of new functionality, including Sebek, layer two bridging gateways, and intrusion prevention capabilities (all of which you can find on the old Honeywall CDROM Eeyore). GenIII technology takes GenII and once again adds a great deal of new technology. In this case, some of the biggest advances are automated updates, a data analysis and administration GUI, and vastly improved hardware and international support. That's why we consider it GenIII.
2.1 How do I determine which physical ports eth0, eth1, and eth2 are on?
First, keep in mind that the Honeywall CDROM makes the following assumptions. You can change this behavior in the menu, but below is the default.
- eth0 is the "Internet" or outside interface
- eth1 is the LAN interface (honeypot side)
- eth2 is the Management interface
- br0 is the virtual bridge interface (eth0 + eth1)
So now the trick becomes: on the back of your computer, which physical port is eth0, eth1, and eth2? 'Tis no simple task. However, we recommend the following.
- Bring all eth interfaces down except eth0.
- Flood eth0 with traffic (ping, Nmap, etc.).
- Watch which port's lights at the back of the computer go mad; this is eth0.
- Repeat for the other eth interfaces.
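The procedure above, scripted as an added example (this is not a script shipped on the Honeywall CDROM or written by the Honeynet Project). It assumes ifconfig(8) and ping(8) are present, that the script runs as root, that the interface under test has an IP address from which it can ping (for a bridged eth0/eth1 with no address, have a host on the far side of the link generate the traffic instead), and that the interface names, the ping target and the burst length are supplied by the caller. The target address 192.0.2.1 in the usage line is a documentation address, not a real host.

```shell
#!/bin/sh
# find-ports.sh (hypothetical name): map Linux interface names to physical NIC ports
# by driving traffic through one interface at a time while every other interface is
# down, so only one port's link/activity LEDs flash.
# Set DRY_RUN=1 to print the commands instead of executing them.

DRY_RUN=${DRY_RUN:-0}

# Execute a command, or echo it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# isolate_and_flood IFACE TARGET SECONDS IFACES...
# Bring every interface except IFACE down, make sure IFACE is up, then send a burst
# of pings out of IFACE for SECONDS seconds (5 packets/s) so its port is the only
# one blinking. -I binds ping to the interface, -w bounds the run time.
isolate_and_flood() {
    iface=$1; target=$2; seconds=$3; shift 3
    for other in "$@"; do
        [ "$other" = "$iface" ] && continue
        run ifconfig "$other" down
    done
    run ifconfig "$iface" up
    run ping -I "$iface" -i 0.2 -w "$seconds" "$target"
}

# identify_ports TARGET SECONDS IFACES...
# Walk the interfaces in order (eth0 first, as the FAQ recommends), pausing for the
# operator to label the port whose lights went mad, then bring every interface back up.
identify_ports() {
    target=$1; seconds=$2; shift 2
    for iface in "$@"; do
        echo "### Watch the back of the machine: only $iface should blink for ${seconds}s"
        isolate_and_flood "$iface" "$target" "$seconds" "$@"
        if [ "$DRY_RUN" != 1 ]; then
            printf 'Press Enter once you have labelled the port for %s: ' "$iface"
            read -r _
        fi
    done
    for iface in "$@"; do
        run ifconfig "$iface" up
    done
}

# Usage (as root on the Honeywall): ./find-ports.sh 192.0.2.1 10 eth0 eth1 eth2
if [ "$#" -ge 3 ]; then
    identify_ports "$@"
fi
```

Run it from the console, not over the management interface: eth2 is taken down while the other two are tested, so an SSH session would drop. Where the NIC driver supports it, `ethtool -p eth0 10` blinks a port's LED directly without any traffic and is a simpler alternative to the ping burst.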
2.2 Once I have configured and rebooted the Honeywall, how can I launch the Menu interface?
After you set up and reboot your Honeywall, you will notice that you are no longer automatically given the Menu interface. This is to give your Honeywall some minimal physical security. To start the Menu interface, type the command menu at the command line as root. Be sure that when you su(1) to root, you execute the command su -. The '-' is important, as it means you inherit root's environment variables.
4.1 I've tried using yum(1) to update my Honeywall, but it gives an error complaining about not having the RPM-GPG key for a certain repository.
If this happens, identify the key that failed and its location (the error should tell you). If the error does not give you the location of the key, then you can find it in /etc/yum.repos.d. Then do a manual key import like this:
rpm --import http://atrpms.net/RPM-GPG-KEY.atrpms
4.2 I've locked myself out of the default roo account and can't log in; how do I reset the password?
See the detailed steps documented in roo password reset.
4.3 I've locked myself out of the Walleye interface; how do I reset the password?
We will be installing a command line interface soon for resetting the Walleye password. Until then, use the following procedure. From the command line, as roo or root:
1. Run mysql walleye_users_0_3 -p. The database password should be 'honey' (there is no remote access, and it's in every script).
2. Issue the following statement:
insert into user (firstname, lastname, login_name, password, role) values('kanga', 'roo', 'bailout', 'honey', 'admin');
A Walleye admin account with the user ID 'bailout' will be created. Log in to the Walleye interface with the account 'bailout' and the password 'honey', and you should then be able to do what you need to do.
5.1 Can the Honeywall CDROM run in VMware for deploying Virtual Honeynets?
Yes. You configure all your guest operating systems with a single host-only network adapter, and the Honeywall with one bridged and one host-only network adapter. To learn more, check out the paper Deploying Honeywall Using VMware.