Before analysing the scan, I first download the package and check its integrity.
[gfk@cesam scan15]$ wget -q http://project.honeynet.org/scans/scan15/honeynet.tar.gz
[gfk@cesam scan15]$ md5sum honeynet.tar.gz
0dff8fb9fe022ea80d8f1a4e4ae33e21 honeynet.tar.gz
[gfk@cesam scan15]$ tar zxvf honeynet.tar.gz
honeynet/
honeynet/honeypot.hda8.dd
File size limit exceeded
[gfk@cesam scan15]$ cd honeynet
[gfk@cesam honeynet]$ ls -l
total 40044
-rw-r----- 1 gfk gfk 40960000 Apr 30 18:05 honeypot.hda8.dd
[gfk@cesam honeynet]$
Oops! Problemo! Since this is an educational text, those interested in knowing how I solved the problem can read this small explanation.
As you can see, the problem is that the file honeypot.hda8.dd is larger than the maximum file size for this file system. We see that the maximum file size for my system is actually 40960000 bytes (39 MB). After searching on Google for a couple of minutes, I found this:
From: Forrest (forrest@home.com)
Subject: Re: "File size limit exceeded"---whats up with that?
Newsgroups: comp.os.linux.security
Date: 2001-04-25 19:17:22 PST

Look in /proc/sys/fs/

file-max shows how many files you can have open
super-max shows how many files the super user can have open
inode-max is the max number of open inodes

You should probably quadruple all of these. You will have to set up rc.local to pass these numbers at boot time. If you need help with this, let me know.

Forrest
Following what was said there, here is what I did to solve the problem:
[root@cesam root]# cd /proc/sys/fs/
[root@cesam fs]# cat inode-max
4096
[root@cesam fs]# echo 16384 > inode-max
[root@cesam fs]# cat inode-max
16384
I also found some interesting reads about this feature at these locations:
http://lists.plug.phoenix.az.us/pipermail/plug-discuss/2000-September/005508.html
http://www.linux-mandrake.com/en/doc/72/en/ref.html/x3916.html
Now that the problem is fixed, let's return to our regular programming...
[root@cesam scan15]# tar zxvf honeynet.tar.gz
honeynet/
honeynet/honeypot.hda8.dd
honeynet/README
[root@cesam scan15]# md5sum honeynet/honeypot.hda8.dd
5a8ebf5725b15e563c825be85f2f852e honeynet/honeypot.hda8.dd
We now know that our kit is not corrupted, so we can start analysing!
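The first extraction above stopped early, leaving a 40960000-byte image and no README. As an added example (not part of the original write-up), the Python code below compares every file recorded in an archive with what is on disk, so a partial extraction like that one is caught before analysis starts. The function names and the small archive built in demo() are constructed for illustration.

```python
import hashlib
import os
import tarfile
import tempfile


def md5_stream(fobj, chunk=1 << 20):
    """MD5 of a file object, read in chunks so a large image never sits in memory."""
    h = hashlib.md5()
    for block in iter(lambda: fobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def check_extraction(archive, dest):
    """Return {member: problem} for files that are missing, short or altered."""
    problems = {}
    with tarfile.open(archive, "r:*") as tar:
        for m in filter(tarfile.TarInfo.isfile, tar):
            path = os.path.join(dest, m.name)
            have = os.path.getsize(path) if os.path.isfile(path) else None
            if have is None:
                problems[m.name] = "missing"
            elif have != m.size:
                problems[m.name] = "truncated: %d of %d bytes" % (have, m.size)
            else:
                with open(path, "rb") as on_disk:
                    if md5_stream(on_disk) != md5_stream(tar.extractfile(m)):
                        problems[m.name] = "content differs"
    return problems


def demo():
    """Constructed data: replay an extraction that was killed part-way."""
    src, work = tempfile.mkdtemp(), tempfile.mkdtemp()
    for name, data in (("honeypot.hda8.dd", b"\x00" * 4096), ("README", b"readme\n")):
        with open(os.path.join(src, name), "wb") as f:
            f.write(data)
    archive = os.path.join(work, "honeynet.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="honeynet")
    dest = os.path.join(work, "out")
    with tarfile.open(archive) as tar:
        tar.extractall(dest)
    complete = check_extraction(archive, dest)
    # Simulate the failed run: image cut short, README never written.
    os.truncate(os.path.join(dest, "honeynet", "honeypot.hda8.dd"), 1000)
    os.remove(os.path.join(dest, "honeynet", "README"))
    return complete, check_extraction(archive, dest)
```

An empty result from check_extraction() means every archived file is present with matching size and MD5. It does not replace comparing the MD5 against a published checksum.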