Next: The Challenge Up: Analysis of HoneyNet's scan Previous: Analysis of HoneyNet's scan

Preparation

Before analysing the scan, I first download the package and check its integrity.


[gfk@cesam scan15]$ wget -q http://project.honeynet.org/scans/scan15/honeynet.tar.gz
[gfk@cesam scan15]$ md5sum honeynet.tar.gz 
0dff8fb9fe022ea80d8f1a4e4ae33e21  honeynet.tar.gz
[gfk@cesam scan15]$ tar zxvf honeynet.tar.gz 
honeynet/
honeynet/honeypot.hda8.dd
File size limit exceeded
[gfk@cesam scan15]$ cd honeynet
[gfk@cesam honeynet]$ ls -l
total 40044
-rw-r-----   1 gfk      gfk      40960000 Apr 30 18:05 honeypot.hda8.dd
[gfk@cesam honeynet]$

Oops! Problemo! Since this is an educational text, those interested in knowing how I solved the problem can read this short explanation.

As you can see, the problem is that the extraction of honeypot.hda8.dd stopped at exactly 40960000 bytes (39 MiB). Despite how it reads, "File size limit exceeded" is not a file system limit: it is the shell reporting that tar was killed by SIGXFSZ, the signal the kernel sends when a write would take a file past the writing process's own file size limit (RLIMIT_FSIZE, the value that ulimit -f shows in 1024-byte blocks). 40960000 bytes is exactly 40000 such blocks, consistent with a ulimit -f of 40000 in the shell I was extracting from. After searching on google for a couple of minutes I found this:


From: Forrest (forrest@home.com)
Subject: Re: "File size limit exceeded"---whats up with that?
Newsgroups: comp.os.linux.security
Date: 2001-04-25 19:17:22 PST


Look in /proc/sys/fs/
file-max shows how many files you can have open
super-max shows how many files the super user can have open
inode-max is the max number of open inodes

You should probably quadruple all of these.  You will have to set up
rc.local to pass these numbers at boot time.  If you need help with this,
let me know.

Forrest

Following what was said there, here is what I did to solve the problem:


[root@cesam root]# cd /proc/sys/fs/
[root@cesam fs]# cat inode-max
4096
[root@cesam fs]# echo 16384 > inode-max
[root@cesam fs]# cat inode-max
16384

I also found some interesting reads about this feature at these locations:
http://lists.plug.phoenix.az.us/pipermail/plug-discuss/2000-September/005508.html
http://www.linux-mandrake.com/en/doc/72/en/ref.html/x3916.html
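To make the diagnosis concrete, here is a small shell script, added to this page and not part of the original write-up, that reproduces "File size limit exceeded" under a deliberately low ulimit -f and shows the two checks worth running before touching anything in /proc: whether a file of a given size fits under the current limit, and whether a truncated file ends exactly on the limit boundary, which is the signature of an RLIMIT_FSIZE kill. The function names and the 40000-block example limit are this example's own; the 40960000-byte figure is the one from the transcript above. Note that file-max and inode-max in /proc/sys/fs bound the number of open files and cached inodes, not the size of a file; a root shell has its own resource limits, which is why an extraction can succeed there when it fails as an unprivileged user.

```shell
#!/bin/sh
# Added example, not part of the original write-up: reproduce and diagnose
# "File size limit exceeded".  The message is the shell reporting that a
# child was killed by SIGXFSZ, which the kernel sends when a write would take
# a file past the process's RLIMIT_FSIZE.  Linux shells show that limit with
# "ulimit -f" in 1024-byte blocks, so a limit of 40000 blocks is 40960000
# bytes, the exact size at which the write-up's extraction stopped.

# Largest file the current soft limit lets this process write, in bytes,
# or the word "unlimited".
fsize_limit_bytes() {
    lim=$(ulimit -f)
    if [ "$lim" = "unlimited" ]; then
        echo unlimited
    else
        echo $((lim * 1024))
    fi
}

# Succeeds (exit 0) when a file of $1 bytes fits under the current limit.
fits_limit() {
    lim=$(fsize_limit_bytes)
    [ "$lim" = "unlimited" ] || [ "$1" -le "$lim" ]
}

# Succeeds when FILE ($1) ends at exactly the current limit.  The kernel
# shortens the write that reaches the limit and kills the process on the
# next one, so a file that stops on the limit boundary is the signature of
# an RLIMIT_FSIZE kill rather than of a short download or a full disk.
stopped_at_limit() {
    lim=$(fsize_limit_bytes)
    [ "$lim" != "unlimited" ] && [ "$(wc -c < "$1" | tr -d ' ')" -eq "$lim" ]
}

# Write $2 bytes of zeros to $1 with the soft limit set to $3 blocks, in a
# subshell so the caller's limits are untouched.  Prints the writer's exit
# status: 0 on success, 128+SIGXFSZ (153 on Linux, where SIGXFSZ is 25) when
# the kernel killed it, which an interactive shell would print as
# "File size limit exceeded".
write_under_limit() {
    if (
        ulimit -f "$3"
        dd if=/dev/zero of="$1" bs=1024 count=$(( $2 / 1024 )) 2>/dev/null
    ) 2>/dev/null; then
        echo 0
    else
        echo $?
    fi
}

# The fix is the limit itself, not /proc/sys/fs: raise the soft limit up to
# the hard limit ("ulimit -f unlimited" if the hard limit allows it), or
# raise the hard limit for the user in /etc/security/limits.conf (pam_limits)
# before trying the extraction again.
echo "this shell may write files of up to $(fsize_limit_bytes) bytes"
```

Run the script as-is to see the limit of the current shell. ulimit -f unlimited raises the soft limit only as far as the hard limit allows; beyond that the hard limit has to be raised for the user (for example in /etc/security/limits.conf) or the extraction done from a shell that has no such limit.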

Now that the problem is fixed, let's return to our regular programming...


[root@cesam scan15]# tar zxvf honeynet.tar.gz 
honeynet/
honeynet/honeypot.hda8.dd
honeynet/README
[root@cesam scan15]# md5sum honeynet/honeypot.hda8.dd 
5a8ebf5725b15e563c825be85f2f852e  honeynet/honeypot.hda8.dd

A computed md5sum proves nothing on its own; it has to match the value the Honeynet Project published for this image. Once it does, we know that our kit is not corrupted, and we can start analysing!
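The comparison step that the transcripts above leave implicit, as an added example that is not part of the original write-up: the published digest is passed in by the caller (this page does not reproduce the Honeynet Project's published values), and the function fails loudly on a mismatch instead of just printing a hash to be eyeballed.

```shell
#!/bin/sh
# Added example, not part of the original write-up: turn "md5sum printed a
# hash" into an integrity check by comparing against the published value.
# The expected digest is whatever the challenge published; it is supplied by
# the caller, not hard-coded here.

# verify_md5 FILE EXPECTED
# Succeeds (exit 0) only when FILE hashes to EXPECTED (32 lowercase hex
# digits, as md5sum prints them).  Prints the computed digest either way so
# the value can be recorded in the analysis notes.
verify_md5() {
    actual=$(md5sum "$1" | cut -d ' ' -f 1)
    if [ "$actual" = "$2" ]; then
        echo "OK   $1 $actual"
    else
        echo "FAIL $1 computed $actual, published $2" >&2
        return 1
    fi
}

# Usage after extraction: check the tarball and then the image inside it,
# each against its own published digest, and stop if either fails.
#   verify_md5 honeynet.tar.gz "$PUBLISHED_TARBALL_MD5" || exit 1
#   verify_md5 honeynet/honeypot.hda8.dd "$PUBLISHED_IMAGE_MD5" || exit 1
```

Checking the extracted image separately from the tarball is worth the few seconds: it catches the case from this very page, where the archive was intact but the file written out of it was truncated.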



Guillaume Filion
2001-05-21