[Honeywall] related to absence of data in walleye UI in roo 1.2

Parvinder Bhasin parvinder.bhasin at gmail.com
Tue Dec 4 02:30:13 EST 2007


Robert,

This fix has fixed my 1.2 roo install and I can see traffic flows back 
in walleye just fine.  Well, it's been 4+ hours and it has been fine. 
This would otherwise break within an hour for me.

-Parvinder Bhasin

Robert Mcmillen wrote:
> List,
>     There is now a new rpm for hflow (version 1.0-42) and walleye 
> (version 1.1-51).
> 
>     The hflow fixed an issue with improper escaping of a column name 
> that is a mysql keyword.  The lack of escape prevented hflow from 
> inserting into the sys_socket table.  This is why sebek data was not 
> available in the UI because the UI will only acknowledge sebek data 
> related to flows if there is an entry in the sys_socket table.
> 
>     The walleye fix was related to changes in the way mysql 5 handles 
> left joins.  The fix allows you to view sebek related connections in the 
> UI.
> 
>     I want to say many many thanks to Camilo for helping me with these 
> fixes over the weekend.
> 
> If you get a chance, please do yum update in your roo 1.2 honeywall and 
> let me know if these changes fix your problems.  If not, please let me 
> know as well so that we can fix them.  To make sure the honeywall is 
> running with the latest changes after update, please do a honeywall reboot.
> 
> Thanks for your patience and support,
> 
> Rob
> 
> On Dec 3, 2007, at 1:54 PM, Parvinder Bhasin wrote:
> 
>> Hi Robert,
>>
>> Yes!! I did have sebek installed on the honeypot.  However, I did try 
>> to disable sebek server on the Honeypot itself but without any luck.
>>
>> Sure I am open to testing a fix.
>>
>> -Parvinder Bhasin
>>
>> Robert Mcmillen wrote:
>>> Parvinder,
>>>    When you were doing your pen testing against your honeypot and you 
>>> noticed the lack of data in the UI shortly after you started, did you 
>>> have sebek installed on the honeypot?  If so, I think we may have 
>>> found the problem.  Please let me know if this is the case and if you 
>>> are willing to test the fix.
>>> Rob
>>> _______________________________________________
>>> Honeywall mailing list
>>> Honeywall at public.honeynet.org
>>> https://public.honeynet.org/mailman/listinfo/honeywall
>>
> 


