[Honeywall] Re: Roo-1.3: Sebek-related Problems [Upd]

Robert Mcmillen rvmcmil at gmail.com
Fri Apr 4 08:39:07 EDT 2008


Stefan,
     I've been doing some work to attempt to identify the source IP of
every attack so that I could correlate it with its keystrokes. During
this process, I have found that the SSH daemon is a pain. There is
one process that handles the listen and, once a connection comes in, it
forks and another handles the session. The original goes back to
listening. Therefore, the process tree always sees that one listening
sshd process as its parent.
     When you have a brute force attack, there is one parent to every
single SSH attempt. This is why you see so many when you click on the
related connections.

On Apr 4, 2008, at 4:58 AM, Stefan Vömel wrote:

> Rob,
>
> I have analyzed a single telnet session and the problem does not seem to be
> directly related to Sebek or the way Walleye displays keystrokes. In fact, it
> rather seems to be a problem of the process tree mapping.
>
> When I click on the "Show me the process tree" icon for a specific
> connection, the process summary, the process tree and the related network
> connections are shown. I monitor a lot of SSH brute force attempts. That's
> why a lot of related network activities are displayed when I try to
> investigate a single connection. More often than not, the process tree is
> not correctly drawn. This is possibly due to a browser timeout.

This is probably due to sshd having that one parent and Walleye trying
to draw all related flows in the graphic. In a brute force attempt,
this could be very nasty.

> I have found the perl modules in /usr/lib/perl5/vendor_perl/Walleye. For my
> work, it would be sufficient to display only the process tree for the given
> connection. Is this possible?

I think I am close here. Just need some additional time to ensure my
theory is accurate. I think this would also fix the issue you
mentioned above with the timeout.

Hope this helps, and please keep them coming. It really helps,

Rob
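As an added example (not code from Walleye or from anyone in this thread), here is the scoping Stefan asks for and Rob describes: the listener is one sshd whose parent is not sshd, every connection's sshd is a direct child of it, so the tree for a single connection is the subtree rooted at that child rather than at the shared parent. The process table, the flow-to-pid mapping and the rule for recognising the listener are all constructed assumptions for illustration; Walleye itself is written in Perl, and this Python stand-in does not use its modules.

```python
"""Added example, not Walleye's own (Perl) code: scope the process tree to the
one SSH session that owns a connection, instead of drawing every sibling
session under the sshd listener. All data here is constructed."""
from collections import defaultdict

# Constructed process table (pid, ppid, command) modelled on the sshd behaviour
# described in the mail: one listener forks an sshd per connection and goes
# back to listening, so every session is a child of that single listener.
PROCS = [
    (1, 0, "init"),
    (100, 1, "sshd"),      # listening daemon
    (201, 100, "sshd"),    # forked for interactive session A
    (202, 100, "sshd"),    # forked for brute-force attempt B
    (203, 100, "sshd"),    # forked for brute-force attempt C
    (301, 201, "bash"),    # shell under session A (where Sebek sees keystrokes)
    (302, 301, "wget"),
    (303, 301, "perl"),
]

# Constructed: forked sshd pid -> (src_ip, src_port, dst_ip, dst_port). It is an
# assumption that the sensor can attribute a flow to a pid; the mail does not
# say how Walleye does it.
FLOWS = {
    201: ("10.0.0.5", 51234, "192.168.1.10", 22),
    202: ("198.51.100.7", 40001, "192.168.1.10", 22),
    203: ("198.51.100.7", 40002, "192.168.1.10", 22),
}

def maps(procs):
    """Parent pid, command and children lists, each keyed by pid."""
    parents = {pid: ppid for pid, ppid, _ in procs}
    cmds = {pid: cmd for pid, _, cmd in procs}
    children = defaultdict(list)
    for pid, ppid, _ in procs:
        children[ppid].append(pid)
    return parents, cmds, children

def session_root(procs, pid):
    """Walk up from pid to the forked sshd sitting directly below the listener.
    Assumption: the listener is the sshd whose own parent is not sshd."""
    parents, cmds, _ = maps(procs)
    cur = pid
    while cur in parents and parents[cur] != 0:
        par = parents[cur]
        if cmds.get(par) == "sshd" and cmds.get(parents.get(par)) != "sshd":
            return cur
        cur = par
    raise ValueError("pid %d is not inside an SSH session" % pid)

def subtree(procs, root):
    """Every pid at or below root, depth-first, root first."""
    _, _, children = maps(procs)
    out, stack = [], [root]
    while stack:
        pid = stack.pop()
        out.append(pid)
        stack.extend(reversed(children.get(pid, [])))
    return out

def pid_for_flow(flows, flow):
    for pid, f in flows.items():
        if f == flow:
            return pid
    raise KeyError("no process owns flow %r" % (flow,))

def tree_from_listener(procs, flow_pid):
    """Over-broad view: starting at the parent (the listener) pulls in every
    concurrent session, which is why brute-force noise floods the graphic."""
    parents, _, _ = maps(procs)
    return subtree(procs, parents[session_root(procs, flow_pid)])

def tree_for_connection(procs, flows, flow):
    """Scoped view: only the session that owns this one connection."""
    return subtree(procs, session_root(procs, pid_for_flow(flows, flow)))

def related_flows(flows, pids):
    """Network connections owned by processes inside the given tree."""
    return {pid: flows[pid] for pid in pids if pid in flows}

def render(procs, pids):
    """Indented text tree for a quick look (not used by the assertions)."""
    parents, cmds, _ = maps(procs)
    lines = []
    for pid in pids:
        depth, cur = 0, pid
        while parents.get(cur) in pids:
            depth, cur = depth + 1, parents[cur]
        lines.append("%s%s(%d)" % ("  " * depth, cmds[pid], pid))
    return "\n".join(lines)

if __name__ == "__main__":
    broad = tree_from_listener(PROCS, 201)
    scoped = tree_for_connection(PROCS, FLOWS, FLOWS[201])
    print("from the listener:\n%s\n%r\n" % (render(PROCS, broad), related_flows(FLOWS, broad)))
    print("for one connection:\n%s\n%r" % (render(PROCS, scoped), related_flows(FLOWS, scoped)))
```

Run stand-alone it prints both views: rooted at the listener, the brute-force sshd children (202, 203) and their flows appear alongside session A; rooted at the session's own sshd, only A's shell, its children and its single flow are left, which is the small tree Stefan wants and the one that avoids drawing thousands of failed logins.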

