[Honeywall] Re: Linux Sebek Client successfully?

Robert Mcmillen rvmcmil at gmail.com
Fri Apr 4 09:37:08 EDT 2008


Alvaro,
     Have you looked at sebek filtering?  I think by default it only  
gets socket-related keystrokes due to the volume of data that would  
otherwise be generated.

     Also, by default, it only does sys_read.  Maybe the user and  
password you are seeking are in sys_write?

     Currently, there is no identification of the attacker's source IP.  I  
am working on that at this time by performing some additional  
processing on the resulting sebek packets.

Rob

P.S.  I am learning as I go here so please bear with me.  It has been  
a while since I have looked at sebek.

On Apr 4, 2008, at 5:51 AM, Alvaro del Olmo wrote:

> Hi Robert.
> It works, but only if the commands are typed through an incoming  
> connection, for instance, ssh. That's why we could not see the  
> packets before. The commands typed locally in the honeypot are not  
> being captured. That might not be a problem because the attacker is  
> supposed to connect remotely after all, but there is another problem  
> (probably related to this?): ftp users and passwords. If I begin an  
> ftp session to the honeypot, the ftp commands like 'get', 'put',  
> 'ls', and of course the 'ftp' itself at the beginning, are being  
> captured. But neither the user nor the password at the beginning of  
> the ftp session are being captured. Have you checked this? Might  
> this be because KEYSTROKE is not working after all, and only  
> SOCKET_TRACKING is working?
>
> I have another doubt. How do you store the IP of the incoming  
> connections to the honeypots? Using honeywall snort or something?  
> This is because we need a registry containing the sort of commands  
> typed by each attacker's IP.
>
> Thank you very much.


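Added example, not code from this thread or from the Sebek project: a small Python correlator that does the "additional processing on the resulting sebek packets" Rob describes, tagging each captured keystroke (read record) with the remote IP of the socket owned by the reading process or one of its ancestors. The Sebek v3 header layout (struct sbk_h: magic, version, type, counter, time, parent pid, pid, uid, fd, inode, 12-byte command name, data length, all big-endian) and the socket-tracking payload (dip, dport, sip, sport, call, proto) are reproduced from memory of the Sebek v3 client and must be checked against your own client's sebek.h; the MAGIC value, the type numbers, the sample records and the honeypot address 10.0.0.5 are constructed for the example. Rather than guess which of sip/dip is the peer for an accept versus a connect, the code takes the honeypot's own addresses and treats whichever address is not local as the attacker.

```python
"""Tag Sebek v3 keystroke records with the peer IP of the socket that the
reading process, or an ancestor seen in the same stream, logged."""
import struct

# Sebek v3 record header (struct sbk_h) from memory: magic, ver, type,
# counter, time_sec, time_usec, parent_pid, pid, uid, fd, inode, com[12],
# length. Verify order and sizes against your client's sebek.h.
SBK_HDR = struct.Struct("!IHH" + "I" * 8 + "12sI")
SBK_READ, SBK_WRITE, SBK_SOCK, SBK_OPEN = 0, 1, 2, 3     # assumed numbering
SBK_SOCK_REC = struct.Struct("!IHIHHB")  # assumed: dip, dport, sip, sport, call, proto
MAGIC = 0xD0D0D0D0  # assumed; must equal MAGIC_VAL from sbk_install.sh


def ip2int(a):
    return struct.unpack("!I", bytes(map(int, a.split("."))))[0]


def int2ip(n):
    return ".".join(str(b) for b in struct.pack("!I", n))


def build(rtype, ppid, pid, fd, com, data, counter=0, t=0, uid=0, inode=0):
    """Constructed record builder, used only to fabricate sample traffic."""
    hdr = SBK_HDR.pack(MAGIC, 3, rtype, counter, t, 0, ppid, pid, uid, fd,
                       inode, com.encode().ljust(12, b"\0"), len(data))
    return hdr + data


def sock_payload(dip, dport, sip, sport, call=5, proto=6):
    return SBK_SOCK_REC.pack(ip2int(dip), dport, ip2int(sip), sport, call, proto)


def parse(stream):
    """Split back-to-back records (one per UDP datagram on the wire) into
    dicts; a bad magic raises instead of silently resynchronising."""
    out, off = [], 0
    while off + SBK_HDR.size <= len(stream):
        f = SBK_HDR.unpack_from(stream, off)
        if f[0] != MAGIC:
            raise ValueError("bad magic at offset %d" % off)
        off += SBK_HDR.size
        out.append(dict(ver=f[1], type=f[2], counter=f[3], sec=f[4], usec=f[5],
                        ppid=f[6], pid=f[7], uid=f[8], fd=f[9], inode=f[10],
                        com=f[11].rstrip(b"\0").decode(errors="replace"),
                        data=stream[off:off + f[12]]))
        off += f[12]
    return out


def attribute(records, local_ips):
    """Yield (peer_ip, pid, com, data) for every read record, walking up the
    pid -> ppid tree built from the stream until a socket record is found."""
    local = {ip2int(ip) for ip in local_ips}
    parent = {r["pid"]: r["ppid"] for r in records}
    peer = {}
    for r in records:
        if r["type"] != SBK_SOCK or len(r["data"]) < SBK_SOCK_REC.size:
            continue
        dip, _, sip, _, _, _ = SBK_SOCK_REC.unpack_from(r["data"])
        for ip in (dip, sip):  # whichever end is not the honeypot is the peer
            if ip and ip not in local:
                peer.setdefault(r["pid"], int2ip(ip))
    for r in records:
        if r["type"] != SBK_READ:
            continue
        pid, ip, seen = r["pid"], None, set()
        while pid and pid not in seen:
            seen.add(pid)
            ip = peer.get(pid)
            if ip:
                break
            pid = parent.get(pid, 0)
        yield ip or "unknown", r["pid"], r["com"], r["data"]


def session_log(stream, local_ips):
    """Reassemble captured keystrokes per attacker IP, in stream order."""
    log = {}
    for ip, _pid, _com, data in attribute(parse(stream), local_ips):
        log[ip] = log.get(ip, "") + data.decode(errors="replace")
    return log


HONEYPOT = "10.0.0.5"   # constructed honeypot address
SAMPLE = b"".join([     # constructed stream: one ssh session plus a console login
    # sshd session child logs the accepted inbound socket from 192.0.2.77
    build(SBK_SOCK, 500, 600, 4, "sshd",
          sock_payload(HONEYPOT, 22, "192.0.2.77", 41234)),
    # shell spawned by that sshd child: one-byte tty reads (keystroke mode)
    *[build(SBK_READ, 600, 601, 0, "bash", c.encode()) for c in "ls\n"],
    *[build(SBK_READ, 600, 601, 0, "bash", c.encode()) for c in "ftp 10.0.0.9\n"],
    # ftp client run from that shell reads its username prompt as one line
    build(SBK_READ, 601, 602, 0, "ftp", b"anonymous\n"),
    # shell on the local console: no socket anywhere in its ancestry
    *[build(SBK_READ, 1, 700, 0, "bash", c.encode()) for c in "w\n"],
])

if __name__ == "__main__":
    for ip, text in session_log(SAMPLE, [HONEYPOT]).items():
        print(ip, repr(text))
```

The ancestry walk is what lets the ftp client's line-sized read (pid 602) land under the same attacker as the shell that launched it, since only the sshd child that accepted the connection ever logs a socket record; reads from a process with no networked ancestor in the stream fall into "unknown", which is where locally typed console commands end up.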