[Honeywall] Re: Linux Sebek Client succesfully?
rvmcmil at gmail.com
Fri Apr 4 09:37:08 EDT 2008
Have you looked at sebek filtering? I think by default it only
gets socket related keystrokes due to the volume of data that would
otherwise be generated.
Also, by default, it only does sys_read. Maybe the user and
password you are seeking are in sys_write?
Currently, there is no identification of attacker source ip. I
am working on that at this time by performing some additional
processing on the resulting sebek packets.
P.S. I am learning as I go here so please bear with me. It has been
a while since I have looked at sebek.
On Apr 4, 2008, at 5:51 AM, Alvaro del Olmo wrote:
> Hi Robert.
> It works, but only if the commands are typed through an incoming
> connection, for instance, ssh. That's why we could not see the
> packets before. The commands typed locally in the honeypot are not
> being captured. That might not be a problem because the attacker is
> supposed to connect remotely after all, but there is another problem
> (probably related to this?): ftp users and passwords. If I begin a
> ftp session to the honeypot, the ftp commands like 'get', 'put',
> 'ls', and of course the 'ftp' itself in the beginning, are being
> captured. But neither the user nor the password in the beginning of
> the ftp session are being captured. Have you checked this? Might
> this be because KEYSTROKE is not working after all, and it is only
> working SOCKET_TRACKING?
> I have another doubt. How do you store the IP of the incoming
> connections to the honeypots? Using honeywall snort or something?
> This is because we need a registry containing the sort of commands
> typed by each attacker's IP.
> Thank you very much.
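The "additional processing on the resulting sebek packets" that Robert mentions, and the per-attacker-IP command registry that Alvaro asks for, amount to joining two kinds of Sebek records: socket-tracking records (which process accepted which remote connection) and keystroke records (which process read which byte). The script below is an added illustration written for this page; it is not code from the thread, from Sebek, or from the Honeywall project. It does not parse the Sebek wire format: the records are constructed Python dicts with an assumed shape (pid, parent_pid, fd, data for keystrokes; pid, parent_pid, remote_ip for sockets), and the attribution rule, walking the parent-pid chain from the shell that reads keystrokes up to the ancestor that owns the accepted socket, is my own assumption about how such a join could work, not a description of how Sebek or the Honeywall does it.

```python
"""Correlate Sebek-style keystroke records with socket records to build a
per-attacker-IP command log.

Added example for this thread. Record layout is an ASSUMED simplified shape
(plain dicts), not the Sebek wire format, and all sample records are constructed.
"""
from collections import defaultdict

# Constructed sample records (assumed fields):
#   socket records:    pid, parent_pid, remote_ip   (one per accepted connection)
#   keystroke records: pid, parent_pid, fd, data    (one per sys_read, in order)
SAMPLE_RECORDS = [
    # sshd child 2001 accepts a connection from 192.0.2.10 ...
    {"type": "socket", "pid": 2001, "parent_pid": 800, "remote_ip": "192.0.2.10"},
    # ... and forks shell 2002, which reads keystrokes one byte at a time
    *[{"type": "keystroke", "pid": 2002, "parent_pid": 2001, "fd": 0, "data": b}
      for b in (b"l", b"s", b"\n", b"i", b"d", b"\x7f", b"d", b"\n")],
    # a second session from another address
    {"type": "socket", "pid": 3001, "parent_pid": 800, "remote_ip": "198.51.100.7"},
    *[{"type": "keystroke", "pid": 3002, "parent_pid": 3001, "fd": 0, "data": b}
      for b in (b"w", b"\n")],
    # a shell on the local console: no socket ancestor, so it stays "local"
    {"type": "keystroke", "pid": 4000, "parent_pid": 1, "fd": 0, "data": b"w"},
    {"type": "keystroke", "pid": 4000, "parent_pid": 1, "fd": 0, "data": b"\n"},
]

BACKSPACES = (0x7F, 0x08)   # DEL and BS: erase the previous byte of the line
LINE_ENDS = (0x0A, 0x0D)    # LF and CR: the command line is complete


def origin_ip(pid, parent, ip_of_pid, max_depth=64):
    """Walk up the parent-pid chain (assumed attribution rule) until a process
    with an accepted socket is found; otherwise report the session as local."""
    depth = 0
    while pid is not None and depth < max_depth:
        if pid in ip_of_pid:
            return ip_of_pid[pid]
        pid = parent.get(pid)
        depth += 1
    return "local"


def attribute_commands(records):
    """Return {remote_ip_or_'local': [command, ...]} from an ordered record stream."""
    parent = {}                          # pid -> parent pid, from every record seen
    ip_of_pid = {}                       # pid -> remote ip, from socket records
    buffers = defaultdict(bytearray)     # (pid, fd) -> partial command line
    commands = defaultdict(list)

    for rec in records:
        parent[rec["pid"]] = rec["parent_pid"]
        if rec["type"] == "socket":
            ip_of_pid[rec["pid"]] = rec["remote_ip"]
            continue
        if rec["type"] != "keystroke":
            continue                     # ignore record types this example does not model

        key = (rec["pid"], rec["fd"])
        for byte in rec["data"]:
            if byte in BACKSPACES:
                if buffers[key]:
                    buffers[key].pop()
            elif byte in LINE_ENDS:
                line = buffers.pop(key).decode("utf-8", errors="replace")
                if line:
                    ip = origin_ip(rec["pid"], parent, ip_of_pid)
                    commands[ip].append(line)
            else:
                buffers[key].append(byte)
    return dict(commands)


if __name__ == "__main__":
    for ip, cmds in attribute_commands(SAMPLE_RECORDS).items():
        print(f"{ip}: {cmds}")
```

Keystrokes are buffered per (pid, fd) and only attributed when a full line arrives, so a backspace edits the buffer rather than producing a spurious command, and a shell with no socket-owning ancestor lands under "local", which matches the thread's observation that locally typed commands are a separate case from remote sessions.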