[Honeywall] Sebek client port changing
esammons at hush.com
Tue Jul 8 09:27:07 EDT 2008
On Tue, 08 Jul 2008 06:05:21 -0400 Gayan Sahabandu
<gayan.leo at gmail.com> wrote:
>I am running an IIS server on an XP machine which I am using as my
>honeypot. Even though I gather info: (walleye flow view) from
>honeywall (roo 1.4) about my Honeypot I don't see any inbound
>HTTP traffic from the honeypot.
I don't use this stuff and I'm a bit out of touch on the dev side...
(Developers) Did HwBPF_DISABLE make it so you have to explicitly
list Honeypot IPs to get pcap capture for them? If so, (Gayan)
do you have the Honeypot IP in question listed in 'hwctl
>I have realised Sebek client (windows) tracks UDP port 1101 only.
Incorrect. Sebek client uses UDP/1101 (by default) to *Transmit*
information. The sebek server process on roo then picks it up
(from pcap?). As I understand it (could be wrong) sebek client
does not listen to network traffic at all - this is handled by
tcpdump, argus, snort etc. on the roo. For clarity I do not
mention this as being a defect. Also note, Sebek is not my
specialty so I could be slightly off - feel free to chime in a d
>Does this mean that I cannot use windows sebek client to gather
>HTTP traffic info: ?
HTTP destined for a Honeypot behind a roo should be traceable from
data collected by the roo. If not, something is wrong.