[Honeywall] Honeywall Digest, Vol 14, Issue 8
gayan.leo at gmail.com
Tue Jul 8 13:04:02 EDT 2008
Thank you very much for replying me back Earl. I see what you mean about
sebek. It starting to make sense to me now. cheers for that : )
But the situation with my honeywall is
When I change the status of Sebek Server to " Accept sebek packets and log"
it automatically changers to "Deny".
For my understanding I have done everything correct to retrieve sebek data
from honeypot machine.
Honeypot IP: 192.168.2.113
Management IP: 192.168.2.21
gateway IP: 192.168.2.1 (router LAN IP)
I have port forward port 80 to honeypot IP from my router so the external
http traffic redirect to honeypot.
I have configured sebek client with following as,
Destination IP: 192.168.2.1 (gateway IP)
Destination MAC = ( Internal interface MAC address of honeywall)
Destination IP: 192.168.2.1 (gateway IP) as mentioned by pakistan project
To give you a good picture of this I have enclosed a screen shot of etheral
( SEBEK - kernal data capture packet) which I have captured from honeywall
walleye interface. It shows Honeypot IP address as the source IP, but
doesn't shows the destination IP address (0.0.0.0).
Could you please tell where did made the error as I am stuck at this point
almost 2 weeks now :(
On 7/8/08, honeywall-request at public.honeynet.org <
honeywall-request at public.honeynet.org> wrote:
> Send Honeywall mailing list submissions to
> honeywall at public.honeynet.org
> To subscribe or unsubscribe via the World Wide Web, visit
> or, via email, send a message with subject or body 'help' to
> honeywall-request at public.honeynet.org
> You can reach the person managing the list at
> honeywall-owner at public.honeynet.org
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Honeywall digest..."
> Today's Topics:
> 1. Sebek client port changing (Gayan Sahabandu)
> 2. Re: Sebek client port changing (Earl)
> Message: 1
> Date: Tue, 8 Jul 2008 11:05:21 +0100
> From: "Gayan Sahabandu" <gayan.leo at gmail.com>
> Subject: [Honeywall] Sebek client port changing
> To: honeywall at public.honeynet.org
> <f64211650807080305t1a05bca3id83022eb041d2bd7 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> I am running IIS server on a XP machine which I am using as my honeypot.
> Even though I gather info: (walleye flow view) from honeywall (roo 1.4)
> about my Honeypot I dont see any inbound HTTP traffic from the honeypot. I
> can access my web page externally (WAN) using my public IP. I have realise
> Sebek client (windows) track UDP port 1101 only. Is this mean that I cannot
> use windows sebek client to gather HTTP traffic info: ? Any solution for
> this problem will be greatly appreciated.
> Thank you,
> -------------- next part --------------
> An HTML attachment was scrubbed...
> Message: 2
> Date: Tue, 08 Jul 2008 09:27:07 -0400
> From: "Earl" <esammons at hush.com>
> Subject: Re: [Honeywall] Sebek client port changing
> To: honeywall at public.honeynet.org
> Message-ID: <20080708132709.42A202003D at mailserver7.hushmail.com>
> Content-Type: text/plain; charset="UTF-8"
> On Tue, 08 Jul 2008 06:05:21 -0400 Gayan Sahabandu
> <gayan.leo at gmail.com> wrote:
> >I am running IIS server on a XP machine which I am using as my
> >honeypot. Even though I gather info: (walleye flow view) from
> >honeywall (roo 1.4) about my Honeypot I dont see any inbound
> >HTTP traffic from the honeypot.
> I dont use this stuff and I'm a bit out of touch on the dev side...
> (Developers) Did HwBPF_DISABLE make it so you have to explicitly
> list Honeypot IP's to get pcpap capture for them? If so, (Gayan)
> do you have the Honeypot IP in question listed in 'hwctl
> HwHPOT_PUBLIC_IP' ?
> >I have realise Sebek client (windows) track UDP port 1101 only.
> Incorrect. Sebek client uses UDP/1101 (by default) to *Transmit*
> information. The sebek server process on roo then picks it up
> (from pcap?). As I understand it (could be wrong) sebek client
> does not listen to network traffic at all - this is handled by
> tcpdump, argus, snort etc. on the roo. For clarity I do not
> mention this as being a defect. Also note, Sebek is not my
> specialty so I could be slightly off - feel free to chime in a d
> correct me...
> >Is this mean that I cannot use windows sebek client to gather
> >HTTP traffic info: ?
> HTTP destined for a Honeypot behind a roo should be traceable from
> data collected by the roo. If not, something is wrong.
> Honeywall mailing list
> Honeywall at public.honeynet.org
> End of Honeywall Digest, Vol 14, Issue 8
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Honeywall