[Honeywall] Sebek-packages but no data?
perschon at itso-berlin.de
Thu Jul 31 09:59:15 EDT 2008
I'm new to Honeynet and I have the following configuration:

OS: Windows XP SP3
Function: VMware-Server Host

OS: Fedora Core 6
Function: HoneyWall roo 1.4
eth0: VMNet2 (Host-Only) 192.168.52.0/24 (external)
eth1: VMNet1 (Host-Only) 192.168.52.0/24 (honeynet)
br0: Bridge for eth0 + eth1
eth2: VMNet8 (Host-Only) 192.168.142.50/24 (Management Iface)

OS: Ubuntu 7.10 Server
Function: Honeypot with Sebek-Client
eth0: VMNet1 (Host-Only) 192.168.52.0/24 (honeynet)

OS: Ubuntu 8.04
eth0: VMNet2 (Host-Only) 192.168.52.70/24
The net works: I have two VMNets (1 and 2) with the same network address
(192.168.52.0/24) connected by the HoneyWall. All traffic between the
virtual nets goes through the HoneyWall. Sebek is configured to send to
192.168.52.55:2543 from source port 2743 to the MAC of the HoneyWall
(internal iface eth1).
The Sebek client is inserted into the kernel of "Victor" with the same
config as in the Sebek server on "Wall-e".
Now when I open an SSH connection from "Charlie" to "Victor", I see lines
like these in /var/log/iptables on "Wall-e":
Jul 31 13:33:49 wall-e kernel: SEBEKIN=br0 OUT=eth2 PHYSIN=eth1
SRC=192.168.52.47 DST=192.168.52.55 LEN=85 TOS=0x0C PREC=0x00 TTL=31
ID=12 PROTO=UDP SPT=2743 DPT=2543 LEN=65
In the Walleye interface I see the packets, recognizing them by destination
IP; they look like this:
July 31st 12:42:55 00:00:00
192.168.52.47 0 192.168.52.55
UDP 2743(murx) 0kb 7pkts 2543(reftek)
There's no Sebek flow icon, only the magnifying glass and the disk. When
I click the glass and then click "snort packet decode", it shows me lines like:
07/31-12:42:55.595960 0:C:29:71:7E:C8 -> 0:C:29:63:2A:89
type:0x800len=0x63 192.168.52.47:2743 -> 192.168.52.55:2543 UDP TTL:32
TOS:0xD ID:12 IpLen:20 DgmLen:85 Len:57
followed by the payload in hex, but the translated contents are not
really what I've been looking for: I can't see the commands I submitted
to the honeypot over SSH, only lines like
It's always either bash or sshd, but my commands are nowhere to be seen.
I hope somebody could give me an explanation for this and maybe a
little help; I'd appreciate it!
Thx in advance!
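A small added check, not part of the post or of the Honeywall/roo code: it parses the SEBEK lines that the Honeywall's iptables rule writes to /var/log/iptables (the sample line is constructed from the values quoted above) and reports every way a logged packet deviates from the Sebek export settings the post describes (destination 192.168.52.55:2543, source port 2743, arriving on eth1). The expected settings in EXPECTED are assumed from the post, not read from the roo configuration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of the SEBEK line in /var/log/iptables (values from the post).
SAMPLE_LINE = (
    "Jul 31 13:33:49 wall-e kernel: SEBEKIN=br0 OUT=eth2 PHYSIN=eth1 "
    "SRC=192.168.52.47 DST=192.168.52.55 LEN=85 TOS=0x0C PREC=0x00 TTL=31 "
    "ID=12 PROTO=UDP SPT=2743 DPT=2543 LEN=65"
)

# Sebek export settings as described in the post (assumed, not read from roo).
EXPECTED = {"dst": "192.168.52.55", "dpt": 2543, "spt": 2743,
            "physin": "eth1", "honeynet": "192.168.52.0/24"}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_iptables_line(line):
    """Split an iptables kernel log line into a dict of its KEY=VALUE fields."""
    _, sep, body = line.partition("kernel: ")
    idx = body.find("IN=") if sep else -1
    if idx < 0:
        raise ValueError("not an iptables log line")
    # --log-prefix is printed right before IN=; without a trailing space it
    # fuses with the field name (SEBEKIN=br0), so split on the first "IN=".
    fields = {"PREFIX": body[:idx].strip()}
    for key, value in _KV.findall(body[idx:]):
        if key in fields:          # LEN= appears twice: IP total, then UDP length
            key = "UDP_" + key
        fields[key] = value
    return fields


def check_sebek_flow(fields, expected=EXPECTED):
    """Return the mismatches between a logged packet and the expected Sebek flow."""
    problems = []
    if fields.get("PROTO") != "UDP":
        problems.append("PROTO=%s, Sebek exports over UDP" % fields.get("PROTO"))
    for key, want in (("DST", expected["dst"]), ("PHYSIN", expected["physin"])):
        if fields.get(key) != want:
            problems.append("%s=%s, expected %s" % (key, fields.get(key), want))
    for key, want in (("SPT", expected["spt"]), ("DPT", expected["dpt"])):
        if int(fields.get(key, 0)) != want:
            problems.append("%s=%s, expected %d" % (key, fields.get(key), want))
    if ip_address(fields["SRC"]) not in ip_network(expected["honeynet"]):
        problems.append("SRC=%s is outside the honeynet" % fields["SRC"])
    # IP total length minus the UDP length must be the 20-byte IP header.
    if int(fields["LEN"]) - int(fields.get("UDP_LEN", 0)) != 20:
        problems.append("IP/UDP length mismatch, not a plain UDP datagram")
    return problems
```

An empty list for the sample line means the honeypot is exporting to the right place at the IP/UDP level, so a missing Sebek flow in Walleye has to be looked for in the Sebek payload itself (magic value, version and key settings) rather than in the network path.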