[Honeywall] Sebek-packages but no data?

Rene Perschon perschon at itso-berlin.de
Thu Jul 31 09:59:15 EDT 2008


Hi!

I'm new to Honeynet and i have the following configuration:

Hostname:	Oscar
OS:		Windows XP SP3
Function:	VMware-Server Host


Hostname:	Wall-e
OS:		Fedora Core 6
Function:	HoneyWall roo 1.4
eth0:		VMNet2 (Host-Only) 192.168.52.0/24 (external)
eth1:		VMNet1 (Host-Only) 192.168.52.0/24 (honeynet)
br0:		Bridge for eth0 + eth1
eth2:		VMNet8 (Host-Only) 192.168.142.50/24 (Management Iface)


Hostname:	Victor
OS:		Ubuntu 7.10 Server
Function:	Honeypot with Sebek-Client
eth0:		VMNet1 (Host-Only) 192.168.52.0/24 (honeynet)


Hostname:	Charlie
OS:		Ubuntu 8.04
Function:	Attacker
eth0:		VMNet2 (Host-Only) 192.168.52.70/24


The net works, i have 2 VMNets (1+2) with the same net-address
(192.168.52.0/24) connected by the HoneyWall. All traffic between the
Virtual nets goes through the HoneyWall. Sebek is configured to send to
192.168.52.55:2543 from sourceport 2743 to the MAC of the HoneyWall
(internal Iface eth1).

The Sebek-client is inserted into the Kernel of "Victor" with the same
config as in the sebek-server on "Wall-e".

Now when i open a ssh-connection from "Charlie" to "Victor" i see lines
like these in /var/log/iptables on "Wall-e":

Jul 31 13:33:49 wall-e kernel: SEBEKIN=br0 OUT=eth2 PHYSIN=eth1
SRC=192.168.52.47 DST=192.168.52.55 LEN=85 TOS=0x0C PREC=0x00 TTL=31
ID=12 PROTO=UDP SPT=2743 DPT=2543 LEN=65

In the Walleye Interface i see the packages, recognizing them by Dest
IP, they look like this:

July 31st 12:42:55  00:00:00
192.168.52.47  0  192.168.52.55
UDP   2743(murx) 0kb  7pkts  2543(reftek)

There's no sebek flow icon, only the magnifying glass and the disk. When
i click the glass and click snort packet decode it shows me lines like
these:

07/31-12:42:55.595960 0:C:29:71:7E:C8 -> 0:C:29:63:2A:89
type:0x800len=0x63 192.168.52.47:2743 -> 192.168.52.55:2543 UDP TTL:32
TOS:0xD ID:12 IpLen:20 DgmLen:85 Len:57
Followed by the payload in Hex, but the translated contents are not
really what i've been looking for, i can't see the commands i submitted
to the honeypot by ssh, only lines like 
..K........qH..?
...0............
.......bash.....
.......P

or

..K........qH..?
...0............
.......sshd.....
.......P

it's always either bash or sshd but my commands are nowhere to be seen.

I hope somebody could give me an explanation about this and maybe a
little help, i'd appreciate it!

Thx in advance!




More information about the Honeywall mailing list