[Honeywall] Sebek-packages but no data?

Jefferson, Shawn Shawn.Jefferson at bcferries.com
Thu Jul 31 11:51:32 EDT 2008


Hi,

I think at least one of the problems may be explained by the fact that
you are creating an SSH session from your attacker INTO your honeypot.
The honeypot is sending Sebek packets out with the process that is
running, but it doesn't have any way of capturing the data from the SSH
session (since all the keystrokes are occurring on the attacker
machine.)

Why you don't see the Sebek icon in Walleye, I'm not sure about that.
Do you see a flow for your SSH session in Walleye?

Have you tried initiating an SSH session from the honeypot to the
attacker machine, to see what you can see via Walleye then?

Thanks,
Shawn

-----Original Message-----
Now when I open an SSH connection from "Charlie" to "Victor" I see lines
like these in /var/log/iptables on "Wall-e":

Jul 31 13:33:49 wall-e kernel: SEBEKIN=br0 OUT=eth2 PHYSIN=eth1
SRC=192.168.52.47 DST=192.168.52.55 LEN=85 TOS=0x0C PREC=0x00 TTL=31
ID=12 PROTO=UDP SPT=2743 DPT=2543 LEN=65

In the Walleye interface I see the packages, recognizing them by Dest
IP; they look like this:

July 31st 12:42:55  00:00:00
192.168.52.47  0  192.168.52.55
UDP   2743(murx) 0kb  7pkts  2543(reftek)

There's no Sebek flow icon, only the magnifying glass and the disk. When
I click the glass and then click "snort packet decode" it shows me lines
like these:

07/31-12:42:55.595960 0:C:29:71:7E:C8 -> 0:C:29:63:2A:89
type:0x800len=0x63 192.168.52.47:2743 -> 192.168.52.55:2543 UDP TTL:32
TOS:0xD ID:12 IpLen:20 DgmLen:85 Len:57
Followed by the payload in hex, but the translated contents are not
really what I've been looking for; I can't see the commands I submitted
to the honeypot by SSH, only lines like
..K........qH..?
...0............
.......bash.....
.......P

or

..K........qH..?
...0............
.......sshd.....
.......P

It's always either bash or sshd, but my commands are nowhere to be seen.

I hope somebody could give me an explanation about this and maybe a
little help; I'd appreciate it!

Thx in advance!
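As an added example (not code from the original thread), a decoder for the Sebek UDP payload discussed above: the 12-byte com field is where the "bash"/"sshd" seen in the hex dump lives, and the bytes after the header are the captured read() data. The header layout is assumed from Sebek's version 2 and version 3 header definitions; the magic, PIDs and single keystroke in the sample record are constructed, sized like the 57-byte payload in the Snort decode.

```python
import struct

# Sebek record header, network byte order (layout assumed from Sebek's own header
# definition: version 3 adds parent_pid and inode to the version 2 layout).
SBK3_HDR = struct.Struct("!IHHIIIIIIII12sI")  # 56 bytes
SBK2_HDR = struct.Struct("!IHHIIIIII12sI")    # 48 bytes
SBK3_FIELDS = ("magic", "ver", "type", "counter", "time_sec", "time_usec",
               "parent_pid", "pid", "uid", "fd", "inode", "com", "length")
SBK2_FIELDS = ("magic", "ver", "type", "counter", "time_sec", "time_usec",
               "pid", "uid", "fd", "com", "length")
TYPE_NAMES = {0: "read", 1: "write", 2: "socket", 3: "open"}


def parse_sebek(payload: bytes) -> dict:
    """Decode one Sebek UDP payload; raise ValueError on a truncated record."""
    if len(payload) < 8:
        raise ValueError("payload shorter than the magic/version/type prefix")
    ver = struct.unpack_from("!H", payload, 4)[0]
    if ver == 3:
        hdr, fields = SBK3_HDR, SBK3_FIELDS
    elif ver == 2:
        hdr, fields = SBK2_HDR, SBK2_FIELDS
    else:
        raise ValueError(f"unsupported Sebek version {ver}")
    if len(payload) < hdr.size:
        raise ValueError("truncated Sebek header")
    rec = dict(zip(fields, hdr.unpack_from(payload)))
    # com is a NUL-padded 12-byte process name: the "bash"/"sshd" visible in the dump
    rec["com"] = rec["com"].split(b"\0", 1)[0].decode("ascii", "replace")
    rec["type_name"] = TYPE_NAMES.get(rec["type"], f"unknown({rec['type']})")
    data = payload[hdr.size:hdr.size + rec["length"]]
    if len(data) < rec["length"]:
        raise ValueError("record data shorter than declared length")
    rec["data"] = data
    return rec


def build_sebek3(magic, counter, time_sec, ppid, pid, uid, fd, inode, com, rtype, data):
    """Build a version 3 record; used here only to construct sample input."""
    hdr = SBK3_HDR.pack(magic, 3, rtype, counter, time_sec, 0, ppid, pid, uid, fd,
                        inode, com.encode(), len(data))
    return hdr + data


# Constructed sample: one keystroke 'l' read by bash from fd 0 (56-byte header plus
# 1 data byte = 57). All values, including the magic (set per deployment), are placeholders.
SAMPLE = build_sebek3(0xD0D0D0D0, 12, 1217511775, 2710, 2743, 0, 0, 5, "bash", 0, b"l")
```

`parse_sebek(SAMPLE)` yields com "bash", type "read", length 1 and data b"l"; a record whose data is shorter than its declared length raises instead of being misread.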


_______________________________________________
Honeywall mailing list
Honeywall at public.honeynet.org
https://public.honeynet.org/mailman/listinfo/honeywall

