[Honeywall] Sebek-packages but no data?

Jefferson, Shawn Shawn.Jefferson at bcferries.com
Thu Jul 31 11:51:32 EDT 2008


I think at least one of the problems may be explained by the fact that
you are creating an SSH session from your attacker INTO your honeypot.
The honeypot is sending Sebek packets out with the process that is
running, but it doesn't have any way of capturing the data from the SSH
session (since all the keystrokes are occurring on the attacker

Why you don't see the Sebek icon in Walleye, I'm not sure about that.
Do you see a flow for your SSH session in Walleye?

Have you tried initiating a SSH session from the honeypot to the
attacker machine, to see what you can see via Walleye then?


-----Original Message-----
Now when i open a ssh-connection from "Charlie" to "Victor" i see lines
like these in /var/log/iptables on "Wall-e":

Jul 31 13:33:49 wall-e kernel: SEBEKIN=br0 OUT=eth2 PHYSIN=eth1
SRC= DST= LEN=85 TOS=0x0C PREC=0x00 TTL=31
ID=12 PROTO=UDP SPT=2743 DPT=2543 LEN=65

In the Walleye Interface i see the packages, recognizing them by Dest
IP, they look like this:

July 31st 12:42:55  00:00:00  0
UDP   2743(murx) 0kb  7pkts  2543(reftek)

There's no sebek flow icon, only the magnifying glass and the disk. When
i click the glass and click snort packet decode it shows me lines like

07/31-12:42:55.595960 0:C:29:71:7E:C8 -> 0:C:29:63:2A:89
type:0x800len=0x63 -> UDP TTL:32
TOS:0xD ID:12 IpLen:20 DgmLen:85 Len:57
Followed by the payload in Hex, but the translated contents are not
really what i've been looking for, i can't see the commands i submitted
to the honeypot by ssh, only lines like 



it's always either bash or sshd but my commands are nowhere to be seen.

I hope somebody could give me an explanation about this and maybe a
little help, i'd appreciate it!

Thx in advance!

Honeywall mailing list
Honeywall at public.honeynet.org

More information about the Honeywall mailing list