[Honeywall] Sebek-packages but no data?

Rob McMillen rvmcmil at gmail.com
Thu Jul 31 15:20:25 EDT 2008


If you are trying to view the keystrokes related to an ssh connection,
you should try looking for the ssh connection in walleye not the sebek
ports.  Therefore, you need to search for packets with a destination
IP of your honeypot and port 22.  The sebek icon will appear when a
flow has a sys_socket call associated with it.  You will not see a
sys_socket call associated with the sebek client.

Also, depending on your honeywall configuration, you may not see
traffic that is within the honeypot LAN.  If this is the case, try
connecting to the honeypot through the honeywall from a machine that
is located outside the honeypot LAN.

Let me know if this helps or hurts the issue,

Rob

On Thu, Jul 31, 2008 at 11:51 AM, Jefferson, Shawn
<Shawn.Jefferson at bcferries.com> wrote:
> Hi,
>
> I think at least one of the problems may be explained by the fact that
> you are creating an SSH session from your attacker INTO your honeypot.
> The honeypot is sending Sebek packets out with the process that is
> running, but it doesn't have any way of capturing the data from the SSH
> session (since all the keystrokes are occurring on the attacker
> machine.)
>
> Why you don't see the Sebek icon in Walleye, I'm not sure about that.
> Do you see a flow for your SSH session in Walleye?
>
> Have you tried initiating an SSH session from the honeypot to the
> attacker machine, to see what you can see via Walleye then?
>
> Thanks,
> Shawn
>
> -----Original Message-----
> Now when I open an ssh connection from "Charlie" to "Victor" I see lines
> like these in /var/log/iptables on "Wall-e":
>
> Jul 31 13:33:49 wall-e kernel: SEBEKIN=br0 OUT=eth2 PHYSIN=eth1
> SRC=192.168.52.47 DST=192.168.52.55 LEN=85 TOS=0x0C PREC=0x00 TTL=31
> ID=12 PROTO=UDP SPT=2743 DPT=2543 LEN=65
>
> In the Walleye Interface I see the packages, recognizing them by Dest
> IP, they look like this:
>
> July 31st 12:42:55  00:00:00
> 192.168.52.47  0  192.168.52.55
> UDP   2743(murx) 0kb  7pkts  2543(reftek)
>
> There's no sebek flow icon, only the magnifying glass and the disk. When
> I click the glass and click snort packet decode it shows me lines like
> these:
>
> 07/31-12:42:55.595960 0:C:29:71:7E:C8 -> 0:C:29:63:2A:89
> type:0x800len=0x63 192.168.52.47:2743 -> 192.168.52.55:2543 UDP TTL:32
> TOS:0xD ID:12 IpLen:20 DgmLen:85 Len:57
> Followed by the payload in Hex, but the translated contents are not
> really what I've been looking for, I can't see the commands I submitted
> to the honeypot by ssh, only lines like
> ..K........qH..?
> ...0............
> .......bash.....
> .......P
>
> or
>
> ..K........qH..?
> ...0............
> .......sshd.....
> .......P
>
> It's always either bash or sshd but my commands are nowhere to be seen.
>
> I hope somebody could give me an explanation about this and maybe a
> little help, I'd appreciate it!
>
> Thx in advance!
>
>
> _______________________________________________
> Honeywall mailing list
> Honeywall at public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/honeywall
>
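As an added example (not code from the thread or from the Sebek project), here is a decoder for the kind of Sebek records shown in the dumps above, assuming the Sebek v3 header layout documented by the Honeynet Project: a 56-byte network-order header whose 12-byte `com` field is where the `bash`/`sshd` in the hex dump comes from, followed by `length` bytes of data. The magic value, PIDs, timestamp and keystrokes are constructed.

```python
import struct
from collections import defaultdict

# Sebek v3 record header in network byte order (layout assumed from the Honeynet
# Project's Sebek 3 docs): magic, ver, type, counter, sec, usec, ppid, pid, uid, fd, inode, com[12], length
SBK_HDR = struct.Struct("!IHHIIIIIIII12sI")          # 56 bytes
SBK_TYPES = {0: "read", 1: "write", 2: "socket", 3: "open"}
DEMO_MAGIC = 0xD0D0D0D0                               # constructed; real value is site-specific

def parse_record(payload):
    """Split one Sebek UDP payload into header fields and the data it carries."""
    if len(payload) < SBK_HDR.size:
        raise ValueError("payload shorter than a Sebek v3 header")
    (magic, ver, typ, counter, _sec, _usec, _ppid, pid, uid, fd, _inode,
     com, length) = SBK_HDR.unpack_from(payload)
    # com is the 12-byte, NUL-padded process name: the "bash"/"sshd" seen in the dumps.
    return {"magic": magic, "ver": ver, "type": SBK_TYPES.get(typ, typ),
            "counter": counter, "pid": pid, "uid": uid, "fd": fd,
            "com": com.split(b"\0", 1)[0].decode("ascii", "replace"),
            "data": payload[SBK_HDR.size:SBK_HDR.size + length]}

def build_record(typ, pid, fd, com, data, counter):
    """Constructed record standing in for what the Sebek client emits."""
    hdr = SBK_HDR.pack(DEMO_MAGIC, 3, typ, counter, 1217522575, 0, 1, pid, 0,
                       fd, 0, com.encode().ljust(12, b"\0"), len(data))
    return hdr + data  # a one-keystroke read record is 56 + 1 = 57 bytes

def reassemble_keystrokes(payloads):
    """Join read() data per (process, pid, fd) in counter order; write/socket/open records are skipped."""
    by_fd = defaultdict(list)
    for p in payloads:
        r = parse_record(p)
        if r["type"] == "read":
            by_fd[(r["com"], r["pid"], r["fd"])].append((r["counter"], r["data"]))
    return {k: b"".join(d for _, d in sorted(v)) for k, v in by_fd.items()}

# Constructed capture: sshd opening a socket (the record Walleye keys its sebek
# icon on), then a bash reading "ls\n" one keystroke at a time, out of order.
DEMO_PAYLOADS = [
    build_record(2, 4000, 3, "sshd", b"", counter=1),
    build_record(0, 4242, 0, "bash", b"s", counter=3),
    build_record(0, 4242, 0, "bash", b"l", counter=2),
    build_record(0, 4242, 0, "bash", b"\n", counter=4),
]

if __name__ == "__main__":
    for p in DEMO_PAYLOADS:
        print(parse_record(p))
    print(reassemble_keystrokes(DEMO_PAYLOADS))
```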
