[Honeywall] Sebek-packages but no data?

Jefferson, Shawn Shawn.Jefferson at bcferries.com
Thu Jul 31 15:39:26 EDT 2008


Rob,

Will you be able to see SSH keystrokes if you are making a connection
from the attacker INTO the Honeywall, like in this case?

Shawn

-----Original Message-----
From: honeywall-bounces at public.honeynet.org
[mailto:honeywall-bounces at public.honeynet.org] On Behalf Of Rob McMillen
Sent: July 31, 2008 12:20 PM
To: Mailing list for users and developers of the Honeywall
Subject: Re: [Honeywall] Sebek-packages but no data?

If you are trying to view the keystrokes related to an ssh connection,
you should try looking for the ssh connection in walleye not the sebek
ports.  Therefore, you need to search for packets with a destination
ip of your honeypot and port 22.  The sebek icon will appear when a
flow has a sys_socket call associated with it.  You will not see a
sys_socket call associated with the sebek client.

Also, depending on your honeywall configuration, you may not see
traffic that is within the honeypot lan.  If this is the case, try
connecting to the honeypot through the honeywall from a machine that
is located outside the honeypot lan.

Let me know if this helps or hurts the issue,

Rob

On Thu, Jul 31, 2008 at 11:51 AM, Jefferson, Shawn
<Shawn.Jefferson at bcferries.com> wrote:
> Hi,
>
> I think at least one of the problems may be explained by the fact that
> you are creating an SSH session from your attacker INTO your honeypot.
> The honeypot is sending Sebek packets out with the process that is
> running, but it doesn't have any way of capturing the data from the SSH
> session (since all the keystrokes are occurring on the attacker
> machine.)
>
> Why you don't see the Sebek icon in Walleye, I'm not sure about that.
> Do you see a flow for your SSH session in Walleye?
>
> Have you tried initiating a SSH session from the honeypot to the
> attacker machine, to see what you can see via Walleye then?
>
> Thanks,
> Shawn
>
> -----Original Message-----
> Now when I open an ssh connection from "Charlie" to "Victor" I see lines
> like these in /var/log/iptables on "Wall-e":
>
> Jul 31 13:33:49 wall-e kernel: SEBEKIN=br0 OUT=eth2 PHYSIN=eth1
> SRC=192.168.52.47 DST=192.168.52.55 LEN=85 TOS=0x0C PREC=0x00 TTL=31
> ID=12 PROTO=UDP SPT=2743 DPT=2543 LEN=65
>
> In the Walleye interface I see the packets, recognizing them by Dest
> IP; they look like this:
>
> July 31st 12:42:55  00:00:00
> 192.168.52.47  0  192.168.52.55
> UDP   2743(murx) 0kb  7pkts  2543(reftek)
>
> There's no sebek flow icon, only the magnifying glass and the disk. When
> I click the glass and click snort packet decode it shows me lines like
> these:
>
> 07/31-12:42:55.595960 0:C:29:71:7E:C8 -> 0:C:29:63:2A:89
> type:0x800len=0x63 192.168.52.47:2743 -> 192.168.52.55:2543 UDP TTL:32
> TOS:0xD ID:12 IpLen:20 DgmLen:85 Len:57
> Followed by the payload in hex, but the translated contents are not
> really what I've been looking for; I can't see the commands I submitted
> to the honeypot by ssh, only lines like
> ..K........qH..?
> ...0............
> .......bash.....
> .......P
>
> or
>
> ..K........qH..?
> ...0............
> .......sshd.....
> .......P
>
> It's always either bash or sshd, but my commands are nowhere to be seen.
>
> I hope somebody could give me an explanation about this and maybe a
> little help; I'd appreciate it!
>
> Thx in advance!
>
>
> _______________________________________________
> Honeywall mailing list
> Honeywall at public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/honeywall
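Added example, not code from the thread or from the Sebek project: a decoder for the Sebek v3 record carried in each of those UDP datagrams. It shows why the snort ASCII view only ever reads "bash" or "sshd" (that is the 12-byte command-name field of the header) and where the typed data actually sits: after the 56-byte header, one read at a time, which is consistent with the 57-byte datagrams in the iptables log. The header layout, the type codes and the magic value are assumptions made for this example; check them against the sebek.h your Sebek client was built from, and the sample records below are constructed.

```python
import struct
from collections import defaultdict

# Sebek v3 record: a 56-byte header in network byte order, then `length` bytes of data.
# Field order and type codes are assumed from the Sebek v3 Linux client; check sebek.h.
SEBEK_HDR = struct.Struct("!IHHIIIIIIII12sI")
SEBEK_TYPES = {0: "read", 1: "write", 2: "socket", 3: "open"}
SEBEK_MAGIC = 0xCAFEBABE  # constructed; the real value is whatever the client was built with


def build_record(rtype, counter, pid, ppid, uid, fd, com, data, magic=SEBEK_MAGIC):
    """Pack one Sebek v3 record; used here only to construct sample input."""
    hdr = SEBEK_HDR.pack(magic, 3, rtype, counter, 1217522635, 0, ppid, pid, uid,
                         fd, 0, com.ljust(12, b"\0"), len(data))
    return hdr + data


def decode_record(payload, magic=SEBEK_MAGIC):
    """Decode a UDP payload as a Sebek v3 record, or raise ValueError if it is not one."""
    if len(payload) < SEBEK_HDR.size:
        raise ValueError("payload shorter than a Sebek v3 header")
    (m, ver, rtype, counter, _sec, _usec, ppid, pid, uid, fd, _inode,
     com, length) = SEBEK_HDR.unpack_from(payload)
    if m != magic or ver != 3:
        raise ValueError("magic/version mismatch: not a Sebek v3 record")
    data = payload[SEBEK_HDR.size:SEBEK_HDR.size + length]
    return {"type": SEBEK_TYPES.get(rtype, rtype), "counter": counter, "pid": pid,
            "ppid": ppid, "uid": uid, "fd": fd, "data": data,
            "com": com.rstrip(b"\0").decode("ascii", "replace")}


def reassemble_keystrokes(payloads):
    """Join the data of read records per (pid, com) in counter order.

    A shell running under readline reads the terminal one byte per sys_read, so every
    key typed over the attacker's ssh session arrives as its own 57-byte datagram.
    """
    by_proc = defaultdict(list)
    for payload in payloads:
        rec = decode_record(payload)
        if rec["type"] == "read":
            by_proc[(rec["pid"], rec["com"])].append((rec["counter"], rec["data"]))
    return {proc: b"".join(d for _, d in sorted(recs)) for proc, recs in by_proc.items()}


# Constructed sample stream: bash (pid 1422, child of sshd 1401) reads "ls -la\n" one
# byte at a time on fd 0, plus one sshd read on its network socket fd.
SAMPLE = [build_record(0, i, 1422, 1401, 0, 0, b"bash", bytes([c]))
          for i, c in enumerate(b"ls -la\n")]
SAMPLE.append(build_record(0, 99, 1401, 1, 0, 4, b"sshd", b"\x00"))
```

Feeding the real UDP payloads from the pcap into `reassemble_keystrokes` (after setting the magic to the configured one) gives the bash input the ASCII dump hides; records with type "socket" are what Walleye keys the sebek icon on, and the client's own UDP stream never produces one.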

