[Honeywall] Sebek data from Windows does not integrate with walleye

Rob McMillen rvmcmil at gmail.com
Wed Jun 11 09:40:26 EDT 2008


Cool!  Not that you are having a problem, but that you have identified
more issues.  Could you please open a ticket for this and specify what
version of sebek client you are using on your windows honeypot?

Thanks for the feedback.  Please keep them coming so we can improve
the honeywall.

Rob

P.S.  Warning, since the current method to build sebek client for
recent linux kernel versions involves disabling raw socket
replacement, if someone breaks into your linux box they could
potentially see windows sebek packets flying across the network.

On Wed, Jun 11, 2008 at 9:16 AM, Bjoern Weiland
<bjoern.weiland at rz.uni-karlsruhe.de> wrote:
> Hey Rob
>
>> P.S.  Any other issues so far with the release of 1.4?
>
> Yes, actually there is :) Now, thanks to your patch, sebek on my linux
> Honeypot now compiles and is working fine, also integrating with walleye
> with the process tree and related flows.
> The windows sebek client does not integrate though. I am on XP SP3, fully
> patched. What I do get in walleye is only the UDP sebek data flow to port
> 1101 listed as a normal connection initiated from the honeypot. No tree
> views or the like:
> Moreover, if you look at the screenshot provided, I don't get why the Linux
> system sends UDP to port 1025 of the pinged system as well, but this just to
> mention...
>
> Screenshot: http://bjou.de/walleye2.jpg
>
>  -best regards, bjoern
> _______________________________________________
> Honeywall mailing list
> Honeywall at public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/honeywall
>

