[Honeywall] Problems with sebek on windows

Rob McMillen rvmcmil at gmail.com
Thu Jun 12 17:02:27 EDT 2008


Have you tried a remote connection to your windows box?  There are a
lot of packets that fly on the wire that are not necessarily a result
of keystrokes.

If you log on to the honeywall, and get on mysql.

mysql> use hflow
mysql> select count(*) from sys_read;
mysql> select count(*) from sys_socket;
mysql> select count(*) from process;
mysql> select count(*) from sys_open;

What do you see?

The sys_read table is the one that will contain keystrokes.  This even
includes ssh banners that are sent during initial negotiations and
that is why an ssh brute force attack slows down the sebek analysis
process.

Will get time to take a closer look soon hopefully.... need to find a
place to live and stop living out of a hotel room ;)

Rob

On Thu, Jun 12, 2008 at 4:47 PM, Jim Peterson (honeypot)
<honeypotting at gmail.com> wrote:
> Hey guys,
>
> I also have the same problem. I installed Sebek 3.0.4 from
> http://www.savidtech.com/sebek/sebek-win32-3.0.4/
>
> I have installed sebek 3.0.4 on windows xp sp2
> all I can see is udp packets on port 1101 to my arbitrary destination IP.
> I cannot see any icon tree nor the blue arrow on Walleye. I have the same
> result in walleye
> as it is presented in bjou's .jpg
>
>
> However, on the honeywall root shell, when I do tcpdump -vnni eth1 port 1101
> I can see that the packets are indeed sent.
>
>
> Thank you,
>
> Jim Peterson
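A small diagnostic that runs the four counts Rob lists and turns them into a verdict, added here as an example and not code from the original thread or the Honeywall project. It assumes the Honeywall's `mysql` CLI is on PATH and that the `hflow` database is readable with the credentials passed in `mysql_args`.

```python
"""Check whether Sebek records from a Windows honeypot are reaching the
hflow database on a Honeywall (added example; assumes a local mysql CLI)."""
import shlex
import subprocess

# Tables named in Rob's reply; sys_read is where keystrokes land.
HFLOW_TABLES = ("sys_read", "sys_socket", "process", "sys_open")
SEBEK_PORT = 1101  # UDP port the Windows Sebek client sends to


def query_counts(mysql_args=""):
    """Run `select count(*)` against each hflow table via the mysql CLI.
    mysql_args holds extra CLI options such as '-u root -p<secret>'.
    Returns {table: row_count}."""
    counts = {}
    for table in HFLOW_TABLES:
        cmd = ["mysql", *shlex.split(mysql_args), "-N", "-s", "hflow",
               "-e", f"select count(*) from {table};"]
        out = subprocess.run(cmd, capture_output=True, text=True,
                             check=True).stdout
        counts[table] = int(out.strip())
    return counts


def diagnose(counts):
    """Map the table counts to a (verdict, explanation) pair."""
    total = sum(counts.get(t, 0) for t in HFLOW_TABLES)
    if total == 0:
        return ("no-sebek-records",
                "hflow holds no Sebek rows at all; confirm with "
                f"'tcpdump -vnni eth1 port {SEBEK_PORT}' that packets reach "
                "the Honeywall, then check that it is collecting Sebek on "
                "that port")
    if counts.get("sys_read", 0) == 0:
        return ("no-keystrokes",
                "socket/process/open records arrive but sys_read is empty; "
                "nothing typed (or sent, e.g. ssh banners) has been logged yet")
    return ("ok",
            "sys_read is populated; remember it also counts non-keystroke "
            "reads such as ssh banners, so inspect rows before trusting it")


if __name__ == "__main__":
    verdict, why = diagnose(query_counts())
    print(f"{verdict}: {why}")
```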


More information about the Honeywall mailing list