[Honeywall] Sebek problem

Curt Shaffer cshaffer at gmail.com
Sat May 10 11:43:43 EDT 2008


I have just installed roo-1.4.hw-20080424215740.iso. I have had some issues
installing Sebek on 2.6 kernels, so I went back to a 2.4 kernel, figuring it would
probably house more vulnerabilities anyway. So I installed the 2.4 client
2.3.0c on a Red Hat 7.3 box. The Walleye interface shows the client as
sebeked, but I have yet to see any captured packets that show the commands
and/or files transferred outbound from the box. I logged into the management
interface of the roo and noticed that sebekd was not running. I started it
from the init script and tried again, and still no luck. I installed a
Windows XP honeypot and put the Windows version on it and found the same
issue. Back on the Linux box, I put Sebek in test mode with the MAC
address set to the broadcast MAC. The module does load, and the destination port
is 1101, which sebekd is set up to look for. I will add that my honeypots are
VMware hosts. They are able to communicate out, and Walleye does in fact see
all of the traffic going in and out; it just doesn't seem to be including
the captured packets. Also, I have run `sbk_extract -i eth0 -p 1101 |
sbk_ks_log.pl` manually (I also tried br0). This does not produce any output
other than "1 packet received" every time.

Does anyone have any suggestions as to where I can go from here to
troubleshoot this further?

Thanks.

Curt 



More information about the Honeywall mailing list