[Honeywall] Sebek problem
rvmcmil at gmail.com
Sat May 10 12:17:53 EDT 2008
I am pretty sure that the older version of sebek client will not
work with the newer version of walleye and hflow2.
On May 10, 2008, at 11:43 AM, Curt Shaffer wrote:
> I have just installed roo-1.4.hw-20080424215740.iso. I have had some
> installing sebek on 2.6 kernels so I went back to a 2.4, figured it
> probably house more vulnerability anyway. So I installed the 2.4
> 2.3.0c on a Redhat 7.3 box. The walleye interface shows the client as
> sebeked but I have yet to see any packets captured that show the
> and or files transferred outbound from the box.
Where did you get the version of sebek for linux you are having issues
with and what kernel are you trying to install it on? I have been
working on updating the sebek for linux 2.6 client and the svn repo is
located here: https://projects.honeynet.org/svn/sebek. The trac site
is located here: https://projects.honeynet.org/sebek.
I have not done any improvements in a bit because I was focusing on
releasing 1.4 and correlating sebek data with attacker ip. However,
if you are having compilation problems, feel free to open a ticket on
the trac site (but please use the code on svn).
> I logged into the management interface of the roo and noticed that sebekd
> was not running. I started it from the init script and tried again and
> still no luck.
One of the major changes in 1.4 is the integration of hflow2. Hflow2
now handles grabbing the sebek packets off the wire and sticking them
into the db. sebekd is no longer required. The sebekd rpm is
installed so the sbk_extract and sbk_ks_log programs are still
available for command line interaction with sebek data.
> I installed a
> Windows XP honeypot and put the Windows version on it and found the
Where did you get the sebek client for windows and what kind of
service pack/patches have you applied to the windows OS? Mainly
curious to see if the sebek client for windows still works.
> Back on the linux box, I put the sebek in test mode and the MAC address
> as the broadcast MAC. The module does load and the destination port is
> 1101 which sebekd is setup to look for. I will add that my honeypots are
> VMWare hosts. They are able to communicate out and walleye does in fact
> see all of the traffic going in and out, it just doesn't seem to be
> the captured packets. Also, I have run sbk_extract -i eth0 -p 1101 |
> sbk_ks_log.pl manually (I also tried br0). This does not produce any
> other than 1 packet received every time.
eth0 is the internet facing interface and depending on how you have
things configured, sebek packets may not be visible there. Try using
eth1 instead. Actually, just try sniffing for sebek packets to see if
they are going out (tcpdump -vnni eth1 port 1101) and make sure there
is some network interaction with the host from the internet like ssh
into it or something. You have to ensure the client connecting is not
considered part of the honeynet network by the honeywall (depends on
how you configured it).
> Does anyone have any suggestions as to where I can go from here to
> troubleshoot this further?
This will probably be the best place. I've been thinking about
screencasts or something like that... but we probably should start by
updating the documentation.
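As an added example (not code from this thread or from the Sebek project): a stdlib-only Python script that reads a capture saved with `tcpdump -w` on eth1 or br0 and counts UDP datagrams to port 1101 per honeypot source address, which tells you whether the client is emitting anything at all before you go looking at hflow2. It assumes Sebek records ride on UDP in an Ethernet-framed libpcap file; the sample capture, its addresses and payloads are constructed inline.

```python
import struct
from collections import Counter
SEBEK_PORT = 1101  # destination port the thread says the client is set to

def count_sebek(pcap_bytes, port=SEBEK_PORT):
    """Count UDP datagrams to `port` per source IPv4 in an Ethernet libpcap file."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", pcap_bytes[:4])[0])
    if endian is None:
        raise ValueError("not a libpcap capture")
    counts = Counter()
    off = 24  # skip the global header
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":
            continue  # too short for Ethernet+IPv4+UDP, or EtherType is not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 17:
            continue  # IP protocol field is not UDP
        udp = frame[14 + ihl:14 + ihl + 8]
        if len(udp) == 8 and struct.unpack("!H", udp[2:4])[0] == port:
            counts[".".join(str(b) for b in frame[26:30])] += 1  # keyed by IP source
    return counts

def build_frame(src, dst, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame (checksums left zero; for parsing only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ip + udp + payload

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1210436000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

# Constructed sample: two Sebek datagrams from one honeypot, one from another, plus a DNS query to ignore.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.254", SEBEK_PORT, b"sebek-record-1"),
    build_frame("10.0.0.5", "10.0.0.254", SEBEK_PORT, b"sebek-record-2"),
    build_frame("10.0.0.5", "10.0.0.1", 53, b"dns-query"),
    build_frame("10.0.0.7", "10.0.0.254", SEBEK_PORT, b"sebek-record-3"),
])

def sample_counts():
    return dict(count_sebek(SAMPLE_PCAP))
```

On a real capture, a honeypot that shows zero here while sbk_extract reports "1 packet received" is not sending on that interface, so the next thing to check is the client configuration and which side of the bridge you are sniffing.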