[Honeywall] Sebek problem

Curt Shaffer cshaffer at gmail.com
Sat May 10 12:41:19 EDT 2008


Thanks for all of the great info:

I got the client from : http://www.honeynet.org/tools/sebek/. I did install
the 3.2.0c which looks like it's the 3.x version by that page. I also got
the windows client from there the Win32 Client 3.0.3. It installed fine, the
version of windows is XP SP2. I didn't patch it beyond that yet.

I'll try your suggestions and report back.

Curt

-----Original Message-----
From: honeywall-bounces at public.honeynet.org
[mailto:honeywall-bounces at public.honeynet.org] On Behalf Of Robert Mcmillen
Sent: Saturday, May 10, 2008 12:18 PM
To: honeywall
Subject: Re: [Honeywall] Sebek problem

Curt,

     I am pretty sure that the older version of sebek client will not  
work with the newer version of walleye and hflow2.

On May 10, 2008, at 11:43 AM, Curt Shaffer wrote:

> I have just installed roo-1.4.hw-20080424215740.iso. I have had some  
> issues
> installing sebek on 2.6 kernels so I went back to a 2.4, figured it  
> would
> probably house more vulnerability anyway. So I installed the 2.4  
> Client
> 2.3.0c on a Redhat 7.3 box. The walleye interface shows the client as
> sebeked but I have yet to see any packets captured that show the  
> commands
> and or files transferred outbound from the box.

Where did you get the version of sebek for linux you are having issues  
with and what kernel are you trying to install it on?  I have been  
working on updating the sebek for linux 2.6 client and the svn repo is  
located here: https://projects.honeynet.org/svn/sebek.  The trac site  
is located here: https://projects.honeynet.org/sebek.

I have not done any improvements in a bit because I was focusing on  
releasing 1.4 and correlating sebek data with attacker ip.  However,  
if you are having compilation problems, feel free to open a ticket on  
the trac site (but please use the code on svn).

> I logged into the management
> interface of the roo and noticed that sebekd was not running. I  
> started it
> from the init script and tried again and still no luck.

One of the major changes in 1.4 is the integration of hflow2.  Hflow2  
now handles grabbing the sebek packets off the wire and sticking them  
into the db.  sebekd is no longer required.  The sebekd rpm is  
installed so the sbk_extract and sbk_ks_log programs are still  
available for command line interaction with sebek data.

> I installed a
> Windows XP honeypot and put the Windows version on it and found the  
> same
> issue.

Where did you get the sebek client for windows and what kind of  
service pack/patches have you applied to the windows OS?  Mainly  
curious to see if the sebek client for windows still works.

> Back on the linux box, I put the sebek in test mode and the MAC
> address as the broadcast MAC. The module does load and the  
> destination port
> is 1101 which sebekd is setup to look for. I will add that my  
> honeypots are
> VMWare hosts. They are able to communicate out and walleye does in  
> fact see
> all of the traffic going in and out, it just doesn't seem to be  
> including
> the captured packets. Also, I have run sbk_extract -i eth0 -p 1101 |
> sbk_ks_log.pl manually (I also tried br0). This does not produce any  
> output
> other than 1 packet received every time.

eth0 is the internet facing interface and depending on how you have  
things configured, sebek packets may not be visible there.  Try using  
eth1 instead.  Actually, just try sniffing for sebek packets to see if  
they are going out (tcpdump -vnni eth1 port 1101) and make sure there  
is some network interaction with the host from the internet like ssh  
into it or something.  You have to ensure the client connecting is not  
considered part of the honeynet network by the honeywall (depends on  
how you configured it).

> Does anyone have any suggestions as to where I can go from here to
> troubleshoot this further?

This will probably be the best place.  I've been thinking about  
screencasts or something like that... but we probably should start by  
updating the documentation.

Rob
_______________________________________________
Honeywall mailing list
Honeywall at public.honeynet.org
https://public.honeynet.org/mailman/listinfo/honeywall

No virus found in this incoming message.
Checked by AVG. 
Version: 7.5.524 / Virus Database: 269.23.14/1425 - Release Date: 5/9/2008
12:38 PM
 



More information about the Honeywall mailing list