GaRaGeD Style wrote:
On 10/16/07, Rob McMillen <[EMAIL PROTECTED]> wrote:
List,
I am trying to fix the issue with the lack of data showing up on
the UI after 24 hours. Can some of the folks having this issue tell
me a little about their setup and the type of activity they see on
their honeypots? The OS of the honeypots etc? Would help me recreate
this issue.
On another note, I have noticed that the IDS alerts are not
showing up on the UI. Other folks seeing this?
I have a honeypot with debian and sebek, I never saw any sebek traffic
on the web console, and even ssh to the honeypot doesn't show
anything, I think the problem was on the roo box, with tcpdump I could
see the sebek traffic, but nothing was caught, and ps showed that
sebek server was trying to be run on eth1, instead of eth2 (I think).
I never saw any snort alert either, I could only run snort on dumps.
Max
That situation could be caused by either misconfiguring the interfaces
on the honeywall. I did that in the beginning and realized that.
Additionally you can change the init script to listen on the correct
interface. But I think the problem with lack of data is more geared
towards honeywall going into sort of HUNG state where even if you
TCPDUMP the output that you get slows down considerably and tcpdump
begins to MISS packets. It's sort of like listening to traffic
selectively or not listening at all. This was my experience with
tcpdump when I couldn't get any data on walleye interface.
-Parvinder Bhasin
_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall