Guys,

I will disable sebek collection on roo. If that doesn't work, I will uninstall sebek from honeypots and see what happens there.

My feeling is that I really would like to see sebek working with roo. This is what tells me what an attacker is doing inside my system (commands etc). Without this tool, roo would be stripped of 50% of its capabilities.

Will report all the findings to the list.

-Parvinder Bhasin

Rob McMillen wrote:
Nice Earl!

Parvinder... Like Earl said, can you disable sebek collection on the
honeywall and restart to see if you have the same issue?  I don't
think you have to remove the clients from the honeypots.  I think this
is an issue on the honeywall.  Sebek collection by the honeywall
occurs by sniffing traffic and extracting the sebek packets; therefore
I don't think it is the fault of the client.  This said, they are the
ones generating the traffic :)

I will do the same on my side.

Thanks for the info Stefan.

Rob

On Nov 2, 2007 7:22 AM, Earl <[EMAIL PROTECTED]> wrote:

So if I understand what you're saying here it sounds like we need
to investigate the way sebekd, on the honeywall, receives sebek
client data.

If anyone can produce pcap data that can be fed through a roo to
reproduce this it might speed things up.  In the meantime I'll try
to get someone with sebek clue to look into this.

Parvinder,

Can you reproduce the above scenario (uninstall sebek clients and
see if things work again) maybe with a restart in between?

Thanks for the feedback!

Earl
_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall

