Parvinder,
    This is going to sound like a silly question, but below you state
"And still i have no data to view on walleye".  Does this mean you
never see any data in the user interface (UI)?  Or some data shows up
and after a while it stops?  Do you freshly boot the system prior to
your pentest or has it been sitting for a while?
    If you are willing to experiment further, what happens if you do a
fresh start of the honeywall and before you begin your pen test, you
stop snort and snort_inline (make sure you are not sending packets to
QUEUE).  In theory, data should still go to the UI because the flows
are created by argus not snort.  Snort simply does alerting.

Rob

On Nov 3, 2007 12:40 PM, Parvinder Bhasin <[EMAIL PROTECTED]> wrote:
> Ok!! So I disabled sebekd to log anything.  I chose to drop everything
> sebekd restarted all the honeywall services. Issued NMAP scan against
> the network.  And still I have no data to view on walleye.  I stopped
> the sebekd altogether and still no data.
>
> -Parvinder Bhasin
>
>
>
> I am going to
>
> Rob McMillen wrote:
> > Parvinder,
> >     Just trying to isolate the issue so we can fix it.  Will get sebek
> > working again :)
> >
> > Rob
> >
> > On Nov 2, 2007 5:44 PM, Parvinder Bhasin <[EMAIL PROTECTED]> wrote:
> >> Guys,
> >>
> >> I will disable sebek collection on roo.  If that doesn't work, I will
> >> uninstall sebek from honeypots and see what happens there.
> >>
> >> My feeling is that I really would like to see sebek working with roo.
> >> This is what tells me what an attacker is doing inside my system
> >> (commands etc).  Without this tool, roo would be stripped 50% of its
> >> capabilities.
> >>
> >> Will report all the findings to the list.
> >>
> >> -Parvinder Bhasin
> >>
> >> Rob McMillen wrote:
> >>
> >>> Nice Earl!
> >>>
> >>> Parvinder... Like Earl said, can you disable sebek collection on the
> >>> honeywall and restart to see if you have the same issue?  I don't
> >>> think you have to remove the clients from the honeypots.  I think this
> >>> is an issue on the honeywall.  Sebek collection by the honeywall
> >>> occurs by sniffing traffic and extracting the sebek packets; therefore
> >>> I don't think it is the fault of the client.  This said, they are the
> >>> ones generating the traffic :)
> >>>
> >>> I will do the same on my side.
> >>>
> >>> Thanks for the info Stefan.
> >>>
> >>> Rob
> >>>
> >>> On Nov 2, 2007 7:22 AM, Earl <[EMAIL PROTECTED]> wrote:
> >>>>
> >>>> So if I understand what you're saying here it sounds like we need
> >>>> to investigate the way sebekd, on the honeywall, receives sebek
> >>>> client data.
> >>>>
> >>>> If anyone can produce pcap data that can be fed through a roo to
> >>>> reproduce this it might speed things up.  In the meantime I'll try
> >>>> to get someone with sebek clue to look into this.
> >>>>
> >>>> Parvinder,
> >>>>
> >>>> Can you reproduce the above scenario (uninstall sebek clients and
> >>>> see if things work again) maybe with a restart in between?
> >>>>
> >>>> Thanks for the feedback!
> >>>>
> >>>> Earl
> >>> _______________________________________________
> >>> Honeywall mailing list
> >>> [email protected]
> >>> https://public.honeynet.org/mailman/listinfo/honeywall
> >>>
> >>
> >
>
>