Stefan,

I've been doing some work to attempt to identify the source ip of every attack so that I could correlate it with its keystrokes. During this process, I have found that the ssh daemon is a pain. There is one process that handles the listen and once a connection comes in, it forks and another handles the session. The original goes back to listening. Therefore, the process tree always sees that one listening ssh process as its parent.

When you have a brute force attack, there is one parent to every single ssh attempt. This is why you see so many when you click on the related.
On Apr 4, 2008, at 4:58 AM, Stefan Vömel wrote:
Rob,

I have analyzed a single telnet session and the problem does not seem to be directly related to Sebek or the way Walleye displays keystrokes. In fact, it rather seems to be a problem of the process tree mapping.

When I click on the "Show me the process tree" icon for a specific connection, the process summary, the process tree and the related network connections are shown. I monitor a lot of SSH brute force attempts. That's why a lot of related network activities are displayed when I try to investigate a single connection. More often than not, the process tree is not correctly drawn. This is possibly due to a browser timeout.
This is probably due to ssh having that one parent and walleye trying to draw all related flows in the graphic. In a brute force attempt, this could be very nasty.
I have found the perl modules in /usr/lib/perl5/vendor_perl/Walleye. For my work, it would be sufficient to display only the process tree for the given connection. Is this possible?
I think I am close here. Just need some additional time to ensure my theory is accurate. I think this would also fix the issue you mentioned above with the timeout.
Hope this helps, and please keep them coming. It really helps,
Rob

_______________________________________________
Honeywall mailing list
https://public.honeynet.org/mailman/listinfo/honeywall
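The sshd behaviour Rob describes (one listener forks a child per connection, so every attempt shares the same parent) is what makes a "show everything related" view explode during a brute force run. The following is an added example, not Walleye's Perl code or anything from the thread: it builds a process tree from constructed Sebek-style records and constructed flow records, and contrasts the pruned per-connection view Stefan asked for with the naive view that pulls in every sibling session. Process ids, commands and addresses are all made up for the illustration.

```python
# Added example (not Walleye's own code): show only the process tree of one
# connection instead of every sibling session under the listening sshd.
# Constructed Sebek-style records: (pid, ppid, command). pid 100 is the
# listener; each login is a forked child sshd that then spawns a shell.
PROCESSES = [
    (1, 0, "init"),
    (100, 1, "sshd [listener]"),
    (201, 100, "sshd [session]"), (202, 201, "bash"), (203, 202, "wget"),
    (301, 100, "sshd [session]"), (302, 301, "bash"),
    (401, 100, "sshd [session]"),
]
# Constructed flow records: connection id -> (source ip, session sshd pid).
CONNECTIONS = {
    "conn-1": ("203.0.113.10", 201),
    "conn-2": ("203.0.113.11", 301),
    "conn-3": ("203.0.113.12", 401),
}

def build_index(processes):
    """Parent map and children map built from the flat records."""
    parent = {pid: ppid for pid, ppid, _ in processes}
    children = {}
    for pid, ppid, _ in processes:
        children.setdefault(ppid, []).append(pid)
    return parent, children

def descendants(pid, children):
    """pid plus everything below it, depth first."""
    out, stack = [], [pid]
    while stack:
        cur = stack.pop()
        out.append(cur)
        stack.extend(children.get(cur, []))
    return out

def tree_for_connection(conn_id):
    """Ancestors of the session sshd (context) plus its own subtree only;
    other sessions forked from the same listener are left out."""
    parent, children = build_index(PROCESSES)
    pid = CONNECTIONS[conn_id][1]
    chain, cur = [], pid
    while cur in parent:  # walk up to init for context
        chain.append(cur)
        cur = parent[cur]
    return sorted(set(chain) | set(descendants(pid, children)))

def related_pids_all(conn_id):
    """The 'everything related' view: the full subtree of the session's
    parent, which for sshd means every other attempt at the listener."""
    parent, children = build_index(PROCESSES)
    pid = CONNECTIONS[conn_id][1]
    return sorted(descendants(parent[pid], children))
```

With three attempts the difference is small, but the naive view grows with every brute force attempt against the listener while the pruned view stays the size of one session.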