Alvaro,
Have you looked at sebek filtering? I think by default it only
gets socket related keystrokes due to the volume of data that would
otherwise be generated.
Also, by default, it only does sys_read. Maybe the user and
password you are seeking are in sys_write?
Currently, there is no identification of attacker source ip. I
am working on that at this time by performing some additional
processing on the resulting sebek packets.
Rob
P.S. I am learning as I go here so please bear with me. It has been
a while since I have looked at sebek.
On Apr 4, 2008, at 5:51 AM, Alvaro del Olmo wrote:
Hi Robert.
It works, but only if the commands are typed through an incoming
connection, for instance, ssh. That's why we could not see the
packets before. The commands typed locally in the honeypot are not
being captured. That might not be a problem because the attacker is
supposed to connect remotely after all, but there is another problem
(probably related to this?): ftp users and passwords. If I begin an
ftp session to the honeypot, the ftp commands like 'get', 'put',
'ls', and of course the 'ftp' itself in the beginning, are being
captured. But neither the user nor the password in the beginning of
the ftp session are being captured. Have you checked this? Might
this be because KEYSTROKE is not working after all, and it is only
working SOCKET_TRACKING?
I have another doubt. How do you store the IP of the incoming
connections to the honeypots? Using honeywall snort or something?
This is because we need a registry containing the sort of commands
typed by each attacker's IP.
Thank you very much.
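Rob's point about sys_read versus sys_write records, and Alvaro's wish for a per-process log of what was typed, can be checked by splitting Sebek records by syscall type. The following is an added example, not code from this thread or from the Sebek project; it assumes the 56-byte Sebek v3 header layout (magic, version, type, counter, time, parent pid, pid, uid, fd, inode, command name, length) in network byte order, and the magic word and all sample records are constructed here, not captured traffic.

```python
import struct
from collections import defaultdict

# Sebek v3 record header: 56 bytes, network byte order (assumption: layout as
# described for Sebek 3.x; the magic word is chosen per deployment).
SBK_HDR = struct.Struct("!IHH" + "I" * 8 + "12sI")
SBK_TYPES = {0: "read", 1: "write", 2: "sock", 3: "open"}
MAGIC = 0xD0D0D0D0  # constructed placeholder, not a real deployment value

def parse_records(buf, magic=MAGIC):
    """Split a buffer of back-to-back Sebek v3 records into dicts."""
    recs, off = [], 0
    while off + SBK_HDR.size <= len(buf):
        (mg, ver, typ, counter, sec, usec, ppid, pid, uid, fd,
         inode, com, length) = SBK_HDR.unpack_from(buf, off)
        if mg != magic or ver != 3:
            raise ValueError("not a Sebek v3 record at offset %d" % off)
        start = off + SBK_HDR.size
        payload = buf[start:start + length]
        if len(payload) != length:
            raise ValueError("truncated record at offset %d" % off)
        recs.append({"type": SBK_TYPES.get(typ, "unknown"), "counter": counter,
                     "time": sec + usec / 1e6, "ppid": ppid, "pid": pid,
                     "uid": uid, "fd": fd, "inode": inode,
                     "com": com.rstrip(b"\0").decode("ascii", "replace"),
                     "data": payload})
        off = start + length
    return recs

def stream_by_pid(recs, kind):
    """Reassemble one syscall stream ("read" or "write") per pid, in counter order."""
    out = defaultdict(bytes)
    for r in sorted(recs, key=lambda r: r["counter"]):
        if r["type"] == kind:
            out[r["pid"]] += r["data"]
    return dict(out)

def make_record(typ, counter, pid, com, data, fd=0, uid=0, ppid=1):
    """Build a constructed v3 record for testing (not captured traffic)."""
    hdr = SBK_HDR.pack(MAGIC, 3, typ, counter, 1207300000, 0, ppid, pid, uid,
                       fd, 0, com, len(data))
    return hdr + data

# Constructed sample: an ftp client (pid 1234) whose prompts leave through
# sys_write on fd 1 while the typed replies arrive through sys_read on fd 0.
SAMPLE = b"".join([
    make_record(0, 1, 1234, b"ftp", b"open honeypot\n", fd=0),
    make_record(1, 2, 1234, b"ftp", b"Name (honeypot:alvaro): ", fd=1),
    make_record(0, 3, 1234, b"ftp", b"alvaro\n", fd=0),
    make_record(1, 4, 1234, b"ftp", b"Password:", fd=1),
])
```

Running `stream_by_pid(parse_records(SAMPLE), "write")` shows only the prompts, and `"read"` only what was typed, which is why capturing a single syscall type gives an incomplete picture of a login.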
_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall