I have just installed roo-1.4.hw-20080424215740.iso. I have had some issues installing sebek on 2.6 kernels, so I went back to a 2.4 kernel, figuring it would probably house more vulnerabilities anyway. So I installed the 2.4 client 2.3.0c on a Red Hat 7.3 box. The walleye interface shows the client as sebeked, but I have yet to see any captured packets that show the commands and/or files transferred outbound from the box.

I logged into the management interface of the roo and noticed that sebekd was not running. I started it from the init script and tried again, and still no luck. I installed a Windows XP honeypot and put the Windows version on it, and found the same issue.

Back on the Linux box, I put sebek in test mode and set the MAC address to the broadcast MAC. The module does load, and the destination port is 1101, which sebekd is set up to look for. I will add that my honeypots are VMware hosts. They are able to communicate out, and walleye does in fact see all of the traffic going in and out; it just doesn't seem to be including the captured packets.

Also, I have run sbk_extract -i eth0 -p 1101 | sbk_ks_log.pl manually (I also tried br0). This does not produce any output other than "1 packet received" every time.
Does anyone have any suggestions as to where I can go from here to troubleshoot this further? Thanks.

Curt

_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall
