I did the tcpdump. It appears that when connections are being made (like the initial ssh into the honeypot, and a test ssh out from the honeypot) they are being logged. For subsequent things, like when I just type commands such as ls or cd, no packets are being transmitted. Maybe I will try to get a new 2.6 kernel OS up again and try the svn as you suggested.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Mcmillen
Sent: Saturday, May 10, 2008 12:18 PM
To: honeywall
Subject: Re: [Honeywall] Sebek problem

Curt,

I am pretty sure that the older version of the sebek client will not work with the newer version of walleye and hflow2.

On May 10, 2008, at 11:43 AM, Curt Shaffer wrote:

> I have just installed roo-1.4.hw-20080424215740.iso. I have had some issues installing sebek on 2.6 kernels so I went back to a 2.4, figured it would probably house more vulnerability anyway. So I installed the 2.4 Client 2.3.0c on a Redhat 7.3 box. The walleye interface shows the client as sebeked but I have yet to see any packets captured that show the commands and/or files transferred outbound from the box.

Where did you get the version of sebek for linux you are having issues with, and what kernel are you trying to install it on? I have been working on updating the sebek for linux 2.6 client and the svn repo is located here: https://projects.honeynet.org/svn/sebek. The trac site is located here: https://projects.honeynet.org/sebek. I have not done any improvements in a bit because I was focusing on releasing 1.4 and correlating sebek data with attacker ip. However, if you are having compilation problems, feel free to open a ticket on the trac site (but please use the code on svn).

> I logged into the management interface of the roo and noticed that sebekd was not running. I started it from the init script and tried again and still no luck.

One of the major changes in 1.4 is the integration of hflow2. Hflow2 now handles grabbing the sebek packets off the wire and sticking them into the db. sebekd is no longer required. The sebekd rpm is installed so the sbk_extract and sbk_ks_log programs are still available for command line interaction with sebek data.

> I installed a Windows XP honeypot and put the Windows version on it and found the same issue.

Where did you get the sebek client for windows and what kind of service pack/patches have you applied to the windows OS? Mainly curious to see if the sebek client for windows still works.

> Back on the linux box, I put the sebek in test mode and the MAC address as the broadcast MAC. The module does load and the destination port is 1101, which sebekd is set up to look for. I will add that my honeypots are VMWare hosts. They are able to communicate out and walleye does in fact see all of the traffic going in and out, it just doesn't seem to be including the captured packets. Also, I have run sbk_extract -i eth0 -p 1101 | sbk_ks_log.pl manually (I also tried br0). This does not produce any output other than "1 packet received" every time.

eth0 is the internet facing interface and, depending on how you have things configured, sebek packets may not be visible there. Try using eth1 instead. Actually, just try sniffing for sebek packets to see if they are going out (tcpdump -vnni eth1 port 1101) and make sure there is some network interaction with the host from the internet, like ssh into it or something. You have to ensure the client connecting is not considered part of the honeynet network by the honeywall (depends on how you configured it).

> Does anyone have any suggestions as to where I can go from here to troubleshoot this further?

This will probably be the best place. I've been thinking about screencasts or something like that... but we probably should start by updating the documentation.

Rob
_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall
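The tcpdump on port 1101 and the sbk_extract | sbk_ks_log.pl pipeline discussed above only tell you whether packets arrive at the honeywall, not what is inside them, and Rob's point that an older client will not work with the newer collector is a record-format mismatch that such a capture cannot show on its own. The following is an added example, not code from this thread or from the Sebek/Honeywall projects: a small Python decoder that takes raw UDP payloads (as you would pull them from a pcap of eth1 port 1101), keeps only those that look like Sebek records, counts them by type, and rebuilds the keystroke stream from the read records the way sbk_ks_log.pl does. It assumes the 56-byte Sebek v3 header layout of sbk_extract's struct sbk_h and the type codes read=0, write=1, socket=2, open=3; the magic value 0xD0D0D0D0 and the sample records are constructed for illustration and are not from any real capture. Check both assumptions against the client version in the svn repo before relying on them.

```python
import struct
from collections import Counter, defaultdict

# Assumed Sebek v3 record header (56 bytes, network byte order), following the
# struct sbk_h layout used by sbk_extract: magic, version, type, counter,
# time_sec, time_usec, parent_pid, pid, uid, fd, inode, com[12], data length.
# Verify against the client in the svn repo before trusting it for another version.
SBK_HDR = struct.Struct("!IHHIIIIIIII12sI")
# Assumed type codes from the v3 client.
SBK_TYPES = {0: "read", 1: "write", 2: "socket", 3: "open"}
# Hypothetical magic; the real value is whatever the client module was configured with.
SBK_MAGIC = 0xD0D0D0D0


def make_record(rtype, pid, com, data, counter=0, magic=SBK_MAGIC):
    """Build one Sebek v3 record (constructed sample input, not a real capture)."""
    hdr = SBK_HDR.pack(magic, 3, rtype, counter, 1210437000, 0,
                       1, pid, 0, 0, 0, com.encode().ljust(12, b"\0"), len(data))
    return hdr + data


def parse_records(payloads, magic=SBK_MAGIC):
    """Decode Sebek v3 records from raw UDP payloads; skip anything that is not one.

    A record from a client speaking a different version (or built with a different
    magic) is dropped here, which is the same failure a v3-only collector shows:
    packets on the wire, nothing in the database.
    """
    for payload in payloads:
        if len(payload) < SBK_HDR.size:
            continue
        (m, ver, rtype, _counter, _sec, _usec, _ppid, pid, uid, fd, _inode,
         com, length) = SBK_HDR.unpack_from(payload)
        if m != magic or ver != 3:
            continue
        body = payload[SBK_HDR.size:SBK_HDR.size + length]
        yield {"type": SBK_TYPES.get(rtype, "unknown"), "pid": pid, "uid": uid,
               "fd": fd, "com": com.rstrip(b"\0").decode(errors="replace"),
               "data": body}


def summarize(payloads, magic=SBK_MAGIC):
    """Count records by type and rebuild per-pid keystroke streams from read records."""
    by_type = Counter()
    keystrokes = defaultdict(bytes)
    seen = 0
    for rec in parse_records(payloads, magic):
        seen += 1
        by_type[rec["type"]] += 1
        if rec["type"] == "read":
            keystrokes[rec["pid"]] += rec["data"]
    return {"records": seen,
            "skipped": len(payloads) - seen,
            "by_type": dict(by_type),
            "keystrokes": {pid: ks.decode(errors="replace")
                           for pid, ks in keystrokes.items()}}


# Constructed sample: an interactive shell typing "ls" then Enter (one read record
# per keystroke, as a tty in raw mode delivers them), one open() record, and one
# unrelated UDP payload that happened to hit port 1101.
SAMPLE_PAYLOADS = [
    make_record(0, 1234, "bash", b"l", counter=1),
    make_record(0, 1234, "bash", b"s", counter=2),
    make_record(0, 1234, "bash", b"\n", counter=3),
    make_record(3, 1240, "ls", b"/etc/passwd\0", counter=4),
    b"not a sebek packet at all",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_PAYLOADS))
```

Feed it the UDP payloads from a capture on the inside interface (eth1 in Rob's layout), with a magic matching the client's configuration. If the capture shows packets on port 1101 but this decoder skips all of them, the client and collector disagree on the record format or magic rather than on the network path, which is the mismatch Rob describes between an older client and the 1.4 walleye/hflow2 collector.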
