Hi Fahim
The DESTINATION_MAC should be the MAC address of the honeypot-facing NIC,
normally eth1, providing your honeypot and Honeywall are on the same
segment, i.e. there is no router between them.
The Network Interface option under System Status on the System Admin
page of Walleye will give you the MAC of eth1 on the Honeywall.
Give the module a name such as 1394vid.ko, for example:
MODULE_NAME="1394vid.ko"; of course it can be any name you want.
I think that should sort you out.
Dave
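The values discussed above (DESTINATION_MAC, the destination/source ports, MAGIC_VAL and MODULE_NAME) can be sanity-checked before sbk_install.sh ever reaches insmod. The script below is an added example, not part of sbk_install.sh or the Sebek project; the function names are assumptions chosen here, and the lsmod-style listing is a constructed sample standing in for real `lsmod` output so that it runs offline (a practitioner would pass `"$(lsmod)"` instead). It rejects the shipped defaults that cause the symptoms in the thread: a destination port of 0, the broadcast MAC, and a module name that is already loaded, which is what insmod reports as "File exists".

```shell
#!/bin/sh
# Added example (not part of sbk_install.sh or the Sebek project): pre-flight
# checks for the user-configurable values in the install script. Function names
# and the sample lsmod listing are assumptions made for this example.

# Constructed lsmod-style listing standing in for `lsmod` output, so the
# example runs offline. It includes the random module name seen in the thread.
SAMPLE_LSMOD='Module                  Size  Used by
826825042              12345  0
e1000                  98765  0'

# valid_port PORT: 0 if PORT is an integer in 1..65535 (what the script's
# comment means by "0x0001 to 0xffff"); the default of 0 is rejected.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_magic VALUE: 0 if VALUE is a non-zero unsigned 32-bit integer.
valid_magic() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4294967295 ]
}

# valid_dest_mac MAC: 0 if MAC is six colon-separated hex octets and a unicast
# address. The shipped default FF:FF:FF:FF:FF:FF and any group (multicast)
# address cannot be the Honeywall NIC's own MAC, so both are rejected.
valid_dest_mac() {
    mac=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    printf '%s\n' "$mac" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$' || return 1
    first=$(printf '%d' "0x${mac%%:*}")
    [ $((first % 2)) -eq 0 ]      # I/G bit clear => individual (unicast) address
}

# module_name_ok NAME LSMOD_OUTPUT: 0 if NAME ends in .ko, is not "sebek", and
# no module of that name appears in LSMOD_OUTPUT. insmod fails with
# "File exists" when a module of the same name is already loaded.
module_name_ok() {
    name="$1"
    loaded="$2"
    [ -n "$name" ] || return 1
    base="${name%.ko}"
    [ "$base" != "$name" ] || return 1     # no .ko suffix
    [ "$base" != "sebek" ] || return 1
    ! printf '%s\n' "$loaded" | awk 'NR > 1 { print $1 }' | grep -qx -- "$base"
}

# preflight MAC DPORT SPORT MAGIC MODNAME: run every check against one set of
# values, print each failure, and return non-zero if any check failed.
preflight() {
    DESTINATION_MAC="$1" DESTINATION_PORT="$2" SOURCE_PORT="$3" MAGIC_VAL="$4" MODULE_NAME="$5"
    rc=0
    valid_dest_mac "$DESTINATION_MAC" || { echo " ERROR: DESTINATION_MAC must be the collector NIC's unicast MAC, got '$DESTINATION_MAC'"; rc=1; }
    valid_port "$DESTINATION_PORT"    || { echo " ERROR: DESTINATION_PORT out of range: '$DESTINATION_PORT'"; rc=1; }
    valid_port "$SOURCE_PORT"         || { echo " ERROR: SOURCE_PORT out of range: '$SOURCE_PORT'"; rc=1; }
    valid_magic "$MAGIC_VAL"          || { echo " ERROR: MAGIC_VAL must be 1..4294967295, got '$MAGIC_VAL'"; rc=1; }
    module_name_ok "$MODULE_NAME" "$SAMPLE_LSMOD" || { echo " ERROR: MODULE_NAME '$MODULE_NAME' is empty, 'sebek', lacks .ko, or is already loaded"; rc=1; }
    return $rc
}

# Demonstration: the values from the thread's failed run are rejected, the
# corrected ones (collector MAC is a constructed sample) pass.
preflight 'FF:FF:FF:FF:FF:FF' 0 1101 1111 '826825042.ko' && echo 'unexpected pass' || echo 'shipped defaults rejected'
preflight '00:16:3e:12:34:56' 6189 1101 1111 '1394vid.ko' && echo 'corrected values accepted'
```

Each check is a small function returning a status rather than echoing, so the same functions can be sourced from an install wrapper and used in an `if` before the `cp sbk.ko ${MODULE_NAME}` / insmod step.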
Fahim Abbasi wrote:
> G' Day!
>
> Did a new make & untarred the tar in a separate folder. Added
> DESTINATION_PORT=6189 & now I'm getting a file exists error :S
>
> sebek-lin26-3.2.0b-bin$ sudo ./sbk_install.sh
> $Installing Sebek:
> 0 1:8960:::::::::14:1694
> 1 2:36864::::::::::
> 2 0:8960:::::::::14:1131
> insmod: error inserting '826825042.o': -1 File exists
> $ 826825042.o install failed
>
>
> sebek-lin26-3.2.0b-bin$ ls
> 826825042.o compile_filter.pl filter.of filter.txt parameters.sh
> README sbk_install.sh sbk.ko
>
> &
>
> sebek-lin26-3.2.0b-bin$ cat sbk_install.sh
> #!/bin/sh
> #------------------------------------------------------------------------------
> #----- SEBEK LINUX CLIENT INSTALL SCRIPT --------------------------------------
> #------------------------------------------------------------------------------
>
>
> #------------------------------------------------------------------------------
> #----- USER CONFIGURABLE OPTIONS --------------------------------------------
> #----- NOTE: YOU MUST SPECIFY A MAGIC VALUE AND DESTINATION PORT
> #------------------------------------------------------------------------------
>
>
> #----- FILTER:
> #-----
> #----- File that contains the collection filter
> #-----
> FILTER="./filter.txt"
>
>
> #----- INTERFACE:
> #-----
> #----- Identifies the interface from which Sebek will log
> #----- This does not need to be an interface that has a
> #----- configured IP address.
> #-----
> INTERFACE="eth0"
>
> #----- DESTINATION_IP:
> #-----
> #----- sets destination IP for sebek packets
> #-----
> #----- If the collector is on the LAN, this value can be any address.
> #-----
> DESTINATION_IP="10.0.0.1"
>
>
> #----- DESTINATION_MAC:
> #-----
> #----- sets destination MAC addr for sebek packets
> #-----
> #----- If the collector is running on the LAN, use the MAC from
> #----- the collector's NIC.
> #-----
> #----- If the collector is multiple hops away, set this to the MAC
> #----- of the Default Gateway's NIC
> #-----
> DESTINATION_MAC="FF:FF:FF:FF:FF:FF"
>
>
> #----- SOURCE_PORT:
> #-----
> #----- defines the source udp port sebek sends to
> #-----
> #----- If multiple sebek hosts are behind NAT the source port
> #----- is one way of distinguishing the two hosts
> #-----
> #----- Range: 1 to 65535
> #----- Range: 0x0001 to 0xffff
> #-----
> SOURCE_PORT=1101
>
>
> #----- DESTINATION_PORT:
> #-----
> #----- defines the destination udp port sebek sends to
> #-----
> #----- ALL HONEYPOTS that belong to the same group NEED
> #----- to use the SAME value for this.
> #-----
> #----- Range: 1 to 65535
> #----- Range: 0x0001 to 0xffff
> #-----
> DESTINATION_PORT=6189
>
>
> #----- MAGIC_VAL
> #-----
> #----- defines the magic value in the sebek record, it
> #----- used along with the Destination Port to identify
> #----- packets to hide from userspace on this host. Its
> #----- an unsigned 32 bit integer.
> #-----
> #----- ALL HONEYPOTS that belong to the same group NEED
> #----- to use the SAME value for this.
> #-----
> #----- Range 1 to 4.29497 billion
> #----- Range 0x00000001 to 0xffffffff
> #-----
> MAGIC_VAL=1111
>
>
> #----- KEYSTROKE_ONLY:
> #-----
> #----- controls if we only collect keystrokes, in this case anything that
> #----- has a read length of 1. This is a binary option.
> #-----
> #----- if set to 1: will only collect keystrokes
> #----- if set to 0: will collect ALL read data
> #-----
> KEYSTROKE_ONLY=1
>
>
>
> #----- SOCKET_TRACKING:
> #-----
> #----- Controls if we only collect information on network connections
> #----- This is a binary flag.
> #-----
> #----- if set to 1: will track socket connections
> #----- if set to 0: will not track sockets
> #-----
> SOCKET_TRACKING=1
>
>
> #----- WRITE_TRACKING:
> #-----
> #----- Experimental feature. For now, its use is not recommended.
> #----- We have observed stability problems.
> #-----
> #----- if set to 1: will record ALL write activity
> #----- if set to 0: will not record write activity
> WRITE_TRACKING=0
>
>
> #----- TESTING:
> #-----
> #----- Used to make the module hidden
> #-----
> #----- if set to 1: kernel module in testing mode
> #----- if set to 0: kernel module will hide itself
> #-----
> TESTING=1
>
>
> #---- MODULE NAME:
> #------
> #---- Used to control the name of the module, this should NOT be set to sebek
> #----
> #---- if set this defines the variable, if not a random name is selected
> #----
> #---- example MODULE_NAME="foobar.ko"
> #----
> MODULE_NAME=
>
>
> #------------------------------------------------------------------------------
> #----- !! END OF USER CONFIGURABLE OPTIONS !!----------------------------------
> #------------------------------------------------------------------------------
>
>
> #----- source parameters -----
> . ./parameters.sh
>
>
> #------------------------------------------------------------------------------
> echo $"Installing Sebek:"
>
>
> if [ $DESTINATION_PORT -eq 0 ] ; then
> echo $" ERROR: Undefined Destination Port"
> exit 1
> fi
>
> if [ $MAGIC_VAL -eq 0 ] ; then
> echo $" ERROR: Undefined Magic Value"
> exit 1
> fi
>
>
> if [ ! $MODULE_NAME ] ; then
> MODULE_NAME=${RAND_MOD_NAME}
> fi
>
>
> if [ $FILTER ]; then
> export LANG=POSIX
> ./compile_filter.pl -i ${FILTER} -o ./filter.of
> RETVAL=$?
>
> if [ $RETVAL -ne 0 ] ; then
> echo $" unable to compile filter";
> exit 1
> fi
>
> FILTER="./filter.of";
> fi
>
>
>
> cp sbk.ko ${MODULE_NAME}
>
> /sbin/insmod ${MODULE_NAME} ${DIP_PARM}=${DESTINATION_IP}\
> ${DMAC_PARM}=${DESTINATION_MAC}\
> ${DPORT_PARM}=${DESTINATION_PORT}\
> ${SPORT_PARM}=${SOURCE_PORT}\
> ${INT_PARM}=${INTERFACE} \
> ${KSO_PARM}=${KEYSTROKE_ONLY}\
> ${ST_PARM}=${SOCKET_TRACKING}\
> ${WT_PARM}=${WRITE_TRACKING}\
> ${MAGIC_PARM}=${MAGIC_VAL}\
> ${FILTER_PARAM}=${FILTER}\
> ${TESTING_PARM}=${TESTING}
>
> RETVAL=$?
>
> if [ $RETVAL -eq 0 ] ; then
> #----- sebek module install succeeded
> echo $" ${MODULE_NAME} installed successfully"
>
> else
> #----- install of the sebek module failed.
> echo $" ${MODULE_NAME} install failed"
>
> fi
>
>
_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall