Excellent, I read your previous email first and was beginning to think it was a kernel issue. Glad you got it sorted.
I am very much a Linux, Honeywall, Sebek beginner myself so I cannot really help you with the SSH packet stream. I think the tools sbk_extract and sbk_ks_log.pl will allow you to first extract Sebek packets from a tcpdump file and then view the attacker's keystrokes: http://www.honeynet.org/papers/sebek.pdf

I am having problems myself with SSH. Although others from outside my LAN can connect and attempt to brute-force SSH, I cannot: when I attempt to connect to SSH via my external IP (the one provided by my ISP), my machine or the router keeps sending a reset packet after the SYN-ACK handshake. I can connect to the other services on the honeypot like Samba and my LAMP-based website via my external IP, but SSH is a no go.

Dave

Fahim Abbasi wrote:
> Ah, Mr. Ubuntu didn't like all the modules being injected into it,
> so I took a reboot of the honeypot, gave it a fresh injection of the Sebek
> module successfully and voila, Sebek process trees started appearing above
> the magnifying glass in Walleye flows :) sweeeeeet !!!
> Testing with SSH, all keystrokes are being logged correctly followed by
> modules & files read and written to in the process. However, I do not see the
> user/password typed in. The SSH flows are encrypted and all is readable
> plaintext till the nodes decide to exchange Diffie-Hellman+SHA ciphers to
> encrypt the stream; after that it's all gibberish. Is there any way to dig the
> u/p of the session out with Sebek, & which is less painful than recompiling
> OpenSSH to log all u/p combinations to some hidden file?
>
> Thanks, fahim

_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall
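A worked example of the extract-then-read step Dave points to, added here and not part of the thread or of the Sebek tools themselves: it packs a few constructed Sebek records, parses them back out of a byte stream (skipping junk between records and a truncated tail) and reassembles fd 0 reads into the typed lines sbk_ks_log.pl would show. The 56-byte Sebek v3 header layout and record type 0 for reads are assumptions taken from the Sebek documentation; the magic, PIDs and keystrokes are constructed sample values.

```python
import struct
from collections import defaultdict
# Assumed Sebek v3 record header, network byte order (56 bytes): magic, ver, type,
# counter, time_sec, time_usec, parent_pid, pid, uid, fd, inode, com[12], length,
# followed by `length` payload bytes.
SBK_HDR = struct.Struct("!IHH" + "I" * 8 + "12sI")
SBK_TYPE_READ = 0   # data a process read(); reads on fd 0 are the typed keystrokes

def pack_record(magic, pid, uid, fd, com, data, rtype=SBK_TYPE_READ, counter=0):
    """Build one constructed Sebek v3 record (header + payload) as sample input."""
    hdr = SBK_HDR.pack(magic, 3, rtype, counter, 0, 0, 1, pid, uid, fd, 0,
                       com.ljust(12, b"\0"), len(data))
    return hdr + data

def parse_records(blob, magic):
    """Return [(fields, payload)] from concatenated records, resyncing over junk."""
    out, off = [], 0
    while off + SBK_HDR.size <= len(blob):
        f = SBK_HDR.unpack_from(blob, off)
        if f[0] != magic or f[1] != 3:
            off += 1                         # not a record start: skip one byte
            continue
        start, end = off + SBK_HDR.size, off + SBK_HDR.size + f[12]
        if end > len(blob):
            break                            # truncated record at end of capture
        rec = {"type": f[2], "pid": f[7], "fd": f[9], "com": f[11].rstrip(b"\0").decode()}
        out.append((rec, blob[start:end]))
        off = end
    return out

def keystroke_lines(records):
    """Reassemble fd 0 reads into typed lines per (pid, com), like sbk_ks_log.pl."""
    buf, lines = defaultdict(bytes), []
    for rec, data in records:
        if rec["type"] != SBK_TYPE_READ or rec["fd"] != 0:
            continue                         # file/socket reads are not keystrokes
        key = (rec["pid"], rec["com"])
        buf[key] += data.replace(b"\r", b"\n")   # Enter arrives as \r on a tty
        while b"\n" in buf[key]:
            line, _, buf[key] = buf[key].partition(b"\n")
            lines.append((rec["pid"], rec["com"], line.decode("latin-1")))
    return lines
MAGIC = 0xD0D0D0D0   # constructed; a real deployment uses its own configured magic
SAMPLE = b"".join([  # constructed capture: split keystrokes, a file read, junk bytes
    pack_record(MAGIC, 4242, 0, 0, b"bash", b"un"),
    pack_record(MAGIC, 4242, 0, 0, b"bash", b"ame -a\r"),
    pack_record(MAGIC, 4242, 0, 3, b"bash", b"contents of a file"),
    b"\xff\xff",
    pack_record(MAGIC, 4243, 0, 0, b"sh", b"id\n"),
])
```

Feeding it the raw records that sbk_extract writes out (rather than SAMPLE) gives the same per-process line view, which is the part of the capture that survives SSH encryption because Sebek records what the process reads, not what crosses the wire.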
