On Fri, Sep 19, 2008 at 4:00 AM, <[EMAIL PROTECTED]> wrote:

> From: Dave <[EMAIL PROTECTED]>
> Subject: Re: [Honeywall] Re: Sebek Install problem
>
> Excellent, I read your previous email first and was beginning to think
> it was a kernel issue.
> Glad you got it sorted.
>
> I am very much a linux, honeywall, sebek beginner myself so I cannot
> really help you with the ssh packet stream. I think the tools
> sbk_extract and sbk_ks_log.pl will allow you to first extract sebek
> packets from a tcpdump file then view the attackers key strokes.
>
> http://www.honeynet.org/papers/sebek.pdf

Usually I view the logs via walleye, but this sure sounds handy (will give it a go). Thanks. The only problem with walleye is that you have to dig down the process tree till you hit the information you were looking for (keystrokes/passwords/files). I scp'd a flat text file onto the honeypot to test, but the logs only highlight the file name, location and permissions, not the file/binary contents. This was done by inserting the module with KEYSTROKE_ONLY=0, which suggests that the only way to retrieve/extract the file/binary is to get it off the honeypot from the location pointed to by the sebek logs - not passively via sebek.

> I am having problems myself with ssh, although others from outside my
> LAN can connect and attempt to brute ssh, I cannot when I attempt to
> connect to ssh via my external IP the one provided by my ISP my machine
> or the router keeps sending a reset packet after the syn-ack handshake.
>
> I can connect to the other services on the honeypot like Samba and my
> LAMP based website via my external IP but ssh is a no go.
>
> Dave

This is unusual & seems like a firewall issue; try flushing iptables at the honeypot to test this hypothesis (if the reset packet is generated by the honeypot). Otherwise check your router for any rule against your honeypot:ssh (if the reset is coming from the router). An interesting, rather crude exercise would be to try ssh into your honeypot from the honeywall (test by assigning the management interface an IP from your current subnet - should be on same LAN to avoid routing if any probs during testing).
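The "is the reset coming from the honeypot or from the router" question above, as an added example that is not part of the thread: a short Python check, run over constructed tcpdump-like lines captured at the connecting client, that decides whether the RST is consistent with the honeypot's own stack (same TTL and continuing sequence number as its SYN-ACK) or looks injected by a middlebox one hop closer. The record layout, field names and addresses are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed, simplified tcpdump-like records as seen from the CLIENT that tried
# to ssh to the honeypot's public address (documentation ranges, not real hosts).
MIDDLEBOX_TRACE = """\
IP (ttl 64) 192.0.2.10.40000 > 198.51.100.5.22: Flags [S], seq 500
IP (ttl 61) 198.51.100.5.22 > 192.0.2.10.40000: Flags [S.], seq 9000, ack 501
IP (ttl 64) 192.0.2.10.40000 > 198.51.100.5.22: Flags [.], seq 501, ack 9001
IP (ttl 63) 198.51.100.5.22 > 192.0.2.10.40000: Flags [R], seq 9001, ack 501
"""
SERVER_TRACE = MIDDLEBOX_TRACE.replace("ttl 63", "ttl 61")  # RST with the server's TTL

@dataclass
class Pkt:
    src: str
    dst: str
    flags: str
    ttl: int
    seq: int
    ack: Optional[int]

# Assumed record layout: "ttl N) src > dst: Flags [..], seq N[, ack N]"
LINE_RE = re.compile(
    r"ttl (\d+)\) (\S+) > (\S+): Flags \[([^\]]*)\], seq (\d+)(?:, ack (\d+))?")

def parse(text: str) -> List[Pkt]:
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not TCP summaries
        ttl, src, dst, flags, seq, ack = m.groups()
        pkts.append(Pkt(src, dst, flags, int(ttl), int(seq), int(ack) if ack else None))
    return pkts

def classify_rst(pkts: List[Pkt], server: str) -> str:
    """Who most likely sent the RST that ended the handshake with `server` ("ip.port")?"""
    synack = next((p for p in pkts if p.src == server and p.flags == "S."), None)
    rst = next((p for p in pkts if p.src == server and "R" in p.flags), None)
    if synack is None or rst is None:
        return "no-rst"
    # A reset from the server's own stack arrives with the same TTL as its SYN-ACK
    # (same hop distance) and continues its sequence space (SND.NXT). A router or
    # firewall one hop closer shows a different TTL, often with a seq it cannot know.
    if rst.ttl == synack.ttl and rst.seq == synack.seq + 1:
        return "server"
    return "middlebox"
```

If the verdict is "server", flushing iptables on the honeypot is the right first test; if it is "middlebox", look at the router rules first.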
_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall
