Hi list,
I'm trying to understand the tables of walleye_0_3 in detail,
specifically how process_ids relate to command_ids and how the
database represents trees of processes.
I have a freshly installed honeywall with one sebek'ed honeypot behind
it. I've logged in to the honeypot and generated a bunch of sys_read
data which has successfully made it to the database. I get the
following in my process_to_com table:
mysql> select * from process_to_com where process_id = 44;
+-----------+------------+------------+---------------+
| sensor_id | process_id | command_id | to_be_deleted |
+-----------+------------+------------+---------------+
| 167772226 | 44 | 11 | 0 |
| 167772226 | 44 | 6 | 0 |
+-----------+------------+------------+---------------+
2 rows in set (0.00 sec)
I'd assumed (wrongly, apparently) that process_to_com would be a
one-to-one mapping of process_id to command_id. If I look up the
command name in the command table, it would seem that process 44 is
both sshd and bash:
mysql> select * from command where command_id=11;
+-----------+------------+------+
| sensor_id | command_id | name |
+-----------+------------+------+
| 167772226 | 11 | sshd |
+-----------+------------+------+
1 row in set (0.02 sec)
mysql> select * from command where command_id=6;
+-----------+------------+------+
| sensor_id | command_id | name |
+-----------+------------+------+
| 167772226 | 6 | bash |
+-----------+------------+------+
1 row in set (0.00 sec)
How does one interpret this?
There are also some processes absent from process_to_com entirely,
like processes 7 and 12:
mysql> select * from process_to_com;
+-----------+------------+------------+---------------+
| sensor_id | process_id | command_id | to_be_deleted |
+-----------+------------+------------+---------------+
| 167772226 | 1 | 1 | 0 |
| 167772226 | 4 | 1 | 0 |
| 167772226 | 4 | 2 | 0 |
| 167772226 | 5 | 3 | 0 |
| 167772226 | 6 | 4 | 0 |
| 167772226 | 8 | 5 | 0 |
| 167772226 | 9 | 6 | 0 |
| 167772226 | 11 | 7 | 0 |
| 167772226 | 13 | 8 | 0 |
| 167772226 | 14 | 7 | 0 |
| 167772226 | 15 | 7 | 0 |
(etc)
But which do appear in process_tree as parent processes:
mysql> select * from process_tree;
+-----------+---------------+----------------+---------------+
| sensor_id | child_process | parent_process | to_be_deleted |
+-----------+---------------+----------------+---------------+
| 167772226 | 4 | 1 | 0 |
| 167772226 | 5 | 4 | 0 |
| 167772226 | 8 | 7 | 0 |
| 167772226 | 13 | 7 | 0 |
| 167772226 | 14 | 12 | 0 |
| 167772226 | 17 | 7 | 0 |
(etc)
So here, process_ids 8, 13, and 17 are children of process 7, which
doesn't appear in process_to_com. What does a process with no
associated command mean?
Thanks in advance,
-troy
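As an added example (not part of the original post, and not Walleye's or Sebek's own code), one way to look at the three tables side by side: load the rows quoted above into an in-memory SQLite database and join them, so every command name attached to a process_id is listed together, the process_tree is walked downward from a chosen parent, and process_ids that appear in process_tree but have no process_to_com row at all are reported. The table layouts are assumed from the column headers in the mysql output; only the rows the post actually shows are loaded (the "(etc)" continuations are not reconstructed, and the command table holds just the two rows quoted, so every other command_id resolves to NULL here).

```python
import sqlite3

# Sample rows transcribed from the mysql output quoted in the post (sensor_id
# 167772226). Rows hidden behind "(etc)" are not reconstructed, and the command
# table holds only the two rows the post shows (6 = bash, 11 = sshd), so every
# other command_id joins to a NULL name.
SENSOR_ID = 167772226
PROCESS_TO_COM = [(1, 1), (4, 1), (4, 2), (5, 3), (6, 4), (8, 5), (9, 6),
                  (11, 7), (13, 8), (14, 7), (15, 7), (44, 11), (44, 6)]
COMMAND = [(11, "sshd"), (6, "bash")]
PROCESS_TREE = [(4, 1), (5, 4), (8, 7), (13, 7), (14, 12), (17, 7)]


def build_db() -> sqlite3.Connection:
    """Create an in-memory copy of the three walleye tables the post quotes.
    Column types are assumed from the headers shown, not from the real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE process_to_com (sensor_id INTEGER, process_id INTEGER,
                                     command_id INTEGER, to_be_deleted INTEGER DEFAULT 0);
        CREATE TABLE command (sensor_id INTEGER, command_id INTEGER, name TEXT);
        CREATE TABLE process_tree (sensor_id INTEGER, child_process INTEGER,
                                   parent_process INTEGER, to_be_deleted INTEGER DEFAULT 0);
    """)
    conn.executemany(
        "INSERT INTO process_to_com (sensor_id, process_id, command_id) VALUES (?, ?, ?)",
        [(SENSOR_ID, p, c) for p, c in PROCESS_TO_COM])
    conn.executemany(
        "INSERT INTO command VALUES (?, ?, ?)",
        [(SENSOR_ID, c, n) for c, n in COMMAND])
    conn.executemany(
        "INSERT INTO process_tree (sensor_id, child_process, parent_process) VALUES (?, ?, ?)",
        [(SENSOR_ID, ch, pa) for ch, pa in PROCESS_TREE])
    conn.commit()
    return conn


def commands_for_process(conn, process_id):
    """All command names attached to one process_id, in command_id order.
    The LEFT JOIN keeps process_to_com rows whose command_id has no command row
    in this sample, so they show up as None instead of disappearing."""
    rows = conn.execute("""
        SELECT c.name
        FROM process_to_com p
        LEFT JOIN command c ON c.sensor_id = p.sensor_id AND c.command_id = p.command_id
        WHERE p.sensor_id = ? AND p.process_id = ?
        ORDER BY p.command_id
    """, (SENSOR_ID, process_id)).fetchall()
    return [name for (name,) in rows]


def descendants(conn, root):
    """Walk process_tree downward from root with a recursive CTE.
    Returns (child, parent, depth) tuples ordered by depth, then child id."""
    return conn.execute("""
        WITH RECURSIVE sub(child, parent, depth) AS (
            SELECT child_process, parent_process, 1
            FROM process_tree WHERE sensor_id = ? AND parent_process = ?
            UNION ALL
            SELECT t.child_process, t.parent_process, sub.depth + 1
            FROM process_tree t JOIN sub ON t.parent_process = sub.child
            WHERE t.sensor_id = ?
        )
        SELECT child, parent, depth FROM sub ORDER BY depth, child
    """, (SENSOR_ID, root, SENSOR_ID)).fetchall()


def processes_without_command(conn):
    """process_ids referenced anywhere in process_tree (as child or parent)
    that have no process_to_com row at all. With the quoted rows this yields
    7 and 12 from the post, plus 17, which only appears here because the
    post's process_to_com listing is cut off at "(etc)"."""
    rows = conn.execute("""
        SELECT DISTINCT pid FROM (
            SELECT child_process AS pid FROM process_tree WHERE sensor_id = ?
            UNION
            SELECT parent_process AS pid FROM process_tree WHERE sensor_id = ?
        )
        WHERE pid NOT IN (SELECT process_id FROM process_to_com WHERE sensor_id = ?)
        ORDER BY pid
    """, (SENSOR_ID, SENSOR_ID, SENSOR_ID)).fetchall()
    return [pid for (pid,) in rows]


if __name__ == "__main__":
    db = build_db()
    print("process 44 ->", commands_for_process(db, 44))
    for child, parent, depth in descendants(db, 7):
        print("  " * depth + f"{parent} -> {child}", commands_for_process(db, child))
    print("in process_tree but not in process_to_com:", processes_without_command(db))
```

Run stand-alone it prints the two names attached to process 44, the three children of process 7 with whatever command names the sample can resolve, and the list of process_ids the tree references without a process_to_com row. Pointing the same three queries at the real MySQL tables (with the full command table loaded) would show the same relationships over the complete data rather than the excerpt quoted above.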