Honeypots
Walleye not displaying Sebek3 data Aug 31 2006 08:40PM
Cindy Jenkins (cj u washington edu)
Well, since I posted this question, I still have had no luck on
solving this issue. Does anyone have Sebek3 under Walleye functioning
correctly?

I have discovered how to manually wipe the walleye database to clear
the sensor data, and can manually extract the data from walleye_0_3/
sys_read/data element. But this is highly time consuming and not the
best method to fish out the sebek data when I need to do forensics on
a host.

I can use the sebek viewer and logger perl scripts to see the data
live on the screen, as well as use tcpdump to see it, both tools show
the sebek keystrokes with no issue. I can then go to the walleye_0_3
mysql db and pull the data out to a file and see it there as well. So
I know the clients are communicating and sebek is storing the data in
the db. But walleye will not show the sebek data at all. It shows on
the main screens that clients are "sebekd". But when I go into the
process list it shows the top level PID and command name, like
cmd.exe, but does not show any read details, such as what was typed
in the cmd window.

I am ready to throw the towel in on the web interface and cobble up
something using perl and mysql to manually extract the data. Which
seems a horrible waste of time and effort since I had thought walleye
was supposed to do this? So before I go to the effort to code a
solution, anybody have suggestions on why walleye does not display
the data?

--CJ

---Previous message ----------------
On Aug 16, 2006, at 1:01 PM, Cindy Jenkins wrote:
Hello all,

I have been trying to track the issue down and cannot find any
information on this problem online.

Environment:
Hwall server ROO hw1.0-189
Honeypots: FC3 2.6, Win2KPro, WinXP, Mac OS X
Syslog server: FC3 log server
Software: Sebek 3.03l server and clients, 2.6 kernel on FC3 client

Problem: Walleye not showing read details for sebek data

Situation:
I can see the sebek traffic arriving on the Hwall server using the
sbk_ks_log.pl or viewer scripts. So I know the clients are sending
traffic. I can also see that the mysql files for sys_read, sys_open,
and process all update file sizes and date stamps when I send data
over from a client. I presume this means the database is recording
the data.

The variables we have in honeywall.conf for sebek are below. Are they
correct? Do I need to define the HwSEBEK_DST_IP on the Hwall to be
the IP number for the command interface? eth2 is our ssh/walleye
line, eth0 and eth1 make up the br0 bridge for the honeypots. Neither
eth0 nor eth1 has an IP assigned.

HwSEBEK_DST_IP=192.168.1.34
HwSEBEK_LOG=yes
HwSEBEK_FATE=ACCEPT
HwSEBEK_log=yes
HwSEBEK_DST_PORT=7701
HwSEBEK=yes

I can see Sebek traffic in Walleye, including process lists, but there
are no details, like the keystrokes we type in. The viewer and
ks_log when run manually show the keystrokes, but they are not in
Walleye. I can see traffic flowing via tcpdump as well. I have checked
the log files for errors and do not find anything reporting on file
permissions or such like that. So, any ideas?

I have read all the KYE papers on the theory and implementation of
sebek, but I can't find any hard core data on the installation and
setup. And there is no troubleshooting data on this problem, at least
that I can locate.

Thanks!
CJ
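The fallback the poster describes, pulling the sys_read records out of the walleye_0_3 database and reassembling them into per-process keystroke streams, is the kind of script an analyst ends up writing when the web UI fails. The following is an added example, not code from the post, from Walleye or from the Sebek distribution. It assumes a hypothetical sys_read layout (host_ip, pid, fd, command, ts, counter, data) that stands in for the real walleye_0_3 schema, which must be checked before running anything against a honeywall, and it uses an in-memory SQLite table in place of MySQL so it runs offline on constructed sample rows.

```python
"""Reassemble Sebek keystroke streams from sys_read records.

Added example; not part of the mailing-list post or of Walleye/Sebek.
The column names below are an ASSUMED mapping of Sebek record fields
(pid, fd, command, time, counter, data) onto a sys_read table.  Verify
them against the real walleye_0_3 schema before use.
"""
import sqlite3
from collections import defaultdict

# Constructed sample rows: keystrokes typed into cmd.exe on one honeypot
# and into bash on another, interleaved the way Sebek delivers them.
# Column order: host_ip, pid, fd, command, ts, counter, data
SAMPLE_ROWS = [
    ("10.0.0.5", 1234, 0, "cmd.exe", 1156000001, 1, b"d"),
    ("10.0.0.5", 1234, 0, "cmd.exe", 1156000002, 2, b"i"),
    ("10.0.0.7", 4410, 0, "bash",    1156000002, 1, b"i"),
    ("10.0.0.5", 1234, 0, "cmd.exe", 1156000003, 3, b"r"),
    ("10.0.0.7", 4410, 0, "bash",    1156000003, 2, b"d"),
    ("10.0.0.5", 1234, 0, "cmd.exe", 1156000004, 4, b"\r"),
    ("10.0.0.7", 4410, 0, "bash",    1156000004, 3, b"\n"),
    ("10.0.0.5", 1234, 0, "cmd.exe", 1156000005, 5, b"\xff"),  # non-text byte
    ("10.0.0.5", 1234, 3, "cmd.exe", 1156000005, 6, b"file-read"),  # not stdin
]


def load_sample_db():
    """Build the in-memory stand-in for the walleye_0_3 sys_read table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sys_read (host_ip TEXT, pid INTEGER, fd INTEGER, "
        "command TEXT, ts INTEGER, counter INTEGER, data BLOB)"
    )
    conn.executemany("INSERT INTO sys_read VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def reconstruct_streams(conn, fd=0):
    """Return {(host_ip, pid, command): bytes} for one fd, in record order.

    fd 0 is stdin, where interactive keystrokes arrive; reads on other
    descriptors (files, sockets) are left out unless asked for.  Ordering
    by (ts, counter) keeps same-second records in Sebek's own sequence.
    """
    cur = conn.execute(
        "SELECT host_ip, pid, command, data FROM sys_read "
        "WHERE fd = ? ORDER BY ts, counter",
        (fd,),
    )
    streams = defaultdict(bytearray)
    for host_ip, pid, command, data in cur:
        streams[(host_ip, pid, command)].extend(data)
    return {key: bytes(buf) for key, buf in streams.items()}


def render(data):
    """Printable view of a byte stream: CR and LF become newlines,
    other non-printable bytes are shown as <hex> so nothing is lost."""
    out = []
    prev = None
    for b in data:
        if b == 13 or (b == 10 and prev != 13):
            out.append("\n")
        elif b == 10:
            pass  # LF right after CR: same line break
        elif 32 <= b <= 126:
            out.append(chr(b))
        else:
            out.append("<%02x>" % b)
        prev = b
    return "".join(out)


def keystrokes_by_process(conn):
    """Rendered stdin stream per (host, pid, command)."""
    return {key: render(buf) for key, buf in reconstruct_streams(conn).items()}


if __name__ == "__main__":
    db = load_sample_db()
    for (host, pid, cmd), text in sorted(keystrokes_by_process(db).items()):
        print("%s pid=%d %s\n%s" % (host, pid, cmd, text))
```

On a real honeywall the only change is the connection: replace sqlite3 with a MySQL driver pointed at walleye_0_3 and keep the same query, after confirming the column names. Filtering on fd 0 is what separates typed commands from the file and socket reads Sebek also captures.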

Copyright 2010, SecurityFocus