Re: Walleye not displaying Sebek3 data Sep 03 2006 07:49AM
wbmccarty gmail com
I don't have difficulty viewing Sebek3 data using Walleye. I had a honeypot compromised by bad guys using an SSH password-guessing tool and was able to follow their BASH session flawlessly.

Are you clicking the magnifying glass icon of connections you suspect may contain keystroke data? If so, could you be choosing the wrong connections or processes? Often the sys_read calls are issued by a child process of the process associated with the network connection. Figuring out which process has the keystroke data can be a bit difficult sometimes. I myself sometimes find the sbk_extract and sbk_ks_log scripts more useful than the Walleye UI. But, that's not surprising in my case, since I often prefer command-line tools to GUI/web-based UI tools.
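An added example, not part of the original post and not code from Sebek or Walleye: given sys_read records and the pid that owns the network connection, it walks the parent/child links to find which descendant process actually carries the keystroke reads. The record layout, the field names, the sample data, and the "short read on fd 0" heuristic are all assumptions made for illustration; pid reuse is not handled.

```python
from collections import defaultdict

MAX_KEY_READ = 4  # assumed threshold: interactive reads are a few bytes at most

# Constructed sample records (not real Sebek output); field names are assumed.
RECORDS = [
    {"pid": 2101, "ppid": 1,    "com": "sshd",  "fd": 3, "data": b"\x00\x00\x01\x2c"},
    {"pid": 2140, "ppid": 2101, "com": "sshd",  "fd": 5, "data": b"\x17\x03\x01\x00\x20"},
    {"pid": 2141, "ppid": 2140, "com": "bash",  "fd": 0, "data": b"w"},
    {"pid": 2141, "ppid": 2140, "com": "bash",  "fd": 0, "data": b"\r"},
    {"pid": 2141, "ppid": 2140, "com": "bash",  "fd": 0, "data": b"i"},
    {"pid": 2141, "ppid": 2140, "com": "bash",  "fd": 0, "data": b"d"},
    {"pid": 2141, "ppid": 2140, "com": "bash",  "fd": 0, "data": b"\r"},
    {"pid": 2150, "ppid": 2141, "com": "wget",  "fd": 3, "data": b"HTTP/1.0 200 OK\r\n"},
    {"pid": 900,  "ppid": 1,    "com": "getty", "fd": 0, "data": b"x"},  # unrelated
]

def descendants(records, root_pid):
    """Return root_pid plus every pid reachable from it through ppid links."""
    children = defaultdict(set)
    for r in records:
        children[r["ppid"]].add(r["pid"])
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children[pid])
    return seen

def keystroke_candidates(records, conn_pid):
    """Rank processes under conn_pid by how many keystroke-like reads they made."""
    tree = descendants(records, conn_pid)
    per_pid = defaultdict(lambda: {"com": "", "reads": 0, "keys": b""})
    for r in records:
        # Assumed heuristic: typed input shows up as short reads on stdin (fd 0).
        if r["pid"] in tree and r["fd"] == 0 and len(r["data"]) <= MAX_KEY_READ:
            entry = per_pid[r["pid"]]
            entry["com"] = r["com"]
            entry["reads"] += 1
            entry["keys"] += r["data"]
    ranked = sorted(per_pid.items(), key=lambda kv: kv[1]["reads"], reverse=True)
    return [(pid, e["com"], e["reads"],
             e["keys"].decode("ascii", "replace").replace("\r", "\n"))
            for pid, e in ranked]

if __name__ == "__main__":
    # 2101 is the (constructed) sshd pid tied to the connection of interest.
    for pid, com, reads, text in keystroke_candidates(RECORDS, 2101):
        print(f"pid={pid} com={com} reads={reads} keys={text!r}")
```

Here the connection belongs to sshd (pid 2101), but the typed commands surface two levels down, under the bash process.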


