Honeypot installation, Sebek with web interface Jan 23 2007 03:56AM
ntruhan kent edu

I am working on a project for my master's thesis on detecting 0-day

There are 3 machines and 2 subnets I am utilizing and this is at my
Just to explain the setup before the question.

I have a cable modem coming into my home into 1 router. This router has a network of 192.168.1.X. Off of this router is another router that is firewalled and contains the subnet 192.168.2.X, which is my private internal network, firewalled behind the router. Off of the 192.168.1.X router, there is also a 10 MB hub. Off of this hub are 2 servers. One is going to be my honeypot with an address of The second is a Snort detection server that has a one-way network cable attached so it can only listen off of the hub and not transmit.

The third server, a database/web server, sits on the 192.168.2.X network for its management interface. It also has 2 more network cards. The first is a bi-directional direct connect to the Snort box, allowing the collection of Snort traffic and allowing the Snort box to get updates via the 192.168.2.X network without getting easily detected. The second is another one-way cable to receive data from the honeypot box without being able to send back, to avoid being easily detected.

The DB/Web and Snort boxes are set up and working; however, right now I only have the base Fedora Core 5 Linux OS installed in text-only mode.

I had intended on using Sebek on the honeypot to detect any activity on the box; however, I downloaded the 2.X version and had intentions of using it, but of course the client only works on kernel 2.4. Also, the web interface was throwing an error that a table called resume was missing. The schema file included with the Sebek server and web interface only defined 1 table.

I looked at the new Roo Honeywall CDROM, which has Sebek version 3; however, unless I am wrong here, my impression, and from trying to install it, is that the machine the CDROM provides actually is the collection server and has Snort and the DB on the same machine, making the hardware requirements higher. This box provides 2 interfaces bridged together to silently pass information into another box, which is the honeypot. It would also seem to need a 3rd interface to receive updates and connect to the outside world, since the other 2 interfaces cannot have IP addresses.

Now to the question....
What I would like to do is install the Sebek client on my honeypot box, the Sebek server on my DB/Web box, and pass the info via the one-way network cable. However, I would need some kind of aggregation web interface like the old Sebek web interface or the analysis piece of the Walleye web interface included with version

Is there any way to extract the analysis part of the Walleye interface or install Walleye on another system outside the Honeywall so I can use it in this configuration?

If not, does anyone have any suggestions on what I can use, similar to Sebek, to capture information from the honeypot, send it to the server, and have it stored in a DB that can be aggregated via a web interface, so I can compare it against the information aggregated from Snort via the BASE web interface?

Thank you,

[ reply ]
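Added example, not code from the post or from the Sebek project: a minimal Python collector for the DB/Web box that receives Sebek client records over the receive-only cable, validates them (magic, version, declared length) and stores them in SQLite for a web front end to aggregate. The record layout, the magic value, the port and the table schema are my assumptions and must be checked against the Sebek version actually installed.

```python
import socket
import sqlite3
import struct
# Sebek v3 record header as I recall it from the client source: 56 bytes, network byte
# order. ASSUMPTION: check these offsets against the Sebek version you actually install.
SBK_HEADER = struct.Struct("!IHHIIIIIIII12sI")
SBK_TYPES = {0: "read", 1: "write", 2: "socket", 3: "open"}
SBK_MAGIC = 0xD0D0D0D0  # constructed placeholder; must equal the magic configured on the client
COLUMNS = ("counter", "ts", "ppid", "pid", "uid", "fd", "inode", "command", "type", "data")

def parse_record(datagram, magic=SBK_MAGIC):
    """Return the fields of one Sebek datagram, or None if it is not a valid v3 record."""
    if len(datagram) < SBK_HEADER.size:
        return None
    (rec_magic, ver, rtype, counter, sec, usec, ppid, pid, uid,
     fd, inode, com, length) = SBK_HEADER.unpack_from(datagram)
    if rec_magic != magic or ver != 3:
        return None      # stray traffic or another Sebek deployment, not ours
    payload = datagram[SBK_HEADER.size:SBK_HEADER.size + length]
    if len(payload) != length:
        return None      # header promises more data than arrived: drop the record
    return {"counter": counter, "ts": sec + usec / 1e6, "ppid": ppid, "pid": pid,
            "uid": uid, "fd": fd, "inode": inode, "data": payload,
            "command": com.split(b"\0", 1)[0].decode("ascii", "replace"),
            "type": SBK_TYPES.get(rtype, "unknown(%d)" % rtype)}

def open_db(path=":memory:"):
    """Create the table a web front end would aggregate from (my schema, not Sebek's)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS sebek (%s)" % ", ".join(COLUMNS))
    return conn

def store(conn, rec):
    conn.execute("INSERT INTO sebek VALUES (%s)" % ",".join("?" * len(COLUMNS)),
                 tuple(rec[k] for k in COLUMNS))
    conn.commit()

def build_record(counter, rtype, pid, uid, command, data, magic=SBK_MAGIC):
    """Constructed sample datagram shaped like the client module's output (offline tests only)."""
    return SBK_HEADER.pack(magic, 3, rtype, counter, 1169524560, 0, 1, pid, uid, 0, 0,
                           command.encode().ljust(12, b"\0"), len(data)) + data

def collect(conn, port=1101):
    """Listen on the receive-only link and store every valid record; 1101 is the assumed default port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    while True:
        rec = parse_record(sock.recvfrom(65535)[0])
        if rec is not None:
            store(conn, rec)
```

Because the cable is receive-only, this collector can never answer ARP, so the Sebek client on the honeypot has to be configured with the collector's MAC address, UDP port and magic value statically rather than resolving them.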


Copyright 2010, SecurityFocus