Honeypots: Sebek Server and ICMP Host Unreacheable

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Honeypots mailing list archives

Sebek Server and ICMP Host Unreacheable

From: Major Sylvain Leblanc <leblanc-s () rmc ca>
Date: Mon, 10 May 2004 15:46:11 -0400

Hello everyone,

I think I may be missing something, please let me know. I installed theSebek server and Linux client on two VMWare RedHat 9 VMs. Works like acharm!However, when I sniff the network traffic on the client using snort, Ican see "ICMP Host Unreachable" packets being generated by the server.Running netstat on the server shows me that no processes are tied to mySebek destination port, so I presume that the server is "sniffing" thekeystroke data right off the interface.I am pretty sure that I could netstat a dummy process to my Sebekdestination port so the server will not send "ICMP Host Unreachable"packets. Easy to fix, but this seems to me to be a fairly easy"fingerprint" that shows an attacker that something is not quite rightwhich may give away the Honeypot. Any thoughts?


Sly
--
Professeur adjoint
le major


S.P. Leblanc, P.Eng.
Major
Assistant Professor
Phone: (613) 541-6000 Extension 6355
Fax: (613) 541-6315
http://www.rmc.ca/academic/busadm/staff/leblanc_f.html

By Date By Thread

Current thread:

Sebek Server and ICMP Host Unreacheable Major Sylvain Leblanc (May 10)
- Re: Sebek Server and ICMP Host Unreacheable Edward Balas (May 10)