Honeypots
mailing list archives
Re: Sebek Server and ICMP Host Unreacheable
From: Edward Balas <ebalas () iu edu>
Date: Mon, 10 May 2004 20:29:52 -0500 (EST)
On Mon, 10 May 2004, Major Sylvain Leblanc wrote:
Hello everyone,
I think I may be missing something, please let me know. I installed the
Sebek server and Linux client on two VMWare RedHat 9 VMs. Works like a
charm!
However, when I sniff the network traffic on the client using snort, I
can see "ICMP Host Unreachable" packets being generated by the server.
Running netstat on the server shows me that no processes are tied to my
Sebek destination port, so I presume that the server is "sniffing" the
keystroke data right off the interface.
I am pretty sure that I could netstat a dummy process to my Sebek
destination port so the server will not send "ICMP Host Unreachable"
packets. Easy to fix, but this seems to me to be a fairly easy
"fingerprint" that shows an attacker that something is not quite right
which may give away the Honeypot. Any thoughts?
Sly,
I would recommend not using the real server's IP address
in the destination IP field. If the server is on the local LAN it
doesn't really matter what the IP DST is, so long as you have
the MAC address correct, or set to the Ethernet Bcast address; you should be
fine if you set the DST IP to a non-existent host.
Otherwise, I suggest the use of packet filters on the server to
silently drop the sebek traffic (the sebek server collects
using libpcap so the filters won't inhibit collection).
Edward
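One way to confirm in a capture that the server has stopped answering Sebek datagrams with ICMP errors, as an added Python example that is not from this thread or the Sebek project: it parses ICMP Destination Unreachable messages and reports the ones whose quoted datagram was UDP to the Sebek port. The port 1101, the 10.0.0.x addresses and the packets themselves are assumptions constructed inline, not captured traffic.

```python
import socket
import struct

SEBEK_PORT = 1101  # assumption: the UDP port the Sebek client is configured to send to

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp_datagram(src, dst, sport, dport, data):
    return ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)

def icmp_unreachable(reporter, victim, code, offending):
    """ICMP type 3 error quoting the offending IP header plus 8 bytes (RFC 792)."""
    return ipv4(reporter, victim, 1, struct.pack("!BBHI", 3, code, 0, 0) + offending[:28])

def leaked_unreachable(frame, sebek_port=SEBEK_PORT):
    """Return (reporter_ip, icmp_code) when `frame` is an ICMP Destination
    Unreachable whose quoted datagram was UDP to sebek_port, otherwise None."""
    if (frame[0] >> 4) != 4 or frame[9] != 1:      # not an IPv4 ICMP packet
        return None
    icmp = frame[(frame[0] & 0x0F) * 4:]
    if len(icmp) < 8 or icmp[0] != 3:              # not Destination Unreachable
        return None
    inner = icmp[8:]                               # the quoted offending datagram
    if len(inner) < 20 or inner[9] != 17:          # need its IP header, and UDP inside
        return None
    off = (inner[0] & 0x0F) * 4 + 2                # offset of the UDP destination port
    if len(inner) < off + 2:
        return None
    (dport,) = struct.unpack("!H", inner[off:off + 2])
    return (socket.inet_ntoa(frame[12:16]), icmp[1]) if dport == sebek_port else None

def scan(frames, sebek_port=SEBEK_PORT):
    """Every leaking ICMP error found in a sequence of raw IPv4 frames."""
    return [hit for hit in (leaked_unreachable(f, sebek_port) for f in frames) if hit]

# Constructed sample: honeypot 10.0.0.5 sends Sebek data to server 10.0.0.2, which
# answers with ICMP port unreachable (code 3); a router's host unreachable (code 1)
# for unrelated DNS traffic must not be flagged.
SEBEK_PKT = udp_datagram("10.0.0.5", "10.0.0.2", 40000, SEBEK_PORT, b"keystrokes")
SAMPLE_FRAMES = [
    SEBEK_PKT,
    icmp_unreachable("10.0.0.2", "10.0.0.5", 3, SEBEK_PKT),          # the leak
    icmp_unreachable("10.0.0.1", "10.0.0.5", 1,                      # unrelated
                     udp_datagram("10.0.0.5", "10.0.0.9", 40001, 53, b"dns")),
]
```

Feed it the IPv4 frames from a libpcap capture taken on the server after adding the filter rule; an empty result means the server no longer reveals that nothing listens on the port.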