Honeypots: Re: sebek server question

Re: sebek server question

From: Edward Balas <ebalas_at_anml.iu.edu>
Date: Fri, 9 Jul 2004 14:48:47 -0500

Hey Kathy,

Ok so here is the rub.

The -f argument is used to tell sbk_extract to recover the sebek packets from the specified pcap file. sbk_extract then extracts the sebek information from the packet and sends a binary representation of that to STDOUT. Typically you pipe the output of sbk_extract to a processing utility such as sbk_ks_log.pl or sbk_upload.pl.

It is an error that sbk_extract allows you to specify both an interface and a file to receive input on. As it currently stands, independent of the order the arguments are presented, if the -f argument is used, sbk_extract will look to read packets in from a file, ignoring the interface specification.

For Sebek, it is currently recommended that you use the raw packets in pcap format as the canonical raw data source. If you need to capture on one system and examine on another, then I would use tcpdump, snort or another sniffer with a filter to capture the Sebek packets, then on the analysis system use the -f arg in sbk_extract to process the pcap file.

Does that help?

Edward

On Jul 9, 2004, at 6:24 AM, Kathy Simm wrote:

> I have sebek client running on my honeypot. On my honeywall I start
> rcfirewall, snort and snortinline. When I try the following on my
> honeywall, I see all the keystrokes fine:
> sbk_extract -i eth2 -p 1101 | sbk_ks_log.pl
>
>
> However, when I try to send the sebek info to a file (for later
> processing), it never works. I type the following:
> sbk_extract -f sebekout -i eth2 -p 207373 &
>
> I then take the file sebekout, cat it, and send it to either sbk-ks_log
> or sbk_upload.pl. Neither script appears to work, but neither
> generates errors.
>
> What format should this file be? ASCII?
>
> I have also tried just tcpdumping the interface (tcpdump -i eth2 -w
> tcpdumpout) and feeding this to sbk-extract and all I get is Bad Dump
> File Format.
>
> I've read the docs, but for those of us who are collecting the data,
> and transferring to another system (manually, the client won't allow
> auto stuff) things are a bit murky. Can someone help? thanks
>
>
Received on Jul 10 2004
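A check for the "Bad Dump File Format" situation in the quoted message: before handing a file to sbk_extract -f, confirm it really is a libpcap capture (the binary stream sbk_extract itself writes to STDOUT is not one, and neither is a file that was never written by a pcap-aware sniffer). This is an added example, not Sebek's or the Honeynet Project's own code; the capture it builds is a constructed sample, not real Sebek traffic, and the field layout follows the classic libpcap file header.

```python
import struct

PCAP_HEADER_LEN = 24   # libpcap global header size in bytes
PCAP_RECORD_LEN = 16   # per-packet record header size in bytes
PCAP_MAGICS = {0xA1B2C3D4: "us", 0xA1B23C4D: "ns"}  # magic -> timestamp resolution


def inspect_pcap(data: bytes) -> dict:
    """Validate an in-memory libpcap file and summarise its header and record count.

    Returns {"ok": False, "reason": ...} for anything that is not a well-formed
    pcap, i.e. the kind of input a pcap reader such as sbk_extract -f rejects.
    """
    if len(data) < PCAP_HEADER_LEN:
        return {"ok": False, "reason": "shorter than a pcap global header"}
    for endian in ("<", ">"):                      # the writer's byte order is unknown
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in PCAP_MAGICS:
            break
    else:
        return {"ok": False, "reason": "no libpcap magic number (not a pcap file)"}
    vmaj, vmin, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:PCAP_HEADER_LEN])
    packets, offset = 0, PCAP_HEADER_LEN
    while offset < len(data):                       # walk every record header
        if len(data) - offset < PCAP_RECORD_LEN:
            return {"ok": False, "reason": f"truncated record header at offset {offset}"}
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + PCAP_RECORD_LEN])
        offset += PCAP_RECORD_LEN
        if incl_len > orig_len or offset + incl_len > len(data):
            return {"ok": False, "reason": f"packet {packets} has an invalid or truncated length"}
        offset += incl_len
        packets += 1
    return {"ok": True, "version": f"{vmaj}.{vmin}", "byte_order": endian,
            "snaplen": snaplen, "linktype": linktype,
            "timestamps": PCAP_MAGICS[magic], "packets": packets}


def build_sample_pcap(payloads, endian="<") -> bytes:
    """Constructed sample capture (Ethernet, linktype 1); NOT real Sebek traffic."""
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(
        struct.pack(endian + "IIII", 1089400000 + i, 0, len(p), len(p)) + p
        for i, p in enumerate(payloads))
    return header + records


if __name__ == "__main__":
    print(inspect_pcap(build_sample_pcap([b"\x00" * 60, b"\x00" * 42])))
    # A non-pcap byte stream (like sbk_extract's own STDOUT) is rejected here:
    print(inspect_pcap(b"\x00" * 40))
```

Run it against the file you intend to feed sbk_extract with `inspect_pcap(open(path, "rb").read())`; an `ok: False` result means the file was not produced by a pcap writer such as tcpdump -w.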
