Honeypots
mailing list archives
Re: pcap log analysis
From: "Joe Hickory" <J.Hickory () gmx net>
Date: Wed, 28 Jul 2004 23:48:59 +0200 (MEST)
Hey Joe,
Can you provide a bit more detail on what your configuration was with the sebek server that crashed on you? For instance were you using sbk_upload.pl to consume the extracted data? Also can you send me a copy of the offending file? I attempted to duplicate but have been unsuccessful. Mostly because I am not sure that I have the correct file, on linux I believe the equiv. files are in /usr/share/zoneinfo, but...
ok,
in the sbk_upload.pl downloaded from here:
http://www.honeynet.org/tools/sebek/sebek-server-2.1.6.tar.gz
they have a line:
my $uid = "sebek";
for connecting with that uid to the mysql server. but they also use this variable for the uid of the process running on the honeypot. while looping read from network, there is the following line:
($ip,$magic,$ver,$type,$counter,$time_sec,$time_usec,$pid,$uid,$fd,$com,$len) = unpack("NNnnNNNNNNa12N",$line);
there they overwrite the $uid, not so bad, as long as the sql connection does not die because of a broken sql string. i'm here in Europe/Berlin, and you are right, i meant /etc/localtime is a symlink to /usr/share/zoneinfo/...
i only needed to cat /etc/localtime to break the sql string because that file contains one or more ' characters. so the db connection got lost and $uid was changed and no reconnect possible.
so i decoded the data part of the string base64 before building the sql string, and renamed the global $uid to $dbuid. maybe a ' character in the process name or somewhere else will break the sql string, but it'll reconnect again.
hope it's more clear now?
joe
--
NEW: WLAN router for 0 EUR* - also for DSL switchers!
GMX DSL = super cheap & wireless http://www.gmx.net/de/go/dsl
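An added example (not code from the list or from the Sebek project) that transcribes the record layout of the unpack template quoted in the mail into Python, reproduces the broken statement when a payload with a ' in it is interpolated raw, and stores the payload base64-encoded as the mail describes, additionally as a bound parameter rather than string-built SQL. The sqlite3 in-memory table, the table and column names and the constructed record values are assumptions for the demo.

```python
import base64
import sqlite3
import struct

# Sebek v2 record header, transcribed from the perl template "NNnnNNNNNNa12N":
# N = 32-bit big-endian, n = 16-bit big-endian, a12 = 12-byte command name.
# The payload of rec["len"] bytes follows the 52-byte header.
SEBEK_HDR = struct.Struct(">IIHHIIIIII12sI")
FIELDS = ("ip", "magic", "ver", "type", "counter", "time_sec", "time_usec",
          "pid", "uid", "fd", "com", "len")

DB_USER = "sebek"  # kept apart from the record's uid, like the $dbuid rename


def parse_record(raw):
    """Unpack one record; the process uid is a record field, not the DB login."""
    rec = dict(zip(FIELDS, SEBEK_HDR.unpack_from(raw)))
    rec["com"] = rec["com"].rstrip(b"\0").decode("ascii", "replace")
    rec["data"] = raw[SEBEK_HDR.size:SEBEK_HDR.size + rec["len"]]
    return rec


def naive_statement(rec):
    """The failure mode from the thread: raw payload interpolated into SQL."""
    return "INSERT INTO keystrokes (uid, com, data) VALUES ('%d', '%s', '%s')" % (
        rec["uid"], rec["com"], rec["data"].decode("latin-1"))


def safe_insert(conn, rec):
    """Base64-encode the payload and bind it; no quote can end the literal."""
    conn.execute("INSERT INTO keystrokes (uid, com, data) VALUES (?, ?, ?)",
                 (rec["uid"], rec["com"], base64.b64encode(rec["data"]).decode()))


def build_record(uid, com, data):
    """Constructed sample record (not a real capture) for the demo."""
    hdr = SEBEK_HDR.pack(0x0A000005, 0xD0D0D0D0, 1, 0, 1, 1090000000, 0,
                         1234, uid, 0, com.encode(), len(data))
    return hdr + data


def demo():
    """Returns (naive_failed, stored_row) for a payload containing a quote."""
    rec = parse_record(build_record(1000, "cat", b"TZif2'CET"))  # ' inside payload
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keystrokes (uid INTEGER, com TEXT, data TEXT)")
    try:
        conn.execute(naive_statement(rec))
        naive_failed = False
    except sqlite3.Error:  # broken literal: the statement never parses
        naive_failed = True
    safe_insert(conn, rec)
    row = conn.execute("SELECT uid, com, data FROM keystrokes").fetchone()
    return naive_failed, (row[0], row[1], base64.b64decode(row[2]))
```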