Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Honeypots: RE: Problems capturing sebek win32 3.0.3 traffic on roo honeywall

RE: Problems capturing sebek win32 3.0.3 traffic on roo honeywall

From: Michael A. Davis <mike_at_datanerds.net>
Date: Tue, 18 Oct 2005 19:20:53 -0500

Can you run tcpdump on roo and send me the pcap output? I cannot reproduce
this in my testing here. Also, what version of roo? Is it 1.0hw189?

Thanks,
Michael A. Davis
Chief Executive Officer
Savid Technologies, Inc.
Main: 708.243.2850
http://www.savidtech.com

This email may contain confidential and privileged information for the sole
use of the intended recipient. Any review or distribution by others is
strictly prohibited. If you are not the intended recipient, please contact
the sender and delete all copies of this message.

> -----Original Message-----
> From: Compton, Rich [mailto:RCompton_at_chartercom.com]
> Sent: Tuesday, October 18, 2005 4:39 PM
> To: honeypots_at_securityfocus.com
> Subject: Problems capturing sebek win32 3.0.3 traffic on roo honeywall
>
> Hello all,
>
> I was wondering if you could help me out with a problem I'm
> having w/ the Sebek server running on a roo 1.0 honeywall
> (not the newest 1.0.189 version).
> I have installed the win32 3.0.3 client and specified a
> destination IP of 6.6.6.6 and a UDP port of 666. I'm running
> the sebek server w/ the
> command:
> /usr/bin/perl /usr/sbin/sebekd.pl -U hflow -W honey -p 666 -i
> eth1 -l /var/run/sebek-pipe -I <my honeywall management ip>
> When I look at my log in /var/log/sebekd I see the following:
> malformed sebek record: data length=34 packet caplen=166
> malformed sebek record: data length=36 packet caplen=170
> malformed sebek record: data length=2 packet caplen=102
> malformed sebek record: data length=47 packet caplen=192
> malformed sebek record: data length=40 packet caplen=178
> malformed sebek record: data length=2 packet caplen=102
> malformed sebek record: data length=41 packet caplen=180
> malformed sebek record: data length=2 packet caplen=102
> malformed sebek record: data length=49 packet caplen=196
> malformed sebek record: data length=2 packet caplen=102
> malformed sebek record: data length=51 packet caplen=200
> malformed sebek record: data length=2 packet caplen=102
> malformed sebek record: data length=48 packet caplen=194
>
> I see traffic being generated from my honeypot when I execute
> commands.
> I don't see any data in the database either.
>
> Any help you could provide would be greatly appreciated.
>
> Thank you,
> Richard Compton
> Network Security Supervisor
> Charter Communications
> 12405 Powerscourt Drive
> St. Louis, MO 63131
> W: 314-543-2506
> C: 314-568-2876
>
Received on Oct 18 2005

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos