Honeypots: RE: Problems capturing sebek win32 3.0.3 traffic on roo honeywall

RE: Problems capturing sebek win32 3.0.3 traffic on roo honeywall

From: Truong, Thanh V. <ttruong_at_mitre.org>
Date: Wed, 19 Oct 2005 09:43:56 -0400

Michael,
I have the same problem. After a little debugging, I found that
pcapheader->caplen is always equal to [(datlen*2) + pkt_head_sz] but in
your "if" statement (in sbk_extract.c) you check to see if
pcapheader->caplen = datlen + pkt_head_sz. That will fail. So, it
will complain about the malformed package.

After putting that in, it seems to work fine. But I haven't fully
tested to see if all functions work.

I'm running sebekd-3.0.3 on Fedora 4. I hope that and the pcap output from
Rich Compton will help you look into it.

Thanh

-----Original Message-----
From: Michael A. Davis [mailto:mike_at_datanerds.net]
Sent: Tuesday, October 18, 2005 8:21 PM
To: 'Compton, Rich'; honeypots_at_securityfocus.com
Subject: RE: Problems capturing sebek win32 3.0.3 traffic on roo
honeywall

Can you run tcpdump on roo and send me the pcap output? I cannot
reproduce this in my testing here. Also, what version of roo? Is it
1.0hw189?

Thanks,
Michael A. Davis
Chief Executive Officer
Savid Technologies, Inc.
Main: 708.243.2850
http://www.savidtech.com

This email may contain confidential and privileged information for the
sole use of the intended recipient. Any review or distribution by
others is strictly prohibited. If you are not the intended recipient,
please contact the sender and delete all copies of this message.

> -----Original Message-----
> From: Compton, Rich [mailto:RCompton_at_chartercom.com]
> Sent: Tuesday, October 18, 2005 4:39 PM
> To: honeypots_at_securityfocus.com
> Subject: Problems capturing sebek win32 3.0.3 traffic on roo
> honeywall
>
> Hello all,
>
> I was wondering if you could help me out with a problem I'm having w/
> the Sebek server running on a roo 1.0 honeywall (not the newest
> 1.0.189 version).
> I have installed the win32 3.0.3 client and specified a destination IP
> of 6.6.6.6 and a UDP port of 666. I'm running the sebek server w/ the
> command:
> /usr/bin/perl /usr/sbin/sebekd.pl -U hflow -W honey -p 666 -i
> eth1 -l /var/run/sebek-pipe -I <my honeywall management ip> When I
> look at my log in /var/log/sebekd I see the following:
> malformed sebek record: data length=34 packet caplen=166
> malformed sebek record: data length=36 packet caplen=170
> malformed sebek record: data length=2 packet caplen=102
> malformed sebek record: data length=47 packet caplen=192
> malformed sebek record: data length=40 packet caplen=178
> malformed sebek record: data length=2 packet caplen=102
> malformed sebek record: data length=41 packet caplen=180
> malformed sebek record: data length=2 packet caplen=102
> malformed sebek record: data length=49 packet caplen=196
> malformed sebek record: data length=2 packet caplen=102
> malformed sebek record: data length=51 packet caplen=200
> malformed sebek record: data length=2 packet caplen=102
> malformed sebek record: data length=48 packet caplen=194
>
> I see traffic being generated from my honeypot when I execute
> commands.
> I don't see any data in the database either.
>
> Any help you could provide would be greatly appreciated.
>
> Thank you,
> Richard Compton
> Network Security Supervisor
> Charter Communications
> 12405 Powerscourt Drive
> St. Louis, MO 63131
> W: 314-543-2506
> C: 314-568-2876
>
Received on Oct 19 2005
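Thanh's diagnosis (caplen is datlen*2 + pkt_head_sz, not datlen + pkt_head_sz) can be checked against the "malformed sebek record" lines Rich posted: only the factor-2 relation makes every record agree on one constant header size. The script below is an added example, not code from the thread or from sebekd; the log text is a constructed copy of the quoted lines, and the decomposition of the constant header size in the comment is an assumption.

```python
import re

# Constructed copy of the "malformed sebek record" lines quoted in
# Rich Compton's post (taken from /var/log/sebekd on the honeywall).
SEBEKD_LOG = """\
malformed sebek record: data length=34 packet caplen=166
malformed sebek record: data length=36 packet caplen=170
malformed sebek record: data length=2 packet caplen=102
malformed sebek record: data length=47 packet caplen=192
malformed sebek record: data length=40 packet caplen=178
malformed sebek record: data length=2 packet caplen=102
malformed sebek record: data length=41 packet caplen=180
malformed sebek record: data length=2 packet caplen=102
malformed sebek record: data length=49 packet caplen=196
malformed sebek record: data length=2 packet caplen=102
malformed sebek record: data length=51 packet caplen=200
malformed sebek record: data length=2 packet caplen=102
malformed sebek record: data length=48 packet caplen=194
"""

LINE_RE = re.compile(r"data length=(\d+) packet caplen=(\d+)")


def parse_records(log):
    """Return (datalen, caplen) pairs from sebekd 'malformed' messages."""
    return [(int(m.group(1)), int(m.group(2))) for m in LINE_RE.finditer(log)]


def implied_header_sizes(records, factor):
    """Distinct pkt_head_sz values each record implies under the
    hypothesis caplen == factor * datalen + pkt_head_sz."""
    return sorted({caplen - factor * datalen for datalen, caplen in records})


def diagnose(log):
    """Try factor 1 (the check in sbk_extract.c) and factor 2 (Thanh's
    observation); return (factor, pkt_head_sz) for the one under which
    every record implies the same header size, or None if neither fits."""
    records = parse_records(log)
    for factor in (1, 2):
        sizes = implied_header_sizes(records, factor)
        if len(sizes) == 1:
            return factor, sizes[0]
    return None


if __name__ == "__main__":
    # Expected: (2, 98). Assumption: 98 = 14 Ethernet + 20 IPv4 + 8 UDP
    # + 56-byte Sebek v3 record header; the page itself does not break it down.
    print(diagnose(SEBEKD_LOG))
```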
