Honeypots: Re: Information about Sebek 3??

Re: Information about Sebek 3??

From: Edward Balas <ebalas_at_iu.edu>
Date: Wed, 04 Jan 2006 09:50:54 -0500

Jaime Sotelo wrote:

>In sebek 3 there's no sbk_upload.pl but a sbk_diag.pl. I didn't find
>anything (not even the readme file) which reflects this. I'm trying to
>use sebekd.pl to do the work
>
>2006/1/4, Jaime Sotelo <1jasotel_at_gmail.com>:
>
>>I'm looking for information about the latest version of Sebek. I've
>>read the Sebek 2 White Paper and found it very useful. But I
>>don't find anything about Sebek 3 apart from the README file in the
>>sebekd server. Does someone know where I can find more info related to
>>Sebek 3 and its features and how it works, etc??
>>
>>By the way, I'm supposing that sebek 3 just doesn't change so much from
>>the previous version 2 and perhaps it's enough for me with the sebek 2
>>whitepaper. Thanks
>>
Jaime,

The only paper per se on the general topic of sebek 3 is:

http://www.honeynet.org/papers/individual/hflow.pdf

This goes into how sebek 3 enables new types of data fusion/
analysis.

In general sebek 3 is a refinement to version 2; we have
started to monitor additional system calls such as fork and
socket. This allows us to recreate the process tree, which
can act as an organizing structure for analysis. The monitoring
of socket calls allows us to relate specific network flows to
a process, and the combination of both allows us to identify related
network connections.

Hope that helps,

Edward
Received on Jan 04 2006
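As an added illustration of the data fusion Edward describes, and not Sebek's own code or record format: constructed fork and socket records are fused into a process tree, each network flow is attributed to the lineage of the process that opened it, and flows whose processes share a session root are reported as related.

```python
from collections import defaultdict

ROOT_PID = 1  # init; in this illustration a fork from it starts a new session

# Constructed sample records (a simplified stand-in, NOT Sebek's wire format):
# a fork record carries parent pid, child pid and command name; a socket
# record carries the calling pid and the flow it opened.
RECORDS = [
    {"type": "fork", "ppid": 1, "pid": 100, "comm": "sshd"},
    {"type": "fork", "ppid": 100, "pid": 101, "comm": "bash"},
    {"type": "fork", "ppid": 101, "pid": 102, "comm": "wget"},
    {"type": "socket", "pid": 102, "flow": "10.0.0.5:41234->203.0.113.9:80"},
    {"type": "fork", "ppid": 101, "pid": 103, "comm": "nc"},
    {"type": "socket", "pid": 103, "flow": "10.0.0.5:41235->203.0.113.9:8080"},
    {"type": "fork", "ppid": 1, "pid": 200, "comm": "cron"},
]


def build_process_tree(records):
    """Fuse fork records into parent and command maps keyed by pid."""
    parent_of, comm_of = {}, {}
    for r in records:
        if r["type"] == "fork":
            parent_of[r["pid"]] = r["ppid"]
            comm_of[r["pid"]] = r["comm"]
    return parent_of, comm_of


def lineage(pid, parent_of):
    """Walk from pid up to (but excluding) ROOT_PID: [pid, parent, ...]."""
    chain = [pid]
    while parent_of.get(chain[-1], ROOT_PID) != ROOT_PID:
        chain.append(parent_of[chain[-1]])
    return chain


def attribute_flows(records):
    """Map each flow to the ancestry of the process that opened it."""
    parent_of, comm_of = build_process_tree(records)
    return {
        r["flow"]: [f"{comm_of[p]}({p})" for p in lineage(r["pid"], parent_of)]
        for r in records if r["type"] == "socket"
    }


def related_flows(records):
    """Group flows by session root so connections from one intrusion line up."""
    parent_of, _ = build_process_tree(records)
    groups = defaultdict(list)
    for r in records:
        if r["type"] == "socket":
            groups[lineage(r["pid"], parent_of)[-1]].append(r["flow"])
    return dict(groups)
```

Both flows in the sample resolve to session root 100 (sshd), so they are reported together even though different child processes opened them.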
