Hey all,
I'm trying to correlate data in sys_read with the ip address that the
data came from. That is, if I ssh in to a honeypot from 10.11.12.13
and type "WHERE DID THIS COME FROM" I get something like this in my
sys_read:
mysql> select sensor_id, sys_read_id, process_id, data from sys_read where process_id = 6226;
+-----------+-------------+------------+------+
| sensor_id | sys_read_id | process_id | data |
+-----------+-------------+------------+------+
| 167772226 | 14099 | 6226 | W |
| 167772226 | 14101 | 6226 | H |
| 167772226 | 14103 | 6226 | E |
| 167772226 | 14105 | 6226 | R |
| 167772226 | 14107 | 6226 | E |
| 167772226 | 14109 | 6226 | |
| 167772226 | 14111 | 6226 | D |
| 167772226 | 14113 | 6226 | I |
| 167772226 | 14115 | 6226 | D |
| 167772226 | 14117 | 6226 | |
| 167772226 | 14119 | 6226 | T |
| 167772226 | 14121 | 6226 | H |
| 167772226 | 14123 | 6226 | I |
| 167772226 | 14125 | 6226 | S |
| 167772226 | 14127 | 6226 | |
| 167772226 | 14129 | 6226 | C |
| 167772226 | 14131 | 6226 | O |
| 167772226 | 14133 | 6226 | M |
| 167772226 | 14135 | 6226 | E |
| 167772226 | 14137 | 6226 | |
| 167772226 | 14139 | 6226 | F |
| 167772226 | 14141 | 6226 | R |
| 167772226 | 14143 | 6226 | O |
| 167772226 | 14145 | 6226 | M |
| 167772226 | 14147 | 6226 | |
| 167772226 | 14148 | 6226 | |
+-----------+-------------+------------+------+
26 rows in set (0.01 sec)
and I would like to be able to find the 10.11.12.13 in the database
that corresponds to these keystrokes.
I wonder if I am actually dealing with a misconfiguration of some
kind. Looking at table 'process':
mysql> select sensor_id, process_id, src_ip from process where process_id = 6226;
+-----------+------------+-----------+
| sensor_id | process_id | src_ip |
+-----------+------------+-----------+
| 167772226 | 6226 | 167772288 |
+-----------+------------+-----------+
1 row in set (0.00 sec)
That sensor_id is actually the IP of the honeywall's administration
interface (!?), and the src_ip is the IP address of the sensor.
I've poked around in the argus table, and I don't see the
correct IP addresses anywhere in the argus table. Could it be that
the data hasn't been ingested yet?
TIA,
-troy
Received on Aug 16 2006
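An added example, not from the original post or from the Sebek/Honeywall project, showing the two steps the post is circling around: reassembling the one-byte-per-row sys_read data into the typed line, and decoding the integer sensor_id/src_ip columns before comparing them with the address you logged in from. The sample rows are constructed to mirror the post's output, and the integer columns are assumed to be 32-bit network-byte-order values (inet_aton style), under which 167772226 would decode to 10.0.0.66.

```python
import socket
import struct
from typing import Dict, List, Tuple

# Constructed sample rows mirroring the post's SELECT output (not a real dump).
# sys_read holds one byte of the intercepted read() per row:
# (sensor_id, sys_read_id, process_id, data)
KEYSTROKES = list("WHERE DID THIS COME FROM") + ["\r", "\n"]
SYS_READ_ROWS: List[Tuple[int, int, int, str]] = [
    (167772226, 14099 + 2 * i, 6226, ch) for i, ch in enumerate(KEYSTROKES)
]
# process table: (sensor_id, process_id, src_ip), values as in the post
PROCESS_ROWS: List[Tuple[int, int, int]] = [(167772226, 6226, 167772288)]


def int_to_ip(n: int) -> str:
    """Decode an integer IP column; assumes network byte order (inet_aton style)."""
    return socket.inet_ntoa(struct.pack("!I", n))


def ip_to_int(addr: str) -> int:
    """Encode dotted-quad text the same way so comparisons are done on integers."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def reassemble_keystrokes(rows, process_id: int) -> str:
    """Rebuild what was typed in one process: order by sys_read_id, join the bytes."""
    proc_rows = sorted((r for r in rows if r[2] == process_id), key=lambda r: r[1])
    return "".join(r[3] for r in proc_rows)


def session_for_process(sys_read_rows, process_rows, process_id: int) -> Dict[str, str]:
    """Join sys_read with process and decode both integer IP columns."""
    proc = next(r for r in process_rows if r[1] == process_id)
    return {
        "sensor_ip": int_to_ip(proc[0]),
        "src_ip": int_to_ip(proc[2]),
        "keystrokes": reassemble_keystrokes(sys_read_rows, process_id),
    }


def find_processes_from(process_rows, addr: str) -> List[int]:
    """process_ids whose src_ip equals addr; an empty list means it was not recorded."""
    want = ip_to_int(addr)
    return [r[1] for r in process_rows if r[2] == want]
```

Replace the constructed lists with the rows from the two SELECTs; if find_processes_from returns nothing for the address you connected from, src_ip is not recording the remote peer for that session and the correlation has to come from another table.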