Honeypots: Sebek 3 not reporting data details to Walleye

From: Cindy Jenkins <cj_at_u.washington.edu>
Date: Wed, 16 Aug 2006 13:01:43 -0700

Hello all,

I have been trying to track the issue down and cannot find any
information on this problem online.

Environment:
Hwall server ROO hw1.0-189
Honeypots: FC3 2.6, Win2KPro, WinXP, Mac OS X
Syslog server: FC3 log server
Software: Sebek 3.03l server and clients, 2.6 kernel on FC3 client

Problem: Walleye not showing read details for sebek data

Situation:
I can see the sebek traffic arriving on the Hwall server using the
sbk_ks_log.pl or viewer scripts. So I know the clients are sending
traffic. I can also see that the mysql files for sys_read, sys_open,
and process all update file sizes and date stamps when I send data
over from a client. I presume this means the database is recording
the data.

The variables we have in honeywall.conf for sebek are below. Are they
correct? Do I need to define the HwSEBEK_DST_IP on the Hwall to be
the IP number for the command interface? eth2 is our ssh/walleye
line, eth0 and eth1 make up the br0 bridge for the honeypots. Neither
eth0 nor eth1 have IPs assigned.

HwSEBEK_DST_IP=192.168.1.34
HwSEBEK_LOG=yes
HwSEBEK_FATE=ACCEPT
HwSEBEK_log=yes
HwSEBEK_DST_PORT=7701
HwSEBEK=yes

I can see Sebek traffic in Walleye, including process lists but there
are no details, like the keystrokes we type in. The viewer and
ks_log when run manually show the keystrokes, but they are not in
Walleye. I can see traffic flowing via tcpdump as well. I have checked
the log files for errors and do not find anything reporting on file
permissions or such like that. So, any ideas?

I have read all the KYE papers on the theory and implementation of
sebek, but I can't find any hard core data on the installation and
setup. And there is no troubleshooting data on this problem, at least
that I can locate.

Thanks!
CJ
Received on Aug 17 2006
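A small consistency check on the honeywall.conf fragment quoted in the post, added here as an example that is not from the original thread or the Honeywall project: it parses shell-style assignments, flags keys that differ only in case (both HwSEBEK_LOG and HwSEBEK_log appear above), and validates that the destination IP and port are well-formed. Whether the Honeywall scripts treat these keys case-sensitively is an assumption the post does not settle, so the check only reports the ambiguity.

```python
# Lint the Sebek keys of a honeywall.conf-style KEY=VALUE fragment.
# Added example, not the Honeywall project's own code.
import ipaddress
import re
from collections import defaultdict

# Fragment copied from the post above.
SEBEK_CONF = """\
HwSEBEK_DST_IP=192.168.1.34
HwSEBEK_LOG=yes
HwSEBEK_FATE=ACCEPT
HwSEBEK_log=yes
HwSEBEK_DST_PORT=7701
HwSEBEK=yes
"""

ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*$")


def parse_conf(text):
    """Return (key, value) pairs in file order; skip blanks and # comments."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if m:
            pairs.append((m.group(1), m.group(2).strip('"')))
    return pairs


def lint_sebek(pairs):
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    by_fold = defaultdict(list)
    for key, _ in pairs:
        by_fold[key.lower()].append(key)
    for spellings in by_fold.values():
        if len(set(spellings)) > 1:  # e.g. HwSEBEK_LOG and HwSEBEK_log
            findings.append("keys differ only in case: " + ", ".join(sorted(set(spellings))))
    conf = dict(pairs)
    try:
        ipaddress.ip_address(conf.get("HwSEBEK_DST_IP", ""))
    except ValueError:
        findings.append("HwSEBEK_DST_IP is not a valid IP address")
    port = conf.get("HwSEBEK_DST_PORT", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("HwSEBEK_DST_PORT is not a valid port")
    return findings
```

Running `lint_sebek(parse_conf(SEBEK_CONF))` on the quoted fragment reports only the case-duplicated LOG key; the IP and port pass.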