Honeypots mailing list archives

Another sebek question


From: Rock Lobster <rocklobster () cheerful com>
Date: 18 Jun 2003 12:25:27 -0000



Hi folks,

I set up my first gen2 honeypot last week. It got hacked in under 24hrs and 
now I'm gleefully examining the logs!   I'm not sure sebek worked as 
expected though? I did run a test at the honeypot console before I left it 
over the weekend and it seemed to work fine. But the logs I'm looking at 
now are telling a slightly different story?

I set up an eth1 on the honeypot for sebek transport, then set up another 
eth on my bridge box which I iptabled to drop everything other than UDP on 
the relevant port. Now from looking at the logs I'm seeing these types 
of entries.

1054955404:2539:0:awk:0::c:2:#
1054955404:2539:0:awk:0::c:2:#
1054955404:2539:0:awk:0::c:2:#
1054955404:2539:0:awk:0::c:2: 
1054955404:2539:0:awk:0::c:2:F
1054955404:2539:0:awk:0::c:2:i
1054955404:2539:0:awk:0::c:2:l
1054955404:2539:0:awk:0::c:2:i
1054955404:2539:0:awk:0::c:2:#
1054955404:2539:0:awk:0::c:2:#
1054955404:2539:0:awk:0::c:2:#
1054955404:2539:0:awk:0::c:2: 
1054955404:2539:0:awk:0::c:2:W
1054955404:2539:0:awk:0::c:2:a
1054955404:2539:0:awk:0::c:2:r
1054955404:2539:0:awk:0::c:2:n
1054955404:2539:0:awk:0::c:2:i
1054955404:2539:0:awk:0::c:2:n
1054955404:2539:0:awk:0::c:2:g

Not to mention plenty of source code (sshd patch) as well as what 
generally seems to be stdout output, as opposed to the keystrokes of the
cracker.

Another thing that I had issues with was, whenever I loaded sebek on the 
honeypot and rebooted the box it wouldn't work for me (RH 7.1). I'm not 
sure why that was?    If anyone wants the full sebek log please do email 
me, it's about 400k uncompressed (of course I'll compress it for you :)

Thanks,
J.
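The records quoted in the post show what the Sebek log looks like in practice: Sebek captures data as it passes through the read() system call, whatever process issued the call, so bytes that awk reads from a file or a pipe land in the same log as the intruder's typing, one character per record. The script below is an added example, not code from the post or from the Sebek distribution. It reassembles records into one readable string per (pid, command), then applies a simple heuristic for keystrokes by keeping only streams read by an interactive shell. The field layout (time:pid:uid:command, then four fields that are passed through untouched, then the data) is an assumption based on the nine-field records shown above; only the data field is relied on. The sample records are constructed: the awk ones reproduce the post's excerpt, the bash ones are invented to show how a shell's stdin reads group separately.

```python
"""Reassemble single-character Sebek sniffer records into readable streams.

Added example; not code from the original post or from the Sebek project.
Assumed record layout (nine colon-separated fields):
    time:pid:uid:command:f5:f6:f7:f8:data
Only time, pid, uid, command and data are used; f5..f8 are kept as-is.
"""
from datetime import datetime, timezone

# Constructed sample input: the awk records reproduce the post's excerpt,
# the bash records are invented (note the ':' typed inside "cat a:b").
SAMPLE_RECORDS = (
    [f"1054955404:2539:0:awk:0::c:2:{c}" for c in "### Fili### Warning"]
    + [f"1054955410:2600:0:bash:0::c:2:{c}" for c in "cat a:b"]
)

# Commands whose read() data is most likely the intruder's typing (heuristic).
INTERACTIVE_SHELLS = frozenset({"sh", "bash", "ksh", "csh", "tcsh", "zsh"})


def parse_record(line):
    """Split one record; returns None for lines that are not nine fields.

    maxsplit=8 keeps a ':' that the intruder typed inside the data field
    instead of splitting on it.  Only the terminating newline is stripped,
    so a data field that is a single space survives.
    """
    parts = line.rstrip("\n").split(":", 8)
    if len(parts) != 9:
        return None
    return {
        "time": int(parts[0]),
        "pid": int(parts[1]),
        "uid": int(parts[2]),
        "command": parts[3],
        "extra": parts[4:8],   # assumed fields, passed through unchanged
        "data": parts[8],
    }


def reassemble(lines):
    """Join per-record characters into one string per (pid, command).

    Returns {(pid, command): {"start": epoch, "uid": uid, "text": str}},
    in first-seen order, skipping malformed lines.
    """
    streams = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["pid"], rec["command"])
        entry = streams.setdefault(
            key, {"start": rec["time"], "uid": rec["uid"], "chunks": []}
        )
        entry["chunks"].append(rec["data"])
    return {
        k: {"start": v["start"], "uid": v["uid"], "text": "".join(v["chunks"])}
        for k, v in streams.items()
    }


def keystroke_streams(streams, shells=INTERACTIVE_SHELLS):
    """Heuristic: keep only streams read by an interactive shell, i.e. drop
    the file/pipe reads of tools like awk that clutter the log."""
    return {k: v for k, v in streams.items() if k[1] in shells}


def format_report(streams):
    """One line per stream with the time of its first record (UTC)."""
    out = []
    for (pid, command), v in streams.items():
        when = datetime.fromtimestamp(v["start"], timezone.utc)
        stamp = when.strftime("%Y-%m-%d %H:%M:%S")
        out.append(f"{stamp} pid={pid} uid={v['uid']} {command}: {v['text']!r}")
    return "\n".join(out)


if __name__ == "__main__":
    all_streams = reassemble(SAMPLE_RECORDS)
    print("all read() data:")
    print(format_report(all_streams))
    print("\nlikely keystrokes (interactive shells only):")
    print(format_report(keystroke_streams(all_streams)))
```

Run it against a real Sebek sniffer log by replacing SAMPLE_RECORDS with the file's lines. Grouping by (pid, command) rather than by pid alone keeps a reused pid from merging two unrelated processes; the shell-name filter is only a first cut, since a shell also read()s non-typed data and an intruder's editor or ftp client will be dropped by it.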


