Honeypots mailing list archives

RE: Keystroke Logger bash patch on honeynet.org


From: "Barnett, Ryan C." <Ryan.Barnett () atf gov>
Date: Mon, 22 Mar 2004 13:50:59 -0500

You need to edit the talker line of the (logme) section to point to the host where you want these logs sent to.  By default, it logs to 10.1.1.1 -

############
talker("10.1.1.1", message);
############

Change this to your syslog server, or better yet to a non-existent IP and let your sniffer pick it up.

Most Respectfully,
Ryan C. Barnett
SANS: GCFA, GCIH, GCUX, GSEC
Department of Justice - ATF
Information Services Division
Operations Security Team Lead
Email: Ryan.Barnett () atf gov
Pager: Ryan.Barnett () skytel com
Phone: 202-927-2913



 -----Original Message-----
 From: Eric Hines [mailto:eric.hines () appliedwatch com]
 Sent: Monday, March 22, 2004 1:40 PM
 To: honeypots () securityfocus com
 Subject: Keystroke Logger bash patch on honeynet.org
 
 
 Does anyone know of a link or any sort of write-up on how to patch and configure
 the bash keystroke logger provided on honeynet.org?
 
 I patched the bash source code with it, compiled and installed and don't know if
 it's working or where it's logging to, or what.. Do I need to do anything
 post-install? Do I have to set all the shells in the passwd file to bash? This
 is of course referring to
 http://www.honeynet.org/tools/dcapture/bash-perassi.patch
 
 Are there better keystroke loggers out there?
 
 Google has turned up nothing on this bash patch.
 
 BRDS,
 Eric Hines, GCIA
 CEO, President
 Applied Watch Technologies, Inc.
 
 
 -------------------------------------------
 Eric Hines, GCIA
 CEO, Chairman
 Applied Watch Technologies, Inc.
 web: http://www.appliedwatch.com
 email: eric.hines () appliedwatch com
 -------------------------------------------
 Direct: (877) 262-7593 - Toll Free x327
 Fax: (815) 425-2173
 General: (877) 262-7593 (9am-5pm CST)
 -------------------------------------------
 
 
 
 
 

