Honeypots mailing list archives

Re: sebek data


From: <gconnell () middlebury edu>
Date: 29 Mar 2004 06:40:40 -0000

In-Reply-To: <20040204114011.1798.qmail () web9504 mail yahoo com>

Is Sebek the only data capture tool in a honeynet? Can the data captured by it be used to do some analysis? Is it enough?

In the GenII honeynets (the ones that use Sebek) described by the Honeynet Project, there are quite a few more data capture tools. It's just that some of them don't look quite like data capture tools. For instance, each honeypot within the honeynet is itself a data capture tool, as all changes to it are considered malicious. Also, all packets that enter the honeynet are captured by Snort and logged, since all data on the honeynet is, once again, considered malicious. Sebek is just one of the "lower level" data capture tools.

  Sebek:  Keystrokes, commands through ssh, etc.
  Snort:  All network data, especially cleartext data, but also including any over-the-network attacks, etc.
  Honeypots:  Forensics on these can show all sorts of fun stuff, especially if the hacker isn't careful. For instance, take a look at the system log and the bash histories.

    --Cleverduck
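As an added example that is not part of this thread (and not code from the Honeynet Project or the Sebek/Snort tools), the script below shows how an analyst would line up the three layers the reply lists: Sebek keystroke records, Snort alerts and the honeypot's own bash history, into one time-ordered timeline, and then use the layers to corroborate each other. All sample records are constructed; the Sebek and Snort line formats are simplified text stand-ins (real Sebek records are binary packets, and Snort's fast-alert lines carry more fields), so the parsers here are assumptions tied to those constructed formats.

```python
"""Correlate constructed Sebek, Snort and bash-history records into one timeline.

Added example: the log formats below are simplified stand-ins for the real tools'
output, constructed for this script, not captured from a honeynet.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List


@dataclass(order=True, frozen=True)
class Event:
    ts: datetime      # naive UTC timestamp, so events from all sources sort together
    source: str       # "sebek", "snort" or "bash_history"
    detail: str


# Constructed Sebek-style keystroke log (assumed format: "<iso-time> pid=<n> uid=<n> <keys>").
SEBEK_LOG = """\
2004-03-29T06:31:02 pid=2113 uid=0 w
2004-03-29T06:31:10 pid=2113 uid=0 cat /etc/passwd
2004-03-29T06:32:45 pid=2113 uid=0 history -c
"""

# Constructed, simplified Snort fast-alert-style lines (no year in the timestamp, as in Snort).
SNORT_LOG = """\
03/29-06:30:41.120000 [**] [1:0000001:1] CONSTRUCTED ssh login to honeypot [**] {TCP} 10.0.0.5:41022 -> 192.168.1.20:22
03/29-06:33:01.500000 [**] [1:0000002:1] CONSTRUCTED outbound irc connect [**] {TCP} 192.168.1.20:33001 -> 10.0.0.9:6667
"""

# Constructed ~/.bash_history written with HISTTIMEFORMAT set ("#<epoch>" precedes each command).
# Note the attacker's "history -c" never lands in the file: the on-host artefact is incomplete.
BASH_HISTORY = """\
#1080541862
w
#1080541870
cat /etc/passwd
"""

SEBEK_RE = re.compile(r"^(\S+) pid=(\d+) uid=(\d+) (.*)$")
SNORT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[[^\]]+\] (.*?) \[\*\*\] \{(\w+)\} (\S+) -> (\S+)$"
)


def parse_sebek(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = SEBEK_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            events.append(Event(ts, "sebek", f"uid={m.group(3)} pid={m.group(2)}: {m.group(4)}"))
    return events


def parse_snort(text: str, year: int) -> List[Event]:
    """Snort alert timestamps omit the year, so the analyst supplies it."""
    events = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f").replace(year=year)
            events.append(Event(ts, "snort", f"{m.group(2)} {m.group(3)} {m.group(4)} -> {m.group(5)}"))
    return events


def parse_bash_history(text: str) -> List[Event]:
    events, pending = [], None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            pending = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc).replace(tzinfo=None)
        elif pending is not None:
            events.append(Event(pending, "bash_history", line))
            pending = None
    return events


def build_timeline(sebek: str, snort: str, bash: str, year: int = 2004) -> List[Event]:
    """Merge all three capture layers into one chronologically sorted list."""
    return sorted(parse_sebek(sebek) + parse_snort(snort, year) + parse_bash_history(bash))


def keystrokes_missing_from_history(sebek: str, bash: str) -> List[str]:
    """Commands Sebek captured that the host's bash history does not show.

    This is why the reply calls Sebek a lower-level source: an on-host artefact
    can be wiped or never written, while the kernel-level keystroke capture is
    not under the intruder's control.
    """
    on_host = {e.detail for e in parse_bash_history(bash)}
    commands = [e.detail.split(": ", 1)[1] for e in parse_sebek(sebek)]
    return [c for c in commands if c not in on_host]


if __name__ == "__main__":
    for ev in build_timeline(SEBEK_LOG, SNORT_LOG, BASH_HISTORY):
        print(f"{ev.ts.isoformat()}  {ev.source:13s} {ev.detail}")
    print("Sebek-only commands:", keystrokes_missing_from_history(SEBEK_LOG, BASH_HISTORY))
```

Run it as a script to print the merged timeline: the Snort alert for the inbound SSH session comes first, each keystroke then appears twice (once from Sebek, once from bash history) until the `history -c`, which only Sebek recorded, and the outbound IRC connection closes the sequence. Disagreement between layers is itself a finding; the point of running several capture tools at once is that no single one has to be complete.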

