Honeypots mailing list archives
Re: Re: Sebek detection
From: Guilhem <guilhem.m () wanadoo fr>
Date: Mon, 29 Mar 2004 16:33:06 +0200 (CEST)
I think his point was: if someone hacks into a honeypot, he can run a tcpdump and generate such a packet. If the tcpdump fails to notice the packet, there is something fishy.

I don't have the answer. I know Sebek generates (or asks for) an ID to find which packets are to be stored / analyzed and which are not. My guess is, only the specific ID is hidden, and the hacker, who doesn't know the ID, can't generate the packet.

As for the Phrack paper, I think that at least some of his points are right. Or maybe they are not anymore; some flaws are detected, some flaws are corrected...

Hey, never trust anyone, try for yourself ^^

Guilhem
Message of 29/03/04 16:16
From: Ty Bodell
To: gconnell () middlebury edu
Cc: honeypots () securityfocus com
Subject: Re: Sebek detection

Also in the KYE Sebek paper is the format for the Sebek packet and the Sebek communication protocol; I don't think it can be constructed with nemesis. And what would constructing a Sebek packet and putting it onto the network do for you anyway? How would this allow you to see if there is a honeypot on the network when the socket interface is taught to ignore Sebek packets? The risk of Sebek detection lies mostly on the local box itself, not the network interaction in the honeynet. Maybe I'm missing something.

Respectfully,
Ty Bodell

----- Original Message -----
From:
Date: 29 Mar 2004 06:46:23 -0000
To: honeypots () securityfocus com
Subject: Sebek detection

In the Know Your Enemy: Sebek whitepaper from honeynet.org, under the heading "Client Packet Export", it is made clear that "[Sebek] modifies the kernel such that the system is unable to see Sebek Packets, not just the packets generated by the local host, but any appropriately configured Sebek Packet." I'm sort of new at Sebek and haven't actually tested this idea out, but from the documentation, it seems there would be a pretty easy way to detect Sebek running on a honeypot. Why not just construct a Sebek packet with some sort of packet generation tool (maybe nemesis?) and send it onto the network, then see if it can be seen by a regular tcpdump or snort session?

--Cleverduck