Honeypots mailing list archives
Sebeksol-2.05.03 Problems
From: Ryan Barnett <RCBarnett () hushmail com>
Date: 2 Jan 2004 19:49:00 -0000
Happy New Year Everyone!

I am having problems using the current releases of Sebek for Solaris. I configured the sebek client programs correctly and installed them on the honeypots. I then started up the sbk_extract binary on the honeynet log host and piped it into the sbk_ks_log.pl script so that it would show the ASCII text for data it sniffed off the wire. When I started executing commands on the honeypot, the sebek sniffer did identify data, however it looked like it was binary data -

# ./sbk_extract -i eri0 -p 2222 | ./sbk_ks_log.pl
monitoring eri0: looking for UDP dst port 2222
÷o>Ýsshd2wVT102VT102 ûú¢?õÀ bF>Ýsshd2i ûú¢?õÀ*:>Ýsshd2f ûú¢?õÎ>Ýsshd2c ûú?õÀ Õ>Ýsshd2oVT102VT102VT102^[[?1;2cVT102VT102 ûú¢ ?õÀ ÊB>Ýsshd2f ûú¢ ?õÀ>Ýsshd2i ûú¢ ?õÀî.>Ýsshd2gVT102VT102VT102 ûú¢ ?õÀ½o>Ýsshd2n ?õÀ >Ýsshd2fVT102VT102

I thought that the sbk_ks_log.pl script was supposed to make this data readable?

Additionally, I tried to log to a directory rather than to standard out per the README file's instructions -

Running:
sbk_extract can pull sebek packets from a libpcap file or from a network interface. As it does so, it sends each record to standard out. Options include:
-l logdir, the directory sbk_extract stores logs in.
-i device, if you are sniffing from the network this specifies which interface.
-f file, if you are reading from a pcap file, this specifies which file; you can read from file, or read from net.
-p port, specifies what destination UDP port to look for.

However, when I tried to start up sbk_extract with the "-l logdir" flag, it didn't like it -

# ./sbk_extract -i eri0 -p 2222 -l sebek_logs | ./sbk_ks_log.pl
./sbk_extract: illegal option -- l
monitoring eri0: looking for UDP dst port 2222
^C

Anyone run into these issues before???

Thanks,
Ryan
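Added example (not part of the post, nor the Sebek project's own code): a small decoder that turns Sebek read() records into the readable keystroke lines the poster expected from sbk_ks_log.pl, escaping the terminal control bytes (ESC sequences, VT102 attribute replies) that make raw sshd data look binary. It assumes the 48-byte Sebek v2 record header layout used by sbk_extract and a placeholder magic value; the sample records are constructed here.

```python
import struct

# Assumed Sebek v2 record header (48 bytes, network byte order) as read by sbk_extract:
# magic, ver, type, counter, time_sec, time_usec, pid, uid, fd, com[12], length
SBK_HDR = struct.Struct("!IHHIIIIII12sI")
SBK_MAGIC = 0xD0D0D0D0   # placeholder; the real magic is chosen when the client is built
SBK_READ = 0             # record type 0: data returned by read(), i.e. keystrokes

FIELDS = ("magic", "ver", "type", "counter", "time_sec", "time_usec",
          "pid", "uid", "fd", "com", "length")

def make_record(com, data, pid=1234, uid=0, fd=0, rtype=SBK_READ, ts=1073072940):
    """Build one constructed Sebek v2 record (used here only to make sample input)."""
    hdr = SBK_HDR.pack(SBK_MAGIC, 2, rtype, 1, ts, 0, pid, uid, fd,
                       com.encode().ljust(12, b"\0"), len(data))
    return hdr + data

def parse_records(payload):
    """Split a UDP payload into (header dict, data bytes) pairs, record by record."""
    off = 0
    while off + SBK_HDR.size <= len(payload):
        hdr = dict(zip(FIELDS, SBK_HDR.unpack_from(payload, off)))
        hdr["com"] = hdr["com"].split(b"\0", 1)[0].decode("ascii", "replace")
        start = off + SBK_HDR.size
        yield hdr, payload[start:start + hdr["length"]]
        off = start + hdr["length"]

def printable(data):
    """Render keystroke data with ESC shown as ^[ and other control bytes as \\xNN."""
    out = []
    for b in data:
        if b == 0x1B:
            out.append("^[")
        elif 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D):
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02X}")
    return "".join(out)

def keystroke_log(payload):
    """Return one readable line per read() record, which is what a keystroke log should show."""
    return [f"pid={h['pid']} uid={h['uid']} fd={h['fd']} {h['com']}: {printable(d)}"
            for h, d in parse_records(payload) if h["type"] == SBK_READ]

# Constructed sample: a VT102 terminal-attribute reply read by sshd2, then a typed command.
SAMPLE = make_record("sshd2", b"\x1b[?1;2c") + make_record("sshd2", b"ls -la\n")

if __name__ == "__main__":
    for line in keystroke_log(SAMPLE):
        print(line, end="" if line.endswith("\n") else "\n")
```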