Honeypots mailing list archives
Sebek Server and ICMP Host Unreachable
From: Major Sylvain Leblanc <leblanc-s () rmc ca>
Date: Mon, 10 May 2004 15:46:11 -0400
Hello everyone,

I think I may be missing something, please let me know. I installed the Sebek server and Linux client on two VMware RedHat 9 VMs. Works like a charm! However, when I sniff the network traffic on the client using snort, I can see "ICMP Host Unreachable" packets being generated by the server. Running netstat on the server shows me that no processes are tied to my Sebek destination port, so I presume that the server is "sniffing" the keystroke data right off the interface.

I am pretty sure that I could netstat a dummy process to my Sebek destination port so the server will not send "ICMP Host Unreachable" packets. Easy to fix, but this seems to me to be a fairly easy "fingerprint" that shows an attacker that something is not quite right, which may give away the Honeypot.

Any thoughts?
Sly

--
Professeur adjoint le major S.P. Leblanc, P.Eng. Major Assistant Professor
Phone: (613) 541-6000 Extension 6355
Fax: (613) 541-6315
http://www.rmc.ca/academic/busadm/staff/leblanc_f.html
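The dummy listener the post proposes, together with an operator-side check for the ICMP replies it describes, as an added example that is not part of the original message or of Sebek. The function names, the loopback address and the port passed in are assumptions; on a real deployment the sink would be bound to the Sebek destination port on the server host.

```python
import errno
import socket
import threading

def start_udp_sink(bind_addr, port):
    """Hold a UDP socket on `port` and discard whatever arrives.

    With a socket bound, the kernel stops answering that port with ICMP
    unreachable. Returns (bound_port, received_counter, stop_function).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    sock.settimeout(0.2)
    stopping = threading.Event()
    received = [0]

    def drain():
        while not stopping.is_set():
            try:
                sock.recvfrom(65535)      # read and throw away
                received[0] += 1
            except socket.timeout:
                continue
        sock.close()

    worker = threading.Thread(target=drain, daemon=True)
    worker.start()

    def stop():
        stopping.set()
        worker.join()

    return sock.getsockname()[1], received, stop

def draws_icmp_unreachable(host, port, wait=0.5):
    """Self-check: True if one datagram to host:port comes back as an ICMP error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(wait)
        s.connect((host, port))           # connected UDP sockets surface ICMP errors
        try:
            s.send(b"probe")              # constructed payload, not Sebek data
            s.recv(1)                     # a pending ICMP error is raised here
        except socket.timeout:
            return False                  # silence: nothing leaked within `wait`
        except ConnectionRefusedError:
            return True                   # ICMP port unreachable
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return True               # ICMP host/net unreachable
            raise
        return False
```

Run the check from the honeypot side of the network against the server's address, before and after starting the sink, to confirm the replies have stopped.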