Honeypots mailing list archives
Re: pcap log analysis
From: "Joe Hickory" <J.Hickory () gmx net>
Date: Wed, 28 Jul 2004 23:48:59 +0200 (MEST)
Hey Joe, Can you provide a bit more detail on what your configuration was with the sebek server that crashed on you? For instance were you using sbk_upload.pl to consume the extracted data? Also can you send me a copy of the offending file? I attempted to duplicate but have been unsuccessful. Mostly because I am not sure that I have the correct file, on linux I believe the equiv. files are in /usr/share/zoneinfo, but...
ok, in the sbk_upload.pl downloaded from here: http://www.honeynet.org/tools/sebek/sebek-server-2.1.6.tar.gz they have a line:

my $uid = "sebek";

for connecting with that uid to the mysql server. but they also use this variable for the uid of the process running on the honeypot. while looping read from network, there is the following line:

($ip,$magic,$ver,$type,$counter,$time_sec,$time_usec,$pid,$uid,$fd,$com,$len) = unpack("NNnnNNNNNNa12N",$line);

there they overwrite the $uid, not so bad, as long as the sql connection doesn't die because of a broken sql string.

i'm here in Europe/Berlin, and you are right, i meant /etc/localtime is a symlink to /usr/share/zoneinfo/... i only needed to cat /etc/localtime to break the sql string because that file contains one or more ' characters. so the db connection got lost and $uid was changed and no reconnect possible.

so i decoded the data part of the string base64 before building the sql string, and renamed the global $uid to $dbuid. maybe a ' character in the process name or somewhere else will break the sql string, but it'll reconnect again.

hope it's more clear now?

joe

--
NEW: WLAN router for EUR 0.-* - also for DSL switchers! GMX DSL = super cheap & wireless http://www.gmx.net/de/go/dsl
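The two defects Joe describes (the record's uid field clobbering the database credential, and raw keystroke bytes pasted into the SQL text so a single ' breaks the statement) are easy to reproduce side by side. The following is an added example, not code from the thread or from the Sebek project, written in Python rather than the Perl of sbk_upload.pl. It assumes that Perl's "NNnnNNNNNNa12N" maps to the big-endian struct format ">IIHHIIIIII12sI", uses an in-memory SQLite table instead of MySQL, and constructs its own sample record; the fragile insert mirrors the failure, the safe insert applies the base64 step from the mail plus bound parameters.

```python
import base64
import sqlite3
import struct

# Sebek record header as sbk_upload.pl unpacks it with "NNnnNNNNNNa12N";
# the big-endian Python equivalent below is an assumed mapping.
SEBEK_HDR = struct.Struct(">IIHHIIIIII12sI")
FIELDS = ("ip", "magic", "ver", "type", "counter", "time_sec", "time_usec",
          "pid", "uid", "fd", "com", "len")

# Database credential kept under its own name (the $dbuid rename from the
# mail), so a record's uid field can never overwrite it.
DB_UID = "sebek"


def parse_record(line):
    """Split one captured record into header fields plus the payload bytes."""
    rec = dict(zip(FIELDS, SEBEK_HDR.unpack_from(line)))
    rec["com"] = rec["com"].split(b"\0", 1)[0].decode("latin-1")
    start = SEBEK_HDR.size
    rec["data"] = line[start:start + rec["len"]]
    return rec


def build_record(pid, uid, com, data):
    """Construct a sample record (test data only, not a real capture)."""
    com_bytes = com.encode("latin-1")[:12].ljust(12, b"\0")
    hdr = SEBEK_HDR.pack(0x0A000001, 0xD0D0D0D0, 2, 0, 1, 1090000000, 0,
                         pid, uid, 0, com_bytes, len(data))
    return hdr + data


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keystroke "
                 "(pid INTEGER, uid INTEGER, com TEXT, data TEXT)")
    return conn


def insert_interpolated(conn, rec):
    """Fragile pattern: payload bytes pasted straight into the SQL text.
    A quote in the payload (as in a binary zoneinfo file) breaks the statement."""
    sql = "INSERT INTO keystroke VALUES (%d, %d, '%s', '%s')" % (
        rec["pid"], rec["uid"], rec["com"], rec["data"].decode("latin-1"))
    conn.execute(sql)


def insert_safe(conn, rec):
    """Hardened pattern: base64 the payload and bind every value as a
    parameter, so no byte of honeypot output can alter the SQL."""
    conn.execute("INSERT INTO keystroke VALUES (?, ?, ?, ?)",
                 (rec["pid"], rec["uid"], rec["com"],
                  base64.b64encode(rec["data"]).decode("ascii")))


def upload(line, safe=True):
    """Parse and store one record; return the stored row with the payload
    restored to bytes, or None if the statement failed."""
    rec = parse_record(line)
    conn = open_db()
    try:
        (insert_safe if safe else insert_interpolated)(conn, rec)
    except sqlite3.OperationalError:
        return None
    pid, uid, com, data = conn.execute(
        "SELECT pid, uid, com, data FROM keystroke").fetchone()
    raw = base64.b64decode(data) if safe else data.encode("latin-1")
    return (pid, uid, com, raw)


# Constructed payload standing in for `cat /etc/localtime` output: it
# carries apostrophes, which is all that is needed to break the fragile path.
SAMPLE = build_record(4242, 0, "cat", b"TZif2 Europe/Berlin 'CET'")

if __name__ == "__main__":
    print("fragile:", upload(SAMPLE, safe=False))   # None: statement broke
    print("safe:   ", upload(SAMPLE, safe=True))    # row comes back intact
    print("db uid still:", DB_UID)
```

Because the record's uid lives in a dict and the credential in DB_UID, a lost connection can be re-established with the right user, which is exactly what the original global $uid prevented.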
Current thread:
- pcap log analysis Joe Hickory (Jul 19)
- Re: pcap log analysis Elliott C. Bäck (Jul 19)
- Re: pcap log analysis Kyle Maxwell (Jul 19)
- Re: pcap log analysis Graeme Connell (Jul 19)
- Re: pcap log analysis Christian Kreibich (Jul 19)
- <Possible follow-ups>
- Re: pcap log analysis Joe Hickory (Jul 26)
- Re: pcap log analysis Joe Hickory (Jul 28)
- Re: pcap log analysis Edward Balas (Jul 28)
- Re: pcap log analysis Joe Hickory (Jul 29)