Honeypots mailing list archives

RE: Sebek options for read/write/listen?


From: "Siles, Raul" <raul.siles () hp com>
Date: Fri, 9 Jun 2006 10:49:46 +0200

Hi Jon,
as you mentioned, Sebek is limited to specific syscalls (by design). In order to capture other syscalls you'd need 
to change the Sebek code to monitor that too, and of course, this will also affect the Sebek PDU (new values for the 
new syscall types would be required).

Although it is not a directly honeynet-related tool, you can keep track of the Windows networking activities through 
the TDImon tool from Sysinternals (http://www.sysinternals.com/Utilities/TdiMon.html). It is not an OS kernel driver, 
like Sebek, but gets the info from the Windows TDI interface.

I hope this helps!
Raúl Siles 

-----Original Message-----
From: Jon Andersen [mailto:janderse () umich edu] 
Sent: Wednesday, 07 June 2006 17:10
To: honeypots () securityfocus com
Subject: Sebek options for read/write/listen?

Hi,

I'm using Sebek for Windows under VMware.  The socket 
open/close/read/write/listen calls are what I'm most interested in, and 
yet it appears that Sebek is only recording the socket opens.  I only 
see packets with "call=3" and "proto=6" when network traffic happens.  
Is there some way to configure/build Sebek to give more information 
than just socket opens, including read/write/listen on sockets?  Or is 
there some other tool the community has found that records those calls 
on Windows?

-Jon Andersen
Graduate Student
734-763-4521 (work)
734-763-8428 (home)
Computer Science & Engineering - Rm 4917
University of Michigan
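
As an added illustration (not code from either poster or from the Sebek project), here is the check Jon is effectively doing by eye: parse collector output in the "key=value" style he quotes ("call=3", "proto=6") and report which call codes never show up. The field names other than call/proto, the sample lines, and the set of expected call codes are assumptions for this example, not Sebek's documented numbering.

```python
import re
from collections import Counter

# Constructed sample of collector output. Only "call" and "proto" come from
# Jon's message; "time", "pid" and "len" are assumed field names.
SAMPLE_LOG = """\
time=1149693000 pid=1234 call=3 proto=6 len=0
time=1149693001 pid=1234 call=3 proto=6 len=0
time=1149693002 pid=1234 call=3 proto=17 len=0
this line is deliberately malformed and must be skipped
time=1149693003 pid=1234 call=3 proto=6 len=0
"""

# Placeholder set of call codes a deployment wants to see covered
# (socket open plus read/write/listen). Replace with your build's real values.
EXPECTED_CALLS = {3, 4, 5, 6}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_records(text):
    """Yield one dict per line that carries a numeric 'call' field.

    Lines without a parseable call code (garbage, truncated records) are
    skipped rather than aborting the whole run.
    """
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if "call" not in fields:
            continue
        try:
            fields["call"] = int(fields["call"])
        except ValueError:
            continue
        yield fields


def call_coverage(text, expected_calls):
    """Return (counts per call code, sorted list of expected codes never seen)."""
    counts = Counter(r["call"] for r in parse_records(text))
    missing = sorted(c for c in expected_calls if counts[c] == 0)
    return dict(counts), missing


if __name__ == "__main__":
    seen, gaps = call_coverage(SAMPLE_LOG, EXPECTED_CALLS)
    print("records per call code:", seen)
    print("expected call codes never observed:", gaps)
```

On the constructed sample this reports only call code 3 and lists the other expected codes as gaps, which is the symptom Jon describes before deciding whether the build, the configuration, or Sebek's design is the limit.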
