Honeypots mailing list archives
RE: Sebek client traffic not getting to Honeywall
From: "Siles, Raul" <raul.siles () hp com>
Date: Fri, 9 Jun 2006 11:01:43 +0200
Hi Schnibitz,

1. For the gateway address you can use any IP address, although it is recommended to use the IP address of the gateway of the net where the HWall and the HPots are located. The Honeywall should capture all the Sebek traffic coming back from the Hpots because it works in bridge mode.

2. The Hwall will also detect attacks coming from hosts on the same net as the HWall/HPots, however, these attacks must come from the Hwall external interface. Be sure to create the appropriate VMware virtual nets and assign the virtual interfaces appropriately, so that your layout looks like this:

    Attacker ---- Hwall ---- Hpots
             VMnet_x    VMnet_y

These systems (attacker and Hpot) are located (the Hwall is a bridge) in the same IP logical subnet, let's say 192.168.100.0/24, but the Hwall must be physically located between both.

3. May I recommend you to read the following references. I hope they will help with the info you're looking for:

http://www.securityfocus.com/infocus/1855
http://www.securityfocus.com/infocus/1858

In order to troubleshoot if Sebek traffic is being received by the Hwall, I recommend you to take network traces (using tcpdump) on the Hwall, referencing the internal interface (-i). This is the interface where the Sebek packets, coming from the HPot, must be captured by the Hwall. You should see the traffic there.

Thanks,
Raúl Siles

-----Original Message-----
From: schnibitz () gmail com [mailto:schnibitz () gmail com]
Sent: Friday, 02 June 2006 16:33
To: honeypots () securityfocus com
Subject: Sebek client traffic not getting to Honeywall

All,

I have set up a Honeynet using VMware, although I suspect I have done something incorrectly.

The problem is when I launch attacks from a test machine, the network portion of those attacks (that snort would see) shows up on the honeywall web interface like they are supposed to, but despite a successful compromise of the honeywall, I don't see any Honeywall-specific information show in the web interface, just the snort data. In other words, it doesn't look like the honeypot is communicating properly with Honeywall. I am thinking this is a problem with my configuration, so I wanted to see if someone could clear something up for me.

The following link: http://www.honeynet.org.pk/honeywall/roo/page20.htm suggests that:

"Since Sebek server runs on Honeywall, it will automatically detect Sebek packets on the interface. Type gateway IP address for destination IP address of sebek packets and hit Enter."

To me this means that whatever the gateway IP address for the honeywall is, put it in there.

1. Did I get this right?

2. Does it mean that the attack must originate from a network outside the honeynet? What if the attacker happens to be on the same network as the honeypot? Would Honeywall still show Sebek (client) traffic detailing the attack?

3. During the installation of the client, there is a section that deals with this as well:

"Sebek logs all data it collects to a central server. Please specify the information Sebek will use to generate packets that the server can collect."

So how do I reconcile that with the above questions? Is it asking for the MAC address of the internal interface of the Honeywall, or something else?

I am sorta stuck here, so any suggestions you might have would be great!

Schnibitz
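Raúl's troubleshooting step is to capture on the Honeywall's internal interface and confirm that UDP datagrams from the honeypot to the configured "gateway" address actually arrive. The script below, added here as an example and not part of the thread or the Sebek/Honeywall code, checks a saved tcpdump capture offline for exactly that traffic; it assumes a gateway address of 192.168.100.1 (from the subnet used in the reply) and Sebek's default UDP destination port 1101, which the thread does not state, and builds its own constructed sample capture so it runs without a network.

```python
import struct
from ipaddress import IPv4Address

SEBEK_PORT = 1101  # Sebek's default UDP destination port (assumed; not stated in the thread)
GATEWAY_IP = "192.168.100.1"  # the "gateway" address entered in the Sebek client config (assumed)

def frame(src_ip, dst_ip, proto, l4):
    """Build a constructed Ethernet/IPv4 frame around an L4 payload (checksums left at 0)."""
    eth = bytes.fromhex("000c29000001" "000c29000002" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + l4

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def pcap(frames):
    """Wrap frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1149849600 + i, 0, len(f), len(f)) + f
    return out

def sebek_datagrams(data, gateway_ip=GATEWAY_IP, port=SEBEK_PORT):
    """Return (src_ip, payload_len) for each UDP datagram to gateway_ip:port in a pcap."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected an Ethernet capture (link type 1)")
    found, off = [], 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        f = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(f) < 34 or f[12:14] != b"\x08\x00":  # IPv4 frames only
            continue
        ihl = (f[14] & 0x0F) * 4
        if f[23] != 17 or str(IPv4Address(f[30:34])) != gateway_ip:  # UDP to the gateway
            continue
        dport, ulen = struct.unpack("!HH", f[14 + ihl + 2:14 + ihl + 6])
        if dport == port:
            found.append((str(IPv4Address(f[26:30])), ulen - 8))
    return found

# Constructed sample capture: one Sebek datagram from the honeypot plus unrelated traffic.
SAMPLE = pcap([
    frame("192.168.100.50", GATEWAY_IP, 17, udp(40000, SEBEK_PORT, b"sebek-record")),
    frame("192.168.100.50", GATEWAY_IP, 17, udp(40001, 53, b"dns")),       # DNS, ignored
    frame("192.168.100.99", "192.168.100.50", 6, bytes(20)),               # attacker TCP
])

if __name__ == "__main__":
    print(sebek_datagrams(SAMPLE))  # [('192.168.100.50', 12)]
```

On the real Honeywall, replace SAMPLE with the bytes of a file written by tcpdump -w on the internal interface; an empty result means the honeypot's Sebek packets never reached that interface, which points at the VMware virtual-net layout rather than the Honeywall itself.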
Current thread:
- Sebek client traffic not getting to Honeywall schnibitz (Jun 02)
- RE: Sebek client traffic not getting to Honeywall Siles, Raul (Jun 09)