Honeypots mailing list archives
Semantics of command_id, process_id, process_to_com, process_tree
From: "troy d. straszheim" <troy () resophonic com>
Date: Fri, 23 Jun 2006 10:11:07 -0400
Hi list,

I'm trying to understand the tables of walleye_0_3 in detail, specifically how process_id's relate to command_ids and how the database represents trees of processes. I have a freshly installed honeywall with one sebek'ed honeypot behind it. I've logged in to the honeypot and generated a bunch of sys_read data which has successfully made it to the database. I get the following in my process_to_com table:

mysql> select * from process_to_com where process_id = 44;
+-----------+------------+------------+---------------+
| sensor_id | process_id | command_id | to_be_deleted |
+-----------+------------+------------+---------------+
| 167772226 |         44 |         11 |             0 |
| 167772226 |         44 |          6 |             0 |
+-----------+------------+------------+---------------+
2 rows in set (0.00 sec)

I'd assumed (wrongly, apparently) that process_to_com would be a one-to-one mapping of process_id to command_id. If I look up the command name in the command table, it would seem that process 44 is both sshd and bash:

mysql> select * from command where command_id=11;
+-----------+------------+------+
| sensor_id | command_id | name |
+-----------+------------+------+
| 167772226 |         11 | sshd |
+-----------+------------+------+
1 row in set (0.02 sec)

mysql> select * from command where command_id=6;
+-----------+------------+------+
| sensor_id | command_id | name |
+-----------+------------+------+
| 167772226 |          6 | bash |
+-----------+------------+------+
1 row in set (0.00 sec)

How does one interpret this?

There are also some processes absent from process_to_com entirely, like processes 7 and 12:

mysql> select * from process_to_com;
+-----------+------------+------------+---------------+
| sensor_id | process_id | command_id | to_be_deleted |
+-----------+------------+------------+---------------+
| 167772226 |          1 |          1 |             0 |
| 167772226 |          4 |          1 |             0 |
| 167772226 |          4 |          2 |             0 |
| 167772226 |          5 |          3 |             0 |
| 167772226 |          6 |          4 |             0 |
| 167772226 |          8 |          5 |             0 |
| 167772226 |          9 |          6 |             0 |
| 167772226 |         11 |          7 |             0 |
| 167772226 |         13 |          8 |             0 |
| 167772226 |         14 |          7 |             0 |
| 167772226 |         15 |          7 |             0 |
(etc)

But which do appear in process_tree as parent processes:

mysql> select * from process_tree;
+-----------+---------------+----------------+---------------+
| sensor_id | child_process | parent_process | to_be_deleted |
+-----------+---------------+----------------+---------------+
| 167772226 |             4 |              1 |             0 |
| 167772226 |             5 |              4 |             0 |
| 167772226 |             8 |              7 |             0 |
| 167772226 |            13 |              7 |             0 |
| 167772226 |            14 |             12 |             0 |
| 167772226 |            17 |              7 |             0 |
(etc)

So here, process_id's 8, 13, and 17 are children of process 7, which doesn't appear in process_to_com. What does a process with no associated command mean?

Thanks in advance,

-troy
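The two anomalies in the post (a process_id that carries more than one command_id, and parent processes that are present in process_tree but absent from process_to_com) are easiest to see by joining the three tables rather than reading them one at a time. The MySQL script below is an added example and is not code from the post or from walleye; the CREATE TABLE definitions are an assumption that only reproduces the columns visible in the thread (walleye's real schema has more columns and keys), and the rows are copied from the output Troy posted, so command names that were not posted (command_ids 1 through 8) show up as '#<id>' placeholders. The LEFT JOINs are the important part: an inner join would silently drop exactly the processes the question is about.

```sql
-- Added example, not from the original post or from the walleye project.
-- Schema is an assumption matching the columns shown in the thread.
CREATE TABLE command (
    sensor_id  INT UNSIGNED NOT NULL,
    command_id INT          NOT NULL,
    name       VARCHAR(255) NOT NULL
);
CREATE TABLE process_to_com (
    sensor_id     INT UNSIGNED NOT NULL,
    process_id    INT          NOT NULL,
    command_id    INT          NOT NULL,
    to_be_deleted TINYINT      NOT NULL DEFAULT 0
);
CREATE TABLE process_tree (
    sensor_id      INT UNSIGNED NOT NULL,
    child_process  INT          NOT NULL,
    parent_process INT          NOT NULL,
    to_be_deleted  TINYINT      NOT NULL DEFAULT 0
);

-- Rows copied from the post. Only two command names were posted.
INSERT INTO command VALUES (167772226, 6, 'bash'), (167772226, 11, 'sshd');
INSERT INTO process_to_com VALUES
    (167772226,  1,  1, 0), (167772226,  4,  1, 0), (167772226,  4,  2, 0),
    (167772226,  5,  3, 0), (167772226,  6,  4, 0), (167772226,  8,  5, 0),
    (167772226,  9,  6, 0), (167772226, 11,  7, 0), (167772226, 13,  8, 0),
    (167772226, 14,  7, 0), (167772226, 15,  7, 0),
    (167772226, 44, 11, 0), (167772226, 44,  6, 0);
INSERT INTO process_tree VALUES
    (167772226,  4,  1, 0), (167772226,  5,  4, 0), (167772226,  8,  7, 0),
    (167772226, 13,  7, 0), (167772226, 14, 12, 0), (167772226, 17,  7, 0);

-- 1. Processes mapped to more than one command_id.
--    Expected: process 4 -> #1,#2 and process 44 -> bash,sshd.
SELECT ptc.sensor_id,
       ptc.process_id,
       COUNT(*) AS n_commands,
       GROUP_CONCAT(COALESCE(c.name, CONCAT('#', ptc.command_id))
                    ORDER BY ptc.command_id) AS commands
FROM process_to_com ptc
LEFT JOIN command c
       ON c.sensor_id = ptc.sensor_id AND c.command_id = ptc.command_id
WHERE ptc.to_be_deleted = 0
GROUP BY ptc.sensor_id, ptc.process_id
HAVING COUNT(*) > 1;

-- 2. Parent processes referenced by process_tree that have no row at all
--    in process_to_com. Expected: 7 and 12. An inner join would hide them.
SELECT DISTINCT t.sensor_id, t.parent_process
FROM process_tree t
LEFT JOIN process_to_com p
       ON p.sensor_id = t.sensor_id AND p.process_id = t.parent_process
WHERE t.to_be_deleted = 0
  AND p.process_id IS NULL
ORDER BY t.parent_process;

-- 3. The tree itself, one edge per row, with every command name known
--    for the parent and for the child. NULL means "no process_to_com row"
--    (7 and 12 as parents; 17 as a child only because the posted
--    process_to_com listing was cut off before it).
SELECT t.parent_process,
       (SELECT GROUP_CONCAT(COALESCE(c.name, CONCAT('#', p.command_id))
                            ORDER BY p.command_id)
          FROM process_to_com p
          LEFT JOIN command c
                 ON c.sensor_id = p.sensor_id AND c.command_id = p.command_id
         WHERE p.sensor_id = t.sensor_id
           AND p.process_id = t.parent_process
           AND p.to_be_deleted = 0) AS parent_commands,
       t.child_process,
       (SELECT GROUP_CONCAT(COALESCE(c.name, CONCAT('#', p.command_id))
                            ORDER BY p.command_id)
          FROM process_to_com p
          LEFT JOIN command c
                 ON c.sensor_id = p.sensor_id AND c.command_id = p.command_id
         WHERE p.sensor_id = t.sensor_id
           AND p.process_id = t.child_process
           AND p.to_be_deleted = 0) AS child_commands
FROM process_tree t
WHERE t.to_be_deleted = 0
ORDER BY t.parent_process, t.child_process;
```

GROUP_CONCAT with an ORDER BY inside it is MySQL-specific, which matches the mysql> prompt in the post; on another engine use its string-aggregation function. When running this against a live walleye database rather than the toy tables above, keep the sensor_id in every join condition: process_id and command_id are only unique per sensor, so joining on the id alone will cross-match rows from different honeypots.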
Current thread:
- Semantics of command_id, process_id, process_to_com, process_tree troy d. straszheim (Jun 23)
- Re: Semantics of command_id, process_id, process_to_com, process_tree Frank S Posluszny, III (Jun 23)
- Re: Semantics of command_id, process_id, process_to_com, process_tree Edward G. Balas (Jun 24)
- Re: Semantics of command_id, process_id, process_to_com, process_tree Frank S Posluszny, III (Jun 24)
- Re: Semantics of command_id, process_id, process_to_com, process_tree Valdis . Kletnieks (Jun 24)
- Re: Semantics of command_id, process_id, process_to_com, process_tree troy d. straszheim (Jun 24)
- Re: Semantics of command_id, process_id, process_to_com, process_tree Frank S Posluszny, III (Jun 29)
- Re: Semantics of command_id, process_id, process_to_com, process_tree Edward G. Balas (Jun 24)
- Re: Semantics of command_id, process_id, process_to_com, process_tree Frank S Posluszny, III (Jun 23)