Honeypots mailing list archives

correlating sys_read data to "source" ip


From: "troy d. straszheim" <troy () resophonic com>
Date: Wed, 16 Aug 2006 23:10:46 -0400


Hey all,

I'm trying to correlate data in sys_read with the ip address that the
data came from.  That is, if I ssh in to a honeypot from 10.11.12.13
and type "WHERE DID THIS COME FROM" I get something like this in my
sys_read:

mysql> select sensor_id, sys_read_id, process_id, data from sys_read where process_id = 6226;
+-----------+-------------+------------+------+
| sensor_id | sys_read_id | process_id | data |
+-----------+-------------+------------+------+
| 167772226 |       14099 |       6226 | W    | 
| 167772226 |       14101 |       6226 | H    | 
| 167772226 |       14103 |       6226 | E    | 
| 167772226 |       14105 |       6226 | R    | 
| 167772226 |       14107 |       6226 | E    | 
| 167772226 |       14109 |       6226 |      | 
| 167772226 |       14111 |       6226 | D    | 
| 167772226 |       14113 |       6226 | I    | 
| 167772226 |       14115 |       6226 | D    | 
| 167772226 |       14117 |       6226 |      | 
| 167772226 |       14119 |       6226 | T    | 
| 167772226 |       14121 |       6226 | H    | 
| 167772226 |       14123 |       6226 | I    | 
| 167772226 |       14125 |       6226 | S    | 
| 167772226 |       14127 |       6226 |      | 
| 167772226 |       14129 |       6226 | C    | 
| 167772226 |       14131 |       6226 | O    | 
| 167772226 |       14133 |       6226 | M    | 
| 167772226 |       14135 |       6226 | E    | 
| 167772226 |       14137 |       6226 |      | 
| 167772226 |       14139 |       6226 | F    | 
| 167772226 |       14141 |       6226 | R    | 
| 167772226 |       14143 |       6226 | O    | 
| 167772226 |       14145 |       6226 | M    | 
| 167772226 |       14147 |       6226 |      | 
| 167772226 |       14148 |       6226 |     | 
+-----------+-------------+------------+------+
26 rows in set (0.01 sec)

and I would like to be able to find the 10.11.12.13 in the database
that corresponds to these keystrokes.  

I wonder if I am actually dealing with a misconfiguration of some
kind.  Looking at table 'process':

mysql> select sensor_id, process_id, src_ip from process where process_id = 6226;
+-----------+------------+-----------+
| sensor_id | process_id | src_ip    |
+-----------+------------+-----------+
| 167772226 |       6226 | 167772288 | 
+-----------+------------+-----------+
1 row in set (0.00 sec)

that sensor_id is actually the IP of the honeywall's administration
interface (!?), and the src_ip is the ip address of the sensor.  
 
I've poked around in the argus table, and I don't see the
correct IP addresses anywhere in the argus table.  Could it be that
the data hasn't been ingested yet?

TIA,

-troy
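Added example (not from the post or from the Honeywall/Sebek project): a small helper that reassembles the per-character sys_read rows into a keystroke string per process and joins them to the process table's src_ip. It assumes sensor_id and src_ip are IPv4 addresses stored as 32-bit integers (INET_ATON style), which the values in the post are consistent with (167772226 decodes to 10.0.0.66); the rows below are constructed in the shape of the query output above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows mirroring the two queries in the post:
# sys_read: (sensor_id, sys_read_id, process_id, data)
SYS_READ_ROWS = [
    (167772226, 14099, 6226, "W"),
    (167772226, 14101, 6226, "H"),
    (167772226, 14103, 6226, "E"),
    (167772226, 14105, 6226, "R"),
    (167772226, 14107, 6226, "E"),
    (167772226, 14109, 6226, " "),
    (167772226, 14111, 6226, "D"),
    (167772226, 14113, 6226, "I"),
    (167772226, 14115, 6226, "D"),
    (167772226, 14147, 6226, "\r"),   # the Enter key, which mangles the mysql table output
]
# process: (sensor_id, process_id, src_ip)
PROCESS_ROWS = [(167772226, 6226, 167772288)]


def int_to_ip(n):
    """Render a 32-bit integer as a dotted-quad IPv4 address (assumed INET_ATON encoding)."""
    return str(ipaddress.IPv4Address(n))


def reconstruct_keystrokes(rows):
    """Group sys_read data by (sensor_id, process_id), ordered by sys_read_id."""
    by_proc = defaultdict(list)
    for sensor_id, sys_read_id, process_id, data in rows:
        by_proc[(sensor_id, process_id)].append((sys_read_id, data))
    # Control characters are kept so a later analysis step can still see Enter/Backspace.
    return {key: "".join(d for _, d in sorted(chunks)) for key, chunks in by_proc.items()}


def correlate(sys_read_rows, process_rows):
    """Join reconstructed keystrokes to the process table and decode the integer IP columns."""
    src_by_proc = {(s, p): ip for s, p, ip in process_rows}
    results = []
    for (sensor_id, process_id), text in reconstruct_keystrokes(sys_read_rows).items():
        src_ip = src_by_proc.get((sensor_id, process_id))
        results.append({
            "sensor": int_to_ip(sensor_id),
            "process_id": process_id,
            "src_ip": int_to_ip(src_ip) if src_ip is not None else None,
            "keystrokes": text,
        })
    return results


if __name__ == "__main__":
    for r in correlate(SYS_READ_ROWS, PROCESS_ROWS):
        print(r)
```

Decoding the columns this way makes it visible at a glance which address each integer actually holds, which is the first thing to check before concluding the join itself is misconfigured.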

