Honeypots mailing list archives
correlating sys_read data to "source" ip
From: "troy d. straszheim" <troy () resophonic com>
Date: Wed, 16 Aug 2006 23:10:46 -0400
Hey all, I'm trying to correlate data in sys_read with the ip address that the data came from. That is, if I ssh in to a honeypot from 10.11.12.13 and type "WHERE DID THIS COME FROM" I get something like this in my sys_read:

mysql> select sensor_id, sys_read_id, process_id, data from sys_read where process_id = 6226;
+-----------+-------------+------------+------+
| sensor_id | sys_read_id | process_id | data |
+-----------+-------------+------------+------+
| 167772226 |       14099 |       6226 | W    |
| 167772226 |       14101 |       6226 | H    |
| 167772226 |       14103 |       6226 | E    |
| 167772226 |       14105 |       6226 | R    |
| 167772226 |       14107 |       6226 | E    |
| 167772226 |       14109 |       6226 |      |
| 167772226 |       14111 |       6226 | D    |
| 167772226 |       14113 |       6226 | I    |
| 167772226 |       14115 |       6226 | D    |
| 167772226 |       14117 |       6226 |      |
| 167772226 |       14119 |       6226 | T    |
| 167772226 |       14121 |       6226 | H    |
| 167772226 |       14123 |       6226 | I    |
| 167772226 |       14125 |       6226 | S    |
| 167772226 |       14127 |       6226 |      |
| 167772226 |       14129 |       6226 | C    |
| 167772226 |       14131 |       6226 | O    |
| 167772226 |       14133 |       6226 | M    |
| 167772226 |       14135 |       6226 | E    |
| 167772226 |       14137 |       6226 |      |
| 167772226 |       14139 |       6226 | F    |
| 167772226 |       14141 |       6226 | R    |
| 167772226 |       14143 |       6226 | O    |
| 167772226 |       14145 |       6226 | M    |
| 167772226 |       14147 |       6226 |      |
| 167772226 |       14148 |       6226 |      |
+-----------+-------------+------------+------+
26 rows in set (0.01 sec)

and I would like to be able to find the 10.11.12.13 in the database that corresponds to these keystrokes. I wonder if I am actually dealing with a misconfiguration of some kind.
Looking at table 'process':

mysql> select sensor_id, process_id, src_ip from process where process_id = 6226;
+-----------+------------+-----------+
| sensor_id | process_id | src_ip    |
+-----------+------------+-----------+
| 167772226 |       6226 | 167772288 |
+-----------+------------+-----------+
1 row in set (0.00 sec)

that sensor_id is actually the IP of the honeywall's administration interface (!?), and the src_ip is the ip address of the sensor. I've poked around in the argus table, and I don't see the correct IP addresses anywhere in the argus table. Could it be that the data hasn't been ingested yet?

TIA,
-troy
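A worked illustration of the join the poster is after, added here as an example; it is not part of the original thread and not the honeywall's own tooling. It loads constructed copies of the sys_read and process rows quoted above into an in-memory SQLite database (the real tables live in MySQL; only the column names visible in the post are used) and makes two assumptions: that sensor_id and src_ip are IPv4 addresses stored as 32-bit integers in network byte order, which turns 167772226 into 10.0.0.66 and 167772288 into 10.0.0.128, and that the two trailing blank sys_read rows hold the CR/LF that ended the typed line. All function names are hypothetical.

```python
import sqlite3
import ipaddress

# Constructed stand-in for the two honeywall tables quoted in the post; sample data,
# not output from a real sensor. Keystrokes are stored one byte per sys_read row.
SENSOR_ID = 167772226          # sensor_id from the post
PROCESS_ID = 6226              # process_id from the post
KEYSTROKES = "WHERE DID THIS COME FROM\r\n"   # assumption: the two blank rows are CR and LF
SYS_READ_IDS = [14099 + 2 * i for i in range(24)] + [14147, 14148]
SYS_READ_ROWS = [(SENSOR_ID, rid, PROCESS_ID, ch) for rid, ch in zip(SYS_READ_IDS, KEYSTROKES)]
PROCESS_ROWS = [(SENSOR_ID, PROCESS_ID, 167772288)]   # (sensor_id, process_id, src_ip)


def int_to_ip(n: int) -> str:
    """Decode an address stored as a 32-bit unsigned integer into dotted-quad form.
    Assumption: the integer is the address in network byte order, so 167772226 -> 10.0.0.66."""
    return str(ipaddress.IPv4Address(n))


def ip_to_int(dotted: str) -> int:
    """Inverse of int_to_ip, for looking up a known remote address in the process table."""
    return int(ipaddress.IPv4Address(dotted))


def build_db() -> sqlite3.Connection:
    """In-memory SQLite copy of the schema fragments visible in the post (column names only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sys_read (sensor_id INTEGER, sys_read_id INTEGER, process_id INTEGER, data TEXT);
        CREATE TABLE process  (sensor_id INTEGER, process_id INTEGER, src_ip INTEGER);
    """)
    conn.executemany("INSERT INTO sys_read VALUES (?, ?, ?, ?)", SYS_READ_ROWS)
    conn.executemany("INSERT INTO process VALUES (?, ?, ?)", PROCESS_ROWS)
    return conn


def keystrokes_with_source(conn: sqlite3.Connection, process_id: int):
    """Join sys_read to process on (sensor_id, process_id) so every keystroke row carries
    the src_ip recorded for that process, then reassemble the bytes in sys_read_id order.
    Returns None when the process is unknown, so a missing process row is visible
    instead of silently becoming an empty string."""
    rows = conn.execute(
        """
        SELECT p.sensor_id, p.src_ip, r.data
        FROM sys_read AS r
        JOIN process  AS p ON p.sensor_id = r.sensor_id AND p.process_id = r.process_id
        WHERE r.process_id = ?
        ORDER BY r.sys_read_id
        """,
        (process_id,),
    ).fetchall()
    if not rows:
        return None
    sensor_id, src_ip = rows[0][0], rows[0][1]
    return {
        "sensor": int_to_ip(sensor_id),
        "src_ip": int_to_ip(src_ip),
        "keystrokes": "".join(r[2] for r in rows),
    }


def processes_from_ip(conn: sqlite3.Connection, dotted: str):
    """Reverse lookup: which process_ids does the process table attribute to an address?
    If this returns nothing for the address you actually connected from (the post's
    10.11.12.13), src_ip is not holding the remote peer and the correlation cannot
    be made from these two tables alone."""
    rows = conn.execute(
        "SELECT process_id FROM process WHERE src_ip = ? ORDER BY process_id",
        (ip_to_int(dotted),),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    result = keystrokes_with_source(db, PROCESS_ID)
    print(f"sensor {result['sensor']} src_ip {result['src_ip']}: {result['keystrokes']!r}")
    print("processes from 10.11.12.13:", processes_from_ip(db, "10.11.12.13"))
    print("processes from 10.0.0.128:", processes_from_ip(db, "10.0.0.128"))
```

Run as a script it prints the reassembled line with the decoded sensor and src_ip, and the reverse lookup for 10.11.12.13 returns nothing on this data: under the assumed encoding the process row only knows 10.0.0.128, which matches the post's observation that src_ip holds the sensor's address. The join itself is straightforward; what decides whether the remote peer can be recovered is what the honeywall writes into src_ip (or what the argus flow records hold), so checking a known session from a known address this way is a quick test for that misconfiguration.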
Current thread:
- correlating sys_read data to "source" ip troy d. straszheim (Aug 16)
- Re: correlating sys_read data to "source" ip Camilo Viecco (Aug 17)
- Re: correlating sys_read data to "source" ip troy d. straszheim (Aug 18)
- Re: correlating sys_read data to "source" ip Camilo Viecco (Aug 17)