Honeypots mailing list archives
Re: Walleye not displaying Sebek3 data
From: wbmccarty () gmail com
Date: 3 Sep 2006 07:49:02 -0000
I don't have difficulty viewing Sebek3 data using Walleye. I had a honeypot compromised by badguys using an SSH password-guessing tool and was able to follow their BASH session flawlessly.

Are you clicking the magnifying glass icon of connections you suspect may contain keystroke data? If so, could you be choosing the wrong connections or processes? Often the sys_read calls are issued by a child process of the process associated with the network connection. Figuring out which process has the keystroke data can be a bit difficult sometimes.

I myself sometimes find the sbk_extract and sbk_ks_log scripts more useful than the Walleye UI. But, that's not surprising in my case, since I often prefer command-line tools to GUI/web-based UI tools.

Cheers,