Honeypots mailing list archives
Problem with roo and sebek. Need help.
From: Parvinder Bhasin <parvinder.bhasin () gmail com>
Date: Mon, 08 Oct 2007 23:36:07 -0700
Hi,

First, sorry if this email appears twice.

I have been working on setting up a high-interaction honeypot using the Honeywall, with a honeypot server behind it. The honeypot server is a Linux flavour, and I have set up the Sebek client on it. I see that the Honeywall is receiving the Sebek data: when I run "sbk_extract -i eth0 -p 1101 | sbk_ks_log.pl" I do see the keystrokes etc.

My question is: how come I don't see any of the Sebek-related data on the Walleye interface? Is it that Sebek only logs data if the IDS thinks it's an attack and then follows its trail? How can I test this?

Also, I have seen that when I do a penetration test myself from a different network, Walleye sometimes logs my IP and matches maybe 1 or 2 signatures, but at other times, using Nikto, I don't see those attacks being logged in Walleye. I am up to date on the Snort rules.

Can anyone help me? I am stuck. I am new to this list, so if I have posted in the wrong place please excuse me and point me to the right place.

Thanks in advance. I appreciate any help.

Parvinder Bhasin
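Editor's added example, not part of the post above and not code from the Sebek or Honeywall projects. A Sebek client sends each record as a UDP datagram (port 1101 in the post) whose fixed header carries the magic value and version the client was built with, and a collector can only attribute records it can decode, so the first thing worth checking is that the datagrams on the wire decode with the magic and version the collector side is configured for. The decoder below assumes the Sebek v3 header layout as the editor recalls it from the client's sebek.h (56-byte big-endian header; verify against your client's source), constructs a few sample datagrams inline (one with a mismatched magic, one truncated), reports why the bad ones are rejected, and reassembles the accepted read() records into whole command lines, a reduced stand-in for the keystroke view the post's sbk_extract | sbk_ks_log.pl pipeline gives.

```python
import struct
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Sebek v3 record header as the editor recalls it from the client's sebek.h:
# magic, ver, type, counter, time_sec, time_usec, parent_pid, pid, uid, fd,
# inode, com[12], length; all integers big-endian. This layout is an
# assumption, not taken from the post; check it against your client's source.
SBK_HDR = struct.Struct("!IHHIIIIIIII12sI")
SBK_HDR_LEN = SBK_HDR.size  # 56 bytes

# Record types as the editor recalls them: 0 = read(), 1 = write(),
# 2 = socket(), 3 = open(). Keystrokes arrive as read() records.
SBK_READ = 0


class SebekRecord(NamedTuple):
    magic: int
    version: int
    rtype: int
    counter: int
    time_sec: int
    time_usec: int
    parent_pid: int
    pid: int
    uid: int
    fd: int
    inode: int
    com: str
    data: bytes


def build_record(magic: int, version: int, rtype: int, counter: int,
                 pid: int, uid: int, fd: int, com: str, data: bytes,
                 parent_pid: int = 1, inode: int = 0,
                 time_sec: int = 0, time_usec: int = 0) -> bytes:
    """Encode one datagram payload the way a v3 client would.
    Used here only to construct sample input; a real client emits these."""
    com_field = com.encode()[:12].ljust(12, b"\0")
    header = SBK_HDR.pack(magic, version, rtype, counter, time_sec, time_usec,
                          parent_pid, pid, uid, fd, inode, com_field, len(data))
    return header + data


def parse_record(payload: bytes, expected_magic: int,
                 expected_version: int = 3) -> SebekRecord:
    """Decode one UDP payload, refusing what a collector would also refuse:
    a datagram shorter than the header, a magic other than the configured one,
    an unexpected version, and a body shorter than the header's length field."""
    if len(payload) < SBK_HDR_LEN:
        raise ValueError("datagram shorter than Sebek header (%d bytes)" % len(payload))
    (magic, ver, rtype, counter, tsec, tusec, ppid, pid, uid, fd,
     inode, com, length) = SBK_HDR.unpack_from(payload)
    if magic != expected_magic:
        raise ValueError("magic 0x%08x != expected 0x%08x" % (magic, expected_magic))
    if ver != expected_version:
        raise ValueError("version %d != expected %d" % (ver, expected_version))
    data = payload[SBK_HDR_LEN:SBK_HDR_LEN + length]
    if len(data) != length:
        raise ValueError("record body truncated (%d of %d bytes)" % (len(data), length))
    command = com.split(b"\0", 1)[0].decode("ascii", "replace")
    return SebekRecord(magic, ver, rtype, counter, tsec, tusec, ppid, pid, uid, fd,
                       inode, command, data)


def decode_datagrams(payloads: Iterable[bytes], expected_magic: int
                     ) -> Tuple[List[SebekRecord], List[str]]:
    """Decode a batch of payloads; return the accepted records and the reasons the
    rejected ones failed (the rejection reasons are what explain an empty view)."""
    good: List[SebekRecord] = []
    rejected: List[str] = []
    for payload in payloads:
        try:
            good.append(parse_record(payload, expected_magic))
        except ValueError as exc:
            rejected.append(str(exc))
    return good, rejected


def keystroke_lines(records: Iterable[SebekRecord]) -> List[Tuple[int, int, str, str]]:
    """Reassemble read() records into whole input lines keyed by (pid, fd), so the
    output reads as commands typed rather than one record per read() call."""
    buffers: Dict[Tuple[int, int], bytearray] = {}
    lines: List[Tuple[int, int, str, str]] = []
    for rec in records:
        if rec.rtype != SBK_READ:
            continue
        buf = buffers.setdefault((rec.pid, rec.fd), bytearray())
        buf.extend(rec.data)
        while b"\n" in buf:
            line, _, rest = bytes(buf).partition(b"\n")
            lines.append((rec.pid, rec.uid, rec.com, line.decode("ascii", "replace")))
            buf[:] = rest
    return lines


# Constructed sample traffic (assumed values): a client built with MAGIC sends
# "ls -la" typed in bash as two read() records on stdin plus one write(); then a
# datagram from a client built with a different magic, and a truncated one.
MAGIC = 0xD0D0D0D0
SAMPLE_DATAGRAMS = [
    build_record(MAGIC, 3, SBK_READ, 1, 1234, 0, 0, "bash", b"ls -"),
    build_record(MAGIC, 3, SBK_READ, 2, 1234, 0, 0, "bash", b"la\n"),
    build_record(MAGIC, 3, 1, 3, 1234, 0, 1, "bash", b"total 8\n"),
    build_record(0xBADCAFE0, 3, SBK_READ, 1, 4321, 500, 0, "sh", b"id\n"),
    build_record(MAGIC, 3, SBK_READ, 4, 1234, 0, 0, "bash", b"pwd\n")[:20],
]


def demo() -> Tuple[List[Tuple[int, int, str, str]], List[str]]:
    good, rejected = decode_datagrams(SAMPLE_DATAGRAMS, MAGIC)
    return keystroke_lines(good), rejected


if __name__ == "__main__":
    lines, rejected = demo()
    for pid, uid, com, line in lines:
        print("pid=%d uid=%d com=%s : %s" % (pid, uid, com, line))
    for reason in rejected:
        print("rejected: " + reason)
```

To run it against real traffic, replace SAMPLE_DATAGRAMS with the UDP payloads captured on the honeywall's interface (for example the payloads of port-1101 datagrams from a pcap) and set MAGIC to the value the client was loaded with; records rejected for a magic or version mismatch point at a client/collector configuration disagreement rather than at the IDS.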
Current thread:
- Problem with roo and sebek. Need help. Parvinder Bhasin (Oct 09)