Honeypots mailing list archives

Re: Help Needed: Having a problem with sebek server


From: "Turner,Robbin J." <robbin () mitre org>
Date: Wed, 19 Nov 2003 08:21:55 -0500

I used the command:

sbk_extract -i eth0 -f tcpdump.out -p 53 | sbk_upload.pl -u sebek -p sebek_pw -d sebek

which gave me the below error. So I tried to see which part was giving the error. So I just did:

   sbk_extract -i eth0 -f tcpdump.out -p 53

and got the same response. BTW I got MySQL configured and working. But would still like to see any configurations or setup instructions or scripts you might have to verify I did it the same as you would.
Anyway back to the problem.  I then ran:

   sbk_extract -i eth0 -p 53

just to see if it was picking up the honeypot's output. It did; I could see the interaction: when I would type on the honeypot, output would spew forth from STDOUT on the sebek server. I used the command tcpdump -F filter -w tcpdump.out. This I then used as indicated above, which produced the output below. Tcpdump version is 3.7.2 and libpcap version 0.7.2.

So I then tried to pipe the output from sbk_extract to a file with the above sbk_extract command. Then I tried to use sbk_upload.pl to upload that output, but nothing happened, no errors, it just seemed to execute and quit.

Thanks for any help or advice.
Robbin Turner

Edward Balas wrote:

On Tue, 18 Nov 2003, Turner,Robbin J. wrote:

I was trying to extract the data from a tcpdump stream and the sbk_extract is giving me a malformed sebek record error. The data is coming off a Debian honeypot into a RedHat box running tcpdump. Then I'm piping the tcpdump output into the sbk_extract and getting the following:

        [.....]

   malformed sebek record: data length=64  packet caplen=96
   malformed sebek record: data length=199  packet caplen=96
   malformed sebek record: data length=25  packet caplen=96
   malformed sebek record: data length=447  packet caplen=96

   warning RX 1073774479   Lost 107383140

   malformed sebek record: data length=208  packet caplen=96
   malformed sebek record: data length=55  packet caplen=96
   malformed sebek record: data length=176  packet caplen=96
   malformed sebek record: data length=25  packet caplen=96
   malformed sebek record: data length=444  packet caplen=96
   malformed sebek record: data length=7  packet caplen=96
   malformed sebek record: data length=497  packet caplen=96
   malformed sebek record: data length=56  packet caplen=96
   malformed sebek record: data length=36  packet caplen=96

   [.....]

If you have any advice where to look I'd really appreciate it.

Thanks
Robbin Turner




Can you give me the exact command that you are running?


sbk_extract can't handle packets piped to it; it can either sniff the interface directly or it can open a tcpdump formatted log file...

BTW, I'll get to the mysql issue tomorrow if that's alright..
Edward





--
                            ''~``
                           ( o o )
+----------------------.oooO--(_)--Oooo.----------------------+
| Robbin Turner                            robbin () mitre org   |
| Lead Info Systems Engineer                                  |
| G071 - Cyber Analysis and Investigations (703) 883-7775 (V) |
| The MITRE Corporation                    (888) 645-0576 (P) |
| Mail Stop W435                           (703) 883-4589 (F) |
| 7515 Colshire Drive                      McLean, VA 22102   |
|=============================================================|
|                                                             |
|                    Be nice to your kids.                    |
|              They'll choose your nursing home.              |
|                                                             |
|                        .oooO                                |
|                        (   )   Oooo.                        |
+-------------------------\ (----(   )------------------------+
                          \_)    ) /
                                (_/
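Added note, not part of the thread above: every "malformed sebek record" line reports packet caplen=96, i.e. tcpdump only stored the first 96 bytes of each packet while the Sebek record claims more data, so the capture file itself can be checked for snaplen truncation before it is handed to sbk_extract. The script below is example code written for this page (not part of Sebek or tcpdump); it parses a classic pcap file, reports records whose captured length is shorter than their on-the-wire length, and builds a constructed sample file inline whose 96-byte snaplen mirrors the log.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic (microsecond-timestamp) pcap magic

def parse_pcap(data):
    """Parse a classic pcap byte string into (snaplen, records), where each
    record is (index, incl_len, orig_len, payload)."""
    if len(data) < 24:
        raise ValueError("pcap shorter than its 24-byte global header")
    # The writer's byte order is recovered from how the magic number reads.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic pcap file (magic %s)" % data[:4].hex())
    snaplen = struct.unpack(endian + "IHHiIII", data[:24])[5]
    records, off, idx = [], 24, 0
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            # Record header promises more bytes than the file holds (capture cut short).
            raise ValueError("record %d is incomplete on disk" % idx)
        records.append((idx, incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
        idx += 1
    return snaplen, records

def truncated_records(data):
    """Return (index, incl_len, orig_len) for every packet whose captured
    length is shorter than its on-the-wire length, i.e. clipped by snaplen."""
    _snaplen, records = parse_pcap(data)
    return [(i, incl, orig) for i, incl, orig, _payload in records if incl < orig]

def build_sample_pcap(snaplen, wire_lengths, endian="<"):
    """Constructed sample file: one zero-filled packet per wire length,
    captured with the given snaplen (link type 1 = Ethernet)."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for n, wire in enumerate(wire_lengths):
        incl = min(wire, snaplen)
        out += struct.pack(endian + "IIII", 1069241000 + n, 0, incl, wire) + b"\x00" * incl
    return out

if __name__ == "__main__":
    # Constructed wire lengths; the 96-byte snaplen mirrors the caplen in the thread's log.
    sample = build_sample_pcap(96, [154, 289, 60])
    for idx, incl, orig in truncated_records(sample):
        print("packet %d: captured %d of %d bytes" % (idx, incl, orig))
```

If the checker reports truncated packets, the fix is on the capture side: rerun tcpdump with a larger -s snaplen so whole Sebek records are written to tcpdump.out.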


