Honeypots mailing list archives
Re: Help Needed: Having a problem with sebek server
From: Edward Balas <ebalas () iu edu>
Date: Wed, 19 Nov 2003 09:54:05 -0500 (EST)
On Wed, 19 Nov 2003, Turner,Robbin J. wrote:
> I used the command: sbk_extract -i eth0 -f tcpdump.out -p 53 | sbk_upload.pl -u sebek -p sebek_pw -d sebek

Couple of observations:

1. The basic call structure looks correct.
2. Why are you using UDP port 53 for sebek logging data? This will cause DNS queries to be examined by the sbk_extract and reported as the malformed sebek packets. It should still record valid sebek packets though.
3. The packets are hidden from the honeypot, so there is no need to try to obfuscate the packet. I would recommend selecting a port not currently used by another service.

> which gave me the below error. So I tried to see which part was giving the error. So I just did: sbk_extract -i eth0 -f tcpdump.out -p 53

FWIW, if you are reading from a file, you do not need to specify the interface.

> and got the same response. Btw I got MySQL configured and working. But would still like to see any configurations or setup instructions or scripts you might have to verify I did it the same as you would.

This is now on my todo list ;-)

> Anyway back to the problem. I then ran: sbk_extract -i eth0 -p 53 just to see if it was picking up the honeypot's output. It did: when I would type on the honeypot, output would spew forth from STDOUT on the sebek server.

When it was spewing binary data to STDOUT, was it also reporting the malformed sebek packets?

> I used the command tcpdump -F filter -w tcpdump.out. This I then used as indicated above which produced the output below. Tcpdump version is 3.7.2 and libpcap version 0.7.2.
> So I then tried to pipe the output from the sbk_extract to a file with the above sbk_extract command. Then I tried to use sbk_upload.pl to upload that output but nothing happened, no errors, it just seemed to execute and quit.

Did your command sequence look like this?

1. sbk_extract -i eth0 -p 53 > testfile
2. cat testfile > sbk_upload.pl

Are there no entries in the MySQL database? What happens if you cat the testfile into sbk_ks_log.pl?

Edward
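The thread's core diagnostic question is what the tcpdump capture actually contains before it reaches sbk_extract: on port 53 the sebek collector sees DNS queries mixed in with sebek datagrams and reports them as malformed. The following is an added example, not code from this thread or from the Sebek project. It is a minimal classic-pcap (Ethernet/IPv4/UDP) reader that tallies UDP packets by destination port and counts how many on the chosen collector port look like DNS queries. The packets are constructed inline (two DNS-style queries to port 53, three opaque datagrams to a placeholder port 1101 standing in for sebek traffic); the DNS check is a header heuristic, not a full DNS parser.

```python
"""Offline triage of a tcpdump capture before feeding it to sbk_extract.

Added example (not part of the thread or the Sebek project). It answers
the question "is the port I picked for sebek also carrying other UDP
traffic?" by tallying UDP datagrams per destination port and flagging
DNS-looking payloads on the collector port. All sample packets below are
constructed in memory; no real capture is read.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def build_udp_frame(sport, dport, payload):
    """Construct an Ethernet/IPv4/UDP frame (checksums left at zero; fine for parsing)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + udp
    eth = b"\x00" * 6 + b"\x00" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap image (24-byte global header, 16-byte record headers)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1069257245 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_udp(pcap_bytes):
    """Yield (sport, dport, payload) for every IPv4/UDP packet in an Ethernet pcap."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian classic pcap is handled here")
    linktype, = struct.unpack_from("<I", pcap_bytes, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _ts, _us, incl_len, _orig = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 14 + 20 + 8:                       # too short for eth+ip+udp
            continue
        if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length in bytes
        if frame[14 + 9] != IPPROTO_UDP:
            continue
        udp_off = 14 + ihl
        sport, dport, udp_len, _ck = struct.unpack_from("!HHHH", frame, udp_off)
        yield sport, dport, frame[udp_off + 8: udp_off + udp_len]


def looks_like_dns_query(payload):
    """Heuristic: 12-byte DNS header, QR bit clear (query), at least one question."""
    if len(payload) < 12:
        return False
    flags, qdcount = struct.unpack_from("!HH", payload, 2)
    return (flags & 0x8000) == 0 and qdcount >= 1


def triage_capture(pcap_bytes, sebek_port):
    """Count UDP datagrams per destination port and DNS-looking ones on sebek_port."""
    per_port = {}
    dns_like = 0
    for _sport, dport, payload in iter_udp(pcap_bytes):
        per_port[dport] = per_port.get(dport, 0) + 1
        if dport == sebek_port and looks_like_dns_query(payload):
            dns_like += 1
    return {"per_port": per_port, "dns_like_on_sebek_port": dns_like}


# Constructed sample: a DNS query for www.example.com (QR=0, QDCOUNT=1) and
# opaque 48-byte datagrams to placeholder port 1101 standing in for sebek data.
DNS_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
             + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
OPAQUE = b"\x00" * 48
SAMPLE_PCAP = build_pcap([
    build_udp_frame(34567, 53, DNS_QUERY),
    build_udp_frame(1101, 1101, OPAQUE),
    build_udp_frame(34568, 53, DNS_QUERY),
    build_udp_frame(1101, 1101, OPAQUE),
    build_udp_frame(1101, 1101, OPAQUE),
])

if __name__ == "__main__":
    for port in (53, 1101):
        print("collector port", port, "->", triage_capture(SAMPLE_PCAP, port))
```

Running the module against a real tcpdump.out instead of SAMPLE_PCAP (read the file as bytes and pass it to triage_capture) shows at a glance whether the collector port is shared with another service; a non-zero dns_like count on the chosen port is exactly the situation that produces the malformed-packet reports discussed above.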