Honeypots mailing list archives

Sebek detection


From: <gconnell () middlebury edu>
Date: 29 Mar 2004 06:46:23 -0000



In the Know Your Enemy: Sebek whitepaper from honeynet.org, under the heading "Client Packet Export", it is made clear 
that "[Sebek] modifies the kernel such that the system is unable to see Sebek Packets, not just the packets generated 
by the local host, but any appropriately configured Sebek Packet."

I'm sort of new at Sebek and haven't actually tested this idea out, but from the documentation, it seems there would be 
a pretty easy way to detect Sebek running on a honeypot.  Why not just construct a Sebek packet with some sort of 
packet generation tool (maybe nemesis?) and send it onto the network, then see if it can be seen by a regular tcpdump 
or snort session?

     --Cleverduck

