Honeypots mailing list archives
Re: Sebek detection
From: Edward Balas <ebalas () iu edu>
Date: Mon, 29 Mar 2004 09:42:31 -0500 (EST)
On 29 Mar 2004 gconnell () middlebury edu wrote:
In the Know Your Enemy: Sebek whitepaper from honeynet.org, under the heading "Client Packet Export", it is made clear that "[Sebek] modifies the kernel such that the system is unable to see Sebek Packets, not just the packets generated by the local host, but any appropriatly configured Sebek Packet." I'm sort of new at Sebek and haven't actually tested this idea out, but from the documentation, it seems there would be a pretty easy way to detect sebek running on a honeypot. Why not just construct a sebek packet with some sort of packet generation tool (maybe nemesis?) and send it onto the network, then see if it can be seen by a regular tcpdump or snort session?
First, tcpdump would have to be running on a honeypot in order for this technique to work. Second, packet hiding is based not only on the Magic value field of the Sebek PDU but also the Destination port number. In a worst case scenario you would have to send 2 ^ (16+32) packets. Third, you would want to be carefull not to send at a rate which causes packet loss to be confused with packet hiding. A firewall may also cause such confusion. Presuming that you address the 3 issues above, you should be able to detect sebek on a client using this type of brute force technique. Edward
Current thread:
- Sebek detection gconnell (Mar 28)
- Re: Sebek detection Gabriel Armbrust Araujo (Mar 29)
- Re: Sebek detection Edward Balas (Mar 29)
- Re: Sebek detection Thorsten Holz (Mar 29)
- Re: Sebek detection Lance Spitzner (Mar 29)
- Re: Sebek detection Edward Balas (Mar 29)
- <Possible follow-ups>
- Re: Sebek detection Ty Bodell (Mar 29)
- Re: Re: Sebek detection Guilhem (Mar 29)
- Re: Sebek detection Gabriel Armbrust Araujo (Mar 29)