Honeypots mailing list archives

Re: Sebek detection


From: Edward Balas <ebalas () iu edu>
Date: Mon, 29 Mar 2004 09:42:31 -0500 (EST)

On 29 Mar 2004 gconnell () middlebury edu wrote:

> In the Know Your Enemy: Sebek whitepaper from honeynet.org, under the
> heading "Client Packet Export", it is made clear that "[Sebek] modifies
> the kernel such that the system is unable to see Sebek Packets, not just
> the packets generated by the local host, but any appropriately configured
> Sebek Packet."
>
> I'm sort of new at Sebek and haven't actually tested this idea out, but
> from the documentation, it seems there would be a pretty easy way to
> detect sebek running on a honeypot.  Why not just construct a sebek
> packet with some sort of packet generation tool (maybe nemesis?) and send
> it onto the network, then see if it can be seen by a regular tcpdump or
> snort session?

First, tcpdump would have to be running on a honeypot in order for 
this technique to work. 

Second, packet hiding is based not only on the Magic value field of the 
Sebek PDU but also the Destination port number.  In a worst case scenario
you would have to send 2 ^ (16+32) packets.   

Third, you would want to be careful not to send at a rate which causes 
packet loss to be confused with packet hiding.  A firewall may also
cause such confusion.

Presuming that you address the 3 issues above, you should be able
to detect sebek on a client using this type of brute force technique.


Edward
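An added example, not part of the thread, written from the honeynet operator's side: you already know your own Sebek destination port and magic value and want to confirm that the kernel hides exactly those packets and that a probe run does not mistake ordinary packet loss (or a firewall) for hiding, which is Edward's third point. Sebek's real PDU layout is not modelled; a probe is reduced to the (dst_port, magic) pair the thread says hiding keys on, the sniffer stands in for a tcpdump running on the honeypot, and the port and magic values used are constructed, not Sebek defaults.

```python
import random
from collections import Counter, namedtuple

# A probe is reduced to the two fields the thread says hiding keys on.
Packet = namedtuple("Packet", "dst_port magic is_control")

# Worst case from the thread: every (16-bit port, 32-bit magic) pair.
SEARCH_SPACE = 1 << (16 + 32)

def make_hiding_filter(sebek_port, sebek_magic):
    """Simulated Sebek kernel patch: a local sniffer cannot see a packet
    whose destination port AND magic both match the honeypot's config."""
    def visible(pkt):
        return not (pkt.dst_port == sebek_port and pkt.magic == sebek_magic)
    return visible

def sniff(packets, visible, loss_rate, rng):
    """What a tcpdump on the honeypot records: hidden packets never appear,
    and any other packet may still be dropped by the network or a firewall."""
    return [p for p in packets if visible(p) and rng.random() >= loss_rate]

def build_probe_train(candidates, replicas, control_port=40000, control_magic=0):
    """Send each candidate (port, magic) `replicas` times, interleaved with a
    control packet (constructed values known not to match any tested config)."""
    train = []
    for port, magic in candidates:
        for _ in range(replicas):
            train.append(Packet(port, magic, False))
            train.append(Packet(control_port, control_magic, True))
    return train

def classify(candidates, train, captured, min_control_ratio=0.9):
    """Per candidate: 'hidden' only when none of its replicas were captured
    while the controls sent alongside mostly were; otherwise 'visible'.
    If too many controls vanished the run is 'inconclusive': that is loss
    or filtering, not hiding, so the send rate must come down."""
    sent_controls = sum(p.is_control for p in train)
    seen_controls = sum(p.is_control for p in captured)
    if sent_controls and seen_controls / sent_controls < min_control_ratio:
        return {c: "inconclusive" for c in candidates}
    seen = Counter((p.dst_port, p.magic) for p in captured if not p.is_control)
    return {c: ("hidden" if seen[c] == 0 else "visible") for c in candidates}

def run_check(sebek_port, sebek_magic, candidates, loss_rate, replicas=5, seed=1):
    """Full self-test: build the train, pass it through the simulated kernel
    filter and lossy network, then classify. Deterministic for a given seed."""
    rng = random.Random(seed)
    train = build_probe_train(candidates, replicas)
    captured = sniff(train, make_hiding_filter(sebek_port, sebek_magic), loss_rate, rng)
    return classify(candidates, train, captured)
```

Only the candidate matching both configured fields comes back as hidden; a candidate sharing just the port or just the magic stays visible, and a lossy run is flagged inconclusive rather than reported as hiding.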

