Honeypots mailing list archives
Re: Sebek Server and ICMP Host Unreacheable
From: Edward Balas <ebalas () iu edu>
Date: Mon, 10 May 2004 20:29:52 -0500 (EST)
On Mon, 10 May 2004, Major Sylvain Leblanc wrote:
Hello everyone, I think I may be missing something, please let me know. I installed the Sebek server and Linux client on two VMWare RedHat 9 VMs. Works like a charm! However, when I sniff the network traffic on the client using snort, I can see "ICMP Host Unreachable" packets being generated by the server. Running netstat on the server shows me that no processes are tied to my Sebek destination port, so I presume that the server is "sniffing" the keystroke data right off the interface. I am pretty sure that I could netstat a dummy process to my Sebek destination port so the server will not send "ICMP Host Unreachable" packets. Easy to fix, but this seems to me to be a fairly easy "fingerprint" that shows an attacker that something is not quite right which may give away the Honeypot. Any thoughts?
Sly, I would recommend not using the real server's IP address in the destination IP field. If the server is on the local LAN it doesn't really matter what the IP DST is; so long as you have the MAC address correct, or set to the Ethernet broadcast address, you should be fine. Set the DST IP to a non-existent host. Otherwise, I suggest the use of packet filters on the server to silently drop the Sebek traffic (the Sebek server collects using libpcap, so the filters won't inhibit collection).
Edward
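The following is an added example, not part of the thread or of the Sebek project: a small check an operator can run over a capture from the honeynet after applying either fix above, to confirm that the server no longer answers Sebek datagrams with ICMP Destination Unreachable messages. A host with nothing listening on a UDP port normally replies with type 3, code 3 (Port Unreachable); the check matches any Destination Unreachable code, so it does not matter which variant the server emits. It parses raw IPv4 packets with `struct` only (no Ethernet header), looks inside each ICMP message for the quoted UDP header, and reports hits whose destination port is the Sebek port. The Sebek port value, the addresses and the sample capture are constructed placeholders; substitute the port configured in your Sebek client.

```python
"""Find ICMP Destination Unreachable replies that quote Sebek UDP traffic.

Assumptions (not from the Sebek project): Sebek keystroke data is sent as UDP
to a configured destination port (SEBEK_PORT is a placeholder), and packets
are supplied as raw IPv4 frames without an Ethernet header.
"""
import struct

SEBEK_PORT = 1101  # placeholder: use the port configured in the Sebek client

ICMP_PROTO = 1
UDP_PROTO = 17
ICMP_DEST_UNREACH = 3


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) for a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return proto, src, dst, pkt[ihl:]


def icmp_unreachable_quoting_udp(pkt):
    """If pkt is an ICMP Destination Unreachable message quoting a UDP datagram,
    return (code, quoted_src, quoted_dst, quoted_dport); otherwise None."""
    proto, src, dst, payload = parse_ipv4(pkt)
    if proto != ICMP_PROTO or len(payload) < 8:
        return None
    icmp_type, code = payload[0], payload[1]
    if icmp_type != ICMP_DEST_UNREACH:
        return None
    inner = payload[8:]                # original IP header + first 8 payload bytes
    if len(inner) < 28:                # 20-byte IP header + 8-byte UDP header
        return None
    iproto, isrc, idst, ipayload = parse_ipv4(inner)
    if iproto != UDP_PROTO or len(ipayload) < 4:
        return None
    sport, dport = struct.unpack("!HH", ipayload[:4])
    return code, isrc, idst, dport


def find_sebek_leaks(packets, sebek_port=SEBEK_PORT):
    """Return (code, honeypot_ip, server_ip) for every ICMP unreachable in the
    capture that quotes a UDP datagram addressed to the Sebek port."""
    leaks = []
    for pkt in packets:
        hit = icmp_unreachable_quoting_udp(pkt)
        if hit and hit[3] == sebek_port:
            code, isrc, idst, _ = hit
            leaks.append((code, isrc, idst))
    return leaks


# --- constructed sample capture (not real traffic) ---------------------------

def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) for sample packets."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0,
                      bytes(int(x) for x in src.split(".")),
                      bytes(int(x) for x in dst.split(".")))
    return hdr + payload


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_icmp_unreach(code, quoted):
    """ICMP type 3 message quoting the first 28 bytes of the offending datagram."""
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted[:28]


_sebek_datagram = build_ipv4(UDP_PROTO, "10.0.0.5", "10.0.0.9",
                             build_udp(40000, SEBEK_PORT, b"keystrokes"))
SAMPLE_CAPTURE = [
    _sebek_datagram,                                           # honeypot -> server
    build_ipv4(ICMP_PROTO, "10.0.0.9", "10.0.0.5",
               build_icmp_unreach(3, _sebek_datagram)),        # server answers: leak
    build_ipv4(UDP_PROTO, "10.0.0.5", "10.0.0.8",
               build_udp(5353, 53, b"dns")),                   # unrelated traffic
]

if __name__ == "__main__":
    for code, honeypot, server in find_sebek_leaks(SAMPLE_CAPTURE):
        print(f"leak: {server} sent ICMP unreachable (code {code}) to {honeypot}")
```

On the real sensor, feed `find_sebek_leaks` the IPv4 payloads of a libpcap capture taken on the honeynet segment; an empty result after adding a rule such as `iptables -A INPUT -p udp --dport <sebek port> -j DROP` on the server confirms the silent-drop fix from the reply is in effect, while libpcap still sees the datagrams because the filter acts after capture.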