Honeypots mailing list archives

Re: sebek server question


From: Edward Balas <ebalas () anml iu edu>
Date: Fri, 9 Jul 2004 14:48:47 -0500

Hey Kathy,

Ok so here is the rub.

The -f argument is used to tell sbk_extract to recover the sebek packets from the specified pcap file. sbk_extract then extracts the sebek information from the packet and sends a binary representation of that to STDOUT. Typically you pipe the output of sbk_extract to a processing utility such as sbk_ks_log.pl or sbk_upload.pl.

It is an error that sbk_extract allows you to specify both an interface and a file to receive input on. As it currently stands, independent of the order the arguments are presented, if the -f argument is used, sbk_extract will look to read packets in from a file, ignoring the interface specification.

For Sebek, it is currently recommended that you use the raw packets in pcap format as the canonical raw data source. If you need to capture on one system and examine on another, then I would use tcpdump, snort or another sniffer with a filter to capture the Sebek packets, then on the analysis system use the -f arg in sbk_extract to process the pcap file.

Does that help?

Edward
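The capture-on-one-host, analyse-on-another workflow described above as a small shell script. This is an added example, not code from the original thread or from the Sebek project; it assumes tcpdump, sbk_extract and sbk_ks_log.pl are on the path, and the interface name, port and file names are illustrative. It also checks the input is really a libpcap file before calling sbk_extract -f, since a wrong magic number is what libpcap reports as "bad dump file format".

```shell
#!/bin/sh
# Added example, not code from the original thread. Wraps the recommended
# workflow: capture only Sebek traffic with tcpdump on the honeywall, then
# feed the resulting pcap to sbk_extract -f on the analysis host.
# Interface, port and file names below are constructed for illustration.

# Return 0 if the file begins with a libpcap magic number (either byte order,
# microsecond or nanosecond timestamps); anything else is not a pcap dump and
# is what libpcap rejects with "bad dump file format".
is_pcap() {
    magic=$(od -An -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only for a valid UDP port number. The thread shows -p 1101 in the
# working command and -p 207373 (outside the 16-bit range) in the failing one.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Capture host: record only the Sebek UDP stream into a pcap file.
# Usage: capture_sebek eth2 1101 sebek.pcap
capture_sebek() {
    valid_port "$2" || { echo "bad port: $2" >&2; return 2; }
    tcpdump -i "$1" -w "$3" "udp port $2"
}

# Analysis host: check the file and port first, then let sbk_extract decode
# the pcap and pipe its binary records into the keystroke logger.
# Usage: analyze_sebek sebek.pcap 1101
analyze_sebek() {
    valid_port "$2" || { echo "bad port: $2" >&2; return 2; }
    if ! is_pcap "$1"; then
        echo "refusing $1: not a libpcap capture file" >&2
        return 2
    fi
    sbk_extract -f "$1" -p "$2" | sbk_ks_log.pl
}
```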


On Jul 9, 2004, at 6:24 AM, Kathy Simm wrote:

I have sebek client running on my honeypot. On my honeywall I start rcfirewall, snort and snortinline. When I try the following on my honeywall, I see all the keystrokes fine:
     sbk_extract -i eth2 -p 1101 | sbk_ks_log.pl


However, when I try to send the sebek info to a file (for later processing), it never works. I type the following:
     sbk_extract -f sebekout -i eth2 -p 207373 &

I then take the file sebekout, cat it, and send it to either sbk-ks_log or sbk_upload.pl. Neither script appears to work, but neither generates errors.

What format should this file be?  ASCII?

I have also tried just tcpdumping the interface (tcpdump -i eth2 -w tcpdumpout) and feeding this to sbk-extract and all I get is Bad Dump File Format.

I've read the docs, but for those of us who are collecting the data and transferring it to another system (manually, the client won't allow auto stuff) things are a bit murky. Can someone help? Thanks.