Honeypots mailing list archives

Sebek installation problem


From: Jason Schoenbrun <athlon () umd edu>
Date: Fri, 25 Feb 2005 15:13:21 -0500

Hello,

I'm having issues getting Sebek's extract utility to recognize
anything from the honeypot.
My original mistakes included not installing the client while
logged in as root, using Fedora Core 1 on both machines but with
one having a more updated version of the kernel, and having to
install the client more than once. So there you have it as far as
my level of expertise goes...

But now I have in my sbk_install.sh:
INTERFACE="eth0"
DESTINATION_IP=""
DESTINATION_MAC="[Correct MAC address of eth0 for the Honeynet
server]"
SOURCE_PORT=1101
DESTINATION_PORT=[Random number I chose between 2000 and 655536]
MAGIC_VAL=[32-bit number]
KEYSTROKE_ONLY=0
TESTING=0
MODULE_NAME="[random string].o"

I moved the tarball onto the Sebek client computer, logged in
as root and typed ./sbk_install.sh

Then, I go onto the server, and unzip the server package that
I downloaded. Then I type into the terminal (logged in as
root) ./configure, make and make install.
They all complete without errors. Then I type:
sbk_extract -i eth0 -p [DESTINATION_PORT from above] |
sbk_ks_log.pl
and after I press <ENTER> I go back to the honeynet with the
Sebek client and I open up a terminal and type away. I open
files, type ls, mkdir, etc.
When I go back to the server, it just shows:
 monitoring eth0: looking for UDP dst port [DESTINATION_PORT
from above]
and then a blank newline. Nothing pops up, nothing shows up.

A few remarks:
- I was able to ping from the server to the client and vice versa.
- They are running on the same network, through the same switch.
- I never specified anything, like magic number, module name,
  etc. when installing/running the server/extract utility, except
  the [DESTINATION_PORT] number.
- I left the DESTINATION_IP blank (just ""), though I'm not
  sure I should have.

If there's anything you can recommend, I'd appreciate it. The last
problem I had got great help from here (Ty in particular) and
it did help me in understanding what's going on. I really
appreciate it. I'm just trying to do hacker analysis research
at my university and feel frustrated I can't even get the
software to run (though I'm sure it's my fault).

Thanks again,
Jason

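A pre-flight check for the client settings described in the post, added here as an example; it is not code from the post or from the Sebek project. It reads the variables named in the post from a copy of sbk_install.sh and flags the values that cannot work regardless of the rest of the setup (a UDP port must lie in 1..65535, MAGIC_VAL must fit in 32 bits, DESTINATION_MAC must be six hex octets since the client emits raw frames to that address), warns on the empty DESTINATION_IP the poster was unsure about, and prints the tcpdump filter to run on the server beside sbk_extract so one can tell whether datagrams arrive at all. The sample config values are constructed placeholders; the specific checks are assumptions about a well-formed config, not rules taken from the Sebek documentation.

```shell
#!/bin/sh
# Added example: pre-flight checker for Sebek client variables in sbk_install.sh.
# Not part of the Sebek distribution; the checks below are assumptions about
# what a well-formed configuration needs.

# Constructed sample config modelled on the post (placeholder values; the
# out-of-range DESTINATION_PORT is deliberate so the checker has something to find).
SAMPLE_CONFIG='INTERFACE="eth0"
DESTINATION_IP=""
DESTINATION_MAC="00:11:22:33:44:55"
SOURCE_PORT=1101
DESTINATION_PORT=70000
MAGIC_VAL=3141592653
KEYSTROKE_ONLY=0
TESTING=0
MODULE_NAME="kmod_sample.o"'

# cfg_get FILE VAR -> value of VAR with surrounding double quotes stripped.
cfg_get() {
    grep -E "^${2}=" "$1" | head -n 1 | cut -d= -f2- | sed -e 's/^"//' -e 's/"$//'
}

# check_sebek_config FILE -> one line per finding; return code = number of
# hard errors (warnings do not change the return code).
check_sebek_config() {
    cfg="$1"; errors=0
    iface=$(cfg_get "$cfg" INTERFACE)
    dip=$(cfg_get "$cfg" DESTINATION_IP)
    dmac=$(cfg_get "$cfg" DESTINATION_MAC)
    sport=$(cfg_get "$cfg" SOURCE_PORT)
    dport=$(cfg_get "$cfg" DESTINATION_PORT)
    magic=$(cfg_get "$cfg" MAGIC_VAL)
    modname=$(cfg_get "$cfg" MODULE_NAME)

    [ -n "$iface" ] || { echo "ERROR: INTERFACE is empty"; errors=$((errors+1)); }
    # The empty DESTINATION_IP is the setting the post was unsure about.
    [ -n "$dip" ] || echo "WARN: DESTINATION_IP is empty; set it to the server's IP unless your version's docs say otherwise"
    # The client writes raw Ethernet frames, so a malformed MAC means nothing arrives.
    echo "$dmac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' \
        || { echo "ERROR: DESTINATION_MAC '$dmac' is not a valid MAC address"; errors=$((errors+1)); }
    # UDP ports are 16-bit: anything outside 1..65535 cannot be what the server listens for.
    for p in "SOURCE_PORT=$sport" "DESTINATION_PORT=$dport"; do
        v=${p#*=}
        if ! echo "$v" | grep -Eq '^[0-9]+$' || [ "$v" -lt 1 ] || [ "$v" -gt 65535 ]; then
            echo "ERROR: ${p%%=*} must be a UDP port in 1..65535 (got '$v')"; errors=$((errors+1))
        fi
    done
    # MAGIC_VAL is a 32-bit number per the post.
    if ! echo "$magic" | grep -Eq '^[0-9]+$' || [ "$magic" -gt 4294967295 ]; then
        echo "ERROR: MAGIC_VAL must be an unsigned 32-bit number (got '$magic')"; errors=$((errors+1))
    fi
    case "$modname" in
        *.o) ;;
        *) echo "ERROR: MODULE_NAME '$modname' should end in .o"; errors=$((errors+1)) ;;
    esac
    echo "$errors error(s) found"
    return "$errors"
}

# server_capture_filter PORT -> tcpdump command for the server side; run it
# next to sbk_extract to see whether Sebek datagrams reach the interface at all.
server_capture_filter() {
    echo "tcpdump -n -i eth0 udp dst port $1"
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
if check_sebek_config "$tmp"; then
    echo "config looks sane; on the server, confirm traffic with:"
else
    echo "fix the errors above before running sbk_install.sh; meanwhile, on the server, confirm traffic with:"
fi
server_capture_filter "$(cfg_get "$tmp" DESTINATION_PORT)"
rm -f "$tmp"
```

If tcpdump shows datagrams on the chosen port but sbk_extract prints nothing, the problem is on the server side of the pipeline; if tcpdump shows nothing, the client is not emitting toward that MAC and port, which narrows the search to the sbk_install.sh values and the module load.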
