Honeypots mailing list archives
Minor issue uploading Sebek 3.0.3 records to mySQL
From: Jason Schoenbrun <athlon () umd edu>
Date: Wed, 17 Aug 2005 10:31:22 -0400
Quick question: I have a computer with Fedora 1 and the Sebek 3.0.3 client installed. I set it up to send all read data, and have successfully received data on the Fedora 3 Honeynet server as filtered through sbk_ks_log.pl. So I know the setup is fundamentally working. My problem is in terms of running:

    sbk_extract -i eth0 -p 7811 | sebekd.pl -u root -p rootpass -D sebek

I don't really have an error message since it's a basic question. I need help setting up my database correctly. On mySQL, I type:

    CREATE DATABASE sebek;
    USE sebek;
    GRANT ALL ON sebek.* to me@localhost IDENTIFIED BY 'password';
    CREATE TABLE records2(ip INT, magic INT, ver INT, type INT, counter INT, time_sec INT, time_usec INT, pid INT, uid INT, fd INT, com VARCHAR(12), len INT, data VARCHAR(200));

I decided to do this based on the documentation. The documentation was a little ambiguous to me though, since before describing these fields as I set them up in mySQL, it also has a line:

    "The record format exported by sbk_extract is the following:
    ($ip,$magic,$ver,$counter,$time_sec,$time_usec,$pid,$uid,$fd,$com,$len) = unpack("NNnnNNNNNNa10N",$line);"

This description doesn't say the data types or even a field for 'data', whereas the description that follows this in the documentation, which I used, does. Thing is, the 2 are different: the one I followed has 'type', whereas what I quoted doesn't. Please help and tell me if I'm creating the database incorrectly.

The other possible issue is that the command I use to extract the sebek data and upload it (quoted above) doesn't indicate anything about putting it in the 'records2' table. I'm not sure where to put it, or if I need to at all. Well, when I type in mySQL "describe records2", it displays the same way I created it (which as I mentioned may have been wrong in the first place).

Then, when I type the sbk_extract command, it says:

    monitoring eth0: looking for UDP dst port 7811
    [myipaddr] 2005/07/21 23:04:48 record 2327674 recieved 1 lost 0 (0.00 percent)
    Connected to database
    monitoring eth0: looking for UDP dst port 0

but that's it. And typing "select ip from records2;" in mySQL returns an empty set. I'm sure this is simple, but could someone please help?

Thanks a lot,
Jason

P.S. I have a few other questions that, if someone doesn't mind explaining a few perhaps basic things to a Linux beginner, it would really help me a lot. Some are long, though, and none absolutely essential to the project (so don't read on if you don't care or have time).

1) The read data I collect is much and hard to understand. I've written 2 scripts to parse and simplify the data, and altogether ignore things that I thought might be superfluous, like the 'sendmail' command (though I don't know if that was a bad assumption to make). How can I (train myself to) recognize something abnormal, or an attack? I've heard of programs like tripwire, but doesn't that defeat the point of Sebek's stealth? Should I be looking at system log files too? Anything else?

2) Apparently I don't have to reload the Sebek module every time I restart if I either change the init script to load Sebek on bootup, or set up and compile the kernel to include Sebek in it (i.e. not loaded as a module). I tried both, and ended up wasting *dozens* of hours with no luck. As a Linux beginner, I used various tutorials for both. My init script seemed to load the module (lsmod showed my module), but it wasn't logging anything. If I rmmod'ed and insmod'ed again, it worked. Can anyone tell me in a quick reply what to add, into which file and where?

The recompiling the Kernel thing was a disaster. What I tried doing was boot into Linux, copy my compiled Sebek module into one of the system module folders, and then follow a bunch of websites' tutorials on how to compile a Kernel. I did all that, but alas, it wasn't logging my data! I really have no idea how to make a module part of a Kernel. I even tried going into the sebek.c code, finding its changed (logging) "Read" code, and then doing a grep on the Kernel code for the part that defines the "Read" function, and pasting the logging version instead of it (and *then* recompiling the Kernel). Maybe someone can have a 10-minute IM chat with me and tell me where to start? I'll put in the dozens of hours to figure the rest out, but I need *some* direction!

Thanks again to anyone who read on, and I very much appreciate any help. I do learn quickly if I have direction, but I'm new to Linux and therefore get stuck on these basic things a lot. I've put more than 100 hours into learning with Sebek, and these are the things still tripping me up, so I therefore *really* appreciate anyone kind enough to take a few moments to lend a helping hand of any expertise!
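As an added example (not from the post or the Sebek project), here is a Python decoder for the record header template quoted above, naming the twelve values the template yields after the records2 columns and building a parameterised INSERT from them. The sample record and its magic value are constructed, and the mapping onto records2 is an assumption, since the post does not say which table sebekd.pl writes to.

```python
import socket
import struct

# Python equivalent of the Perl template "NNnnNNNNNNa10N" quoted in the post:
# N = 32-bit big-endian unsigned, n = 16-bit big-endian unsigned, a10 = 10 raw bytes.
# The template yields 12 values; the names below follow the records2 columns (assumed).
HEADER_FMT = ">IIHHIIIIII10sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 50 bytes
FIELDS = ("ip", "magic", "ver", "type", "counter", "time_sec", "time_usec",
          "pid", "uid", "fd", "com", "len")
COLUMNS = FIELDS + ("data",)


def parse_record(raw):
    """Decode one header plus the `len` bytes of read data that follow it."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short record: %d bytes" % len(raw))
    rec = dict(zip(FIELDS, struct.unpack(HEADER_FMT, raw[:HEADER_LEN])))
    rec["com"] = rec["com"].rstrip(b"\x00").decode("ascii", "replace")
    data = raw[HEADER_LEN:HEADER_LEN + rec["len"]]
    if len(data) != rec["len"]:
        raise ValueError("truncated data: want %d, got %d" % (rec["len"], len(data)))
    rec["data"] = data.decode("latin-1")  # byte-preserving; keystrokes may be binary
    rec["ip_str"] = socket.inet_ntoa(struct.pack(">I", rec["ip"]))
    return rec


def insert_statement(rec):
    """Parameterised INSERT for records2: values never get spliced into the SQL text."""
    sql = "INSERT INTO records2 (%s) VALUES (%s)" % (
        ", ".join(COLUMNS), ", ".join(["%s"] * len(COLUMNS)))
    return sql, tuple(rec[c] for c in COLUMNS)


def build_record(ip, counter, pid, uid, fd, com, data, time_sec=1121987088):
    """Constructed sample record (not captured traffic); the magic value is a placeholder."""
    header = struct.pack(HEADER_FMT, ip, 0xD0D0D0D0, 3, 0, counter, time_sec, 0,
                         pid, uid, fd, com.encode("ascii").ljust(10, b"\x00"), len(data))
    return header + data


if __name__ == "__main__":
    sample = build_record(0xC0A80005, 2327674, 1234, 0, 0, "bash", b"ls -la\n")
    rec = parse_record(sample)
    print(rec["ip_str"], rec["counter"], rec["com"], repr(rec["data"]))
    print(insert_statement(rec))
```

The second tuple returned by insert_statement is meant to be passed as the parameter argument of a DB-API cursor.execute call, so the keystroke data is never interpolated into the statement.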