Honeypots mailing list archives

Minor issue uploading Sebek 3.0.3 records to mySQL


From: Jason Schoenbrun <athlon () umd edu>
Date: Wed, 17 Aug 2005 10:31:22 -0400

Quick question:

I have a computer with Fedora 1 and the Sebek 3.0.3 client
installed. I set it up to send all read data, and have
successfully received data on the Fedora 3 Honeynet server as
filtered through sbk_ks_log.pl. So I know the setup is
fundamentally working.

My problem is in terms of running:
sbk_extract -i eth0 -p 7811 | sebekd.pl -u root -p rootpass -D sebek

I don't really have an error message since it's a basic
question. I need help setting up my database correctly.

On mySQL, I type:
CREATE DATABASE sebek;
USE sebek;
GRANT ALL ON sebek.* to me@localhost IDENTIFIED BY 'password';
CREATE TABLE records2(ip INT, magic INT, ver INT, type INT,
counter INT, time_sec INT, time_usec INT, pid INT, uid INT, fd
INT, com VARCHAR(12), len INT, data VARCHAR(200));

I decided to do this based on the documentation. The
documentation was a little ambiguous to me though, since
before describing these fields as I set them up in mySQL, it
also has a line:
"The record format exported by sbk_extract is the following:
($ip,$magic,$ver,$counter,$time_sec,$time_usec,$pid,$uid,$fd,$com,$len)
= unpack("NNnnNNNNNNa10N",$line);"

This description doesn't say the data types or even a field
for 'data', whereas the description that follows this in the
documentation, which I used, does. Thing is, the 2 are
different: the one I followed has 'type', whereas what I
quoted doesn't. Please help and tell me if I'm creating the
database incorrectly.

The other possible issue is that the command I use to extract
the sebek data and upload it (quoted above) doesn't indicate
anything about putting it in the 'records2' table. I'm not
sure where to put it, or if I need to at all.

Well, when I type in mySQL "describe records2", it displays
the same way I created it (which as I mentioned may have been
wrong in the first place).

Then, when I type the sbk_extract command, it says:
 monitoring eth0: looking for UDP dst port 7811
[myipaddr] 2005/07/21 23:04:48  record 2327674 recieved 1 lost
0 (0.00 percent)
Connected to database
 monitoring eth0: looking for UDP dst port 0

but that's it. And typing "select ip from records2;" in mySQL
returns an empty set.

I'm sure this is simple, but could someone please help?

Thanks a lot,
Jason

P.S. I have a few other questions; if someone doesn't
mind explaining a few perhaps basic things to a Linux
beginner, it would really help me a lot. Some are long,
though, and none absolutely essential to the project (so don't
read on if you don't care or have time).
1) The read data I collect is extensive and hard to understand.
I've written 2 scripts to parse and simplify the data, and
altogether ignore things that I thought might be superfluous,
like the 'sendmail' command (though I don't know if that was a
bad assumption to make). How can I (train myself to) recognize
something abnormal, or an attack? I've heard of programs like
tripwire, but doesn't that defeat the point of Sebek's
stealth? Should I be looking at system log files too? Anything
else?

2) Apparently I don't have to reload the Sebek module every
time I restart if I either change the init script to load
Sebek on bootup, or set up and compile the kernel to include
Sebek in it (i.e. not loaded as a module). I tried both, and
ended up wasting *dozens* of hours with no luck. As a Linux
beginner, I used various tutorials for both. My init script
seemed to load the module (lsmod showed my module), but it
wasn't logging anything. If I rmmod'ed and insmod'ed again, it
worked. Can anyone tell me a quick reply of what to add, into
which file and where?
Recompiling the Kernel was a disaster. What I tried
doing was boot into Linux, copy my compiled Sebek module into
one of the system module folders, and then follow a bunch of
websites' tutorials on how to compile a Kernel. I did all
that, but alas, it wasn't logging my data! I really have no
idea how to make a module part of a Kernel. I even tried going
into the sebek.c code, finding its changed (logging) "Read"
code, and then doing a grep on the Kernel code for the part
that defines the "Read" function, and pasting the logging
version instead of it (and *then* recompiling the Kernel).
Maybe someone can have a 10 minute IM chat with me and tell me
where to start? I'll put in the dozens of hours to figure the
rest out, but I need *some* direction!

Thanks again to anyone who read on, and I very much appreciate
any help. I do learn quickly if I have direction, but I'm new
to Linux and therefore get stuck on these basic things a lot.
I've put more than 100 hours into learning with Sebek, and these
are the things still tripping me up, so I therefore *really*
appreciate anyone kind enough to take a few moments to lend a
helping hand of any expertise!
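Added example (not part of the original post, and not Sebek's or sebekd.pl's own code): a small Python parser that takes the record layout straight from the Perl unpack template quoted in the post, "NNnnNNNNNNa10N", and loads the parsed fields into a records2 table built with the same column list as the CREATE TABLE above. One thing worth seeing in code is that the template has 12 format items while the post's variable list names only 11: the second 'n' is the 16-bit 'type' field, so the two documentation descriptions agree once that field is counted. The example assumes (the page does not say) that the `len` bytes of read data follow the fixed header immediately; the sample bytes, the magic value and the timestamps are constructed here, and SQLite stands in for MySQL so it runs offline.

```python
import sqlite3
import struct

# Layout taken from the Perl unpack template quoted in the post, "NNnnNNNNNNa10N":
# N = big-endian uint32, n = big-endian uint16, a10 = 10 raw bytes.
# The template has 12 items but the post's variable list names 11; the second 'n'
# is the 'type' column that the CREATE TABLE statement in the post already has.
HEADER_FMT = ">IIHHIIIIII10sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)          # 50 bytes
FIELDS = ("ip", "magic", "ver", "type", "counter", "time_sec", "time_usec",
          "pid", "uid", "fd", "com", "len")

# Same column list as the post's CREATE TABLE records2 (SQLite accepts this syntax).
CREATE_RECORDS2 = """CREATE TABLE records2(ip INT, magic INT, ver INT, type INT,
counter INT, time_sec INT, time_usec INT, pid INT, uid INT, fd INT,
com VARCHAR(12), len INT, data VARCHAR(200))"""

INSERT_RECORDS2 = ("INSERT INTO records2 (" + ", ".join(FIELDS) + ", data) VALUES ("
                   + ", ".join("?" for _ in range(len(FIELDS) + 1)) + ")")


def parse_record(buf):
    """Parse one record from the front of buf; return (record dict, remaining bytes).

    Assumption (not stated on the page): the `len` bytes of read data follow
    the fixed header immediately.
    """
    if len(buf) < HEADER_LEN:
        raise ValueError("short header: %d bytes" % len(buf))
    rec = dict(zip(FIELDS, struct.unpack(HEADER_FMT, buf[:HEADER_LEN])))
    rec["com"] = rec["com"].rstrip(b"\x00").decode("ascii", "replace")
    end = HEADER_LEN + rec["len"]
    if len(buf) < end:
        raise ValueError("truncated data: need %d bytes, have %d" % (end, len(buf)))
    rec["data"] = buf[HEADER_LEN:end]
    return rec, buf[end:]


def parse_stream(buf):
    """Split a byte string holding back-to-back records into a list of dicts."""
    records = []
    while buf:
        rec, buf = parse_record(buf)
        records.append(rec)
    return records


def build_record(ip, magic, ver, rtype, counter, time_sec, time_usec, pid, uid, fd, com, data):
    """Pack a record in the same layout; used here only to construct sample input."""
    header = struct.pack(HEADER_FMT, ip, magic, ver, rtype, counter, time_sec, time_usec,
                         pid, uid, fd, com.encode("ascii").ljust(10, b"\x00"), len(data))
    return header + data


def dotted(ip):
    """Render the 32-bit ip field as a dotted quad for display."""
    return ".".join(str((ip >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def load_into_db(records, conn):
    """Insert parsed records into records2 and return the number of rows now stored."""
    cur = conn.cursor()
    for r in records:
        cur.execute(INSERT_RECORDS2,
                    tuple(r[f] for f in FIELDS) + (r["data"].decode("latin-1"),))
    conn.commit()
    return cur.execute("SELECT COUNT(*) FROM records2").fetchone()[0]


# Constructed sample input (not captured traffic): two keystroke records from one shell.
SAMPLE = (build_record(0xC0A80105, 0xD0D0D0D0, 3, 0, 1, 1121997888, 0, 2345, 0, 0, "bash", b"ls -la\n")
          + build_record(0xC0A80105, 0xD0D0D0D0, 3, 0, 2, 1121997890, 0, 2345, 0, 0, "bash", b"uname -a\n"))


def demo():
    """Parse SAMPLE, load it into an in-memory records2, return (row count, first ip)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_RECORDS2)
    n = load_into_db(parse_stream(SAMPLE), conn)
    ips = [row[0] for row in conn.execute("SELECT ip FROM records2")]
    return n, dotted(ips[0])


if __name__ == "__main__":
    for r in parse_stream(SAMPLE):
        print(dotted(r["ip"]), r["com"], r["pid"], repr(r["data"]))
    print(demo())
```

Running it parses both constructed records and shows "select ip from records2" returning two rows, which is the check the post describes coming back empty; the point of the example is that the 12 unpacked fields line up one-to-one with the 13 columns of records2 once 'type' is counted and 'data' is appended after the header.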
