Re: Information about Sebek 3??

[Edward Balas <ebalas () iu edu>]

Jaime Sotelo wrote:

> In sebek 3 there's no sbk_upload.pl but a sbk_diag.pl. I don't found
> anything (not even the readme file) wich reflects this. I'm trying to
> use sebekd.pl to do the work
>
> 2006/1/4, Jaime Sotelo <1jasotel () gmail com>:
>  
>
> > I'm looking for information about the latest version of Sebek. I've
> > readed the Sebek 2 White Paper and  founded it very useful. But I
> > don't find anything about Sebek 3 apart from the README file in the
> > sebekd server. Some one knows where can I find more info related to
> > Sebek 3 and it's features and how it works, etc??
> >
> > By the way I'm suposing that sebek 3 just don't change so much from
> > the previous version 2 and perhaps it's enough for me with the sebek 2
> > whitepaper. Thanks
> >
> >    
Jaime,

The only paper per se on the general topic of sebek 3 is:

http://www.honeynet.org/papers/individual/hflow.pdf

This goes into how sebek 3 enables new types of data fusion/
analysis.

In general sebek 3 is a refinement to version 2, we have
started to monitor additional system calls such as fork and
socket. This allows us to recreate the process tree which
can act as a organizing structure for analysis.  The monitoring
of socket calls allows us to related specific network flows to
a process, and the combination both allow us to identify related
network connections.

Hope that helps,

Edward