Honeypots mailing list archives

RE: Sebek client traffic not getting to Honeywall


From: "Siles, Raul" <raul.siles () hp com>
Date: Fri, 9 Jun 2006 11:01:43 +0200

Hi Schnibitz,

1. For the gateway address you can use any IP address, although it is recommended to use the IP address of the gateway 
of the net where the HWall and the HPots are located. The Honeywall should capture all the Sebek traffic coming back 
from the Hpots because it works in bridge mode. 

2. The Hwall will also detect attacks coming from hosts on the same net as the HWall/HPots, however, these attacks must 
come from the Hwall external interface. Be sure to create the appropriate VMware virtual nets and assign the virtual 
interfaces appropriately, so that your layout looks like this:

    
Attacker    ----    Hwall    ----    Hpots
            VMnet_x          VMnet_y

These systems (attacker and Hpot) are located (the Hwall is a bridge) in the same IP logical subnet, let's say 
192.168.100.0/24, but the Hwall must be physically located between both.

3. May I recommend that you read the following references. I hope they will help with the info you're looking for:
http://www.securityfocus.com/infocus/1855
http://www.securityfocus.com/infocus/1858


In order to troubleshoot if Sebek traffic is being received by the Hwall, I recommend that you take network traces (using 
tcpdump) on the Hwall, referencing the internal interface (-i). This is the interface where the Sebek packets, coming 
from the HPot, must be captured by the Hwall. You should see the traffic there.

Thanks,
Raúl Siles
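An added example (not part of Raúl's reply or of the Sebek/Honeywall tools) of the check he describes: after saving a trace from the Honeywall's internal interface with tcpdump -w, this script parses the capture offline and counts the UDP packets each honeypot sends to the IP configured as the Sebek destination (the gateway address). It assumes an Ethernet capture and Sebek's default UDP port 1101; the sample capture is constructed inline and carries no real Sebek records.

```python
import struct
from collections import Counter

SEBEK_PORT = 1101  # assumed Sebek v3 default UDP port; use the port you configured

def parse_pcap(data):
    """Yield raw frames from a classic libpcap file (Ethernet link type assumed)."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + caplen]
        off += caplen

def udp_flows(frames):
    """Yield (src_ip, dst_ip, dst_port) for IPv4/UDP frames; skip everything else."""
    for f in frames:
        if len(f) < 42 or f[12:14] != b"\x08\x00" or f[23] != 17:
            continue
        ihl = (f[14] & 0x0F) * 4
        src, dst = (".".join(map(str, f[i:i + 4])) for i in (26, 30))
        yield src, dst, struct.unpack("!H", f[16 + ihl:18 + ihl])[0]

def sebek_report(pcap_bytes, gateway_ip, port=SEBEK_PORT):
    """Return {honeypot_ip: packets} for UDP traffic addressed to the Sebek destination."""
    seen = Counter()
    for src, dst, dport in udp_flows(parse_pcap(pcap_bytes)):
        if dst == gateway_ip and dport == port:
            seen[src] += 1
    return dict(seen)

# Constructed sample capture (no real Sebek payloads): two Sebek packets from
# honeypot 192.168.100.10 to gateway 192.168.100.1 plus one unrelated DNS query.
def _frame(src, dst, dport, payload):
    ip_src, ip_dst = (bytes(map(int, a.split("."))) for a in (src, dst))
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, ip_src, ip_dst)
    return b"\x00\x0c\x29\x00\x00\x01\x00\x0c\x29\x00\x00\x02\x08\x00" + ip + udp

def _pcap(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = _pcap([
    _frame("192.168.100.10", "192.168.100.1", SEBEK_PORT, b"sebek-record-1"),
    _frame("192.168.100.10", "192.168.100.1", SEBEK_PORT, b"sebek-record-2"),
    _frame("192.168.100.10", "192.168.100.53", 53, b"dns-query"),
])
```

On a real capture, call sebek_report(open("sebek.pcap", "rb").read(), "<gateway IP>"); an empty result for a honeypot that was compromised means its Sebek packets never reached the internal interface, which points at the VMnet layout or the configured destination address rather than at the Honeywall web interface.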

-----Original Message-----
From: schnibitz () gmail com [mailto:schnibitz () gmail com] 
Sent: Friday, 02 June 2006 16:33
To: honeypots () securityfocus com
Subject: Sebek client traffic not getting to Honeywall

All,
I have set up a Honeynet using VMware, although I suspect I have done something incorrectly.  The problem is when I 
launch attacks from a test machine, the network portion of those attacks (that snort would see) shows up on the 
honeywall web interface like they are supposed to, but despite a successful compromise of the honeywall, I don't see 
any Honeywall-specific information show in the web interface, just the snort data.  In other words, it doesn't look 
like the honeypot is communicating properly with Honeywall.

I am thinking this is a problem with my configuration, so I wanted to see if someone could clear something up for me.  
The following link:

http://www.honeynet.org.pk/honeywall/roo/page20.htm

suggests that:

"Since Sebek server runs on Honeywall, it will automatically detect Sebek packets on the interface. Type gateway IP 
address for destination IP address of sebek packets and hit Enter."

To me this means that whatever the gateway IP address for the honeywall is, put it in there.

1. Did I get this right?

2. Does it mean that the attack must originate from a network outside the honeynet?  What if the attacker happens to be 
on the same network as the honeypot?  Would Honeywall still show Sebek (client) traffic detailing the attack?

3. During the installation of the client, there is a section that deals with this as well:

"Sebek logs all data it collects to a central server.  Please specify the information Sebek will use to generate 
packets that the server can collect."

So how do I reconcile that with the above questions?  Is it asking for the MAC address of the internal interface of the 
Honeywall, or something else?  I am sorta stuck here, so any suggestions you might have would be great!

Schnibitz
