Re: honeypots Digest 5 Jul 2006 18:33:45 -0000 Issue 691

["Mark J. Hufe" <mark.j.hufe () wilmcoll edu>]

Does SEBEK run on the honeywall or each of the honeypots? One of the 
earlier responses to this thread referenced a simple code change to 
openssh, in which a couple of lines of code are added to the 
authentication function. This would be on the honeypot side, no?

If SEBEK is running on the honeywall, how does it have access to kernel 
functions on the honeypots?

- Mark

ader () ait edu gr wrote:
> > Hi.
> >
> > On 06.07.2006 10:49, George wrote:
> >
> > > How you will intercept  the crypted traffic from ssh? Is sebek so
> > > powerful to decrypt ssh? There is a honeypot that act as a ssh server
> > > but also write somewhere decrypted? You will make a forensics analyse?
>
> Ok guys The question that you bring about SEBEK is a very simple one,
> SEBEK  works on the KERNEL level... Meaning it can manipulate operating
> system core functions that under normal circuimstances a user is not
> allowed to (even if u have root access). This is one of the great benefits
> of SEBEK it works hidden in the Operating system recording all types of
> data (Keystrokes, BUFFER reads from memory/NICS/HDD ) without the user
> knowing anything about it. What sebek does essentially, is to record the
> SYS_READ function of the operating system. Those of you that know a little
> about linux you understand how important and essential this function is.
> So When an attacker tries to Login through SSH, SEBEK will capture the
> data AFTER it has been decrypted by the SSHD, and the login request is
> made to the OS. Dont forget that SSH is designed in order to protect the
> data during transit through the Networks only.