Honeypots mailing list archives

Re: Problems building Sebek


From: "Mark J. Hufe" <mark.j.hufe () wilmcoll edu>
Date: Fri, 11 Aug 2006 08:51:12 -0400

Alen,

Thanks for the feedback!

I thought there might be a compiler fix, either a flag or version, but went the code fixing route. It turns out that the problem was known and that there was a fix. It just wasn't in the distribution, yet.

I checked this morning and the fix is there. As an FYI, here's what it looks like:

+ udp_ptr = (u32 *)((char *)skb->nh.iph + sizeof(struct iphdr));
+ s_ptr   = (struct updhdr *)((char *)udp_ptr + sizeof(struct udphdr));
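Review bot: on the s_ptr line the cast names `struct updhdr` while the sizeof on the same line names `struct udphdr`; the cast type looks like a transposed spelling. Nothing visible here declares a `struct updhdr`, so the cast should be checked against the declared type of s_ptr and spelled to match it, otherwise the assignment is between unrelated pointer types.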

The fixed version is: sebek-lin26-3.1.3c.tar.gz

Best regards,

Mark

Alen Capalik wrote:
Mark,

The problem is in the sebek code itself. There are two lines in af_packet.diff in the linux sebek client that are the culprit. Whoever wrote the code is casting an lvalue to a char pointer, which is prohibited by the gcc-4.01 compiler and is not recommended any longer. It's not a good idea to cast an lvalue in either case (I'm not criticizing anybody ;)). This is what gives you an error and it doesn't build. There are two ways around it. One is to compile this with gcc-3.4, which will only give you a warning saying that it is not a good idea to cast an lvalue and that it's being deprecated in the new version of gcc (namely 4.0), or you can fix these two lines, which is a little more involved. I haven't gotten around to properly fixing this code yet, so I don't have a fix for you, but in order to build this just use 3.4 and you should be fine. Hope this helps.

The two lines that fail in af_packet.diff:

+      (char *)udp_ptr       = (char *)skb->nh.iph + sizeof(struct iphdr);
+      (char *)s_ptr         = (char *)udp_ptr     + sizeof(struct udphdr);
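Review bot: both assignments put the cast on the left-hand side (`(char *)udp_ptr = ...` and `(char *)s_ptr = ...`), and a cast expression is a value rather than an assignable object, which matches the "invalid lvalue in assignment" errors reported at af_packet.c:1102 and 1103 in the build output. Keep the `char *` arithmetic on the right-hand side and cast its result to each pointer's declared type, leaving `udp_ptr` and `s_ptr` uncast on the left.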


Mark J. Hufe wrote:

I'm trying to install a Sebek client onto a SUSE 10.0 honeypot, but it's failing the make. This is with the gcc 4.01 compiler. I tried configuring first with the patched af_packet.c and then again by just copying af_packet.c from the linux source into the sebek path (after config) and still get the same failure. Any thoughts?

See output below.

- Mark

patch  ./src/af_packet.c ./src/af_packet.diff
patching file ./src/af_packet.c
Hunk #2 succeeded at 1048 (offset 6 lines).
Hunk #3 succeeded at 1080 (offset 6 lines).
Hunk #4 succeeded at 1092 (offset 6 lines).
Hunk #5 succeeded at 1930 with fuzz 1 (offset 12 lines).
./gen_fudge.pl > ./src/fudge.h
cp ./sbk_install.sh ./src
cp ./parameters.sh  ./src
cd ./src; make -C /usr/src/linux SUBDIRS=/home/mjh/sebek-lin26-3.1.2b/src modules
make[1]: Entering directory `/usr/src/linux-2.6.13-15.10'

  WARNING: Symbol version dump /usr/src/linux-2.6.13-15.10/Module.symvers
           is missing; modules will have no dependencies and modversions.

  CC [M]  /home/mjh/sebek-lin26-3.1.2b/src/sebek.o
  CC [M]  /home/mjh/sebek-lin26-3.1.2b/src/net.o
In file included from /home/mjh/sebek-lin26-3.1.2b/src/net.c:24:
/home/mjh/sebek-lin26-3.1.2b/src/af_packet.c: In function ‘packet_recvmsg’:
/home/mjh/sebek-lin26-3.1.2b/src/af_packet.c:1102: error: invalid lvalue in assignment
/home/mjh/sebek-lin26-3.1.2b/src/af_packet.c:1103: error: invalid lvalue in assignment
/home/mjh/sebek-lin26-3.1.2b/src/net.c: In function ‘sprintf_stats’:
/home/mjh/sebek-lin26-3.1.2b/src/net.c:489: warning: format ‘%8lu’ expects type ‘long unsigned int’, but argument 12 has type ‘u32’
/home/mjh/sebek-lin26-3.1.2b/src/net.c:489: warning: format ‘%7lu’ expects type ‘long unsigned int’, but argument 13 has type ‘u32’
make[2]: *** [/home/mjh/sebek-lin26-3.1.2b/src/net.o] Error 1
make[1]: *** [_module_/home/mjh/sebek-lin26-3.1.2b/src] Error 2
make[1]: Leaving directory `/usr/src/linux-2.6.13-15.10'
make: *** [sebek] Error 2
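
The header-walking step discussed in this thread, as an added userspace example that is not part of the original messages or of the Sebek source. It keeps every cast on the right-hand side and goes beyond the two quoted lines by taking the IP header length from the IHL field and bounds-checking the buffer; `after_udp_header` and `build_sample` are hypothetical names, and the packet bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define UDP_HDR_LEN 8u   /* fixed size of a UDP header */

/* Rejected by gcc 4.x with "invalid lvalue in assignment":
 *     (char *)udp_ptr = (char *)iph + sizeof(struct iphdr);
 * A cast produces a value, not an object. Cast the right-hand side
 * to the type of the pointer being assigned instead, as done below. */

/* Hypothetical helper: return the bytes that follow the UDP header of an
 * IPv4 packet, or NULL if the buffer is too short or is not IPv4/UDP. */
const uint8_t *after_udp_header(const void *iph, size_t len, size_t *out_len)
{
    const uint8_t *ip = (const uint8_t *)iph;   /* cast on the right */
    const uint8_t *udp_ptr, *s_ptr;
    size_t ip_hdr_len;

    if (len < 20 || (ip[0] >> 4) != 4)
        return NULL;
    ip_hdr_len = (size_t)(ip[0] & 0x0f) * 4;    /* IHL counts 32-bit words */
    if (ip_hdr_len < 20 || ip[9] != 17)         /* protocol 17 = UDP */
        return NULL;
    if (len < ip_hdr_len + UDP_HDR_LEN)
        return NULL;

    udp_ptr = ip + ip_hdr_len;                  /* start of UDP header */
    s_ptr   = udp_ptr + UDP_HDR_LEN;            /* first byte after it */
    *out_len = len - ip_hdr_len - UDP_HDR_LEN;
    return s_ptr;
}

/* Constructed sample: IPv4 header of ihl_words*4 bytes, UDP header, payload. */
size_t build_sample(uint8_t *buf, unsigned ihl_words, const char *payload)
{
    size_t ip_len = (size_t)ihl_words * 4, n = strlen(payload);

    memset(buf, 0, ip_len + UDP_HDR_LEN);
    buf[0] = (uint8_t)(0x40 | ihl_words);       /* version 4 + IHL */
    buf[9] = 17;                                /* UDP */
    memcpy(buf + ip_len + UDP_HDR_LEN, payload, n);
    return ip_len + UDP_HDR_LEN + n;
}
```

With a 24-byte IP header (IHL 6) the payload starts 32 bytes in, which a fixed 20-byte offset would miss.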







