Honeypots mailing list archives

Honeypot installation, Sebek with web interface


From: ntruhan () kent edu
Date: Mon, 22 Jan 2007 22:56:00 -0500

Hello,
 
I am working on a project for my master's thesis on detecting 0-day vulnerabilities.
 
There are 3 machines and 2 subnets I am utilizing, and this is at my home. Just to explain the setup before the question.
 
I have a cable modem coming into my home into 1 router. This router has a network of 192.168.1.X. Off of this router is another router that is firewalled and contains the subnet 192.168.2.X, which is my private internal network, firewalled behind the router. Off of the 192.168.1.X router, there is also a 10 MB hub. Off of this hub are 2 servers. One is going to be my honeypot with an address of 192.168.1.200. The second is a Snort detection server that has a one-way network cable attached so it can only listen off of the hub and not transmit.
 
The third server, a database/web server, sits on the 192.168.2.X network for its management interface. It also has 2 more network cards. The first is a bi-directional direct connection to the Snort box, allowing the collection of Snort traffic and allowing the Snort box to get updates via the 192.168.2.X network without being easily detected. The second is another one-way cable to receive data from the honeypot box without being able to send back, so it is not easily detected.
 
The DB/Web and Snort boxes are set up and working; however, right now I only have the base Fedora Core 5 Linux OS installed in text-only mode.
 
I had intended on using Sebek on the honeypot to detect any activity on the box, however I downloaded version 2.X and had intentions of using it, but of course the client only works on kernel 2.4. Also, the web interface was throwing an error that a table called resume was missing. The schema file included with the Sebek server and web interface only defined 1 table.
 
I looked at the new Roo Honeywall CDROM, which has Sebek version 3; however, unless I am wrong here, my impression, and from trying to install it, is that the machine the CDROM provides actually is the collection server and has Snort and the DB on the same machine, making the hardware requirements higher. This box provides 2 interfaces bridged together to silently pass information into another box, which is the honeypot. It would also seem to need a 3rd interface to receive updates and connect to the outside world, since the other 2 interfaces cannot have IP addresses.
 
Now to the question....
What I would like to do is install the Sebek client on my honeypot box, the Sebek server on my DB/Web box, and pass the info via the one-way network cable. However, I would need some kind of aggregation web interface like the old Sebek web interface or the analysis piece of the Walleye web interface included with version 3.
 
Is there any way to extract the analysis part of the Walleye interface, or install Walleye on another system outside the Honeywall, so I can use it in this configuration?
 
If not, does anyone have any suggestions on what I can use, similar to Sebek, to capture information from the honeypot, send it to the server, and have it stored in a DB that can be aggregated via a web interface, so I can compare it against the information aggregated from Snort via the BASE web interface?
 
Thank you,
Nathan
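The collection path described in this post (honeypot sends over a receive-only cable into a DB box that a web interface then aggregates) has one constraint worth seeing in code: nothing can ever flow back to the honeypot, so the transport has to be connectionless (UDP, no ACKs, no retransmission requests) and the sender needs a static ARP entry for the collector, since ARP replies cannot cross the cable either. The following is an added example written for this archive entry; it is not Sebek's code and does not use Sebek's real wire format. It assumes a constructed, hypothetical record layout (`<unix_ts>|<pid>|<command>|<data>` per UDP datagram) and an assumed listening port of 1101, stores what arrives in SQLite, and exposes the kind of per-command rollup a web front end would display. Malformed datagrams are counted and dropped rather than retried, because over a one-way link a retry can never be requested.

```python
"""Receive-only collector for a one-way honeypot link (added example).

Not Sebek's code or wire format. Record layout below is hypothetical:
    <unix_ts>|<pid>|<command>|<data>
sent as one UDP datagram per record, because a one-way cable cannot
carry the acknowledgements TCP needs. Records land in SQLite so a web
interface can aggregate them.
"""
import socket
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple

ASSUMED_PORT = 1101  # assumption for this example, not a confirmed Sebek default


@dataclass
class Record:
    ts: int
    pid: int
    command: str
    data: str


def parse_record(payload: bytes) -> Optional[Record]:
    """Parse one datagram; return None on malformed input.

    Over a one-way link the sender can never be asked to resend, so a
    bad record is dropped, never retried.
    """
    try:
        text = payload.decode("utf-8", errors="strict")
        ts, pid, command, data = text.split("|", 3)
        return Record(int(ts), int(pid), command, data)
    except (UnicodeDecodeError, ValueError):
        return None


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the SQLite store the web interface reads from."""
    conn = sqlite3.connect(path)
    conn.execute(
        """CREATE TABLE IF NOT EXISTS records (
               id INTEGER PRIMARY KEY,
               ts INTEGER NOT NULL,
               pid INTEGER NOT NULL,
               command TEXT NOT NULL,
               data TEXT NOT NULL)"""
    )
    return conn


def ingest(conn: sqlite3.Connection, datagrams: List[bytes]) -> Tuple[int, int]:
    """Store a batch of datagrams; return (stored, dropped) counts."""
    stored = dropped = 0
    for payload in datagrams:
        rec = parse_record(payload)
        if rec is None:
            dropped += 1
            continue
        conn.execute(
            "INSERT INTO records (ts, pid, command, data) VALUES (?, ?, ?, ?)",
            (rec.ts, rec.pid, rec.command, rec.data),
        )
        stored += 1
    conn.commit()
    return stored, dropped


def activity_summary(conn: sqlite3.Connection) -> List[tuple]:
    """Per-command count plus first and last seen timestamp, the rollup
    an aggregation web page would render."""
    cur = conn.execute(
        """SELECT command, COUNT(*), MIN(ts), MAX(ts)
           FROM records
           GROUP BY command
           ORDER BY COUNT(*) DESC, command"""
    )
    return cur.fetchall()


def serve(conn: sqlite3.Connection, bind_addr: str = "0.0.0.0", port: int = ASSUMED_PORT) -> None:
    """Blocking UDP listener bound to the collector's receive-only NIC.
    Nothing is ever sent back: recvfrom only, no sendto."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        payload, _ = sock.recvfrom(65535)
        ingest(conn, [payload])


# Constructed sample datagrams standing in for what the one-way link would deliver.
SAMPLE_DATAGRAMS = [
    b"1169521000|2311|bash|cd /tmp",
    b"1169521004|2311|bash|ls -la",
    b"1169521010|2340|sh|id",
    b"not a record",
    b"1169521020|2311|bash|uname -a",
]

if __name__ == "__main__":
    db = open_store()
    print("stored, dropped:", ingest(db, SAMPLE_DATAGRAMS))
    for row in activity_summary(db):
        print(row)
```

Run as-is it exercises the parser and the rollup on the constructed sample; on the DB/Web box you would call `serve(open_store("/path/to/honeypot.db"))` bound to the address of the receive-only card, and point the web layer at `activity_summary` or similar queries. Because UDP offers no delivery guarantee, a sequence counter in the record would let the summary page also report gaps, which is the only way to notice loss on a link that cannot ask for retransmission.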
 