Honeypots mailing list archives
Honeypot installation, Sebek with web interface
From: ntruhan () kent edu
Date: Mon, 22 Jan 2007 22:56:00 -0500
Hello, I am working on a project for my master's thesis on detecting 0-day vulnerabilities. There are 3 machines and 2 subnets I am utilizing, and this is at my home. Just to explain the setup before the question.

I have a cable modem coming into my home into 1 router. This router has a network of 192.168.1.X. Off of this router is another router that is firewalled and contains the subnet 192.168.2.X, which is my private internal network, firewalled behind the router. Off of the 192.168.1.X router, there is also a 10 MB hub. Off of this hub are 2 servers. 1 is going to be my honeypot with an address of 192.168.1.200. The second is a snort detection server that has a one-way network cable attached so it can only listen off of the hub and not transmit. The third server, a database/web server, sits on the 192.168.2.X network for its management interface. It also has 2 more network cards. The first is a bi-directional direct connect to the snort box allowing the collection of snort traffic and allowing the snort box to get updates via the 192.168.2.X network without getting easily detected. The second is another one-way cable to receive data from the honeypot box without being able to send back and be easily detected.

The DB/Web and Snort boxes are set up and working; however, right now I only have the base Fedora Core 5 Linux OS installed in text-only mode. I had intended on using Sebek on the honeypot to detect any activity to the box; however, I downloaded the 2.X version and had intentions of using it, but of course the client only works on kernel 2.4. Also, the web interface was throwing an error that a table called resume was missing. The schema file included with the sebek server and web interface only defined 1 table.

I looked at the new Roo honeywall CDROM, which has sebek version 3; however, unless I am wrong here, my impression, and from trying to install it, is that the machine the CDROM provides is actually the collection server and has Snort and the DB on the same machine, making the hardware requirements higher. This box provides 2 interfaces bridged together to silently pass information into another box, which is the honeypot. It would also seem to need a 3rd interface to receive updates and connect to the outside world, since the other 2 interfaces cannot have IP addresses.

Now to the question.... What I would like to do is install the sebek client on my honeypot box, the sebek server on my DB/Web box, and pass the info via the one-way network cable. However, I would need some kind of aggregation web interface like the old sebek web interface or the analysis piece of the walleye web interface included with version 3. Is there any way to extract the analysis part of the walleye interface or install walleye on another system outside the Honeywall so I can use it in this configuration? If not, does anyone have any suggestions on what I can use similar to sebek to capture information from the honeypot, send it to the server, and have it stored in a DB that can be aggregated via a web interface so I can compare it against the information aggregated from Snort via the BASE web interface?

Thank you,
Nathan
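The collection side Nathan describes (Sebek client on the honeypot, records arriving over the one-way cable, stored in a database that a web front end can aggregate), as an added example that is not part of the original post or of the Sebek/Honeywall code: a Python collector that validates each record, stores it in SQLite, and rebuilds per-process keystrokes for comparison against the Snort/BASE timeline. The header layout, the type codes, the magic value and the sample keystrokes are assumptions; the layout follows the Sebek 3 client header as I recall it (56 bytes, network byte order) and must be checked against the sebek.h shipped with the client before it is trusted.

```python
# Added example (not from the original post or the Honeynet Project): a small
# Sebek-style collector for the receive-only link. Header layout is the Sebek 3
# client header as I recall it; verify against the client's sebek.h first.
import socket
import sqlite3
import struct

# assumed field order: magic, ver, type, counter, time_sec, time_usec,
# parent_pid, pid, uid, fd, inode, com[12], length
SBK_HDR = struct.Struct("!IHHIIIIIIII12sI")
SBK_READ, SBK_WRITE, SBK_SOCK, SBK_OPEN = 0, 1, 2, 3  # assumed type codes


def parse_record(datagram, magic):
    """Decode one record or raise ValueError. Nothing can be re-requested over
    a one-way cable, so bad magic or a bad length field just drops the frame."""
    if len(datagram) < SBK_HDR.size:
        raise ValueError("short record: %d bytes" % len(datagram))
    (m, ver, typ, counter, tsec, tusec, ppid, pid, uid, fd, inode, com,
     length) = SBK_HDR.unpack_from(datagram)
    if m != magic:
        raise ValueError("bad magic 0x%08x" % m)
    data = datagram[SBK_HDR.size:]
    if len(data) < length:
        raise ValueError("truncated: want %d, have %d" % (length, len(data)))
    return {"version": ver, "type": typ, "counter": counter, "uid": uid,
            "ts": tsec + tusec / 1e6, "parent_pid": ppid, "pid": pid, "fd": fd,
            "inode": inode, "data": data[:length],
            "command": com.split(b"\0", 1)[0].decode("latin-1")}


def build_record(magic, typ, counter, pid, uid, fd, command, data, ppid=1):
    """Pack a record in the same layout (used here to fabricate test input)."""
    com = command.encode("latin-1")[:12].ljust(12, b"\0")
    return SBK_HDR.pack(magic, 3, typ, counter, 0, 0, ppid, pid, uid, fd, 0,
                        com, len(data)) + data


class SebekStore:
    # SQLite back end; a web front end can query the table directly.
    COLS = "ts, counter, type, parent_pid, pid, uid, fd, inode, command, data"

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS sebek (id INTEGER PRIMARY "
                        "KEY, ts REAL, counter INTEGER, type INTEGER, "
                        "parent_pid INTEGER, pid INTEGER, uid INTEGER, "
                        "fd INTEGER, inode INTEGER, command TEXT, data BLOB)")

    def add(self, r):
        self.db.execute("INSERT INTO sebek (%s) VALUES (%s)"
                        % (self.COLS, ",".join("?" * 10)),
                        [r[c] for c in self.COLS.split(", ")])
        self.db.commit()

    def keystrokes(self, pid):
        """Rebuild what was typed on stdin of one process, in counter order."""
        rows = self.db.execute("SELECT data FROM sebek WHERE pid=? AND type=? "
                               "AND fd=0 ORDER BY counter", (pid, SBK_READ))
        return b"".join(r[0] for r in rows).decode("latin-1")

    def sessions(self):
        """One row per (pid, uid, command): the view to line up with BASE."""
        return self.db.execute("SELECT pid, uid, command, COUNT(*) FROM sebek "
                               "WHERE type=? GROUP BY pid, uid, command "
                               "ORDER BY pid", (SBK_READ,)).fetchall()


def collect(store, magic, port, max_records, timeout=5.0):
    """Bind the UDP port on the receive-only interface and store what arrives.
    Assumes the client's DESTINATION_IP is this host's address on that link."""
    stored = dropped = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", port))
        while stored < max_records:
            try:
                datagram, _ = sock.recvfrom(65535)
                store.add(parse_record(datagram, magic))
                stored += 1
            except socket.timeout:
                break
            except ValueError:
                dropped += 1
    return stored, dropped


def demo():
    """Offline run: one constructed shell session plus two frames to reject."""
    magic = 0xD0D0D0D0  # constructed; the real value is set at client install
    store, dropped = SebekStore(), 0
    typed = "id\ncat /etc/shadow\n"  # constructed intruder keystrokes
    pkts = [build_record(magic, SBK_READ, n, 4242, 1000, 0, "bash", c.encode())
            for n, c in enumerate(typed, start=1)]
    pkts.insert(3, build_record(0xDEADBEEF, SBK_READ, 99, 1, 0, 0, "x", b"x"))
    pkts.append(pkts[-1][:20])  # a frame cut short on the wire
    for p in pkts:
        try:
            store.add(parse_record(p, magic))
        except ValueError:
            dropped += 1
    return store, dropped
```

collect() only works as written if the Sebek client's DESTINATION_IP is the collector's address on the one-way interface; as I understand the client, it writes frames straight to the configured DESTINATION_MAC without ARP, which is what makes a receive-only cable workable at all, but a bound UDP socket will not see frames addressed to some other IP, so in that case capture with pcap on the interface instead of binding. keystrokes() and sessions() are the two queries a BASE-style front end would run against this table; the same SQL works unchanged against MySQL if the Sebek data is to live in the BASE database.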