Honeypots mailing list archives

Problem with roo and sebek. Need help.


From: Parvinder Bhasin <parvinder.bhasin () gmail com>
Date: Mon, 08 Oct 2007 23:36:07 -0700

Hi,

First sorry if this email appears twice.

I have been working on setting up a high-interaction honeypot using
the Honeywall, with a honeypot server behind it. The honeypot server is
a Linux flavour, and I have set up the Sebek client on it. I can see that
the Honeywall is receiving the Sebek data: when I run "sbk_extract
-i eth0 -p 1101 | sbk_ks_log.pl" I do see the keystrokes etc.

My question is: how come I don't see any of the Sebek-related data
on the Walleye interface? Is it that Sebek only logs data if
the IDS thinks it's an attack and then follows its trail? How can I
test this?

Also, when I myself do a penetration test from a different
network, I sometimes see Walleye log my IP and match maybe 1 or 2
signatures, but then sometimes, using Nikto, I don't see those attacks
being logged on Walleye. I am up to date on the Snort rules.

Can anyone help me? I am stuck.

I am new to this list, so if I have posted in the wrong place please
excuse me and point me to the right place.

Thanks in advance. Appreciate any help.

Parvinder Bhasin


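One way to check what is actually arriving on UDP port 1101 before blaming Walleye is to decode the Sebek records yourself and confirm the magic value and version match what the Honeywall is configured for. The following is an added example, not code from the post or from the Honeynet Project; it assumes the Sebek v3 header layout (magic, ver, type, counter, time_sec, time_usec, parent_pid, pid, uid, fd, inode, com[12], length, big-endian, 56 bytes) and the record type numbers, which are stated here as assumptions rather than taken from the page.

```python
"""Decode Sebek v3 records and rebuild keystrokes per PID, roughly what
sbk_ks_log.pl does, plus a sanity check on magic/version.
ASSUMED v3 header layout and type codes; the magic value is whatever the
Sebek client was built with and is passed in by the caller."""
import struct
from typing import Dict, List

SBK_V3_HDR = struct.Struct("!IHHIIIIIIII12sI")   # 56-byte header (assumed)
SBK_TYPES = {0: "read", 1: "write", 2: "socket", 3: "open"}  # assumed v3 codes

def parse_sebek_v3(payload: bytes, expected_magic: int) -> Dict:
    """Parse one UDP payload; returns fields plus ok/reason for the check."""
    if len(payload) < SBK_V3_HDR.size:
        return {"ok": False, "reason": "short header (%d bytes)" % len(payload)}
    (magic, ver, typ, counter, tsec, tusec, ppid, pid, uid, fd,
     inode, com, length) = SBK_V3_HDR.unpack_from(payload)
    data = payload[SBK_V3_HDR.size:SBK_V3_HDR.size + length]
    rec = {"magic": magic, "ver": ver, "type": SBK_TYPES.get(typ, "unknown"),
           "counter": counter, "time": tsec + tusec / 1e6, "ppid": ppid,
           "pid": pid, "uid": uid, "fd": fd, "inode": inode,
           "com": com.split(b"\0", 1)[0].decode("ascii", "replace"),
           "length": length, "data": data, "ok": True, "reason": ""}
    if magic != expected_magic:   # client and Honeywall must agree on magic
        rec.update(ok=False, reason="magic 0x%08x != 0x%08x" % (magic, expected_magic))
    elif ver != 3:                # v2 records have a shorter, different header
        rec.update(ok=False, reason="sebek version %d, expected 3" % ver)
    elif len(data) < length:
        rec.update(ok=False, reason="truncated data (%d of %d)" % (len(data), length))
    return rec

def keystrokes(records: List[Dict]) -> Dict[int, str]:
    """Join stdin reads (type read, fd 0) per PID in counter order."""
    out: Dict[int, str] = {}
    for r in sorted((r for r in records if r["ok"]), key=lambda r: r["counter"]):
        if r["type"] == "read" and r["fd"] == 0:
            out[r["pid"]] = out.get(r["pid"], "") + r["data"].decode("latin-1")
    return out

def build_record(magic: int, typ: int, pid: int, uid: int, fd: int,
                 com: bytes, data: bytes, ver: int = 3, counter: int = 1) -> bytes:
    """Construct a sample record (test input only; timestamps are made up)."""
    hdr = SBK_V3_HDR.pack(magic, ver, typ, counter, 1191911767, 0, 1, pid,
                          uid, fd, 0, com.ljust(12, b"\0")[:12], len(data))
    return hdr + data

if __name__ == "__main__":
    MAGIC = 0xD0D0D0D0   # constructed sample magic, not a real deployment value
    recs = [parse_sebek_v3(build_record(MAGIC, 0, 4242, 0, 0, b"bash", b"l", counter=1), MAGIC),
            parse_sebek_v3(build_record(MAGIC, 0, 4242, 0, 0, b"bash", b"s\n", counter=2), MAGIC)]
    print(keystrokes(recs))   # {4242: 'ls\n'}
```

To run it against live traffic, feed each UDP payload captured on the Sebek port to parse_sebek_v3 and look at the reason field of any record that is not ok.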