Honeypots mailing list archives
Re: my sebek2 did not work
From: Edward Balas <ebalas () iu edu>
Date: Tue, 17 Jun 2003 10:04:52 -0500 (EST)
On Tue, 17 Jun 2003, fatb wrote:
> the pot and the sebeksniff are not in the same LAN and the sebeksniff's mac add's first three char are 00:02:B3

When you say they are not on the same LAN, is there a router between your two hosts? If so, this won't work currently. The recommended method is to place the collector on the same LAN (broadcast domain) as the honeypot.
----- Original Message -----
From: "Edward Balas" <ebalas () iu edu>
To: "Fang Yong" <fatb () security zz ha cn>
Cc: <honeypots () securityfocus com>
Sent: Monday, June 16, 2003 9:48 PM
Subject: Re: my sebek2 did not work

On 16 Jun 2003, Fang Yong wrote:

> Hi all
> I'm a newbie here, plz do me a favor
> I've downloaded Sebek-linux-2.0.1 and SebekSniff-2.0.1 source and extracted the source code and get them compiled successfully in a redhat 7.3 box, so get a file named sebek-linux-2.0.1-bin.tar
> I also extracted it and edited the sebek.sh with right info
>
>     #----- sets destination IP for sebek packets
>     DESTINATION_IP="xx.xx.xx.xx"
>     #----- sets destination MAC addr for sebek packets
>     DESTINATION_MAC="00:02:B3:94:58:04"
>     #----- defines the destination udp port sebek sends to
>     DESTINATION_PORT=1101
>     #----- controls what SRC MAC OUIs to hide from users
>     #----- Only the first 3 octets are evaluated.
>     FILTER_OUI="00:D0:09"
>     #----- controls the output interface
>     INTERFACE="eth0";
>
> then I login another redhat7.3 box and compiled the sebeksniff and run it like this
>
>     ./sebeksniff -i eth0 -p 1101 -l /home/me/log
>
> and then do something in the first linux box which installed the sebek, but the sebeksniff can get any info and find nothing in the /home/me/log dir :(
> I also use tcpdump to capture the udp port 1101, but got nothing the same
> Is there anybody faced the same problem the same with I did?
> thanks in advance !!

Hi Fang,

Had a few questions for you. First, are the honeypot and box on which you are running sebeksniff on the same LAN? Second, is it the case the MAC address for the collector box is 00:02:B3:94:58:04?
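
Added example, not part of the original messages and not Sebek code: a pre-flight check for the two questions asked above, namely whether the collector in sebek.sh sits on the honeypot's LAN and whether DESTINATION_MAC is really the collector's MAC. The IP addresses, the ARP table text and the function names are constructed for illustration; the poster's real DESTINATION_IP was redacted.

```python
import ipaddress
import re

# Constructed sample: sebek.sh settings, with a documentation-range IP
# standing in for the redacted DESTINATION_IP.
SEBEK_SH = '''
#----- sets destination IP for sebek packets
DESTINATION_IP="192.0.2.50"
DESTINATION_MAC="00:02:B3:94:58:04"
DESTINATION_PORT=1101
INTERFACE="eth0";
'''

# Constructed sample of /proc/net/arp as read on the honeypot.
ARP_TABLE = '''IP address     HW type  Flags  HW address         Mask  Device
192.0.2.1      0x1      0x2    00:00:5e:00:53:01  *     eth0
192.0.2.50     0x1      0x2    00:02:b3:94:58:04  *     eth0
'''

def parse_sebek_sh(text):
    """Return the NAME=value assignments; comment lines are ignored."""
    return dict(re.findall(r'^\s*([A-Z_]+)=["\']?([^"\';\s#]+)', text, re.M))

def parse_arp(text):
    """Map IP -> lower-case MAC from /proc/net/arp content (header skipped)."""
    table = {}
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 6:
            table[fields[0]] = fields[3].lower()
    return table

def check_collector(cfg, honeypot_cidr, arp):
    """List reasons the collector would not receive frames sent to DESTINATION_MAC."""
    problems = []
    dst = ipaddress.ip_address(cfg["DESTINATION_IP"])
    # Same subnet is only a proxy for "same broadcast domain"; the ARP entry
    # below is the stronger evidence that the collector is directly reachable.
    if dst not in ipaddress.ip_interface(honeypot_cidr).network:
        problems.append("collector IP is outside the honeypot subnet (routed path)")
    seen = arp.get(str(dst))
    if seen is None:
        problems.append("no ARP entry for the collector on this LAN")
    elif seen != cfg["DESTINATION_MAC"].lower():
        problems.append("DESTINATION_MAC differs from ARP entry " + seen)
    return problems

if __name__ == "__main__":
    cfg = parse_sebek_sh(SEBEK_SH)
    print(check_collector(cfg, "192.0.2.10/24", parse_arp(ARP_TABLE)) or "collector looks reachable")
```

On a real honeypot the ARP text would come from /proc/net/arp after pinging the collector, and the CIDR from the address configured on INTERFACE.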