Honeypots mailing list archives

Re: Sebek detection


From: "Ty Bodell" <tebodell () email com>
Date: Mon, 29 Mar 2004 08:22:33 -0500

Also in the KYE Sebek paper is the format for the Sebek packet and the Sebek communication protocol; I don't think it
can be constructed with nemesis.  And what would constructing a Sebek packet and putting it onto the network do for you
anyway?  How would this allow you to see if there is a honeypot on the network when the socket interface is taught to
ignore Sebek packets?  The risk of Sebek detection lies mostly on the local box itself, not the network interaction in
the honeynet.  Maybe I'm missing something.

Respectfully,
Ty Bodell

----- Original Message -----
From: <gconnell () middlebury edu>
Date: 29 Mar 2004 06:46:23 -0000
To: honeypots () securityfocus com
Subject: Sebek detection



In the Know Your Enemy: Sebek whitepaper from honeynet.org, under the heading "Client Packet Export", it is made
clear that "[Sebek] modifies the kernel such that the system is unable to see Sebek Packets, not just the packets
generated by the local host, but any appropriately configured Sebek Packet."

I'm sort of new at Sebek and haven't actually tested this idea out, but from the documentation, it seems there would
be a pretty easy way to detect Sebek running on a honeypot.  Why not just construct a Sebek packet with some sort of
packet generation tool (maybe nemesis?) and send it onto the network, then see if it can be seen by a regular tcpdump
or snort session?

     --Cleverduck



