Honeypots mailing list archives

Re: can't make sebek-3.0.3 work - [solved]


From: Manolis Stamatogiannakis <mstamat () ics forth gr>
Date: Wed, 08 Jun 2005 17:54:28 +0300

Hello again,
Now things seem to work :-)
I checked the bugs page and noticed this post:
https://bugs.honeynet.org/show_bug.cgi?id=134
I guess it refers to sebek2, but I installed the sources as described:

apt-get install kernel-source-`uname -r|sed -e 's/-.*//'` kernel-headers-`uname -r`


Then I compiled sebek3 as before. Only differences:
    1. I changed sbk_install.sh before compiling (but that doesn't
matter, does it?)
    2. I added '-f' to the insmods of the script.

Without the -f in insmods, I was getting:
Installing Sebek:
foobar.o: kernel-module version mismatch
    foobar.o was compiled for kernel version 2.4.27
    while this kernel is version 2.4.27-2-386.
  foobar.o install failed

Then I ran sbk_install.sh from the created sebek-linux-3.0.3-bin.tar. Sebek
gets installed (although the kernel gets tainted). Ethereal reads
packets without problem, although it seems unable to extract any
meaningful data from them (passwords, files etc). Perhaps (?) it decodes
them as sebek2 packets. I guess roo will be able to decode the packets.
Note that I tried sebek both with KEYSTROKE_ONLY=0 and KEYSTROKE_ONLY=1
without problems.

I wonder what the cause of my previous problems was... I'll try to
reproduce it and I'll submit a bug if I crash again.

Thanks again,
Manolis


Edward Balas wrote:


I would recommend you submit a bug report via:

https://bugs.honeynet.org/

In it please include:

The message that was barfed to the screen when
the kernel crashed, or an approximation if you can't
get at the data.

The configuration you used within sbk_install, no
need to provide the magic value or ip info, but did
you run keystrokes only, socket tracking, or testing.


If the kernel is crashing, there is a problem ;-)

Edward

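An added example that is not part of the thread and not Sebek's own code: it redoes the plain-text version comparison insmod reports in the error above, so an operator can tell a suffix-only mismatch such as 2.4.27 versus 2.4.27-2-386 from a real one and rebuild against the running kernel's headers instead of forcing the module in with -f. The function names and the use of 'foobar.o' are assumptions for the example; the sample error text is the one quoted in the message.

```shell
#!/bin/sh
# Added example (not from the thread or the Sebek project): redo the version
# check insmod applies, to classify a mismatch and fix it without `insmod -f`.
# Strip the distribution suffix: "2.4.27-2-386" -> "2.4.27"
# (the same sed expression as the apt-get line in the thread).
base_version() {
    printf '%s\n' "$1" | sed -e 's/-.*//'
}

# Compare the version a module was built for with the running kernel.
# Prints one of: exact | base-only | mismatch
compare_versions() {
    compiled=$1
    running=$2
    if [ "$compiled" = "$running" ]; then
        echo exact
    elif [ "$(base_version "$compiled")" = "$(base_version "$running")" ]; then
        echo base-only
    else
        echo mismatch
    fi
}

# Only an exact match is loaded as-is. "base-only" is the thread's case: right
# sources, built without the distro suffix; rebuild rather than force and taint.
recommend() {
    case "$(compare_versions "$1" "$2")" in
        exact)     echo "load" ;;
        base-only) echo "rebuild against kernel-headers-$2" ;;
        mismatch)  echo "refuse: install kernel-source-$(base_version "$2") and rebuild" ;;
    esac
}

# Pull both version strings out of insmod's mismatch message (read on stdin).
parse_insmod_error() {
    text=$(cat)
    compiled=$(printf '%s\n' "$text" |
        sed -n 's/.*compiled for kernel version \([^ ]*\).*/\1/p' | sed 's/\.$//')
    running=$(printf '%s\n' "$text" |
        sed -n 's/.*this kernel is version \([^ ]*\).*/\1/p' | sed 's/\.$//')
    [ -n "$compiled" ] && [ -n "$running" ] || return 1
    echo "$compiled $running"
}
# Constructed sample: the insmod output quoted in the thread.
SAMPLE_ERROR='foobar.o: kernel-module version mismatch
    foobar.o was compiled for kernel version 2.4.27
    while this kernel is version 2.4.27-2-386.'
versions=$(printf '%s\n' "$SAMPLE_ERROR" | parse_insmod_error)
echo "$versions -> $(recommend $versions)"   # unquoted: splits into two args
```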