Honeypots mailing list archives
RE: Problems capturing sebek win32 3.0.3 traffic on roo honeywall
From: "Michael A. Davis" <mike () datanerds net>
Date: Tue, 18 Oct 2005 19:20:53 -0500
Can you run tcpdump on roo and send me the pcap output? I cannot reproduce this in my testing here. Also, what version of roo? Is it 1.0hw189?

Thanks,

Michael A. Davis
Chief Executive Officer
Savid Technologies, Inc.
Main: 708.243.2850
http://www.savidtech.com

This email may contain confidential and privileged information for the sole use of the intended recipient. Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies of this message.
-----Original Message-----
From: Compton, Rich [mailto:RCompton () chartercom com]
Sent: Tuesday, October 18, 2005 4:39 PM
To: honeypots () securityfocus com
Subject: Problems capturing sebek win32 3.0.3 traffic on roo honeywall

Hello all,

I was wondering if you could help me out with a problem I'm having w/ the Sebek server running on a roo 1.0 honeywall (not the newest 1.0.189 version). I have installed the win32 3.0.3 client and specified a destination IP of 6.6.6.6 and a UDP port of 666. I'm running the sebek server w/ the command:

/usr/bin/perl /usr/sbin/sebekd.pl -U hflow -W honey -p 666 -i eth1 -l /var/run/sebek-pipe -I <my honeywall management ip>

When I look at my log in /var/log/sebekd I see the following:

malformed sebek record: data length=34 packet caplen=166
malformed sebek record: data length=36 packet caplen=170
malformed sebek record: data length=2 packet caplen=102
malformed sebek record: data length=47 packet caplen=192
malformed sebek record: data length=40 packet caplen=178
malformed sebek record: data length=2 packet caplen=102
malformed sebek record: data length=41 packet caplen=180
malformed sebek record: data length=2 packet caplen=102
malformed sebek record: data length=49 packet caplen=196
malformed sebek record: data length=2 packet caplen=102
malformed sebek record: data length=51 packet caplen=200
malformed sebek record: data length=2 packet caplen=102
malformed sebek record: data length=48 packet caplen=194

I see traffic being generated from my honeypot when I execute commands. I don't see any data in the database either. Any help you could provide would be greatly appreciated.

Thank you,

Richard Compton
Network Security Supervisor
Charter Communications
12405 Powerscourt Drive
St. Louis, MO 63131
W: 314-543-2506
C: 314-568-2876
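
A triage sketch for the log excerpt in the report above, added as an example here; it is not code from either poster or from the Sebek project. It parses the `malformed sebek record` lines and checks whether every captured length equals one fixed overhead plus a constant multiple of the logged data length; the function names `parse_records` and `fit_overhead` are hypothetical.

```python
import re

# Log lines copied verbatim from the report quoted above.
SAMPLE_LOG = """\
malformed sebek record: data length=34 packet caplen=166
malformed sebek record: data length=36 packet caplen=170
malformed sebek record: data length=2 packet caplen=102
malformed sebek record: data length=47 packet caplen=192
malformed sebek record: data length=40 packet caplen=178
malformed sebek record: data length=2 packet caplen=102
malformed sebek record: data length=41 packet caplen=180
malformed sebek record: data length=2 packet caplen=102
malformed sebek record: data length=49 packet caplen=196
malformed sebek record: data length=2 packet caplen=102
malformed sebek record: data length=51 packet caplen=200
malformed sebek record: data length=2 packet caplen=102
malformed sebek record: data length=48 packet caplen=194
"""

LINE_RE = re.compile(
    r"malformed sebek record: data length=(\d+) packet caplen=(\d+)")


def parse_records(log_text):
    """Return (data_length, caplen) pairs for every malformed-record line."""
    return [(int(m.group(1)), int(m.group(2)))
            for m in LINE_RE.finditer(log_text)]


def fit_overhead(records, max_factor=4):
    """Find (factor, overhead) such that, for every record,
    caplen == overhead + factor * data_length.
    Returns None when no single pair fits all records."""
    if not records:
        return None
    for factor in range(1, max_factor + 1):
        overheads = {cap - factor * length for length, cap in records}
        if len(overheads) == 1:
            return factor, overheads.pop()
    return None


if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG)
    print(len(records), "records; fit:", fit_overhead(records))
```

A single (factor, overhead) pair that holds across all records indicates a systematic length mismatch between what the record header declares and what is on the wire, rather than random truncation or packet loss.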