Honeypots mailing list archives
Re: Semantics of command_id, process_id, process_to_com, process_tree
From: "Frank S Posluszny, III" <fsp () mitre org>
Date: Wed, 28 Jun 2006 15:31:11 -0400
troy d. straszheim said the following on 6/23/2006 4:53 PM:
> ...
> I was under the impression that process_id as it appears in the database is strictly internal to the database, not the pid of the process on the host:
> ...

You're right. The process_id is assigned on the honeywall by the sebekd.pl script (iirc), which determines if the data it is seeing is associated with a new process.

So here's what I'm guessing is happening with your process_id with no name... A sebek packet comes in and it contains a pid that has not been seen before, so a new process_id is associated with it and appropriate entries are made in the command_id table. During this processing, the ppid is identified as being a new process, and so a new process_id is associated with it. However, there is no command name in the sebek packet for the ppid, so no command_id entry is created.

Does that make sense?

-Frank
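Added example, not sebekd.pl's own code: a small Python model of the bookkeeping Frank describes (internal process_id assignment, the command_id table, and the process tree). It shows how the ppid gets an internal process_id with no command name, and that the name is filled in only once a packet carrying the parent's own command arrives. The record fields, table names and sample packets are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SebekRecord:
    """One sebek packet, reduced to the fields that matter here (constructed)."""
    host_pid: int
    host_ppid: int
    command: Optional[str]  # None models a packet carrying no command name


@dataclass
class ProcessStore:
    """Models the honeywall-side tables: process_id is internal, never the host pid."""
    process_id_by_pid: Dict[int, int] = field(default_factory=dict)  # host pid -> internal id
    process_tree: Dict[int, int] = field(default_factory=dict)       # child id -> parent id
    command_id: Dict[int, str] = field(default_factory=dict)         # internal id -> command
    next_id: int = 1

    def _intern(self, host_pid: int) -> int:
        # A pid never seen before gets a fresh internal process_id.
        if host_pid not in self.process_id_by_pid:
            self.process_id_by_pid[host_pid] = self.next_id
            self.next_id += 1
        return self.process_id_by_pid[host_pid]

    def ingest(self, rec: SebekRecord) -> int:
        proc = self._intern(rec.host_pid)
        if rec.command is not None:
            self.command_id[proc] = rec.command  # command_id entry only if a name is present
        # The ppid is interned too, but this packet carries no name for it,
        # so the parent gets a process_id and no command_id entry.
        parent = self._intern(rec.host_ppid)
        self.process_tree[proc] = parent
        return proc

    def nameless_processes(self) -> List[int]:
        """Internal process_ids that exist in the tree but have no command name."""
        return sorted(p for p in self.process_id_by_pid.values() if p not in self.command_id)


def demo() -> ProcessStore:
    store = ProcessStore()
    # Constructed stream: a shell and a child command, whose parent (pid 1000) has
    # not yet sent a packet of its own, then finally the parent's packet.
    store.ingest(SebekRecord(host_pid=1042, host_ppid=1000, command="bash"))
    store.ingest(SebekRecord(host_pid=1077, host_ppid=1042, command="ls"))
    assert store.nameless_processes() == [2]  # pid 1000's internal id, still nameless
    store.ingest(SebekRecord(host_pid=1000, host_ppid=1, command="sshd"))
    return store
```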