Honeypots mailing list archives

Walleye not displaying Sebek3 data


From: Cindy Jenkins <cj () u washington edu>
Date: Thu, 31 Aug 2006 13:40:37 -0700

Well, since I posted this question, I have still had no luck solving this issue. Does anyone have Sebek3 under Walleye functioning correctly?

I have discovered how to manually wipe the Walleye database to clear the sensor data, and can manually extract the data from the walleye_0_3/sys_read/data element. But this is highly time consuming and not the best method to fish out the Sebek data when I need to do forensics on a host.

I can use the Sebek viewer and logger perl scripts to see the data live on the screen, as well as use tcpdump to see it; both tools show the Sebek keystrokes with no issue. I can then go to the walleye_0_3 mysql db and pull the data out to a file and see it there as well. So I know the clients are communicating and Sebek is storing the data in the db. But Walleye will not show the Sebek data at all. It shows on the main screens that clients are "sebekd". But when I go into the process list it shows the top level PID and command name, like cmd.exe, but does not show any read details, such as what was typed in the cmd window.

I am ready to throw in the towel on the web interface and cobble up something using perl and mysql to manually extract the data. Which seems a horrible waste of time and effort, since I had thought Walleye was supposed to do this? So before I go to the effort of coding a solution, does anybody have suggestions on why Walleye does not display the data?

--CJ

---Previous message ----------------
On Aug 16, 2006, at 1:01 PM, Cindy Jenkins wrote:
Hello all,

I have been trying to track the issue down and cannot find any information on this problem online.

Environment:
Hwall server ROO hw1.0-189
Honeypots: FC3 2.6, Win2KPro, WinXP, Mac OS X
Syslog server: FC3 log server
Software: Sebek 3.03l server and clients, 2.6 kernel on FC3 client

Problem: Walleye not showing read details for sebek data

Situation:
I can see the sebek traffic arriving on the Hwall server using the sbk_ks_log.pl or viewer scripts. So I know the clients are sending traffic. I can also see that the mysql files for sys_read, sys_open, and process all update file sizes and date stamps when I send data over from a client. I presume this means the database is recording the data.

The variables we have in honeywall.conf for Sebek are below. Are they correct? Do I need to define the HwSEBEK_DST_IP on the Hwall to be the IP number for the command interface? eth2 is our ssh/walleye line; eth0 and eth1 make up the br0 bridge for the honeypots. Neither eth0 nor eth1 has an IP assigned.

HwSEBEK_DST_IP=192.168.1.34
HwSEBEK_LOG=yes
HwSEBEK_FATE=ACCEPT
HwSEBEK_log=yes
HwSEBEK_DST_PORT=7701
HwSEBEK=yes

I can see Sebek traffic in Walleye, including process lists, but there are no details, like the keystrokes we type in. The viewer and ks_log scripts, when run manually, show the keystrokes, but they are not in Walleye. I can see traffic flowing via tcpdump as well. I have checked the log files for errors and do not find anything reporting on file permissions or anything like that. So, any ideas?

I have read all the KYE papers on the theory and implementation of Sebek, but I can't find any hard data on the installation and setup. And there is no troubleshooting data on this problem, at least that I can locate.

Thanks!
CJ
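Added example, not part of the thread above: the poster says the sbk_ks_log.pl/viewer scripts and tcpdump show the keystrokes arriving on UDP port 7701 (HwSEBEK_DST_PORT), while Walleye does not render the sys_read details. A quick way to check what the honeypots are actually sending, independently of both the Honeywall scripts and the walleye_0_3 database, is to decode the raw Sebek records yourself. The parser below is my own code, written against the Sebek v3 record header as I recall it from the client's sebek.h (a 56-byte big-endian header: magic, version, type, counter, time_sec, time_usec, parent_pid, pid, uid, fd, inode, 12-byte command name, data length, followed by `length` bytes of data; type 0 = read, 1 = write, 2 = socket, 3 = open). Verify that layout against your own Sebek 3.03 source before relying on it. The magic value is whatever was configured when the client was built, so the value used here is an assumption, and the sample records are constructed inline for the demonstration.

```python
import struct
from collections import defaultdict

# Sebek v3 record header as I recall it from the client's sebek.h.
# ASSUMPTION: check against your own sebek.h. All fields are network (big-endian) order.
SBK_HEADER = struct.Struct("!IHHIIIIIIII12sI")   # 56 bytes
SBK_HEADER_LEN = SBK_HEADER.size
SBK_READ, SBK_WRITE, SBK_SOCK, SBK_OPEN = 0, 1, 2, 3

# The magic is chosen at client install time; this is a made-up value for the demo.
MAGIC = 0xD0D0D0D0


def parse_sebek_records(buf, magic, version=3):
    """Walk a byte string of back-to-back Sebek records (e.g. the UDP payloads
    captured on the Sebek port, concatenated). Returns (records, errors).
    Parsing stops at the first record whose magic/version does not match or
    whose declared data length runs past the end of the buffer, so a sensor
    misconfiguration shows up as an error entry instead of garbage records."""
    records, errors, off = [], [], 0
    while off + SBK_HEADER_LEN <= len(buf):
        (m, ver, typ, counter, tsec, tusec, ppid, pid, uid, fd,
         inode, com, length) = SBK_HEADER.unpack_from(buf, off)
        if m != magic or ver != version:
            errors.append(("bad header", off))
            break
        start, end = off + SBK_HEADER_LEN, off + SBK_HEADER_LEN + length
        if end > len(buf):
            errors.append(("truncated", off))
            break
        records.append({
            "type": typ, "counter": counter, "time": tsec + tusec / 1e6,
            "ppid": ppid, "pid": pid, "uid": uid, "fd": fd, "inode": inode,
            # com is NUL-padded to 12 bytes (e.g. "bash", "cmd.exe")
            "com": com.split(b"\0", 1)[0].decode("latin-1"),
            "data": buf[start:end],
        })
        off = end
    return records, errors


def keystrokes_by_pid(records):
    """Reassemble the sys_read data per (pid, command), which is what the
    Walleye process view is expected to show as read details.
    latin-1 keeps every byte (control characters included) recoverable."""
    out = defaultdict(str)
    for r in records:
        if r["type"] == SBK_READ:
            out[(r["pid"], r["com"])] += r["data"].decode("latin-1")
    return dict(out)


def build_record(typ, pid, com, data, magic=MAGIC, ppid=1, uid=0, fd=0,
                 inode=0, counter=0, tsec=1157056837, tusec=0):
    """Pack one Sebek v3 record; used only to construct the sample below."""
    return SBK_HEADER.pack(magic, 3, typ, counter, tsec, tusec, ppid, pid,
                           uid, fd, inode, com.encode(), len(data)) + data


# Constructed sample: a Linux bash session and a Windows cmd.exe session,
# followed by a header whose declared length exceeds the bytes present
# (simulating a packet cut short in capture).
TRUNCATED = SBK_HEADER.pack(MAGIC, 3, SBK_READ, 9, 0, 0, 1, 7, 0, 0, 0,
                            b"bash", 100) + b"only-10-by"
SAMPLE = (build_record(SBK_READ, 1234, "bash", b"ls -l")
          + build_record(SBK_WRITE, 1234, "bash", b"ls -l")
          + build_record(SBK_READ, 1234, "bash", b"a\n")
          + build_record(SBK_READ, 999, "cmd.exe", b"dir\r\n")
          + TRUNCATED)


def demo():
    records, errors = parse_sebek_records(SAMPLE, MAGIC)
    return keystrokes_by_pid(records), errors


if __name__ == "__main__":
    keys, errs = demo()
    for (pid, com), text in keys.items():
        print(f"pid={pid} com={com}: {text!r}")
    for err in errs:
        print("parse error:", err)
```

To run this against live traffic, feed it the UDP payloads arriving on the port set in HwSEBEK_DST_PORT (each Sebek packet carries one record); if the per-PID keystrokes come out here but not in Walleye, the problem is on the Walleye side of the walleye_0_3 database, not in what the clients send.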