Ticket #44 (new defect)

Opened 11 years ago

Last modified 11 years ago

Windows sebek client does not integrate with Walleye

Reported by: bjou Owned by: [email protected]
Priority: major Milestone: roo-1.4
Component: Walleye Version: 1.4b3
Keywords: Cc:

Description

The Windows Sebek client does not integrate with Walleye. I am on XP SP3, fully patched. What I do get in Walleye is only the UDP Sebek data flow to port 1101, listed as a normal connection initiated from the honeypot. No tree views or the like. See the attached screenshot. Latest Walleye and latest sebek4win, only a few days old: Sebek-Win32-3.0.4

Attachments

walleye2.JPG (74.8 KB) - added by bjou 11 years ago.

Change History

Changed 11 years ago by bjou

Changed 11 years ago by bjou

Hey guys,

Another bug in Sebek: although Sebek data from Windows does not integrate with Walleye (see Ticket #44), I can view keystrokes live using "sbk_extract -i eth1 -p1101 | sbk_ks_log.pl" on the gateway. Output: x.x.x.249 2008/06/11 15:29:50 record 173 received 1 lost 0 (0.00 percent) [2008-06-11 15:29:52 Host:x.x.x.249 UID:0 PID:1604 FD:0 INO:0 COM:cmd.exe ]#Microsoft Windows XP [Version 5.1.2600] =====[and so on, listing the keystrokes]=====

The Linux Sebek version (Linux 2.6 Client 3.2.0b with filtering) only gives me the introduction line:

x.x.x.250 2008/06/11 15:39:15 record 684 received 14 lost 0 (0.00 percent)

but no keystrokes for live monitoring...

-best regards, bjoern
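Added example (not part of the ticket and not code from the Sebek or Walleye projects): a small parser for the two line shapes sbk_ks_log.pl prints in the comment above, which flags a sensor that reports received records but yields no keystroke lines, i.e. the symptom described for the Linux client. The sample input is constructed from the two outputs quoted above, with placeholder hosts, and split into the separate lines the tool emits.

```python
import re

# Summary line: "<host> <date> <time> record N received N lost N (P percent)"
SUMMARY_RE = re.compile(
    r"^(?P<host>\S+) (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) record (?P<record>\d+) "
    r"received (?P<received>\d+) lost (?P<lost>\d+) \((?P<pct>[\d.]+) percent\)$"
)
# Record header: "[<date> <time> Host:<h> UID:<n> PID:<n> FD:<n> INO:<n> COM:<cmd> ]"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\S+ \S+) Host:(?P<host>\S+) UID:(?P<uid>\d+) PID:(?P<pid>\d+) "
    r"FD:(?P<fd>\d+) INO:(?P<ino>\d+) COM:(?P<com>\S+) \]$"
)

# Constructed sample modelled on the ticket's quoted output (hosts are placeholders).
SAMPLE = """\
x.x.x.249 2008/06/11 15:29:50 record 173 received 1 lost 0 (0.00 percent)
[2008-06-11 15:29:52 Host:x.x.x.249 UID:0 PID:1604 FD:0 INO:0 COM:cmd.exe ]
#Microsoft Windows XP [Version 5.1.2600]
x.x.x.250 2008/06/11 15:39:15 record 684 received 14 lost 0 (0.00 percent)
"""


def _new_host():
    return {"received": 0, "lost": 0, "keystroke_lines": 0, "commands": set()}


def parse_ks_log(text):
    """Aggregate sbk_ks_log.pl style output per sensor host."""
    hosts = {}
    current = None  # host whose keystroke block we are inside, if any
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            h = hosts.setdefault(m["host"], _new_host())
            h["received"] += int(m["received"])
            h["lost"] += int(m["lost"])
            current = None
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m["host"]
            hosts.setdefault(current, _new_host())["commands"].add(m["com"])
            continue
        if current is not None and line.strip():
            hosts[current]["keystroke_lines"] += 1  # data following a header
    return hosts


def silent_hosts(hosts):
    """Hosts that delivered records but produced no keystroke lines at all."""
    return sorted(h for h, v in hosts.items()
                  if v["received"] > 0 and v["keystroke_lines"] == 0)
```

Running `silent_hosts(parse_ks_log(SAMPLE))` on the sample names only the second host, which matches the Linux client behaviour reported above.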

Changed 11 years ago by bjou

Just an idea: could it be that in the newest Sebek version (released for Linux) something (e.g. the data format) changed, so that it integrates perfectly with Walleye, but these changes have not yet been reflected in sbk_extract when piping its output to sbk_ks_log.pl? That would explain why the output of the Windows Sebek version (which seems to be older) can be viewed perfectly using sbk_extract and sbk_ks_log.pl, but not using Walleye...
