Version 10 (modified by rmcmillen, 9 years ago)


The purpose of this document is to capture the steps required to build and install the Sebek client on an up-to-date Ubuntu 7.10 Server. To accomplish this, we will use VMware and the latest Sebek client from the Honeynet Project's svn repository.

Configuring VMware

1. Let's start by creating a new virtual machine.

Create new virtual machine

2. Select Linux as the Operating System and Other Linux 2.6.x kernel as the version.

Choose Operating System

3. Change the name and location of the virtual machine as required.

VM Name and Location

4. Allocate enough space for the services you want to deploy. For the purposes of this document, 8 GB will be more than enough.

Virtual Hard Disk Size

5. Select the installation media.

VM Configuration Finish

6. Next, the OS installation should start inside the new virtual machine.

Installing Ubuntu

1. Select Install to the hard disk.

Ubuntu Splash Screen

2. Choose language. We will choose English.

3. Choose country. We will choose United States.

4. Since I know my keyboard layout, I will skip automatic detection.

  1. Select origin of the keyboard. We will choose U.S. English.
  2. Select the keyboard layout (if the origin offers more than one). We will choose U.S. English - Macintosh.

5. Configure hostname.

6. Partition disks. We will choose Guided - use entire disk.

7. Select disk to partition.

8. Write partitions to disk.

9. Select time zone. We will choose Eastern.

10. Set system clock to UTC.

11. Add user information.

  1. Full name for the new user.
  2. Username.
  3. Choose a password and verify it.

12. The base system should start installing. This may take a while depending on the speed/load of your VMware Host.

13. Software selection. We will choose LAMP server and OpenSSH server.

Updating Ubuntu

1. Log onto the system.

2. At the command prompt,

sudo apt-get update
sudo apt-get upgrade
sudo reboot

Install required packages

sudo apt-get install subversion
sudo apt-get install make gcc automake autoconf libc6-dev patch linux-headers-server

Getting the latest Sebek code

NOTE: This section requires a username and password. You can get these credentials by registering on the Sebek site: https://projects.honeynet.org/sebek/register

svn co --username <sebek site username> https://projects.honeynet.org/svn/sebek/linux-2.6/trunk sebek

Building Sebek

NOTE: The trunk does not currently support raw socket replacement.

cd sebek
./configure --disable-raw-socket-replacement
make

The result should be a compressed archive containing the Sebek binary and configuration files (sebek-lin26-3.2.0b-bin.tar.gz). Ideally, you would build this on a separate development system and move the resulting archive to the honeypot for installation. For the purposes of this document, we will simply move the archive to our user's home directory.

Build results

Installing Sebek

1. Copy the compressed archive (sebek-lin26-3.2.0b-bin.tar.gz) to the honeypot. For the purposes of this document, we will move the compressed archive to /tmp.

mv sebek-lin26-3.2.0b-bin.tar.gz /tmp
cd /tmp
tar zxf sebek-lin26-3.2.0b-bin.tar.gz
cd sebek-lin26-3.2.0b-bin

2. Edit the sbk_install.sh script as required.

#!/bin/sh
#------------------------------------------------------------------------------
#----- SEBEK LINUX CLIENT INSTALL SCRIPT --------------------------------------
#------------------------------------------------------------------------------


#------------------------------------------------------------------------------
#-----  USER CONFIGURABLE OPTIONS  --------------------------------------------
#----- NOTE: YOU MUST SPECIFY A MAGIC VALUE AND DESTINATION PORT
#------------------------------------------------------------------------------


#----- FILTER:
#-----
#----- File that contains the collection filter
#-----
FILTER="./filter.txt"


#----- INTERFACE:
#-----
#----- Identifies the interface from which Sebek will log
#----- This does not need to be an interface that has a
#----- configured IP address.
#-----
INTERFACE="eth0"

#----- DESTINATION_IP:
#-----
#----- sets destination IP for sebek packets
#-----
#----- If the collector is on the LAN, this value can be any address.
#-----
DESTINATION_IP="10.0.0.1"


#----- DESTINATION_MAC:
#-----
#----- sets destination MAC addr for sebek packets
#-----
#----- If the collector is running on the LAN, use the MAC from
#----- the collector's NIC.
#-----
#----- If the collector is multiple hops away, set this to the MAC
#----- of the Default Gateway's NIC
#-----
DESTINATION_MAC="FF:FF:FF:FF:FF:FF"


#----- SOURCE_PORT:
#-----
#----- defines the source udp port sebek sends from
#-----
#----- If multiple sebek hosts are behind NAT the source port
#----- is one way of distinguishing the hosts
#-----
#----- Range:  1      to  65535
#----- Range:  0x0001 to  0xffff
#-----
SOURCE_PORT=1101


#----- DESTINATION_PORT:
#-----
#----- defines the destination udp port sebek sends to
#-----
#----- ALL HONEYPOTS that belong to the same group  NEED
#----- to use the SAME value for this.
#-----
#----- Range:  1      to  65535
#----- Range:  0x0001 to  0xffff
#-----
DESTINATION_PORT=


#----- MAGIC_VAL
#-----
#----- defines the magic value in the sebek record; it is
#----- used along with the Destination Port to identify
#----- packets to hide from userspace on this host. It is
#----- an unsigned 32 bit integer.
#-----
#-----  ALL HONEYPOTS that belong to the same group  NEED
#----- to use the SAME value for this.
#-----
#----- Range 1          to  4.29497 billion
#----- Range 0x00000001 to  0xffffffff
#-----
MAGIC_VAL=1111


#----- KEYSTROKE_ONLY:
#-----
#----- controls if we only collect keystrokes, in this case anything that
#----- has a read length of 1. This is a binary option.
#-----
#----- if set to 1: will only collect keystrokes
#----- if set to 0: will collect ALL read data
#-----
KEYSTROKE_ONLY=1



#----- SOCKET_TRACKING:
#-----
#----- Controls if we also collect information on network connections
#----- This is a binary flag.
#-----
#----- if set to 1: will track socket connections
#----- if set to 0: will not track sockets
#-----
SOCKET_TRACKING=1


#----- WRITE_TRACKING:
#-----
#----- Experimental feature.  For now, its use is not recommended.
#----- We have observed stability problems.
#-----
#----- if set to 1: will record ALL write activity
#----- if set to 0: will not record write activity
WRITE_TRACKING=0


#----- TESTING:
#-----
#----- Used to make the module hidden
#-----
#----- if set to 1: kernel module in testing mode (stays visible)
#----- if set to 0: kernel module will hide itself
#-----
TESTING=1


#----- MODULE NAME:
#-----
#----- Used to control the name of the module, this should NOT be set to sebek
#-----
#----- if set this defines the name, if not a random name is selected
#-----
#-----  example MODULE_NAME="foobar.ko"
#-----
MODULE_NAME=


#------------------------------------------------------------------------------
#----- !! END OF USER CONFIGURABLE OPTIONS !!----------------------------------
#------------------------------------------------------------------------------


#----- source parameters (module parameter names, random module name) -----
. ./parameters.sh


#------------------------------------------------------------------------------
echo "Installing Sebek:"


#----- An empty value would make "[ -eq 0 ]" fail with a syntax error instead
#----- of reporting the problem, so test for empty and for zero separately.
if [ -z "$DESTINATION_PORT" ] || [ "$DESTINATION_PORT" = "0" ] ; then
    echo "     ERROR:  Undefined Destination Port"
    exit 1
fi

if [ -z "$MAGIC_VAL" ] || [ "$MAGIC_VAL" = "0" ] ; then
    echo "     ERROR:  Undefined Magic Value"
    exit 1
fi


#----- fall back to the random module name from parameters.sh
if [ -z "$MODULE_NAME" ] ; then
    MODULE_NAME=${RAND_MOD_NAME}
fi


#----- compile the collection filter, if one was configured
if [ -n "$FILTER" ]; then
    export LANG=POSIX
    ./compile_filter.pl -i "${FILTER}" -o ./filter.of
    RETVAL=$?

    if [ $RETVAL -ne 0 ] ; then
        echo "  unable to compile filter"
        exit 1
    fi

    FILTER="./filter.of"
fi



cp sbk.ko "${MODULE_NAME}"

#----- the *_PARM variables are the module parameter names from parameters.sh
/sbin/insmod "${MODULE_NAME}" ${DIP_PARM}=${DESTINATION_IP} \
                              ${DMAC_PARM}=${DESTINATION_MAC} \
                              ${DPORT_PARM}=${DESTINATION_PORT} \
                              ${SPORT_PARM}=${SOURCE_PORT} \
                              ${INT_PARM}=${INTERFACE} \
                              ${KSO_PARM}=${KEYSTROKE_ONLY} \
                              ${ST_PARM}=${SOCKET_TRACKING} \
                              ${WT_PARM}=${WRITE_TRACKING} \
                              ${MAGIC_PARM}=${MAGIC_VAL} \
                              ${FILTER_PARAM}=${FILTER} \
                              ${TESTING_PARM}=${TESTING}
RETVAL=$?

if [ $RETVAL -eq 0 ] ; then
    #----- sebek module install succeeded
    echo "  ${MODULE_NAME} installed successfully"

else
    #----- install of the sebek module failed.
    echo "  ${MODULE_NAME} install failed"
    exit 1

fi

At a minimum, set DESTINATION_PORT: the module will not load if it is left empty. Another variable to consider is TESTING. If you leave TESTING=1, you will be able to see the module once it is loaded. If you change TESTING=1 to TESTING=0, the module will hide itself.
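Because sbk_install.sh only rejects an empty DESTINATION_PORT or MAGIC_VAL, it is worth checking the whole set of user-configurable options before loading a kernel module on the honeypot. The script below is an added example, not part of the Sebek distribution or of sbk_install.sh. It uses the same variable names as the install script and goes a little beyond the page's own check: it enforces the ranges stated in the script's comments (ports 1..65535, MAGIC_VAL 1..4294967295, binary flags 0 or 1, MODULE_NAME not containing "sebek"), accepts both the decimal and the 0x hex forms the comments allow, and warns when DESTINATION_MAC is still the broadcast default that the comments say to replace with the collector's or gateway's MAC. The configuration values at the bottom are constructed samples, not the page's values.

```shell
#!/bin/sh
# Added example, not part of the Sebek distribution or of sbk_install.sh:
# pre-flight checks for the user-configurable options, meant to run before
# the module is loaded.  Ranges follow the install script's comments.

# to_int VALUE: print VALUE as a decimal integer if it is a decimal or a
# 0x-prefixed hex number (both forms the script's comments allow), else fail.
to_int() {
    v=$1
    case "$v" in
        '') return 1 ;;
        0[xX]*)
            case "${v#0[xX]}" in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        *[!0-9]*) return 1 ;;
        *)
            # strip leading zeros so "0101" is read as decimal, not octal
            while [ "${#v}" -gt 1 ] && [ "${v#0}" != "$v" ]; do v=${v#0}; done ;;
    esac
    echo $(( $v ))
}

# in_range VALUE MIN MAX: VALUE parses as a number within [MIN, MAX]
in_range() {
    n=$(to_int "$1") || return 1
    [ "$n" -ge "$2" ] && [ "$n" -le "$3" ]
}

# UDP ports are 16-bit: 1..65535 (the "655536" in the script's comments is a typo)
check_port()  { in_range "$1" 1 65535; }
# MAGIC_VAL is an unsigned 32-bit integer and must not be zero
check_magic() { in_range "$1" 1 4294967295; }
# the binary options accept only 0 or 1
check_flag()  { [ "$1" = 0 ] || [ "$1" = 1 ]; }

# check_mac VALUE: six colon-separated hex octets
check_mac() {
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# is_broadcast_mac VALUE: true for the script's default FF:FF:FF:FF:FF:FF,
# which the comments say to replace with the collector's or gateway's MAC
is_broadcast_mac() {
    [ "$(printf '%s' "$1" | tr a-f A-F)" = "FF:FF:FF:FF:FF:FF" ]
}

# check_module_name VALUE: empty is fine (the script then picks a random
# name); the script says it must not be "sebek", so reject any name
# containing that string in any case
check_module_name() {
    case "$1" in
        '') return 0 ;;
        *[sS][eE][bB][eE][kK]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_sebek_config: validate the variables as currently set, print one line
# per problem and return 1 if any was found.  Warnings do not change the result.
check_sebek_config() {
    rc=0
    check_port "$DESTINATION_PORT"   || { echo "ERROR: DESTINATION_PORT must be 1..65535 (got '$DESTINATION_PORT')"; rc=1; }
    check_port "$SOURCE_PORT"        || { echo "ERROR: SOURCE_PORT must be 1..65535 (got '$SOURCE_PORT')"; rc=1; }
    check_magic "$MAGIC_VAL"         || { echo "ERROR: MAGIC_VAL must be 1..4294967295 (got '$MAGIC_VAL')"; rc=1; }
    check_mac "$DESTINATION_MAC"     || { echo "ERROR: DESTINATION_MAC is not a MAC address (got '$DESTINATION_MAC')"; rc=1; }
    check_module_name "$MODULE_NAME" || { echo "ERROR: MODULE_NAME must not contain 'sebek' (got '$MODULE_NAME')"; rc=1; }
    for f in KEYSTROKE_ONLY SOCKET_TRACKING WRITE_TRACKING TESTING; do
        eval "val=\$$f"
        check_flag "$val" || { echo "ERROR: $f must be 0 or 1 (got '$val')"; rc=1; }
    done
    if is_broadcast_mac "$DESTINATION_MAC"; then
        echo "WARNING: DESTINATION_MAC is still the broadcast address; use the collector's or gateway's MAC"
    fi
    if [ "$TESTING" = 1 ]; then
        echo "NOTE: TESTING=1, so the module will stay visible after loading"
    fi
    return $rc
}

# Constructed sample configuration (placeholders, not the page's values)
DESTINATION_MAC="00:0c:29:12:34:56"   # placeholder collector MAC
SOURCE_PORT=1101
DESTINATION_PORT=1101
MAGIC_VAL=0xdeadbeef
KEYSTROKE_ONLY=1
SOCKET_TRACKING=1
WRITE_TRACKING=0
TESTING=1
MODULE_NAME=

check_sebek_config && echo "configuration looks sane"
```

To use it against a real sbk_install.sh, replace the sample block at the bottom with the values from your own copy of the script (or source the option section of the script) and run it before `sudo ./sbk_install.sh`; a non-zero exit means at least one option is outside the ranges the script documents.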

3. Load the module.

sudo ./sbk_install.sh

Properly loaded module
