###############################################################################
#                                                                             #
#   sbk_viewer.pl: Sebek Linux server (3.0.3) write patch display tool        #
#                                                                             #
#   Raul Siles                                                                #
#   raul@raulsiles.com                                                        #
#                                                                             #
###############################################################################

#######################
#                     #
#  Version: 0.9       #
#  Date: July 2005    #
#                     #
#######################

Intro:

"sbk_viewer.pl" is the tool that displays the information collected by the
Sebek "write" patch. Acting as a video camera, it lets you watch the whole
attacker's session, including what the attacker typed in the Honeypot and the
response received. It must be installed on the Honeywall or on the Sebek
server. All the Sebek "write" functionality from the user's perspective is
provided by this tool.

Requirements:

The "sbk_viewer.pl" tool requires the Sebek "write" patch to be applied on the
Sebek clients (Honeypots). The tool also requires the Sebek server
"sbk_extract" tool.

The Sebek "write" patch is available for the Sebek Linux (3.0.3) clients
(Linux 2.4). The Sebek "write" patch functionality is also available by
default in the official Sebek Linux 2.6 clients (3.1.2b).

Install:

See the "README_sebekd-3.0.3_write.txt" file.

Usage:

"sbk_viewer.pl" understands the Sebek binary format produced by the
"sbk_extract" tool, so it is normally run on the output of "sbk_extract"
through a pipe.

Usage examples:

1) By default, when the tool is run without command line options, it only
   displays information from the READ and WRITE system calls related to the
   user typing. A record is displayed when:

   - READ: the amount of data read is <= 100 chars
   - WRITE: the file descriptor is 0, 1 or 2 (stdin, stdout, stderr) and the
     length is > 1 (so the keystrokes already shown as READs are not
     repeated by their one-byte echo)
   - The OPEN and SOCKET syscalls are not monitored by default

   Example 1:

   # ./sbk_extract -i eth0 -p 1111 | ./sbk_viewer.pl

2) Verbose option (-v):

   This option displays more verbose information (timestamp, IP, UID,
   PID...) for the READ and WRITE syscalls. The OPEN and SOCKET syscalls are
   still not monitored by this option.
   NOTE: In verbose mode the encrypted data exchanged by SSH sessions is
   also displayed, as garbage. This frequently hangs the terminal because of
   the escape sequences it contains. Normal terminal operation can be
   restored by resetting the terminal (for example with the "reset" command).

   Example 2:

   # ./sbk_extract -i eth0 -p 1111 | ./sbk_viewer.pl -v

3) Ultra verbose option (-V):

   This option keeps the default (non-verbose) output for the READ and WRITE
   syscalls and adds verbose information for the OPEN and SOCKET syscalls.

   NOTE: This is the only option that retrieves OPEN and SOCKET syscall data.

   Example 3:

   # ./sbk_extract -i eth0 -p 1111 | ./sbk_viewer.pl -V

4) Multiple verbose options (-v & -V):

   Combining both verbose options, the tool provides verbose information for
   the READ, WRITE, OPEN and SOCKET syscalls.

   NOTE: This option provides the maximum amount of information!!

   Example 4:

   # ./sbk_extract -i eth0 -p 1111 | ./sbk_viewer.pl -v -V

Usage recommendation:

The statistical information printed by "sbk_extract" can be removed by
redirecting its standard error (stderr) to another file, or discarding it:

# ./sbk_extract -i eth0 -p 1111 2>/dev/null | ...

Filters:

The amount of information generated by "sbk_viewer.pl" can be very large.
The tool provides several filter options to reduce the output. The options
are listed by the "-h" (help) option:

# ./sbk_viewer.pl -h

./sbk_viewer.pl (version: 0.9)

Usage: ./sbk_viewer.pl [-hvV] [-t type] [-p pid] [-c command]

  -h           This screen!
  -v           Verbose information (Timestamp, IP, UID, PID...) for READ and
               WRITE syscalls only
  -V           Verbose information (Timestamp, IP, UID, PID...) for SOCKET
               and OPEN syscalls only
  -t type      Filter by SYSCALL type: 0 (READ) or 1 (WRITE) only!
  -p pid       Filter by PID/PPID (Ex.- use a "bash" shell PID)
  -c command   Filter by COMMAND (Ex.- "bash")

System call codes:

  - read   (0)
  - write  (1)
  - socket (2)
  - open   (3)

Filters usage recommendations:

It is recommended to initially use the verbose (-v) option in order to
identify the PID of the shell used by the attacker, such as "bash" (look at
the "COM:" column):

# ./sbk_extract -i eth0 -p 1111 | ./sbk_viewer.pl -v

Once identified, run the tool in a different window filtering by the process
ID (PID and PPID), to focus only on the READ and WRITE syscalls associated
with that shell. The PID can be read from the "PID:" column.

# ./sbk_extract -i eth0 -p 1111 | ./sbk_viewer.pl -p 1992

A similar procedure applies to the other filtering mechanisms, such as
filtering by syscall type or by command string:

# ./sbk_extract -i eth0 -p 1111 | ./sbk_viewer.pl -t 0     (READ syscalls)

or

# ./sbk_extract -i eth0 -p 1111 | ./sbk_viewer.pl -c ls    ("ls" commands)

NOTE: Inside a shell, the "ls" command produces the output (WRITE) but the
input is read by the shell ("bash") itself (READ). So if you filter by
command name you will only get the output generated by the command and not
the shell interaction (the keystrokes). In this case it is recommended to
filter by the PID instead: because the -p filter also matches the PPID, the
shell's PID selects both the shell's own READs and the output of the commands
it spawns.

These 3 filtering capabilities can be combined in a single command. The tool
ANDs the conditions together:

# ./sbk_extract -i eth0 -p 1111 | ./sbk_viewer.pl -p 1992 -t 0

This example filters by PID or PPID equal to 1992 AND only READ syscalls.

Todo:

- Map the TAB keystroke on the READ syscalls. TAB is used on Linux for
  command line completion.
- Parse command line arguments using the Perl Getopt::Std or Getopt::Long
  modules.
- Implement multiple Honeypots filtering options

Credits:

The "sbk_viewer.pl" tool and the Sebek "write" syscall functionality were
the result of a Honeynet collaboration research project between:

- "Telefonica Moviles España" (www.telefonicamoviles.com)
- "Hewlett-Packard España" (www.hp.es)

BUGS & COMMON ISSUES:

- When monitoring a Red Hat 9.0 Honeypot it is common to periodically
  receive the output of an "ifconfig + grep" command that is continuously
  executed in the background by the OS.
- Commands that produce a large output, such as "ps -ef", sometimes increase
  the lost Sebek UDP packet statistics. Those packets are not received by
  the Sebek server, "sebekd", due to the unreliable nature of UDP, so part
  of such a command's output may be missing from the display.
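The selection rules described in the "Usage examples" and "Filters" sections above (the default READ/WRITE display conditions, the -V handling of OPEN/SOCKET, and the AND-combined -t/-p/-c filters), worked through as an added illustration. This is not the sbk_viewer.pl code itself: the real tool parses the binary stream produced by sbk_extract, whose layout this README does not describe, so each record is modelled here as a plain Python dict (an assumption), the short attacker session is constructed, the -c filter is treated as an exact match on the COM field (an assumption), and the extra columns and relaxed output of -v are not modelled.

```python
"""Added illustration of the sbk_viewer.pl selection rules described in this
README. Not the tool's own code. Assumption: each record is a dict; the real
input is sbk_extract's binary stream, whose layout the README does not give."""

# Syscall codes as listed under "System call codes" in the README.
READ, WRITE, SOCKET, OPEN = 0, 1, 2, 3


def default_visible(rec, ultra_verbose=False):
    """Default display rule.

    READ:  only short reads (<= 100 chars), i.e. keystrokes rather than
           bulk file reads.
    WRITE: only fd 0/1/2 (stdin/stdout/stderr) and length > 1, so the
           one-byte echo of each keystroke is not shown a second time.
    OPEN/SOCKET: shown only with -V (ultra_verbose=True).
    """
    sc = rec["syscall"]
    if sc == READ:
        return rec["len"] <= 100
    if sc == WRITE:
        return rec["fd"] in (0, 1, 2) and rec["len"] > 1
    if sc in (OPEN, SOCKET):
        return ultra_verbose
    return False


def matches_filters(rec, syscall_type=None, pid=None, command=None):
    """-t / -p / -c filters; every filter given must match (logical AND).

    -p matches the record's PID *or* PPID, so a shell's PID also selects
    the output of the commands that shell spawned.
    -c is taken as an exact match on the COM field (assumption).
    """
    if syscall_type is not None and rec["syscall"] != syscall_type:
        return False
    if pid is not None and pid not in (rec["pid"], rec["ppid"]):
        return False
    if command is not None and rec["com"] != command:
        return False
    return True


def select(records, ultra_verbose=False, **filters):
    """Records that pass both the default display rule and the filters."""
    return [r for r in records
            if default_visible(r, ultra_verbose)
            and matches_filters(r, **filters)]


def keystrokes(records):
    """Reassemble what the attacker typed from the selected READ records."""
    return "".join(r["data"] for r in records if r["syscall"] == READ)


def rec(syscall, fd, pid, ppid, com, data):
    return {"syscall": syscall, "fd": fd, "len": len(data),
            "pid": pid, "ppid": ppid, "com": com, "data": data}


# Constructed sample session: an attacker's bash (PID 1992, parent PID 1985)
# runs "ls" (child PID 2001). An unrelated sshd (PID 1400) moves encrypted
# data over a socket fd.
SAMPLE = [
    rec(READ,   0, 1992, 1985, "bash", "l"),
    rec(WRITE,  1, 1992, 1985, "bash", "l"),         # 1-byte echo, hidden
    rec(READ,   0, 1992, 1985, "bash", "s"),
    rec(WRITE,  1, 1992, 1985, "bash", "s"),         # 1-byte echo, hidden
    rec(READ,   0, 1992, 1985, "bash", "\n"),
    rec(OPEN,   3, 2001, 1992, "ls",   "/etc/ld.so.cache"),  # only with -V
    rec(WRITE,  1, 2001, 1992, "ls",   "bin  etc  home  tmp  usr\n"),
    rec(READ,   3, 2001, 1992, "ls",   "X" * 4096),  # bulk read, hidden
    rec(SOCKET, 4, 1400, 1,    "sshd", ""),          # only with -V
    rec(WRITE,  4, 1400, 1,    "sshd", "Z" * 64),    # not a tty fd, hidden
]


if __name__ == "__main__":
    # Same workflow as the README: look at everything, then narrow to the
    # attacker's shell by PID and to READs only to recover the keystrokes.
    for r in select(SAMPLE):
        print("PID:%-5d COM:%-5s %s fd=%d %r" % (
            r["pid"], r["com"],
            "READ " if r["syscall"] == READ else "WRITE", r["fd"], r["data"]))
    print("typed:", repr(keystrokes(select(SAMPLE, pid=1992, syscall_type=READ))))
```

Running the script prints the four records the default rule keeps (three keystroke READs from bash and the "ls" output WRITE, which is kept through the PPID match) and then "ls\n" as the recovered input. Filtering with command="ls" alone returns only the WRITE, which is the situation the NOTE in the Filters section warns about.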