In July 2005, while I was involved in a GenIII Honeynet project, I developed a patch for the
Sebek tool. The patch extends Sebek to inspect the "write" system call, so that it captures not only what the attacker typed in the honeypot but also the response the attacker received.
Downloads:
The Sebek "write" patch is available for the
Sebek 3.0.3 Linux client and the
Sebek 3.0.3 Linux server. The current version is v0.9 and was published in January 2006.
- The client patch modifies the Sebek LKM to intercept the "write" syscall. The README file explains how to apply the patch to the official Sebek code. The Changelog file details the new changes introduced.
- The server patch fixes a few messages typos and includes a new tool, called sbk_viewer.pl, that displays the information sent by a patched Sebek client. Please read the tool README file ("README.sbk_viewer_v0.9.txt") for more information.
If you want to install the Sebek server patch on a GenIII Honeynet, it is strongly recommended to do it in the Roo Honeywall. In this case you do not require the patch. Simply copy the sbk_viewer.pl tool (change the .txt extension to .pl) into the "/usr/sbin" directory and add execution permissions to this file.
The Sebek "write" patch functionality has been included for beta testing in the official Sebek Linux 2.6 branch. The first Linux 2.6 Sebek version, 3.1.2b, was released in October 2005. This version includes a new configuration variable, WRITE_TRACKING, that activates the "write" capabilities.
MD5 verification: (v0.9 - January 2006)
- sebek-linux-3.0.3-write.tar.gz: 1af332afcb597d75b2c7e4350739cfd2
- sebekd-3.0.3-write.tar.gz: ff2e0d97179ad786a4b4b381ced3cefe
- sbk_viewer.pl (v0.9): 5a5a890b09d2a6110d1d9d459a6b3ad3
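As an added example (not code from this page or from the Sebek project), the following POSIX shell script checks the three downloads above against the MD5 sums listed here and then installs sbk_viewer.pl on a Roo Honeywall the way the Downloads section describes (copy into /usr/sbin, drop the .txt extension, make it executable). The download directory, the install prefix and the name of the viewer file before renaming (sbk_viewer.txt) are assumptions; the file names of the two archives and all three hashes are taken from the page.

```shell
#!/bin/sh
# Added example: verify the Sebek "write" patch downloads against the MD5 sums
# published on the page, then install sbk_viewer.pl as the page describes.
# Assumptions: the downloads sit in one directory passed as an argument, the
# viewer is downloaded as sbk_viewer.txt, and the install prefix defaults to
# /usr/sbin (the Roo Honeywall location named on the page).

# md5_of FILE: print the hex MD5 of FILE, using md5sum or openssl as a fallback.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED: return 0 if FILE hashes to EXPECTED, 1 otherwise
# (a missing file also counts as a failure).
verify_md5() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "MISSING $file" >&2; return 1; }
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK      $file"
        return 0
    fi
    echo "FAIL    $file (expected $expected, got $actual)" >&2
    return 1
}

# verify_downloads DIR: check the three artifacts listed on the page (v0.9,
# January 2006). Returns 1 if any of them is missing or does not match.
verify_downloads() {
    dir=$1
    status=0
    verify_md5 "$dir/sebek-linux-3.0.3-write.tar.gz" 1af332afcb597d75b2c7e4350739cfd2 || status=1
    verify_md5 "$dir/sebekd-3.0.3-write.tar.gz"      ff2e0d97179ad786a4b4b381ced3cefe || status=1
    verify_md5 "$dir/sbk_viewer.txt"                  5a5a890b09d2a6110d1d9d459a6b3ad3 || status=1
    return $status
}

# install_viewer SRC [PREFIX]: copy the viewer to PREFIX/sbk_viewer.pl (the
# rename from .txt to .pl happens here) and make it executable.
install_viewer() {
    src=$1
    prefix=${2:-/usr/sbin}
    dest="$prefix/sbk_viewer.pl"
    cp "$src" "$dest" && chmod 755 "$dest" || return 1
    echo "installed $dest"
}

# Command-line entry point; does nothing when sourced without arguments.
case "${1:-}" in
    verify)  verify_downloads "${2:-.}" ;;
    install) verify_downloads "${2:-.}" && install_viewer "${2:-.}/sbk_viewer.txt" "${3:-/usr/sbin}" ;;
    "")      ;;
    *)       echo "usage: $0 verify|install [download-dir] [prefix]" >&2; exit 2 ;;
esac
```

Run it as `sh sebek-write-install.sh verify ~/downloads` to check the sums only, or `sh sebek-write-install.sh install ~/downloads` on the Honeywall to check and then install in one step; the install is refused if any hash fails. Keep in mind that an MD5 sum published on the same page as the download only protects against a corrupted transfer: it cannot tell you that the archive was not replaced together with its listed hash, so compare the sums against a copy of this list obtained through a separate channel where you can.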
Limitations:
The Sebek "write" patch works fine on honeypots that do not run X Windows, that is, Linux boxes without a graphical environment. There are known performance issues associated with this patch on the client side if it is run on a honeypot running X Windows: the amount of work required to log over the network all the "write" events taking place at the kernel level will freeze the honeypot.
Credits:
This is the result of a Honeynet research project between
Telefonica Moviles Spain (TME) and
Hewlett-Packard Spain (HPE).
WARNING
The sbk_viewer.pl tool is based on the sbk_ks_log.pl tool. That tool's README file describes the following bug, which can also be found in the new tool:
BUGS:
Some versions of Linux have perl 5.8, which has a
serious bug in it. The read function malfunctions.
http://archive.develooper.com/perl5-porters@perl.org/msg92560.html
If this problem is present, then try the following workaround
export LANG="POSIX"
I have NO idea as to why this resolves the issue.
If you run these Sebek server tools on a system using perl 5.8, the default version on Red Hat 9.0, you will get weird behaviours and "Out of memory!" messages.