Sebek: A kernel based capture tool
Prepared by Jaison Salu John
Sebek
Sebek is a data capture tool. Its purpose is to accurately recreate the events on a honeypot:
- when an intruder broke in
- how they did it
- what they did after gaining access
- what their motivations are
- who they may be working with
Sebek captures data that records the intruder's keystrokes and the impact of the attack.
How Sebek captures from the client
(diagram: Honeypot, split into User Space and Kernel Space)
In user space, a process calls read() through the standard library. The call enters kernel space via the syscall table. When the Sebek kernel module loads, it stores pointers to the original read and write handlers and replaces the read entry with its own New_Read. New_Read passes every read through to the original handler, so the process behaves normally, and copies the data the process received to the Data Logger.
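The hook in the diagram, as an added user-space model that is not Sebek's source code: the kernel's syscall table is stood in for by an array of function pointers, the "session" a shell would read from its terminal is a constructed byte string, and installing the module means saving the original read pointer and swapping in new_read, which logs the data and then calls the original so the caller sees no difference. Slot numbers and the helper names are assumptions made for the example.

```c
/* Added example, not Sebek's code: user-space model of hooking read() in a
 * syscall table. The table, the session input and the logger are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

typedef long (*syscall_fn)(int fd, char *buf, size_t count);

enum { SYS_READ_SLOT = 0, SYS_WRITE_SLOT = 1, SLOT_COUNT = 2 };

/* Model of the kernel's syscall table: an array of handler pointers. */
static syscall_fn sys_call_table[SLOT_COUNT];

/* "Original Read | Original Write (pointers stored)" from the diagram. */
static syscall_fn orig_read;
static syscall_fn orig_write;

/* Constructed stand-in for a terminal: what the intruder types. */
static const char session_input[] = "id\ncat /etc/shadow\n";
static size_t session_pos;

/* The unhooked read handler: copies the next bytes of the session into buf. */
static long real_read(int fd, char *buf, size_t count) {
    (void)fd;
    size_t left = sizeof(session_input) - 1 - session_pos;
    size_t n = count < left ? count : left;
    memcpy(buf, session_input + session_pos, n);
    session_pos += n;
    return (long)n;
}

static long real_write(int fd, char *buf, size_t count) {
    (void)fd; (void)buf;
    return (long)count;
}

/* Data Logger: the module's copy of everything a process read(). */
static char keystroke_log[256];
static size_t log_len;

/* New_Read: run the real read(), then record what the process received. */
static long new_read(int fd, char *buf, size_t count) {
    long n = orig_read(fd, buf, count);
    if (n > 0) {
        size_t room = sizeof(keystroke_log) - log_len;
        size_t take = (size_t)n < room ? (size_t)n : room;
        memcpy(keystroke_log + log_len, buf, take);
        log_len += take;
    }
    return n;                       /* caller sees unchanged behaviour */
}

/* Module load: save original pointers, replace the read slot. */
void sebek_install(void) {
    orig_read  = sys_call_table[SYS_READ_SLOT];
    orig_write = sys_call_table[SYS_WRITE_SLOT];
    sys_call_table[SYS_READ_SLOT] = new_read;
}

/* Module unload: restore the saved pointers. */
void sebek_remove(void) {
    sys_call_table[SYS_READ_SLOT]  = orig_read;
    sys_call_table[SYS_WRITE_SLOT] = orig_write;
}

/* Syscall dispatch: a process calling read() ends up here. */
long do_syscall_read(int fd, char *buf, size_t count) {
    return sys_call_table[SYS_READ_SLOT](fd, buf, count);
}

void table_init(void) {
    sys_call_table[SYS_READ_SLOT]  = real_read;
    sys_call_table[SYS_WRITE_SLOT] = real_write;
    session_pos = 0;
    log_len = 0;
}

const char *captured_log(size_t *len) { *len = log_len; return keystroke_log; }

/* Drive a whole session through the hooked table; returns bytes logged. */
size_t run_session(void) {
    char buf[8];                    /* small reads, as a tty delivers them */
    long n;
    table_init();
    sebek_install();
    while ((n = do_syscall_read(0, buf, sizeof buf)) > 0) { /* shell consumes input */ }
    sebek_remove();
    return log_len;
}

int main(void) {
    size_t len;
    run_session();
    const char *log = captured_log(&len);
    printf("logged %zu bytes: %.*s", len, (int)len, log);
    return 0;
}
```

In a real module the hard parts are outside this model: locating sys_call_table, which modern Linux kernels no longer export, and temporarily lifting the write protection on the page that holds it. Sebek also filters which reads it records (keystroke-only capture is an option) so the logger is not flooded with bulk file reads; the model logs everything for clarity.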
How Sebek packets are kept hidden on the network
(diagram: Linux Kernel with Local Ethernet Network Device Driver, Socket Interface, TCP/IP Stack, Netfilter, and the Sebek Kernel Module containing Data Logger, Packet Generator and Transmitter)
General flow: Sebek packets bypass the TCP/IP stack; the stack itself is not used at all. The Data Logger hands captured records to the module's own Packet Generator, which builds complete frames in the kernel, and the Transmitter passes them directly to the network device driver. Because the frames never traverse the socket interface, netfilter or the TCP/IP stack, a sniffer or firewall running on the honeypot has no hook at which to observe them.
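What the Packet Generator has to do when the TCP/IP stack is skipped, as an added example that is not Sebek's code: build a complete Ethernet, IPv4 and UDP frame in memory, including the IP header checksum, so that it can be handed to the device driver as-is. The MAC addresses, IP addresses, port and payload are constructed placeholders (the payload is three bytes of text, not the Sebek record format), and build_frame and demo_frame are names chosen for this example.

```c
/* Added example, not Sebek's code: build an Ethernet/IPv4/UDP frame by hand,
 * the job of the module's Packet Generator. All addresses are constructed. */
#include <stdint.h>
#include <string.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_HDR 14
#define IP_HDR  20
#define UDP_HDR  8

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* RFC 1071 one's-complement checksum; handles an odd trailing byte. */
uint16_t inet_checksum(const uint8_t *data, size_t len) {
    uint32_t sum = 0;
    while (len > 1) { sum += get16(data); data += 2; len -= 2; }
    if (len) sum += (uint32_t)data[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Write Ethernet + IPv4 + UDP headers around payload into frame[].
 * Returns the frame length, or 0 if it would not fit. */
size_t build_frame(uint8_t *frame, size_t cap,
                   const uint8_t dst_mac[6], const uint8_t src_mac[6],
                   uint32_t src_ip, uint32_t dst_ip,
                   uint16_t src_port, uint16_t dst_port,
                   const uint8_t *payload, size_t plen) {
    size_t total = ETH_HDR + IP_HDR + UDP_HDR + plen;
    if (total > cap || IP_HDR + UDP_HDR + plen > 0xffff) return 0;
    uint8_t *eth = frame, *ip = frame + ETH_HDR, *udp = ip + IP_HDR;

    memcpy(eth, dst_mac, 6);              /* destination MAC */
    memcpy(eth + 6, src_mac, 6);          /* source MAC */
    put16(eth + 12, 0x0800);              /* EtherType IPv4 */

    memset(ip, 0, IP_HDR);
    ip[0] = 0x45;                         /* version 4, IHL 5 words */
    put16(ip + 2, (uint16_t)(IP_HDR + UDP_HDR + plen));
    ip[8] = 64;                           /* TTL */
    ip[9] = 17;                           /* protocol UDP */
    put32(ip + 12, src_ip);
    put32(ip + 16, dst_ip);
    put16(ip + 10, inet_checksum(ip, IP_HDR)); /* computed with field zeroed */

    put16(udp, src_port);
    put16(udp + 2, dst_port);
    put16(udp + 4, (uint16_t)(UDP_HDR + plen));
    put16(udp + 6, 0);                    /* UDP checksum optional in IPv4 */
    memcpy(udp + UDP_HDR, payload, plen);
    return total;
}

/* A receiver accepts the IPv4 header when the checksum over it is zero. */
int ip_header_valid(const uint8_t *frame) {
    return inet_checksum(frame + ETH_HDR, IP_HDR) == 0;
}

/* Constructed frame: 10.0.0.2 -> 10.0.0.1, UDP port 1101, payload "id\n". */
size_t demo_frame(uint8_t *frame, size_t cap) {
    const uint8_t dst_mac[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    const uint8_t src_mac[6] = {0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee};
    const uint8_t payload[] = {'i', 'd', '\n'};
    return build_frame(frame, cap, dst_mac, src_mac,
                       0x0a000002u, 0x0a000001u, 1101, 1101,
                       payload, sizeof payload);
}

int main(void) {
    uint8_t frame[128];
    size_t n = demo_frame(frame, sizeof frame);
    printf("frame: %zu bytes, IP header %s\n", n, ip_header_valid(frame) ? "ok" : "bad");
    return 0;
}
```

Because the stack is bypassed, nothing fills in the destination MAC, IP id or checksums for the module; that is why the generator must know the collector's MAC address as well as its IP and port, and why an error in these headers shows up as silently dropped frames rather than an error return.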