Sebek
Data capture tool used by honeynet to track down attacker

    Sebek Presentation Transcript

    • Sebek: a kernel-based capture tool
      Prepared by Jaison Salu John
    • Sebek
      Sebek is a data capture tool. Its purpose is to accurately recreate the events on a honeypot:
      When an intruder broke in
      How they did it
      What they did after gaining access
      What their motivations are
      Who they may be working with
      Sebek captures the intruder’s keystrokes and the impact of the attack.
    • Sebek Architecture
      (Diagram.) Each honeypot runs a Sebek client module. The Sebek packets the clients emit are collected at the Honeywall gateway, which runs the Sebek server module and the Sebek web interface.
    • How does Sebek capture data on the client?
      (Diagram.) On the honeypot, a read() call from the standard library in user space enters the syscall table in kernel space. The Sebek kernel module stores pointers to the original read and write entries and replaces read with New_Read, which hands the data to its data logger.
    • How are Sebek packets kept hidden on the network?
      (Diagram.) General flow in the Linux kernel: socket interface → TCP/IP stack → Netfilter → network device driver → local Ethernet.
      Sebek packets bypass this path: the Sebek kernel module (data logger → packet generator → transmitter) hands its packets directly to the network device driver, so the TCP/IP stack itself is not being used!
    • Sebek Record Header
    • Sebek Functions
      Monitoring keystroke activity
      Command line
      Loading into a database
      Recovering files the attacker tried to copy with the scp command
      Identifying the point at which the attacker gained root access
      Web interface
    • Sebek Client Installation Variables
      Interface
      Destination IP
      Destination MAC
      Magic Value
      Destination UDP Port
      Source UDP Port
      Keystrokes only
      Testing
    • Limitations
      Sebek modules can be detected with rootkit detection tools
    • References
      Know Your Enemy: Sebek. The Honeynet Project, 17 November 2003.
      http://old.honeynet.org/papers/sebek.pdf
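A user-space model of the read() hook shown on the capture slide, together with the pointer check that rootkit detectors apply (the Limitations slide). This is an added illustration, not code from the presentation or from Sebek itself; the table, handler and sample keystrokes are constructed, and nothing here touches a real kernel.

```c
#include <string.h>
/* Constructed user-space model of the capture slide: a "syscall table" of
 * handler pointers, the original read entry whose pointer is stored, and a
 * replacement New_Read that logs data before chaining to the original.
 * Nothing here touches a real kernel. */

typedef long (*read_fn)(int fd, char *buf, long len);

/* Stand-in for the kernel's real read handler: hands back constructed
 * sample keystrokes instead of reading a file descriptor. */
static long original_read(int fd, char *buf, long len) {
    const char *sample = "uname -a\n";            /* constructed input */
    long n = (long)strlen(sample);
    if (n > len) n = len;
    memcpy(buf, sample, (size_t)n);
    (void)fd;
    return n;
}

static read_fn syscall_table[1] = { original_read }; /* entry 0 is read */
static read_fn stored_read = 0;        /* original pointer, kept by module */
static char log_buf[256];              /* data logger buffer */
static long log_len = 0;

/* New_Read: call the original, then log whatever it returned. */
static long new_read(int fd, char *buf, long len) {
    long n = stored_read(fd, buf, len);
    if (n > 0 && log_len + n <= (long)sizeof log_buf) {
        memcpy(log_buf + log_len, buf, (size_t)n);
        log_len += n;
    }
    return n;
}

/* Install the hook: store the original pointer, swap in New_Read. */
void install_read_hook(void) {
    stored_read = syscall_table[0];
    syscall_table[0] = new_read;
}

/* A caller's read(), dispatched through the table like a syscall. */
long read_via_table(int fd, char *buf, long len) {
    return syscall_table[0](fd, buf, len);
}
long captured_bytes(void) { return log_len; }

/* The check a rootkit detector applies (see the Limitations slide): does
 * the table entry still point at the known original handler? */
int read_entry_is_hooked(void) { return syscall_table[0] != original_read; }
```

The same comparison, run against the kernel's real syscall table and known symbol addresses, is how detection tools notice that the read entry no longer points where it should.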