Record Honeypot Activity
Keep track of everything that happens on your honeypot.
Once an attacker has fallen prey to your honeypot and gained access to it, it is critical that you monitor all activity on that machine. By monitoring every tiny bit of activity on your honeypot, you can not only learn the intentions of your uninvited guest, but can often learn about new techniques for compromising a system as the intruder tries to gain further access. Besides, if you’re not interested in what attackers are trying to do, why run a honeypot at all?
One of the most effective methods for tracking every packet and keystroke is to use a kernel-based monitoring tool. This way nearly everything that the attacker does on your honeypot can be monitored, even if the attackers use encryption to protect their data or network connection. One powerful package for monitoring a honeypot at the kernel level is Sebek (http://www.honeynet.org/tools/sebek/). Sebek is a loadable kernel module for Linux and Solaris that intercepts key system calls in the kernel and monitors them for interesting information. It then transmits the data to a listening server and hides the presence of the transmissions from the local system. Sebek is actually made up of two kernel modules. The first, sebek.o, does the monitoring. The other module is cleaner.o, which protects sebek.o from being discovered.
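The listening server side of this architecture is where the recorded activity becomes useful. The following is an added example, not code from the book or from the Sebek project: a small collector routine that takes keystroke records as a kernel sensor would report them, groups them into per-process sessions, reconstructs the lines the intruder typed (honouring backspaces), and counts records that never arrived, since a sensor that sends datagrams blind will lose some. The record layout, the `Record`/`Session` classes, the `reassemble` function and the sample records are all assumptions constructed for this example; they are not Sebek's wire format.

```python
"""Reassemble keystroke records from a honeypot sensor into per-session transcripts.

Added example for a honeypot collector. The record layout below is an ASSUMED,
simplified format constructed for this example; it is not Sebek's wire format.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Record:
    host: str      # sensor (honeypot) that produced the record
    counter: int   # per-sensor sequence number; gaps mean records were lost
    pid: int
    uid: int
    fd: int        # file descriptor the data was read from (0 = stdin)
    com: str       # name of the process that made the read
    data: bytes    # raw bytes read, keystrokes included


@dataclass
class Session:
    host: str
    pid: int
    uid: int
    com: str
    lines: list = field(default_factory=list)   # completed command lines
    partial: str = ""                            # text seen since the last newline


def _apply_keystrokes(current, data):
    """Feed raw bytes through a tiny line editor: handle backspace/DEL and
    split on CR or LF. Returns (unfinished text, completed lines)."""
    done = []
    for b in data:
        if b in (0x08, 0x7F):          # backspace or DEL: drop the last char
            current = current[:-1]
        elif b in (0x0A, 0x0D):        # LF or CR ends the line
            done.append(current)
            current = ""
        else:                          # printable as-is, anything else escaped
            current += chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b
    return current, done


def reassemble(records):
    """Group records by (host, pid, fd), order them by counter, and rebuild the
    lines the attacker typed. Also counts lost records per sensor."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r.host].append(r)

    lost = {}
    sessions = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r.counter)
        # Counter gaps across the whole sensor stream indicate dropped records.
        lost[host] = sum(b.counter - a.counter - 1 for a, b in zip(recs, recs[1:]))
        for r in recs:
            key = (r.host, r.pid, r.fd)
            s = sessions.setdefault(key, Session(r.host, r.pid, r.uid, r.com))
            s.partial, done = _apply_keystrokes(s.partial, r.data)
            s.lines.extend(done)
    return sessions, lost


# Constructed sample: an interactive shell on honeypot "hp1"; counter 5 is
# missing on purpose to exercise the lost-record check. Not real captured data.
SAMPLE_RECORDS = [
    Record("hp1", 1, 4242, 0, 0, "bash", b"w"),
    Record("hp1", 2, 4242, 0, 0, "bash", b"ho"),
    Record("hp1", 3, 4242, 0, 0, "bash", b"\r"),
    Record("hp1", 4, 4242, 0, 0, "bash", b"uname -aa"),
    Record("hp1", 6, 4242, 0, 0, "bash", b"\x7f"),     # intruder hit backspace
    Record("hp1", 7, 4242, 0, 0, "bash", b"\n"),
    Record("hp1", 8, 4242, 0, 0, "bash", b"id"),       # no newline yet
]


def sample_transcript():
    """Run the collector over the constructed sample and return what a
    monitoring analyst would look at: finished lines, pending text, losses."""
    sessions, lost = reassemble(SAMPLE_RECORDS)
    s = sessions[("hp1", 4242, 0)]
    return s.lines, s.partial, lost["hp1"]


if __name__ == "__main__":
    lines, partial, dropped = sample_transcript()
    for line in lines:
        print("hp1 pid=4242 bash$", line)
    print("unfinished:", repr(partial), "lost records:", dropped)
```

The lost-record count is the check worth keeping in any real collector: a gap in the sequence numbers means part of the intruder's session is simply missing from your transcript, and a transcript with silent holes is worse than one that says where the holes are.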
To build the kernel modules on Linux, first make sure that /usr/src/linux-2.4 points to the source code of the ...