What is Sebek?
Sebek is a tool designed for data capture, it attempts to capture
most of the attackers activity on the honeypot, without the attacker
knowing it (hopefully), then sends the recoverd data to a central
logging systemi (Refer to Figure A.
It can potentially recover such things as keystrokes, uploaded
files, passwords, and IRC chats, even if all communications
are encrypted (SSH, IPSec, SSL).
Can I run Sebek client and server on the same system?
No. One of the purposes of the client is to hide all exported data from
the system. If you install the server on the client, the server will not
be able to see or collect the client data, because the client is hiding it
from the server.
What is the Sebek Client?
This is the part of Sebek that is installed on all the
honeypots. It does this as a kernel module (or patch) that
copies all of the attackers actions, then sends them to the
remote server. The kernel module hides all Sebek packets
sent from the honeypot over the network. It does this by
not allowing the attacker to sniff or monitor any packet
that has both the predetermined UDP dst port and identifying
magic number within the Sebek packet.
Is the Sebek client detectable?
Most likely yes. The source code is OpenSource, this means anyone
can analyze it. Once an attacker has privleged access to a honeypot,
and they know what to look for, they can potentially find it. To
counter this threat, it is considered best practices to monitor your
honeypots for activity, to include the uploading of file or someone
interacting with it. It is also recommended that you customize or change
the Sebek client, making it harder for attackers to find, as it is
different from default installations.
What MAC should I use to configure the client?
We would suggest the use of the MAC address of the default gateway for the
network. You can use anything you want that will get the packet to the
Can I spoof the MAC address of a non-existant systems?
If you use a nonexistant MAC, that will have the same effect as using
the broadcast MAC.
I have noticied that I am getting duplicate keystrok entries from my linux sebek
client, what caused this?
If the client is installed twice it will double log keystrokes. There are two ways the
client can be installed on top of itself. First, the client is not in testing mode, then it will
remove itself from the linked list of known modules, as a result the kernel cant know not
to install it twice. Second, if you are in testing mode and you install once , recompile the
client, and reinstall , you will end up with to copies of sebek running. The later is a result
of the build process randomizing key attributes of the module.
What is the Sebek Server?
Sebek server is the central log system that collects all
the Sebek packets from the honeypots. Normally the Sebek
server is installed on the Honeywall gateway. The server is
made up of three tools; sbk_extract, sbk_ks_log.pl, sbk_upload.pl.
- sbk_extract:. A C program that collects the Sebek
packets for analysis. It can extract the Sebek packets from
either a tcpdump file, or capture the Sebek packets directly
from the network in real time.
- sbk_ks_log.pl: A Perl script that takes the Sebek
packets and shows the attackers keystrokes to STDOUT.
- sbk_upload.pl: A Perl script that takes the Sebek
packets and uploads them to a database for more advanced analysis.
The database can be local, or remote.
Sebek Server is giving me doubled characters
This may be the result of running two processes of sbk_extract. Make sure
you have only one sbk_extract process.