spacer [an error occurred while processing this directive]
About the Project
Research Alliance
Our Book

Sebek FAQ

Sebek is a powerful tool designed primarily for data capture. Sometimes people will run into common problems, or frequently asked questions. This page attempts to answer those. It is assumed you have already read and understand the paper Know Your Enemy: Sebek.

Last Updated: 23 January, 2005

What is Sebek?
Sebek is a tool designed for data capture, it attempts to capture most of the attackers activity on the honeypot, without the attacker knowing it (hopefully), then sends the recoverd data to a central logging systemi (Refer to Figure A. It can potentially recover such things as keystrokes, uploaded files, passwords, and IRC chats, even if all communications are encrypted (SSH, IPSec, SSL).

Can I run Sebek client and server on the same system?
No. One of the purposes of the client is to hide all exported data from the system. If you install the server on the client, the server will not be able to see or collect the client data, because the client is hiding it from the server.

What is the Sebek Client?
This is the part of Sebek that is installed on all the honeypots. It does this as a kernel module (or patch) that copies all of the attackers actions, then sends them to the remote server. The kernel module hides all Sebek packets sent from the honeypot over the network. It does this by not allowing the attacker to sniff or monitor any packet that has both the predetermined UDP dst port and identifying magic number within the Sebek packet.

Is the Sebek client detectable?
Most likely yes. The source code is OpenSource, this means anyone can analyze it. Once an attacker has privleged access to a honeypot, and they know what to look for, they can potentially find it. To counter this threat, it is considered best practices to monitor your honeypots for activity, to include the uploading of file or someone interacting with it. It is also recommended that you customize or change the Sebek client, making it harder for attackers to find, as it is different from default installations.

What MAC should I use to configure the client?
We would suggest the use of the MAC address of the default gateway for the network. You can use anything you want that will get the packet to the collector.

Can I spoof the MAC address of a non-existant systems?
If you use a nonexistant MAC, that will have the same effect as using the broadcast MAC.

I have noticied that I am getting duplicate keystrok entries from my linux sebek client, what caused this?
If the client is installed twice it will double log keystrokes. There are two ways the client can be installed on top of itself. First, the client is not in testing mode, then it will remove itself from the linked list of known modules, as a result the kernel cant know not to install it twice. Second, if you are in testing mode and you install once , recompile the client, and reinstall , you will end up with to copies of sebek running. The later is a result of the build process randomizing key attributes of the module.

What is the Sebek Server?
Sebek server is the central log system that collects all the Sebek packets from the honeypots. Normally the Sebek server is installed on the Honeywall gateway. The server is made up of three tools; sbk_extract,,

  • sbk_extract:. A C program that collects the Sebek packets for analysis. It can extract the Sebek packets from either a tcpdump file, or capture the Sebek packets directly from the network in real time.
  • A Perl script that takes the Sebek packets and shows the attackers keystrokes to STDOUT.
  • A Perl script that takes the Sebek packets and uploads them to a database for more advanced analysis. The database can be local, or remote.

Sebek Server is giving me doubled characters
This may be the result of running two processes of sbk_extract. Make sure you have only one sbk_extract process.

Back to Top