SEBEK Homepage

The goal of this page is to provide the latest documentation, source code, and utilities for the Sebek suite of tools. Sebek is a data capture tool designed to record an attacker's activities on a honeypot without (hopefully) the attacker knowing it. It has two components. The first is a client that runs on the honeypots; its purpose is to capture all of the attacker's activities (keystrokes, file uploads, passwords) and then covertly send the data to the server. The second component is the server, which collects the data from the honeypots. The server normally runs on the Honeywall gateway. Refer to Figure A to see the overall Sebek architecture.

Developers:

Last Updated: 19 September, 2006
A new version of the Sebek Linux client has been added with new filtering capabilities.

Documentation
Each distribution of Sebek comes with a README file that describes how to configure, install, and use that distribution. You can also refer to the Sebek Frequently Asked Questions.


GenIII Sebek Client Branch
This new branch is compatible with the new Roo Honeywall CDROM. These clients use the version 3 packet format and collect process tree, socket, and file-opening data. The Sebek client is installed on each honeypot and operates as part of the kernel itself; depending on the port, it is either an LKM or a kernel source patch. It works by monitoring system call activity and recording data of interest. This data is then exported in a covert manner to the server. Linux is the platform on which all primary new development is done, so expect the latest features to appear on the Linux clients first. Once tested, they are ported to the other operating systems.

  • Linux
    With Filtering Capabilities (Newer 3.x version)
    • Linux 2.6 Client 3.2.0b. Sebek client for the Linux 2.6 kernel branch. This is compiled and used as a kernel module, not as a kernel patch.
    • Linux 2.4 Client 3.2.0c. Sebek client for the Linux 2.4 kernel branch. This is compiled and used as a kernel module, not as a kernel patch.

    Without Filtering Capabilities (Older 3.x version)
    • Linux 2.6 Client 3.1.3c. Sebek client for the Linux 2.6 kernel branch. This is compiled and used as a kernel module, not as a kernel patch.
    • Linux 2.4 Client 3.0.3. Sebek client for the Linux 2.4 kernel branch. This is compiled and used as a kernel module, not as a kernel patch.

  • Windows
    Win32 Client 3.0.3. Sebek client for the Win32 platform, in both source and binary form. This version supports Windows 2000, Windows XP, and Windows 2003 (all service packs of each).
  • BSD Variants
    *BSD Clients 3.0. Sebek clients for OpenBSD, NetBSD, and FreeBSD.
  • Sebek Server
    Sebekd 3.0.3. This is what collects the Sebek client data from the network to be post-processed by various data analysis tools. Installed by default on the Roo Honeywall CDROM.


GenII Sebek Client Branch
These versions of Sebek are outdated and no longer supported. They only monitor system read activity and use an older data format; as a result, they are not compatible with the Roo Honeywall.

  • Linux Client 2.1.7. Sebek-linux is the kernel module for 2.4.X Linux kernels.
  • Solaris Client 2.05.03. Sebek-Solaris is the kernel module for Solaris 2.8/2.9 on both SPARC and x86 systems. Currently 64-bit only on SPARC.
  • Win32 Client 2.1.5. Sebek client for Win2000 and WinXP. Currently captures only command line activity in the cmd.exe command prompt. You can find the source code here.
  • OpenBSD Client 2.6. Sebek-OpenBSD is a kernel patch for OpenBSD 3.4 and current OpenBSD.
  • NetBSD and FreeBSD Client 1.2. Sebek-NetBSD and Sebek-FreeBSD are kernel patches for their respective operating systems.
  • Sebek Server 2.1.7. Sebek Server is a suite of three tools used to capture Honeynet data. The first tool is sbk_extract, which extracts the Sebek data either from tcpdump files or by sniffing it directly from the network interface. Either way, you will have to use this tool to recover the Sebek data. It is recommended to run these tools in a protected environment, such as under chroot(1) with a kernel security patch (such as the grsecurity.org patch).
  • Web Interface 0.9. This is an old, experimental PHP/MySQL-based web interface for Sebek. It provides the ability to recover file transfers, monitor keystroke activity, and query for specific attributes for clients older than version 3.

