Keep track of everything that happens on your honeypot.
Once an attacker has fallen prey to your honeypot and gained access to it, it is critical that you monitor all activity on that machine. By monitoring every tiny bit of activity on your honeypot, you can not only learn the intentions of your uninvited guest, but can often learn about new techniques for compromising a system as the intruder tries to gain further access. Besides, if you're not interested in what attackers are trying to do, why run a honeypot at all?
One of the most effective methods for tracking every packet and keystroke is to use a kernel-based monitoring tool. This way nearly everything that the attacker does on your honeypot can be monitored, even if the attackers use encryption to protect their data or network connection. One powerful package for monitoring a honeypot at the kernel level is Sebek (http://www.honeynet.org/tools/sebek/).
Sebek is a loadable kernel module for Linux and Solaris that intercepts key system calls in the kernel and monitors them for interesting information. It then transmits the data to a listening server and hides the presence of the transmissions from the local system. Sebek is actually made up of two kernel modules. The first, sebek.o, actually does the monitoring. The other module is cleaner.o, which protects sebek.o from being discovered.
To build the kernel modules on Linux, first make sure that /usr/src/linux-2.4 points to the source code of the kernel that you want to compile the modules for. Either unpack the kernel source under this directory or symlink it to an existing kernel source tree. You can then download the source distribution, unpack it, and build it with the usual commands:
$ ./configure $ make
This will generate a tar archive containing the kernel modules and an installer script. Copy this archive to your honeypot to complete the installation.
Here's what's inside:
$ tar tf sebek-linux-2.1.4-bin.tar sebek-linux-2.1.4-bin/ sebek-linux-2.1.4-bin/sebek.o sebek-linux-2.1.4-bin/cleaner.o sebek-linux-2.1.4-bin/sbk_install.sh
Before installing the modules on your honeypot, you'll need to edit the sbk_install.sh script and modify several variables that tell sebek.o where to send the information that it collects. These variables are DESTINATION_MAC, DESTINATION_IP, SOURCE_PORT, and DESTINATION_PORT. These should all be set to point to the Sebek server that you will build in a moment. Make sure to use the same DESTINATION_PORT for all honeypots that you'll be operating. In addition, you'll need to set the MAGIC_VAL variable to the same value on all your honeypots. This variable, in conjunction with DESTINATION_PORT, is used to hide traffic from other honeypots that you are operating. If you want Sebek to only collect keystrokes from your honeypot, you can set the KEYSTROKE_ONLY variable to 1.
Now run the install script on your honeypot:
# sh sbk_install.sh Installing Sebek: sebek.o installed successfully cleaner.o installed successfully cleaner.o removed successfully
Once Sebek is installed, be sure to remove the archive and installation files. The presence of these files on a system is a pretty clear indication that it is a honeypot, and it could tip off intruders.
There are two ways to receive the data from Sebek. The simplest is to run the Sebek server, which will sniff for the information and automatically extract it for you. If you prefer to collect the data manually, you can use a sniffer on the host that you configured in the sbk_install.sh script and later use Sebek's data extraction utility to pull the information out of your packet dumps.
To install the server, download the source distribution, unpack it, and go into the directory that it created. Then run this command:
$ ./configure && make
After compilation has finished, become root and run make install. This will install sbk_extract, sbk_ks_log.pl, and sbk_upload.pl. To extract information sent from a honeypot, use sbk_extract. You can run it in sniffer mode by using the -i and -p options to specify which interface to listen on and which destination port to look for, respectively. If you want to process packets that have already been captured using a packet capture tool, use the -f option to specify the location of the packet dump file. Once you've extracted the data, you can use sbk_ks_log.pl to display the attacker's keystrokes.
Sebek also has an optional web interface that uses PHP and MySQL to allow more complex queries of the collected data. In addition to logged keystrokes, the web interface can extract files that have been uploaded to the honeypot. The sbk_upload.pl script uploads the logs to the web interface. Installation of the web interface is a bit more involved, since it requires an Apache server, PHP, and a MySQL 4 database. For more details, consult Sebek's homepage at http://www.honeynet.org/tools/sebek/ .