Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sebek2 - A Kernel-based Data Capture Tool

Posted by michael on from the i-spy-with-my-little-eye dept.

LogError writes "Sebek is a piece of code the lives entirely in kernel space and records either some or all data accessed by users on the system. This paper is a detailed discussion of Sebek, how it works and its value."

13 of 74 comments (clear)

  1. Great tool in the right hands by mpeg4codec · · Score: 4, Insightful

    This can just as easily be modified and used by blackhats as an advanced rootkit, though. Like everything, it's a double-edged sword.

    1. Re:Great tool in the right hands by moreati · · Score: 5, Insightful

      True, like anthing this has Good and Evil uses, but since it is kernel resident then it requires either a reboot or a siutable set of hooks in the running kernel so it can be loaded as a module.

      Thus the impact of malicuous use of this technology could be mitigated by disabling loadable modules once booted, limiting access to kernel structures by loaded modules, using some varient of TCPA (rootkit module not signed), and/or only accepting shutdown signals from the local console.

      In a corporate environment however I could see this used as a virtually undetectable piece of snitch software, ie for spying on employees at their workstation, even if they have root.

      Regards

      Alex

  2. weird name by Tumbleweed · · Score: 3, Funny

    Sounds Vulcan.

    1. Re:weird name by Tumbleweed · · Score: 2, Funny

      You shall not live long, nor prosper, for that joke.

  3. Wow! by scovetta · · Score: 3, Interesting

    I'm sure the speed of a kernel-level logger will be amazing. I bet WinXP comes with one already running and recording everything.

    Actually, doesn't Windows come with some pretty fancy-schmancy documented (and undocumented) kernel-level logging APIs?

    Or is this *nix? I should RTFA.

    --
    Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
  4. Why the hell is this on Slashdot now? by Creepy+Crawler · · Score: 2, Interesting

    After all, with the Gen2 honeynets out there, this is the tool of choice.

    This tool has been out at honeynet.org for months now.I've been using it for at least 2 months.

    THIS IS NOT NEWS,

    --
    1. Re:Why the hell is this on Slashdot now? by Karamchand · · Score: 2, Informative

      IIRC the paper was last changed on 13th Sept 2003. So it is quite new. Not the tool itself (as the version number - remember, it was 2 - implies), but this paper about it.

  5. Mirror by Magus311X · · Score: 3, Informative

    Mirrored here: Sebek.pdf

    -----

  6. Re:re-incorporation? by Anonymous Coward · · Score: 3, Informative

    SELinux security modules are already in the vanilla 2.6-test kernels. The issuse of including all parts of SELinux has more to do with how well the code works with the rest of the kernel code. A good example of this is the current decision to use CryptoAPI instead of the long-standing kerneli patches. SELinux some code is already in the kernel without such a drastic rewrite, so more of it will likely find its way into the vanilla branch.

  7. Re:re-incorporation? by plcurechax · · Score: 2, Informative

    Why not just merge SELinux with Linux?

    SELinux is about mandatory access controls and control policy enforcement. See the SELinux FAQ for more info about SE Linux.

    Sebek (now version 2) is an kernel level logger. It does not stop users from doing anything. In fact if it did, that would make it useless for its primary job, as a tool for building HoneyNets, an controlled network of systems designed to be compromised by attackers, and the methods (and related) studied by security geeks.

  8. Probable origin of name? by deltagreen · · Score: 5, Informative

    I couldn't see it mentioned anywhere, but I found this on www.kemet.org, a site about the religious tradition of Ancient Egypt:

    Sebek (Sobek; G/R Suchos) - "Watching over You" Son of Nit (and also, according to some myths, Set), Sebek is either depicted as a full crocodile, or, less often, as a crocodile-headed man. He is often given the epithets of Heru-sa-Aset as a Netjer [manifestation of god] of protection, healing and vengeance over the wrongdoer. In some mythologies Sebek is a powerful and awe-inspiring denizen of the underworld, and was invoked to do away with annoyances and negative situations, in the phrase "to Sebek with it(him)!," much as modern-day slang consigns bothersome things and persons "to Hell."

  9. Re:Sigh by borius · · Score: 2, Funny

    1) Beer.
    2) Cops (on TV)
    3) Food. p All I need on a Saturday evening.

    Yet, here you are, posting on Slashdot

  10. Plonked off the high horse by poptones · · Score: 2, Insightful
    There are nearly 3/4 of a million registered users of slashdot. Like it or not, cowboy, this isn't a site that caters exclusively to those "already in the know." It's an advocacy site as much as anything, and the readers here are going to come from thousands of difference backgrounds and have thousands of different viewpoints.

    this article is interesting. I'm not an admin of a corporate wan and there's only so much damage that can be done to a home network, so my interest is not sufficient to compel me to "search for it" anymore than my interest in particle physics would drive me to "search for" the latest technical papers on particel accelerators.

    If this offends your l33t sensibilities then you need a thorough ass kicking by RMS and JP Barlow to remind you of why sites like slashdot even exist.