Sebek: kernel module based data collection tool for Linux honeypots
----------------------------------------------------------------------

This is the top level README. It is focused on the overall organization
of the source distribution.

Introduction:

Sebek consists of a rootkit that gathers data on a honeypot and a
collector that runs on a separate machine on the same broadcast domain.
Data is transmitted from the honeypot to the collector in a somewhat
covert manner using spoofed IP and MAC addresses. Currently packets are
transmitted as Blowfish encrypted UDP packets with configurable SRC and
DST ports.

There are three major components to the system: a modified version of
the adore rootkit that records all data from the read system call to a
special device, an application that monitors this device and transmits
the data on the LAN, and an application that collects the data off the
LAN. These components reside in the following directories:

adore/   This is a modified Linux rootkit. It is capable of keystroke
         logging on sessions even if an intruder installs his/her own
         version of SSH or shell. Further, it is able to record passwords
         entered and recover files copied with SCP to or from the system.

mon/     This holds the application that watches the sebek device and
         transmits the data onto the LAN. There are a couple of options
         as to which application to use, but all do essentially the
         following: decouple the time between interactive data being
         recorded by the rootkit and the transmission of packets, obscure
         the true source of the packets by forging all header data
         possible, and encrypt the data of value.

sniff/   This holds the application that is used to collect data from the
         local LAN. It can collect data from multiple honeypots
         concurrently, and each honeypot has its own logfile based on the
         IP address of the honeypot. In its native form the logfile is not
         pleasing to the eye, but we have provided a mechanism to render
         the logfile according to the desires of the user.

dump/    This contains the perl scripts used to process the sniff logs and
         extract copied files, interactive session activity, etc.
         Currently, only one script, called sbdump, is present. Without
         this script, examining the logfiles by hand will make you sad and
         weepy.

Check out ./sebek.html for how to make this fly.

Current Status:

I would consider this an early beta at best, but in many situations it is
still darn useful. Most of the actual code has been used for some time;
however, the build process is quite crude and may be displeasing. We
intend to resolve this shortly. As well, the documentation, as you can
see, also sucks, but soon that will suck less.

Contact Info:

Questions, Comments, and Insults can be directed to ebalas@iu.edu
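The collector side of the design above (the sniff/ component), as an added
example written for this README rather than Sebek's own code: it parses
Ethernet/IPv4/UDP frames off the LAN, keeps only those on the configured
SRC/DST ports, and appends each payload to a per-honeypot log keyed by the
source IP, which is the only field the collector has to go on since the
source MAC and IP are whatever the honeypot chose to forge. Everything
below is an assumption of this example, not a description of Sebek's wire
format: port 1101 and the two honeypot addresses are constructed sample
values, the frames are built locally so the script runs offline, and the
Blowfish decryption and the record layout inside the payload (neither of
which this page documents) are left to a caller-supplied decrypt callback.

```python
"""Minimal Sebek-style collector: demultiplex spoofed UDP frames into
per-honeypot logs keyed by source IP.  Added example, not Sebek's own
sniff/ code; the frame builder constructs sample traffic offline."""
import socket
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header.
    Run over a header that already contains its checksum, it returns 0
    if and only if the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame standing in for a Sebek packet.
    The MAC and IP addresses are whatever the sender chooses, which is
    exactly how the honeypot obscures the true source of the packets."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum 0 = absent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]  # fill in header checksum
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + udp


def parse_frame(frame: bytes):
    """Return (src_ip, sport, dport, payload) for a well-formed IPv4/UDP
    frame, or None for anything truncated, non-IPv4, non-UDP or with a bad
    header checksum (a cheap filter against garbage on a noisy LAN)."""
    if len(frame) < 14 + 20 + 8:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ver_ihl = ip[0]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    if ip_checksum(ip[:ihl]) != 0:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_UDP or total_len > len(ip) or total_len < ihl + 8:
        return None
    udp = ip[ihl:total_len]
    sport, dport, udp_len = struct.unpack("!HHH", udp[:6])
    if udp_len < 8 or udp_len > len(udp):
        return None
    return socket.inet_ntoa(ip[12:16]), sport, dport, udp[8:udp_len]


def collect(frames, dst_port, src_port=None, decrypt=lambda payload: payload):
    """Keep only frames on the configured port(s) and append each payload
    to the log of the honeypot whose IP appears as the source, one log per
    honeypot as sniff/ does.  'decrypt' is where Blowfish decryption of the
    payload would be plugged in; this example leaves it as identity."""
    logs = defaultdict(list)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_ip, sport, dport, payload = parsed
        if dport != dst_port or (src_port is not None and sport != src_port):
            continue
        logs[src_ip].append(decrypt(payload))
    return dict(logs)


def sample_frames():
    """Constructed sample traffic: two honeypots that forge the same source
    MAC (so the MAC cannot be used to tell them apart), one unrelated UDP
    packet on another port, and one junk frame."""
    mac_src, mac_dst = "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"
    return [
        build_frame(mac_src, mac_dst, "10.0.0.5", "10.0.0.200", 1101, 1101, b"ls -la\n"),
        build_frame(mac_src, mac_dst, "10.0.0.6", "10.0.0.200", 1101, 1101, b"cat /etc/passwd\n"),
        build_frame(mac_src, mac_dst, "10.0.0.7", "10.0.0.200", 5353, 53, b"not sebek"),
        b"\x00" * 30,
    ]


if __name__ == "__main__":
    for honeypot, records in sorted(collect(sample_frames(), dst_port=1101).items()):
        print(honeypot, records)
```

Feeding real traffic in means replacing sample_frames() with raw frames
from a packet socket or a pcap reader and supplying a decrypt callback that
matches the honeypot's mon/ configuration; the port filter is the only thing
that distinguishes Sebek packets from the rest of the LAN once the
addresses are forged, so keep the ports unusual and the key private.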