readme
Sebek Device Monitor (SDM)

Introduction:

This program, sdm, reads the sebek device and, based on some fudge factors, sends spoofed UDP packets with the payload encrypted. It is anticipated that sebeksniff will be run on a different machine in the same broadcast domain to collect these packets. sdm employs a number of techniques to make the task of exporting data over the network less obvious to an intruder on a honeynet:

1. forge the SRC and DST IP addresses.
2. forge the SRC and DST port numbers.
3. forge the MAC addresses used in a way that they "jive" with the IPs.
4. transmit decoys when there is no system activity.

All forging is controlled through command line options.

Building:

This application requires the presence of openssl and libnet. To build, type "make". We are in the process of getting an autotools based build process working, but for now, let's not pay attention to that.

Operation:

The basic usage can be discovered by running without options:

[edb@supersecret mon]$ ./sdm
  -s source IP network specification: a.b.c.d/xy
  -d destination IP network specification: a.b.c.d/xy
  -k encryption key
  -d destination port number
  -m magic number
  -f filename
  -x maximum interpacket delay

(Note that the usage text, as printed, lists -d for both the destination IP network and the destination port number; the examples below use it both ways.)

Examples:

To make everything pretty random including port data:

  sdm -d 10.0.0.0/8 -s 10.0.0.0/8 -m 666 -k key

To have a static destination addr and port:

  sdm -d 10.0.0.1/32 -s 10.0.0.0/8 -d 123 -k key

To have static src and dst with static ports:

  sdm -d 10.0.0.1/32 -s 10.0.0.2/32 -d 123 -m 223

  (the src port = value of -m minus value of -d)

Most of this is pretty straightforward except how you configure a static source and destination port, and what a magic number is. The magic number defines what the sum of the src port and dst port must be. Thus if you want the src and dst port to seem random, don't configure a dst port and just set the magic number. If you want to specify both the dst port and the src port, then you use -d and -m in combination: once you specify the destination port, the src port will be the magic number minus the dst port number.

If no filename is specified with the -f flag, sdm will by default read from /dev/sebek.

To limit the rate at which packets are sent on the network you can set the -x option. This sets the maximum interpacket delay, expressed in microseconds. The default value is 1000000, or 1 second. In operation, sdm will select a random number between 0 and the defined maximum interpacket delay to use as the delay between packet transmissions. Adjusting this has a direct effect on the throughput of the sebek system: the higher the value, the less suspicious the traffic is on the network, but as the delay is increased so too do the chances of data loss due to not servicing the sebek device before its ring buffer fills up.
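The following C program is an added illustration of the selection rules described above; it is not the sdm source and not part of this README. It reimplements, with made-up function names, the three rules the text states (a random host drawn from an a.b.c.d/xy network spec, src port + dst port == magic number with the dst port either fixed by -d or drawn at random, and a uniform delay in [0, -x]) and adds the one-line check a collector such as sebeksniff could apply to recognise the flow. The sample network specs, magic numbers and the seeded random values are constructed for the example.

```c
/* Added example, not the sdm source: reimplements the README's
 * address/port/delay rules with invented helper names. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Parse "a.b.c.d/xy" into a host-order network base and prefix length. */
int parse_netspec(const char *spec, uint32_t *net, int *prefix)
{
    char buf[32], *slash, *end;
    struct in_addr a;
    long p;
    uint32_t mask;

    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (!slash) return -1;                       /* prefix length is mandatory */
    *slash = '\0';
    p = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || p < 0 || p > 32) return -1;
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;
    mask = (p == 0) ? 0u : (0xffffffffu << (32 - p)); /* avoid a shift by 32 */
    *net = ntohl(a.s_addr) & mask;
    *prefix = (int)p;
    return 0;
}

/* Random host inside the network; a /32 always yields the same fixed host.
 * r is the caller's random value, so the choice is reproducible in tests. */
uint32_t pick_addr(uint32_t net, int prefix, uint32_t r)
{
    uint32_t hostbits = (prefix == 32) ? 0u : (0xffffffffu >> prefix);
    return net | (r & hostbits);
}

/* Choose src/dst ports so that sport + dport == magic.
 * dst == 0 means "not configured": dst is drawn at random from the range
 * in which both ports still fit in 1..65535. Returns -1 when impossible. */
int pick_ports(unsigned magic, unsigned dst, uint32_t r,
               uint16_t *sport, uint16_t *dport)
{
    unsigned lo, hi;

    if (magic < 2) return -1;                    /* both ports must be >= 1 */
    lo = (magic > 65535u) ? magic - 65535u : 1u;
    hi = (magic - 1u < 65535u) ? magic - 1u : 65535u;
    if (lo > hi) return -1;
    if (dst == 0) dst = lo + (r % (hi - lo + 1));
    if (dst < lo || dst > hi) return -1;         /* a -d that leaves no valid src */
    *dport = (uint16_t)dst;
    *sport = (uint16_t)(magic - dst);
    return 0;
}

/* Interpacket delay in microseconds, uniform on [0, max_us] (default 1000000). */
unsigned long pick_delay_us(unsigned long max_us, uint32_t r)
{
    return (unsigned long)r % (max_us + 1);
}

/* Collector-side test: every packet of one sdm session satisfies this
 * invariant, which is also why the "random" ports are not independent. */
int matches_magic(uint16_t sport, uint16_t dport, unsigned magic)
{
    return (unsigned)sport + (unsigned)dport == magic;
}

int main(void)
{
    /* Constructed equivalent of: sdm -d 10.0.0.0/8 -s 10.0.0.0/8 -m 666 */
    uint32_t snet, dnet, s, d;
    int sp, dp, i;
    uint16_t sport, dport;
    char sbuf[INET_ADDRSTRLEN], dbuf[INET_ADDRSTRLEN];
    struct in_addr a;

    srand(1);
    if (parse_netspec("10.0.0.0/8", &snet, &sp) || parse_netspec("10.0.0.0/8", &dnet, &dp))
        return 1;
    for (i = 0; i < 3; i++) {
        s = pick_addr(snet, sp, (uint32_t)rand());
        d = pick_addr(dnet, dp, (uint32_t)rand());
        if (pick_ports(666, 0, (uint32_t)rand(), &sport, &dport)) return 1;
        a.s_addr = htonl(s); inet_ntop(AF_INET, &a, sbuf, sizeof sbuf);
        a.s_addr = htonl(d); inet_ntop(AF_INET, &a, dbuf, sizeof dbuf);
        printf("%s:%u -> %s:%u  delay %lu us  magic ok=%d\n", sbuf, sport, dbuf, dport,
               pick_delay_us(1000000, (uint32_t)rand()), matches_magic(sport, dport, 666));
    }
    return 0;
}
```

Two things the README's rules imply and the code makes explicit: a -d port that is larger than the magic number (or that leaves the src port outside 1..65535) cannot be honoured, so a configuration check is needed before the first packet goes out; and because src + dst is constant for a whole session, anyone who captures a handful of packets can recover the magic number and then select every sdm packet with the same matches_magic test the collector uses, so the magic number should be treated as a session secret rather than as a cosmetic setting.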