Originally Posted by ActiveX
Traffic has been logged from all over the world for some time now between various monitoring hosts that were behind iptables firewalls. The machines were used for logging/monitoring of attacks on default ports. Now we want to step it up and focus on the SSH attacks, hopefully using Sebek on a new machine to monitor what happens AFTER a breach. 98% of what we've observed so far has not resulted in a breach and when it has we've pulled the plug. Obviously for a honeypot we might ease back on the complexity of the passwords. This isn't just for curiosity. I want to research and document real attacks/compromises with high detail. That's why I wanted to use Sebek rather than just checking logs. I am open to advice from anyone who's used it, as it sounds like a good program for what I want to do.
Sounds like you've everything pretty much mapped out already.
Instead of 'pulling the plug' when a breach happens, observe what the attacker does AFTER the breach. Watch what the attacker does to further compromise the machine: he/she may immediately change the password after getting in, then cleanse the logs of the breach, then start installing trojans that will allow him/her backdoors into the machine if the breach is discovered and remedied, then start installing key loggers and sniffers to capture valuable data.
When you start seeing any such activity such as the culprit launching DoS attacks against other networks or attempting to enlist other potential zombie machines, pull the plug then.
I don't think the objective of using a honeypot is to observe attempts then drop the connections when a breach occurs...if that's the case, plain ole snort or a HIDS would work better.
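As an added example (not part of the original thread, and not Sebek's own code): a small Python sketch of the host-side observation the reply describes, comparing two snapshots of a honeypot's sensitive files and classifying what changed (credential edits, log truncation, new persistence entries). All paths and file contents below are constructed samples.

```python
import hashlib

# Files whose modification on a honeypot suggests the intruder changed a password.
CREDENTIAL_FILES = {"/etc/shadow", "/etc/passwd"}
# Directories where a newly created file suggests a persistence mechanism.
PERSISTENCE_DIRS = ("/etc/cron.d/", "/etc/init.d/", "/etc/rc.local")

def snapshot(files):
    """Reduce path -> contents into path -> (size, sha256) for cheap comparison."""
    return {p: (len(c), hashlib.sha256(c).hexdigest()) for p, c in files.items()}

def diff_snapshots(before, after):
    """Return sorted (path, event) pairs describing changes between two snapshots."""
    events = []
    for path, (size_b, hash_b) in before.items():
        if path not in after:
            events.append((path, "deleted"))
            continue
        size_a, hash_a = after[path]
        if hash_a == hash_b:
            continue  # unchanged
        if path.startswith("/var/log/") and size_a < size_b:
            events.append((path, "truncated"))          # log cleansing
        elif path in CREDENTIAL_FILES:
            events.append((path, "credentials-modified"))  # password change
        else:
            events.append((path, "modified"))
    for path in after.keys() - before.keys():
        kind = "new-persistence-file" if path.startswith(PERSISTENCE_DIRS) else "created"
        events.append((path, kind))
    return sorted(events)

# Constructed sample: state before and after a simulated post-breach session.
BEFORE_FILES = {
    "/etc/shadow": b"root:$6$constructedsalt$constructedhash:19000:0:99999:7:::\n",
    "/var/log/auth.log": b"Failed password for root from 198.51.100.7 port 41022\n" * 200,
    "/etc/cron.d/logrotate": b"0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
}
AFTER_FILES = dict(BEFORE_FILES)
AFTER_FILES["/etc/shadow"] = b"root:$6$constructedsalt$DIFFERENTHASH:19000:0:99999:7:::\n"
AFTER_FILES["/var/log/auth.log"] = b""                       # log wiped
AFTER_FILES["/etc/cron.d/.update"] = b"@reboot root /var/tmp/placeholder\n"  # placeholder

if __name__ == "__main__":
    for path, event in diff_snapshots(snapshot(BEFORE_FILES), snapshot(AFTER_FILES)):
        print(f"{event:22} {path}")
```

On a real honeypot the snapshots would be taken from the filesystem at each polling interval; the classification logic is unchanged.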