HoneyView - a honeyd Logfile Analyzer

Motivation

honeyd is an excellent tool to collect data from hackers and script-kiddies, but it can be difficult to get an overview of what really happens. Scrolling through ASCII logfiles in "vi" is time-consuming and annoying.

A possible solution is HoneyView. Its goal is to present the logfile data graphically and textually in a condensed form, so you get a quick and easy overview. Most of the activities that happen at honeyd are time-dependent, so HoneyView gives you the ability to focus on certain time intervals.

How it works

Basically, HoneyView has two components:
  1. some weird shell scripts that are invoked by "cron" to push the honeyd log data into the DBMS (currently MySQL is supported).
  2. a PHP-based web interface to query the honeyd data in the database and to generate some useful diagrams, so you can see very quickly what has happened and get an overview of the situation with a few mouse clicks.

The basic idea was to put the honeyd data (currently only the data from honeyd's main logfile) into a database to allow efficient queries over this large amount of data, using a web interface. The web interface should allow two things:
  1. Query and view the data in a text-based format.
  2. Generate diagrams to get a quick overview.

The data gathering is done by a cron job that runs at certain time intervals (one hour seems to be a good choice). A HoneyView script parses the hourly honeyd logfile and pushes the data into the DBMS. After that, the data is available from the web interface, which lets you set your query options using forms and presents the results as diagrams or text.
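As an added illustration (not HoneyView's own scripts, which are shell-based and load MySQL), the following Python sketch shows both halves of that pipeline: parsing honeyd's main logfile into a table the way the hourly cron step would, and running a time-window query of the kind the web interface turns into diagrams. The log line layout, the table name and the column names are assumptions, the sample lines are constructed, and SQLite stands in for MySQL so the example runs stand-alone.

```python
import re
import sqlite3

# Constructed sample in the layout of honeyd's main packet log (assumed format,
# check it against your honeyd version): ts proto(n) kind src [sport] dst [dport][: ...]
SAMPLE_LOG = """\
2003-05-01-10:12:34.1234 tcp(6) S 192.0.2.10 2345 198.51.100.5 80 [Windows XP SP1]
2003-05-01-10:12:41.5678 tcp(6) E 192.0.2.10 2345 198.51.100.5 80: 420 1337
2003-05-01-10:13:02.0001 udp(17) - 192.0.2.77 1026 198.51.100.5 137: 50
2003-05-01-10:13:09.4242 icmp(1) - 192.0.2.99 198.51.100.5: 8(0): 84
2003-05-01-10:45:15.0000 tcp(6) S 192.0.2.10 2346 198.51.100.5 22
2003-05-01-11:02:00.0000 tcp(6) S 192.0.2.10 2347 198.51.100.5 22
this line is corrupt and must be skipped rather than abort the cron run
"""
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})-(?P<time>\d{2}:\d{2}:\d{2})\.\d+\s+"
    r"(?P<proto>tcp|udp|icmp)\(\d+\)\s+(?P<kind>[SE-])\s+"
    r"(?P<src>[\d.]+)\s+(?:(?P<sport>\d+)\s+)?(?P<dst>[\d.]+)(?:\s+(?P<dport>\d+))?")

def parse_line(line):
    # One row per log line: (ts, proto, kind, src, sport, dst, dport); None if unparsable
    m = LINE_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    port = lambda k: int(g[k]) if g[k] else None  # udp/icmp lines have no port(s)
    return (f"{g['date']} {g['time']}", g["proto"], g["kind"],
            g["src"], port("sport"), g["dst"], port("dport"))

def load_log(conn, text):
    # The hourly cron step: parse, then bulk-insert with bound parameters
    # (log fields are attacker-controlled, so never concatenate them into SQL)
    rows = [r for r in map(parse_line, text.splitlines()) if r]
    conn.execute("CREATE TABLE IF NOT EXISTS packets (ts TEXT, proto TEXT, kind TEXT,"
                 " src TEXT, sport INTEGER, dst TEXT, dport INTEGER)")
    conn.executemany("INSERT INTO packets VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return len(rows)

def top_sources(conn, start, end, limit=5):
    # Time-window query like those behind the web interface's diagrams: connection
    # starts and single packets per source; TCP 'E' (connection end) records excluded
    return conn.execute(
        "SELECT src, COUNT(*) FROM packets WHERE ts >= ? AND ts < ? AND kind != 'E'"
        " GROUP BY src ORDER BY 2 DESC, src LIMIT ?", (start, end, limit)).fetchall()

def demo():
    db = sqlite3.connect(":memory:")
    loaded = load_log(db, SAMPLE_LOG)
    return loaded, top_sources(db, "2003-05-01 10:00:00", "2003-05-01 11:00:00")
```

Calling demo() loads six rows (the corrupt line is dropped, not fatal) and reports 192.0.2.10 twice in the 10:00 hour, with the 11:02 connection and the TCP end record left out.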

Features of the Web Interface

The web interface currently supports the following things:

Conclusion

HoneyView can help you save time when watching and analyzing the activities on your honeypot. In a production environment it may speed up the detection of unwanted activity if you use your honeypot as a bad-guy indicator.

Future work

To make HoneyView more efficient, some more things could be done:

Download

HoneyView is available under the GPL at SourceForge: http://sourceforge.net/projects/honeyview


01.05.2003 Karl Hable
hable@kh-soft.de