HoneyView - a honeyd Logfile Analyzer
Motivation
honeyd is an excellent tool to collect data from hackers and
script-kiddies, but it can be difficult to get an overview of what
really happens. Scrolling through ASCII logfiles in "vi" is time
consuming and annoying.
A possible solution is HoneyView. Its goal is to present the logfile
data graphically and textually in a condensed form, so you get a quick
and easy overview. Most of the activities which happen at honeyd are
time dependent, so HoneyView gives you the ability to focus on
certain time intervals.
How it works
Basically HoneyView has two components:
- some weird shell scripts that are invoked by "cron" to push the
honeyd log data into the DBMS (currently MySQL is supported).
- a PHP-based web interface to query the honeyd data in the
database and to generate some useful diagrams, so you can see very
quickly what has happened and get an overview of the situation with
a few mouse clicks.
The basic idea was to put the honeyd data (currently only the data from
honeyd's main logfile) into a database to allow efficient queries of
this large amount of data through a web interface. The web interface
should allow two things:
- Query and view the data in a text-based format.
- Generate diagrams to get a quick overview.
The data gathering is done by a cron job which is invoked at certain
time intervals (one hour seems to be a good choice). A
HoneyView script parses the hourly honeyd logfile and pushes the data
into the DBMS. After this, the data is available from the web
interface, which lets you set your query options using forms and
presents the results as diagrams or text.
Features of the Web Interface
The Web interface currently supports the following things:
- Show which ports were attacked within a certain time range using
pie charts. It's also possible to limit the result by specifying an
IP address or domain name; partial IPs or domain names also work.
- Show which remote IP addresses "visited" your honeypot in a
certain time range using a pie chart. Here it's possible to
specify a port number to show activity on a specific port.
- A timeline-based hit statistic showing how many hits per second
your honeypot got in a certain time range.
- A textual hit statistic over a certain time range. By specifying
an IP address or host name and / or a port number you have the
ability to focus on specific events.
- View of the original honeyd log data over a specific time range.
- Certain short summaries which give you a quick overview.
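The pipeline described above (parse the honeyd main logfile, push it into a database, answer the port, source and timeline queries behind the web forms), as an added example that is not HoneyView's own code: the project uses shell scripts, PHP and MySQL, while this version uses Python and SQLite so it runs without a server. The log layout is assumed to be honeyd's "timestamp proto(num) flag src sport dst dport" shape, the sample lines are constructed, and the table and column names are my own. Every form value is passed as a bound parameter and LIKE wildcards in the partial-address filter are escaped, which is the check a web front end over such a database needs.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample of honeyd main-log lines (layout assumed, not real captures).
# "S" = new TCP connection, "E" = TCP connection end with byte counts,
# "-" = connectionless packet (UDP / ICMP). The last line is deliberate garbage.
SAMPLE_LOG = """\
2003-05-01-10:31:04.1234 tcp(6) S 192.168.1.5 2345 10.0.0.1 445 [Windows XP SP1]
2003-05-01-10:31:05.5678 tcp(6) E 192.168.1.5 2345 10.0.0.1 445: 120 340
2003-05-01-10:31:06.0001 tcp(6) S 192.168.1.5 2346 10.0.0.1 139 [Windows XP SP1]
2003-05-01-10:31:06.4000 udp(17) - 192.168.1.7 1025 10.0.0.1 137: 78
2003-05-01-10:31:07.0000 icmp(1) - 192.168.1.8 10.0.0.1: 8(0): 56
2003-05-01-11:02:10.0000 tcp(6) S 10.9.8.7 40001 10.0.0.1 445 [Linux 2.4]
2003-05-01-11:02:10.5000 tcp(6) S 10.9.8.7 40002 10.0.0.1 22 [Linux 2.4]
this line is garbage and must not crash the loader
"""

# A "hit" is a new TCP connection (S) or a UDP datagram (-). TCP end records (E)
# and ICMP lines (different column layout) are skipped rather than mis-parsed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2})\.\d+\s+"
    r"(?P<proto>tcp|udp)\(\d+\)\s+(?P<flag>[S-])\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dport>\d+)"
)

SCHEMA = """
CREATE TABLE hits (
    ts    TEXT    NOT NULL,  -- 'YYYY-MM-DD HH:MM:SS', sorts and ranges as text
    proto TEXT    NOT NULL,
    src   TEXT    NOT NULL,
    sport INTEGER NOT NULL,
    dst   TEXT    NOT NULL,
    dport INTEGER NOT NULL
);
CREATE INDEX hits_ts ON hits(ts);
"""


def parse_line(line):
    """Return a row tuple for one log line, or None if it is not a hit record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d-%H:%M:%S").strftime("%Y-%m-%d %H:%M:%S")
    return (ts, m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def build_db():
    """Create the schema in an in-memory SQLite database (assumed table layout)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def load(conn, text):
    """Parse every line of one hourly logfile; returns (inserted, skipped)."""
    rows, skipped = [], 0
    for line in text.splitlines():
        row = parse_line(line)
        if row is None:
            skipped += 1
        else:
            rows.append(row)
    conn.executemany("INSERT INTO hits VALUES (?,?,?,?,?,?)", rows)
    conn.commit()
    return len(rows), skipped


def _like_prefix(prefix):
    """Turn user input into a safe LIKE prefix pattern: escape \\ % _ then add %."""
    escaped = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return escaped + "%"


def hits_per_port(conn, start, end, src_prefix=None):
    """Data for the 'attacked ports' pie chart; optional partial source address."""
    sql = "SELECT dport, COUNT(*) FROM hits WHERE ts BETWEEN ? AND ?"
    params = [start, end]
    if src_prefix:
        sql += " AND src LIKE ? ESCAPE '\\'"
        params.append(_like_prefix(src_prefix))
    sql += " GROUP BY dport ORDER BY 2 DESC, dport"
    return conn.execute(sql, params).fetchall()


def hits_per_source(conn, start, end, dport=None):
    """Data for the 'visiting addresses' pie chart; optional port filter."""
    sql = "SELECT src, COUNT(*) FROM hits WHERE ts BETWEEN ? AND ?"
    params = [start, end]
    if dport is not None:
        sql += " AND dport = ?"
        params.append(int(dport))
    sql += " GROUP BY src ORDER BY 2 DESC, src"
    return conn.execute(sql, params).fetchall()


def hits_per_second(conn, start, end):
    """Data for the timeline: one (second, count) pair per second that had hits."""
    sql = "SELECT ts, COUNT(*) FROM hits WHERE ts BETWEEN ? AND ? GROUP BY ts ORDER BY ts"
    return conn.execute(sql, (start, end)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("loaded/skipped:", load(db, SAMPLE_LOG))
    day = ("2003-05-01 00:00:00", "2003-05-01 23:59:59")
    print("ports:", hits_per_port(db, *day))
    print("ports from 192.168.:", hits_per_port(db, *day, src_prefix="192.168."))
    print("sources on 445:", hits_per_source(db, *day, dport=445))
    print("timeline:", hits_per_second(db, "2003-05-01 10:31:00", "2003-05-01 10:31:59"))
```

The cron side of the real tool simply calls a loader like `load()` once per hourly file; storing timestamps in a sortable text form keeps the BETWEEN range queries on the index, which is what makes the time-interval focus cheap on a large table.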
Conclusion
HoneyView can help you save time when watching and analyzing the
activities on your honeypot. In a production environment it may
speed up the detection of unwanted activities if you use your
honeypot as a bad-guy indicator.
Future work
To make HoneyView more useful, some more things could be done:
- Make the web interface more flexible (e.g. allow the negative
interpretation of input.
Example: Port = !445 == show activities on all ports but 445).
- Put the logfile data of port-bound honeyd scripts (like
telnet.sh) into the DBMS.
- Implement statistical analysis, for example: calculate the
"attack average level" and then show all activities that are
significantly above this level.
Download
HoneyView is available under the GPL at SourceForge:
http://sourceforge.net/projects/honeyview
01.05.2003 Karl Hable
hable@kh-soft.de