Honeydsum is a script created by Lucio Henrique Franco and Carlos Henrique Peixoto Caetano Chaves for the Brazilian Honeynet project. As described by it’s Authors, it is:
a tool written in Perl designed to generate a text summary from Honeyd logs. The summaries may be produced using different parameters as filters, such as ports, protocols, IP addresses or networks. It shows the top source and port access and the number of connections per hour, and supports input from multiple log files. The script can also correlate events from several honeypots.
Using the script from the commandline is straightforward; simple invoke with a config file and pass the honeyd log to be analysed. In addition to the usual textual output honeydsum is also capable of generating HTML results providing a quick and easy visual. The download site also includes some sample output files, both text and html (tgz archive).
$ /usr/share/honeyd/scripts/honeydsum-v0.3/honeydsum.pl
Usage: honeydsum.pl -c honeydsum.conf [-hVw] log-file1 log-file2 … log-filen
-c honeydsum.conf file.
-h display this help and exit.
-V display version number and exit.
-w display output as web page (HTML).
The bulk of the text based output provides a list of connections made from external sources to the systems emulated by the HoneyD instance. Using the provided sample output as an example provides the information below; on a live and publically accessible system this output will be significantly longer:
-------------------------------------- Honeypot: 10.0.0.70 -------------------------------------- Source IP Resource Connections 192.168.50.20 21/tcp 1 192.168.100.130 21/tcp 1 192.168.177.253 11/icmp 1 192.168.139.133 11/icmp 1 -------------------------------------- IPs Resources Connections 4 2 4 --------------------------------------
The end of the output contains the information that I find most useful. It provides several different summaries of all the traffic captured by the whole HoneyD environment. Summaries include:
The most frequent remote sources:
Top 10 Source Hosts Rank Source IP Connections 1 192.168.100.130 3 2 192.168.139.133 2 3 192.168.50.20 1 4 192.168.131.157 1 5 192.168.217.41 1 6 192.168.207.84 1 7 192.168.177.253 1
Most requested emulated services/resources:
Top 10 Accessed Resources Rank Resource Connections 1 21/tcp 4 2 11/icmp 4 3 53/udp 2
— Andrew Waite
Leave a comment