Honeydsum v. 0.2
Tue Mar 9 16:05:19 BRT 2004
Copyright (c) 2004 Lucio Henrique Franco and Carlos H. P. C. Chaves

1. License Information

Honeydsum is free software. Please refer to the source code for detailed
information.

2. What's Honeydsum?

Honeydsum is a tool written in Perl designed to generate a text summary
from Honeyd logs. The summaries may be produced using different parameters
as filters, such as ports, protocols, IP addresses or networks. It shows
the top source hosts and accessed ports and the number of connections per
hour, and supports input from multiple log files. The script can also
correlate events from several honeypots.

3. Requires:

- Honeyd logs v. 0.7 or later
- Perl
- Net::Netmask module for Perl

4. Tested Systems

Honeydsum is a Perl script run with the -T (taint checking) and -w
(warnings) options. It was tested on OpenBSD 3.4 with Perl 5.8.0 and with
honeyd log versions 0.7 and 0.8.

5. Features:

- Display honeypot configuration from honeyd.conf;
- Filter by list of honeypot's IP addresses;
- Filter by list of IP or Network addresses;
- Filter by list of destination ports;
- Filter by list of protocols;
- Connection counter;
- Connections per hour;

6. Usage:

./honeydsum.pl [-c honeyd.conf file] [-hV] [-i IP1,IP2,...,IPn]
               [-n IP1|NET1,...,IPn|NETn] [-p PORT1,PORT2,...,PORTn]
               [-s NUMBER] [-t PROTO1,PROTO2,...,PROTOn]
               log-file1 log-file2 ... log-filen

Where:

-c honeyd.conf file
-i list of honeypot's IP addresses.
-h display this help and exit.
-n source IP or Network addresses for filtering.
-p list of destination ports.
-s number of records on top (default 10).
-t list of protocols.
-V display version number and exit.

7. Examples:

Assumptions:

- List of honeypot's network(s): 10.0.1.1, 10.0.1.2
- List of source NET for filtering: 192.168.1.0/24, 192.168.2.0/24
- List of destination ports: 21, 80
- List of protocols: tcp

Run:

$ ./honeydsum.pl -c honeyd.conf \
    -i 10.0.1.1,10.0.1.2 -n 192.168.1.0/24,192.168.2.0/24 -p 21,80 \
    -t tcp honeyd.log.2003-10-10-00\:00 honeyd.log.2003-11-11-00\:00

Output:

### Honeypot's Configuration ###
Linux 2.4.7 (X86) ( / 10.0.1.1, 10.0.1.2 / )
21/tcp
80/tcp

--------------------------------------
Connection Counter
--------------------------------------
Total: 10
TCP:   10
UDP:   0
ICMP:  0
--------------------------------------

--------------------------------------
Honeypot: 10.0.1.1
--------------------------------------
Source IP        Resource   Connections
192.168.1.15     21/tcp     1
--------------------------------------
IPs   Resources   Connections
1     1           1
--------------------------------------

--------------------------------------
Honeypot: 10.0.1.2
--------------------------------------
Source IP        Resource   Connections
192.168.1.15     21/tcp     1
192.168.2.15     21/tcp     1
192.168.2.100    80/tcp     7
--------------------------------------
IPs   Resources   Connections
3     2           9
--------------------------------------

Top 10 Source Hosts
Rank   Source IP        Connections
1      192.168.2.100    7
2      192.168.1.15     2
3      192.168.2.15     1

Top 10 Accessed Resources
Rank   Resource   Connections
1      80/tcp     7
1      21/tcp     3

Connections per Hour
Hour    Connections
00:00   0
01:00   0
02:00   0
03:00   0
04:00   0
05:00   0
06:00   0
07:00   0
08:00   0
09:00   0
10:00   0
11:00   0
12:00   0
13:00   0
14:00   0
15:00   9
16:00   1
17:00   0
18:00   0
19:00   0
20:00   0
21:00   0
22:00   0
23:00   0

8. Limitations

Honeydsum is code under development. At this time it has some limitations,
such as:

1. Might be slow
2. Might not offer the desired output alternatives
3. Might not offer all desired information in a summary

9. Obtaining this software

This software is available at: http://www.honeynet.org.br/tools/
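As an added illustration (not part of Honeydsum or this README), the Python script below reproduces the core of the summary shown above: it applies the -i/-n/-p/-t filters to log records and builds the per-honeypot, top-source, top-resource and per-hour counts. It assumes the honeyd text log layout (timestamp, proto(num), an S/E/- record flag, source IP and port, destination IP and port) and runs on a constructed log sample; ICMP records, which carry no ports, are not matched by its pattern.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample (not from the README) in the assumed honeyd -l layout:
# <timestamp> <proto>(<num>) <S|E|-> <src> <sport> <dst> <dport> [...]
SAMPLE_LOG = """\
2003-10-10-15:02:11.000123 tcp(6) S 192.168.2.100 40001 10.0.1.2 80 [Linux 2.4.x]
2003-10-10-15:02:12.000456 tcp(6) E 192.168.2.100 40001 10.0.1.2 80: 120 340
2003-10-10-15:10:05.000789 tcp(6) S 192.168.1.15 40002 10.0.1.1 21 [Windows XP]
2003-10-10-15:11:30.000111 tcp(6) S 192.168.2.15 40003 10.0.1.2 21
2003-10-10-16:00:01.000222 tcp(6) S 192.168.1.15 40004 10.0.1.2 21
2003-10-10-16:00:02.000333 udp(17) - 192.168.1.15 53 10.0.1.1 53: 48
2003-10-10-16:00:03.000444 tcp(6) S 172.16.0.9 40005 10.0.1.2 80
"""

# Captures date, hour, protocol name, record flag, src, sport, dst, dport.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})-(\d{2}):\d{2}:\d{2}\.\d+\s+"
    r"(\w+)\(\d+\)\s+(\S)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)"
)


def summarize(log_text, honeypots, networks, ports, protos, top=10):
    """One connection per TCP 'S' record or per UDP '-' record, after the
    -i (honeypots), -n (source nets), -p (ports) and -t (protocols) filters."""
    nets = [ip_network(n, strict=False) for n in networks]
    per_hp = {hp: Counter() for hp in honeypots}
    per_hour = Counter({f"{h:02d}:00": 0 for h in range(24)})
    sources, resources = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                       # e.g. ICMP records carry no ports
            continue
        _date, hour, proto, flag, src, _sport, dst, dport = m.groups()
        if flag == "E":                 # connection end, already counted at 'S'
            continue
        if dst not in per_hp or proto not in protos or int(dport) not in ports:
            continue
        if not any(ip_address(src) in n for n in nets):
            continue
        resource = f"{dport}/{proto}"   # printed as "21/tcp" in the summary
        per_hp[dst][(src, resource)] += 1
        per_hour[f"{hour}:00"] += 1
        sources[src] += 1
        resources[resource] += 1
    return {"per_honeypot": per_hp, "per_hour": per_hour,
            "top_sources": sources.most_common(top),
            "top_resources": resources.most_common(top)}
```

Calling summarize(SAMPLE_LOG, ["10.0.1.1", "10.0.1.2"], ["192.168.1.0/24", "192.168.2.0/24"], {21, 80}, {"tcp"}) drops the UDP record and the 172.16.0.9 source, leaving four counted connections.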
10. Reports and questions

Please send comments, questions and bug reports to lucio@lac.inpe.br or
cae@lac.inpe.br.

11. Acknowledgments

The authors would like to thank the Honeynet.BR Team for their suggestions
and tests.

### README ends here.