/usr/share/honeyd/scripts/honeydsum-v0.3/README is in honeyd-common 1.5c-8ubuntu1.
This file is owned by root:root, with mode 0o644.
Honeydsum v. 0.3
Thu Apr 15 09:30:31 BRT 2004
Copyright (c) 2004 Lucio Henrique Franco <lucio@lac.inpe.br>
and Carlos Henrique Peixoto Caetano Chaves <cae@lac.inpe.br>
1. License Information
Honeydsum is free software. Please refer to the source
code for detailed information.
2. What's Honeydsum?
Honeydsum is a tool written in Perl designed to generate a
summary from honeyd logs. The summaries may be produced using
different parameters as filters, such as ports, protocols,
IP addresses or networks. It shows the top source hosts and
accessed ports and the number of connections per hour, and
supports input from multiple log files. It allows the user to
specify the honeypot network address and other network addresses,
which are sanitized by replacing each one with its corresponding
fake network. Networks (address and size) are validated before
the data is sanitized. It is able to generate a summary in text
or in valid HTML. There is also an option to create graphics
illustrating the information shown in the summary. The script
can also correlate events from several honeypots.
3. Requires:
- Honeyd Logs v. 0.7 or later
- Perl
- Net::Netmask module for Perl
- GD module for Perl
- GD::Graph::pie module for Perl
- GD::Graph::bars module for Perl
- GD::Graph::bars3d module for Perl
4. Tested Systems
Honeydsum is a Perl script run with the -T (taint mode) and -w
(warnings) options. It was tested on OpenBSD 3.4 and Slackware
Linux 9.1, with Perl 5.8.0 and with honeyd logs versions 0.7 and 0.8.
5. Features:
- Display honeypot configuration from honeyd.conf;
- Filter by list of honeypot IP addresses;
- Filter by list of IP or network addresses;
- Filter by list of destination ports;
- Filter by list of protocols;
- Connection counter;
- Connections per hour;
- Sanitization of distinct network addresses;
- Validation of networks (address and size) before the data is
sanitized;
- Support for multiple honeyd log and conf files;
- Graphics generation;
6. Usage:
./honeydsum.pl -c honeydsum.conf [-hVw] log-file1 log-file2 ... log-filen
Where:
-c honeydsum.conf  use honeydsum.conf as the configuration file.
-h                 display this help and exit.
-V                 display version number and exit.
-w                 display output as web page (HTML).
7. Examples:
Assumptions:
- List of honeypots: 10.0.1.1, 10.0.1.2
- List of source networks for filtering: 192.168.1.0/24, 192.168.2.0/24
- List of destination ports: 21, 80
- List of protocols: tcp
Configuration File Options:
# honeyd.conf file (supports multiple files, e.g. honeyd_conf=../honeyd.conf,/tmp/honeyd.conf.alt).
# Use a comma as separator for each option below.
honeyd_conf=honeyd.conf
# list of honeypot IP addresses for filtering.
honeypot_list=10.0.1.1,10.0.1.2
# list of source IP or Network addresses for filtering.
net_list=192.168.1.0/24,192.168.2.0/24
# list of destination ports.
dest_port=21,80
# list of protocols.
proto_list=tcp
Run:
$ /<path-of-file>/honeydsum.pl -c honeydsum.conf honeyd.log.2003-10-10-00\:00 honeyd.log.2003-11-11-00\:00
Output:
### Honeypot's Configuration ###
Linux 2.4.18 - 2.4.20 (X86)
( / 10.0.1.1, 10.0.1.2 / )
21/tcp
80/tcp
--------------------------------------
Connection Counter
--------------------------------------
Total: 10
TCP: 10
UDP: 0
ICMP: 0
--------------------------------------
--------------------------------------
Honeypot: 10.0.1.1
--------------------------------------
Source IP       Resource    Connections
192.168.1.15    21/tcp      1
--------------------------------------
IPs    Resources    Connections
1      1            1
--------------------------------------
--------------------------------------
Honeypot: 10.0.1.2
--------------------------------------
Source IP       Resource    Connections
192.168.1.15    21/tcp      1
192.168.2.15    21/tcp      1
192.168.2.100   80/tcp      7
--------------------------------------
IPs    Resources    Connections
3      2            9
--------------------------------------
Top 10 Source Hosts
Rank   Source IP        Connections
1      192.168.2.100    7
2      192.168.1.15     2
3      192.168.2.15     1
Top 10 Accessed Resources
Rank   Resource    Connections
1      80/tcp      7
1      21/tcp      3
Connections per Hour
Hour Connections
00:00 0
01:00 0
02:00 0
03:00 0
04:00 0
05:00 0
06:00 0
07:00 0
08:00 0
09:00 0
10:00 0
11:00 0
12:00 0
13:00 0
14:00 0
15:00 9
16:00 1
17:00 0
18:00 0
19:00 0
20:00 0
21:00 0
22:00 0
23:00 0
See output sample in HTML at:
http://www.honeynet.org.br/tools/
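The following is an added illustration, not honeydsum's own Perl code: it parses a honeydsum.conf-style option block, applies the honeypot, network, port and protocol filters described above, and builds the connection counter, per-honeypot table, top-source list and per-hour table that the summary shows. The log lines are constructed, and the honeyd log layout ("timestamp proto(num) flag src sport dst dport ...") is an assumption, not taken from this README.

```python
from collections import Counter
from ipaddress import ip_address, ip_network
# Constructed honeydsum.conf-style options (key=value, comma-separated lists).
CONF = """honeypot_list=10.0.1.1,10.0.1.2
net_list=192.168.1.0/24,192.168.2.0/24
dest_port=21,80
proto_list=tcp
"""
# Constructed honeyd-style log lines; the layout "timestamp proto(num) flag src
# sport dst dport ..." is assumed here (flag S = connection start, E = end).
LOG = """2003-10-10-15:01:02.0001 tcp(6) S 192.168.2.100 4001 10.0.1.2 80
2003-10-10-15:01:09.0002 tcp(6) E 192.168.2.100 4001 10.0.1.2 80: 120 300
2003-10-10-15:02:10.0003 tcp(6) S 192.168.1.15 4002 10.0.1.1 21
2003-10-10-16:00:00.0004 tcp(6) S 192.168.2.15 4003 10.0.1.2 21
2003-10-10-16:00:30.0005 tcp(6) S 172.16.0.5 4004 10.0.1.2 80
2003-10-10-16:01:00.0006 udp(17) S 192.168.1.15 5353 10.0.1.2 53
2003-10-10-16:02:00.0007 tcp(6) S 192.168.1.15 4005 10.0.1.9 80
"""

def parse_conf(text):
    """Return {option: [values]}; blank lines and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return conf

def summarize(conf, log):
    pots = set(conf.get("honeypot_list", []))
    # ip_network() rejects a bad address or prefix size before any log is read.
    nets = [ip_network(n) for n in conf.get("net_list", [])]
    ports, protos = set(conf.get("dest_port", [])), set(conf.get("proto_list", []))
    per_pot, top_src = {}, Counter()
    per_hour = Counter({f"{h:02d}:00": 0 for h in range(24)})
    for line in log.splitlines():
        f = line.split()
        if len(f) < 7 or f[2] != "S":          # count connection starts only
            continue
        ts, proto, src, dst, dport = f[0], f[1].split("(")[0], f[3], f[5], f[6].rstrip(":")
        if (pots and dst not in pots) or (protos and proto not in protos):
            continue
        if (ports and dport not in ports) or (nets and not any(ip_address(src) in n for n in nets)):
            continue
        per_pot.setdefault(dst, Counter())[(src, f"{dport}/{proto}")] += 1
        top_src[src] += 1
        per_hour[ts[11:13] + ":00"] += 1      # hour field of the timestamp
    return {"total": sum(top_src.values()), "per_honeypot": per_pot,
            "top_sources": top_src.most_common(10), "per_hour": dict(per_hour)}
```

Of the seven constructed lines, only three survive the filters: the connection end record, the source outside the listed networks, the udp packet and the connection to an unlisted honeypot are all dropped.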
8. Limitations
Honeydsum is code under development. At this time
it has some limitations, such as:
1. It might be slow
2. It might not offer the desired output alternatives
3. It might not offer all desired information in a summary
9. Obtaining this software
This software is available at:
http://www.honeynet.org.br/tools/
10. Reports and questions
Please send comments, questions and bug reports to
lucio@lac.inpe.br or cae@lac.inpe.br.
11. Acknowledgments
The authors would like to thank some collaborators:
- Andre Ricardo,
- Thiago Alves Siqueira, and
Honeynet.BR Team for their suggestions and tests.
### README ends here.