Honeysnap
Honeysnap Post Version 1.0.2 Releases
Newer releases of Honeysnap are available directly from the Honeynet Project web site tool section. Future releases will be made available there, and a public SVN repository will soon be available for those people wishing to contribute code.
Honeysnap 1.0.2 Released (30/11/06)
We are pleased to announce that the shell version of Honeysnap has finally been superceded by a more modular and scalable version written in Python. From version 1.0 forwards, Honeysnap becomes an official Honeynet Project tool and will be actively maintained. As the Python version of Honeysnap has now been released, if you are still using the previous shell versions (v0.93 or below), please consider upgrading immediately as the shell version will no longer be actively maintained and the Python version fixes a number of known issues, particularly relating to network flow extraction and IRC protocol parsing. The Python releases of Honeysnap are available here:
http://www.honeynet.org/tools/honeysnap/
For further information, or if you have any queries about this change, please contact us here.
Pre-python Shell Version Release History (up to v0.93)
This information will remain for historical reasons, but is now considered obsolete and replaced by the v1.x Python based releases of honeysnap.
Changes from 0.91 to 0.93
- Correctly handle /r at end of http filenames
- Tidy ‘file’ output for linux
- analyse_irc changed to suit and now deals with user-user PRIVMSG
- privmsg.pl updated to latest version
- Corrected bug with ftp filenames (made unique) and made more efficient
Thanks to Bill McCarty for bug reports and patches.
What is Honeysnap?
Honeysnap is a simple tool to analyse arbitary pcap files and extract summary information.
Why write Honeysnap?
The current summary script that comes with the Honeywall CDROM is very network traffic focused, and whilst this is useful for high level summaries, with multiple live honeynets deployed and not much time we have two main problems:
- How to detect when an attacker has compromised a honeypot and started doing something interesting.
- When faced with a directory full of pcap files and firewall logs, how to quickly locate the obvious items of value from amongst all the noise
We also find this to be a particular problem when someone else supplies us with a random set of Honeynet data where “something interesting happened last month” – but we don`t know much about the system or where to start looking for items of interest.
We want a summary report that quickly shows us exactly what has been occurring on our honeynets from an attacker’s perspective.
What does Honeysnap do?
It parses a directory full of pcap files (ie. /var/log/snort on the Honeywall CDROM) and summarises the activity during a specified day (a simple pattern matching date filter – all, year, month, day). It lists packets, HTTP sessions, mail messages, etc, extracts and lists files downloaded by FTP or HTTP, summarises IRC sessions and keyword, lists Sebek keystrokes and lists out mail messages (amongst other things). This is all based on the principle that anything outbound is suspect and worth investigating.
Why is Honeysnap useful?
It provides an analyst with a simple report listing interesting events and activities, including some timestamps, plus a directory full of re-assembled tcp streams and associated extracted files. If you have ever operated a long running honeynet, or had to manually extract 50 separate files from a pcap file using Ethereal’s “follow stream” option, you`ll already know why this is useful!
It can also be run as a cron job each day to alert you to interesting activity – just set the datemask to yesterday and only report on the last day’s worth of data. We have been running this internally for a while now and it works very well for us – few hours are now wasted wading through barren pcap files for the occasional tidbit of useful data.
What is Honeysnap not?
The usual disclaimers apply – this is a simple little shell script that has just evolved. It is not yet complete and is of arguable release quality, and although it’s working happily for us, your experience may, as always, be different. Please make sure you back up the data set you are going to run it on first!
Bugs / feature requests?
Probably a lot! Please blame David Watson (david@honeynet.org.uk). A modular and fully expandable version written in Python is currently under development by members of the Honeynet Project and will be beta released to the community in September 2006. Version 0.93 of honeysnap will (hopefully) be the last release in shell script!