
5.7. Honeydstats

A low-interaction honeypot like Honeyd does not simulate enough detail to allow an adversary to compromise a virtual honeypot, so you might wonder what benefit these honeypots provide. As mentioned earlier, Honeyd is a good tool for getting a more detailed overview of network activity. Each virtual honeypot gives a little more insight into what is happening in your network, and with a little extra instrumentation of the services it is even possible to analyze what kind of attacks are being carried out. Clearly, the analysis becomes more powerful with more honeypots. So why stop at instrumenting a single network? We might instead want to instrument several class C networks all over the Internet. Managing the different packet logs then becomes cumbersome: for each Honeyd installation, we would have to copy new logs to a central machine, collate them, and then run the analysis over the aggregated logs. To facilitate this task, Honeyd supports a protocol for sending interesting statistics to a remote analysis station. The analysis software is called Honeydstats; it receives packet-level logs quite similar to the logs described in Section 4.8.1 and continuously analyzes their contents. It computes four tables, one for each of the report flags listed in Figure 5.9: operating system distribution, port distribution, country codes, and spammer IPs.

Figure 5.9 lists the command-line flags Honeydstats supports. The most important parameters are the port number (-p) and the name of the configuration file (-f).

Figure 5.9. Runtime flags supported by Honeydstats.

--os_report <filename> Report os versions to this file.
--port_report <filename> Report port distribution to file.
--country_report <filename> Report country codes to this file.
--spammer_report <filename> Report spammer IPs to this file.
-V, --version Print program version and exit.
-h, --help Print this message and exit.
-l <address> Address to bind listen socket to.
-p <port> Port number to bind to.
-f <config> Name of configuration file.
-c <checkpoint> Name of checkpointing file.

Each of the four --*_report flags takes a filename, and all report files are rewritten once a minute. Figure 5.10 shows a sample of the operating system table. In this particular case, Honeyd was unable to determine the operating system for the majority of the network activity. This might be because most of the traffic came from specially crafted attack tools that bypass the operating system's TCP/IP stack, but it could also indicate that the passive fingerprinting tables are out of date.

Figure 5.10. Example operating system table from Honeydstats. It shows the activity of each operating system for the last minute, hour, and day.
Operating System    Minute  Hour  Day
FreeBSD 4.6-4.8:103
FreeBSD 5.0-5.1:003
Linux 2.6:0025
LookSmart ZyBorg:001
NMAP syn scan 1:001
NMAP syn scan 4:001
NetApp CacheFlow:004
OpenBSD 3.0-3.4 opera:0011
Tru64 4.0:001
Windows 2000:0010
Windows 2000 RFC1323:007
Windows 2000 SP4:0198
Windows 98:002
Windows NT 4.0:001
Windows XP SP1:1012190
unknown:044010369


The output from Honeydstats becomes more useful the more Honeyd machines report to it. To instruct Honeyd to report its statistics to a remote Honeydstats collector, use the following command-line flag:

honeyd -c host:port:username:password

The host is the IP address of the machine Honeydstats runs on, and the port number must match the one given to Honeydstats with the -p flag described above. The username and password must match an entry in Honeydstats' configuration file. Honeyd uses the HMAC-SHA1 message authentication code so that nobody can tamper with the transmitted information and only authorized users can contribute to the statistics. Note that a MAC provides integrity and origin authentication, not confidentiality: the statistics themselves are not encrypted by it. Because each sensor has its own credentials, a compromised password is easy to deal with: remove the username from the configuration file and rerun Honeydstats on the checkpoint data. Honeydstats then ignores all information from the compromised account.
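The following is an added example, not code from Honeyd or Honeydstats, that illustrates the two security-relevant mechanisms just described: per-sensor HMAC-SHA1 authentication of reports, and re-processing a checkpoint after revoking a compromised account. The message layout (JSON body plus hex MAC over username and body), the user table standing in for the Honeydstats configuration file, and the sample reports are all assumptions constructed for the example; the real Honeyd wire format is not documented here. The example also builds the minute/hour/day operating system counters of Figure 5.10 from the accepted reports.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Stand-in for the Honeydstats configuration file (-f): username -> shared secret.
# Hypothetical credentials constructed for this example.
COLLECTOR_USERS = {
    "sensor-a": b"correct horse battery staple",
    "sensor-b": b"hunter2",
}


def _mac(password, username, body):
    # Tag covers the username as well as the body so a report cannot be
    # re-attributed to another account without detection.
    return hmac.new(password, username.encode() + b"\0" + body, hashlib.sha1).hexdigest()


def sign_report(username, password, payload):
    """Sender (Honeyd side): attach an HMAC-SHA1 tag to a JSON report."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"user": username, "body": body.decode(), "mac": _mac(password, username, body)}


def verify_report(users, msg):
    """Receiver (Honeydstats side): return the payload if the account is known
    and the tag verifies; otherwise None, so the record is silently dropped."""
    password = users.get(msg["user"])
    if password is None:
        return None  # unknown or revoked account
    expected = _mac(password, msg["user"], msg["body"].encode())
    if not hmac.compare_digest(expected, msg["mac"]):  # constant-time compare
        return None  # tampered body or wrong password
    return json.loads(msg["body"])


class OsTable:
    """Per-OS activity counts over the last minute, hour and day (cf. Figure 5.10)."""

    WINDOWS = {"minute": 60, "hour": 3600, "day": 86400}

    def __init__(self):
        self.events = []  # (unix timestamp, os name)

    def add(self, ts, os_name):
        self.events.append((ts, os_name))

    def counts(self, now):
        table = defaultdict(lambda: {"minute": 0, "hour": 0, "day": 0})
        for ts, name in self.events:
            age = now - ts
            for col, secs in self.WINDOWS.items():
                if 0 <= age < secs:
                    table[name][col] += 1
        return dict(table)


def process_checkpoint(users, messages, now):
    """Replay a list of stored reports against the current user table.
    Returns (number of accepted reports, OS table)."""
    table = OsTable()
    accepted = 0
    for msg in messages:
        payload = verify_report(users, msg)
        if payload is None:
            continue
        accepted += 1
        for ts, name in payload["os"]:
            table.add(ts, name)
    return accepted, table.counts(now)


# Constructed checkpoint: two genuine reports, one tampered copy, one forgery.
NOW = 1_700_000_000
CHECKPOINT = [
    sign_report("sensor-a", COLLECTOR_USERS["sensor-a"], {"os": [
        [NOW - 30, "Windows XP SP1"], [NOW - 600, "Windows XP SP1"], [NOW - 7200, "Linux 2.6"]]}),
    sign_report("sensor-b", COLLECTOR_USERS["sensor-b"], {"os": [
        [NOW - 10, "unknown"], [NOW - 3000, "unknown"]]}),
]
tampered = dict(CHECKPOINT[0])  # attacker edits the body without the secret
tampered["body"] = tampered["body"].replace("Linux 2.6", "FreeBSD 4.6-4.8")
CHECKPOINT.append(tampered)
CHECKPOINT.append(sign_report("mallory", b"guess", {"os": [[NOW - 5, "unknown"]]}))

if __name__ == "__main__":
    accepted, table = process_checkpoint(COLLECTOR_USERS, CHECKPOINT, NOW)
    print(f"accepted {accepted} of {len(CHECKPOINT)} reports")
    for name, c in sorted(table.items()):
        print(f"{name + ':':24}{c['minute']:>4}{c['hour']:>6}{c['day']:>7}")
    # Revoke sensor-b and replay the same checkpoint: its records disappear.
    revoked = {k: v for k, v in COLLECTOR_USERS.items() if k != "sensor-b"}
    print(process_checkpoint(revoked, CHECKPOINT, NOW))
```

Running the script accepts only the two genuine reports; the tampered copy fails verification and the forgery is dropped because its username is unknown. Removing sensor-b from the user table and replaying the checkpoint drops its "unknown" records as well, which is the recovery path described above.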
