Description

The following applies to HoneySnap version 1.0.7.

Honeysnap is a tool used for extracting and analyzing data from pcap files, including IRC communications. It is developed and maintained by Arthur Clune of the UK Chapter.

Installation

Prerequisites

$ sudo apt-get install libpcap0.8 libpcap0.8-dev python-pypcap python-irclib

Note

Though python 2.4/2.5 is mentioned as a required dependency in the official documentation, it has been confirmed to work with version 2.7.

Honeysnap

$ cd /data/src/
$ svn checkout https://projects.honeynet.org/svn/honeysnap/trunk honeysnap
$ cd honeysnap
$ sudo python setup.py install

Configuration

Description

Honeysnap can be used with parameters (see the options section) or with a configuration file. The 2 next sections explain the honeynet.cfg configuration file.

IO section

The [IO] section handles IO related options

OUTPUT_DATA_DIRECTORY

Output data directory

Default OUTPUT_DATA_DIRECTORY=analysis

FILENAME

save output to a file instead of sending to the screen?

Default FILENAME=myoutput.txt

WORDFILE

extra words file for IRC matching

If no file if given, honeysnap will use its built in list.

Default WORDFILE=./words

HONEYPOTS

Space separated list of all the honeypots for the data

HONEYPOTS=10.2.1.145 10.2.1.146 10.2.1.147 10.2.1.148

OPTIONS section

The [OPTIONS] Configures which analysis functions of honeysnap will be run

USE_UTC

Print time output in UTC? (Otherwise use local time zone)

Default USE_UTC=NO

RAW_TIME

Print time output just as a raw timestamp? This will override USE_UTC for obvious reasons

Default RAW_TIME=NO

DO_PCAP

Summarise pcap info

Default DO_PCAP=YES

DO_PACKETS

Summarise packet counts for common protocols

Default DO_PACKETS=YES

DO_OUTGOING

Summarise outgoing packets

Default DO_OUTGOING=YES

DO_INCOMING

Summarise incoming packets

Default DO_INCOMING=YES

PRINT_VERBOSE

print that flow info to stdout as well as to a file? Warning - it's a lot of output!

(only valid if either or both of DO_INCOMING or do DO_OUTGOING is YES above)

Default PRINT_VERBOSE=NO

FLOW_COUNT_LIMIT

Only print/write to file flows with more than N packets? 0 = all

Default FLOW_COUNT_LIMIT=0

DO_HTTP

Extract files from HTTP

Default DO_HTTP=YES

PRINT_SERVED

Print files served by the honeypot over http/smtp/ftp?

This option can be informative, but can also generate a lot of spurious output

if the honeypot is scanned etc.

Default PRINT_SERVED=NO

PRINT_HTTP_LOGS

print http requests in logfile format?

Default PRINT_HTTP_LOGS=YES

DO_FTP

Extract files from FTP

Default DO_FTP=YES

DO_SMTP

Extract files from SMTP

Default DO_SMTP=YES

DO_DNS

log DNS traffic?

Default DO_DNS=YES

ALL_FLOWS

Extract all flows?

Default ALL_FLOWS=YES

DO_IRC

Extract/analyse IRC sessions

Default DO_IRC=YES

IRC_PORTS

Ports to always check for IRC regardless and to generate packet counts for IRC_PORTS=6667,6668

Default IRC_PORTS=6667

IRC_LIMIT

Limit IRC summary output to just top N for each category?

Set to 0 to see everything

Default IRC_LIMIT=10

DO_SEBEK

Extract sebek data?

Default DO_SEBEK=YES

SEBEK_PORT

port to look for sebek packets on

Default SEBEK_PORT=1101

SEBEK_EXCLUDES

exclude output from these sebek commands when printing to the screen (full output still stored in the file)

Default SEBEK_EXCLUDES=configure prelink sshd sa2 makewhatis

SEBEK_DATA_EXCLUDES

exclude output with that match these regexs in the 'data' portion of the sebek string (space separated)

regex format is that of the python re module

Default SEBEK_DATA_EXCLUDES=SSH-.*-libssh.*

SEBEK_ALL_DATA

save all sebek data (not just keystroke data) to file?

warning - this generates lots and lots and lots of data and can easily fill up memory!

Default SEBEK_ALL_DATA=NO

DISABLE_DEFAULT_FILTERS

disable default filers?

Default DISABLE_DEFAULT_FILTERS=NO

USER_FILTER_LIST

User filters. If default filters are disabled, this replaces the filters. Otherwise, this is appended to the default filter list.

Each filter should consist of a description and a filter separated by a comma.

The %s representing a the honeypot requires an extra % (i.e. %%s) in order to parse correctly.

Here is an example of a filter that counts all ip and tcp packets.

USER_FILTER_LIST=[Total IPv4 packets:, host %%s and (ip or tcp)] [Total TCP packets:, host %%s and tcp] [Total IPv4 packets:, host %%s and ip]

DO_SOCKS

extract socks 4|5 proxy data

Default DO_SOCKS=YES

Usage

Syntax

Usage: honeysnap [options] <file.pcap>

Options

--version

show program's version number and exit

-h, --help

show this help message and exit

-c CONFIG, --config=CONFIG

Config file

-f FILE, --file=FILE

Write report to FILE

-o DIR, --output=DIR

Write output to DIR, defaults to 'output'

-H HONEYPOTS, --honeypots=HONEYPOTS

Comma delimited list of honeypots

-w FILE, --words=FILE

Pull wordlist from FILE

--use-utc

Times in UTC? (Otherwise use localtime)

--raw-time

Just print raw timestamps? (Overrides --use-utc)

--do-packets

Summarise packet counts

--do-incoming

Summarise incoming traffic flows

--do-outgoing

Summarise outgoing traffic flows

--print-verbose

Print verbose flow counts to screen as well as storing in a file (needs --do-incoming or --do-outgoing)

--flow-count-limit=FLOW_COUNT_LIMIT

Only print/write to file flows with more than N packets? 0 = all

--do-dns

Extract DNS data

--do-http

Extract http data

--print-served

Print extracted files served by the honeypot(s)?

(Requires --do-http, --do-ftp or --do-smtp)

--print-http-logs

Print http requests in log file format? (Requires --do-http)

--do-ftp

Extract FTP data

--do-smtp

Extract smtp data

--do-telnet

Extract Telnet data

--do-irc

Summarize IRC and extract irc detail

--irc-ports=IRC_PORTS

Ports for IRC traffic (default 6667)

--irc-limit=IRC_LIMIT

Limit IRC summary to top N items

--do-sebek

Extract Sebek data

--sebek-port=SEBEK_PORT

Port for sebek traffic (default 1101)

--sebek-excludes=SEBEK_EXCLUDES

Exclude these commands when printing sebek output

--sebek-data-excludes=SEBEK_DATA_EXCLUDES

Exclude these regexes if matched in the data portion when printing sebek output

--sebek-all-data

Extract all sebek data? Warning - produces a very large amount of data (gigabytes)

--all-flows

Extract data from all tcp flows

--disable-default-filters

Disables default bpf filters

--user-filter-list=USER_FILTER_LIST

Appends a user defined bpf filter list. ex: [Total IPv4 packets:, host %s and ip],[Total TCP packets:, host %s and tcp]

--do-socks

Extract Socks proxy data

Example

$ honeysnap \
  -H 192.168.56.101 \
  --do-outgoing \
  --do-irc \
  --do-ftp \
  --do-sebek \
  --do-http \
  --do-outgoing \
  -o /data/tmp/analysis \
  -f /data/tmp/analysis/results.txt \
  /data/tmp/IETab/dd1d4a8dd6f8dc9080e97a29c6a97d7cf3e947bad3c9feb72322f6d817d09a94.pcap

The above command creates following files:

$ tree analysis/
analysis/
├── 192.168.56.101
│   ├── conns
│   │   └── outgoing.txt
│   └── http
│       ├── incoming
│       │   ├── 192.168.56.101.1044-180.71.56.227.80
│       │   ├── 192.168.56.101.1044-180.71.56.227.80.hdr
│       │   ├── 192.168.56.101.1045-180.71.56.227.80
│       │   ├── 192.168.56.101.1045-180.71.56.227.80.hdr
│       │   ├── 192.168.56.101.1050-180.71.56.227.80
│       │   └── 192.168.56.101.1050-180.71.56.227.80.hdr
│       └── outgoing
│           ├── 180.71.56.227.80-192.168.56.101.1044.hdr
│           ├── 180.71.56.227.80-192.168.56.101.1045.hdr
│           ├── 180.71.56.227.80-192.168.56.101.1050.hdr
│           ├── IETab.ini.1
│           ├── install.asp.2
│           └── setting.dat.2
├── pcapinfo.txt
└── results.txt

5 directories, 15 files

$ cat analysis/results.txt


Analysing file: /data/tmp/IETab/dd1d4a8dd6f8dc9080e97a29c6a97d7cf3e947bad3c9feb72322f6d817d09a94.pcap

Pcap file information:
	File name: /data/tmp/IETab/dd1d4a8dd6f8dc9080e97a29c6a97d7cf3e947bad3c9feb72322f6d817d09a94.pcap
 	Number of packets: 68
 	File size: 30427 bytes 
 	Data size: 29315 bytes 
 	Capture duration: 94.7538580894 seconds 
 	Start time: Sat Oct 26 11:24:05 2013 
 	End time: Sat Oct 26 11:25:40 2013 
 	Data rate: 309.380542292 bytes/s 
 	Data rate: 2475.04433834 bits/s 
 	Average packet size: 431.102941176 bytes 
         

Counting outgoing connections for 192.168.56.101

Looking for packets containing PRIVMSG for 192.168.56.101

No matching packets found

Analysing IRC

Honeypot 192.168.56.101, port 6667

	No IRC seen

Extracting from HTTP


HTTP summary for 192.168.56.101


requested_files:

180.71.56.227 -> 192.168.56.101, ietab.sidetab.co.kr/update/IE65/IETab.ini (Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)) at Sat Oct 26 11:24:15 2013
	file: /data/tmp/analysis/192.168.56.101/http/outgoing/IETab.ini.1, filetype: ASCII text, md5 sum: ab1500d553a2b01151d190ce66e17dd6
180.71.56.227 -> 192.168.56.101, ietab.sidetab.co.kr/install.asp (NSISDL/1.2 (Mozilla)) at Sat Oct 26 11:24:15 2013
	file: /data/tmp/analysis/192.168.56.101/http/outgoing/install.asp.1, filetype: ASCII text, md5 sum: 19e4e5ad8959e3f5110e28abe9c4fd9d
180.71.56.227 -> 192.168.56.101, ietab.sidetab.co.kr/install.asp (NSISDL/1.2 (Mozilla)) at Sat Oct 26 11:24:15 2013
	file: /data/tmp/analysis/192.168.56.101/http/outgoing/install.asp.2, filetype: ASCII text, md5 sum: 19e4e5ad8959e3f5110e28abe9c4fd9d
180.71.56.227 -> 192.168.56.101, www.ietab.co.kr/setting.dat (Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)) at Sat Oct 26 11:24:17 2013
	file: /data/tmp/analysis/192.168.56.101/http/outgoing/setting.dat.1, filetype: ASCII text, md5 sum: 4bfa1eb397779cc313e0d2a7bf52a47f
180.71.56.227 -> 192.168.56.101, www.ietab.co.kr/setting.dat (Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)) at Sat Oct 26 11:24:17 2013
	file: /data/tmp/analysis/192.168.56.101/http/outgoing/setting.dat.2, filetype: ASCII text, md5 sum: 4bfa1eb397779cc313e0d2a7bf52a47f

0 requests served by honeypot

Extracting from FTP


FTP summary for 192.168.56.101

	No traffic seen


Extracting Sebek data

Honeypot 192.168.56.101

No sebek data seen

Comments