7. Data Analysis
When you get down to it, the entire purpose of a deploying a honeynet is to
collect data. However, that data has no value if you cannot analyze it.
This was one of the greatest weakneses of the previous Honeywall Eeyore,
it had no simple way to analyze all that great data. We hope we
have solved that problem with Walleye, the new Web based user interface
to the Honeywall CDROM. To connect to the Walleye interface, type the
following in your browser (notice this is a secured connection using SSL).
Accessing the Walley interface Data Analysis section is
the same as accessing the System Admin
section section described in
Section 6: Maintaining.
You will then be prompted to login. If this is the first time
you have logged in, the default user is roo and password
honey. You will then be prompted to change the password.
If you have already logged in before, you will need to use the
updated login and password. Once you have gained access, the
user interface defaults to the
data analysis summary section.
When you first come to the data anlysis section, you get the
page. This page shows a summary of activity captured by the honeywall. The
sensor section provides an overview of the activity the honeywall
sees. Sensor identification is based on the management IP address of
your Honeywall. If you change the IP address of your Honeywall,
you will have multiple sensors listed (there is no way to delete
old ones). This is a known issues. We are planning in the
future for Walleye to support multiple honeynets. However, it
currently supports only the local Honeywall it is installed on.
The purpose of the summary page is to give an overview of honeywall
activity. The displayed data is a combination of argus and snort
data wich is grouped as either inbound or outbound flows.
The primary source of information
is flow information from argus. Anything listed as bidirectional
is defined as any flow for which data is sent in both directions:
from Client to Server and Server to Client. Total includes both
bidirection and unidirectional flows (such as inbound scans dropped
by a firewall). In addition it shows IDS alerts and network traffic.
Anything in blue you
can click on for more information. For example, if you click
on the identification number of your Honeywall sensor, you
will get a more detailed
overview of all the activity on that sensor.
The sensor detail section provides administrative summary data about
the honeywall and a top talkers report for the last 24 hours. The admin
summary is geared towards distributed environments and provides a
description of the geographic and organizational location of the
honewyall. The top talkers reports shows the 25 most active sources
for and destinations of network connections. If you click on the
connection section, it will give you the flow view for those connections,
if you do so on the ids events, it will take you to the flow view and
display the flows that related to the ids events. If you click on the host's
IP address then you would go to a host summary page.
At the bottom is a menu for querying specific IP based
information. Its relatively self explanotory, as you can search based
on time/date, IP address and/or ports.
Flows Section is where you can get started
digging into the details. Here you will see an overview of all
inbound and outbound connections and related activity. The user
interface starts by showing all the honeypots in order (by destination
IP adddress). You can sort the listing by any of the headers, such
as alerts, etc. If there are multiple pages, you can access them
from the top of the menu. At the bottom left of the screen is the
option to query the flows. Options include filtering by type of
traffic, bidirectional, from honeynet, all time periods,
and Sebek tracked. The filter
section allows you to refine your search by screening out uninteresting
data. For instance, you can ask the system to only show bi-directional TCP
connections initiated from the honeynet. If you want detailed information
on each and every flow for that IP address, or you want the flows listed in
order that they happen, select the IP address of the system you are interested
in, or the Detailed option at the bottom left and submit your query.
This will take you to the Details Section
section. Here you see connection listed in detail. These connections are listed
in the order they happened, with the oldest at top and the newest connection at the
bottom. Each line contains detailed information about each connection, including
protocol type, number and bytes of of packets involved, and OS type of src IP
address initiating the connection. Any Snort alerts related to the connection are
also listed. To the left of each connection you will see several icons. If you do
NOT have Sebek installed on the honeypot, you will only see two icons for
each connection, the floppy disk and the magnifying glass. Each is explained
below. If you do have Sebek installed on the client, you will see an
additional two more icons on the left, these are described in detail below
in the Sebek section.
Floppy Icon: By clicking on this image, you will be able to download
in pcap format the data related to that specific flow. Or, if you prefer,
configure your browser to launch your tool
of choice to analyze the pcap data, such as Ethereal. This is an excellent
way for detailed analysis.
Magnifying Glass Icon: By clicking on this image, you are able
to analyze the connection in more detail with Snort. You get a
Flows Examination section, which allows
you to analyze in more detail any IDS alerts, and Snort
packet decode of the flow.
Walleye also supports the integration and
analysis of Sebek data. However, it only works with the latest version,
specifically the 3.X branch of Sebek. It does not work with older versions
due to the new capabilities added to Sebek client. The power of Sebek
data is that it captures all of the system activity and gives you the ability
to analyze what happened on the honeypot, even if the attacker went in
encrypted. You know you have Sebek data for a flow when on the left column
there are two additional icons, specifically a blue arrorw and a graph tree.
Each is explained in more detail below.
Blue Arrow Icon: By clicking on this image, you get
all connections related to
that specific flow.
Graph Tree Icon" This is the most powerful of all options.
It allows you to analyze in details all system activities, including
processes, files opened, etc. The first screen you get will be a
visual graph tree of all the
processes and their childs. This gives you a visual presentation
of all the processes. You can click on specific processes for more
information and drill down of the processes themselves. In addition,
if you click on the option at the
top View Details for this Process, you should get a
detailed listing of all the
Opened Files and Read Activity.
There is a known issue when trying to analyze Sebek data through the
Walleye interface. Please refer to Section 12:
Known Issues for more information.
<-Back Home Next->