
Thread: Honeypot visualization

  1. #1
    Junior Member
    Join Date
    Aug 2006
    Posts
    4

    Honeypot visualization

    I would like to know if anybody knows how a honeypot data set can be visualised, to make it easier to detect an attack on the honeypot.

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Well, ANY traffic that goes to a honeypot is suspect.

    So, a firewall that logs ALL inbound/outbound traffic to that host. (even if you permit all traffic)

    Do you have a network or host based intrusion detection system?
    I would think that your nIDS would be a good indicator.

    Then the hIDS and other host logs would tell the rest of the story? (You should send your hosts' logs to a hardened syslog server, so an intruder can't modify/delete the logs. Since syslog is UDP (connectionless), there is no need to allow traffic back from the syslog server, just to the syslog server.)

    I've heard of attackers who will try to fill the logs with junk to throw the admin off onto the wrong trail. Also, some logs are setup with a buffer. So, the idea is if they fill the logs with junk... it'll overwrite the attack log entries. This is where a syslog is useful. All logs are kept remotely with no buffer... so, there is no way to overflow the logs.

    When there is a major alert on the firewall/nIDS, have it email/sms you so you'll know exactly when it is happening and you might catch the attack live.

    Oh, I've been using a honeynet security console to gather all data from various sources to analyze the logs. It's pretty nifty. Graphs, log correlation, etc.

    http://www.activeworx.org/programs/hsc/index.htm

    I'm not 100% sure I understand your question though... please elaborate.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Junior Member
    Join Date
    Aug 2006
    Posts
    4
    OK, I understand that all traffic going to the honeypot is suspect.

    What I am trying to say is that normally you would need to look at the logs provided by the honeypot to see if the honeypot has been attacked or probed, but what I want to do is develop a program (maybe by using LabVIEW or Python) that visualises the attack. This would make it far easier for a honeypot user to see if there has been an attack on the honeypot.

    Basically I want to visualise the honeypot data set, but I am not sure how or what visual aids could be used to represent the honeypot data set.

    http://www.ripe.net/ripe/meetings/ri...ring%20Tool%22

    This link shows how the performance of a network could be visualised. This is the type of concept i am looking to achieve.

    thank you
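One way to start on the visualisation asked about above, as an added example that is not part of the thread: parse inbound firewall log lines for the honeypot, bucket them by hour and destination port, and render ASCII histograms. The log format is an assumed, simplified iptables-style syslog line and the sample lines are constructed; a real honeypot's format would need its own regex.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in an assumed, simplified iptables-style syslog format.
# Every line is inbound traffic to the honeypot, so all of it is suspect.
SAMPLE_LOG = """\
Aug 14 02:01:11 hp kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Aug 14 02:01:12 hp kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Aug 14 02:03:40 hp kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=445
Aug 14 03:15:02 hp kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Aug 14 03:15:03 hp kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP DPT=161
Aug 14 03:16:00 hp kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hour>\d{2}):\d{2}:\d{2} .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)

def parse_log(text):
    """Yield (hour_bucket, src, proto, dport) for each line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            bucket = f"{m['mon']} {m['day']} {m['hour']}:00"
            yield bucket, m["src"], m["proto"], int(m["dpt"])

def summarise(text):
    """Aggregate the counts a honeypot operator wants at a glance."""
    per_hour = Counter()
    per_port = Counter()
    sources_per_hour = defaultdict(set)
    for bucket, src, proto, dport in parse_log(text):
        per_hour[bucket] += 1
        per_port[f"{proto}/{dport}"] += 1
        sources_per_hour[bucket].add(src)
    return per_hour, per_port, {k: len(v) for k, v in sources_per_hour.items()}

def bar_chart(counter, width=40):
    """Render a Counter as ASCII bars scaled to the largest value."""
    peak = max(counter.values(), default=1)
    return "\n".join(f"{k:>14} |{'#' * (v * width // peak):<{width}}| {v}"
                     for k, v in sorted(counter.items()))

if __name__ == "__main__":
    hours, ports, uniq = summarise(SAMPLE_LOG)
    print("Hits per hour:\n" + bar_chart(hours))
    print("\nHits per port:\n" + bar_chart(ports))
    print("\nDistinct sources per hour:", dict(uniq))
```

A sudden jump in hits per hour, or many distinct sources hammering one port, stands out in the bars long before it does in raw log text.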

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Ah, I see. I wasn't quite sure that I understood what you wanted.

    I'm thinking you'll either have to piece something together... or find some way to link all of these features. I'm not much of a coder (besides some quick scripting) so I'd probably look at piecing several things together.

    I really like the product I linked you to before. That is great for log correlation and getting an idea of the most common/frequent types of attacks. You can log/analyze just about everything from there.

    However, to monitor the hosts, services and network... check out nagios. I don't think you'll be disappointed. http://nagios.org/about/
    If it is missing a feature, look for plugins others have created or make your own.

    So, when you see an increase in traffic over the firewall, more alerts from your nIDS, an increase in resource usage on the honeypot itself, etc.

    To me, it's not very difficult to figure out when your honeynet is being attacked. I don't know why you need a visual. You should be able to put the pieces together and figure it out with the logs. If you can't look at the logs and figure out what is going on... you shouldn't be running a honeynet in the first place.

    Monitor anything/everything with nagios
    http://www.chrisburgess.com.au/wp-up...2005nagios.pdf

    Also, check out the networksecuritytoolkit.

  5. #5
    If you're running a honeywall, honeysnap will help you out.

    http://www.ukhoneynet.org/tools/honeysnap/
