The purpose of this section is to explain how to analyze all the data you collect, primarily using the Walleye interface. Please submit all bugs/corrections for this documentation or the Honeywall CDROM to our Bugzilla Server.

NOTE: Any images shown on this page are liable to radical change. The visual interface is still undergoing active development (we are trying to make it easier to use and more intuitive). Expect new features and improvements made. All examples are done using the Firefox browser on Win32.

Last Modified: 25 May, 2007

7. Data Analysis

1. Overview
2. Summary
3. Flows
4. Details
5. Sebek

7.1 Overview
When you get down to it, the entire purpose of a deploying a honeynet is to collect data. However, that data has no value if you cannot analyze it. This was one of the greatest weakneses of the previous Honeywall Eeyore, it had no simple way to analyze all that great data. We hope we have solved that problem with Walleye, the new Web based user interface to the Honeywall CDROM. To connect to the Walleye interface, type the following in your browser (notice this is a secured connection using SSL).

https://ip-address-mgmt-interface

Accessing the Walley interface Data Analysis section is the same as accessing the System Admin section section described in Section 6: Maintaining. You will then be prompted to login. If this is the first time you have logged in, the default user is roo and password honey. You will then be prompted to change the password. If you have already logged in before, you will need to use the updated login and password. Once you have gained access, the user interface defaults to the data analysis summary section.

7.2 Summary
When you first come to the data anlysis section, you get the summary page. This page shows a summary of activity captured by the honeywall. The sensor section provides an overview of the activity the honeywall sees. Sensor identification is based on the management IP address of your Honeywall. If you change the IP address of your Honeywall, you will have multiple sensors listed (there is no way to delete old ones). This is a known issues. We are planning in the future for Walleye to support multiple honeynets. However, it currently supports only the local Honeywall it is installed on.

The purpose of the summary page is to give an overview of honeywall activity. The displayed data is a combination of argus and snort data wich is grouped as either inbound or outbound flows. The primary source of information is flow information from argus. Anything listed as bidirectional is defined as any flow for which data is sent in both directions: from Client to Server and Server to Client. Total includes both bidirection and unidirectional flows (such as inbound scans dropped by a firewall). In addition it shows IDS alerts and network traffic. Anything in blue you can click on for more information. For example, if you click on the identification number of your Honeywall sensor, you will get a more detailed overview of all the activity on that sensor. The sensor detail section provides administrative summary data about the honeywall and a top talkers report for the last 24 hours. The admin summary is geared towards distributed environments and provides a description of the geographic and organizational location of the honewyall. The top talkers reports shows the 25 most active sources for and destinations of network connections. If you click on the connection section, it will give you the flow view for those connections, if you do so on the ids events, it will take you to the flow view and display the flows that related to the ids events. If you click on the host's IP address then you would go to a host summary page.

At the bottom is a menu for querying specific IP based information. Its relatively self explanotory, as you can search based on time/date, IP address and/or ports.

7.3 Flows
Flows Section is where you can get started digging into the details. Here you will see an overview of all inbound and outbound connections and related activity. The user interface starts by showing all the honeypots in order (by destination IP adddress). You can sort the listing by any of the headers, such as alerts, etc. If there are multiple pages, you can access them from the top of the menu. At the bottom left of the screen is the option to query the flows. Options include filtering by type of traffic, bidirectional, from honeynet, all time periods, and Sebek tracked. The filter section allows you to refine your search by screening out uninteresting data. For instance, you can ask the system to only show bi-directional TCP connections initiated from the honeynet. If you want detailed information on each and every flow for that IP address, or you want the flows listed in order that they happen, select the IP address of the system you are interested in, or the Detailed option at the bottom left and submit your query.

7.4 Details
This will take you to the Details Section section. Here you see connection listed in detail. These connections are listed in the order they happened, with the oldest at top and the newest connection at the bottom. Each line contains detailed information about each connection, including protocol type, number and bytes of of packets involved, and OS type of src IP address initiating the connection. Any Snort alerts related to the connection are also listed. To the left of each connection you will see several icons. If you do NOT have Sebek installed on the honeypot, you will only see two icons for each connection, the floppy disk and the magnifying glass. Each is explained below. If you do have Sebek installed on the client, you will see an additional two more icons on the left, these are described in detail below in the Sebek section.

• Floppy Icon: By clicking on this image, you will be able to download in pcap format the data related to that specific flow. Or, if you prefer, configure your browser to launch your tool of choice to analyze the pcap data, such as Ethereal. This is an excellent way for detailed analysis.
• Magnifying Glass Icon: By clicking on this image, you are able to analyze the connection in more detail with Snort. You get a Flows Examination section, which allows you to analyze in more detail any IDS alerts, and Snort packet decode of the flow.

7.5 Sebek
Walleye also supports the integration and analysis of Sebek data. However, it only works with the latest version, specifically the 3.X branch of Sebek. It does not work with older versions due to the new capabilities added to Sebek client. The power of Sebek data is that it captures all of the system activity and gives you the ability to analyze what happened on the honeypot, even if the attacker went in encrypted. You know you have Sebek data for a flow when on the left column there are two additional icons, specifically a blue arrorw and a graph tree. Each is explained in more detail below.

• Blue Arrow Icon: By clicking on this image, you get all connections related to that specific flow.
• Graph Tree Icon" This is the most powerful of all options. It allows you to analyze in details all system activities, including processes, files opened, etc. The first screen you get will be a visual graph tree of all the processes and their childs. This gives you a visual presentation of all the processes. You can click on specific processes for more information and drill down of the processes themselves. In addition, if you click on the option at the top View Details for this Process, you should get a detailed listing of all the Opened Files and Read Activity.

There is a known issue when trying to analyze Sebek data through the Walleye interface. Please refer to Section 12: Known Issues for more information.