Monkey.org Developments
Honeyd Tools

Honeyd Resources

Main - News - Forums 
Download Releases
General Information [Mirror]
Frequently Asked Questions
Sample Configurations
Tools - Service Scripts
Blog - New
Links, Press, etc.
Mailing List Archive
Acknowledgments


Honeyd Research

Immunization Against Worms
Understanding Spam
Performance

Honeypot Resources

Honeypot Background
Honeypot Concepts

Honeypot Books


Virtual Honeypots,
Niels Provos and Thorsten Holz

Happy Hacking

Reduce wishlists
Leave a tip with PayPal

Support Honeyd

Search:
Keywords:

Search Amazon

  		 

Honeyd Tools

There are several tools that can be used in conjunction with Honeyd, for data analysis or for other purposes.

Arpd

Arpd is a daemon that listens to ARP requests and answers for IP addresses that are unallocated. Using Arpd in conjunction with Honeyd, it is possible to populate the unallocated address space in a production network with virtual honeypots. With DHCP allocated IP addresses, is is possible that Arpd interfers with the DHCP server by causing Honeyd to reply to pings that the DHCP server uses to determine if an address is free.

Download: arpd-0.2.tar.gz

NTTLScan

Nttlscan is a quick network topology scanner and functions as a highly parallel traceroute. It randomly picks destination IP addresses and sends TCP or UDP probes. Returing ICMP messages are interpreted to reconstruct the route that packets take to their respective destination. Nttlscan can be used to construct virtual routing topologies for Honeyd.

Download: nttlscan-0.1.tar.gz

Honeydsum.pl

honeydsum.pl is a log analyzer written by the Brazilian Honeynet Team that can generate text summaries from Honeyd logs. The summaries can be filtered by specifying IP addresses, ports, protocols or networks. Honeydsum shows the top source IP addresses, ports and the number of connections per hour. It supports input from multiple log files and can also correlate events from several honeypots.

More information: http://www.honeynet.org.br/tools/

Honeycomb

Honeycomb is a plugin for Honeyd that can be used to automatically generate signatures for Network Intrusion Detection Systems like Snort. It applies protocol analysis and pattern-detection to traffic captured by Honeyd and is useful for creating worm signatures. For example, it created valid signatures for Slammer and Code Red.

More information: http://www.cl.cam.ac.uk/~cpk25/honeycomb/

Honeyview

Honeyview is another log file analysis tool for Honeyd. It provides a graphical overview of the collected data but also provides detailed textual output for events. Honeyview can be used to determine which ports and IP address were most active, and it also supports time series plot; see screenshot.

More information: http://honeyview.sourceforge.net/

If you are missing a tool, please let me know.

 
Last modified: April 21 2004 12:39:18 AM
Copyright (c) 1999-2004 by Niels Provos
Don't access my pirated music.