Honeyd Tools

There are several tools that can be used in conjunction with Honeyd, for data analysis or for other purposes.

Arpd

Arpd is a daemon that listens for ARP requests and answers on behalf of IP addresses that are unallocated. Using Arpd in conjunction with Honeyd, it is possible to populate the unallocated address space of a production network with virtual honeypots. Where IP addresses are allocated by DHCP, it is possible that Arpd interferes with the DHCP server by causing Honeyd to reply to the pings the DHCP server uses to determine whether an address is free.

Download: arpd-0.2.tar.gz

NTTLScan

Nttlscan is a quick network topology scanner that functions as a highly parallel traceroute. It randomly picks destination IP addresses and sends TCP or UDP probes. Returning ICMP messages are interpreted to reconstruct the route that packets take to their respective destinations. Nttlscan can be used to construct virtual routing topologies for Honeyd.

Download: nttlscan-0.1.tar.gz

Honeydsum.pl

honeydsum.pl is a log analyzer written by the Brazilian Honeynet Team that can generate text summaries from Honeyd logs. The summaries can be filtered by specifying IP addresses, ports, protocols or networks. Honeydsum shows the top source IP addresses, ports and the number of connections per hour. It supports input from multiple log files and can also correlate events from several honeypots.

More information: http://www.honeynet.org.br/tools/

Honeycomb

Honeycomb is a plugin for Honeyd that can be used to automatically generate signatures for Network Intrusion Detection Systems such as Snort. It applies protocol analysis and pattern detection to traffic captured by Honeyd and is useful for creating worm signatures. For example, it created valid signatures for Slammer and Code Red.

More information: http://www.cl.cam.ac.uk/~cpk25/honeycomb/

Honeyview

Honeyview is another log file analysis tool for Honeyd. It provides a graphical overview of the collected data and also provides detailed textual output for events. Honeyview can be used to determine which ports and IP addresses were most active, and it also supports time series plots; see the screenshot.

More information: http://honeyview.sourceforge.net/

If you are missing a tool, please let me know.