45. Sebek Tools
• Two sets of sample incident data (and your own data from your class honeynets):
  – 1 from Mexican honeypot (192.168.100.28): example.pcap.gz
  – 1 from UK honeypot (82.68.40.145): 20040319/*.gz
49. Honeysnap
• Command-line tool for parsing single or multiple pcap data files
• Outputs a 'first-cut' analysis report to identify potentially significant events
• Typically run off-line in batch mode, perhaps as a nightly email report
• Just need to provide it with the IP address of the honeypot / node of interest
50. Honeysnap (Cont.)
• Packet and connection overview
• Simple flow extraction (ASCII based)
• Common protocol decoding
• Binary file transfer extraction
• Flow summary of in/outbound connections
• Keystroke extraction of Sebek v2/v3 data
• Identification and analysis of IRC traffic, including keyword matching
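To make the "first-cut report" idea on slides 49 and 50 concrete, here is an added example (not Honeysnap's own code, and not from the lecture) that does two of the listed jobs over a pcap file given only the honeypot's IP address: a flow summary of inbound vs. outbound TCP connection attempts per port, and IRC keyword matching on port 6667 traffic. It reads the libpcap file format directly with the standard library, so it runs offline; the capture it analyses is constructed inline from made-up remote hosts (10.0.0.5, 10.0.0.9) and ports, with the honeypot address taken from slide 45. Only Ethernet/IPv4/TCP frames are handled and checksums are not validated.

```python
import struct
import socket
from collections import Counter

# Honeypot address from the slides; all other hosts/ports below are constructed.
HONEYPOT_IP = "192.168.100.28"


def _frame(src, dst, sport, dport, payload, flags=0x18):
    """Build an Ethernet+IPv4+TCP frame (constructed test data). Checksums are
    left at zero; the parser never checks them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00" * 12 + b"\x08\x00"          # zeroed MACs, EtherType IPv4
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header (LINKTYPE_ETHERNET=1)
    followed by 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp(pcap_bytes):
    """Yield (src, sport, dst, dport, flags, payload) for each IPv4/TCP record."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # byte order of the writer
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("this example only handles Ethernet captures")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp = frame[14 + ihl:14 + ip_total]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, tcp[13], tcp[doff:]


def first_cut(pcap_bytes, honeypot_ip, irc_keywords=("PRIVMSG", "JOIN", "NICK")):
    """First-cut report: connection attempts (bare SYN) to/from the honeypot,
    counted per destination port, plus IRC (6667) lines matching keywords."""
    report = {"inbound": Counter(), "outbound": Counter(), "irc_hits": []}
    for src, sport, dst, dport, flags, payload in iter_tcp(pcap_bytes):
        if (flags & 0x02) and not (flags & 0x10):  # SYN without ACK
            if dst == honeypot_ip:
                report["inbound"][dport] += 1
            elif src == honeypot_ip:
                report["outbound"][dport] += 1
        if 6667 in (sport, dport) and payload:
            direction = "out" if src == honeypot_ip else "in"
            for line in payload.decode("latin-1").splitlines():
                if any(k in line for k in irc_keywords):
                    report["irc_hits"].append((direction, line.strip()))
    return report


# Constructed capture: two inbound probes, then the honeypot talking to an IRC
# server (the outbound connection is what a nightly report should flag).
SAMPLE = build_pcap([
    _frame("10.0.0.5", HONEYPOT_IP, 40000, 22, b"", flags=0x02),
    _frame("10.0.0.5", HONEYPOT_IP, 40001, 445, b"", flags=0x02),
    _frame(HONEYPOT_IP, "10.0.0.9", 51000, 6667, b"", flags=0x02),
    _frame(HONEYPOT_IP, "10.0.0.9", 51000, 6667, b"NICK bot123\r\nJOIN #channel\r\n"),
    _frame("10.0.0.9", HONEYPOT_IP, 6667, 51000, b":srv PRIVMSG #channel :hello\r\n"),
])

if __name__ == "__main__":
    r = first_cut(SAMPLE, HONEYPOT_IP)
    print("inbound  :", dict(r["inbound"]))
    print("outbound :", dict(r["outbound"]))
    for direction, line in r["irc_hits"]:
        print(f"irc {direction:3}: {line}")
```

For a real run, replace `SAMPLE` with the bytes of a capture such as the class `example.pcap.gz` (decompressed first); the outbound counter and the IRC hits are the lines worth putting at the top of a batch e-mail, since traffic originating from the honeypot is the clearest sign it has been taken over.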