Honeyd2MySQL

Honeyd2MySQL is yet another simple piece of software that extracts all the basic stats from honeyd’s text-based log files and inserts them in a MySQL database. Then you can run some queries and of course visualize the data if you want to.

Many things are hardcoded or dead simple, but it does the job. The file is a modified version of the “honeyd_importer” perl script originally written by Joshua Gimer and shared through the “honeypots” mailing list. This script works in combination with Honeyd-Viz, the web based interface for honeyd’s results visualization that was created along the lines of Kippo-Graph.

DOWNLOAD Honeyd2MySQL:

Important!

Download the latest version (0.3) here: honeyd2mysql-0.3

MD5 Checksum: 4856122B53264D9077A005864095C0DF
SHA-1 Checksum: CBB0ABD48B430AF521B43E8F6E1BD453EBD8F86E

Notice: Honeyd2MySQL can also be found at GitHub: https://github.com/ikoniaris/honeyd2mysql

INSTALLATION INSTRUCTIONS:

You will have to change the script and enter the correct paths, your MySQL credentials, have a database and a db user created beforehand, etc. It’s pretty straightforward if you take a look at the script and have some basic understanding of perl and MySQL server.

  • http://www.madrock.net Derek

    Is there any easy way for Honeyd2MySQL to be modified to only insert new entries from the honeyd.log?
    If so the script could then be run as a cron job and the database updated automatically.

    Thanks
    Derek

    • http://bruteforce.gr Ion

      Hello Derek, thanks for your comments.

      Yeah I suppose there is, but this was mostly my quick and dirty way of doing it :)

      Perhaps if I decide to work on it in the future, this could be a great addition. Or if you want to get your hands dirty, then by all means you are welcome to contribute, as the script is open source.

      Regards.

  • http://www.madrock.net Derek

    Hi,

    Is there any chance to have an option in the script to exclude IP addresses (specific and a range) that may relate to private IP addresses?

    This would allow only wanted IP traffic to be inserted into the database and therefore visible to honeyd-viz.
    A useful feature for automated reporting of external traffic only.

    Thanks for the scripts, they are great.

    Derek

  • http://www.madrock.net Derek

    Sorry… I have just looked at config.php and noticed the exclude section.

    #Exclusions/filtering: you might want to filter certain
    #IPs/subnets from your results. This is required for the
    #Honeyd-Geo component. If your honeyd instance is located
    #inside a home LAN, chances are that various UDP/ICMP
    #connections from your other hosts or your router have
    #been recorded. You can use a wildcard with the ‘%’ symbol.

    • http://bruteforce.gr Ion

      Hello again :)

      Just to note that so far exclusions work only for the Honeyd-Geo component. Basically, it was a prerequisite for it in order to work correctly because geolocation breaks if there are private IPs. It is on my TODO list to apply it in all sections of the Honeyd-Viz script. Until then perhaps you can do it manually by altering the SQL queries inside the generator php page, adding a simple “AND NOT LIKE XYZ” to the WHERE clauses if appropriate.

      Regards.
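The extraction step the page describes, together with the two points raised in the comments above (importing only entries newer than the last run, and excluding private IPs/subnets before they reach the database), as an added Python example that is not the Perl script distributed here. The log lines are constructed in honeyd's text-log layout, the excluded networks are an assumed default list, and the MySQL insert itself is left out.

```python
import ipaddress
from collections import Counter
# Constructed sample in honeyd's text log layout (not a real capture):
#   <timestamp> <proto>(<num>) <action: S start | E end | - connectionless> <src> [<sport>] <dst> [<dport>][: <extra>]
SAMPLE_LOG = """\
2012-03-01-10:49:47.0485 tcp(6) S 203.0.113.5 58463 10.0.0.20 22 [Linux 2.4.x]
2012-03-01-10:49:52.4343 tcp(6) E 203.0.113.5 58463 10.0.0.20 22: 48 0
2012-03-01-10:50:13.2209 udp(17) - 192.168.1.2 138 192.168.1.255 138: 201
2012-03-01-10:50:41.7730 icmp(1) - 192.168.1.1 10.0.0.20: 8(0): 84
2012-03-01-11:02:09.1111 tcp(6) S 198.51.100.7 40001 10.0.0.20 80 [Windows XP]
this line is garbage and must be skipped
"""
# Sources to drop, like the IPs/subnets exclusion in config.php (constructed defaults).
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_excluded(ip):
    return any(ipaddress.ip_address(ip) in net for net in EXCLUDED_NETS)

def parse_line(line):
    """One honeyd log line -> record dict, or None for anything that does not parse."""
    tok = line.split()
    if len(tok) < 5 or "(" not in tok[1]:
        return None
    ts, proto, action = tok[0], tok[1].split("(")[0], tok[2]
    try:
        if proto == "icmp":  # ICMP lines carry no ports
            src, sport, dst, dport = tok[3], None, tok[4].rstrip(":"), None
        else:
            src, sport, dst, dport = tok[3], int(tok[4]), tok[5], int(tok[6].rstrip(":"))
        ipaddress.ip_address(src), ipaddress.ip_address(dst)  # reject malformed addresses
    except (IndexError, ValueError):
        return None
    return {"ts": ts, "proto": proto, "action": action,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def import_records(log_text, since=None, exclude=False):
    """Records newer than `since` (zero-padded honeyd timestamps sort as strings), minus EXCLUDED_NETS sources if `exclude`."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return [r for r in recs if r is not None
            and (since is None or r["ts"] > since)
            and not (exclude and is_excluded(r["src"]))]

def last_timestamp(records):  # resume marker for a cron job: persist it, pass it back as `since`
    return max(r["ts"] for r in records) if records else None

def top_ports(records):
    """Connection starts and connectionless packets per (proto, destination port)."""
    return Counter((r["proto"], r["dport"]) for r in records
                   if r["dport"] is not None and r["action"] in ("S", "-"))
```

A cron job would store `last_timestamp()` of each run and hand it back as `since` on the next one, so only fresh lines are inserted.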
