Your friendly neighborhood AppSec advisor and honeypot enthusiast. Formerly @ Goldman Sachs and Ernst & Young. Find his thoughts in code form committed to Github.
Running honeypots to collect information is great. Running honeypots to collect and share information is awesome. HoneyDB is a simple web site I cobbled together to share data collected from HoneyPy honeypots. Initially, HoneyDB presented high level honeypot activity stats, but it has evolved to be more useful than that. You can find HoneyDB at https://riskdiscovery.com/honeydb. In this post I’ll describe all the site features, but at a high level here is how you can use HoneyDB:
View graphs on the top attacking hosts and top targeted services.
View host details and session data.
Leverage the HoneyDB API to download threat information, and contribute honeypot data from your own HoneyPy honeypot.
View the latest activity on the Twitter threat info list.
Save specific hosts to your own “ThreatBin”.
Note, if you are interested in contributing your honeypot data to HoneyDB, this should only be done with either research or hobby honeypots. I described the various types of honeypots in a previous post, refer to the section “Why Run A Honeypot?”
Home view: when you visit HoneyDB the first thing you’ll see is a graph of activity for the last seven days. Activity is based on the number of events, e.g. connections, received data, and transferred data.
Hosts view: this graph displays the top ten attacking hosts for the last 24 hours. You can click an IP address or a slice in the chart to drill down into activity details for that IP address. I’ll cover the host details view later on in this post.
Services view: this graph displays the top ten services attacked for the last 24 hours. You can click on a service name or a slice in the graph to drill into what IP addresses were attacking that service. Then you can click on any of the IP addresses to view the associated session data.
The host details view has several things going on. First, for a given IP address you’ll see two graphs that break down the activity by protocol and by service. Next, there are lookup tools, which are links to other sites that may have interesting information associated with the IP address. These lookups can also produce additional information that confirms the maliciousness of the host. The full list of sites is:
DShield — provides whois information and indicates if the IP appears on any of the Internet Storm Center’s threat lists.
Firyx — a threat detection service for Windows servers.
Twitter — find tweets that mention the IP address.
Google — search results can produce interesting and helpful information about the IP address.
Virus Total — reports if any malware or malicious domains are associated with the IP address.
Spamhaus — reports if the IP address is on the Spamhaus block list.
SpamCop — reports if the IP address is on the Spam Cop block list.
Senderbase — provides email and web reputations for the IP address.
Recommendations for additional lookup resources are welcome! To make a recommendation, visit the about page and click the “Leave feedback or request help” link.
Below the lookup tools are three tabs: Session, Shodan, and Project Honeypot. The Session tab is where you can view the activity and event data captured by the honeypots. The event data holds the nitty-gritty payload details of what the offending host was attempting to do. A good way to discover the more interesting payloads is by observing the size of the sessions or RX events. Larger-than-average sessions can be an indicator of more meaningful interaction between the offending host and the honeypot.
The next tab, Shodan, will display port and banner information that has been collected by Shodan. The Project Honeypot tab will display information from Project Honeypot’s block list if the IP address is found in their database.
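To make the "larger than average session" heuristic concrete, here is an added example (my own code, not part of HoneyDB or HoneyPy) that flags sessions whose received-data (RX) volume sits well above the mean for a host's sessions. The session records are constructed sample data; the field names `session`, `remote_host` and `rx_bytes` are assumptions, since the page does not describe HoneyDB's session schema.

```python
"""Flag honeypot sessions with unusually large RX volume (added example, constructed data)."""
from statistics import mean, pstdev

# Constructed sample session records. Field names are assumed, not HoneyDB's schema.
# rx_bytes = total bytes the honeypot received from the remote host during the session.
SAMPLE_SESSIONS = [
    {"session": "s1", "remote_host": "192.0.2.10", "rx_bytes": 0},
    {"session": "s2", "remote_host": "192.0.2.10", "rx_bytes": 14},
    {"session": "s3", "remote_host": "192.0.2.11", "rx_bytes": 12},
    {"session": "s4", "remote_host": "198.51.100.7", "rx_bytes": 2048},
    {"session": "s5", "remote_host": "203.0.113.5", "rx_bytes": 18},
    {"session": "s6", "remote_host": "203.0.113.5", "rx_bytes": 9},
]


def rx_threshold(sessions, sigma=1.0):
    """Return mean + sigma * population stdev of rx_bytes (None if too few sessions)."""
    sizes = [s["rx_bytes"] for s in sessions]
    if len(sizes) < 2:
        return None
    return mean(sizes) + sigma * pstdev(sizes)


def interesting_sessions(sessions, sigma=1.0):
    """Session ids whose RX volume exceeds the threshold, largest first.

    Most scanner traffic is a bare connect or a tiny probe, so a session that
    received far more data than its peers is worth opening in the Session tab.
    """
    threshold = rx_threshold(sessions, sigma)
    if threshold is None:
        return []
    hits = [s for s in sessions if s["rx_bytes"] > threshold]
    hits.sort(key=lambda s: s["rx_bytes"], reverse=True)
    return [s["session"] for s in hits]


def rx_by_host(sessions):
    """Total RX bytes per remote host, so chatty hosts stand out even across small sessions."""
    totals = {}
    for s in sessions:
        totals[s["remote_host"]] = totals.get(s["remote_host"], 0) + s["rx_bytes"]
    return totals


if __name__ == "__main__":
    print("review these sessions:", interesting_sessions(SAMPLE_SESSIONS))
    print("bytes received per host:", rx_by_host(SAMPLE_SESSIONS))
```

The one-standard-deviation cut is deliberately crude; on real data you would want to compute it per service, since a 2 KB session is ordinary for HTTP but remarkable for a telnet honeypot.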
Quick Note on Data Access
As mentioned above, the graphs only display data from the last 24 hours with the exception of the home view graph. To access historical data up to 90 days you will need to create an account. In addition, you will need an account if you want to leverage other features like the HoneyDB API and ThreatBin. Creating an account is easy, you can find more details on account creation here.
Viewing honeypot data in pretty graphs is cool and interesting, but you may want to actually leverage this data by feeding it into your threat analysis systems. Well, there’s an API for that! HoneyDB’s API enables you to consume the honeypot data and aggregated data from the other honeypots on the Twitter threat info list. The API also makes it possible to contribute honeypot data by running your own HoneyPy honeypot!
As of this post there are three basic API endpoints. All responses from the API are in JSON format. Below is an overview of each.
Bad Hosts — A bad host is a host on the Internet that has connected or attempted to connect to one of the honeypots that feed data to HoneyDB. The endpoint returns:
remote_host: the IP address of the offending host.
count: the number of connections made by the offending host.
last_seen: the date of the last time the offending host made a connection.
Since the malicious status of a host can change over time, you can leverage the count and last_seen fields to determine a threshold for aging out bad hosts. This is useful if you are using this data for blocking traffic from these IP addresses. You may not want to continue blocking IP addresses that haven’t generated malicious traffic for some time.
Also note, the Bad Host endpoint currently only returns IP addresses that have been seen within the last 24 hours. This was done to avoid possible performance issues with HoneyDB servers. However, if HoneyDB becomes a popular resource and there is demand for more historical data, then I may need to look into beefing up the servers. :-)
Twitter Threat Feed — Twitter threat feed provides a list of bad hosts that have connected or attempted to connect to the honeypots on this Threat Info Twitter list. With this endpoint there are two ways to query it, either without specifying an IP address or by specifying an IP address.
Without specifying an IP address you’ll get a response that is similar to the Bad Host endpoint above. It will include remote_host, count, and last_seen.
When specifying an IP address, the endpoint will return records for just that IP address. The response will include tweet information from any of the honeypots that have seen activity from the IP address. Fields returned are:
tweet_id: The Twitter ID of the tweet.
created: The timestamp of when the tweet was created.
screen_name: The screen name of the Twitter account that created the tweet.
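The following is an added example (my own code, not HoneyDB's) of consuming the two read endpoints described above: it applies the count/last_seen aging threshold to a Bad Hosts response so that stale hosts drop out of a block list, and it summarises a per-IP Twitter Threat Feed response by which honeypots reported the host and when. Both JSON documents are constructed sample data with the field names from this post; the exact date and timestamp formats are assumptions, as the page does not state them, and no API URL or authentication header is shown because the post does not document them.

```python
"""Apply aging to HoneyDB-style Bad Hosts records and summarise Twitter feed sightings.

Added example with constructed sample responses; the date/timestamp formats are assumed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample Bad Hosts response (fields per the post; date format assumed YYYY-MM-DD).
SAMPLE_BAD_HOSTS = json.dumps([
    {"remote_host": "192.0.2.10",   "count": 412, "last_seen": "2016-05-02"},
    {"remote_host": "192.0.2.11",   "count": 3,   "last_seen": "2016-05-02"},
    {"remote_host": "198.51.100.7", "count": 88,  "last_seen": "2016-04-10"},
    {"remote_host": "203.0.113.5",  "count": 9,   "last_seen": "2016-04-30"},
])

# Constructed sample per-IP Twitter Threat Feed response (timestamp format assumed).
SAMPLE_TWEETS = json.dumps([
    {"tweet_id": "1001", "created": "2016-05-01 10:15:00", "screen_name": "honeypot_a"},
    {"tweet_id": "1002", "created": "2016-05-02 03:40:00", "screen_name": "honeypot_b"},
    {"tweet_id": "1003", "created": "2016-04-28 22:05:00", "screen_name": "honeypot_a"},
])


def select_block_candidates(bad_hosts_json, now, min_count=5, max_age_days=7):
    """Hosts worth blocking: seen at least min_count times and within max_age_days of now.

    Hosts that stop generating traffic age out automatically on the next run, which
    is the point of using count and last_seen rather than the raw host list.
    """
    cutoff = now - timedelta(days=max_age_days)
    keep = []
    for rec in json.loads(bad_hosts_json):
        last_seen = datetime.strptime(rec["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if rec["count"] >= min_count and last_seen >= cutoff:
            keep.append(rec["remote_host"])
    return sorted(keep)


def summarize_sightings(tweets_json):
    """Per-honeypot report counts plus first/last sighting for one IP's tweet records."""
    per_honeypot = {}
    first = last = None
    for tweet in json.loads(tweets_json):
        ts = datetime.strptime(tweet["created"], "%Y-%m-%d %H:%M:%S")
        name = tweet["screen_name"]
        per_honeypot[name] = per_honeypot.get(name, 0) + 1
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    return {"honeypots": per_honeypot, "first_seen": first, "last_seen": last}


if __name__ == "__main__":
    today = datetime(2016, 5, 3, tzinfo=timezone.utc)
    print("7-day block list:", select_block_candidates(SAMPLE_BAD_HOSTS, today))
    print("30-day block list:", select_block_candidates(SAMPLE_BAD_HOSTS, today, max_age_days=30))
    print("sightings:", summarize_sightings(SAMPLE_TWEETS))
```

Because the Bad Hosts endpoint only returns hosts seen in the last 24 hours, a blocking workflow would keep its own store of previously fetched records and re-run the aging filter against that store, rather than against a single day's response.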
The third API endpoint, HoneyPy Sensor, enables you to contribute honeypot data to HoneyDB. This is really awesome so you should really do it! :-) As covered in a previous post, HoneyPy can be configured to post data to HoneyDB, there’s no scripting required on your part. You only need to generate your own API ID and key, and apply it to HoneyPy’s configuration as shown below.
Obviously the more HoneyPy honeypots contributing data, the more information there will be to share!
The Twitter page on HoneyDB is very simple. It is the latest tweets from the numerous honeypots on the Threat Info Twitter list.
ThreatBin is a nifty little feature on HoneyDB. As you are browsing data on HoneyDB you may come across a few hosts that you want to make note of, or you may want to come back later to review them. ThreatBin allows you to save hosts to your “bin”, similar to a bookmark in your browser, so you can easily track and go back to view host details of interest.
After you have logged into your account for the first time your ThreatBin will be empty. But when you view the host details page you’ll see a link “Add to ThreatBin”. Clicking this link adds and saves the IP address to your “bin”.
On the next page you can add some notes, or just click save to complete adding this host to your ThreatBin.
Below is a view of a ThreatBin with numerous hosts.
Whether you are a researcher or defending networks, HoneyDB has several features that can be useful to you. Especially useful is the HoneyDB API, which provides valuable information on maliciously behaving hosts. I hope you’ll find HoneyDB can be another resource in your toolbox, and will consider contributing by operating your own HoneyPy honeypot. If you have questions or feedback, feel free to submit them via the link on the about page.