Honeysnap is designed to be a command-line tool for parsing single or multiple pcap data files and producing a ‘first-cut’ analysis report that identifies significant events within the processed data. This presents security analysts with a pre-prepared menu of high value network activity, aimed at focusing manual forensic analysis and saving significant incident investigation time. Once you have identified data that interests you, you can then employ other tools for more in depth analysis, such as the Walleye user interface to the Honeywall. Honeysnap is also suitable for manual operation or automation via cron.
- Packet and connection overview.
- Flow extraction of ASCII based communications.
- Protocol decode of the more common Internet communication protocols.
- Binary file transfer extraction.
- Flow summary of inbound and outbound connections.
- Keystroke extraction of ver2 and ver 3 Sebek data.
- Identification and analysis of IRC traffic, including keyword matching.
Version 1.0.6 now decodes the following protocols.
In addtion, the new 1.0.6 version includes
- Socks proxy traffic stats
- User definable filters for the counts
- Improved DNS output
- Fixed bug in file extraction
- A big speed increase in gzip decoding
- Print querying IP for DNS decodes
- Auto-spotting of IRC traffic on any port
- SOCKS decoding
- Fix to the truncation of extracted files
- Includes magicpy in the distribution to solve the problems caused by the original website going away.
You can download Honeysnap here:
Or read more here.