Hflow2 Data Analysis System

Hflow2 is a data coalescing tool for honeynet/network analysis. It coalesces data from snort, p0f and sebekd into a unified, cross-related data structure stored in a relational database.

A paper with a more detailed description can be found here.

The rationale for building hflow2 was the need for a tool with several features that were not available in other systems. In particular, no existing tool provided sebek-aware and network-aware offline processing. A comparison of hflow2 with other similar systems follows:

Feature                  Hflow2   Hflow + sebekd   sebekd   argus   netflow
Flow Type                Bidi     Bidi             none     Bidi    uni
Sebek Aware              Yes      Yes              Yes      No      No
P0f Aware                Yes      Yes              No       No      No
Content Based marking    Yes      No               No       No      No
Off line                 Yes      No               Yes      Yes     Yes
No runtime dependencies  Yes      No               Yes      Yes     Yes
Fail Stop                Yes      No               Yes      Yes     Yes

Hflow2, however, can appear MUCH slower than systems that only analyze flow data, such as argus or netflow. The main reason this happens with high-interaction honeynet data is that hflow2 also processes sebek data, which can be extremely voluminous: internal tests on idle systems show that sebek data is 40 times larger than non-sebek data. This results in much heavier use of the DB and therefore noticeably worse performance; packet captures with no sebek data should be processed faster than argus v2.

More information can also be found on the original hflow2 website.