This list was created possibly mainly to discuss how we can aggregate
our kippo results and have a high level view of what's going on with
our sensors... and sensors of our friends across the world.
1. Centralized approach:
One of the ideas proposed was to use central SQL database for logging
- which is supported by default, but then the question will be who
will hold the data? Remember that with the privilege ;-) come
responsibility - to keep it reliably up and on-line so we can log to
it, search through it and not loose the data if it would go down for
some reason. This is a bit of a burden in my opinion and is not very
'live' approach but anyway, we would need some kind of central DB to
check what's going on, etc.
2. Decentralized approach:
We all run our own databases and send copy of events to other users.
Ideal model for that would be pub-sub kind of things, so people can
subscribe to data feed from the group or maybe even from particular
sensor. That would require fault proof system if possible - to be
honest that's why the bad guys use things like IRC for simple botnets.
We can learn from that :)
We could have a simple script that feeds data over XMPP or even IRC if
needed to be simple... it could the send to several people/bots
(whitelist approach) or to a conference room (like on IRC) or both...
and all of us would have their own copy of all the logs and we could
monitor in real-time what's going on, etc... We could use Google Talk
as transfer medium (you can't beat their uptime hihi) but I'm not sure
if it has conferences as in typical XMPP/jabber server but there is
also IRC as possibility. My vibe is to use free public services and
have sensors/us as clients to it, rather than any of us becoming
service provider for something.
Downsides:
- need to write the script (send our logs, read others and feed to local DB)
- we depend on google talk or other similar service provider (I can
live with that)
- friend or foe - how do we tell them apart?
Upsides:
- less maintenance (infrastructure)
- not exposing central point/database - it doesn't exist
- ability to limit (whitelist/blacklist) who receives our log (by
configuring xmpp destiantions)
- can code something fancy later - say Ajax interface that would feed
off the live chatter stream and produce live dashboard
- development is decentralized, people can write and *share* their own
stuff - corelation/statistics tools that feed data to public, like
@netmenaces by @tliston
- ... I bet I can come up with some more :P
Now... with great power comes great responsibility, so how do we tell
who can connect to the feed?
We want data in real time but don't want the bad guys to be able to
listen to it that easily... otherwise they don't need to fingerprint
honeypot, just listen and alert if they see their own IP - I'm sure
that would get us Pwnie Award nomination in most epic FAIL category
:-> Channel passwords on IRC and sending messages via XMPP to selected
peers makes sense here, although it requires to build trust
relationship - so we trust that the person we send logs to is not the
bad guy.
Thoughts, comments, criticism... I'm all ears.
Tomasz
--
You received this message because you are subscribed to the Google Groups "kippo users" group.
To post to this group, send email to kippo...@googlegroups.com.
To unsubscribe from this group, send email to kippousers+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/kippousers?hl=en.
hi,
I believe that's how Shadowserver works right, but having two separate
report/views
>> kippousers+...@googlegroups.com<kippousers%2Bunsu...@googlegroups.com>
1. Centralized approach:
This is a bit of a burden in my opinion and is not very
'live' approach but anyway, we would need some kind of central DB to
check what's going on, etc.
2. Decentralized approach:
We could have a simple script that feeds data over XMPP or even IRC if
needed to be simple...
Sounds like a good idea, I actually think I have the capacity to host such a set of sites, and the private database for concentrating the data.
On Aug 11, 2010 7:22 PM, "Muhammad Najmi Ahmad Zabidi" <najmi....@gmail.com> wrote:
On 8/12/10, Jacob <three...@gmail.com> wrote:
> When it come to the untrusted watching us we could...
> <http://jacobkuehndorf.com>
> <ja...@jacobkuehndorf.com>
hi,
I believe that's how Shadowserver works right, but having two separate
report/views
>
> On Wed, Aug 11, 2010 at 3:39 PM, Tomasz Miklas
> <miklas...@gmail.com>wrote:
>
>> Hi
>>
>...
>> kippousers+...@googlegroups.com<kippousers%2Bunsu...@googlegroups.com>
>> .
>> For more options, visit this group at
>> http://groups.google.com/group/kippousers?hl=en.
>>...
--
You received this message because you are subscribed to the Google Groups "kippo users" group.
To po...
--
You received this message because you are subscribed to the Google Groups "kippo users" group.
To post to this group, send email to kippo...@googlegroups.com.To unsubscribe from this group, send email to kippousers+...@googlegroups.com.
https://alliance.mwcollect.org/
where there's public statistics and special account views. The
privileged users are able to download the binaries using assigned keys
and through certain period.
There's article on Kojoney networks (hence Kojonet?) here in PDF;
http://packetstormsecurity.org/filedesc/HITB-Ezine-Issue-003.pdf.html
But not in detail, but we can see the pattern though
Forgot to mention one thing: the data transported is xml too.
Events send by dionaea are stuffed into an xml container, so each
messages dionaea sends is xml, therefore it is easy to parse and deal
with, plattform/architecture independent.
Markus