Monitoring Honeypots?


AndrewWaite

Nov 19, 2010, 11:31:59 AM
to kippo users
All,

just wondering how you usually monitor your honeypot installations for
service uptime & connectivity?

Obviously usual (remote) method is to connect to a running service and
see if you get the expected response, but doing this with honeypots
will skew the gathered data.

Any suggestions?

--Andrew

Leon v/d Eijk

Nov 19, 2010, 12:39:23 PM
to kippo...@googlegroups.com
I use the ssh service on a high port. I connect to the Apache webserver
using ssh for tunneling. I still screw things up connecting to my
kippo SSH instead from time to time :)


Miguel Jacq

Nov 19, 2010, 6:16:50 PM
to kippo...@googlegroups.com
Hey Andrew,

I run a Nagios server that uses NRPE to do low level service checks on the target host.

The target host listens on port 5666 and the Nagios server tells it what checks to run. Thus the service checks are run locally on the target host and the return codes are sent back to the Nagios server.

Let me know if you are interested, I can provide you with example configurations.

Otherwise google around for Nagios and NRPE. Other examples might include SNMP.

Cheers

Mig

Miguel Jacq

Nov 19, 2010, 9:29:35 PM
to kippo...@googlegroups.com
Hi again Andrew,

I read your original email a bit closer and realised I didn't really answer the question :)

re: where you want to check a service that is actually a honeypot service, yes that'll skew the data.

In the case of SSH (which was really all I was thinking about when I mentioned NRPE), I'd be running the real ssh on a nonstandard port and would check that.

I guess I haven't been in the situation where I've actually monitored the 'fake' ports the honeypot is running - never really thought about it :)

I don't know if there's a real way you could monitor a socket/port without it being aware of it, unless your honeypot was either not logging (and then what's the point) or clever enough to not log traffic coming from a certain IP.

Let me know where you go with it, it will be interesting.

Mig

Tomasz Miklas

Nov 20, 2010, 10:30:19 AM
to kippo...@googlegroups.com, kippo...@googlegroups.com
netstat and pid file + ps results, all wrapped in a shell script (cron), and if the pid is stale the socket should be dead as well; restart kippo.

I stay away from connecting to my own sensors ;)

Btw so far one instance but soon more to follow - my sensors reporting stats to http://tomaszmiklas.pastebin.com/

Will add daily stats soon; for now just the sensor lifetime blob goes up shortly after midnight UTC and expires after 24h.

When I finish I'll share my scripts if you are interested. They are (w)hacky but do work better or worse - good for me anyway ;)

--
Tomasz Miklas
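A minimal version of the cron-driven local check described in the post above, added here as an example (it is not Tomasz's script and not part of kippo). It only treats kippo as up when the pid file names a live process and a TCP listener is bound on the honeypot port, and restarts it otherwise, so the honeypot socket itself is never connected to and no monitoring traffic ends up in the logs. The install directory, the `kippo.pid` name and `start.sh` are assumptions about a typical kippo install; adjust them to yours.

```shell
#!/bin/sh
# Hypothetical kippo watchdog, meant to run from cron every few minutes.
# Paths below are assumptions about a kippo install; override via the environment.
KIPPO_DIR="${KIPPO_DIR:-/opt/kippo}"
PIDFILE="${PIDFILE:-$KIPPO_DIR/kippo.pid}"
LISTEN_PORT="${LISTEN_PORT:-2222}"   # the port kippo listens on, not the real sshd

# Return 0 if the pid file exists and names a process that is still running.
pidfile_alive() {
    pf="$1"
    [ -r "$pf" ] || return 1
    pid=$(tr -dc '0-9' < "$pf")      # tolerate a trailing newline in the file
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null       # signal 0: existence check only
}

# Return 0 if a netstat/ss listing (passed as text) shows a TCP listener on port $2.
# Taking the listing as an argument keeps the parser testable without a live socket.
# Matches ":PORT " or ".PORT " on a LISTEN line, so :2222 does not match port 22.
port_listening_in() {
    listing="$1"; port="$2"
    printf '%s\n' "$listing" | grep LISTEN | grep -E "[:.]${port}[[:space:]]" >/dev/null
}

# Combine both checks against the live system and restart kippo if either fails.
check_and_restart() {
    listing=$(netstat -tln 2>/dev/null || ss -tln 2>/dev/null)
    if pidfile_alive "$PIDFILE" && port_listening_in "$listing" "$LISTEN_PORT"; then
        return 0
    fi
    echo "$(date -u '+%Y-%m-%dT%H:%M:%SZ') kippo down (stale pid or no listener), restarting" >&2
    rm -f "$PIDFILE"                 # stale pid file would otherwise block twistd
    (cd "$KIPPO_DIR" && ./start.sh)  # start.sh as shipped with kippo (assumed)
}

# Only act when invoked as "kippo-watch.sh run", so sourcing the file is side-effect free.
case "${1:-}" in
    run) check_and_restart ;;
esac
```

Install it as e.g. `*/5 * * * * /usr/local/sbin/kippo-watch.sh run` in the crontab of the user kippo runs as.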
