Publishing anonymous kippo stats


Tomasz Miklas

Nov 21, 2010, 1:17:49 PM
to kippo users
Hi guys

I've knocked up two small scripts to crawl the logs and generate some
very basic stats. The idea was to anonymously publish those stats
without revealing where the honeypot is. Those would have to go off to
some 'neutral(ish)' place... As for now it goes to a subdomain on
pastebin - http://kippo.pastebin.com/

First upload from one of my sensors will go up today just after
midnight UTC.

If you would care to share your stats, then the scripts are at
http://groups.google.com/group/kippousers/web/pastebin-stats.tar.gz

Install:
1. Download and unpack content in kippo dir
2. Adjust $kippohome and KIPPOHOME variables in both scripts
3. Add cron job for pastebin.sh to run at 23:59

By default kippo instance is identified by md5 hash of kippo.cfg (you
can tell which one is yours!) and expiry date on posts is set to 1 day
- ideally it would be something like a week or so, but pastebin api
doesn't have such options (just several predefined values) so it's one
day or one month. I'll test it a bit more and go with daily stats to
one month I think...

On that note - daily stats highlighted an interesting situation - at
the moment mine show 130 connections today, 128 with ssh library, no
login attempts, so... does that mean that 2 were just port-scans, 128
were actual ssh sessions (banner grabbing?) and that's it?! If so,
then why do I have several hosts doing all those over and over again? If
you have a zombie scanning ports or rather connecting using ssh
library (so you can try to log in), why would you connect over 50
times to the same host? Expecting another banner or what?

What's your guess?

Tomasz

BTW there are more scripts coming soon... sharing is caring ;-)
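
The daily summary described in the post above, sketched as an added example that is not part of the original post and is not Tomasz's script. The log line shapes are assumed from kippo.log, the sample lines are constructed, and the function names `sensor_id` and `daily_stats` are hypothetical. Only counts and the kippo.cfg hash leave the function, so neither the source addresses nor the honeypot's own address reach the published paste.

```python
import hashlib
import re
from collections import Counter

# Constructed sample lines modelled on kippo.log; the exact line shapes are
# an assumption. All addresses come from documentation ranges.
SAMPLE_LOG = """\
2010-11-21 10:00:01+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.0.2.10:40001 (198.51.100.5:2222) [session: 0]
2010-11-21 10:00:02+0000 [HoneyPotTransport,0,192.0.2.10] Remote SSH version: SSH-2.0-libssh-0.1
2010-11-21 10:01:01+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.0.2.10:40002 (198.51.100.5:2222) [session: 1]
2010-11-21 10:01:02+0000 [HoneyPotTransport,1,192.0.2.10] Remote SSH version: SSH-2.0-libssh-0.1
2010-11-21 10:02:01+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.0.2.10:40003 (198.51.100.5:2222) [session: 2]
2010-11-21 10:02:02+0000 [HoneyPotTransport,2,192.0.2.10] Remote SSH version: SSH-2.0-libssh-0.1
2010-11-21 10:03:01+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.0.2.20:51000 (198.51.100.5:2222) [session: 3]
2010-11-21 10:05:01+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.7:33000 (198.51.100.5:2222) [session: 4]
2010-11-21 10:05:02+0000 [HoneyPotTransport,4,203.0.113.7] Remote SSH version: SSH-2.0-libssh-0.1
2010-11-21 10:05:03+0000 [SSHService ssh-userauth on HoneyPotTransport,4,203.0.113.7] login attempt [root/123456] failed
"""

NEW_CONN = re.compile(r"New connection: ([\d.]+):\d+ \(")

def sensor_id(cfg_bytes):
    """Identify the sensor by the MD5 of kippo.cfg, as the post describes."""
    return hashlib.md5(cfg_bytes).hexdigest()

def daily_stats(log_text, cfg_bytes, repeat_threshold=3):
    """Count events; source IPs are used for counting only, never emitted."""
    per_source = Counter()
    banners = logins = 0
    for line in log_text.splitlines():
        match = NEW_CONN.search(line)
        if match:
            per_source[match.group(1)] += 1
        elif "Remote SSH version:" in line:
            banners += 1
        elif "login attempt [" in line:
            logins += 1
    total = sum(per_source.values())
    return {
        "sensor": sensor_id(cfg_bytes),
        "connections": total,
        "ssh_clients": banners,          # sent an SSH version banner
        "no_banner": total - banners,    # connected, never spoke SSH
        "login_attempts": logins,
        "unique_sources": len(per_source),
        "repeat_sources": sum(n >= repeat_threshold for n in per_source.values()),
    }

if __name__ == "__main__":
    print(daily_stats(SAMPLE_LOG, b"[honeypot]\nssh_port = 2222\n"))
```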

Jacob

Nov 21, 2010, 1:42:17 PM
to kippo...@googlegroups.com

Awesome scripts Tomasz, but could you find another place for them to be downloaded from? Google is removing the ability to upload files to Google Groups soon (I think Dec. 1st), and when they turn it off the files will go away. If you want, I can host it on my server.

- Jacob

Tomasz Miklas

Nov 21, 2010, 3:31:04 PM
to kippo users
True... although Google says previously uploaded files will be
available, I will keep copies and most likely open up a github account
where I will keep all the different scripts I write. I'll post the new
location together with updates/new scripts.

Jacob Kuehndorf

Nov 21, 2010, 10:59:18 PM
to kippo...@googlegroups.com
Okay cool. Works for me. I like github. :-)

- Jacob

jacob.k...@gmail.com
ja...@jacobkuehndorf.com

Tomasz Miklas

Nov 28, 2010, 10:55:44 AM
to kippo users
FYI I had a chat with pastebin operators about some features lacking
in their API - you can't delete posts submitted via API. That is about
to change soon...