How do you monitor your honeypot activity


Tomasz Miklas

Aug 16, 2010, 2:26:01 PM8/16/10
to kippo...@googlegroups.com
Hi

Another question... How do you do monitoring of honeypot activity? Read logs, play sessions, etc?

I have a script that emails me on every successful login with the IP and password used, so I know seconds after it happens. That's my first line in fact; then I review logs and ttylogs, look at DLs, etc.

Also what do you do if you go away - say for holiday, and don't have a person to look after honeypot? Leave it to collect data and maintain 'status quo' or turn off and not take the risk?

Just curious what do you do ;)

--
Tomasz Miklas

Jacob Kuehndorf

Aug 16, 2010, 2:36:33 PM8/16/10
to kippo...@googlegroups.com
Since my honeypot sits on an empty server I leave it running all the time no matter what. I haven't set up anything to notify me of a new log, because a day after setting it up my job search got kicked into high gear and I haven't stopped moving since. But the email on a new log is a good idea. I may have to borrow that. :-) Mostly I look at ttylogs and DLs b/c of the lack of time.

- Jacob

jacob.k...@gmail.com
ja...@jacobkuehndorf.com



--
You received this message because you are subscribed to the Google Groups "kippo users" group.
To post to this group, send email to kippo...@googlegroups.com.
To unsubscribe from this group, send email to kippousers+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/kippousers?hl=en.


Tomasz Miklas

Aug 16, 2010, 3:40:18 PM8/16/10
to kippo...@googlegroups.com, kippo...@googlegroups.com
No probs, will bounce my crude solution off the list tmrw ;)

-- 
Tomasz Miklas

Dennis Lemckert

Aug 16, 2010, 4:41:58 PM8/16/10
to kippo...@googlegroups.com
We mostly use a self-written script to gather aggregated data for
statistical study. It breaks it all down to country, time, number of
tries, number of entries etc. When we see an interesting combination,
we take a peek at the log, replay and such. That's basically it.
Usually someone else here monitors the kippo, so my contribution is
just small.


Dennis Lemckert
http://www.dlemckert.nl
Twitter: dlemckert
--

Only two things are infinite: the Universe and human stupidity.
And I'm not sure about the Universe.
- Albert Einstein -

Lifestyle should NOT be a journey to the Grave with the intention of
arriving safely and in an attractive and well preserved body, but
rather to skid in sideways - Chardonnay in one hand - chocolate in the
other - body thoroughly used up, totally worn out and screaming 'WOO
HOO, what a ride!'
- somewhere from the 'net -

PGP Key: 0xF66585F60DDEC3B6
http://pgp.surfnet.nl:11371/pks/lookup?op=index&search=0xF66585F60DDEC3B6

Tomasz Miklas

Aug 17, 2010, 6:08:37 PM8/17/10
to kippo users
In this case my email alerts are really stone age ;)

I used to use tail and grep but have now gone to a perl script that reads
the file just like tail but allows me to add more complicated logic... and
it sends using Net::SMTP so it can auth as any user and use any from
address I need. Good for now but I want to improve it so it doesn't tell
me when somebody just brute-forced a password and logged off (or at
least tried to, love those stale connections) - I'm interested mostly
in those interactive sessions, and for brute-force attempts a mere count
is enough :)

Tomasz
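Putting the two approaches in this thread side by side (the per-login email alert and the aggregated counts), here is an added Python example that is not code from the thread or from the kippo project. It assumes kippo's log line layout of `timestamp [context,session-id,ip] message` with messages of the form `login attempt [user/password] succeeded|failed`, `CMD: ...` and `connection lost`; the sample lines, addresses and SMTP settings are constructed placeholders. It does what Tomasz asks for at the end: a session only produces an email when a command was actually run, plain brute-force logins and failed attempts are only counted per IP, and sessions that never close are flushed as stale instead of being lost.

```python
import re
import smtplib
from collections import Counter
from email.message import EmailMessage

# Constructed sample in the style of kippo's log lines (assumed format; not taken from the thread).
SAMPLE_LOG = """\
2010-08-16 14:20:01+0000 [SSHService ssh-userauth on HoneyPotTransport,7,198.51.100.10] login attempt [root/123456] failed
2010-08-16 14:20:02+0000 [SSHService ssh-userauth on HoneyPotTransport,7,198.51.100.10] login attempt [root/password] succeeded
2010-08-16 14:20:03+0000 [HoneyPotTransport,7,198.51.100.10] connection lost
2010-08-16 14:26:01+0000 [SSHService ssh-userauth on HoneyPotTransport,8,203.0.113.5] login attempt [root/toor] succeeded
2010-08-16 14:26:09+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8,203.0.113.5] CMD: uname -a
2010-08-16 14:26:15+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8,203.0.113.5] CMD: w
2010-08-16 14:27:00+0000 [HoneyPotTransport,8,203.0.113.5] connection lost
2010-08-16 14:30:00+0000 [SSHService ssh-userauth on HoneyPotTransport,9,198.51.100.10] login attempt [admin/admin] failed
2010-08-16 14:30:01+0000 [SSHService ssh-userauth on HoneyPotTransport,9,198.51.100.10] login attempt [admin/admin123] succeeded
"""

# The bracketed context ends in ",<session id>,<ip>"; greedy ctx plus backtracking splits it correctly.
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<ctx>[^\]]*),(?P<sid>\d+),(?P<ip>[\d.]+)\] (?P<msg>.*)$')
LOGIN_RE = re.compile(r'^login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$')


class SessionTracker:
    """Folds kippo log lines into per-session state and classifies each session when it closes."""

    def __init__(self):
        self.sessions = {}            # (session id, ip) -> open session with a successful login
        self.failed = Counter()       # ip -> failed login attempts (brute-force noise, count only)
        self.login_only = Counter()   # ip -> successful logins that never ran a command
        self.alerts = []              # interactive sessions worth an email

    def feed(self, line):
        m = LINE_RE.match(line.rstrip('\n'))
        if not m:
            return                    # lines in other formats are ignored
        key, ip, msg = (m['sid'], m['ip']), m['ip'], m['msg']
        login = LOGIN_RE.match(msg)
        if login:
            if login['result'] == 'failed':
                self.failed[ip] += 1
            else:
                self.sessions[key] = {'ts': m['ts'], 'ip': ip, 'user': login['user'],
                                      'pw': login['pw'], 'cmds': []}
        elif msg.startswith('CMD: ') and key in self.sessions:
            self.sessions[key]['cmds'].append(msg[len('CMD: '):])
        elif msg == 'connection lost' and key in self.sessions:
            self._close(key, stale=False)

    def _close(self, key, stale):
        s = self.sessions.pop(key)
        s['stale'] = stale
        if s['cmds']:
            self.alerts.append(s)     # someone actually typed something: alert
        else:
            self.login_only[s['ip']] += 1

    def flush(self):
        """Close whatever is still open: the stale connections that never send 'connection lost'."""
        for key in list(self.sessions):
            self._close(key, stale=True)


def process_log(text):
    tracker = SessionTracker()
    for line in text.splitlines():
        tracker.feed(line)
    tracker.flush()
    return tracker


def build_alert(session, sender, recipient):
    """Build the email for one interactive session (placeholder addresses; nothing is sent here)."""
    msg = EmailMessage()
    msg['Subject'] = f"[honeypot] interactive session from {session['ip']} ({session['user']})"
    msg['From'], msg['To'] = sender, recipient
    body = [f"Login at {session['ts']} from {session['ip']} as {session['user']}/{session['pw']}",
            "Commands:"] + [f"  $ {c}" for c in session['cmds']]
    if session['stale']:
        body.append("(session never closed; flushed as stale)")
    msg.set_content("\n".join(body))
    return msg


def send_alert(msg, host, user, password):
    """Deliver via authenticated SMTP (the Net::SMTP step in the thread); not called in the demo."""
    with smtplib.SMTP(host) as smtp:
        smtp.starttls()
        smtp.login(user, password)
        smtp.send_message(msg)


if __name__ == '__main__':
    t = process_log(SAMPLE_LOG)
    for s in t.alerts:
        print(build_alert(s, 'kippo@example.invalid', 'me@example.invalid').as_string())
    print("failed attempts per IP:", dict(t.failed))
    print("login-only sessions per IP:", dict(t.login_only))
```

On the constructed sample this emails only the 203.0.113.5 session (two commands), while 198.51.100.10 shows up in the counters alone: two failed attempts and two logins that did nothing, one of them a stale session closed by `flush()`. To follow a live log the way the perl script does, feed each new line from the file into `feed()` and call `flush()` on a timer so stale sessions are still reported.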