Note: This is an add-on post on top of my Kippo write-up.
Kippo2MySQL is a simple piece of script that extracts some very basic stats from Kippo’s text-based log files and inserts them into a MySQL database.
My setup already has MySQL logging features enabled by default. Nonetheless, you can still use this script to extract some very basic data from your Kippo’s text-based log files and insert them into a MySQL database.
My Network Setup
So not to add more stuff on my Kippo machine, I have a dedicated machine for analytics work e.g. assessing and analysing the logs.
Note: Do not perceive this as a recommended Kippo setup, it is just to demonstrate that not everything has to be lumped into one single machine.
On your Kippo machine
Make sure your MySQL service is listening on your dedicated network interface. Then, grant authorisation to your analyst(s).
mysql -h 192.168.60.12 -u root -p
GRANT SELECT ON kippo.* TO ‘<analyst username>’@’192.168.60.10’ IDENTIFIED BY ‘<password>’;
GRANT CREATE TEMPORARY TABLES ON kippo.* TO ‘<analyst username>’@’192.168.60.10’ IDENTIFIED BY ‘<password>’;
SHOW GRANTS FOR ‘<analyst username>’@’192.168.60.10’;
On your analytics machine, make sure you can access the database:
mysql -h 192.168.60.12 -u <analyst username> -p
Now, with the analytics machine all set up, get all the required software before proceeding:
sudo apt-get install python-dev mysql-client libmysqlclient-dev python-pip
Kippo-Malware is a Python script that downloads all malicious files stored as URLs in your Kippo MySQL database. This is useful in situations e.g. you lost your files or something happened to your Kippo machine, but your database is still intact.
This script is also useful in my type of setup where I only have access to my Kippo database from my analytics machine (and not the files located in the dl/ directory).
Get the required Python packages:
sudo pip install mysql-python pony requests clint
Get a copy of Kippo-Malware:
git clone https://github.com/ikoniaris/kippo-malware
To run Kippo-Malware:
python kippo-malware.py -h
python kippo-malware.py -H 192.168.60.12 -u <analyst username> -p <password> --debug
The script also supports HTTP proxy usage to cover your IP address from malicious servers and custom User-Agent values.
Kippo-Graph is a full-featured script which visualise stats from a Kippo honeypot.
Get the software Kippo-Graph needs:
sudo apt-get install libapache2-mod-php5 php5-mysql php5-gd php5-curl
Get your Apache Web server started:
sudo /etc/init.d/apache2 restart
Get your Kippo-Graph up and running:
sudo git clone https://github.com/ikoniaris/kippo-graph
chmod 777 generate-graphs
cp config.php.dist config.php
Configure your Kippo-Graph configuration appropriately. Make sure to be pointing to the correct database, with the right credentials.
Browse to http://<your-web-server>/kippo-graph, and there you have it!
Get the necessary packages:
sudo apt-get install libgeoip-dev
sudo pip install geoip pony pyes
Get a copy of Kippo2ElasticSearch:
git clone https://github.com/ikoniaris/kippo2elasticsearch
Configure kippo2elasticsearch.py according to your configurations, make sure your Elasticsearch is up and running, and finally – run the Python script:
If you examine the script properly, you’d realised that the script simply takes the results from the following MySQL query, and populate it in an Elasticsearch instance:
SELECT auth.*, sessions.ip, clients.version, sensors.ip
INNER JOIN sessions ON auth.session = sessions.id
INNER JOIN clients ON sessions.client = clients.id
INNER JOIN sensors ON sessions.sensor = sensors.id;
With your dataset now on Elasticsearch as an instance, you can visualise some stats using Kibana.
I learned Elasticsearch and Kibana from the very beginning so to play with this. It’s very easy to get the basics right – You just need to dedicate a bit of your time to learn. Elastic provides many comprehensive guides: https://www.elastic.co/guide/index.html.
Emil Tan, Chapter Lead, The Honeynet Project, Singapore Chapter