Note: This is an add-on post on top of my Kippo write-up.
Kippo2MySQL
Kippo2MySQL is a simple piece of script that extracts some very basic stats from Kippo’s text-based log files and inserts them into a MySQL database.
My setup already has MySQL logging features enabled by default. Nonetheless, you can still use this script to extract some very basic data from your Kippo’s text-based log files and insert them into a MySQL database.
My Network Setup
So not to add more stuff on my Kippo machine, I have a dedicated machine for analytics work e.g. assessing and analysing the logs.
Note: Do not perceive this as a recommended Kippo setup, it is just to demonstrate that not everything has to be lumped into one single machine.
On your Kippo machine
Make sure your MySQL service is listening on your dedicated network interface. Then, grant authorisation to your analyst(s).
mysql -h 192.168.60.12 -u root -pGRANT SELECT ON kippo.* TO ‘<analyst username>’@’192.168.60.10’ IDENTIFIED BY ‘<password>’;
GRANT CREATE TEMPORARY TABLES ON kippo.* TO ‘<analyst username>’@’192.168.60.10’ IDENTIFIED BY ‘<password>’;
SHOW GRANTS FOR ‘<analyst username>’@’192.168.60.10’;
On your analytics machine, make sure you can access the database:
mysql -h 192.168.60.12 -u <analyst username> -pNow, with the analytics machine all set up, get all the required software before proceeding:
sudo apt-get install python-dev mysql-client libmysqlclient-dev python-pipKippo-Malware
Kippo-Malware is a Python script that downloads all malicious files stored as URLs in your Kippo MySQL database. This is useful in situations e.g. you lost your files or something happened to your Kippo machine, but your database is still intact.
This script is also useful in my type of setup where I only have access to my Kippo database from my analytics machine (and not the files located in the dl/ directory).
Get the required Python packages:
sudo pip install mysql-python pony requests clintGet a copy of Kippo-Malware:
git clone https://github.com/ikoniaris/kippo-malwareTo run Kippo-Malware:
python kippo-malware.py -h
python kippo-malware.py -H 192.168.60.12 -u <analyst username> -p <password> --debugThe script also supports HTTP proxy usage to cover your IP address from malicious servers and custom User-Agent values.
Kippo-Graph
Kippo-Graph is a full-featured script which visualise stats from a Kippo honeypot.
Get the software Kippo-Graph needs:
sudo apt-get install libapache2-mod-php5 php5-mysql php5-gd php5-curlGet your Apache Web server started:
sudo /etc/init.d/apache2 restartGet your Kippo-Graph up and running:
cd /var/www/html
sudo git clone https://github.com/ikoniaris/kippo-graph
chmod 777 generate-graphs
cp config.php.dist config.php
vi config.phpConfigure your Kippo-Graph configuration appropriately. Make sure to be pointing to the correct database, with the right credentials.
Browse to http://<your-web-server>/kippo-graph, and there you have it!
Kippo2ElasticSearch
Kippo2ElasticSearch is a Python script that can be used to transfer data from a Kippo MySQL dataset to an Elasticsearch instance.
Get the necessary packages:
sudo apt-get install libgeoip-dev
sudo pip install geoip pony pyesGet a copy of Kippo2ElasticSearch:
git clone https://github.com/ikoniaris/kippo2elasticsearchConfigure kippo2elasticsearch.py according to your configurations, make sure your Elasticsearch is up and running, and finally – run the Python script:
python kippo2elasticsearch.pyIf you examine the script properly, you’d realised that the script simply takes the results from the following MySQL query, and populate it in an Elasticsearch instance:
SELECT auth.*, sessions.ip, clients.version, sensors.ip
FROM auth
INNER JOIN sessions ON auth.session = sessions.id
INNER JOIN clients ON sessions.client = clients.id
INNER JOIN sensors ON sessions.sensor = sensors.id; With your dataset now on Elasticsearch as an instance, you can visualise some stats using Kibana.
I learned Elasticsearch and Kibana from the very beginning so to play with this. It’s very easy to get the basics right – You just need to dedicate a bit of your time to learn. Elastic provides many comprehensive guides: https://www.elastic.co/guide/index.html.
Author
Emil Tan, Chapter Lead, The Honeynet Project, Singapore Chapter