Good evening folks
I thought I’d share a little something about Kippo that I didn’t know until this evening.
I’ve been tinkering with the Kippo log files in an attempt to write some code to parse out useful information. The long term goal is to be able to parse multiple log files from multiple servers and have it all dump to a database to make attack tracking and correlation a little easier. But that’s a story for another evening.
For tracking new connections to the ‘pots I’ve been using what I believe to be a unique session identifier, which should be unique across the log files. It looks a little something like this:
2012-01-01 22:56:13+0200 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: $ATTACKER:42702 ($ADDRESS:$PORT) [session: 32666]
The “session: 32666” is what I’ve been using to pull all the goodies from the log file.
The problem comes in when I combine multiple log files into one big log file for easier parsing (as per my previous post here). It seems that if you restart the Kippo server (huge assumption here) it will recycle old session identifiers. When doing a little script debugging I found that session X had been “repeated” across multiple log files. Not really an issue if you work with the individual Kippo log files, but a bit of a pain in the butt if you do what I do and combine multiple log files into one big file.
It’s no biggie really, it just means I’ll need to do a little error checking in my code (somehow) or work with the individual log files (which could be a little more time consuming).
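One way to do that error checking, as an added example that is not part of the original post: treat every “New connection” line as the start of a new generation of its session id, so a recycled id after a restart gets its own bucket instead of being merged with the earlier session. The “New connection” format is the one quoted above; the assumption that follow-up lines carry the id in a “[HoneyPotTransport,<id>,<ip>]” prefix, and all sample lines and addresses, are constructed for the example.

```python
import re
from collections import defaultdict

# "New connection" line, in the format quoted in the post.
NEW_CONN = re.compile(
    r'^(?P<ts>\S+ \S+) \[kippo\.core\.honeypot\.HoneyPotSSHFactory\] '
    r'New connection: (?P<src>[\d.]+):\d+ \([\d.]+:\d+\) \[session: (?P<sid>\d+)\]$')
# Assumed: follow-up lines carry the id in a "[HoneyPotTransport,<sid>,<src>]" prefix.
TRANSPORT = re.compile(
    r'^(?P<ts>\S+ \S+) \[HoneyPotTransport,(?P<sid>\d+),(?P<src>[\d.]+)\] (?P<msg>.*)$')

# Constructed sample: the same pot before and after a restart, which recycles session 32666.
BEFORE_RESTART = """\
2012-01-01 22:56:13+0200 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.5:42702 (192.0.2.10:2222) [session: 32666]
2012-01-01 22:56:15+0200 [HoneyPotTransport,32666,203.0.113.5] login attempt [root/123456] failed
2012-01-01 22:56:20+0200 [HoneyPotTransport,32666,203.0.113.5] connection lost
""".splitlines()
AFTER_RESTART = """\
2012-01-03 09:12:01+0200 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.77:51000 (192.0.2.10:2222) [session: 32666]
2012-01-03 09:12:04+0200 [HoneyPotTransport,32666,198.51.100.77] login attempt [admin/admin] succeeded
""".splitlines()

def parse_sessions(lines, origin="combined"):
    """Group log lines into sessions keyed by (origin, session id, generation).
    Each "New connection" line for an id opens a new generation of that id."""
    sessions = {}
    generation = defaultdict(int)   # (origin, sid) -> "New connection" lines seen so far
    active = {}                     # (origin, sid) -> key of the currently open session
    for line in lines:
        m = NEW_CONN.match(line)
        if m:
            sid = int(m["sid"])
            generation[(origin, sid)] += 1
            key = (origin, sid, generation[(origin, sid)])
            active[(origin, sid)] = key
            sessions[key] = {"started": m["ts"], "src": m["src"], "events": []}
            continue
        m = TRANSPORT.match(line)
        if m:
            key = active.get((origin, int(m["sid"])))
            if key is None:
                continue  # event with no preceding "New connection": skip rather than guess
            sessions[key]["events"].append((m["ts"], m["msg"]))
    return sessions

if __name__ == "__main__":
    for key, s in parse_sessions(BEFORE_RESTART + AFTER_RESTART).items():
        print(key, s["started"], s["src"], len(s["events"]), "events")
```

Keying on the originating log file or pot via `origin` as well keeps ids from different servers apart when several pots' logs are merged into one file.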
I just thought I’d share this in case anyone else is doing something similar to me.
If I’m horribly mistaken, please feel free to get in touch.
./matt