Quick and dirty Kippo log parsing

To be fair I haven’t really looked into this too much so I’m sure there may be better solutions out there. Here are a couple of quick one-liners to parse some useful information out of Kippo logs. What’s frustrating me is that there doesn’t seem to be a “standard” format for the log file, so it’s proving a little difficult to parse.

Anyway…here’s the good stuff :)

First of all, I pulled all my logs into a master log file “masterlog”.


Pull hosts from the log file:

This pulls every unique source IP that opened a connection to the honeypot (the “New connection” line is logged before the brute-force attempts start) and writes them to ipcons.txt, which the next two scripts read.

grep -e "New connection" masterlog.log | awk -F" " '{ print $6 }' | awk -F":" '{ print $1 }' | sort | uniq >> ipcons.txt


Pull username attempts per host:

This will pull out a list of all the usernames tried against the server, grouped per source host. The host is matched as the literal ",IP]" that closes the bracket on Kippo’s "login attempt" lines, so a prefix such as 10.0.0.1 cannot pick up lines from 10.0.0.10.

for x in `cat ipcons.txt`; do echo "$x" >> users.txt; grep -F -e ",$x]" masterlog.log | grep -e "login attempt" | awk -F"[" '{ print $3 }' | awk -F"/" '{ print $1 }' | sort | uniq >> users.txt; echo " " >> users.txt; done


Pull passwords per host:

This will pull out a list of all the passwords tried against the server, grouped per source host in the same way.

for x in `cat ipcons.txt`; do echo "$x" >> passwords.txt; grep -F -e ",$x]" masterlog.log | grep -e "login attempt" | awk -F"[" '{ print $3 }' | awk -F"/" '{ print $2 }' | awk -F"]" '{ print $1 }' | sort | uniq >> passwords.txt; echo " " >> passwords.txt; done
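The three extractions above, rewritten as an added example (not code from the original post) so they can be run stand-alone against a small constructed log. It assumes Kippo’s usual kippo.log layout ("New connection: IP:port" lines and "[... HoneyPotTransport,N,IP] login attempt [user/pass] failed|succeeded" lines); the sample entries are made up. It goes a little beyond the one-liners: the source IP is matched as the literal ",IP]" so 10.0.0.1 cannot match 10.0.0.10, and the password is cut out with sed anchored on the trailing "] failed/succeeded", so a password containing "/" or "]" survives where the awk chain would truncate it. The function names (kippo_hosts, kippo_attempts, kippo_users, kippo_passwords) are my own.

```shell
#!/bin/sh
# Added example: Kippo log extraction as shell functions over a constructed sample.

# Constructed sample in Kippo's kippo.log layout (assumption: stock Kippo text log;
# every line here is made up for the example).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2013-04-05 10:05:28+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 10.0.0.1:54321 (192.0.2.10:2222) [session: 1]
2013-04-05 10:05:30+0000 [SSHService ssh-userauth on HoneyPotTransport,1,10.0.0.1] login attempt [root/123456] failed
2013-04-05 10:05:33+0000 [SSHService ssh-userauth on HoneyPotTransport,1,10.0.0.1] login attempt [admin/admin] failed
2013-04-05 10:06:01+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 10.0.0.10:40000 (192.0.2.10:2222) [session: 2]
2013-04-05 10:06:02+0000 [SSHService ssh-userauth on HoneyPotTransport,2,10.0.0.10] login attempt [root/toor] failed
2013-04-05 10:06:04+0000 [SSHService ssh-userauth on HoneyPotTransport,2,10.0.0.10] login attempt [root/p@ss/w]rd] failed
2013-04-05 10:06:05+0000 [SSHService ssh-userauth on HoneyPotTransport,2,10.0.0.10] login attempt [root/123456] succeeded
2013-04-05 10:07:00+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 10.0.0.1:54400 (192.0.2.10:2222) [session: 3]
2013-04-05 10:07:02+0000 [SSHService ssh-userauth on HoneyPotTransport,3,10.0.0.1] login attempt [root/123456] failed
EOF

# Unique source IPs that opened a connection: field 6 of a "New connection" line is
# "IP:port", the same fields the first one-liner uses. $1 is the log file.
kippo_hosts() {
    grep -e "New connection" "$1" | awk '{ print $6 }' | awk -F: '{ print $1 }' | LC_ALL=C sort -u
}

# All "login attempt" lines for one host ($2). The host is matched as the fixed
# string ",IP]" (-F, no regex) so the dots are literal and a prefix IP such as
# 10.0.0.1 does not match 10.0.0.10.
kippo_attempts() {
    grep -F -e ",$2]" "$1" | grep -F -e "login attempt"
}

# Unique usernames tried from one host: everything between "login attempt [" and
# the first "/".
kippo_users() {
    kippo_attempts "$1" "$2" | sed -n 's|.*login attempt \[\([^/]*\)/.*|\1|p' | LC_ALL=C sort -u
}

# Unique passwords tried from one host: everything after the first "/" up to the
# closing "] failed" / "] succeeded", so "/" and "]" inside a password are kept.
kippo_passwords() {
    kippo_attempts "$1" "$2" | sed -n 's|.*login attempt \[[^/]*/\(.*\)] [a-z]*$|\1|p' | LC_ALL=C sort -u
}

# Stand-alone run: one per-host block, the same shape as users.txt / passwords.txt.
for host in $(kippo_hosts "$SAMPLE_LOG"); do
    echo "== $host"
    echo "users:";     kippo_users "$SAMPLE_LOG" "$host"
    echo "passwords:"; kippo_passwords "$SAMPLE_LOG" "$host"
done
```

To use it on a real master log, replace SAMPLE_LOG with the path to masterlog.log; the sort is pinned to the C locale so the output order does not change between machines.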


Ok, so it’s not the cleanest, most efficient way of doing things, but until such time as I can finish up writing the log parser I’ve been “working” on for ages it’ll have to do. If anyone has comments or suggestions please feel free to get in touch.


./m


2 Comments.

  1. Hello Matt. I thought I should inform you…

    I have written a program that generates graphs and extracts geolocation data from Kippo honeypots, called Kippo-Graph. You can find it here: http://bruteforce.gr/kippo-graph

    If you have set up MySQL logging I would appreciate your feedback after giving it a try ;)

    Also here is a simple script to move some very basic stuff from text logs to a MySQL db, useful when you have forgotten to enable MySQL logging and have some text files lying around, or when your VPS/whatever cannot run a MySQL server efficiently (e.g. quite low memory): http://bruteforce.gr/kippo2mysql
    I haven’t got the time to visualize those data (different db/table structures from the default Kippo db used in Kippo-Graph) but I will write a script for some graphs in the future.