Kippo and LongTail

The batch integration of Kippo text logs is moving along, but has pointed out some annoying bugs in my rebuild code. The actual integration of the data into my log files is done (and mostly tested). The problem is that I have been creating lists of IP addresses, Usernames, and Passwords based on “ALL” the old data, and then using those files (passwords.all, for instance) to determine what passwords are new for that day.

Sooooo, I need to nuke those files, and then iterate through the days in order and recreate those files to get new passwords for that day. This is also important for my Trends analysis.

Thankfully I already had “rebuild” code in place, so I just need to do the analysis in that section of code.

Easy, but non-trivial (I hope).

Version 2.0 of LongTail will handle batch AND live feeds from Kippo.

sshPsycho RED, Yellow, and Green, How are they determined?

  1. Could you please tell how you identify IP addresses belonging to the ‘yellow’ and ‘green’ types? Because we also have such a honeypot, and we are interested in extracting ‘yellow’ and ‘green’ type IP addresses.

Short answer here:
======================================
RED attacks

I am identifying the yellow and green types by analyzing the incoming attack patterns for similarities to attacks that came from the 4 sshPsycho IP address ranges.  These are the “Gold” standard.  Just to be clear, those IP address ranges are the following four class C subnets: 103.41.124, 103.41.125, 43.255.190, 43.255.191.  These are the Red portions of the bar chart.
======================================
YELLOW attacks

The yellow portions of the bar chart are what I am calling “Friends of sshPsycho”.  These are IP addresses that have used the exact same attack pattern for at least one attack as an attack that came from sshPsycho.

Another way of saying this is that I have analyzed the data from the attacks to create what I call an “Attack Pattern”.  I have then broken these attack patterns into individual files on my server.  I can then compare ALL of the attack patterns to easily determine which ones are exactly the same.  sshPsycho used the same exact attack patterns multiple times in their attacks.

So, if I see the same attack pattern from a different host, I know that whoever is running the attack from that server has received the tools and the dictionaries they are using from sshPsycho.  I am calling those IP addresses “Friends of sshPsycho” since I do not KNOW if they are the same people or not.  (My feeling is that they are the same group of hackers.)

======================================
GREEN attacks

Green attacks are what I call “Associates of sshPsycho”.  In English this implies a more distant relationship.  To clarify, in English the closeness of a relationship goes from Self -> Spouse -> Family -> Friends -> Associates.

I have analyzed the sshPsycho attacks and have determined several characteristics that only appear in their attacks.  I have also characterized their typical attack patterns.

Specifically, the only places I have seen the passwords “XXXXXX” and “YYYYYY” come from was from sshPsycho.  Again, I have never seen those passwords come from any place besides China and Hong Kong, and mostly from sshPsycho IP addresses.  (I am not specifically mentioning WHICH two passwords they are just to make it a little harder for the bad guys to figure out which two passwords to stop using, but it’s also kind of obvious if you look at the data hard enough).

When I see those passwords, AND it is an attack against ONLY root, I list them as “Associates”.  Coincidentally these have only come from China.

As sshPsycho was being blocked from their main servers, I saw the amount of blue go up in my charts significantly.  This indicates to me that they are still active but using new IP addresses to attack from.  By coloring this set of attacks as green, I was able to show this belief that they are somehow connected to sshPsycho.

======================================
BLUE attacks

There is still a higher than normal number of blue attacks.  Those are attacks from IP addresses that are either other hackers than sshPsycho, or are IP addresses that have not yet shown they are associated with sshPsycho.

As these attacks continue I believe I will be able to move more of the blue IP addresses into the green or yellow sections of the chart.

======================================
HOW AM I DOING THIS?

That’s too hard to explain in a blog entry.  I am (slowly) working on a paper to discuss this issue.  I basically group all attacks against a single host that are closely connected in time and call that an attack pattern.  When there is too much of a gap between attacks, I close the attack pattern and start a new one.

Based on the number of exactly the same attack patterns that I have seen from sshPsycho from multiple IP addresses, I believe it works.
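As an added illustration (not LongTail's own code), here is a Python sketch of the grouping and colouring rules described above: attempts from one source IP are cut into attack patterns wherever the idle gap grows too long, patterns seen from the four sshPsycho ranges become the "gold" set, and other IPs are coloured yellow, green or blue by the rules in the sections above. The 5-minute gap, the record format and the sample records are assumptions; the two tell-tale passwords stay as the post's XXXXXX/YYYYYY placeholders.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
SSHPSYCHO_NETS = [ip_network(n) for n in (  # the four class C ranges the post names ("Red")
    "103.41.124.0/24", "103.41.125.0/24", "43.255.190.0/24", "43.255.191.0/24")]
ASSOCIATE_PASSWORDS = {"XXXXXX", "YYYYYY"}  # redacted in the post; placeholders kept as-is
GAP = timedelta(minutes=5)  # assumed idle gap that closes a pattern; the post gives no value

def is_sshpsycho(ip):
    return any(ip_address(ip) in net for net in SSHPSYCHO_NETS)
def build_patterns(attempts, gap=GAP):
    """Group (ts, src_ip, user, pw) attempts per IP into runs with no idle gap > `gap`."""
    by_ip = {}
    for ts, ip, user, pw in sorted(attempts):
        by_ip.setdefault(ip, []).append((ts, user, pw))
    patterns = []  # list of (src_ip, ((user, pw), ...)) in time order
    for ip, rows in by_ip.items():
        current, last_ts = [], None
        for ts, user, pw in rows:
            if last_ts is not None and ts - last_ts > gap:
                patterns.append((ip, tuple(current)))  # too long a gap: close it, start a new one
                current = []
            current.append((user, pw))
            last_ts = ts
        patterns.append((ip, tuple(current)))
    return patterns

def classify(ip, pattern, gold):  # gold = patterns already seen from sshPsycho addresses
    if is_sshpsycho(ip):
        return "red"
    if pattern in gold:
        return "yellow"  # exact same pattern as sshPsycho: "Friends of sshPsycho"
    if {u for u, _ in pattern} == {"root"} and any(pw in ASSOCIATE_PASSWORDS for _, pw in pattern):
        return "green"   # root-only attack carrying a tell-tale password: "Associates"
    return "blue"

def classify_all(attempts):  # -> [(src_ip, pattern, colour)] for every pattern found
    pats = build_patterns(attempts)
    gold = {p for ip, p in pats if is_sshpsycho(ip)}
    return [(ip, p, classify(ip, p, gold)) for ip, p in pats]

T0 = datetime(2015, 5, 1, 10, 0)
SAMPLE = [  # constructed records, not real honeypot data
    (T0, "103.41.124.10", "root", "123456"),
    (T0 + timedelta(seconds=5), "103.41.124.10", "root", "admin"),
    (T0 + timedelta(minutes=30), "198.51.100.7", "root", "123456"),  # replays the red pattern
    (T0 + timedelta(minutes=30, seconds=4), "198.51.100.7", "root", "admin"),
    (T0 + timedelta(hours=1), "203.0.113.9", "root", "XXXXXX"),  # root only, tell-tale password
    (T0 + timedelta(hours=2), "192.0.2.44", "ubuntu", "ubuntu"),
    (T0 + timedelta(hours=2, minutes=10), "192.0.2.44", "pi", "raspberry"),  # > GAP: new pattern
]
```

Running `classify_all(SAMPLE)` yields one red, one yellow, one green and two blue patterns; the last IP splits into two patterns because its second attempt arrives more than GAP after the first.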