I am very fond of ElasticSearch as a storage infrastructure and I do believe it is very useful for storing attack data, especially from honeypots. If you follow my blog, you would have seen my first attempts at transferring Kippo’s data to ElasticSearch, or creating Kibana dashboards to visualize SSH attacks. These eventually led to the Kippo2ElasticSearch script, a simple way to transfer your logged Kippo data from MySQL to an ES instance.
But, having just a script (which keeps no state by the way) is not the best way to go about it. So I decided to add ElasticSearch support to Kippo itself. For that purpose I have created a fork of Kippo which is now available for testing. The git repo is hosted on GitHub: https://github.com/ikoniaris/kippo
The way it works is by filling out a new section in Kippo’s config file, where you put all the details regarding your ES instance. An example is shown below:
[database_elasticsearch] host = 127.0.0.1 port = 9200 index = kippo type = auth
Before you use it you will have to install two additional requirements:
- pyes: https://pypi.python.org/pypi/pyes
- GeoIP: https://pypi.python.org/pypi/GeoIP
You then have to make sure the ES service is running and you’re ready to start Kippo. Using this fork, every connection attempt against your honeypot will be logged in your ElasticSearch instance automatically. You can then use the exported dashboard (.json file) from Kippo2ElasticSearch to visualize your data with Kibana. And just a extra note, the logging components of Kippo can be used together, so you can have MySQL and ES logging enabled at the same time.
I have also submitted my changes as a pull request to be included in the official Kippo codebase, hopefully it will be accepted. Until then you can help a lot if you give this fork a try and report back some feedback!
Pingback: Security-Vision » Adding ElasticSearch support to Kippo SSH honeypot()