Mar 31 2014

Kippo attack heatmap in seconds using Kibana and Kippo2ElasticSearch

Continuing from my previous post, here is how to create an attack heat map in seconds using the same ElasticSearch + Kibana instance. First we need MaxMind's GeoIP country database. Downloading it by hand is straightforward, although you can skip this step because the repository linked below already ships the file (and note that MaxMind has since retired this legacy GeoLite download URL; current GeoLite2 databases require a free account):

wget -N http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
gunzip GeoIP.dat.gz

This yields a single GeoIP.dat file, a binary IP-to-country database that is queried through MaxMind's C API. The Python binding for that API installs via pip (this step you do need):

pip install GeoIP

Bear in mind that you’ll probably get the “clang: error: unknown argument” failure message but fear not; I have written the solution here if you need it: http://bruteforce.gr/bypassing-clang-error-unknown-argument.html

Next, the script from the previous post has to be modified slightly so that each JSON document carries the attacker's two-letter country code before it is indexed in ElasticSearch. I have decided to pursue this project and publish the code properly (it is poorly written at this stage and serves as an example). So just get the Kippo2ElasticSearch files from GitHub:

git clone https://github.com/ikoniaris/kippo2elasticsearch

The repository includes the GeoIP database, so there is no need to download it yourself. Edit the MySQL and ElasticSearch connection values and you're ready. After importing the data into ElasticSearch, open Kibana and add a new map panel (it expects the field holding the two-letter country codes):

[Image: kibana_kippo_map_1]

And voilà, scroll down and you'll have a heatmap of attacks:

[Image: kibana_kippo_map_2]

Do you really need more convincing about the prospects of a project combining honeypots with ElasticSearch + Kibana? :)
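The enrichment step described above, as an added example in Python 3 (this is not code from Kippo2ElasticSearch or from the original post): take login records in the shape of Kippo's MySQL tables, attach a two-letter country code, and serialize them as an ElasticSearch _bulk body. When the MaxMind binding and GeoIP.dat are present it uses the binding's GeoIP.open() and country_code_by_addr() calls; otherwise it falls back to a constructed prefix table so it runs offline. The sample rows, the RFC 5737 addresses used as attacker IPs, the countries assigned to them, and the kippo/auth index and field names are all my assumptions, not the project's schema.

```python
"""Enrich Kippo login attempts with a GeoIP country code and emit an
ElasticSearch _bulk body. Added example; not code from Kippo2ElasticSearch."""
import ipaddress
import json

try:
    import GeoIP  # MaxMind legacy binding, `pip install GeoIP`; needs GeoIP.dat
except ImportError:  # without it the constructed table below is used instead
    GeoIP = None

# Constructed sample rows (assumption) shaped like a join of Kippo's `sessions`
# and `auth` tables: sensor, source ip, timestamp, username, password, success.
# RFC 5737 documentation ranges stand in for attacker addresses.
SAMPLE_ROWS = [
    ("kippo-1", "203.0.113.7", "2014-03-31T10:15:02", "root", "123456", 0),
    ("kippo-1", "198.51.100.23", "2014-03-31T10:16:44", "admin", "admin", 0),
    ("kippo-2", "10.0.0.5", "2014-03-31T10:17:01", "root", "toor", 1),
    ("kippo-2", "2001:db8::1", "2014-03-31T10:18:12", "root", "root", 0),
    ("kippo-2", "203.0.113.99", "2014-03-31T10:18:30", "root", "password", 0),
]

# Constructed prefix -> country table (assumption): an offline stand-in for
# GeoIP.dat. The country codes are invented, not real geolocation data.
FALLBACK_PREFIXES = [
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
    (ipaddress.ip_network("198.51.100.0/24"), "CN"),
]

# Addresses that can never be geolocated: RFC 1918, loopback, link-local, CGNAT.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def table_lookup(prefixes):
    """Build a lookup(ip) -> code-or-None over a prefix table."""
    def lookup(ip):
        addr = ipaddress.ip_address(ip)
        return next((cc for net, cc in prefixes if addr in net), None)
    return lookup


def geoip_lookup(dat_path):
    """Real lookup through MaxMind's binding; country_code_by_addr() gives
    None (or '--') for blocks the database does not cover."""
    gi = GeoIP.open(dat_path, GeoIP.GEOIP_MEMORY_CACHE)
    return gi.country_code_by_addr


def country_for(ip, lookup):
    """ISO 3166 two-letter code for ip, or None when it cannot be determined."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed value in the database; do not crash the import
        return None
    if addr.version != 4:  # the legacy GeoIP.dat is IPv4-only
        return None
    if any(addr in net for net in NON_ROUTABLE):  # lab logins, sensors behind NAT
        return None
    cc = lookup(ip)
    return cc if cc and cc != "--" else None


def enrich(rows, lookup):
    """Turn raw rows into JSON-ready documents with a `country` field where known."""
    docs = []
    for sensor, ip, ts, user, pw, success in rows:
        doc = {"sensor": sensor, "ip": ip, "@timestamp": ts,
               "username": user, "password": pw, "success": bool(success)}
        cc = country_for(ip, lookup)
        if cc:  # omitted rather than faked, so the map panel only counts real hits
            doc["country"] = cc
        docs.append(doc)
    return docs


def to_bulk(docs, index="kippo", doctype="auth"):
    """Serialize to the ES _bulk format: an action line then a source line per
    doc, newline-terminated as the API requires."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index, "_type": doctype}}))
        lines.append(json.dumps(doc, sort_keys=True))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    lookup = geoip_lookup("GeoIP.dat") if GeoIP else table_lookup(FALLBACK_PREFIXES)
    print(to_bulk(enrich(SAMPLE_ROWS, lookup)))
```

Two details matter for the map: addresses that cannot be geolocated (RFC 1918 test logins, IPv6 against the IPv4-only legacy database, unknown blocks for which the binding returns None or "--") get no country field at all rather than a placeholder value, so they do not show up as a bogus country in the panel; and the bulk body keeps the sensor name on every document, which is what lets the dashboard split the heatmap per Kippo instance.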

For comments, suggestions, fixes, please use the Kippo2ElasticSearch page: http://bruteforce.gr/kippo2elasticsearch


  • Craig Valli

    Yep, my thoughts exactly. Very capable, and it could provide a good front end for monitoring multiple Kippo instances.

    • http://bruteforce.gr/ Ion

      Hello Craig! Right, and if you check out the latest version of the script, i.e. the Kibana dashboard, you can differentiate between sensors/instances easily.

