Time is a commodity I do not have much of, so it has quickly become apparent that my current enthusiasm for logging in and checking my Kippo honeypot every day will eventually wane. While Googling for ideas on what to look for when running Kippo, I came across the blog post "Reviewing Kippo Logs", in which the author, Andrew Waite, provides a script that emails a daily review of the Kippo logs. I will be customising this script to run on my honeypot.
The script is very simple: it emails the number of Kippo sessions recorded in the last day, along with a listing of any files that have appeared in the "dl" download directory (the files attackers fetched via wget once inside the honeypot).
There are a few things I'll be adding to the script over the next week, which I will document here:
- The unique IP addresses making connections, with a whois lookup for each address, reporting back the "inetnum, netname, country, person and e-mail" fields as a small intelligence-gathering exercise;
- Total disk space left, which matters with growing log files and limited space; and
- The size of the kippo.log file itself.
There might be more to add as I work through this project, but I think that is a good start.
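To sketch what those additions look like in practice, here is an added example of a daily review script in the same spirit. It is my own illustration, not Andrew Waite's script or anything shipped with Kippo. It assumes Kippo's default log format, where each new session produces a line of the form `... [kippo.core.honeypot.HoneyPotSSHFactory] New connection: <src-ip>:<port> (<honeypot-ip>:<port>) [session: N]`, and the paths `KIPPO_LOG`, `KIPPO_DL` and the recipient address are hypothetical placeholders. The sample log written by `write_sample_log` is constructed for the example and is not real honeypot traffic.

```shell
#!/bin/sh
# Daily Kippo review (added example; not the original script).
# Hypothetical defaults; override via the environment or edit for your install.
KIPPO_LOG="${KIPPO_LOG:-/opt/kippo/log/kippo.log}"
KIPPO_DL="${KIPPO_DL:-/opt/kippo/dl}"
REPORT_TO="${REPORT_TO:-honeypot@example.invalid}"

# Constructed sample log lines in Kippo's assumed format, for testing offline.
write_sample_log() {  # $1 = destination file
    cat > "$1" <<'EOF'
2013-05-01 02:11:09+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.5:51234 (10.0.0.2:2222) [session: 1]
2013-05-01 02:11:15+0000 [HoneyPotTransport,1,203.0.113.5] login attempt [root/123456] failed
2013-05-01 06:40:02+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.7:40022 (10.0.0.2:2222) [session: 2]
2013-05-01 06:40:09+0000 [HoneyPotTransport,2,198.51.100.7] login attempt [root/password] succeeded
2013-05-01 19:03:44+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.5:52001 (10.0.0.2:2222) [session: 3]
2013-05-02 00:15:30+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.0.2.9:33000 (10.0.0.2:2222) [session: 4]
EOF
}

# Number of sessions: one "New connection:" line per session.
# $1 = log file, $2 = optional date prefix such as 2013-05-01 (empty = all).
count_sessions() {
    grep "^${2:-}.*New connection:" "$1" | wc -l | tr -d ' '
}

# Unique source IPs, one per line, sorted. Only the "New connection" lines
# carry the attacker's address, so other lines are ignored.
unique_ips() {  # $1 = log file
    grep 'New connection:' "$1" \
        | sed 's/.*New connection: \([0-9.]*\):.*/\1/' \
        | sort -u
}

# "<count> <ip>" per source, busiest first: who keeps coming back.
source_counts() {  # $1 = log file
    grep 'New connection:' "$1" \
        | sed 's/.*New connection: \([0-9.]*\):.*/\1/' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# The whois fields of interest. Field names are the RIPE-style ones; other
# RIRs label them differently (e.g. ARIN uses NetRange/OrgName), so widen
# the pattern if your attackers come from elsewhere.
whois_summary() {  # $1 = IP address (needs network access)
    whois "$1" 2>/dev/null \
        | grep -iE '^(inetnum|netname|country|person|e-mail):' \
        | sort -u
}

# Free space on the filesystem holding a path, POSIX df output (no wrapping).
disk_free() {  # $1 = path
    df -Ph "$1" | awk 'NR==2 {print $4 " free, " $5 " used"}'
}

# Size of a file in bytes.
log_size() {  # $1 = file
    wc -c < "$1" | tr -d ' '
}

# Assemble the report for one day.
daily_report() {  # $1 = log file, $2 = download dir, $3 = date prefix
    echo "Kippo sessions on $3: $(count_sessions "$1" "$3")"
    echo "Connections per source IP:"
    source_counts "$1" | sed 's/^/  /'
    echo "whois summary per source IP:"
    unique_ips "$1" | while read -r ip; do
        echo "  $ip"
        whois_summary "$ip" | sed 's/^/      /'
    done
    echo "Files in download directory $2:"
    ls -l "$2" 2>/dev/null || echo "  (none)"
    echo "kippo.log size: $(log_size "$1") bytes"
    echo "Disk: $(disk_free "$(dirname "$1")")"
}

# Intended to run from cron once a day; only sends when KIPPO_SEND is set.
if [ -n "${KIPPO_SEND:-}" ]; then
    daily_report "$KIPPO_LOG" "$KIPPO_DL" "$(date -u +%Y-%m-%d)" \
        | mail -s "Kippo daily report" "$REPORT_TO"
fi
```

Two practical points: the whois lookups go out to the RIRs for every new source address, so keep the recipient list of this email small and do not click anything in the returned contact fields; and because the session count is derived from the "New connection" lines, a log rotation in the middle of the day will silently drop sessions from the earlier file unless the script is pointed at both.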