Posts Tagged ‘comp’

Visualizing honeypot activity

Certain honeypot intruders are quite persistently trying to open outbound SSH tunnels, as described in an earlier article. So far I’ve seen a lot of attempts to open tunnels towards mail server TCP ports 25 (SMTP), 465 (SMTPS) and 587 (submission); web servers on TCP ports 80 (HTTP) and 443 (HTTPS); but also several other […]

Honeynet outbound probes

My Cowrie honeypot is now seeing a surge of outbound SSH tunnel probes, both towards different mail servers but also towards a specific web server, probably with the purpose of informing about a successful intrusion. The honeypot has seen outbound attempts before, but not as persistent as with this bot from .ru. Cowrie fakes successful […]

More Logstalgia fun: Honeypot visualization

As the saying goes, when all you have is a hammer, everything looks like a nail. Well, it’s not that bad, but with a tool like Logstalgia available there’s a pretty low threshold for looking for other ways to use it. So why not try visualizing honeypot login activity? I’ve been running a honeypot for […]

Live visualizing Mikrotik firewall traffic with Logstalgia

Previously I’ve written about visualizing firewall activity. Revitalizing a fireplot graphing tool gives a nice day-to-day overview, but after being reminded of Logstalgia in this Imgur post I wanted to give live visualization a shot. Logstalgia is a neat tool for visualizing activity, by feeding it log files or live feeds. It’s originally designed for […]

Logging WordPress activity to OSSEC

Today I came across this blog article, explaining how to make WordPress log suspicious activity to an audit log file, which in turn can be monitored by OSSEC. Everything mentioned in the article was all fine and dandy, until I read the last paragraph: “Note that for this feature to work, you have to use […]

Munin and “Can’t use an undefined value as an ARRAY reference”

I recently came across a rather obscure and vague error in Munin: Can’t use an undefined value as an ARRAY reference at /usr/share/perl5/Munin/Master/HTMLOld.pm   It seems there are quite a few error reports on this, with very different suggestions on how to solve the problem – and for some, the problem was never solved. In […]

Auditd in Ubuntu not listening?

So you planned on using auditd for receiving logs from other auditd installations? And you’re using Ubuntu? Well, it could prove difficult. In the Ubuntu package, the maintainers have chosen – on everyone’s behalf – that no-one needs this. My setup is Ubuntu 14.04 (“Trusty”), with audit version 2.3.2, but it seems this has been […]

Inspirational HTTP access log poetry

Today my IDS reported of suspicious DELETE attempts in one of my web server log files. Upon closer inspection, it turned out to be some poetic web crawler: 151.217.177.200 – – [30/Dec/2015:06:00:36 +0100] “DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard […]

Raspberry Pi controlled mousetrap

Having had a few spare moments this holiday, I’ve been contemplating how to monitor a mousetrap or two in the attic. By doing that I wouldn’t have to go up to the cold attic in vain, but empty and reset the mousetraps only when needed. It occurred to me that since I’ve already got a […]

Localized SSH bruteforce attempts

Lately, my honeypot has seen an upsurge in SSH bruteforce login attempts. Among quite a few attackers, one particular IP address in Italy – 79.0.43.89 – is seen more often than the others. I’m seeing login attempts from this IP on other systems as well, so this is a busy one. What’s funny about this […]