forked from wedaa/LongTail-Log-Analysis
about.shtml
<!--#include virtual="/honey/header.html" -->
<H3>About LongTail</H3>
<P>LongTail is a program that analyzes ssh brute force attacks
and statistically quantifies them based on IP addresses used,
accounts, passwords, AND account/password pairs. It also (what
nobody else is doing at the moment) analyzes attack patterns
for commonality and number of times used.
<P>The main reason behind writing LongTail was to analyze attacks
and to try to find coordination between different IP addresses. The
only non-intrusive way to do that is to compare attack patterns between
websites.
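<P>The two analyses described above, as an added example that is not LongTail's own code: it counts attempts per IP address, account, password and account/password pair, then groups IP addresses whose ordered credential sequences are identical. The record layout, the function names and the choice to treat all attempts from one IP address as a single attack pattern are assumptions made for this example, and the sample records are constructed.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed sample records: (source IP, account, password), in arrival order.
# The tuple layout is an assumption for this example, not LongTail's log format.
SAMPLE = [
    ("192.0.2.10", "root", "123456"),
    ("198.51.100.7", "root", "123456"),
    ("192.0.2.10", "admin", "admin"),
    ("198.51.100.7", "admin", "admin"),
    ("203.0.113.5", "root", "toor"),
    ("192.0.2.10", "pi", "raspberry"),
    ("198.51.100.7", "pi", "raspberry"),
    ("203.0.113.5", "root", "123456"),
]

def quantify(records):
    """Count attempts per IP, account, password and account/password pair."""
    stats = {k: Counter() for k in ("ip", "account", "password", "pair")}
    for ip, account, password in records:
        stats["ip"][ip] += 1
        stats["account"][account] += 1
        stats["password"][password] += 1
        stats["pair"][(account, password)] += 1
    return stats

def fingerprint(attempts):
    """Hash the ordered account/password sequence; length-prefix each field
    so ('ab', 'c') and ('a', 'bc') cannot collide."""
    h = hashlib.sha256()
    for account, password in attempts:
        for field in (account, password):
            data = field.encode("utf-8", "replace")
            h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()

def shared_patterns(records, min_ips=2):
    """Return {fingerprint: sorted IPs} for patterns seen from >= min_ips IPs."""
    per_ip = defaultdict(list)
    for ip, account, password in records:
        per_ip[ip].append((account, password))
    by_pattern = defaultdict(set)
    for ip, attempts in per_ip.items():
        by_pattern[fingerprint(attempts)].add(ip)
    return {fp: sorted(ips) for fp, ips in by_pattern.items() if len(ips) >= min_ips}
```

<P>On the constructed sample, 192.0.2.10 and 198.51.100.7 share one fingerprint because they tried the same credentials in the same order, while 203.0.113.5 stands alone.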
<H3>LongTail Source Code, Reports, and Data are Shared! </H3>
<P>LongTail was written by Eric Wedaa and has been released under GPL V2.
<P>Raw input data from longtail.it.marist.edu will be made available 90 days after it was
collected OR 90 days after the official "opening" of LongTail.it.marist.edu
in order to allow Marist time to analyze the data and report on
the data first.
<P>Data from longtail.it.marist.edu may be used by third parties as long as attribution is
made to Eric Wedaa, LongTail Log Analysis, and Marist College.
Please include a link back to http://longtail.it.marist.edu
<P>Reports made by LongTail from longtail.it.marist.edu may be used by third parties as
long as attribution is made to Eric Wedaa, LongTail Log
Analysis, and Marist College. Please include a link back to http://longtail.it.marist.edu
<H3>But We're Not Sharing Attack Patterns Directly</H3>
<P>Access to Attack Files is restricted.
<P>By publishing attack patterns, I run the risk of contaminating
my data set. If more than one site starts using the same attack
pattern, is it because they are controlled by the same person,
sharing information between attackers, OR did they download the
attack pattern from LongTail and start using the copied attack
pattern?
<P>The only way to prevent that from happening is to restrict
access to attack patterns.
<P>Please contact me if you are a verifiable researcher and I can
share historical data with you after the 90-day window of Marist
College-only access has passed.
<H3>SSH Communications Security Corporation Has Contributed to the LongTail SSH Honeypot</H3>
<P>John Walsh of SSH Communications Security Corporation <A HREF="http://www.ssh.com">www.ssh.com</A> has now contributed code to the LongTail project to enhance the abilities of the LongTail SSH honeypot so that it can now analyze attacks using SSH keys. While there have been anecdotal stories about SSH attacks using stolen SSH keys, the LongTail SSH honeypot is the first honeypot and set of analytics tools to show these attacks on a real-time basis.
<H3>Thanks To All These People</H3>
<P>A big thanks to my co-workers at Marist College, Jeff Kirby, Joseph Augulis, Johannes Sayre, and Martha McConaghy
for their comments and advice (not to mention listening to me talk about it endlessly...), as well as to Marist College
for giving me a place to run my webserver!
<P>Thanks to Simon Bell of <A href="http://securehoney.net/">
http://securehoney.net/</a> for
pointing me towards jpgraph. That one tool made all my graphs
possible.
<P>I learned how to do my slideshow buttons with CSS courtesy of <A href="http://www.xkcd.com/">http://www.xkcd.com/</a>
<H3>Where Can You Talk About LongTail?</H3>
<P>Please feel free to discuss LongTail in the Google Group that I
set up for discussion. :-)
<!--#include virtual="/honey/footer.html" -->