LongTail is a program that analyzes ssh brute force attacks and statistically quantifies them by IP address used, account, password, AND account/password pair, and (something nobody else is doing at the moment) analyzes attack patterns for commonality and the number of times each is used.
The main reason for writing LongTail was to analyze attacks and try to find coordination between different IP addresses. The only non-intrusive way to do that is to compare the attack patterns coming from different attacking IP addresses.
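To make that comparison concrete, here is an added example (not LongTail's own code) that quantifies constructed honeypot login records by IP, account, password and pair, derives each IP's attack patterns, and reports the patterns shared across IP addresses. The one-attempt-per-line log format, the rule that a repeated account/password pair starts a new pattern, and the function names are assumptions.

```python
import hashlib
from collections import Counter, defaultdict
# Constructed sample, not real LongTail data: "<ip> <account> <password>" per attempt, in arrival order.
SAMPLE_LOG = """\
203.0.113.5 root 123456
203.0.113.5 admin admin
198.51.100.7 root 123456
198.51.100.7 admin admin
192.0.2.9 ubuntu ubuntu
203.0.113.5 root 123456
203.0.113.5 admin admin
"""

def parse_attempts(text):
    """Return (ip, account, password) tuples; maxsplit keeps spaces inside passwords."""
    rows = [line.split(" ", 2) for line in text.splitlines() if line.strip()]
    return [tuple(r) for r in rows if len(r) == 3]

def quantify(attempts):
    """Attempt counts by IP, account, password and account/password pair."""
    keys = {"ips": lambda a: a[0], "accounts": lambda a: a[1],
            "passwords": lambda a: a[2], "pairs": lambda a: a[1:]}
    return {k: Counter(f(a) for a in attempts) for k, f in keys.items()}

def attack_patterns(attempts):
    """Per IP, split attempts into ordered runs of pairs; a repeated pair starts a new run."""
    done, live = defaultdict(list), defaultdict(list)
    for ip, acct, pw in attempts:
        if (acct, pw) in live[ip]:
            done[ip].append(tuple(live.pop(ip)))
        live[ip].append((acct, pw))
    for ip, pairs in live.items():
        done[ip].append(tuple(pairs))
    return done

def pattern_commonality(runs):
    """Digest of each pattern -> (times used, sorted IPs that used it)."""
    uses, ips = Counter(), defaultdict(set)
    for ip, patterns in runs.items():
        for pat in patterns:
            key = "\n".join(f"{a}\t{p}" for a, p in pat).encode()
            digest = hashlib.sha256(key).hexdigest()[:12]
            uses[digest] += 1
            ips[digest].add(ip)
    return {d: (uses[d], sorted(ips[d])) for d in uses}

def shared_patterns(text):
    """Patterns seen from more than one IP, the coordination signal LongTail looks for."""
    common = pattern_commonality(attack_patterns(parse_attempts(text)))
    return {d: v for d, v in common.items() if len(v[1]) > 1}
```

On the sample, the two-pair pattern is used three times by two different IPs, which is exactly the kind of reuse that makes publishing patterns risky for the data set.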
As of July 2015, LongTail has 6 different organizations and security professionals (including Bard College and SUNY New Paltz) contributing data from 13 honeypots (LongTail and Kippo). (An additional 6 honeypot servers will be online before September.) LongTail now has over 13 million login attempts recorded and over 66 thousand "attack patterns" recorded.
Because of all this raw data, LongTail has been able to categorize and characterize over 100 botnets and botnet fragments. LongTail has also been able to track the blackhats known as sshPsycho (AKA The Hee Thai network) as they have moved from IP address to IP address.
Jim Owens of the Maine Cyber Security Cluster at the University of Southern Maine, author of "A Study of Passwords and Methods Used in Brute-Force SSH Attacks" (http://people.clarkson.edu/~owensjp/pubs/leet08.pdf), has said:
"It's like my project from 2008, combined with a couple of others I'm aware of, all on steroids."
LongTail was written by Eric Wedaa and has been released under GPL V2.
Raw input data from longtail.it.marist.edu will be made available 90 days after it was collected OR 90 days after the official "opening" of LongTail.it.marist.edu, to give Marist time to analyze and report on the data first. Data will be released to educational researchers only.
Data from longtail.it.marist.edu may be used by third parties as long as attribution is made to Eric Wedaa, LongTail Log Analysis, and Marist College. Please include a link back to http://longtail.it.marist.edu
Reports made by LongTail from longtail.it.marist.edu may be used by third parties as long as attribution is made to Eric Wedaa, LongTail Log Analysis, and Marist College. Please include a link back to http://longtail.it.marist.edu
Access to Attack Files is restricted.
By publishing attack patterns, I run the risk of contaminating my data set. If more than one site starts using the same attack pattern, is it because they are controlled by the same person, because attackers are sharing information with each other, OR because they downloaded the attack pattern from LongTail and started using the copy?
The only way to prevent that from happening is to restrict access to attack patterns.
Please contact me if you are a verifiable researcher; I can share historical data with you after the 90-day window of Marist College only access has passed.
John Walsh of SSH Communications Security Corporation (www.ssh.com) has now contributed code to the LongTail project to enhance the LongTail SSH honeypot so that it can now analyze attacks that use SSH keys. While there have been anecdotal stories about SSH attacks using stolen SSH keys, the LongTail SSH honeypot is the first honeypot and set of analytics tools to show these attacks in real time.
A big thanks to my co-workers at Marist College, Jeff Kirby, Joseph Augulis, Johannes Sayre, and Martha McConaghy, for their comments and advice (not to mention listening to me talk about it endlessly...), as well as to Marist College for giving me a place to run my webserver!
A big thanks to David Brangaitis at Bard College and to Paul Chauvet at SUNY New Paltz for all their help setting up and running honeypots.
Thanks to Simon Bell of http://securehoney.net/ for pointing me towards jpgraph. That one tool made all my graphs possible.
I learned how to do my slideshow buttons with CSS courtesy of http://www.xkcd.com/
Fancy graphics are from jpgraph, a PHP-based graphing library.
Country and (eventually) city data are from Maxmind.com under the Creative Commons License. Downloadable databases are at http://dev.maxmind.com/geoip/legacy/geolite/.
Please feel free to discuss LongTail in the Google Group that I set up for discussion. :-)
LongTail Copyright 2015 by Eric Wedaa, under GPLV2