Help with debug mode needed

Ángel González keisial at gmail.com
Fri May 22 09:29:16 AEST 2015


On 21/05/15 02:24, Eric Wedaa wrote:
> All;
>
>    I'm working on an ssh honeypot to analyze botnets, and I'm trying to find the chunk of code that specifies the following (like in Kippo)
>
> TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
> TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] outgoing: aes128-ctr hmac-sha1 none
> TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] incoming: aes128-ctr hmac-sha1 none
>
> I was able to find the section in sshd.c where I can log the client name and port,
> and the section in auth.c where the password is cleartext, but I have no idea what I'm really looking for for finding the protocols.
>
> I honestly have no idea where I should really be looking.  If somebody can point me in the right direction (or send a code fragment) I'd really appreciate it.  I'll post a link back to the mailing list of where everyone else can find the completed code if I get some help.
>
> (BTW: It's live already at http://longtail.it.marist.edu and I've already found and/or analyzed 9 botnets.  Having better information on who's attacking will make it easier I hope to bunch them all together).
>
> (And no, I'm not rising to the bait about tcpwrappers :-) It's decided and done.)
I have a similar "honeypot patch" (available on request), but it doesn't 
include the key algos (I'd consider the SSH client banner even more 
interesting, though).

I will certainly try out your tool. I have too many events with only 
brief processing (not that there are many IP addresses…).
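As an added, standalone example (not code from this thread, from Kippo or from OpenSSH, and it does not show where in sshd.c or the rest of the OpenSSH tree the logging would hook in): a small Python script that parses a client's identification string and SSH_MSG_KEXINIT payload (RFC 4253 sections 4.2 and 7.1), applies the RFC's negotiation rule against a server's offered lists, and formats the three log lines in the shape quoted above. The server offer, the client KEXINIT and the client banner are constructed sample input, not a capture. The parser takes the already-decrypted packet payload; the binary-packet framing of RFC 4253 section 6 is not handled, and the host-key/kex-method compatibility check of section 7.1 is deliberately left out.

```python
import struct

MSG_KEXINIT = 20

# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex", "hostkey",
    "enc_c2s", "enc_s2c",
    "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c",
    "lang_c2s", "lang_s2c",
)


def parse_banner(data):
    """Return the peer's identification string, e.g. 'SSH-2.0-...'.
    RFC 4253 section 4.2 allows other lines before it, so those are skipped."""
    for line in data.split(b"\n"):
        line = line.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            return line.decode("ascii", "replace")
    raise ValueError("no SSH identification string found")


def _name_list(buf, off):
    """Decode one RFC 4251 name-list: uint32 length + comma-separated names."""
    if off + 4 > len(buf):
        raise ValueError("truncated KEXINIT")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated name-list")
    raw = buf[off:off + n].decode("ascii")
    return (raw.split(",") if raw else []), off + n


def parse_kexinit(payload):
    """Parse the decrypted payload of SSH_MSG_KEXINIT into a dict of name lists."""
    if not payload or payload[0] != MSG_KEXINIT:
        raise ValueError("not SSH_MSG_KEXINIT")
    off = 1 + 16                       # message byte + 16-byte random cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        fields[name], off = _name_list(payload, off)
    if off + 5 > len(payload):         # boolean guess flag + uint32 reserved
        raise ValueError("truncated KEXINIT trailer")
    fields["first_kex_packet_follows"] = bool(payload[off])
    return fields


def build_kexinit(fields, cookie=b"\x00" * 16):
    """Serialise a KEXINIT payload; used here only to construct sample input."""
    out = bytes([MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        raw = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + b"\x00\x00\x00\x00"   # first_kex_packet_follows, reserved


def choose(client, server):
    """RFC 4253 section 7.1: the first algorithm in the client's list that
    the server also offers wins, so the client's preference order leaks."""
    for alg in client:
        if alg in server:
            return alg
    return None


def negotiate(client, server):
    """Apply the rule to the eight algorithm lists; None means no common
    algorithm (a real server would disconnect).  The host-key/kex-method
    compatibility requirement of section 7.1 is omitted for brevity."""
    return {name: choose(client[name], server[name]) for name in KEXINIT_FIELDS[:8]}


def honeypot_lines(peer, result):
    """Log lines in the shape quoted in the post ('outgoing' = server-to-client)."""
    return [
        "[%s] kex alg, key alg: %s %s" % (peer, result["kex"], result["hostkey"]),
        "[%s] outgoing: %s %s %s" % (peer, result["enc_s2c"], result["mac_s2c"], result["comp_s2c"]),
        "[%s] incoming: %s %s %s" % (peer, result["enc_c2s"], result["mac_c2s"], result["comp_c2s"]),
    ]


# Constructed sample input (assumption: not a real capture, not a real server config).
SERVER_OFFER = {
    "kex": ["curve25519-sha256@libssh.org", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-rsa", "ecdsa-sha2-nistp256"],
    "enc_c2s": ["aes128-ctr", "aes256-ctr"], "enc_s2c": ["aes128-ctr", "aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"], "mac_s2c": ["hmac-sha2-256", "hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
CLIENT_KEXINIT_BYTES = build_kexinit({
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    "hostkey": ["ssh-rsa", "ssh-dss"],
    "enc_c2s": ["aes128-ctr", "aes256-ctr", "3des-cbc"], "enc_s2c": ["aes128-ctr", "aes256-ctr", "3des-cbc"],
    "mac_c2s": ["hmac-sha1", "hmac-md5"], "mac_s2c": ["hmac-sha1", "hmac-md5"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})
CLIENT_BANNER_BYTES = b"SSH-2.0-libssh2_1.4.3\r\n"   # constructed banner


def demo(peer="203.0.113.5"):
    """Parse the constructed client input and return (banner, negotiation result, log lines)."""
    result = negotiate(parse_kexinit(CLIENT_KEXINIT_BYTES), SERVER_OFFER)
    return parse_banner(CLIENT_BANNER_BYTES), result, honeypot_lines(peer, result)


if __name__ == "__main__":
    banner, _, lines = demo()
    print("client banner:", banner)
    print("\n".join(lines))
```

The point worth noticing in the output is that the client's ordering decides the result: a client that lists diffie-hellman-group1-sha1 first gets it even though the server prefers curve25519, which is exactly why the negotiated algorithms, together with the banner, are useful for clustering the tools behind different attacking addresses.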



More information about the openssh-unix-dev mailing list