[blog.rayfoo] Infosec, DFIR, tech geekery, thoughts and whatnot

4 Apr 2011

Profiling of persistent SSHD brute force attack

Setting up logging properly and monitoring it regularly lets you know what is really happening with the box you have sitting out there on the internet, and lets you anticipate when bad things are about to happen. One of the warning signs is that someone has been poking around your box, looking for an (easy?) way in.

The natural thing that jumps out at you then is that this someone has been hitting your box in far higher volumes, or for far longer durations, than a legitimate user would, especially on services that should not be accessed by others at all.

This is one example of such access on a Linux box: SSHD brute forcing over a long period of time.

21 Mar 2011

Splunk 4.2

The next version of Splunk is out!

Amongst the new features Splunk is advertising, a quick glance through the new version suggests that the revamped management interface will make administering it (and clusters of it) easier, and that the search and reporting features have been beefed up too!

More to come after I poke around some more, and if I have the time to write something :P

15 Aug 2010

Splunking User Agent strings

Just thought I'd do a quick survey of the kinds of users trying to hit my site, just for the fun of it, heh.

Fired up Splunk to do a quick search over the past 7 days:

index=myblogindex | dedup useragent | fields useragent | sort useragent | format

The format command at the end collapses the result set into a single search string of the form ( ( useragent="..." ) OR ( useragent="..." ) ), which can be copied and massaged further in a text editor (replacing the "in between" strings like  ) OR ( useragent=  with a newline).

I'm still pretty interested (as always) to see how easy it is to profile or "follow" an individual user thanks to the uniqueness of each OS/browser combination's user-agent (UA) string, but that's another story for another exercise, another day...

Here are some of the more interesting UA strings and my notes on them. And these were harvested over a span of only 7 days!

BlackBerry9530/5.0.0.732 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/105

SonyEricssonC905/R1FA Browser/NetFront/3.4 Profile/MIDP-2.1 Configuration/CLDC-1.1 JavaPlatform/JP-8.4.3

T-Mobile Dash Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Smartphone; 320x240;) MSNBOT-MOBILE/1.1 (+http://search.msn.com/msnbot.htm)

Love it when I see mobile browsers' UA strings; wonder how much further I could dig into them in the future...

Flight Deck Bot 1.3 beta (http://www.flightdeckreports.com/bot)

Flight Deck's a game that I recently restarted my tactics experiments with; wonder how exactly they hit my site? No referrers were sent with the requests, but I suspect they came via Twitter. Or was it even the same Flight Deck site? Too lazy to dig further for now :P

Mozilla/4.0 (PSP (PlayStation Portable); 2.00)

PSP...?

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; sbcydsl 3.12; YComp 5.0.0.0; YPC 3.2.0; FunWebProducts; .NET CLR 1.1.4322; ZangoToolbar 4.8.2; yplus 5.1.04b)

It's interesting to see how many people have installed adware/spyware like FunWebProducts. There are other examples in my logs too of such unwanted software that modifies the UA string (ZangoToolbar in the same request above is another), which makes it possible to do detection and statistics on perimeter devices like IDSes, at least for the strains that announce themselves this way...

Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_2 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Mobile/7D11

Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Mobile/7E18

Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Mobile/8A306

Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A306 Safari/6531.22.7

Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16

Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1_3 like Mac OS X; nl-nl) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16

iPhones/iPods/iWhatnot. OS and browser versions all revealed! Now, how about some "automatic" "jailbreaking"? Heh heh heh... not!

SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)

Googlebot using SAMSUNG phones?! Either Google has some wicked architecture to incorporate mobile phones as crawlers, or this is a very confused bot ;) In fact it's deliberate: Googlebot-Mobile sends a real handset's UA prefix so that sites serve it the same mobile version a phone would get, and the giveaway is the Googlebot-Mobile/2.1 token in the "compatible" section.

Wget/1.12 (linux-gnu)

Wget/1.9+cvs-stable (Red Hat modified)

curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3

curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3

When you see your site being fetched by programs like wget and curl from addresses that are not a hosting provider such as Amazon's AWS (pipe the search through Splunk's built-in lookup, | lookup dnslookup clientip OUTPUT clienthost, to get the reverse-DNS name), scripted access is the likely explanation, and when the same fetches arrive from many different IP addresses with residential ISP hostnames, compromised user machines acting as zombies in a botnet are a reasonable bet. The caveat is that wget and curl are also used by perfectly legitimate feed readers and mirroring scripts, so treat the UA string as a lead and the IP/hostname spread as the corroborating evidence, not as proof on its own.
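What the Splunk search above does, plus the tagging done by hand in the commentary, as an added example that is not the post's own code: it dedupes and sorts the user-agent field from combined-format access log lines, counts hits and distinct client IPs per UA (the many-IPs-behind-one-CLI-UA pattern read above as botnet traffic), tags each UA with the categories discussed on this page (mobile handsets, crawlers, wget/curl, toolbar/adware markers), and splits the output of Splunk's format command back into one UA per line instead of doing it in a text editor. The log lines and the marker lists are constructed assumptions, not detection signatures.

```python
"""Survey the user-agent strings in a web access log.

Added example, not code from the original post.  It does offline what the
Splunk search on the page does (dedupe and sort the useragent field), counts
hits and distinct client IPs per UA, tags UAs with the categories the post
comments on, and splits Splunk `format` output back into one UA per line.
The log lines and marker lists are constructed assumptions.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format; the user agent is the last quoted field.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substring markers, matched case-insensitively.  Assumption: good enough for
# a survey of one's own logs; they are not IDS-grade signatures.
TAGS = {
    "mobile": ("iPhone", "iPod", "BlackBerry", "MIDP", "Windows CE", "PSP",
               "SonyEricsson", "SAMSUNG"),
    "bot": ("bot", "crawler", "spider"),
    "cli-fetcher": ("Wget/", "curl/"),
    "adware-marker": ("FunWebProducts", "ZangoToolbar", "YComp", "yplus"),
}

# Constructed sample log: one phone, two wget clients on different IPs, one
# toolbar-laden IE, and Googlebot-Mobile wearing a handset UA.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2010:12:01:02 +0800] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Mobile/8A306"
203.0.113.5 - - [10/Aug/2010:12:01:03 +0800] "GET /style.css HTTP/1.1" 200 910 "http://example.org/" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Mobile/8A306"
198.51.100.23 - - [11/Aug/2010:08:14:55 +0800] "GET /feed HTTP/1.0" 200 22010 "-" "Wget/1.12 (linux-gnu)"
198.51.100.77 - - [12/Aug/2010:21:40:10 +0800] "GET /feed HTTP/1.0" 200 22010 "-" "Wget/1.12 (linux-gnu)"
192.0.2.9 - - [12/Aug/2010:23:05:41 +0800] "GET /post/1 HTTP/1.1" 200 8001 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; ZangoToolbar 4.8.2)"
192.0.2.40 - - [13/Aug/2010:04:00:00 +0800] "GET /robots.txt HTTP/1.1" 200 60 "-" "SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)"
"""


def classify(ua):
    """Return the sorted list of tags whose markers appear in the UA string."""
    low = ua.lower()
    return sorted(tag for tag, markers in TAGS.items()
                  if any(m.lower() in low for m in markers))


def survey(log_text):
    """Equivalent of `dedup useragent | sort useragent`, plus hit counts and
    the distinct client IPs behind each UA.  Many IPs behind one wget/curl
    UA is the pattern the post reads as scripted/botnet traffic."""
    seen = defaultdict(lambda: {"hits": 0, "ips": set()})
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # malformed or non-combined lines are skipped
        entry = seen[m["ua"]]
        entry["hits"] += 1
        entry["ips"].add(m["ip"])
    return {ua: {"hits": e["hits"], "ips": sorted(e["ips"]), "tags": classify(ua)}
            for ua, e in sorted(seen.items())}


def split_format_output(search_string):
    """Turn the single search string produced by Splunk's `format` command,
    e.g. ( ( useragent="a" ) OR ( useragent="b" ) ), back into a list of UAs.
    Backslash-escaped quotes inside a value are kept intact."""
    return re.findall(r'useragent="((?:[^"\\]|\\.)*)"', search_string)


if __name__ == "__main__":
    for ua, info in survey(SAMPLE_LOG).items():
        print(f'{info["hits"]:3d} hits {len(info["ips"]):2d} ip(s) {info["tags"]} {ua}')
```

Running it prints one line per distinct UA; the two Wget hits from two different addresses are the case the text says to corroborate with reverse DNS before calling them zombies.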

Well, that's all for today folks! Feel free to comment/discuss below :)