From 2e4252500dd11b3bc42de306d2a09f891f4860e7 Mon Sep 17 00:00:00 2001
From: Emile <hanemile@protonmail.com>
Date: Thu, 14 Feb 2019 15:45:09 +0100
Subject: added a basic analyzer and a readme

---
 README.md  |  42 +++++++++++++++++-
 analyze.py | 147 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 188 insertions(+), 1 deletion(-)
 create mode 100644 analyze.py

diff --git a/README.md b/README.md
index b711e7b..3799a68 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,43 @@
 # honeypot-log-analyzer
 
-Analyzer the docker honeypot logs
\ No newline at end of file
+Analyzer the docker honeypot logs
+
+## usage:
+
+1. Setup a honeypoy
+2. grab some logs (`docker-compose logs > <filename>.txt`)
+3. run the analyzer (`python3 analyzer.py <filename>.txt`)
+
+```
+> $ python3 analyze.py                                                                                                                 
+Amount of hits processed: [...] 
+-----------------
+Most tried usernames:
+
+[...]
+
+-----------------
+Most tried passwords:
+
+[...]
+
+-----------------
+Most frequent ips:
+
+[...]
+
+-----------------
+Most frequent ports:
+    
+[...]
+
+```
+
+Four images get saved:
+
+| filename | content |
+| -------- | ------- |
+| username.png | histogram of the most used usernames |
+| passwords.png | histogram of the most used passwords |
+| ip.png | histogram of to most used ips |
+| port.png | histogram of the most used ports |
diff --git a/analyze.py b/analyze.py
new file mode 100644
index 0000000..9d151c0
--- /dev/null
+++ b/analyze.py
@@ -0,0 +1,147 @@
+#!/usr/bin/env python3
+import matplotlib.pyplot as plt
+import re
+import operator
+import sys
+
+username_metrics = {}
+ip_metrics = {}
+port_metrics = {}
+password_metrics = {}
+
+counter = 0
+
+with open("password_list.txt", "a") as passwordfile:
+    with open(sys.argv[1]) as data:
+        content = data.readlines()
+        
+        for line in content[3:]:
+            username_ip_port_password = line[43:]
+
+            # Get the username, print it and add it into the username_metrics dict
+
+            username = username_ip_port_password.split("@")[0]
+
+            if username in username_metrics: 
+                username_metrics[username] += 1 
+            else:
+                username_metrics[username] = 1
+
+            # Get the ip, print it and add it into the ip_metrics dict
+
+            ip_port_password = username_ip_port_password.strip(username + "@")
+            ip = ip_port_password.split(":")[0]
+
+            if ip in ip_metrics: 
+                ip_metrics[ip] += 1 
+            else:
+                ip_metrics[ip] = 1
+
+            # Get the port, print it and add it into the port_metrics dict
+
+            port = ip_port_password.split(":")[1]
+
+            if port in port_metrics: 
+                port_metrics[port] += 1 
+            else:
+                port_metrics[port] = 1
+
+            # Get the password, print it and add it into the password_metrics dict
+
+            password = ip_port_password.strip(ip + ":" + port + ": ").split("\'")[1]
+            
+            if password in password_metrics: 
+                password_metrics[password] += 1 
+            else:
+                password_metrics[password] = 1
+
+            # append the password to the passwordfile
+            passwordfile.write(password + "\n")
+
+            counter += 1
+
+print("Amount of hits processed: " + str(counter))
+
+plt.tight_layout()
+
+# plot the most used usernames
+print("-----------------")
+print("Most tried usernames:")
+sorted_username_metrics = sorted(username_metrics.items(), key=operator.itemgetter(1))
+
+username = []
+username_count = []
+
+for item in sorted_username_metrics[-20:]:
+    print("{:<20}{:<10}".format(item[0], item[1]))
+    username.append(item[0])
+    username_count.append(item[1])
+
+plt.bar(username, username_count)
+plt.title("usernames")
+plt.xlabel('username used to login')
+plt.xticks(rotation=90)
+plt.ylabel('amount of attempts')
+plt.savefig("usernames.png", dpi=400, orientation="landscape")
+plt.clf()
+        
+# plot the most used passwords 
+print("-----------------")
+print("Most tried passwords:")
+sorted_password_metrics = sorted(password_metrics.items(), key=operator.itemgetter(1))
+password = []
+password_count = []
+
+for item in sorted_password_metrics[-15:]:
+    print("{:<20}{:<10}".format(item[0], item[1]))
+    password.append(item[0])
+    password_count.append(item[1])
+
+plt.bar(password, password_count)
+plt.title("passwords")
+plt.xlabel('passwords used to login')
+plt.xticks(rotation=90)
+plt.ylabel('amount of attempts')
+plt.savefig("passwords.png", dpi=400, orientation='landscape')
+plt.clf()
+
+# plot the most frequent ips 
+print("-----------------")
+print("Most frequent ips:")
+sorted_ip_metrics = sorted(ip_metrics.items(), key=operator.itemgetter(1))
+ip = []
+ip_count = []
+
+for item in sorted_ip_metrics[-15:]:
+    print("{:<20}{:<10}".format(item[0], item[1]))
+    ip.append(item[0])
+    ip_count.append(item[1])
+
+
+plt.bar(ip, ip_count)
+plt.title("ips")
+plt.xlabel('ip used to login')
+plt.xticks(rotation=90)
+plt.ylabel('amount of attempts')
+plt.savefig("ip.png", dpi=400, orientation='landscape')
+plt.clf()
+
+# plot the most frequent ports 
+print("-----------------")
+print("Most frequent ports:")
+sorted_port_metrics = sorted(port_metrics.items(), key=operator.itemgetter(1))
+port = []
+port_count = []
+
+for item in sorted_port_metrics[-15:]:
+    print("{:<20}{:<10}".format(item[0], item[1]))
+    port.append(item[0])
+    port_count.append(item[1])
+
+plt.bar(port, port_count)
+plt.title("ports")
+plt.xlabel('port used to login')
+plt.xticks(rotation=90)
+plt.ylabel('amount of attempts')
+plt.savefig("port.png", dpi=400, orientation='landscape')
+plt.clf()
-- 
cgit 1.4.1