From 2e4252500dd11b3bc42de306d2a09f891f4860e7 Mon Sep 17 00:00:00 2001
From: Emile
Date: Thu, 14 Feb 2019 15:45:09 +0100
Subject: added a basic analyzer and a readme

---
 README.md  |  42 +++++++++++++++++-
 analyze.py | 147 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 188 insertions(+), 1 deletion(-)
 create mode 100644 analyze.py

diff --git a/README.md b/README.md
index b711e7b..3799a68 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,43 @@
 # honeypot-log-analyzer
-Analyzer the docker honeypot logs
\ No newline at end of file
+Analyzer the docker honeypot logs
+
+## usage:
+
+1. Setup a honeypoy
+2. grab some logs (`docker-compose logs > .txt`)
+3. run the analyzer (`python3 analyzer.py .txt`)
+
+```
+> $ python3 analyze.py
+Amount of hits processed: [...]
+-----------------
+Most tried usernames:
+
+[...]
+
+-----------------
+Most tried passwords:
+
+[...]
+
+-----------------
+Most frequent ips:
+
+[...]
+
+-----------------
+Most frequent ports:
+
+[...]
+
+```
+
+Four images get saved:
+
+| filename | content |
+| -------- | ------- |
+| username.png | histogram of the most used usernames |
+| passwords.png | histogram of the most used passwords |
+| ip.png | histogram of to most used ips |
+| port.png | histogram of the most used ports |
diff --git a/analyze.py b/analyze.py
new file mode 100644
index 0000000..9d151c0
--- /dev/null
+++ b/analyze.py
@@ -0,0 +1,147 @@ +#!/usr/bin/env python3 +import matplotlib.pyplot as plt +import re +import operator +import sys + +username_metrics = {} +ip_metrics = {} +port_metrics = {} +password_metrics = {} + +counter = 0 + +with open("password_list.txt", "a") as passwordfile: + with open(sys.argv[1]) as data: + content = data.readlines() + + for line in content[3:]: + username_ip_port_password = line[43:] + + # Get the username, print it and add it into the username_metrics dict + + username = username_ip_port_password.split("@")[0] + + if username in username_metrics: + username_metrics[username] += 1 + else: + username_metrics[username] = 1 + + # Get the ip, print it and add it into the ip_metrics dict + + ip_port_password = username_ip_port_password.strip(username + "@") + ip = ip_port_password.split(":")[0] + + if ip in ip_metrics: + ip_metrics[ip] += 1 + else: + ip_metrics[ip] = 1 + + # Get the port, print it and add it into the port_metrics dict + + port = ip_port_password.split(":")[1] + + if port in port_metrics: + port_metrics[port] += 1 + else: + port_metrics[port] = 1 + + # Get the password, print it and add it into the password_metrics dict + + password = ip_port_password.strip(ip + ":" + port + ": ").split("\'")[1] + + if password in password_metrics: + password_metrics[password] += 1 + else: + password_metrics[password] = 1 + + # append the password to the passwordfile + passwordfile.write(password + "\n") + + counter += 1 + +print("Amount of hits processed: " + str(counter)) + +plt.tight_layout() + +# plot the most used usernames +print("-----------------") +print("Most tried usernames:") +sorted_username_metrics = sorted(username_metrics.items(), key=operator.itemgetter(1)) + +username = [] +username_count = [] + +for item in sorted_username_metrics[-20:]: + print("{:<20}{:<10}".format(item[0], item[1])) + username.append(item[0]) + username_count.append(item[1]) + +plt.bar(username, username_count) +plt.title("usernames") +plt.xlabel('username used to 
login') +plt.xticks(rotation=90) +plt.ylabel('amount of attempts') +plt.savefig("usernames.png", dpi=400, orientation="landscape") +plt.clf() + +# plot the most used passwords +print("-----------------") +print("Most tried passwords:") +sorted_password_metrics = sorted(password_metrics.items(), key=operator.itemgetter(1)) +password = [] +password_count = [] + +for item in sorted_password_metrics[-15:]: + print("{:<20}{:<10}".format(item[0], item[1])) + password.append(item[0]) + password_count.append(item[1]) + +plt.bar(password, password_count) +plt.title("passwords") +plt.xlabel('passwords used to login') +plt.xticks(rotation=90) +plt.ylabel('amount of attempts') +plt.savefig("passwords.png", dpi=400, orientation='landscape') +plt.clf() + +# plot the most frequent ips +print("-----------------") +print("Most frequent ips:") +sorted_ip_metrics = sorted(ip_metrics.items(), key=operator.itemgetter(1)) +ip = [] +ip_count = [] + +for item in sorted_ip_metrics[-15:]: + print("{:<20}{:<10}".format(item[0], item[1])) + ip.append(item[0]) + ip_count.append(item[1]) + + +plt.bar(ip, ip_count) +plt.title("ips") +plt.xlabel('ip used to login') +plt.xticks(rotation=90) +plt.ylabel('amount of attempts') +plt.savefig("ip.png", dpi=400, orientation='landscape') +plt.clf() + +# plot the most frequent ports +print("-----------------") +print("Most frequent ports:") +sorted_port_metrics = sorted(port_metrics.items(), key=operator.itemgetter(1)) +port = [] +port_count = [] + +for item in sorted_port_metrics[-15:]: + print("{:<20}{:<10}".format(item[0], item[1])) + port.append(item[0]) + port_count.append(item[1]) + +plt.bar(port, port_count) +plt.title("ports") +plt.xlabel('port used to login') +plt.xticks(rotation=90) +plt.ylabel('amount of attempts') +plt.savefig("port.png", dpi=400, orientation='landscape') +plt.clf() -- cgit 1.4.1
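Review bot: Every field the parsing loop extracts is attacker-supplied honeypot input, yet `username_ip_port_password.split("@")[0]`, `ip_port_password.split(":")[1]` and `.split("\'")[1]` assume a fixed line shape, so a single login attempt with an `@` in the username, a `'` in the password, or an IPv6 source address is misattributed or raises IndexError and aborts the whole run before any output or plot is written. The two `str.strip(username + "@")` / `strip(ip + ":" + port + ": ")` calls compound this: `strip` removes a character *set* from both ends, not a prefix, so IPs and passwords that share characters with the username are silently mangled. The same raw strings are then printed with `"{:<20}{:<10}".format(item[0], item[1])` and handed to matplotlib as bar labels, so terminal escape sequences in a captured credential reach the operator's terminal and a `$…$` sequence is, as far as I can tell from matplotlib's default mathtext handling, parsed as math and can fail the plot. I would parse each line with one right-anchored regex (`re` is already imported but unused), count and skip lines that do not match, and print labels as `repr(item[0])`; the layout below is inferred from the slicing, so the pattern needs checking against a real `docker-compose logs` line.

```python
# … unchanged: imports, metric dicts, counter …

# Layout inferred from the original slicing: user@ip:port: 'password'.
# Right-anchored so '@' in usernames and ':' in IPv6 addresses cannot shift fields.
LINE_RE = re.compile(r"(?P<user>.*)@(?P<ip>[^@\s]+):(?P<port>\d+):\s*'(?P<password>.*)'\s*$")
malformed = 0

# … unchanged: with open("password_list.txt", "a") / open(sys.argv[1]), content = data.readlines() …
    for line in content[3:]:
        match = LINE_RE.match(line[43:])
        if match is None:
            malformed += 1  # attacker-shaped line: count it instead of aborting the run
            continue
        username, ip, port, password = match.group("user", "ip", "port", "password")
        # … unchanged: dict updates, passwordfile.write(password + "\n"), counter += 1 …

print("Amount of hits processed: " + str(counter))
print("Lines skipped as malformed: " + str(malformed))
# … unchanged: sorting and plotting, with each label print using repr(item[0]) …
```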