2016-04-29 15:56:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:46055 (172.17.0.2:2222) [session: 3b8d22b5]
2016-04-29 15:56:49+0000 [SSHService ssh-userauth on HoneyPotTransport,28,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 16:11:14+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 52.28.89.99:53059 (172.17.0.2:2222) [session: a6c0fac1]
2016-04-29 16:17:42+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 13.92.114.157:1032 (172.17.0.2:2222) [session: d33e1566]
2016-04-29 19:07:10+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:45178 (172.17.0.6:2222) [session: fafec37d]
2016-04-29 19:07:10+0000 [SSHService ssh-userauth on HoneyPotTransport,0,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 19:42:58+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:56925 (172.17.0.6:2222) [session: 539960a3]
2016-04-29 19:42:58+0000 [SSHService ssh-userauth on HoneyPotTransport,1,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 20:39:03+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:54138 (172.17.0.6:2222) [session: b9f550df]
2016-04-29 20:39:03+0000 [SSHService ssh-userauth on HoneyPotTransport,2,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 21:13:41+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 141.8.83.213:64400 (172.17.0.6:2222) [session: e696835c]
2016-04-29 21:13:59+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test123] failed
2016-04-29 21:14:10+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test1234] failed
2016-04-29 21:14:13+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test123] failed
####
Port,Status,Occurrences
64400,failed,2
64400,failed,1
####
# Parser state carried from one log line to the next. $ip and $port are filled
# from a "New connection" line; $usr, $pass and $status from a "login attempt"
# line. All five start out as the empty string.
#
# $usr and $pass are copied out of the honeypot log, so their content is chosen
# by whoever connected. The loop below interpolates them (and $ip) into
# patterns such as /$usr/ and /$pass/; without \Q...\E any regex metacharacter
# in a logged credential is interpreted as pattern syntax rather than matched
# literally.
($ip, $port, $usr, $pass, $status) = ("") x 5;

# Count of matched login attempts; it is only ever incremented in the part of
# the loop shown here.
$frequency = 0;
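#Given that this is a honeypot logger for user/password attempts, the logged values are chosen by the
#connecting party and may contain commas or quotes. I will therefore use a wide character (a smiley face)
#as the separator, to reduce the chance of such a value stopping the WEKA CSV loader from functioning.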
while(my $lines = ){
if($lines =~ /New connection/){
($ip, $port) = (split /[\[\]\s:()]+/, $lines)[7,8];
}
if($lines =~ /login attempt/){#and the ip of the new connection
if($lines =~ /$ip/){
($usr, $pass, $status) = (split /[\s:\[\]\/]+/, $lines)[-3,-2,-1];
if($lines =~/$ip/ && $lines =~/$usr/ && $lines =~ /$pass/){
$frequency++
}
if($ip && $port && $usr && $pass && $status ne ""){
print FILE2 join "$seperator",($port, $status, $frequency, $end);
print FILE2 "\n";
}
}
}