in reply to Increment frequency of attempts based on IP and login details combination

This should be easy to modify to get what you want. There are some more succinct methods to query deep hashes, cant find the module right now.

while(<DATA>){
        if (/New connection: ([\d\.]+):(\d+)/){
                ($ip,$port) = ($1,$2);
                next;
        }
        chomp;
        if (/login attempt\s+\[(.*)\]\s+(\w+)$/){
                ($user_pass,$status) = ($1,$2);
                $HONEY{$ip}{$port}{$status}{$user_pass} +=1;
                print "DEBUG: Add ip=$ip:$port $status $user_pass\n";
        }
}

for my $ip (keys %HONEY){
        for my $port (keys %{$HONEY{$ip}}){
                for my $user (keys %{$HONEY{$ip}{$port}}){
                        for my $status (keys %{$HONEY{$ip}{$port}}){
                                for my $user_pass (keys %{$HONEY{$ip}{
+$port}{$status}}){
                                        $freq = $HONEY{$ip}{$port}{$st
+atus}{$user_pass};
                                        push(@DATA, "$port,$status,$fr
+eq") ;
                                }
                        }
                }
        }
}

for my $data (sort @DATA){
        print $data . "\n";
}

__DATA__
2016-04-29 15:56:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New
+ connection: 89.248.167.131:46055 (172.17.0.2:2222) [session: 3b8d22b
+5]
2016-04-29 15:56:49+0000 [SSHService ssh-userauth on HoneyPotTransport
+,28,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 16:11:14+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New
+ connection: 52.28.89.99:53059 (172.17.0.2:2222) [session: a6c0fac1]
2016-04-29 16:17:42+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New
+ connection: 13.92.114.157:1032 (172.17.0.2:2222) [session: d33e1566]
2016-04-29 19:07:10+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New
+ connection: 89.248.167.131:45178 (172.17.0.6:2222) [session: fafec37
+d]
2016-04-29 19:07:10+0000 [SSHService ssh-userauth on HoneyPotTransport
+,0,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 19:42:58+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New
+ connection: 89.248.167.131:56925 (172.17.0.6:2222) [session: 539960a
+3]
2016-04-29 19:42:58+0000 [SSHService ssh-userauth on HoneyPotTransport
+,1,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 20:39:03+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New
+ connection: 89.248.167.131:54138 (172.17.0.6:2222) [session: b9f550d
+f]
2016-04-29 20:39:03+0000 [SSHService ssh-userauth on HoneyPotTransport
+,2,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 21:13:41+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New
+ connection: 141.8.83.213:64400 (172.17.0.6:2222) [session: e696835c]
2016-04-29 21:13:59+0000 [SSHService ssh-userauth on HoneyPotTransport
+,3,141.8.83.213] login attempt [user1/test123] failed
2016-04-29 21:14:10+0000 [SSHService ssh-userauth on HoneyPotTransport
+,3,141.8.83.213] login attempt [user1/test1234] failed
2016-04-29 21:14:13+0000 [SSHService ssh-userauth on HoneyPotTransport
+,3,141.8.83.213] login attempt [user1/test123] failed

[download]
  • Comment on Re: Increment frequency of attempts based on IP and login details combination
  • Download Code

Replies are listed 'Best First'.
Re^2: Increment frequency of attempts based on IP and login details combination
by Laurent_R (Canon) on Apr 30, 2016 at 19:13 UTC
    Depending on how is is going to be used, it may not be necessary to build deeply nested hashes, as a composite key can often render the same service and make things easier.

    For example, 

    $HONEY{$ip}{$port}{$status}{$user_pass} +=1;

    [download]
    might be replaced by: 
    $HONEY{"$ip;$port;$status;$user_pass"} ++;

    [download]
    but it really depends on how it's gonna be used.
[reply]
[d/l]
[select]
Re^2: Increment frequency of attempts based on IP and login details combination
by Laurent_R (Canon) on Apr 30, 2016 at 21:55 UTC
    Just another way of iterating on a deeply nested hash which does not need to go back to the original hash each time (a made up example) 
    use strict;
use warnings;
use Data::Dumper;


my %hash;
my $count = 0;

# populating a deeply nested hash
for my $ip (qw <ip1 ip2 ip3>) {
    for my $port ( qw <port1 port2 port3>) {
        for my $status (qw <stat1 stat2>) {
            for my $user (qw <user1 user2 user3>) {
                $hash{$ip}{$port}{$status}{$user} = $count++;  # (just
+ a dummy value for testing)
            }
        }
    }
}

# print Dumper \%hash;

# iterating through the nested hash
for my $nest0 (values %hash) {
    while (my ($port, $nest1) = each %$nest0) {        
        while (my ($status, $nest2) = each %$nest1) {
            for my $freq (values %$nest2) {
                print "$port\t$status\t$freq\n";
            }
        }
    }
}

    [download]
    Note: I use each when I need both the key and the sub-hash ref (because I need to print the key) and values when I only need to dive one step further into the nested structure. But, for some reason, a for loop with each seems to behave inconsistently (incomplete results) on my Perl version, so I used a while loop for the cases with each. I think to remember from the past there was a bug at some point on each, maybe my version of Perl is one of them. Well, anyway, replacing the for loop by a while loop solves the issue.

    This prints in part: 

    port2   stat2   9
port2   stat2   11
port2   stat2   10
port2   stat1   6
port2   stat1   8
port2   stat1   7
port3   stat2   15
port3   stat2   17
port3   stat2   16
port3   stat1   12
port3   stat1   14
port3   stat1   13
port1   stat2   3
port1   stat2   5
port1   stat2   4
port1   stat1   0
port1   stat1   2
.....

    [download]
[reply]
[d/l]
[select]
Re^2: Increment frequency of attempts based on IP and login details combination
by firepro20 (Novice) on May 01, 2016 at 10:11 UTC

    I tried what you suggested but the argument for the loop was read from a file like so

    #!/usr/bin/perl

$log = "/home/tsec/prototype/logs/extractedlogs/cowrieresult.log";

open(DATA, $log) or die "Can't open '$log': $!";

sub tester(){

while(<DATA>){
        if (/New connection: ([\d\.]+):(\d+)/){
                ($ip,$port) = ($1,$2);
                next;
        }
        chomp;
        if (/login attempt\s+\[(.*)\]\s+(\w+)$/){
                ($user_pass,$status) = ($1,$2);
                $HONEY{$ip}{$port}{$status}{$user_pass} +=1;
                print "DEBUG: Add ip=$ip:$port $status $user_pass\n";
        }
}

for my $ip (keys %HONEY){
        for my $port (keys %{$HONEY{$ip}}){
                for my $user (keys %{$HONEY{$ip}{$port}}){
                        for my $status (keys %{$HONEY{$ip}{$port}}){
                                for my $user_pass (keys %{$HONEY{$ip}{
+$port}{$status}}){
                                        $freq = $HONEY{$ip}{$port}{$st
+atus}{$user_pass};
                                        push(@DATA, "$port,$status,$fr
+eq") ;
                                }
                        }
                }
        }
}

for my $data (sort @DATA){
        print $data . "\n";
}


}

    [download]

    Unfortunately nothing was outputted on the screen. Also if I use stict and warnings it says that variables requires explicit package name and other errors as well as shown below

    Variable "@DATA" is not imported at ./test2.prg line 31.
Variable "@DATA" is not imported at ./test2.prg line 38.
Global symbol "$log" requires explicit package name at ./test2.prg lin
+e 6.
Global symbol "$log" requires explicit package name at ./test2.prg lin
+e 8.
Global symbol "$log" requires explicit package name at ./test2.prg lin
+e 8.
Global symbol "$ip" requires explicit package name at ./test2.prg line
+ 14.
Global symbol "$port" requires explicit package name at ./test2.prg li
+ne 14.
Global symbol "$user_pass" requires explicit package name at ./test2.p
+rg line 19.
Global symbol "$status" requires explicit package name at ./test2.prg 
+line 19.
Global symbol "%HONEY" requires explicit package name at ./test2.prg l
+ine 20.
Global symbol "$ip" requires explicit package name at ./test2.prg line
+ 20.
Global symbol "$port" requires explicit package name at ./test2.prg li
+ne 20.
Global symbol "$status" requires explicit package name at ./test2.prg 
+line 20.
Global symbol "$user_pass" requires explicit package name at ./test2.p
+rg line 20.
Global symbol "$ip" requires explicit package name at ./test2.prg line
+ 21.
Global symbol "$port" requires explicit package name at ./test2.prg li
+ne 21.
Global symbol "$status" requires explicit package name at ./test2.prg 
+line 21.
Global symbol "$user_pass" requires explicit package name at ./test2.p
+rg line 21.
Global symbol "%HONEY" requires explicit package name at ./test2.prg l
+ine 25.
Global symbol "%HONEY" requires explicit package name at ./test2.prg l
+ine 26.
Global symbol "%HONEY" requires explicit package name at ./test2.prg l
+ine 27.
Global symbol "%HONEY" requires explicit package name at ./test2.prg l
+ine 28.
Global symbol "%HONEY" requires explicit package name at ./test2.prg l
+ine 29.
Global symbol "$freq" requires explicit package name at ./test2.prg li
+ne 30.
Global symbol "%HONEY" requires explicit package name at ./test2.prg l
+ine 30.
Global symbol "@DATA" requires explicit package name at ./test2.prg li
+ne 31.
Global symbol "$freq" requires explicit package name at ./test2.prg li
+ne 31.
Global symbol "@DATA" requires explicit package name at ./test2.prg li
+ne 38.
Execution of ./test2.prg aborted due to compilation errors.

    [download]
[reply]
[d/l]
[select]

      Hello firepro20,

      Unfortunately nothing was outputted on the screen.

      A big part of the problem here is simply the layout, which makes it hard to see the structure of the code. With a bit of indentation:

      $log = "/home/tsec/prototype/logs/extractedlogs/cowrieresult.log";

open(DATA, $log) or die "Can't open '$log': $!";

sub tester()
{
    while(<DATA>){
        ...
    }

    for my $ip (keys %HONEY){
        ...
    }

    for my $data (sort @DATA){
        ...
    }
}

      [download]

      See the problem now? sub tester is defined, but never called! You have to invoke the sub:

      my $log = '/home/tsec/prototype/logs/extractedlogs/cowrieresult.log';
open(my $data, '<', $log) or die "Can't open '$log' for reading: $!";
tester($data);
close  $data              or die "Can't close '$log': $!";

sub tester
{
    my ($fh) = @_;

    while (<$fh>) {
        ...
    }
    ...
}

      [download]

      and then you should see the output you were expecting. Some notes:

      • Prefer the 3-argument form of open (it’s clearer and safer).
      • For filehandles, prefer lexical variables to barewords. Also, avoid using DATA for files, because this will confuse readers of your code: they will expect it to have its pre-defined meaning.
      • Pass arguments to subroutines explictly via @_.
      • Don’t use subroutine prototypes unless you have a good reason. In sub tester() the () is a prototype specifying that the sub takes no arguments.

      Hope that helps,

      Athanasius <°(((><contra mundum Iustus alius egestas vitae, eros Piratica,

[reply]
[d/l]
[select]

      So, what did you try to fix those errors? Hint: my.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
[reply]

In Section Seekers of Perl Wisdom