I have the following logfile

2016-04-29 15:56:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:46055 (172.17.0.2:2222) [session: 3b8d22b5]
2016-04-29 15:56:49+0000 [SSHService ssh-userauth on HoneyPotTransport,28,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 16:11:14+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 52.28.89.99:53059 (172.17.0.2:2222) [session: a6c0fac1]
2016-04-29 16:17:42+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 13.92.114.157:1032 (172.17.0.2:2222) [session: d33e1566]
2016-04-29 19:07:10+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:45178 (172.17.0.6:2222) [session: fafec37d]
2016-04-29 19:07:10+0000 [SSHService ssh-userauth on HoneyPotTransport,0,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 19:42:58+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:56925 (172.17.0.6:2222) [session: 539960a3]
2016-04-29 19:42:58+0000 [SSHService ssh-userauth on HoneyPotTransport,1,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 20:39:03+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:54138 (172.17.0.6:2222) [session: b9f550df]
2016-04-29 20:39:03+0000 [SSHService ssh-userauth on HoneyPotTransport,2,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 21:13:41+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 141.8.83.213:64400 (172.17.0.6:2222) [session: e696835c]
2016-04-29 21:13:59+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test123] failed
2016-04-29 21:14:10+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test1234] failed
2016-04-29 21:14:13+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test123] failed

I want to increment a value called frequency whenever the IP is found and the same username and password are used to log in. For that I want to output the SourcePort, the status (failed/succeeded) and the total number of occurrences of the IP and user/pass combination. So for instance, taking the last three entries, the result would be

Port,Status,Occurrences
64400,failed,2
64400,failed,1

This is the code I have so far

$ip = ""; $port = ""; $usr = ""; $pass = ""; $status = ""; $frequency = 0;
# Given this is a user/pass attempt honeypot logger, I will use a wide character to reduce the possibility of stopping
# the WEKA CSV loader from functioning by using smileyface as separators.
while (my $lines = <LOG2>) {
    if ($lines =~ /New connection/) {
        # after splitting on brackets, whitespace, ':' and parentheses, fields 7 and 8 are the source IP and port
        ($ip, $port) = (split /[\[\]\s:()]+/, $lines)[7,8];
    }
    if ($lines =~ /login attempt/) { # and the ip of the new connection
        if ($lines =~ /\Q$ip\E/) {   # \Q...\E so the dots in the IP are matched literally
            # last three fields after splitting on whitespace, ':', brackets and '/' are user, pass, status
            ($usr, $pass, $status) = (split /[\s:\[\]\/]+/, $lines)[-3,-2,-1];
            # quote the log-derived strings too, so regex metacharacters in a password cannot break the match
            if ($lines =~ /\Q$ip\E/ && $lines =~ /\Q$usr\E/ && $lines =~ /\Q$pass\E/) {
                $frequency++;
            }
            if ($ip && $port && $usr && $pass && $status ne "") {
                # $seperator and $end are set earlier in the script (not shown here)
                print FILE2 join "$seperator", ($port, $status, $frequency, $end);
                print FILE2 "\n";
            }
        }
    }
}

This was also cross posted on Stack Overflow
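One way to get the per-combination counts the post asks for, added here as an example and not the poster's code: it counts in a hash keyed on IP, username and password (so each combination gets its own total instead of one running counter), maps each source IP to the port of its most recent "New connection" line, and pulls the fields out with anchored regexes rather than interpolating log-derived strings into a pattern, since an unescaped `$pass` containing `(` or `.` would otherwise abort or mis-match. It assumes Perl 5.10 or later and a comma separator; the embedded log lines are the last four from the post, and the `$combo`/`%port_for` names are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Sample input: the last four Cowrie lines from the post, embedded so this runs stand-alone.
my $log = <<'END_LOG';
2016-04-29 21:13:41+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 141.8.83.213:64400 (172.17.0.6:2222) [session: e696835c]
2016-04-29 21:13:59+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test123] failed
2016-04-29 21:14:10+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test1234] failed
2016-04-29 21:14:13+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test123] failed
END_LOG

my $sep = ',';      # swap for the wide-character separator if WEKA needs it
my %port_for;       # source IP -> source port of its most recent "New connection"
my %combo;          # "ip\0user\0pass" -> { port, status, count }
my @order;          # combinations in first-seen order, so output is stable

open my $in, '<', \$log or die "cannot open in-memory log: $!";
while (my $line = <$in>) {
    chomp $line;

    # Connection line: remember which port this source IP came from.
    if ($line =~ /\bNew connection: ([\d.]+):(\d+) /) {
        $port_for{$1} = $2;
        next;
    }

    # Login line: the IP is the last field of the Twisted prefix, the credential is
    # user/pass inside brackets; the greedy (.*) keeps '/' or ']' inside a password intact.
    if ($line =~ /HoneyPotTransport,\d+,([\d.]+)\] login attempt \[([^\/]*)\/(.*)\] (succeeded|failed)$/) {
        my ($ip, $user, $pass, $status) = ($1, $2, $3, $4);
        my $key = join "\0", $ip, $user, $pass;   # NUL cannot occur in the log fields
        push @order, $key unless exists $combo{$key};
        $combo{$key}{count}++;
        $combo{$key}{status} = $status;                       # status of the latest attempt
        $combo{$key}{port}   = $port_for{$ip} // 'unknown';   # no matching connection seen
    }
}
close $in;

# One row per IP/user/pass combination, as in the expected output.
print join($sep, qw(Port Status Occurrences)), "\n";
for my $key (@order) {
    my $r = $combo{$key};
    print join($sep, $r->{port}, $r->{status}, $r->{count}), "\n";
}
```

Because sessions from the same IP interleave, the port is the one from that IP's latest connection line; if the Twisted connection number were also present on the connection line, keying `%port_for` on it would be exact.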
