I analyzed cowrie (honeypot) using python pandas
Introduction
This time, it is an article that I tried to analyze the honeypot log using pandas of python. It is a personal play.
What is cowrie?
A cowrie is a security vulnerability in SSH or Telnet that is intentionally created to attack a cracker. (Low dialogue side Pannypot) The introductory article is in the above, so please have a look if you like. https://qiita.com/asmg07/items/73808eee7c960707da2b
Pre-analysis stage (about jaon log)
Before you can analyze the log, you need to understand the contents of the log. Here, pick up only what you need for the time being, not all to introduce.
About the types of eventid (only the ones I used for my analysis)
| eventid | meaning |
|---|---|
| cowrie.login.success | Login was successful |
| cowrie.login.failed | Login failed |
| cowrie.command.input | Command execution succeeded |
| cowrie.command.failed | Command execution failed |
Reference site
https://mogu2itachi.hatenablog.com/entry/2019/03/14/213602
Actual log analysis using pandas
Preface
The environment installs the jupter plugin in vscode and runs the program interactively on vscode.
① Understanding the whole picture
#2020-12-13 About cowrie log analysis
import pandas as pd #Library import
import datetime #Library import
fname = 'cowrie.json' #Read file
access = pd.read_json(fname,lines=True) #Pass through pandas
df=pd.DataFrame(access)
df['timestamp']=pd.to_datetime(df['timestamp'])#Convert time to time format
df #display
Execution result
② Start analysis for each data you want to collect
(1) Extract logs that have been successfully accessed
#Extraction of logs for successful login
df2=df.query('eventid == "cowrie.login.success"') #cowrie.login.Extract only success logs
print("Number of successful logins:"+str(len(df2))) #Display the number of lines (number of lines=Number of successful logins)
password=df2['password'].value_counts() #Visualize which password you are logged in with
password1=df2['password'].value_counts(normalize=True) #Visualize the mode
print(password)
print("Password frequency")
print(password1)
Execution result (partial excerpt)
- Regarding ID, it is assumed that you will be logged in with a default name such as root or admin by default. (1) Extract logs that have been successfully accessed
- Regarding ID, it is assumed that you will be logged in with a default name such as root or admin by default.
#Extraction of logs for successful login
df2=df.query('eventid == "cowrie.login.success"') #cowrie.login.Extract only success logs
print("Number of successful logins:"+str(len(df2))) #Display the number of lines (number of lines=Number of successful logins)
password=df2['password'].value_counts() #Visualize which password you are logged in with
password1=df2['password'].value_counts(normalize=True) #Visualize the mode
print(password)
print("Password frequency")
print(password1)
Execution result (partial excerpt)
(2) Extract the log that failed to access
#Extraction of logs that failed to log in
df2=df.query('eventid == "cowrie.login.failed"')
print("Number of login failures:"+str(len(df2)))
nopassword=df2['password'].value_counts()
nopassword1=df2['password'].value_counts(normalize=True)
print(nopassword)
print("Password frequency")
print(nopassword1)
Execution result (partial excerpt)
(3) Extract the command being executed
#Command that was successfully executed
df1=df.query('eventid == "cowrie.command.input"')
print(df1['input'])
Execution result
Summary and consideration
Summary: Until now, there weren't many articles on cowrie log analysis using python, so I actually tried it and made it an article. Consideration: ① Never use the default root or admin server ID -Actually, you can see that the access itself has failed and succeeded 22,111 times in a day. Using the root or admin ID as it is at port 22 is likely to be the target of an attack. I understand this. ② Setting a simple password is very dangerous -You can see that the password extracted this time is also logged in by entering a relatively simple password! It's dangerous so let's stop. Also, look at the articles on the net and be aware that if you install a server or system without thinking about it, there is a risk that it will be targeted and the server will be easily accessed. Although it has failed this time, it is obvious from the password that login failed that Raspberry Pi, which makes it relatively easy to make your own IoT, is easily targeted by attacks. ③ Look at the command being executed ... In this log, I don't see everything, but I can see that I'm downloading something. Maybe it's malware ...
Finally
This time I only analyzed simple logs, but I hope to create a tool that can analyze continuously in the future. Thank you very much.
Recommended Posts