Script to send kippo/cowrie login attempt information to https://isc.sans.edu/ssh.html
kippo-pyshield

Script to send kippo/cowrie honeypot login attempt information to https://isc.sans.edu/ssh.html. It can read login attempts from kippo/cowrie log files, or from a MySQL database if your honeypot is also redirecting its logs there.

Adapted from the Perl script published by isc.sans.edu at https://isc.sans.edu/clients/kippo/kippodshield.pl

Installation

  • Edit kipposhield.py and set the values for auth_key and dbshield_userid. Both can be found on your profile page at https://isc.sans.edu/myinfo.html. If you plan to read login attempts from the DB, also set the values for db_name, db_host, db_username and db_password.

  • Install dependencies

    pip install requests tzlocal MySQL-python pytz
    
  • Clone the repository

    git clone https://github.com/jkakavas/kippo-pyshield.git
    
  • Make the script executable

    chmod +x kipposhield.py
    

Usage

./kipposhield.py -h
usage: kipposhield.py [-h] [-db] [-f LOGFILE]

optional arguments:
-h, --help  show this help message and exit
-db         Get login attempts from a database
-f LOGFILE  Get login attemtps from a log file

By default, kipposhield records the timestamp of the last log entry it sent to ISC in a text file in the same directory as kipposhield.py, so that it does not send duplicate entries.

This allows kipposhield.py to be run as a cronjob every few hours, sending only the new entries to ISC.

If you need to bypass this, edit or remove the last_sent file in the current directory.
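As an added example (not the project's own code) of the two mechanisms described above, reading login attempts from a kippo/cowrie text log and skipping everything at or before the last_sent watermark. The log line shape, the sample lines and the helper names are assumptions; the sample log is constructed.

```python
import re
from datetime import datetime

# Assumed kippo/cowrie text-log shape for a login attempt line:
#   <ts+tz> [SSHService ssh-userauth on <Transport>,<id>,<src ip>] login attempt [<user>/<pass>] failed|succeeded
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S*\s+"
    r"\[SSHService ssh-userauth on [^,\]]+,\d+,(?P<src>[\d.]+)\]\s+"
    r"login attempt \[(?P<user>[^/]*)/(?P<password>[^\]]*)\] (?P<result>failed|succeeded)"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"   # format of the timestamp kept in the last_sent file

# Constructed sample log: three login attempts, one unrelated connection line, one more attempt.
SAMPLE_LOG = """\
2015-11-10 11:10:02+0000 [SSHService ssh-userauth on HoneyPotSSHTransport,3,198.51.100.7] login attempt [root/123456] failed
2015-11-10 11:16:46+0000 [SSHService ssh-userauth on HoneyPotSSHTransport,3,198.51.100.7] login attempt [root/password] failed
2015-11-10 12:01:13+0000 [SSHService ssh-userauth on HoneyPotSSHTransport,4,203.0.113.9] login attempt [admin/admin] succeeded
2015-11-10 12:01:14+0000 [cowrie.ssh.factory.CowrieSSHFactory] New connection: 203.0.113.9:51022 (10.0.0.5:2222)
2015-11-10 12:03:00+0000 [SSHService ssh-userauth on HoneyPotSSHTransport,5,203.0.113.9] login attempt [pi/raspberry] failed
"""

def parse_watermark(text):
    """Turn the contents of the last_sent file into a datetime (None if the file is empty/missing)."""
    text = (text or "").strip()
    return datetime.strptime(text, TS_FMT) if text else None

def format_watermark(ts):
    """Serialize a datetime the way it would be written back to last_sent."""
    return ts.strftime(TS_FMT)

def parse_login_attempts(lines):
    """Yield one dict per login attempt line; lines that are not login attempts are skipped."""
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue
        yield {"timestamp": datetime.strptime(m.group("ts"), TS_FMT),
               "src": m.group("src"), "user": m.group("user"),
               "password": m.group("password"),
               "success": m.group("result") == "succeeded"}

def new_attempts_since(lines, last_sent):
    """Return (attempts strictly newer than last_sent, new watermark).

    Entries at or before the watermark count as already sent, so a cron run
    every few hours only forwards what arrived since the previous run.
    """
    fresh = [e for e in parse_login_attempts(lines)
             if last_sent is None or e["timestamp"] > last_sent]
    watermark = max((e["timestamp"] for e in fresh), default=last_sent)
    return fresh, watermark
```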

Example output

cowrie@mypot:~/kippo-pyshield$ ./kipposhield.py -f /home/cowrie/cowrie/log/cowrie.log.2
INFO: analyzing and sending entries that occured later than 2015-11-10 11:16:46
INFO: Found 2 login attempts in the specified log source
INFO: Sending all entries to the server
response is ok

SUCCESS: Sent 101 bytes worth of data to secure.dshield.org