Tool to create OTX Pulse entries from honeypot logs
BurningDogs reads honeypot logs and determines attacking client IPs, malicious URLs, and hashes of downloaded files, and then uploads that to AlienVault OTX.
BurningDogs supports Kippo and Cowrie logfiles to detect malicious client IPs, downloaded files, and malicious URLs.
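The core of the pipeline described above, as an added Python example (not BurningDogs code, which is an F# project): parse Cowrie's JSON log lines, pull out the client IPs that attempted logins or pulled files, the download URLs and the SHA-256 hashes, and shape them into the indicator list an OTX pulse carries. The sample log lines are constructed, the Cowrie field names (eventid, src_ip, url, shasum) follow Cowrie's JSON output as assumed here, and the pulse fields and endpoint are assumed from the OTX v1 pulse API.

```python
"""Turn Cowrie JSON logs into OTX pulse indicators.
Added example, not BurningDogs code."""
import json
from collections import defaultdict

# Constructed sample lines in Cowrie's JSON log format (field names assumed).
# The last line repeats a download with a truncated hash to exercise validation.
SAMPLE_COWRIE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"a1","timestamp":"2024-05-01T00:01:02.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"123456","session":"a1","timestamp":"2024-05-01T00:01:03.000000Z"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","username":"admin","password":"admin","session":"b2","timestamp":"2024-05-01T00:02:00.000000Z"}
{"eventid":"cowrie.session.file_download","src_ip":"198.51.100.7","url":"http://malware.example/bot.sh","outfile":"dl/abc","shasum":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","session":"b2","timestamp":"2024-05-01T00:02:05.000000Z"}
not json at all
{"eventid":"cowrie.session.file_download","src_ip":"198.51.100.7","url":"http://malware.example/bot.sh","outfile":"dl/abc","shasum":"e3b0c442...","session":"b2"}
"""

# Only IPs that actually tried to authenticate or fetched a file are reported;
# a bare connect is left out so the pulse is not padded with port scanners.
INTERESTING_EVENTS = {"cowrie.login.failed", "cowrie.login.success",
                      "cowrie.session.file_download"}


def parse_cowrie(lines):
    """Yield parsed event dicts, skipping blank or non-JSON lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and "eventid" in event:
            yield event


def extract_indicators(events):
    """Return {indicator_type: sorted unique values} using OTX type names."""
    found = defaultdict(set)
    for ev in events:
        eid = ev.get("eventid")
        if eid in INTERESTING_EVENTS and ev.get("src_ip"):
            found["IPv4"].add(ev["src_ip"])
        if eid == "cowrie.session.file_download":
            if ev.get("url"):
                found["URL"].add(ev["url"])
            h = ev.get("shasum", "").lower()
            # Accept only a full 64-hex-digit SHA-256; drop truncated values.
            if len(h) == 64 and all(c in "0123456789abcdef" for c in h):
                found["FileHash-SHA256"].add(h)
    return {k: sorted(v) for k, v in found.items()}


def build_pulse(indicators, name, tlp="green"):
    """Shape indicators as an OTX pulse body (field names assumed from the v1 API)."""
    return {
        "name": name,
        "description": "Indicators harvested from a Cowrie honeypot",
        "public": False,
        "TLP": tlp,
        "tags": ["honeypot", "cowrie"],
        "indicators": [{"type": t, "indicator": v}
                       for t, values in sorted(indicators.items()) for v in values],
    }


def upload_pulse(pulse, api_key,
                 endpoint="https://otx.alienvault.com/api/v1/pulses/create"):
    """POST the pulse to OTX (endpoint and header name assumed from the OTX docs)."""
    import urllib.request
    req = urllib.request.Request(
        endpoint, data=json.dumps(pulse).encode(), method="POST",
        headers={"X-OTX-API-KEY": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import os
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_COWRIE_LOG.splitlines()
    pulse = build_pulse(extract_indicators(parse_cowrie(lines)),
                        "Cowrie honeypot indicators")
    print(json.dumps(pulse, indent=2))
    if os.environ.get("OTX_API_KEY"):   # upload only when a key is supplied
        print(upload_pulse(pulse, os.environ["OTX_API_KEY"]))
```

Run it with a Cowrie cowrie.json path as the first argument, or with no argument to process the constructed sample; the upload only happens when OTX_API_KEY is set in the environment, so the parsing and pulse shaping can be checked offline before anything reaches OTX.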
BurningDogs uses the "wwwids" logfile analyzer to detect signs of web application abuse attempts. This is based in part on the principles in the SANS paper Detecting Attacks on Web Applications from Log Files.
BurningDogs uses a custom PHP script (see the ShoppingLeague repository) to detect abuse attempts of phpMySqlAdmin. Client IPs, URLs, and files are characterized.
BurningDogs uses a custom set of PHP scripts (see the ShoppingLeague repository) to detect abuse attempts of Wordpress installations, including brute force intrusions and DDoS attempts via xmlrpc.php script abuse.
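An added example of the kind of access-log check the wwwids and Wordpress/phpMySqlAdmin detectors above perform (Python, not the project's own code or wwwids's rules): parse combined-format web server log lines and flag IPs that flood xmlrpc.php or wp-login.php with POSTs, or that probe for phpMyAdmin-style admin paths. The sample lines, the thresholds and the path patterns are constructed for this example.

```python
"""Flag web-application abuse attempts in a combined-format access log.
Added example; rules and thresholds are illustrative, not wwwids's own."""
import re
from collections import Counter

# Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one IP hammering xmlrpc.php, one probing phpMyAdmin
# install paths, one ordinary visitor, and one unparseable line.
SAMPLE_ACCESS_LOG = [
    f'203.0.113.5 - - [01/May/2024:00:00:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'
    for i in range(6)
] + [
    '198.51.100.9 - - [01/May/2024:00:01:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '198.51.100.9 - - [01/May/2024:00:01:01 +0000] "GET /pma/index.php HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '192.0.2.44 - - [01/May/2024:00:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/May/2024:00:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

# Illustrative thresholds and patterns for this example.
POST_FLOOD_THRESHOLD = 5                       # POSTs to one endpoint from one IP
FLOOD_ENDPOINTS = {"/xmlrpc.php", "/wp-login.php"}
PMA_RE = re.compile(r"phpmyadmin|/pma/|/myadmin/", re.IGNORECASE)


def parse_access_log(lines):
    """Yield one dict per parseable request line; silently skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            req = m.groupdict()
            req["status"] = int(req["status"])
            yield req


def analyze(lines):
    """Return {ip: [(rule, count), ...]} for every IP that trips a rule."""
    post_counts = Counter()   # (ip, path) -> number of POSTs
    pma_counts = Counter()    # ip -> requests to phpMyAdmin-looking paths
    for req in parse_access_log(lines):
        path = req["path"].split("?", 1)[0]   # drop the query string
        if req["method"] == "POST" and path in FLOOD_ENDPOINTS:
            post_counts[(req["ip"], path)] += 1
        if PMA_RE.search(path):
            pma_counts[req["ip"]] += 1
    findings = {}
    for (ip, path), n in post_counts.items():
        if n > POST_FLOOD_THRESHOLD:
            findings.setdefault(ip, []).append((f"POST flood to {path}", n))
    for ip, n in pma_counts.items():
        findings.setdefault(ip, []).append(("phpMyAdmin path probing", n))
    return {ip: sorted(v) for ip, v in findings.items()}


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG
    for ip, reasons in analyze(source).items():
        for rule, n in reasons:
            print(f"{ip}\t{rule}\t{n}")
```

The single POST to wp-login.php from the ordinary visitor stays below the threshold and is not reported; only IPs that cross a threshold or touch an admin-console path come out, which is the set you would want to turn into OTX IPv4 indicators.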
BurningDogs uses the Redis honeypot from NoSQLpot to detect brute force authentication abuse attempts. Client IPs and URLs are characterized.
BurningDogs uses the VNC honeypot from vnclowpot to detect brute force authentication attempts.
BurningDogs uses the PostgreSQL honeypot from pghoney to detect brute force authentication attempts.
You'll need to sign up at OTX to get an API key to upload pulses.
BurningDogs depends on FAKE to build and NewtonSoft.Json for serialization. Use Paket to manage those via the paket.dependencies file.
BurningDogs uses FAKE to manage the build; simply run fake once the dependencies are downloaded.
I run BurningDogs via cron every night near midnight.
Use the application.config file to manage paths, and you may have to edit code to address some of my local specifics (e.g. log file format).