# Honeypot Attack Analysis

This notebook analyzes data collected from our Cowrie SSH honeypot.

In [None]:
import pandas as pd
import matplotlib.pyplot as plt
import seaborn as sns
import json
from datetime import datetime
import os

# Set plot style
sns.set(style="darkgrid")

In [None]:
def load_cowrie_logs(log_path):
    """Load and parse Cowrie logs"""
    events = []
    with open(log_path, 'r') as f:
        for line in f:
            try:
                event = json.loads(line)
                events.append(event)
            except:
                continue
    return pd.DataFrame(events)

In [None]:
# Change this to your actual log path
log_path = '../log/cowrie.json'
df = load_cowrie_logs(log_path)
df.head()

In [None]:
# Analyze login attempts
login_attempts = df[df['eventid'] == 'cowrie.login.failed']

# Top usernames
plt.figure(figsize=(10, 6))
login_attempts['username'].value_counts().head(10).plot(kind='barh')
plt.title('Top 10 Attempted Usernames')
plt.xlabel('Count')
plt.tight_layout()
plt.show()

# Top passwords
plt.figure(figsize=(10, 6))
login_attempts['password'].value_counts().head(10).plot(kind='barh')
plt.title('Top 10 Attempted Passwords')
plt.xlabel('Count')
plt.tight_layout()
plt.show()

In [None]:
# Attack source analysis
plt.figure(figsize=(12, 6))
df['src_ip'].value_counts().head(15).plot(kind='bar')
plt.title('Top Attack Sources')
plt.xlabel('Source IP')
plt.ylabel('Number of Events')
plt.xticks(rotation=45)
plt.tight_layout()
plt.show()