Sunday, 1 May 2016

Counting the frequency of separate IP entries PERL

I have the following logfile and I want to output the frequency of distinct IPs that are in the file:

2016-04-29 15:08:47+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:34826 (172.17.0.2:2222) [session: c9d2f438]
2016-04-29 15:08:48+0000 [SSHService ssh-userauth on HoneyPotTransport,10,159.122.123.181] login attempt [root/password] succeeded
2016-04-29 15:08:56+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:51999 (172.17.0.2:2222) [session: 57235446]
2016-04-29 15:08:56+0000 [SSHService ssh-userauth on HoneyPotTransport,11,159.122.123.181] login attempt [root/toor] failed
2016-04-29 15:08:57+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:46466 (172.17.0.2:2222) [session: 03862a50]
2016-04-29 15:09:00+0000 [SSHService ssh-userauth on HoneyPotTransport,12,159.122.123.181] login attempt [root/unix] failed
2016-04-29 15:09:02+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:56756 (172.17.0.2:2222) [session: 9b8cd979]
2016-04-29 15:09:03+0000 [SSHService ssh-userauth on HoneyPotTransport,13,159.122.123.181] login attempt [root/test123] failed
2016-04-29 15:09:04+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:50215 (172.17.0.2:2222) [session: 2e68b87e]
2016-04-29 15:09:07+0000 [SSHService ssh-userauth on HoneyPotTransport,14,159.122.123.181] login attempt [root/toor123] failed
2016-04-29 15:09:08+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:58407 (172.17.0.2:2222) [session: f8d1d9ae]
2016-04-29 15:09:12+0000 [SSHService ssh-userauth on HoneyPotTransport,15,159.122.123.181] login attempt [shell/shell] failed
2016-04-29 15:09:13+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:48225 (172.17.0.2:2222) [session: 091fcb7e]
2016-04-29 15:09:17+0000 [SSHService ssh-userauth on HoneyPotTransport,16,159.122.123.181] login attempt [admin/root] failed
2016-04-29 15:09:18+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:35815 (172.17.0.2:2222) [session: 49ad22eb]
2016-04-29 15:09:20+0000 [SSHService ssh-userauth on HoneyPotTransport,17,159.122.123.181] login attempt [root/admin] succeeded
2016-04-29 15:09:27+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:58114 (172.17.0.2:2222) [session: e214b2c4]
2016-04-29 15:09:28+0000 [SSHService ssh-userauth on HoneyPotTransport,18,159.122.123.181] login attempt [admin/admin] succeeded
2016-04-29 15:09:35+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:45180 (172.17.0.2:2222) [session: 61c00c6c]
2016-04-29 15:09:36+0000 [SSHService ssh-userauth on HoneyPotTransport,19,159.122.123.181] login attempt [guest/guest123] failed
2016-04-29 15:09:38+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:37525 (172.17.0.2:2222) [session: d19434e3]
2016-04-29 15:09:42+0000 [SSHService ssh-userauth on HoneyPotTransport,20,159.122.123.181] login attempt [root/webmaster] failed
2016-04-29 15:09:43+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:36967 (172.17.0.2:2222) [session: de78048a]
2016-04-29 15:09:44+0000 [SSHService ssh-userauth on HoneyPotTransport,21,159.122.123.181] login attempt [admin/administrator] failed
2016-04-29 15:09:45+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:56465 (172.17.0.2:2222) [session: 58eeea98]
2016-04-29 15:09:47+0000 [SSHService ssh-userauth on HoneyPotTransport,22,159.122.123.181] login attempt [mysql/mysql] failed
2016-04-29 15:09:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:51145 (172.17.0.2:2222) [session: 905c8982]
2016-04-29 15:09:50+0000 [SSHService ssh-userauth on HoneyPotTransport,23,159.122.123.181] login attempt [root/shell] failed
2016-04-29 15:09:51+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:54406 (172.17.0.2:2222) [session: c6f21bfe]
2016-04-29 15:09:53+0000 [SSHService ssh-userauth on HoneyPotTransport,24,159.122.123.181] login attempt [guest/guest] failed
2016-04-29 15:09:55+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:58764 (172.17.0.2:2222) [session: 167d51cf]
2016-04-29 15:09:56+0000 [SSHService ssh-userauth on HoneyPotTransport,25,159.122.123.181] login attempt [root/linux] failed
2016-04-29 15:09:58+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:57158 (172.17.0.2:2222) [session: daa3fc72]
2016-04-29 15:10:01+0000 [SSHService ssh-userauth on HoneyPotTransport,26,159.122.123.181] login attempt [unix/unix] failed
2016-04-29 15:15:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:42359 (172.17.0.2:2222) [session: 930332a7]
2016-04-29 15:15:50+0000 [SSHService ssh-userauth on HoneyPotTransport,27,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 15:56:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:46055 (172.17.0.2:2222) [session: 3b8d22b5]
2016-04-29 15:56:49+0000 [SSHService ssh-userauth on HoneyPotTransport,28,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 16:11:14+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 52.28.89.99:53059 (172.17.0.2:2222) [session: a6c0fac1]
2016-04-29 16:17:42+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 13.92.114.157:1032 (172.17.0.2:2222) [session: d33e1566]
2016-04-29 19:07:10+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:45178 (172.17.0.6:2222) [session: fafec37d]
2016-04-29 19:07:10+0000 [SSHService ssh-userauth on HoneyPotTransport,0,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 19:42:58+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:56925 (172.17.0.6:2222) [session: 539960a3]
2016-04-29 19:42:58+0000 [SSHService ssh-userauth on HoneyPotTransport,1,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 20:39:03+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:54138 (172.17.0.6:2222) [session: b9f550df]
2016-04-29 20:39:03+0000 [SSHService ssh-userauth on HoneyPotTransport,2,89.248.167.131] login attempt [root/root] succeeded
2016-04-29 21:13:41+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 141.8.83.213:64400 (172.17.0.6:2222) [session: e696835c]
2016-04-29 21:13:59+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test123] failed
2016-04-29 21:14:10+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test1234] failed
2016-04-29 21:14:13+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test123] failed

This is the Perl script I have so far, kindly provided by @zdim in a previous post and tweaked a bit as shown below:

#!/usr/bin/perl

use warnings;
use strict;

my $file = "/home/tsec/prototype/logs/extractedlogs/cowrieresult.log";
open (LOG, '<', $file) or die "Cannot open $file: $!";

# Assemble results for required output in data structure:
# %rept = ( $port => { $usr => { $status => $freq } } );
my $frequency = 0;
my %rept;
my ($ip, $port);

# First pass: remember the IP/port of the most recent "New connection"
# line and tally login attempts per port/user/status.
while (my $line = <LOG>)
{
    if ($line =~ /New connection/) {
        ($ip, $port) = $line =~ /New connection:\s+([^:]+):(\d+)/;
        next;
    }

    my ($usr, $status) = $line =~ m/login\ attempt \s+ \[ ( [^\]]+ ) \] \s+ (\w+)/x;
    if ($usr and $status) {
        $rept{$port}{$usr}{$status}++;
    }
    else { warn "Line with an unexpected format:\n$line" }
}

close(LOG);

# Second pass: $ip still holds the value set by the last "New connection"
# line of the first pass; every login-attempt IP is compared against it.
open (LOG, '<', $file) or die "Cannot open $file: $!";

while (my $line = <LOG>) {
    if ($line =~ /login attempt/) {

        # split the line and take the IP from the "HoneyPotTransport,N,IP" field
        my ($testip) = (split /[\s,:\[\]\/]+/, $line)[-6];
        #print "$testip\n";
        #the two lines above print the IPs from the login attempt lines.
        if ($testip =~ /$ip/) {
            $frequency++;
        }
        else {
            # stop frequency counter and start another one?
            print "$frequency\n";
            $frequency = 0;
        }
    }
}
print "$frequency\n";
close(LOG);

Right now the output is as follows, which is working for the last three entries in the log file as the IP is seen 3 times in the end:

0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
3

What am I doing wrong? I appreciate all your help. Thank you
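The script above compares every login-attempt IP against a single scalar, `$ip`, and by the time the second loop runs that scalar holds only the address from the last "New connection" line (141.8.83.213), so only that address's three attempts are ever counted. Counting per source address needs a hash keyed by IP, which also removes the need for a second pass over the file. The following Perl is an added example, not the questioner's code or @zdim's: it tallies connections, login attempts, and the succeeded/failed split per IP in one pass. The sample lines are a subset copied from the log shown in the question; the IPv4 regex, the `%stats` layout and the column names are my own choices. On a Cowrie honeypot a "succeeded" line means the honeypot accepted the credentials, so the per-IP succeeded count is the figure a defender wants to see next to the attempt volume.

```perl
#!/usr/bin/perl
use 5.010;
use strict;
use warnings;

# Subset of the log lines from the question, embedded so the script runs
# stand-alone; pass a file name as the first argument to read a real log instead.
my @sample = (
    '2016-04-29 15:08:47+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:34826 (172.17.0.2:2222) [session: c9d2f438]',
    '2016-04-29 15:08:48+0000 [SSHService ssh-userauth on HoneyPotTransport,10,159.122.123.181] login attempt [root/password] succeeded',
    '2016-04-29 15:08:56+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 159.122.123.181:51999 (172.17.0.2:2222) [session: 57235446]',
    '2016-04-29 15:08:56+0000 [SSHService ssh-userauth on HoneyPotTransport,11,159.122.123.181] login attempt [root/toor] failed',
    '2016-04-29 15:15:48+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 89.248.167.131:42359 (172.17.0.2:2222) [session: 930332a7]',
    '2016-04-29 15:15:50+0000 [SSHService ssh-userauth on HoneyPotTransport,27,89.248.167.131] login attempt [root/root] succeeded',
    '2016-04-29 16:11:14+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 52.28.89.99:53059 (172.17.0.2:2222) [session: a6c0fac1]',
    '2016-04-29 21:13:41+0000 [cowrie.ssh.transport.HoneyPotSSHFactory] New connection: 141.8.83.213:64400 (172.17.0.6:2222) [session: e696835c]',
    '2016-04-29 21:13:59+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test123] failed',
    '2016-04-29 21:14:10+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test1234] failed',
    '2016-04-29 21:14:13+0000 [SSHService ssh-userauth on HoneyPotTransport,3,141.8.83.213] login attempt [user1/test123] failed',
);

my @lines;
if (@ARGV) {
    open(my $fh, '<', $ARGV[0]) or die "Cannot open $ARGV[0]: $!";
    @lines = <$fh>;
    close $fh;
}
else {
    @lines = @sample;
}
chomp @lines;

# Dotted-quad matcher (assumption: Cowrie logs IPv4 sources, as in the question).
my $ipv4 = qr/\d{1,3}(?:\.\d{1,3}){3}/;

# %stats{$ip} = { connections => N, attempts => N, succeeded => N,
#                 failed => N, creds => { 'user/pass' => N } }
my %stats;

for my $line (@lines) {
    # Connection lines carry the source as "IP:port" after "New connection:".
    if ($line =~ /New connection:\s+($ipv4):\d+/) {
        $stats{$1}{connections}++;
        next;
    }
    # Login lines carry the source in the "HoneyPotTransport,N,IP" field,
    # so the IP is taken from the same line instead of a remembered scalar.
    if ($line =~ /HoneyPotTransport,\d+,($ipv4)\]\s+login attempt\s+\[([^\]]+)\]\s+(succeeded|failed)/) {
        my ($ip, $cred, $status) = ($1, $2, $3);
        $stats{$ip}{attempts}++;
        $stats{$ip}{$status}++;
        $stats{$ip}{creds}{$cred}++;
        next;
    }
    warn "Unexpected line format: $line\n";
}

# Report, busiest source first; sources that only connected show 0 attempts.
printf "%-16s %5s %8s %9s %6s %8s\n",
    'IP', 'conns', 'attempts', 'succeeded', 'failed', 'distinct';
for my $ip (sort { ($stats{$b}{attempts} // 0) <=> ($stats{$a}{attempts} // 0)
                   or $a cmp $b } keys %stats) {
    my $s = $stats{$ip};
    printf "%-16s %5d %8d %9d %6d %8d\n",
        $ip,
        $s->{connections} // 0,
        $s->{attempts}    // 0,
        $s->{succeeded}   // 0,
        $s->{failed}      // 0,
        scalar keys %{ $s->{creds} // {} };
}
```

Run it with no arguments to see the counts for the embedded sample (141.8.83.213 shows 3 attempts, all failed, 2 distinct credential pairs; 52.28.89.99 shows 1 connection and 0 attempts), or with the path to `cowrieresult.log` to count the whole file. The `distinct` column is the number of different user/password pairs each source tried, which separates a scripted dictionary run from a single retried credential.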
