Awesome
BurningDogs
Tool to create OTX Pulse entries from honeypot logs
Supported honeypots
BurningDogs reads honeypot logs and determines attacking client IPs, malicious URLs, and hashes of downloaded files, and then uploads that to AlienVault OTX.
SSH honeypots
BurningDogs supports Kippo and Cowrie logfiles to detect malicious client IPs, downloaded files, and malicious URLs.
Apache
BurningDogs uses the "wwwids" logfile analyzer to detect signs of web application abuse attempts. This is based in part on the principles in the SANS paper Detecting Attacks on Web Applications from Log Files.
phpMySqlAdmin
BurningDogs uses a custom PHP scipt (see the ShoppingLeague repository) to detect abuse attempts of phpMySqlAdmin. Client IPs, URLs, and files are characterized.
Wordpot
BurningDogs uses a custom set of PHP scripts (see the ShoppingLeague repository) to detect abuse attempts of Wordpress installations, including brute force intrusions and DDoS attempts via xmlrpc.php
script abuse.
Redispot
BurningDogs uses the Redis honeypot from NoSQLpot to detect brute force authentication abuse attempts. Client IPs and URLs are characterized.
VncLowPot
BurningDogs uses the VNC honeypot from vnclowpot to detect brute force authentication attempts.
Pghoney
BurningDocs uses the PostgreSQL honeypot from pghoney to detect brute force authentication attempts.
Dependencies
You'll need to sign up at OTX to get an API key to upload pulses.
BurningDogs depends on FAKE to build and NewtonSoft.Json for serialization. Use Paket to manage those via the paket.dependencies
file.
Building
BurningDogs uses FAKE to manage the build, simply issue a fake
once dependencies are downloaded.
Running
I run BurningDogs via cron
every night near midnight.
Modifying
Use the application.config
file to manage paths, and you may have to edit code to address some of my local specifics (e.g. log file format).