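"""kippo-log-parser: parse the log files of a kippo honeypot for the interesting parts.

How to use (from the project README): copy your kippo log directory next to this
file and run the script with Python 3.  Two files are produced:

* ``output.txt`` -- the parts of the log files with successful logins;
* ``ips.txt``    -- which IP logged in how many times.

The log text is attacker-influenced (it contains whatever the intruder typed), so
it is copied verbatim into ``output.txt`` but never interpreted; the only value
derived from it, the client address, is validated as an IP address before use.
"""
import ipaddress
import os
import os.path
import sys
from collections import Counter
from pathlib import Path

# Directory holding the kippo log files, relative to the working directory.
dir_name = "log"
# When True, entries that ended with an "unknown channel" failure and entries
# without an executed command are dropped from the output.
filter_unknown = True

# Text kippo writes immediately before every "[user/password]" attempt.
LOGIN_MARKER = "login attempt "
# Credential pair this parser treats as a successful login.
SUCCESS_CREDENTIALS = "[root/123456]"
# Prefix of the "<id>,<ip>]" fragment in kippo's per-session log tag.
TRANSPORT_TAG = "HoneyPotTransport,"
# Failure text that marks a session the honeypot could not serve.
UNKNOWN_CHANNEL_ERROR = "Failure: twisted.conch.error.ConchError: (3, 'unknown channel')"


def get_all_filepaths(directory=None):
    """Return the log files below *directory*, newest first, without tty files.

    Args:
        directory: directory to scan; defaults to the module-level ``dir_name``.

    Returns:
        list[str]: string paths whose text does not contain ``"tty"``
        (presumably kippo's tty session recordings, which are not text logs),
        ordered by modification time, newest first.

    Raises:
        FileNotFoundError: if *directory* does not exist.
    """
    base = Path(dir_name if directory is None else directory)
    newest_first = sorted(base.iterdir(), key=os.path.getmtime, reverse=True)
    return [str(entry) for entry in newest_first if "tty" not in str(entry)]


def split_file(filename):
    """Read *filename* and split its text at every login-attempt marker.

    The file is decoded as latin-1 so that arbitrary bytes never raise.
    Element 0 is the text before the first marker; every later element is the
    text that followed one marker (for example ``"[user/pass] succeeded ..."``)
    up to the next marker.  The filename is printed as a progress indicator.

    Args:
        filename: path of the log file to read.

    Returns:
        list[str]: the pieces of the file around each marker.
    """
    print(filename)
    with open(filename, "r", encoding="latin-1") as handle:
        return handle.read().split(LOGIN_MARKER)


def filter_file_parts(file_parts, credentials=SUCCESS_CREDENTIALS):
    """Keep only the pieces whose first space-separated token is *credentials*.

    Args:
        file_parts: pieces as returned by :func:`split_file`.
        credentials: the ``"[user/password]"`` token that marks a login to keep.

    Returns:
        list[str]: the matching pieces, in their original order.
    """
    # Only the first token is compared, so "[root/123456]x" does not match.
    return [part for part in file_parts if part.split(" ", 1)[0] == credentials]


def get_ip(successful_login):
    """Extract the client address from the first transport tag in *successful_login*.

    kippo tags its per-session lines with ``[... HoneyPotTransport,<id>,<ip>]``;
    the first such tag after the login marker is used.
    NOTE(review): that tag presumably belongs to the same session as the login
    (the lines that follow it) -- confirm against the kippo log format before
    relying on the per-IP counts for anything beyond a rough picture.

    Args:
        successful_login: one piece returned by :func:`filter_file_parts`.

    Returns:
        str: the address exactly as written in the log.

    Raises:
        ValueError: if no transport tag follows the login, the tag is truncated,
            or the extracted token is not a syntactically valid IP address
            (protects the per-IP table from stray text in the log).
    """
    _, tag, remainder = successful_login.partition(TRANSPORT_TAG)
    if not tag:
        raise ValueError("no transport tag after login entry")
    fields = remainder.split(",", 2)
    if len(fields) < 2:
        raise ValueError("truncated transport tag after login entry")
    candidate = fields[1].split("]", 1)[0]
    try:
        ipaddress.ip_address(candidate)
    except ValueError as err:
        raise ValueError(f"transport tag does not hold an IP address: {candidate!r}") from err
    return candidate


def filter_unknown_channels(successful_logins):
    """Drop logins whose text contains the "unknown channel" failure.

    Args:
        successful_logins: pieces returned by :func:`filter_file_parts`.

    Returns:
        list[str]: the pieces without that failure text, in original order.
    """
    return [login for login in successful_logins if UNKNOWN_CHANNEL_ERROR not in login]


def filter_commands(interestning_logins):
    """Keep only the logins in which at least one command was executed.

    The parameter name keeps its original (misspelled) form so that keyword
    callers continue to work.

    Args:
        interestning_logins: pieces returned by :func:`filter_unknown_channels`.

    Returns:
        list[str]: the pieces containing ``"executing command"``, in original order.
    """
    return [login for login in interestning_logins if "executing command" in login]


def main():
    """Write ``output.txt`` (kept log pieces) and ``ips.txt`` (logins per address).

    Entries whose address cannot be parsed are still written to ``output.txt``
    but counted under the label ``"unparsed"``; the reason is reported on stderr.
    """
    all_ips = Counter()
    # Explicit UTF-8 so the latin-1-decoded log text never fails to encode
    # under a non-UTF-8 locale.
    with open("output.txt", "w", encoding="utf-8") as output_file:
        for file in get_all_filepaths():
            output_file.write("\n\n--------------------------------\n" + file + "\n--------------------------------\n\n")
            file_output = filter_file_parts(split_file(file))
            if filter_unknown:
                file_output = filter_commands(filter_unknown_channels(file_output))
            for successlogin in file_output:
                try:
                    ip = get_ip(successlogin)
                except ValueError as err:
                    print(f"{file}: {err}", file=sys.stderr)
                    ip = "unparsed"
                all_ips[ip] += 1
                output_file.write(successlogin + "\n\n-----------------------------------------------------------\n\n")

    # Most frequent address first; ties keep first-seen order.
    ranked = all_ips.most_common()
    print(dict(ranked))
    with open("ips.txt", "w", encoding="utf-8") as ips_file:
        for ip, count in ranked:
            # Address left-justified in a 20-character column, then the count.
            ips_file.write(f"{ip + ': ':<20}{count}\n")


if __name__ == '__main__':
    main()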