Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/paralax/burningdogs

Honeypot log processor to create OTX Pulse entries
https://github.com/paralax/burningdogs

fsharp honeypot honeypot-logs

Last synced: 3 months ago
JSON representation

Honeypot log processor to create OTX Pulse entries

Host: GitHub
URL: https://github.com/paralax/burningdogs
Owner: paralax
License: apache-2.0
Created: 2016-08-12T11:46:21.000Z (about 8 years ago)
Default Branch: master
Last Pushed: 2024-01-01T23:31:38.000Z (10 months ago)
Last Synced: 2024-07-17T10:57:30.983Z (4 months ago)
Topics: fsharp, honeypot, honeypot-logs
Language: F#
Size: 27.1 MB
Stars: 29
Watchers: 6
Forks: 3
Open Issues: 9
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-honeypot - **25**星

README

# BurningDogs

Tool to create OTX Pulse entries from honeypot logs

## Supported honeypots

BurningDogs reads honeypot logs and determines attacking client IPs, malicious URLs, and hashes of downloaded files, and then uploads that to [AlienVault OTX](https://otx.alienvault.com/browse/pulses/).

### SSH honeypots

BurningDogs supports Kippo and Cowrie logfiles to detect malicious client IPs, downloaded files, and malicious URLs.

### Apache

BurningDogs uses the "wwwids" logfile analyzer to detect signs of web application abuse attempts. This is based in part on the principles in the SANS paper [Detecting Attacks on Web Applications from Log Files](https://www.sans.org/reading-room/whitepapers/logging/detecting-attacks-web-applications-log-files-2074).

### phpMySqlAdmin

BurningDogs uses a custom PHP scipt (see the [ShoppingLeague repository](https://github.com/paralax/ShoppingLeague)) to detect abuse attempts of phpMySqlAdmin. Client IPs, URLs, and files are characterized.

### Wordpot

BurningDogs uses a custom set of PHP scripts (see the [ShoppingLeague repository](https://github.com/paralax/ShoppingLeague)) to detect abuse attempts of Wordpress installations, including brute force intrusions and DDoS attempts via `xmlrpc.php` script abuse.

### Redispot

BurningDogs uses the Redis honeypot from [NoSQLpot](https://github.com/torque59/nosqlpot) to detect brute force authentication abuse attempts. Client IPs and URLs are characterized.

### VncLowPot

BurningDogs uses the VNC honeypot from [vnclowpot](https://github.com/magisterquis/vnclowpot) to detect brute force authentication attempts.

### Pghoney

BurningDocs uses the PostgreSQL honeypot from [pghoney](https://github.com/betheroot/pghoney) to detect brute force authentication attempts.

# Dependencies

You'll need to [sign up at OTX](https://otx.alienvault.com/api/) to get an API key to upload pulses.

BurningDogs depends on FAKE to build and NewtonSoft.Json for serialization. Use Paket to manage those via the `paket.dependencies` file.

# Building

BurningDogs uses FAKE to manage the build, simply issue a `fake` once dependencies are downloaded.

# Running

I run BurningDogs via `cron` every night near midnight.

# Modifying

Use the `application.config` file to manage paths, and you may have to edit code to address some of my local specifics (e.g. log file format).