Last active
January 11, 2024 19:44
-
-
Save 0xExal/d289dc586498f115e3235fb8203c3c9f to your computer and use it in GitHub Desktop.
Cowrie Bulk Reporting Script for AbuseIPDB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import pymongo | |
from pymongo import MongoClient | |
import csv | |
import datetime | |
import requests | |
import json | |
# Paramètres de configuration | |
MONGO_CONN_STRING = "" | |
DATABASE_NAME = "" | |
COLLECTION_NAME = "" | |
CSV_FILE_NAME = "suspect_ips.csv" | |
# Connexion à AbuseIPDB | |
ABUSE_IPDB_ENDPOINT = "https://api.abuseipdb.com/api/v2/bulk-report" | |
ABUSE_IPDB_KEY = "" | |
# Connexion à MongoDB | |
client = MongoClient(MONGO_CONN_STRING) | |
db = client[DATABASE_NAME] | |
collection = db[COLLECTION_NAME] | |
# Calculer la date/heure actuelle moins 24 heures sous forme de chaîne | |
time_limit = (datetime.datetime.utcnow() - datetime.timedelta(days=1)).strftime("%Y-%m-%dT%H:%M:%SZ") | |
# Agrégation pour filtrer par date/heure et grouper par IP | |
pipeline = [ | |
{ | |
"$match": { # Filtrer pour ne sélectionner que les documents des dernières 24 heures | |
"timestamp": {"$gt": time_limit} | |
} | |
}, | |
{ | |
"$group": { # Grouper par IP | |
"_id": "$src_ip", | |
"first_username": {"$first": "$username"}, | |
"first_timestamp": {"$first": "$timestamp"} | |
} | |
} | |
] | |
suspect_entries = collection.aggregate(pipeline) | |
CSV_FILE_NAME = "suspect_ips.csv" | |
with open(CSV_FILE_NAME, mode='w', newline='') as file: | |
writer = csv.writer(file) | |
writer.writerow(["IP", "Categories", "Comment", "ReportDate"]) | |
for entry in suspect_entries: | |
ip = entry["_id"] | |
categories = "22" # SSH | |
comment = f"Cowrie Honeypot: Unauthorized SSH/Telnet login attempt with user {entry['first_username']} at {entry['first_timestamp']}" | |
reported_at = entry["first_timestamp"] | |
writer.writerow([ip, categories, comment, reported_at]) | |
# Envoi du fichier CSV à AbuseIPDB | |
with open(CSV_FILE_NAME, 'rb') as file: | |
files = {'csv': (CSV_FILE_NAME, file)} | |
headers = {'Accept': 'application/json', 'Key': ABUSE_IPDB_KEY} | |
response = requests.request(method='POST', url=ABUSE_IPDB_ENDPOINT, headers=headers, files=files) | |
if response.status_code == 200: | |
decodedResponse = json.loads(response.text) | |
print(json.dumps(decodedResponse, sort_keys=True, indent=4)) | |
else: | |
print(f"Échec de l'envoi du fichier. Code d'erreur : {response.status_code}") | |
print("Message du serveur :", response.text) | |
print(f"Le fichier {CSV_FILE_NAME} a été créé et envoyé à AbuseIPDB.") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment