Cowrie Bulk Reporting Script for AbuseIPDB
import csv
import datetime
import json
import os

import pymongo
from pymongo import MongoClient
import requests
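# Configuration. Secrets are read from the environment first so they do not
# have to be committed with the script; the in-file values stay as a fallback.
# (The environment variable names are chosen here, not prescribed by either service.)
MONGO_CONN_STRING = os.environ.get("MONGO_CONN_STRING", "")
DATABASE_NAME = ""
COLLECTION_NAME = ""
CSV_FILE_NAME = "suspect_ips.csv"
# AbuseIPDB bulk-report endpoint and API key
ABUSE_IPDB_ENDPOINT = "https://api.abuseipdb.com/api/v2/bulk-report"
ABUSE_IPDB_KEY = os.environ.get("ABUSEIPDB_KEY", "")
# Category sent for every row ("22" = SSH, unchanged from the original report)
ABUSE_IPDB_CATEGORIES = "22"
# Lookback window for the Mongo query (last 24 hours)
LOOKBACK = datetime.timedelta(days=1)
# Upper bound on how much of the attacker-supplied username is copied into the
# public report comment (a conservative cap chosen here, not an API limit).
MAX_USERNAME_LEN = 64
# Socket timeout for the upload so a stalled connection cannot hang the script
# forever (value chosen here).
HTTP_TIMEOUT_SECONDS = 60


def lookback_cutoff(now=None):
    """Return the ISO-8601 UTC string used as the lower bound of the query window.

    Args:
        now: timezone-aware reference time; defaults to the current UTC time.
             (datetime.utcnow() is deprecated, hence the aware form.)
    """
    current = now or datetime.datetime.now(datetime.timezone.utc)
    return (current - LOOKBACK).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_pipeline(time_limit):
    """Return the aggregation pipeline: recent events collapsed to one row per source IP.

    Args:
        time_limit: ISO-8601 string; only documents with a greater `timestamp` are kept.
    """
    return [
        # assumes `timestamp` is stored as an ISO-8601 UTC string, so a lexical
        # $gt comparison against time_limit is meaningful — confirm against the
        # collection's actual schema
        {"$match": {"timestamp": {"$gt": time_limit}}},
        # Sort before grouping so $first is deterministic (earliest event per IP);
        # without it $first depends on document scan order.
        {"$sort": {"timestamp": 1}},
        {
            "$group": {
                "_id": "$src_ip",
                "first_username": {"$first": "$username"},
                "first_timestamp": {"$first": "$timestamp"},
            }
        },
    ]


def sanitize_username(value):
    """Reduce an attacker-supplied username to a bounded, printable string.

    The value is copied verbatim into a comment that AbuseIPDB publishes, so
    control characters are dropped and the length is capped. None becomes "".
    """
    text = "" if value is None else str(value)
    printable = "".join(ch for ch in text if ch.isprintable())
    return printable[:MAX_USERNAME_LEN]


def report_row(entry):
    """Turn one aggregated document into the CSV row AbuseIPDB expects.

    Args:
        entry: dict with `_id` (source IP), `first_username`, `first_timestamp`.

    Returns:
        [ip, categories, comment, report_date]
    """
    username = sanitize_username(entry.get("first_username"))
    timestamp = entry.get("first_timestamp")
    comment = (
        "Cowrie Honeypot: Unauthorized SSH/Telnet login attempt with user "
        f"{username} at {timestamp}"
    )
    return [entry["_id"], ABUSE_IPDB_CATEGORIES, comment, timestamp]


def write_report_csv(path, entries):
    """Write the bulk-report CSV to *path*; return the number of data rows written."""
    count = 0
    with open(path, mode="w", newline="", encoding="utf-8") as fh:
        writer = csv.writer(fh)
        writer.writerow(["IP", "Categories", "Comment", "ReportDate"])
        for entry in entries:
            writer.writerow(report_row(entry))
            count += 1
    return count


def upload_report(path):
    """POST the CSV at *path* to AbuseIPDB; print the reply and return True on HTTP 200."""
    headers = {"Accept": "application/json", "Key": ABUSE_IPDB_KEY}
    with open(path, "rb") as fh:
        files = {"csv": (path, fh)}
        response = requests.post(
            ABUSE_IPDB_ENDPOINT,
            headers=headers,
            files=files,
            timeout=HTTP_TIMEOUT_SECONDS,
        )
    if response.status_code == 200:
        try:
            decoded = response.json()
        except ValueError:
            # A 200 with a non-JSON body: show it raw rather than crash.
            print(response.text)
        else:
            print(json.dumps(decoded, sort_keys=True, indent=4))
        return True
    print(f"Échec de l'envoi du fichier. Code d'erreur : {response.status_code}")
    print("Message du serveur :", response.text)
    return False


def main():
    """Collect the last 24h of Cowrie login attempts, write the CSV, upload it."""
    # Fail fast instead of sending a report that can only be rejected.
    if not ABUSE_IPDB_KEY:
        raise SystemExit("ABUSE_IPDB_KEY est vide ; définissez-la dans le script ou l'environnement.")
    with MongoClient(MONGO_CONN_STRING) as client:
        collection = client[DATABASE_NAME][COLLECTION_NAME]
        # allowDiskUse lets the $sort stage spill to disk on large collections.
        entries = collection.aggregate(build_pipeline(lookback_cutoff()), allowDiskUse=True)
        # The cursor must be consumed while the client is still open.
        row_count = write_report_csv(CSV_FILE_NAME, entries)
    if row_count == 0:
        print(f"Aucune IP suspecte sur la période ; {CSV_FILE_NAME} n'a pas été envoyé.")
        return
    # Only claim success when the upload actually succeeded.
    if upload_report(CSV_FILE_NAME):
        print(f"Le fichier {CSV_FILE_NAME} a été créé et envoyé à AbuseIPDB.")


if __name__ == "__main__":
    main()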