submissions2mysql.py

A utility script in a similar vein to submissions2csv.py: it reads Nepenthes’ logged_submissions file from stdin and dumps the information into a MySQL database table.
Initially this serves the same purpose as its CSV counterpart, importing the data into a system with powerful search and filter functionality. However, it may be more useful if you want to work with the data in more complex tools, as SQL databases make powerful back-ends and can be driven from almost any programming language. Bear in mind that the URL and hash fields in logged_submissions are written from whatever attacked the honeypot, so treat them as untrusted input when building the insert: pass them as query parameters rather than formatting them into the SQL string.
(again, apologies for formatting. I’m working on a resource repository for code and tools, hopefully available soon)
UPDATE: Code available from InfoSanity

#!/usr/bin/python
import sys
import MySQLdb
#
# Reads Nepenthes logged_submissions file from stdin and inserts one row per
# line into the MySQL "submissions" table.
#
# Expected line layout (whitespace separated), matching the field indexes used below:
#   [YYYY-MM-DDTHH:MM:SS] <source ip> -> <honeypot ip> <download url> <md5>
#
# connect to database (credentials here are a placeholder; keep the real ones in
# a config file with restricted permissions rather than in the script)
db = MySQLdb.connect(host="localhost", user="neplog", passwd="neplog123", db="nepenthes")
# create cursor
cursor = db.cursor()
# read from stdin, one log line at a time
for line in sys.stdin:
    logData = line.split()  # splits on any whitespace and drops the trailing newline
    # skip lines that do not have the six expected fields or a usable timestamp
    if len(logData) < 6 or 'T' not in logData[0]:
        sys.stderr.write("skipping malformed line: %r\n" % line)
        continue
    timestamp = logData[0].strip('[]')
    date, time = timestamp.split('T', 1)
    sourceIP = logData[1]
    sourceMalware = logData[4]
    malwareMD5 = logData[5]
    # Insert row. The URL and MD5 are attacker-supplied, so hand them to the
    # driver as query parameters; never format them into the SQL text.
    cursor.execute(
        "insert into submissions (logdate, logtime, ip, url, MD5) values (%s, %s, %s, %s, %s)",
        (date, time, sourceIP, sourceMalware, malwareMD5))
# commit once at the end so a transactional table keeps the rows
db.commit()

Database creation (I’m sure this can be improved, but it works):

CREATE TABLE `submissions` (
`logdate` date default NULL,
`logtime` time default NULL,
`ip` char(15) default NULL,
`url` varchar(64) default NULL,
`MD5` char(32) default NULL
)

Andrew Waite

2 Comments

  1. Hi Andrew, can you tell me where I put this submissions2mysql.py file in my Nepenthes directory?
    Do I need to re-configure my Nepenthes after I create the database in MySQL like you suggest?
    I was running my Nepenthes on my local server but I did not succeed in capturing malware. Even when I try to copy a malware sample onto my server, it still didn’t work. I just want to see my Nepenthes working fine capturing malware. Can you help me?

    1. Hi Sahal,
      firstly, apologies for the delay in replying, your comment got lost in my spam folder.
      The submissions2mysql.py script doesn’t need to be placed anywhere specific as it doesn’t alter the running of Nepenthes. You simply feed the logged_submissions file into submissions2mysql.py as stdin, and it should place a snapshot of the information into the MySQL database (which you need to set up manually).
      However, I’d strongly suggest replacing Nepenthes with its successor, Dionaea. A database back-end has been built in with many useful features, removing the need for any of my kludges.
      hope this helps, happy honeypotting.
