Several days of working with the raw data and a couple of intermediate scripts (CSV and MySQL) have paid off. I'm now ready to release the first version of Infosanity's Nepenthes log parser.
This utility is substantially larger than my previous two releases (although still small), so I'll not include the source code here; head to Infosanity for the submissions2stats.py file. Usage is fairly simple: pipe the logged_submissions file into stdin and let the script do its job.
Statistics are quite general at this stage, mainly overall figures compiled from the whole log file, including:
- Total number of submissions
- Number of unique malware samples (based on MD5 hashes)
- Number of unique source IPs
- Run time
- Average daily submissions
- Five most recent submissions
By default the script outputs plain text to standard out, but this can be changed to HTML with the --output=html command-line flag.
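To make the statistics above concrete, here is a small stand-in written for this page; it is not the submissions2stats.py release from Infosanity. It reads a logged_submissions file from stdin, computes the same six figures, and switches to HTML output with --output=html. The line layout it expects ([timestamp] source -> sensor url md5) is an assumption, the sample lines embedded in it are constructed rather than real sensor data, and the regex should be checked against your own log before relying on it. One point the plain-text mode can ignore but the HTML mode cannot: everything after the timestamp in a submission record is supplied by the attacking host, so the HTML renderer escapes every logged field before it lands in a page someone will open in a browser.

```python
#!/usr/bin/env python3
"""Summary statistics for a Nepenthes logged_submissions file (added example).
Assumed layout (an assumption for this example; check it against your log):
    [YYYY-MM-DDTHH:MM:SS] <source ip> -> <sensor ip> <download url> <md5>"""
import argparse
import html
import re
import sys
from collections import namedtuple
from datetime import datetime

Submission = namedtuple("Submission", "when source sensor url md5")

# Anchored pattern: a line that does not match the assumed layout is skipped
# rather than half-parsed, and the md5 field must be exactly 32 hex digits.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\]\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<md5>[0-9a-fA-F]{32})\s*$")

# Constructed sample log for the example (not real sensor data). It includes a
# malformed line and a URL carrying HTML, to exercise the skip and escape paths.
SAMPLE_LOG = """\
[2009-05-01T08:15:02] 192.0.2.10 -> 10.0.0.5 http://192.0.2.10:6667/x.exe 0123456789abcdef0123456789abcdef
[2009-05-01T09:40:11] 192.0.2.10 -> 10.0.0.5 http://192.0.2.10:6667/x.exe 0123456789abcdef0123456789abcdef
[2009-05-02T14:03:57] 198.51.100.7 -> 10.0.0.5 ftp://198.51.100.7/y.exe ffffffffffffffffffffffffffffffff
garbage line that is not a submission record
[2009-05-03T02:22:40] 203.0.113.9 -> 10.0.0.5 http://203.0.113.9/<script>alert(1)</script> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
[2009-05-04T20:00:00] 203.0.113.9 -> 10.0.0.5 tftp://203.0.113.9/z.exe bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
[2009-05-05T08:15:02] 192.0.2.10 -> 10.0.0.5 http://192.0.2.10:6667/x.exe 0123456789abcdef0123456789abcdef
"""

def parse_lines(lines):
    """Yield a Submission for each well-formed line; anything else is ignored."""
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        when = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        yield Submission(when, m.group("src"), m.group("dst"),
                         m.group("url"), m.group("md5").lower())

def compute_stats(submissions):
    """Compute the six figures listed in the post from an iterable of Submissions."""
    subs = sorted(submissions, key=lambda s: s.when)
    if not subs:
        return {"total": 0, "unique_samples": 0, "unique_sources": 0,
                "run_time_days": 0.0, "avg_daily": 0.0, "recent": []}
    days = (subs[-1].when - subs[0].when).total_seconds() / 86400
    return {
        "total": len(subs),
        "unique_samples": len({s.md5 for s in subs}),   # distinct MD5 hashes
        "unique_sources": len({s.source for s in subs}),
        "run_time_days": round(days, 2),
        # A log shorter than a day still divides by one day, so the average is
        # not inflated by a sensor that has only just been switched on.
        "avg_daily": round(len(subs) / max(days, 1.0), 2),
        "recent": subs[-5:][::-1],                      # five newest, newest first
    }

def summary_rows(stats):
    """(label, value) pairs shared by both renderers."""
    return [("Total submissions", stats["total"]),
            ("Unique samples (MD5)", stats["unique_samples"]),
            ("Unique source IPs", stats["unique_sources"]),
            ("Run time (days)", "%.2f" % stats["run_time_days"]),
            ("Average daily submissions", "%.2f" % stats["avg_daily"])]

def render_text(stats):
    out = ["%-27s %s" % (label + ":", value) for label, value in summary_rows(stats)]
    out.append("Most recent submissions:")
    out += ["  %s %s %s %s" % (s.when.isoformat(), s.source, s.url, s.md5)
            for s in stats["recent"]]
    return "\n".join(out)

def render_html(stats):
    # Every logged field is escaped: the URL (and even the IP strings) come from
    # the attacking host, so an unescaped report would let a malware distributor
    # inject markup into whoever opens the HTML.
    esc = html.escape
    out = ["<table>"]
    out += ["<tr><th>%s</th><td>%s</td></tr>" % (label, esc(str(value)))
            for label, value in summary_rows(stats)]
    out += ["<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>"
            % (esc(s.when.isoformat()), esc(s.source), esc(s.url), esc(s.md5))
            for s in stats["recent"]]
    out.append("</table>")
    return "\n".join(out)

def main(argv=None):
    ap = argparse.ArgumentParser(
        description="Summarise a Nepenthes logged_submissions file read from stdin")
    ap.add_argument("--output", choices=("text", "html"), default="text")
    args = ap.parse_args(argv)
    stats = compute_stats(parse_lines(sys.stdin))
    print(render_html(stats) if args.output == "html" else render_text(stats))

if __name__ == "__main__":
    main()
```

Run it as `python3 stats_example.py < logged_submissions` or `python3 stats_example.py --output=html < logged_submissions > report.html`. The anchored regex means a truncated or corrupted record is dropped rather than miscounted, which keeps the unique-sample and unique-source figures honest; if your Nepenthes build writes a different field order, adjust LINE_RE and the named groups together.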
I'm going to hold back releasing any example output from my own servers, as I want to generate the statistics for use in an upcoming presentation I'm giving for the local group Super Mondays. If you're free and in the area (Newcastle, UK) on May 26th, please stop by for the event and to say hi.
If you're running a Nepenthes server I'd appreciate any feedback or issues running the script. I'm still looking to flesh out the script's capabilities, so any suggestions or requests for additional features or statistics would be appreciated (contact(no-spam)[at]infosanity[dot]co[dot]uk).
— Andrew Waite
N.B. The latest versions of all Infosanity tools related to statistic generation for Nepenthes can be found here.