Following on from my work with gathering statistics from the Honeypot systems that I run I have released a limited alpha of a new script/tool that I am working on. The tool provides access to common result sets from the sqlite database, without the requirement for remembering the database architecture and entering lengthy SQL statements by hand.
Disclaimer first: the tool doesn’t do anything outrageously new, and most of the SQL queries have been borrowed from Markus’ post on SQL logging with Dionaea when the feature was first introduced. However, I have found the script makes my analysis of the honeypot logs simpler and quicker, and I’ve had a positive reaction from a limited few that have had a copy of the script before this post. Hopefully it will be of use to others.
Usage is relatively simple, as shown below:
Dionaea database query collection
Author: Andrew Waite – www.InfoSanity.co.uk
Inspiration from carnivore.it article:
/path/to/python dionaea-sqlquery.py --query #
Where # is:
1: Port Attack Frequency
2: Attacks over a day
3: Popular Malware Downloads
4: Busy Attackers
5: Popular Download Locations
6: Connections in last 24 hours
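As an added illustration of the idea behind the script (this is not the post's code nor Markus' queries), a small Python sketch that maps query numbers to canned SQL against a Dionaea-style sqlite log, so the analyst never has to recall the schema. The table and column names are an assumption taken from Dionaea's logsql module, and the database is constructed in memory with a few sample sessions.

```python
import sqlite3
import time

# Subset of Dionaea's logsql sqlite schema assumed here (the post does not
# reproduce the schema); only the columns the queries below touch.
SCHEMA = """
CREATE TABLE connections (connection INTEGER PRIMARY KEY, connection_type TEXT,
    connection_timestamp REAL, local_port INTEGER, remote_host TEXT);
CREATE TABLE downloads (download INTEGER PRIMARY KEY, connection INTEGER,
    download_url TEXT, download_md5_hash TEXT);
"""
# Numbered result sets matching three of the --query options listed in the post.
# connection_type = 'accept' keeps only inbound sessions the honeypot accepted.
QUERIES = {
    1: ("Port Attack Frequency",
        "SELECT local_port, COUNT(*) AS hits FROM connections "
        "WHERE connection_type = 'accept' GROUP BY local_port ORDER BY hits DESC"),
    3: ("Popular Malware Downloads",
        "SELECT download_md5_hash, COUNT(*) AS hits FROM downloads "
        "GROUP BY download_md5_hash ORDER BY hits DESC"),
    6: ("Connections in last 24 hours",
        "SELECT COUNT(*) FROM connections WHERE connection_type = 'accept' "
        "AND connection_timestamp > CAST(strftime('%s', 'now', '-1 day') AS INTEGER)"),
}

def run_query(conn, number):
    """Run query `number` against an open sqlite connection; return (title, rows)."""
    title, sql = QUERIES[number]
    return title, conn.execute(sql).fetchall()

def sample_db():
    """Constructed in-memory stand-in for logsql.sqlite holding a few sessions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    now = time.time()
    conn.executemany("INSERT INTO connections VALUES (NULL, ?, ?, ?, ?)", [
        ("accept", now - 10, 445, "198.51.100.7"),
        ("accept", now - 20, 445, "198.51.100.7"),
        ("accept", now - 25, 135, "203.0.113.9"),
        ("accept", now - 3 * 86400, 445, "203.0.113.9"),  # older than 24 hours
        ("connect", now - 5, 80, "192.0.2.1"),             # outbound, not an attack
    ])
    conn.executemany("INSERT INTO downloads VALUES (NULL, ?, ?, ?)", [
        (1, "http://192.0.2.1/x.exe", "a" * 32),
        (2, "http://192.0.2.1/x.exe", "a" * 32),
        (3, "ftp://192.0.2.2/y.exe", "b" * 32),
    ])
    return conn

if __name__ == "__main__":
    db = sample_db()
    for n in sorted(QUERIES):
        print(run_query(db, n))
```

Pointing `sqlite3.connect` at a real logsql.sqlite instead of `sample_db()` gives the same result sets over live honeypot data, provided the deployed schema matches the assumed columns.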
The script can be found here. There is still a good level of work to be undertaken to tidy up the output, potentially allowing for output in different formats, and I also want to add additional and more complex queries as time progresses. If you have any success, failure, comments or suggestions please let me know.
— Andrew Waite