ISC SANS has a fantastic little honeypot you can throw on a Raspberry Pi. While you can interact with the collected intel to some degree from the various dashboards on the SANS site, I wanted a bit more detail and immediate access to the logs.

Cowrie's JSON logging is a fantastic feature, providing a rich source of information you can put to various uses.

Below I will show you how I parse the logs and enrich them with GeoIP to get a better feel for who is attacking and from where.

cat cowrie.json* | jq -r 'select(.src_ip != null) | .src_ip' | sort | uniq -c | sort -nr | head -n 100 | while read count ip; do echo "$count $ip"; geoiplookup "$ip"; done

#=> parses all Cowrie (SSH/Telnet) JSON logs, pulls out each source IP address, counts how often each one appears, keeps the top 100 and runs each address through geoiplookup. The select() drops events that carry no src_ip (jq would otherwise emit the string "null" and it would be counted too), and the while loop passes only the address to geoiplookup rather than the whole "count ip" line.

This is performed from the cowrie logs directory which might not be in the most obvious of places:

cd /srv/cowrie/var/log/cowrie

If you have not installed GeoIP, you will need to do so for this all to work as expected (the geoip-bin package provides the geoiplookup command used above):

sudo apt install geoip-bin

Sample Output

435 106.124.137.130 (times seen in logs | IP address)
GeoIP Country Edition: CN, China (Country)
GeoIP City Edition, Rev 1: CN, 30, Guangdong, Guangzhou, N/A, 23.116699, 113.250000, 0, 0
GeoIP ASNum Edition: AS4134 Chinanet (ASN)
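The same pipeline in Python, as an added example that is not part of the original post: it counts src_ip over Cowrie JSON lines (skipping malformed lines and events without src_ip), parses the geoiplookup text format shown in the sample output above into named fields, and only calls the real geoiplookup when geoip-bin is installed. The log lines and the geoiplookup output embedded in the block are constructed samples using documentation address ranges, not real attackers.

```python
import json
import shutil
import subprocess
from collections import Counter

# Constructed Cowrie JSON log lines (one object per line); the last line is deliberately malformed.
SAMPLE_LOG = """{"eventid":"cowrie.session.connect","src_ip":"203.0.113.5"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","username":"root","password":"123456"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7"}
this line is not JSON and must be skipped
"""
SAMPLE_GEOIP = """GeoIP Country Edition: CN, China
GeoIP City Edition, Rev 1: CN, 30, Guangdong, Guangzhou, N/A, 23.116699, 113.250000, 0, 0
GeoIP ASNum Edition: AS4134 Chinanet
"""  # constructed geoiplookup output, in the format the geoip-bin package prints

def count_src_ips(lines):
    """Like `jq -r .src_ip | sort | uniq -c | sort -nr`, but skips bad lines and events without src_ip."""
    counts = Counter()
    for line in lines:
        try:
            ip = json.loads(line).get("src_ip")
        except (json.JSONDecodeError, AttributeError):
            continue  # malformed line, or a JSON value that is not an object
        if ip:
            counts[ip] += 1
    return counts.most_common()  # [(ip, count), ...], highest count first

def parse_geoiplookup(text):
    """Turn geoiplookup's text output into a dict; 'IP Address not found' lines are skipped."""
    info = {}
    for line in text.splitlines():
        edition, _, rest = map(str.strip, line.partition(":"))
        if "not found" in rest:
            continue
        if edition.startswith("GeoIP Country Edition"):
            info["country_code"], _, info["country"] = rest.partition(", ")
        elif edition.startswith("GeoIP City Edition"):
            fields = [f.strip() for f in rest.split(",")]
            info["region"], info["city"] = fields[2], fields[3]
        elif edition.startswith("GeoIP ASNum Edition"):
            info["asn"], _, info["org"] = rest.partition(" ")
    return info
def lookup(ip):  # run the real geoiplookup; returns {} when geoip-bin is not installed
    if shutil.which("geoiplookup") is None:
        return {}
    return parse_geoiplookup(subprocess.run(["geoiplookup", ip], capture_output=True, text=True).stdout)
if __name__ == "__main__":
    for ip, n in count_src_ips(SAMPLE_LOG.splitlines())[:100]:
        print(n, ip, lookup(ip))
```

Point count_src_ips at the lines of your real cowrie.json* files to reproduce the shell pipeline with structured output instead of free text.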