DShield Honeypot Tricks 1
The SANS Internet Storm Center (ISC) has a fantastic little honeypot you can throw on a Raspberry Pi. While you can interact with the collected intel to some degree from the various dashboards on the SANS site, I wanted a bit more detail and immediate access to the logs. The SSH and Telnet part of the DShield honeypot is Cowrie, and Cowrie is what writes the logs used here.
Cowrie's JSON logging is a fantastic feature: every event is written as one JSON object per line, with fields such as eventid, src_ip, session and timestamp, which makes it a rich source of information you can put to various uses.
Below I will show you how I parse the logs and enrich them with GeoIP (country, city and ASN lookups) to get a better feel for who is attacking and from where.
This is performed from the Cowrie log directory, which might not be in the most obvious of places:
If you have not installed GeoIP, you will need to do so for this all to work as expected (the geoiplookup tool plus its country, city and ASN databases; note that the output below is the legacy GeoIP database format, and MaxMind no longer distributes the free legacy GeoLite editions, so on a fresh system you may have to use the GeoLite2 .mmdb databases with a reader such as mmdblookup, whose output is laid out differently):
Sample Output
435 106.124.137.130 (times seen in logs | IP address)
GeoIP Country Edition: CN, China (Country)
GeoIP City Edition, Rev 1: CN, 30, Guangdong, Guangzhou, N/A, 23.116699, 113.250000, 0, 0 (City: country, region code, region, city, postal code, latitude, longitude, metro code, area code)
GeoIP ASNum Edition: AS4134 Chinanet (ASN)
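The parse-count-enrich pipeline described above, written out as a small script. This is an added example, not the post's own commands (which are not reproduced on this page); it assumes Cowrie's standard JSON fields (eventid, src_ip, session, timestamp) and the legacy geoiplookup binary whose output the sample above shows, and the log lines embedded in it are constructed, not real captures. Two points a practitioner will want that a one-liner does not give: truncated or garbled lines (a log still being written) are skipped instead of aborting the run, and src_ip is validated as an address before it is handed to a subprocess, since the log content is attacker-influenced.

```python
"""Count Cowrie JSON events per source IP and enrich the top talkers with GeoIP.
Added example for this post; not the author's script and not part of Cowrie or DShield."""
import fileinput
import ipaddress
import json
import shutil
import subprocess
import sys
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional

# Constructed Cowrie-style JSON lines (not real capture data). Cowrie writes one
# JSON object per line; the last line simulates a record cut off mid-write.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "106.124.137.130", "src_port": 52108, "dst_ip": "10.0.0.5", "dst_port": 2222, "session": "a1b2c3d4e5f6", "protocol": "ssh", "timestamp": "2019-03-01T10:00:00.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "106.124.137.130", "session": "a1b2c3d4e5f6", "username": "root", "password": "123456", "timestamp": "2019-03-01T10:00:01.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.10", "src_port": 40001, "dst_ip": "10.0.0.5", "dst_port": 2222, "session": "0f0f0f0f0f0f", "protocol": "ssh", "timestamp": "2019-03-01T10:05:00.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "106.124.137.130", "src_port": 52200, "dst_ip": "10.0.0.5", "dst_port": 2222, "session": "b2c3d4e5f6a1", "protocol": "ssh", "timestamp": "2019-03-01T10:07:00.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "session": "0f0f0f0f0f0f", "username": "pi", "password": "raspberry", "timestamp": "2019-03-01T10:05:02.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "not-an-ip; rm -rf /", "session": "deadbeef0000", "timestamp": "2019-03-01T10:09:00.000000Z"}
{"eventid": "cowrie.session.closed", "src_ip": "192.0.2.10"
"""


def parse_cowrie(lines: Iterable[str]) -> List[Dict]:
    """Parse one JSON object per line. Blank or truncated lines are skipped
    rather than aborting the whole run: a log still being written may end
    mid-record, and one bad line should not hide the other events."""
    records: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records


def count_sources(records: Iterable[Dict], eventid: Optional[str] = None) -> Counter:
    """Count records per src_ip ("times seen in logs"). Pass an eventid such as
    'cowrie.session.connect' to count connections instead of every event.
    A src_ip that is not a valid IP address is dropped: the value comes from
    attacker-influenced data and is later passed to an external tool."""
    counts: Counter = Counter()
    for rec in records:
        if eventid is not None and rec.get("eventid") != eventid:
            continue
        ip = rec.get("src_ip")
        try:
            ipaddress.ip_address(ip)
        except (TypeError, ValueError):
            continue
        counts[ip] += 1
    return counts


def geoiplookup(ip: str) -> str:
    """Run the legacy geoiplookup binary on one address and return its output
    (country, city and ASN lines when those databases are installed). argv
    form with no shell, so the address is never interpreted by a shell.
    Returns a marker string if the tool is not installed."""
    if shutil.which("geoiplookup") is None:
        return "geoiplookup: not installed"
    proc = subprocess.run(["geoiplookup", ip], capture_output=True, text=True, check=False)
    return proc.stdout.strip() or proc.stderr.strip()


def report(counts: Counter, top: int = 10,
           lookup: Callable[[str], str] = geoiplookup) -> List[str]:
    """Build the report: a 'count ip' line for each of the most active sources,
    followed by that source's GeoIP lines (same layout as the sample output)."""
    out: List[str] = []
    for ip, n in counts.most_common(top):
        out.append(f"{n} {ip}")
        out.extend(lookup(ip).splitlines())
    return out


if __name__ == "__main__":
    # Usage: python3 cowrie_geo.py cowrie.json cowrie.json.2019-03-01 ...
    # With no arguments the constructed sample above is used.
    source = fileinput.input(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    counts = count_sources(parse_cowrie(source))
    print("\n".join(report(counts)))
```

Run it against the rotated cowrie.json files in the log directory to get the same "count, IP, GeoIP lines" layout as the sample output; pass eventid="cowrie.session.connect" to count_sources if you want one hit per connection rather than one per logged event.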