Dionaea蜜罐IP数据地图可视化

Dionaea, HoneyPot

#关于如何简单搭建Dionaea低交互式蜜罐,详见博文
#前言.
 以我在洛杉矶租用某台VPS上搭建的Dionaea蜜罐,在5.26晚23.58至5.28日17.10时间段(41h)捕获到的所有扫描和攻击数据为例:
 开放脆弱服务、端口:

1
2
3
4
5
6
7
8
9
10
11
12
Blackhole  -123
Memcache   -11211
SipSession  -5060
epmapper     -135
httpd        -80
mongod       -27017
mqttd        -1883
mssqld       -1433
mysqld       -3306
pptpd        -1723
smbd         -445
upnpd        -1900

1. 剪裁数据

1
tree -a /opt/dionaea/var/dionaea/bistream > attack.txt #tree命令导出所有数据流记录

 生成的attack.txt文件手工去除几个日期列,剪裁至形式(ps.notepad++编辑器,Alt+鼠标选择整列):

1
Blackhole-123-101.100.146.*-DldOYS

 使用脚本split_to_ipaddr.py。为保证同一ip频数,结果未去重:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
#Used To Split Logging File To IpAddress File.
#Just Run: ./split_to_ipaddr.py Or python split_to_ipaddr.py.
#Blog: http://www.cnblogs.com/khani0cc/

def split_to_ipaddr():
    iF = open('attack.txt','r')
    oF = open('ipaddr.txt','w')
    lines = iF.readlines()
    for line in lines:
        ipaddr = line.split('-')[2]
        print ipaddr
        oF.writelines(ipaddr)
        oF.writelines('\n')
    iF.close()
    oF.close()

def main():
    try:
        split_to_ipaddr()
        print "Attack File Split Successful!"
        exit(0)
    except Exception, e:
        print e
        exit(0)

if __name__ == '__main__':
    main()

 执行后生成仅包含逐行ip地址的文件ipaddr.txt。

2. 生成ip地址地图分布
PyGeoIpMap
  Requirement:Python3,numpy,matplotlib,Basemap,pygeoip
  a.关于Windows上WinPython-32bit-3.5.3安装basemap:
   pyproj‑1.9.5.1‑cp35‑cp35m‑win32.whl
   basemap‑1.1.0‑cp35‑cp35m‑win32.whl
  b.Windows CMD输出默认不支持UTF-8编码,对于诸如 “region_name”:”ÃŽle-de-France” 字符会报错
因此需要先改变CMD编码

1
chcp 65001

 然后执行脚本pygeoipmap.py

 脚本开始向https://freegeoip.net发送ip地理位置请求,返回

1
2
3
4
{"ip":"195.154.51.23",  "country_code":"FR","country_name":"France","region_code":"IDF",  
"region_name":"ÃŽle-de-France",  
"city":"LaNorville","zip_code":"91290",  "time_zone":"Europe/Paris","latitude":48.5824,  
"longitude":2.2618,"metro_code":0}

 并以

1
print("{ip}, {region_name}, {country_name}, {latitude}, {longitude}"

 的形式逐条输出ip地址对应地区、国家和经纬度信息.
 运行完毕会调用matplotlib自动生成一张output.png图片

愈鲜红的点说明该ip连接蜜罐次数越多

3.后言
 Py3的basemap模块在linux和Win下都很难安装,而通过WinPython3+lfd的非官方whl能顺利完成。
 参考链接:

  PyGeoIpMap:https://github.com/pierrrrrrre/PyGeoIpMap
  Unicode characters in Windows command line - how?:   https://stackoverflow.com/questions/388490/unicode-characters-in-windows-command-line-how/388500#388500