Created
February 10, 2015 10:49
Download the RSS log from the @Malwared_ honeypot, process it and output a CSV
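#!/usr/bin/python
"""Fetch the SSH honeypot RSS feed, geolocate each source IP, write a CSV.

Each feed entry's description is taken as the source IP address. It is
looked up in the MaxMind legacy ASN and city databases and one row is
written per address:

    ip, country_code, country_name, org, city, longitude, latitude

Fields with no database match are left empty.
"""
import os
import re
import feedparser
import GeoIP
import csv

# assume that maxmind .dat files are in the same directory
# otherwise change the path
gi = GeoIP.open("GeoIP.dat", GeoIP.GEOIP_STANDARD)  # opened but not queried below
giCity = GeoIP.open("GeoLiteCity.dat", GeoIP.GEOIP_STANDARD)
giASN = GeoIP.open('GeoIPASNum.dat', GeoIP.GEOIP_STANDARD)
# use UNICODE
gi.set_charset(GeoIP.GEOIP_CHARSET_UTF8)
giCity.set_charset(GeoIP.GEOIP_CHARSET_UTF8)
giASN.set_charset(GeoIP.GEOIP_CHARSET_UTF8)

# ASCII digits only, so a value that passes is safe to hand to the lookups
# and to the csv writer without any further escaping.
_DOTTED_QUAD = re.compile(r'(?:[0-9]{1,3}\.){3}[0-9]{1,3}\Z')


def _is_ipv4(text):
    """Return True when text is a dotted-quad IPv4 address with octets 0-255."""
    if not _DOTTED_QUAD.match(text):
        return False
    return all(int(octet) <= 255 for octet in text.split('.'))


# Get the data from the RSS feed.
# The feed is fetched over plain HTTP, so its content is neither authenticated
# nor integrity-protected: treat every entry as untrusted input.
d = feedparser.parse('http://malwared.malwaremustdie.org/rss_ssh.php')

# Write down to a csv so we can load with R.
# 'wb' is the mode the Python 2 csv module expects; under Python 3 this would
# need text mode with newline='' instead.
with open('sshlog.csv', 'wb') as csvfile:
    writer = csv.writer(csvfile, quotechar='\'')
    for post in d.entries:
        ip = post.description.strip()
        # Skip anything that is not a bare IPv4 address rather than passing
        # arbitrary feed text to the GeoIP lookups and into the output file.
        if not _is_ipv4(ip):
            continue

        # None when the ASN database has no match; csv writes it as empty.
        org = giASN.org_by_addr(ip)

        # Reset the location fields for every address. Without this, a failed
        # city lookup would reuse the previous row's values (or raise
        # NameError on the first entry) and misattribute the address.
        city = longitude = latitude = country = ccode = None
        gir = giCity.record_by_addr(ip)
        if gir is not None:
            city = gir['city']
            longitude = gir['longitude']
            latitude = gir['latitude']
            country = gir['country_name']
            ccode = gir['country_code']

        writer.writerow([ip, ccode, country, org, city, longitude, latitude])
# no explicit close(): the with-block has already closed the file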