from py2neo import database
from inspect import getmembers, isfunction
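def no_query_ips(neo):
    """Print the ten credentials used by the most source IPs, plus every IP that used each.

    Two-stage Cypher query: rank ``Credentials`` nodes by the number of ``IP``
    nodes attached through ``USED``, keep the top ten, then re-expand those
    credentials to every IP that used them.  Each result record is printed
    as-is (whatever ``str(record)`` gives for the driver's record type);
    nothing is returned.

    The query text is a fixed literal with no caller-controlled parts, so
    there is no injection surface in this function.

    Args:
        neo: a py2neo graph/database object exposing ``run(cypher)``.
    """
    query = """
    MATCH (cred:Credentials)<-[:USED]-(ip:IP)
    WITH cred, count(ip) AS count
    order by count desc
    limit 10
    match (cred:Credentials)<-[:USED]-(ip:IP)
    RETURN cred, ip
    """
    for record in neo.run(query):
        # Single-argument print(...) is valid on both Python 2 and 3
        # (the file already uses this form in run_tags).
        print(record)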
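def count_by_ip(neo, typ):
    """Print, for every node with label ``typ``, how many ``IP`` nodes reach it (busiest first).

    ``typ`` is spliced into the Cypher text as a node label.  Neo4j does not
    allow labels to be passed as query parameters, so the value is
    backtick-quoted, with any embedded backtick doubled (Neo4j's identifier
    escaping), so that an unexpected value cannot be parsed as Cypher.
    Each output line is ``<count, right-aligned width 6 with thousands
    separators>\\t<node.label>``.

    Args:
        neo: a py2neo graph/database object exposing ``run(cypher)``.
        typ: node label to aggregate over, e.g. ``'File'`` or ``'OTXtag'``.

    Raises:
        AttributeError: if ``typ`` is not a string.
    """
    label = '`' + typ.replace('`', '``') + '`'
    # NOTE: ``<-[*]-`` is an unbounded variable-length path and can be very
    # expensive on a large graph; kept as-is to preserve the original results.
    q = ('match (_:{})<-[*]-(ip:IP) WITH _, count(ip) as count '
         'order by count desc return _.label, count').format(label)
    for row in neo.run(q):
        print('{:>6,}\t{}'.format(row['count'], row['_.label']))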
def rel_summary(neo):
    """Yield ``(relationship_type, distinct_ip_count)`` pairs, most common first.

    For every relationship type whose source is an ``IP`` node, counts how many
    distinct IPs carry at least one relationship of that type.  This is a
    generator: the query is not issued until iteration starts.

    Args:
        neo: a py2neo graph/database object exposing ``run(cypher)``.
    """
    cypher = ('match () <-[r]-(ip:IP) with type(r) as r, count(distinct ip) as count '
              'order by count desc return r, count')
    for record in neo.run(cypher):
        yield record['r'], record['count']
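def event_count_with_rel(neo, rel):
    """Return the summed ``event_count`` of all distinct IPs that have a ``rel`` relationship.

    ``rel`` is spliced into the Cypher text as a relationship type, which
    cannot be a query parameter.  It is therefore backtick-quoted with any
    embedded backtick doubled (Neo4j identifier escaping) so a value taken
    from the database or a caller cannot alter the query structure.

    Args:
        neo: a py2neo graph/database object exposing ``run(cypher)``.
        rel: relationship type name, e.g. ``'USED'``.

    Returns:
        The ``events`` column of the first result row, or ``None`` when the
        query returns no rows (the aggregate normally yields exactly one row).

    Raises:
        AttributeError: if ``rel`` is not a string.
    """
    rel_type = '`' + rel.replace('`', '``') + '`'
    q = ('MATCH () <-[r:{}]-(ip:IP) WITH distinct ip '
         'WITH sum(ip.event_count) as events return events').format(rel_type)
    for row in neo.run(q):
        return row['events']
    return None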
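def count_twohops(neo, endpoint):
    """Count IPs whose credentials are also linked to a ``KnownVirus``, and their total events.

    Matches ``IP -USED- Credentials -USEDBY- KnownVirus`` (two hops from the
    IP), de-duplicates the IPs and aggregates ``sum(ip.event_count)`` and
    ``count(ip)``.  The original version assembled this query but never
    executed it (and so always returned ``None``); it now runs the query and
    returns the aggregate row.

    Args:
        neo: a py2neo graph/database object exposing ``run(cypher)``.
        endpoint: accepted for interface compatibility but not used by the
            query.  TODO(review): presumably intended to replace the
            hard-coded ``KnownVirus`` label -- confirm before wiring it in.

    Returns:
        ``(count, ips)`` from the first result row, or ``None`` if the query
        yields no rows.
    """
    q = """
    MATCH (ip:IP) -[:USED] - (cred:Credentials) - [:USEDBY] - (virus:KnownVirus)
    WITH distinct ip
    WITH sum(ip.event_count) as count, count(ip) as ips
    RETURN count, ips
    """
    for row in neo.run(q):
        return row['count'], row['ips']
    return None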
# Shared MATCH prefix for the ``query_*`` Mirai snippets below: an IP that
# DOWNLOADED a File node which is IDENTIFIEDAS a Mirai variant (per the
# docstrings of the functions that append to this string).
# NOTE(review): in Cypher, a backtick-quoted name inside ``( )`` is a
# *variable*, not a label (a label would be ``:Mirai``), so as written this
# pattern binds any node reachable over IDENTIFIEDAS -- confirm against the
# graph schema that this is the intended filter.
MIRAI_DOWNLOADS = 'MATCH (ip:IP) - [:DOWNLOADED] - (hash:File) - [:IDENTIFIEDAS] - (`Mirai`)'
def query_count_hosts_with_mirai_downloads():
    """
    Snippet 1 - Count the number of hosts that downloaded files, where the file hash matched a Mirai variant from Virus Total
    Also count the number of total events these hosts represent

    Returns the Cypher text only; ``exec_queries`` discovers this function by
    its ``query_`` prefix, runs the query and prints the rows.
    """
    aggregate = """
    WITH distinct ip
    WITH sum(ip.event_count) as count, count(ip) as ips
    RETURN count, ips
    """
    return MIRAI_DOWNLOADS + aggregate
def query_duration_summary_hosts_with_mirai_downloads():
    """
    Snippet 2 - Summary of the duration of contact for those hosts that downloaded files,
    where the file hash matched a Mirai variant from Virus Total

    Returns the Cypher text only; ``exec_queries`` discovers this function by
    its ``query_`` prefix, runs the query and prints one row per IP, ordered
    by mean session duration ascending.
    """
    projection = """
    WITH distinct ip
    order by ip.duration_mean asc
    RETURN ip.name, ip.connections, ip.seen_span_seconds,
    ip.duration_mean, ip.duration_stddev
    """
    return MIRAI_DOWNLOADS + projection
def run_tags(neo):
    """Print one ``<rel> <distinct ip count> <event total>`` line per relationship type.

    Walks ``rel_summary`` and, for every relationship type, issues one extra
    query through ``event_count_with_rel`` to get the summed ``event_count``
    of the IPs carrying that relationship.  Discovered by ``exec_queries``
    via its ``run_`` prefix.

    Args:
        neo: a py2neo graph/database object exposing ``run(cypher)``.
    """
    for rel_type, ip_count in rel_summary(neo):
        events = event_count_with_rel(neo, rel_type)
        print('{} {} {}'.format(rel_type, ip_count, events))
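def exec_queries(obj, neo):
    """Run every ``query_*`` and ``run_*`` function found on ``obj`` (normally this module).

    Members are visited in ``inspect.getmembers`` order (sorted by name) and
    only plain functions are considered.  A ``query_*`` function is called
    with no arguments and must return a Cypher string; its docstring (if any)
    is printed, the query is executed, and the rows are printed as a
    tab-separated table (header from the first row's keys, then one line per
    row, values via ``str``) followed by a ``--`` separator.  A ``run_*``
    function is called as ``func(neo)`` and does its own output.

    A query that returns no rows now prints just its docstring and the
    separator instead of raising ``IndexError`` on ``results[0]``.

    Args:
        obj: object whose function attributes are discovered, e.g. a module.
        neo: a py2neo graph/database object exposing ``run(cypher)``.
    """
    for name, func in getmembers(obj):
        if not isfunction(func):
            continue
        if name.startswith('query_'):
            doc = getattr(func, '__doc__', None)
            if doc:
                print('')
                print(doc)
            # Materialise the cursor so the header can be taken from the
            # first row before the rows themselves are printed.
            results = list(neo.run(func()))
            if results:
                print('\t'.join(results[0].keys()))
                for row in results:
                    print('\t'.join([str(value) for value in row.values()]))
            print('\n\n--\n')
        elif name.startswith('run_'):
            func(neo)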