thomaspatzke/Log4Pot

Attempt to run Log4pot

josephKhoury95 opened this issue · 5 comments

Hello,

I am trying to run log4pot.py without any dependencies, as mentioned in the Readme, as follows: python log4pot.py -p 8080

I am getting a syntax error on line 96: if (m := ).
This is invalid syntax; also, what is the m variable?

Please note that I tried replacing it with if (m==), and I got an error that m is not defined.

Any help please on this?
Thank you

The := operator was introduced in newer Python versions. It evaluates the expression and directly assigns the result to the variable, here m. You have to use a recent version of the Python interpreter.

Thank you for the info.

I have a different concern: log4pot-loganalyzer.py is generating the output below:

Loaded 29 events
Wrote 0 raw exploits.
Wrote 0 deobfuscated exploits.
Wrote deobfuscation_summary with 0 items.
Traceback (most recent call last):
  File "log4pot-loganalyzer.py", line 87, in <module>
    df = loganalyzer.payload_url_summary(url_allowlist, url_denylist)
  File "/home/ubuntu/Log4Pot/log4pot/loganalyzer.py", line 126, in payload_url_summary
    df = df[df["url"].str.match(pattern, False)]
  File "/home/ubuntu/.local/lib/python3.8/site-packages/pandas/core/generic.py", line 5487, in __getattr__
    return object.__getattribute__(self, name)
  File "/home/ubuntu/.local/lib/python3.8/site-packages/pandas/core/accessor.py", line 181, in __get__
    accessor_obj = self._accessor(obj)
  File "/home/ubuntu/.local/lib/python3.8/site-packages/pandas/core/strings/accessor.py", line 168, in __init__
    self._inferred_dtype = self._validate(data)
  File "/home/ubuntu/.local/lib/python3.8/site-packages/pandas/core/strings/accessor.py", line 225, in _validate
    raise AttributeError("Can only use .str accessor with string values!")
AttributeError: Can only use .str accessor with string values!

A kind recommendation: I fixed the issue by replacing
df = df[df["url"].str.match(pattern, False)]
with
df = df[df["url"].astype(str).str.match(pattern, False)]
in "Log4Pot/log4pot/loganalyzer.py", line 126.

Hello @thomaspatzke,
Using Log4Pot, I am able to record multiple events (~17,000 events) in a period of approximately 2 hours. However, when running log4pot-loganalyzer.py I am getting 0 raw exploits, 0 deobfuscated exploits, and 0 payload URLs. Is there anything wrong that I am doing? Are you able to detect better results/exploits?

I am doing the below:

  • Redirecting several ports (15 different ports) to port 8080 using: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport XXXXX -j REDIRECT --to-port 8080
  • Running log4pot as follows: python3 log4pot-server.py -p 8080 -P -dd downloads/
  • Running the log4pot log analyzer as follows: python3 log4pot-loganalyzer.py -o ./ log4pot.log

Hi! I think the time frame was a bit short. It's normal to have several hours without any Log4Shell exploitation attempt. 17k events sounds reasonable; this should be the normal internet noise.

Thank you @thomaspatzke for the feedback.