
Login attempts from various honeypots included. Fixes #470 #911

Merged
regulartim merged 2 commits into intelowlproject:develop from rootp1:fix/issue-470
Mar 2, 2026

Conversation

Contributor

@rootp1 rootp1 commented Mar 1, 2026

Description

Previously, login attempts were only counted for two honeypots: Cowrie (via specific event IDs in session processing) and Heralding (via a hardcoded name check). All other honeypots, such as Mailoney, Dionaea, CitrixHoneypot, Sentrypeer, Glutton, etc., had their login attempts silently ignored.

The fix replaces the Heralding-specific hardcode in iocs_from_hits() with a generic field-based check: a hit is counted as a login attempt if the Elasticsearch document contains a non-empty username or password field. Since T-Pot's logstash pipeline normalizes credentials to these standard fields across all honeypots, this covers every current and future credential-capturing honeypot automatically without needing to enumerate them by name.

The redundant session_record.source.login_attempts += 1 in Cowrie's _process_session_hit() was also removed to prevent double-counting, since Cowrie only populates username/password fields on cowrie.login.failed and cowrie.login.success events, exactly matching what the session-level increment was counting before.

Related issues

Closes #470

Type of change

  • Bug fix (non-breaking change which fixes an issue).
  • New feature (non-breaking change which adds functionality).
  • Breaking change (fix or feature that would cause existing functionality to not work as expected).
  • Chore (refactoring, dependency updates, CI/CD changes, code cleanup, docs-only changes).

Checklist

Please complete this checklist carefully. It helps guide your contribution and lets maintainers verify that all requirements are met.

Formalities

  • I have read and understood the rules about how to Contribute to this project.
  • I chose an appropriate title for the pull request in the form: <feature name>. Closes #999
  • My branch is based on develop.
  • The pull request is for the branch develop.
  • I have reviewed and verified any LLM-generated code included in this PR.

Docs and tests

  • I documented my code changes with docstrings and/or comments.
  • I have checked if my changes affect user-facing behavior that is described in the docs. If so, I also created a pull request in the docs repository.
  • Linter (Ruff) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
  • I have added tests for the feature/bug I solved.
  • All the tests gave 0 errors.

GUI changes

Ignore this section if you did not make any changes to the GUI.

  • I have provided a screenshot of the result in the PR.
  • I have created new frontend tests for the new component or updated existing ones.

Review process

  • We encourage you to create a draft PR first, even when your changes are incomplete. This way you refine your code while we can track your progress and actively review and help.
  • If you think your draft PR is ready to be reviewed by the maintainers, click the corresponding button. Your draft PR will become a real PR.
  • If your changes decrease the overall tests coverage (you will know after the Codecov CI job is done), you should add the required tests to fix the problem.
  • Every time you make changes to the PR and you think the work is done, you should explicitly ask for a review. After receiving a "change request", address the feedback and click "request re-review" next to the reviewer's profile picture at the top right.
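The credential-based counting the description explains, as an added example that is not GreedyBear's own code: a handful of constructed T-Pot style hits from several honeypots are run through the old Heralding-only rule from iocs_from_hits(), the new "non-empty username or password" rule, and a single-pass per-IP accumulation of the kind a reviewer might prefer over a separate pass. The field names src_ip, dest_port and eventid, the helper names, and every sample value are assumptions made for this illustration; only the username/password convention comes from the PR.

```python
# Added example, not code from GreedyBear. Field names other than
# "username"/"password" (src_ip, dest_port, eventid, type) are assumptions.
from collections import defaultdict

# Constructed sample hits. Values are made up; the IPs are documentation ranges.
SAMPLE_HITS = [
    {"type": "Cowrie", "src_ip": "203.0.113.10", "eventid": "cowrie.session.connect", "dest_port": 22},
    {"type": "Cowrie", "src_ip": "203.0.113.10", "eventid": "cowrie.login.failed",
     "username": "root", "password": "123456", "dest_port": 22},
    {"type": "Cowrie", "src_ip": "203.0.113.10", "eventid": "cowrie.login.success",
     "username": "admin", "password": "admin", "dest_port": 22},
    {"type": "Heralding", "src_ip": "198.51.100.7", "username": "test", "password": "", "dest_port": 21},
    {"type": "Heralding", "src_ip": "198.51.100.7", "dest_port": 21},  # connection, no credentials
    {"type": "Mailoney", "src_ip": "198.51.100.7", "username": "user@example.test",
     "password": "hunter2", "dest_port": 25},
    {"type": "Dionaea", "src_ip": "192.0.2.5", "username": "", "password": "", "dest_port": 445},  # empty: not an attempt
]


def has_credentials(hit):
    """A hit is a login attempt iff username or password is present and non-empty."""
    return bool(hit.get("username") or hit.get("password"))


def login_attempts_old(hits):
    """Pre-fix rule from iocs_from_hits(): every hit counts when the first hit is
    Heralding, nothing counts otherwise (Cowrie was handled elsewhere)."""
    return len(hits) if hits and hits[0].get("type", "") == "Heralding" else 0


def login_attempts_new(hits):
    """Post-fix rule: one attempt per hit that carries a non-empty credential field."""
    return sum(1 for h in hits if has_credentials(h))


def summarize_by_ip(hits):
    """Build per-IP summaries in one pass: destination ports, honeypot types and
    login attempts are accumulated together instead of re-iterating the hits."""
    acc = defaultdict(lambda: {"dest_ports": set(), "types": set(), "login_attempts": 0})
    for h in hits:
        entry = acc[h["src_ip"]]
        entry["dest_ports"].add(h["dest_port"])
        entry["types"].add(h.get("type", ""))
        if has_credentials(h):
            entry["login_attempts"] += 1
    return {
        ip: {
            "dest_ports": sorted(e["dest_ports"]),
            "types": sorted(e["types"]),
            "login_attempts": e["login_attempts"],
        }
        for ip, e in acc.items()
    }


if __name__ == "__main__":
    heralding = [h for h in SAMPLE_HITS if h["type"] == "Heralding"]
    print("old rule, Heralding hits:", login_attempts_old(heralding))  # counts the credential-less hit too
    print("new rule, Heralding hits:", login_attempts_new(heralding))
    for ip, summary in summarize_by_ip(SAMPLE_HITS).items():
        print(ip, summary)
```

Running it shows the two behavioural points worth checking in review: the Cowrie session.connect hit and the Dionaea hit with empty fields are not counted, and a Heralding hit that has no credential fields, which the old rule counted, no longer contributes.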

Copilot AI review requested due to automatic review settings March 1, 2026 17:41

Copilot AI left a comment


Pull request overview

Extends IOC login-attempt counting to cover all honeypots that capture credentials by detecting normalized username/password fields in Elasticsearch hits, addressing the gap described in #470 and avoiding Cowrie double-counting.

Changes:

  • Update iocs_from_hits() to count login attempts based on presence of username or password fields (instead of Heralding-only logic).
  • Remove Cowrie session-level increment that could double-count login attempts.
  • Expand and adjust tests to cover credential-based login-attempt counting scenarios.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File | Description
greedybear/cronjobs/extraction/utils.py | Switch login-attempt calculation to field-based credential detection across all hit types.
greedybear/cronjobs/extraction/strategies/cowrie.py | Remove per-session increment to prevent double-counting now that IOC-level counting is credential-based.
tests/test_extraction_utils.py | Add username/password support in hit factory and new tests for credential-based counting.
tests/test_cowrie_extraction.py | Update Cowrie session hit test expectation to match removed increment behavior.


Comment on lines 129 to 133
ip_reputation=correct_ip_reputation(ip, hits[0].get("ip_rep", "")),
asn=hits[0].get("geoip", {}).get("asn"),
destination_ports=sorted(set(dest_ports)),
login_attempts=len(hits) if hits[0].get("type", "") == "Heralding" else 0,
login_attempts=sum(1 for h in hits if h.get("username") or h.get("password")),
firehol_categories=firehol_categories,
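Review bot: the replaced login_attempts line changes the count for Heralding as well, not only for the honeypots that were previously ignored. The old `login_attempts=len(hits) if hits[0].get("type", "") == "Heralding" else 0` counted every Heralding hit for the IP, while the new `login_attempts=sum(1 for h in hits if h.get("username") or h.get("password"))` counts only hits carrying a non-empty username or password, so a Heralding hit that has neither field stops contributing. If that drop is intended, a test with a Heralding hit lacking both fields would document it. The new expression also no longer assumes that all hits for an IP share the type of hits[0], which is an improvement worth a one-line comment.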

Copilot AI Mar 1, 2026


login_attempts is computed with an additional full pass over hits. iocs_from_hits() already iterates over hits multiple times (dest ports, sensors, timestamps), so this adds another O(n) pass per IP. Consider accumulating login_attempts during an existing loop over hits to avoid extra iteration when processing large hit batches.

Contributor Author

rootp1 commented Mar 1, 2026

Can you please review all these, @regulartim

Collaborator

@regulartim regulartim left a comment


Very nice, thank you! :)

@regulartim regulartim merged commit 3a94276 into intelowlproject:develop Mar 2, 2026
4 checks passed
Contributor Author

rootp1 commented Mar 2, 2026

Very nice, thank you! :)

I’m genuinely delighted to have written a piece of code that required no review.

cclts pushed a commit to cclts/GreedyBear that referenced this pull request Mar 11, 2026
…#470  (intelowlproject#911)

* fix

* COPILOT CHANGES

---------

Co-authored-by: rootp1 <rootp1@github.com>