Megatron is a tool implemented by CERT-SE which collects and analyses log files that list bad machines, e.g. from Shadowserver. Apart from abuse mail handling, Megatron can be used to collect statistics, convert log files, and do log file analysis during incident handling.
For all features, see readme-general.txt
Convert a file with IP addresses to a pipe-separated file with IP, AS, country code, and hostname:
$ megatron.sh --job-type ip-flowing --export --no-db test-data/multiple-ips-per-line3.log
As above but output file is tab-separated and contains geolocation data:
$ megatron.sh --job-type ip-flowing-verbose --export --no-db test-data/multiple-ips-per-line3.log
Prints information about two IP addresses (hostnames or URLs work as well):
$ megatron.sh --whois 126.96.36.199 188.8.131.52
IP | AS | CC | Hostname | AS Name | Organization
184.108.40.206 | 1653 | SE | live.webb.uu.se | SUNET Swedish University Network | Uppsala universitet
220.127.116.11 | 29672 | SE | stockholm.se | S:t Erik Kommunikation AB | Stockholms stad
Prints information about URLs in specified file:
$ megatron.sh --whois infection-urls.txt
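Added example (not part of Megatron or its documentation): a Python script that parses the pipe-separated --whois table shown above and groups the addresses by AS number, so each network operator can be handled in one go. The column order and separator are assumed from the sample output on this page; parse_whois and group_by_asn are hypothetical names, and the sample rows are constructed from documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Column order assumed from the sample --whois output on this page.
COLUMNS = ("ip", "asn", "cc", "hostname", "as_name", "organization")

# Constructed sample output (documentation addresses and AS numbers).
SAMPLE = """\
IP | AS | CC | Hostname | AS Name | Organization
192.0.2.10 | 64496 | SE | www.example.se | Example Net | Example University
192.0.2.11 | 64496 | SE |  | Example Net | Example University
198.51.100.7 | 64497 | SE | host.example.org | Other Net | Example City
not-an-ip | 64497 | SE | x.example.org | Other Net | Example City
203.0.113.5 | 64498 | SE
"""

def parse_whois(text):
    """Return (rows, rejected); rejected holds (line number, reason)."""
    rows, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = [f.strip() for f in line.split("|")]
        if not line.strip() or fields[0].upper() == "IP":
            continue  # blank line or header
        if len(fields) != len(COLUMNS):
            rejected.append((lineno, "expected 6 fields"))
            continue
        row = dict(zip(COLUMNS, fields))
        try:
            row["ip"] = ipaddress.ip_address(row["ip"])
            row["asn"] = int(row["asn"])
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        rows.append(row)
    return rows, rejected

def group_by_asn(rows):
    """Map AS number -> sorted, de-duplicated list of IP strings."""
    groups = defaultdict(set)
    for row in rows:
        groups[row["asn"]].add(row["ip"])
    order = lambda ip: (ip.version, int(ip))  # IPv4 and IPv6 sort together
    return {a: [str(i) for i in sorted(s, key=order)] for a, s in groups.items()}

if __name__ == "__main__":
    rows, rejected = parse_whois(SAMPLE)
    print(group_by_asn(rows))
    print(rejected)
```

Rows that are truncated or carry an invalid address are reported with their line number instead of being silently dropped, which matters when the result feeds abuse notifications.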
Process file and save result in the database:
$ megatron.sh --job-type shadowserver-drone test-data/2009-06-08-drone-report-se.log
Preview of mail to be sent:
$ megatron.sh --job shadowserver-drone_2013-06-22_160142 --id 4242 --mail-dry-run
Send emails for the job:
$ megatron.sh --job shadowserver-drone_2009-06-22_160142 --id 4242 --mail
Megatron is designed to automate day-to-day abuse handling. Running Megatron from the command line is only necessary in special cases.
Binaries, config files, and source code are included in this tarball:
MD5: 816a6b9644cc929822e861221b07ea37
SHA1: 77c8c1bedd6318574b34d85daaaae8a6d94e6b1e
Megatron is cross-platform as it is implemented in Java and Python. It has been tested on Windows 7 and Ubuntu 12.04. Megatron requires a MySQL database. Do not worry, the installation is easy and described in detail in this document: readme-install.txt
To get a grasp of Megatron, we recommend skimming the following:
Megatron is distributed under the terms of the Apache Software Foundation license version 2.0, which is included in the file LICENSE in the root of the project.
CERT-SE does not offer any support, and Megatron is provided "as is" without warranty of any kind.
Megatron Hacking is the mailing list for Megatron. Join by sending an empty email to:
Or you can go to the following URL:
The mailing list is for discussions about Megatron (installation problems, bug fixes, feature requests, etc.). Keep in mind that the list is public.