Commit 00d329f0 authored by Daniel Studený's avatar Daniel Studený

Added configurable 'Test' mode

parent dc032dc8
...@@ -23,6 +23,7 @@ aanonymised = aconfig['anonymised'] ...@@ -23,6 +23,7 @@ aanonymised = aconfig['anonymised']
aanonymised_net = aconfig['target_net'] aanonymised_net = aconfig['target_net']
aanonymised = aanonymised if (aanonymised_net != '0.0.0.0/0') or (aanonymised_net == 'omit') else '0.0.0.0/0' aanonymised = aanonymised if (aanonymised_net != '0.0.0.0/0') or (aanonymised_net == 'omit') else '0.0.0.0/0'
awin = aconfig['awin'] * 60 awin = aconfig['awin'] * 60
atest = aconfig['test_mode']
wclient = Client(**wconfig) wclient = Client(**wconfig)
...@@ -44,7 +45,7 @@ def gen_event_idea_cowrie_info(detect_time, src_ip, dst_ip, win_start_time, win_ ...@@ -44,7 +45,7 @@ def gen_event_idea_cowrie_info(detect_time, src_ip, dst_ip, win_start_time, win_
"DetectTime": detect_time, "DetectTime": detect_time,
"WinStartTime": win_start_time, "WinStartTime": win_start_time,
"WinEndTime": win_end_time, "WinEndTime": win_end_time,
"Category": ["Attempt.Login", "Test"], "Category": ["Attempt.Login"],
"Note": "SSH login attempt", "Note": "SSH login attempt",
"ConnCount": conn_count, "ConnCount": conn_count,
"Source": [{}], "Source": [{}],
...@@ -58,6 +59,10 @@ def gen_event_idea_cowrie_info(detect_time, src_ip, dst_ip, win_start_time, win_ ...@@ -58,6 +59,10 @@ def gen_event_idea_cowrie_info(detect_time, src_ip, dst_ip, win_start_time, win_
} }
] ]
} }
# Test if we're testing
if atest == "true":
event["Category"].append('Test')
event = idea_fill_addresses(event, src_ip, dst_ip, aanonymised, aanonymised_net) event = idea_fill_addresses(event, src_ip, dst_ip, aanonymised, aanonymised_net)
return event return event
...@@ -68,7 +73,7 @@ def gen_event_idea_cowrie_auth(detect_time, src_ip, dst_ip, username, password, ...@@ -68,7 +73,7 @@ def gen_event_idea_cowrie_auth(detect_time, src_ip, dst_ip, username, password,
"Format": "IDEA0", "Format": "IDEA0",
"ID": str(uuid4()), "ID": str(uuid4()),
"DetectTime": detect_time, "DetectTime": detect_time,
"Category": ["Information.UnauthorizedAccess", "Test"], "Category": ["Information.UnauthorizedAccess"],
"Note": "SSH successfull attempt", "Note": "SSH successfull attempt",
"ConnCount": 1, "ConnCount": 1,
"Source": [{}], "Source": [{}],
...@@ -82,6 +87,9 @@ def gen_event_idea_cowrie_auth(detect_time, src_ip, dst_ip, username, password, ...@@ -82,6 +87,9 @@ def gen_event_idea_cowrie_auth(detect_time, src_ip, dst_ip, username, password,
], ],
"Attach": [{ "sessionid": sessionid, "username": username, "password": password }] "Attach": [{ "sessionid": sessionid, "username": username, "password": password }]
} }
# Test if we're testing
if atest == "true":
event["Category"].append('Test')
event = idea_fill_addresses(event, src_ip, dst_ip, aanonymised, aanonymised_net) event = idea_fill_addresses(event, src_ip, dst_ip, aanonymised, aanonymised_net)
...@@ -94,7 +102,7 @@ def gen_event_idea_cowrie_ttylog(detect_time, src_ip, dst_ip, sessionid, ttylog, ...@@ -94,7 +102,7 @@ def gen_event_idea_cowrie_ttylog(detect_time, src_ip, dst_ip, sessionid, ttylog,
"Format": "IDEA0", "Format": "IDEA0",
"ID": str(uuid4()), "ID": str(uuid4()),
"DetectTime": detect_time, "DetectTime": detect_time,
"Category": ["Information.UnauthorizedAccess", "Test"], "Category": ["Information.UnauthorizedAccess"],
"Note": "Cowrie ttylog", "Note": "Cowrie ttylog",
"ConnCount": 1, "ConnCount": 1,
"Source": [{}], "Source": [{}],
...@@ -108,6 +116,9 @@ def gen_event_idea_cowrie_ttylog(detect_time, src_ip, dst_ip, sessionid, ttylog, ...@@ -108,6 +116,9 @@ def gen_event_idea_cowrie_ttylog(detect_time, src_ip, dst_ip, sessionid, ttylog,
], ],
"Attach": [ { "sessionid": sessionid, "ttylog": ttylog, "iinput": iinput, "smart": iinput } ] "Attach": [ { "sessionid": sessionid, "ttylog": ttylog, "iinput": iinput, "smart": iinput } ]
} }
# Test if we're testing
if atest == "true":
event["Category"].append('Test')
event = idea_fill_addresses(event, src_ip, dst_ip, aanonymised, aanonymised_net) event = idea_fill_addresses(event, src_ip, dst_ip, aanonymised, aanonymised_net)
...@@ -120,7 +131,7 @@ def gen_event_idea_cowrie_download(detect_time, src_ip, dst_ip, sessionid, url, ...@@ -120,7 +131,7 @@ def gen_event_idea_cowrie_download(detect_time, src_ip, dst_ip, sessionid, url,
"Format": "IDEA0", "Format": "IDEA0",
"ID": str(uuid4()), "ID": str(uuid4()),
"DetectTime": detect_time, "DetectTime": detect_time,
"Category": ["Malware", "Test"], "Category": ["Malware"],
"Note": "Cowrie download", "Note": "Cowrie download",
"ConnCount": 1, "ConnCount": 1,
"Source": [{}], "Source": [{}],
...@@ -134,6 +145,9 @@ def gen_event_idea_cowrie_download(detect_time, src_ip, dst_ip, sessionid, url, ...@@ -134,6 +145,9 @@ def gen_event_idea_cowrie_download(detect_time, src_ip, dst_ip, sessionid, url,
], ],
"Attach": [{ "sessionid": sessionid, "url": url, "outfile": outfile, "smart": url }] "Attach": [{ "sessionid": sessionid, "url": url, "outfile": outfile, "smart": url }]
} }
# Test if we're testing
if atest == "true":
event["Category"].append('Test')
event = idea_fill_addresses(event, src_ip, dst_ip, aanonymised, aanonymised_net) event = idea_fill_addresses(event, src_ip, dst_ip, aanonymised, aanonymised_net)
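Review bot: The new `if atest == "true":` guard (and the three identical copies in the other `gen_event_idea_cowrie_*` functions) only matches the literal lowercase string, so if the config loader hands back a boolean `True` or a value such as `"True"`/`"yes"`, the branch is silently skipped and events leave without the "Test" category while the operator believes test mode is on — the previous hard-coded "Test" at least failed safe in the other direction. Normalise once where the option is read, e.g. `atest = str(aconfig.get('test_mode', 'false')).strip().lower() in ('true', '1', 'yes')`, and reduce each site to `if atest:`; the `.get` default also keeps existing config files without the new `test_mode` key from raising `KeyError` at import time, as `aconfig['test_mode']` does now. Since the same three lines are now repeated in four functions, a small helper that appends the category would keep them from drifting. All four `gen_event_idea_cowrie_*` functions start outside the hunks shown here.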