Commit 1e4bcae6 authored by Pavel Valach's avatar Pavel Valach

Merge branch 'new-cowrie' into 'master'

cowrie: Imported changes from HaaS project

See merge request !2
parents 16891c7d e342b25a
......@@ -161,13 +161,13 @@ class Output(cowrie.core.output.Output):
entry["dst_ip"] = entry["dst_ip"].lstrip("::ffff:")
# detect IPv4 or IPv6
af = "IP4" if not ':' in entry["src_ip"] else "IP6"
src_af = "IP4" if not ':' in entry["src_ip"] else "IP6"
# If configured, override destination IP and port
if entry.get("dst_ip"):
if af == "IP4" and self.reported_public_ipv4:
if src_af == "IP4" and self.reported_public_ipv4:
entry["dst_ip"] = self.reported_public_ipv4
elif af == "IP6" and self.reported_public_ipv6:
elif src_af == "IP6" and self.reported_public_ipv6:
entry["dst_ip"] = self.reported_public_ipv6
if entry.get("dst_port") and self.reported_ssh_port:
......@@ -205,14 +205,14 @@ class Output(cowrie.core.output.Output):
event["Category"].append("Attempt.Login")
event["Note"] = "SSH login attempt"
for i, c in self.attackers.items():
src_ip, dst_ip = i.split(',')
af = "IP4" if not ':' in src_ip else "IP6"
a_src_ip, a_dst_ip = i.split(',')
a_af = "IP4" if not ':' in a_src_ip else "IP6"
event["ID"] = str(uuid4())
event["DetectTime"] = event["WinEndTime"]
event["ConnCount"] = c
event["Source"] = [{"Proto": ["tcp", "ssh"], af: [src_ip]}]
event["Target"] = [{"Proto": ["tcp", "ssh"], af: [dst_ip]}]
if (self.anon_mask_4 < 32) and (not ':' in entry["dst_ip"]) or (self.anon_mask_6 < 128):
event["Source"] = [{"Proto": ["tcp", "ssh"], a_af: [a_src_ip]}]
event["Target"] = [{"Proto": ["tcp", "ssh"], a_af: [a_dst_ip]}]
if (self.anon_mask_4 < 32 and a_af == "IP4") or (self.anon_mask_6 < 128):
event["Target"][0]["Anonymised"] = True
self.save_event(event)
self.attackers = {}
......@@ -220,6 +220,12 @@ class Output(cowrie.core.output.Output):
self.attackers[aid] = 1
self.win_start = ws
elif entry["session"] not in self.sessions:
# We do not save sessions
# that were created during previous Cowrie runs
# and we should not care about them.
return()
elif entry["eventid"] == 'cowrie.login.success':
s = entry["session"]
if s in self.sessions:
......@@ -240,7 +246,7 @@ class Output(cowrie.core.output.Output):
mware = None
fname = None
if "outfile" in entry and os.path.exists(entry["outfile"]):
fp = open(entry["outfile"], "r")
fp = open(entry["outfile"], "rb")
mware = fp.read()
fp.close()
if self.drop_malware:
......@@ -253,10 +259,10 @@ class Output(cowrie.core.output.Output):
if "url" in entry and entry["url"].startswith(tuple(sch.keys())):
url = urlparse(entry["url"])
host = url.hostname
ai = socket.getaddrinfo(host, None)[0]
af = "IP6" if ai[0] == socket.AddressFamily.AF_INET6 else "IP4"
ip = ai[4][0]
url_host = url.hostname
url_ai = socket.getaddrinfo(url_host, None)[0]
url_af = "IP6" if url_ai[0] == socket.AddressFamily.AF_INET6 else "IP4"
url_ip = url_ai[4][0]
proto = [ "tcp", url.scheme ]
port = url.port or sch[url.scheme]
......@@ -265,15 +271,11 @@ class Output(cowrie.core.output.Output):
fname = os.path.basename(entry['destfile'])
elif not "url" in entry:
# TODO implement the path for other files after discussion
return()
# The remainder of this branch will not execute now
if entry["format"].startswith("Saved redir"):
event["Note"] = "Saved file during honeypot session"
fname = os.path.basename(entry['destfile'])
if "destfile" in entry:
event["Note"] = "Redirected content during honeypot session"
fname = os.path.basename(entry["destfile"])
else:
event["Note"] = "Stdin contents during honeypot session"
# End of the not executed part
else:
# TODO: Some exotic protocol? Let's not worry with that now
......@@ -281,25 +283,27 @@ class Output(cowrie.core.output.Output):
event["DetectTime"] = entry["timestamp"]
if "url" in entry:
del event["Target"]
event["Source"][0] = { "Type": ["Malware"] }
event["Source"][0]["URL"] = [entry["url"]]
event["Source"][0][af] = [ip]
event["Source"][0][url_af] = [url_ip]
event["Source"][0]["Proto"] = proto
event["Source"][0]["Port"] = [port]
if ip != host:
event["Source"][0]["Hostname"] = [host]
if url_ip != url_host:
event["Source"][0]["Hostname"] = [url_host]
else:
# TODO implement later
pass
event["Source"][0] = { "Type": ["Botnet"] }
# the source of the malicious activity is the host, we don't have further details to that
event["Source"][0][src_af] = [entry["src_ip"]]
event["Source"][0]["Port"] = [self.sessions[s]["src_port"]]
del event["Target"]
event["Attach"] = [{
"Type": ["ShellCode"],
"Hash": ["sha1:" + entry["shasum"]],
"Hash": ["sha256:" + entry["shasum"]],
"Size": len(mware),
"Note": "Some probably malicious code downloaded during honeypot SSH session",
"ContentEncoding": "base64",
"Content": b64encode(mware.encode()).decode(),
"Content": b64encode(mware).decode(),
}]
if fname:
event["Attach"][0]["FileName"] = [fname]
......@@ -307,6 +311,42 @@ class Output(cowrie.core.output.Output):
event["Attach"][0]["ExternalURI"] = [entry["url"]]
self.save_event(event)
elif entry["eventid"] == 'cowrie.session.file_upload':
# Upload through SCP or SFTP to the honeypot
s = entry["session"]
if s in self.sessions:
# deal with the file first (drop even if not reported)
mware = None
fname = None
if "outfile" in entry and os.path.exists(entry["outfile"]):
fp = open(entry["outfile"], "rb")
mware = fp.read()
fp.close()
if self.drop_malware:
os.remove(entry["outfile"])
fname = entry["filename"]
if mware:
event["Category"].append("Malware")
event["Note"] = "Malware download during honeypot session"
event["DetectTime"] = entry["timestamp"]
event["Source"][0] = { "Type": ["Botnet"] }
# the source of the malicious activity is the host, we don't have further details to that
event["Source"][0][src_af] = [entry["src_ip"]]
event["Source"][0]["Port"] = [self.sessions[s]["src_port"]]
event["Attach"] = [{
"Type": ["ShellCode"],
"FileName": [fname],
"Hash": ["sha256:" + entry["shasum"]],
"Size": len(mware),
"Note": "Some probably malicious code downloaded during honeypot SSH session",
"ContentEncoding": "base64",
"Content": b64encode(mware).decode(),
}]
self.save_event(event)
elif entry["eventid"] == 'cowrie.session.closed':
s = entry["session"]
if s in self.sessions and self.sessions[s]["loggedin"]:
......@@ -314,9 +354,8 @@ class Output(cowrie.core.output.Output):
plain = all(c in string.printable for c in idata)
event["Category"].append("Intrusion.UserCompromise")
event["Note"] = "SSH successful login" + (" with unauthorized command input" if len(idata) else "")
af = "IP4" if not ':' in entry["src_ip"] else "IP6"
event["Source"][0][af] = [entry["src_ip"]]
event["Target"][0][af] = [self.sessions[s]["dst_ip"]]
event["Source"][0][src_af] = [entry["src_ip"]]
event["Target"][0][src_af] = [self.sessions[s]["dst_ip"]]
event["Source"][0]["Port"] = [self.sessions[s]["src_port"]]
dst_port = self.sessions[s]["dst_port"]
if dst_port in self.port_xlat:
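Review bot: The rewritten anonymisation condition in the `@@ -205,14 +205,14 @@` hunk still sets `Anonymised` on an IPv4 target whenever `self.anon_mask_6 < 128`, because only the IPv4 half of the disjunction checks the address family while the IPv6 half is unconditional. With an IPv6 mask configured and `anon_mask_4 == 32`, an unmasked IPv4 target is therefore reported as anonymised, which is wrong metadata for the receiving side. The symmetric form is `if (self.anon_mask_4 < 32 and a_af == "IP4") or (self.anon_mask_6 < 128 and a_af == "IP6"):`. Whether the target address is actually masked elsewhere is not visible in this hunk, so at minimum the flag should agree with the family check. The method enclosing the `for i, c in self.attackers.items()` loop starts and ends outside the hunk.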