Commit 8145609e authored by Pavel Valach's avatar Pavel Valach

dionaea: Imported changes from HaaS project

parent 16891c7d
......@@ -106,8 +106,14 @@ class LogWardenfilerHandler(ihandler):
ihandler.__init__(self, path)
self.path = path
self._config = config
def _fixup_event(self, event):
if 'database' in event and isinstance(event['database'], bytes):
event['database'] = str(event['database'], "utf-8", "backslashreplace")
return event
def _save_event(self, event):
event = self._fixup_event(event)
f, name = self.filer.create_unique_file()
with f:
f.write(json.dumps(event, ensure_ascii = True))
......@@ -123,9 +129,9 @@ class LogWardenfilerHandler(ihandler):
if 'nat_port' in self._config:
self.nat_port = self._config.get('nat_port')
if 'anon_mask_4' in self._config:
self.nat_port = self._config.get('anon_mask_4')
self.anon_mask_4 = self._config.get('anon_mask_4')
if 'anon_mask_6' in self._config:
self.nat_port = self._config.get('anon_mask_6')
self.anon_mask_6 = self._config.get('anon_mask_6')
if 'aggr_win' in self._config:
self.aggr_win = self._config.get('aggr_win')
if 'test_mode' in self._config:
......@@ -164,8 +170,6 @@ class LogWardenfilerHandler(ihandler):
c = a["count"]
if c > 1:
src_ip, dst_ip, dst_port, proto = i.split(',')
if (self.anon_mask_4 < 32) and (not ':' in dst_ip) or (self.anon_mask_6 < 128):
Target[0]["Anonymised"] = "true"
sevent["ID"] = str(uuid4())
if len(a["creds"]):
sevent["Category"] = ["Recon.Scanning"]
......@@ -176,10 +180,12 @@ class LogWardenfilerHandler(ihandler):
sevent["ConnCount"] = c
af = "IP4" if not ':' in src_ip else "IP6"
proto = [proto]
if a["proto"]
if a["proto"]:
proto.append(a["proto"])
sevent["Source"] = [{"Proto": proto, af: [src_ip], "Port": a["sports"]}]
sevent["Target"] = [{"Proto": proto, af: [dst_ip], "Port": [int(dst_port)]}]
if (self.anon_mask_4 < 32) and (not ':' in dst_ip) or (self.anon_mask_6 < 128):
sevent["Target"][0]["Anonymised"] = "true"
if len(a["creds"]):
attach = {
"Type": ["Credentials"],
......@@ -224,20 +230,26 @@ class LogWardenfilerHandler(ihandler):
}
event["Category"].append("Intrusion.UserCompromise")
if s["proto"]:
event["Note"] = p[s["proto"]] + "successful login"
else
event["Note"] = p[s["proto"]] + " successful login"
else:
event["Note"] = "Successful login attempt"
attach = {
"Type": ["Credentials"],
"Note": "Credentials used by attacker used for simulated honeypot login",
"Credentials": s["creds"]
}
event["Attach"] = [attach]
if "Attach" not in event:
event["Attach"] = []
event["Attach"].append(attach)
else:
# login without password or similar thing
event["Category"].append("Intrusion.UserCompromise")
event["Note"] = "Failed login attempt"
if len(s["cmds"]):
event["Category"].append("Attempt.Exploit")
event["Note"] += " with unauthorized command input"
idata = "\n".join(str(c) for c in s[cmds])
idata = "\n".join(str(c) for c in s["cmds"])
plain = all(c in string.printable for c in idata)
eidata = idata if plain else b64encode(idata.encode()).decode()
attach = {
......@@ -249,14 +261,22 @@ class LogWardenfilerHandler(ihandler):
}
if not plain:
attach["ContentEncoding"] = "base64"
if "Attach" not in event:
event["Attach"] = []
event["Attach"].append(attach)
return(event)
def _register_connection(self, con, proto = None, cred = None, cmd = None)
def _register_connection(self, con, proto = None, cred = None, cmd = None):
if not con in self.sessions:
src_ip = con.remote.host.lstrip("::ffff:")
dst_ip = con.local.host.lstrip("::ffff:")
self.sessions[con] = {}
src_ip = con.remote.host
dst_ip = con.local.host
if src_ip.startswith("::ffff:"):
src_ip = src_ip[7:]
if dst_ip.startswith("::ffff:"):
dst_ip = dst_ip[7:]
if self.resolve_nat:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
......@@ -292,9 +312,9 @@ class LogWardenfilerHandler(ihandler):
self.sessions[con]["creds"] = []
self.sessions[con]["cmds"] = []
aid = ','.join((src_ip, dst_ip, str(con.local.port), con.transport))
aid = ','.join((self.sessions[con]["src_ip"], self.sessions[con]["dst_ip"], str(con.local.port), con.transport))
if not aid in in self.attackers:
if not aid in self.attackers:
self.attackers[aid] = {
"count": 0,
"sports": [],
......@@ -357,7 +377,7 @@ class LogWardenfilerHandler(ihandler):
con = icd.con
cmd = icd.command.decode()
if hasattr(icd, 'arguments'):
cmd = " ".join([cmd], icd.arguments)
cmd += " " + " ".join(icd.arguments)
self._register_connection(con, "ftp", cmd = cmd)
logger.info("new FTP command within connection from %s:%i to %s:%i" % (con.remote.host, con.remote.port, con.local.host, con.local.port))
......@@ -368,9 +388,9 @@ class LogWardenfilerHandler(ihandler):
def handle_incident_dionaea_modules_python_mysql_command(self, icd):
con = icd.con
cmd = icd.command
cmd = str(icd.command)
if hasattr(icd, 'args'):
cmd = " ".join([cmd], icd.args)
cmd += "\n" + "\n".join(icd.args)
self._register_connection(con, "mysql", cmd = cmd)
logger.info("new MYSQL command within connection from %s:%i to %s:%i" % (con.remote.host, con.remote.port, con.local.host, con.local.port))
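Review bot: The relocated anonymisation guard in the fourth hunk, `if (self.anon_mask_4 < 32) and (not ':' in dst_ip) or (self.anon_mask_6 < 128):`, marks every IPv4 target as anonymised whenever anon_mask_6 is below 128, because `and` binds tighter than `or` and the IPv6 arm carries no address-family test, so the `Anonymised` flag in the report stops reflecting whether the address was actually masked. A form that keeps the families apart is `is_v6 = ':' in dst_ip` followed by `if (not is_v6 and self.anon_mask_4 < 32) or (is_v6 and self.anon_mask_6 < 128):`. The same expression was on the line the third hunk removes, so the precedence slip predates this commit, but moving it below the `sevent["Target"]` assignment fixes only the undefined-name problem. Whether `anon_mask_4` / `anon_mask_6` always exist is not visible here: the second hunk assigns them only when the keys are present in the config, and the method that evaluates the guard starts and ends outside the shown hunks.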