diff --git a/dionaea/log_wardenfiler.py b/dionaea/log_wardenfiler.py
index b7b34749b152fa3ee888d78a935ff4c8adda0e34..da70d1d23c7768390c8e5606960322c90bdd959a 100644
--- a/dionaea/log_wardenfiler.py
+++ b/dionaea/log_wardenfiler.py
@@ -106,8 +106,14 @@ class LogWardenfilerHandler(ihandler):
         ihandler.__init__(self, path)
         self.path = path
         self._config = config
+
+    def _fixup_event(self, event):
+        if 'database' in event and isinstance(event['database'], bytes):
+            event['database'] = str(event['database'], "utf-8", "backslashreplace")
+        return event
 
     def _save_event(self, event):
+        event = self._fixup_event(event)
         f, name = self.filer.create_unique_file()
         with f:
             f.write(json.dumps(event, ensure_ascii = True))
@@ -123,9 +129,9 @@ class LogWardenfilerHandler(ihandler):
         if 'nat_port' in self._config:
             self.nat_port = self._config.get('nat_port')
         if 'anon_mask_4' in self._config:
-            self.nat_port = self._config.get('anon_mask_4')
+            self.anon_mask_4 = self._config.get('anon_mask_4')
         if 'anon_mask_6' in self._config:
-            self.nat_port = self._config.get('anon_mask_6')
+            self.anon_mask_6 = self._config.get('anon_mask_6')
         if 'aggr_win' in self._config:
             self.aggr_win = self._config.get('aggr_win')
         if 'test_mode' in self._config:
@@ -164,8 +170,6 @@ class LogWardenfilerHandler(ihandler):
             c = a["count"]
             if c > 1:
                 src_ip, dst_ip, dst_port, proto = i.split(',')
-                if (self.anon_mask_4 < 32) and (not ':' in dst_ip) or (self.anon_mask_6 < 128):
-                    Target[0]["Anonymised"] = "true"
                 sevent["ID"] = str(uuid4())
                 if len(a["creds"]):
                     sevent["Category"] = ["Recon.Scanning"]
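Review bot: `_fixup_event` only rewrites the `database` key, so any other bytes-valued field in `event` still reaches `json.dumps` in `_save_event` and raises `TypeError` there; whether other fields can carry bytes is not visible in this hunk. The helper also mutates the caller's dict in place while returning it, which a one-line docstring should state: `"""Decode bytes-valued fields json.dumps cannot serialise; mutates and returns event."""`. `_save_event`'s body continues past the end of the hunk.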
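Review bot: The corrected assignments store whatever the config loader returns, and `anon_mask_4`/`anon_mask_6` are later compared with `<` against 32 and 128; if the loader yields strings, that comparison raises `TypeError` in Python 3, so coercing at load time is safer: `self.anon_mask_4 = int(self._config.get('anon_mask_4'))` (and the same for `anon_mask_6`). Nothing in this hunk assigns a default when the key is absent — if no default is set elsewhere in the class, the later comparison fails with `AttributeError`. The enclosing method starts before the hunk.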
@@ -176,10 +180,12 @@ class LogWardenfilerHandler(ihandler):
                 sevent["ConnCount"] = c
                 af = "IP4" if not ':' in src_ip else "IP6"
                 proto = [proto]
-                if a["proto"]
+                if a["proto"]:
                     proto.append(a["proto"])
                 sevent["Source"] = [{"Proto": proto, af: [src_ip], "Port": a["sports"]}]
                 sevent["Target"] = [{"Proto": proto, af: [dst_ip], "Port": [int(dst_port)]}]
+                if (self.anon_mask_4 < 32) and (not ':' in dst_ip) or (self.anon_mask_6 < 128):
+                    sevent["Target"][0]["Anonymised"] = "true"
                 if len(a["creds"]):
                     attach = {
                         "Type": ["Credentials"],
@@ -224,20 +230,26 @@ class LogWardenfilerHandler(ihandler):
                 }
                 event["Category"].append("Intrusion.UserCompromise")
                 if s["proto"]:
-                    event["Note"] = p[s["proto"]] + "successful login"
-                else
+                    event["Note"] = p[s["proto"]] + " successful login"
+                else:
                     event["Note"] = "Successful login attempt"
                 attach = {
                     "Type": ["Credentials"],
                     "Note": "Credentials used by attacker used for simulated honeypot login",
                     "Credentials": s["creds"]
                 }
-                event["Attach"] = [attach]
+                if "Attach" not in event:
+                    event["Attach"] = []
+                event["Attach"].append(attach)
+            else:
+                # login without password or similar thing
+                event["Category"].append("Intrusion.UserCompromise")
+                event["Note"] = "Failed login attempt"
             if len(s["cmds"]):
                 event["Category"].append("Attempt.Exploit")
                 event["Note"] += " with unauthorized command input"
-                idata = "\n".join(str(c) for c in s[cmds])
+                idata = "\n".join(str(c) for c in s["cmds"])
                 plain = all(c in string.printable for c in idata)
                 eidata = idata if plain else b64encode(idata.encode()).decode()
                 attach = {
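Review bot: The moved condition `if (self.anon_mask_4 < 32) and (not ':' in dst_ip) or (self.anon_mask_6 < 128):` binds as `(A and B) or C`, so an IPv4 target is flagged whenever the IPv6 mask is below 128, regardless of `anon_mask_4`. Splitting it by address family makes the intent explicit: `is_v6 = ':' in dst_ip` followed by `if (not is_v6 and self.anon_mask_4 < 32) or (is_v6 and self.anon_mask_6 < 128):`. Within this hunk `dst_ip` is written into `sevent["Target"]` unchanged, so the `Anonymised` marker is only truthful if the masking itself happens before this point, which I cannot see here. The enclosing loop begins before the hunk.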
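Review bot: The new `else:` branch tags a failed login with `Intrusion.UserCompromise`, the same category as the successful-login branch above it; for an unsuccessful attempt the IDEA taxonomy's `Attempt.Login` is the fitting category, i.e. `event["Category"].append("Attempt.Login")`. The comment `# login without password or similar thing` should state what the branch actually covers once that is settled — the condition it hangs off is above the hunk, so I cannot tell. The `if "Attach" not in event: event["Attach"] = []` prelude here and in the next hunk collapses to `event.setdefault("Attach", []).append(attach)`. `p[s["proto"]]` raises `KeyError` for a protocol missing from `p` unless `p` is guaranteed complete; `p` is defined above the hunk.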
@@ -249,14 +261,22 @@ class LogWardenfilerHandler(ihandler):
                 }
                 if not plain:
                     attach["ContentEncoding"] = "base64"
+                if "Attach" not in event:
+                    event["Attach"] = []
                 event["Attach"].append(attach)
         return(event)
 
-    def _register_connection(self, con, proto = None, cred = None, cmd = None)
+    def _register_connection(self, con, proto = None, cred = None, cmd = None):
         if not con in self.sessions:
-            src_ip = con.remote.host.lstrip("::ffff:")
-            dst_ip = con.local.host.lstrip("::ffff:")
+            self.sessions[con] = {}
+
+            src_ip = con.remote.host
+            dst_ip = con.local.host
+            if src_ip.startswith("::ffff:"):
+                src_ip = src_ip[7:]
+            if dst_ip.startswith("::ffff:"):
+                dst_ip = dst_ip[7:]
 
             if self.resolve_nat:
                 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
@@ -292,9 +312,9 @@ class LogWardenfilerHandler(ihandler):
             self.sessions[con]["creds"] = []
             self.sessions[con]["cmds"] = []
 
-        aid = ','.join((src_ip, dst_ip, str(con.local.port), con.transport))
+        aid = ','.join((self.sessions[con]["src_ip"], self.sessions[con]["dst_ip"], str(con.local.port), con.transport))
 
-        if not aid in in self.attackers:
+        if not aid in self.attackers:
             self.attackers[aid] = {
                 "count": 0,
                 "sports": [],
@@ -357,7 +377,7 @@ class LogWardenfilerHandler(ihandler):
         con = icd.con
         cmd = icd.command.decode()
         if hasattr(icd, 'arguments'):
-            cmd = " ".join([cmd], icd.arguments)
+            cmd += " " + " ".join(icd.arguments)
         self._register_connection(con, "ftp", cmd = cmd)
         logger.info("new FTP command within connection from %s:%i to %s:%i" % (con.remote.host, con.remote.port, con.local.host, con.local.port))
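Review bot: `self.sessions[con] = {}` is now registered before the session is populated, so if anything between it and the later field assignments raises (the NAT-resolution socket path starts at the bottom of this hunk), the next call for the same `con` skips setup because `con in self.sessions` is already true, and the `self.sessions[con]["src_ip"]` lookup used for `aid` fails with `KeyError`. Building the entry in a local dict and assigning it to `self.sessions[con]` only after the fields are filled avoids the half-registered state; the rest of the method is below the hunk. The prefix stripping correctly replaces the `lstrip` misuse; on Python 3.9+ it can be `src_ip = src_ip.removeprefix("::ffff:")`, which drops the hard-coded `[7:]`.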
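Review bot: `cmd += " " + " ".join(icd.arguments)` assumes the elements of `icd.arguments` are `str`, while `icd.command` two lines up has to be `.decode()`d; if the arguments are bytes as well, `join` raises `TypeError`. Decoding per element keeps both cases working: `cmd += " " + " ".join(a.decode() if isinstance(a, bytes) else str(a) for a in icd.arguments)`. An empty `arguments` list also leaves a trailing space on `cmd`, which an `if icd.arguments:` guard would avoid.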
@@ -368,9 +388,9 @@ class LogWardenfilerHandler(ihandler):
 
     def handle_incident_dionaea_modules_python_mysql_command(self, icd):
         con = icd.con
-        cmd = icd.command
+        cmd = str(icd.command)
         if hasattr(icd, 'args'):
-            cmd = " ".join([cmd], icd.args)
+            cmd += "\n" + "\n".join(icd.args)
         self._register_connection(con, "mysql", cmd = cmd)
         logger.info("new MYSQL command within connection from %s:%i to %s:%i" % (con.remote.host, con.remote.port, con.local.host, con.local.port))
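Review bot: `cmd = str(icd.command)` is not a decode — if `icd.command` is bytes here, as it is for the FTP handler in the previous hunk which calls `.decode()` on it, `str()` yields the `b'...'` repr, and that text is what presumably gets recorded as the session command. Mirroring the FTP handler, `cmd = icd.command.decode() if isinstance(icd.command, bytes) else str(icd.command)` handles both cases, and the same bytes check applies to the elements of `icd.args` on the `"\n".join` line.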