dionaea: Imported changes from HaaS project

8145609e · Pavel Valach · 16891c7d · 8145609e
Commit 8145609e authored 2 years ago by Pavel Valach
--- a/dionaea/log_wardenfiler.py
+++ b/dionaea/log_wardenfiler.py
@@ -106,8 +106,14 @@ class LogWardenfilerHandler(ihandler):
        ihandler.__init__(self, path)
        self.path = path
        self._config = config
+    def _fixup_event(self, event):
+        if 'database' in event and isinstance(event['database'], bytes):
+            event['database'] = str(event['database'], "utf-8", "backslashreplace")
+        return event
    def _save_event(self, event):
+        event = self._fixup_event(event)
        f, name = self.filer.create_unique_file()
        with f:
            f.write(json.dumps(event, ensure_ascii = True))
@@ -123,9 +129,9 @@ class LogWardenfilerHandler(ihandler):
        if 'nat_port' in self._config:
            self.nat_port = self._config.get('nat_port')
        if 'anon_mask_4' in self._config:
-            self.nat_port = self._config.get('anon_mask_4')
+            self.anon_mask_4 = self._config.get('anon_mask_4')
        if 'anon_mask_6' in self._config:
-            self.nat_port = self._config.get('anon_mask_6')
+            self.anon_mask_6 = self._config.get('anon_mask_6')
        if 'aggr_win' in self._config:
            self.aggr_win = self._config.get('aggr_win')
        if 'test_mode' in self._config:
@@ -164,8 +170,6 @@ class LogWardenfilerHandler(ihandler):
                c = a["count"]
                if c > 1:
                    src_ip, dst_ip, dst_port, proto = i.split(',')
-                    if (self.anon_mask_4 < 32) and (not ':' in  dst_ip) or (self.anon_mask_6 < 128):
-                        Target[0]["Anonymised"] = "true"
                    sevent["ID"] = str(uuid4())
                    if len(a["creds"]):
                        sevent["Category"] = ["Recon.Scanning"]
@@ -176,10 +180,12 @@ class LogWardenfilerHandler(ihandler):
                    sevent["ConnCount"] = c
                    af = "IP4" if not ':' in src_ip else "IP6"
                    proto = [proto]
-                    if a["proto"]
+                    if a["proto"]:
                        proto.append(a["proto"])
                    sevent["Source"] = [{"Proto": proto, af: [src_ip], "Port": a["sports"]}]
                    sevent["Target"] = [{"Proto": proto, af: [dst_ip], "Port": [int(dst_port)]}]
+                    if (self.anon_mask_4 < 32) and (not ':' in  dst_ip) or (self.anon_mask_6 < 128):
+                        sevent["Target"][0]["Anonymised"] = "true"
                    if len(a["creds"]):
                        attach = {
                            "Type": ["Credentials"],
@@ -224,20 +230,26 @@ class LogWardenfilerHandler(ihandler):
            }
            event["Category"].append("Intrusion.UserCompromise")
            if s["proto"]:
-                event["Note"] = p[s["proto"]] + "successful login"
+                event["Note"] = p[s["proto"]] + " successful login"
-            else
+            else:
                event["Note"] = "Successful login attempt"
            attach = {
                "Type": ["Credentials"],
                "Note": "Credentials used by attacker used for simulated honeypot login",
                "Credentials": s["creds"]
            }
-            event["Attach"] = [attach]
+            if "Attach" not in event:
+                event["Attach"] = []
+            event["Attach"].append(attach)
+        else:
+            # login without password or similar thing
+            event["Category"].append("Intrusion.UserCompromise")
+            event["Note"] = "Failed login attempt"
        if len(s["cmds"]):
            event["Category"].append("Attempt.Exploit")
            event["Note"] += " with unauthorized command input"
-            idata = "\n".join(str(c) for c in s[cmds])
+            idata = "\n".join(str(c) for c in s["cmds"])
            plain = all(c in string.printable for c in idata)
            eidata = idata if plain else b64encode(idata.encode()).decode()
            attach = {
@@ -249,14 +261,22 @@ class LogWardenfilerHandler(ihandler):
            }
            if not plain:
                attach["ContentEncoding"] = "base64"
+            if "Attach" not in event:
+                event["Attach"] = []
            event["Attach"].append(attach)
        return(event)
-    def _register_connection(self, con, proto = None, cred = None, cmd = None)
+    def _register_connection(self, con, proto = None, cred = None, cmd = None):
        if not con in self.sessions:
-            src_ip = con.remote.host.lstrip("::ffff:")
+            self.sessions[con] = {}
-            dst_ip = con.local.host.lstrip("::ffff:")
+            src_ip = con.remote.host
+            dst_ip = con.local.host
+            if src_ip.startswith("::ffff:"):
+                src_ip = src_ip[7:]
+            if dst_ip.startswith("::ffff:"):
+                dst_ip = dst_ip[7:]
            if self.resolve_nat:
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
@@ -292,9 +312,9 @@ class LogWardenfilerHandler(ihandler):
            self.sessions[con]["creds"] = []
            self.sessions[con]["cmds"] = []
-        aid = ','.join((src_ip, dst_ip, str(con.local.port), con.transport))
+        aid = ','.join((self.sessions[con]["src_ip"], self.sessions[con]["dst_ip"], str(con.local.port), con.transport))
-        if not aid in in self.attackers:
+        if not aid in self.attackers:
            self.attackers[aid] = {
                "count": 0,
                "sports": [],
@@ -357,7 +377,7 @@ class LogWardenfilerHandler(ihandler):
        con = icd.con
        cmd = icd.command.decode()
        if hasattr(icd, 'arguments'):
-            cmd = " ".join([cmd], icd.arguments)
+            cmd += " " + " ".join(icd.arguments)
        self._register_connection(con, "ftp", cmd = cmd)
        logger.info("new FTP command within connection from %s:%i to %s:%i" % (con.remote.host, con.remote.port, con.local.host, con.local.port))
@@ -368,9 +388,9 @@ class LogWardenfilerHandler(ihandler):
    def handle_incident_dionaea_modules_python_mysql_command(self, icd):
        con = icd.con
-        cmd = icd.command
+        cmd = str(icd.command)
        if hasattr(icd, 'args'):
-            cmd = " ".join([cmd], icd.args)
+            cmd += "\n" + "\n".join(icd.args)
        self._register_connection(con, "mysql", cmd = cmd)
        logger.info("new MYSQL command within connection from %s:%i to %s:%i" % (con.remote.host, con.remote.port, con.local.host, con.local.port))