From 87f7b98057de07c0e229d230a40035a97149853f Mon Sep 17 00:00:00 2001
From: Pavel Valach <pavel.valach@cesnet.cz>
Date: Wed, 10 Jul 2024 14:14:46 +0000
Subject: [PATCH] Cowrie, Dionaea: in the connectors, only output IDEA events
 with globally routable source IPs

---
 cowrie/wardenfiler.py      | 8 +++++++-
 dionaea/log_wardenfiler.py | 9 ++++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/cowrie/wardenfiler.py b/cowrie/wardenfiler.py
index 642ef81..62bb3cf 100644
--- a/cowrie/wardenfiler.py
+++ b/cowrie/wardenfiler.py
@@ -19,6 +19,7 @@ from datetime import datetime
 from uuid import uuid4
 from hashlib import sha1
 from base64 import b64encode
+from ipaddress import ip_address
 from ipaddress import IPv4Network
 from ipaddress import IPv6Network
 from cowrie.core.config import CowrieConfig
@@ -173,7 +174,12 @@ class Output(cowrie.core.output.Output):
         if entry.get("dst_port") and self.reported_ssh_port:
             entry["dst_port"] = self.reported_ssh_port
 
-        if entry["eventid"] == 'cowrie.session.connect':
+        if entry["eventid"] == 'cowrie.session.connect':           
+            # Do not track a session for a source
+            # which is not globally routable
+            if not ip_address(entry["src_ip"]).is_global:
+                return()
+            
             if self.resolve_nat:
                 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                 s.connect((self.nat_host, self.nat_port))
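Review bot: The new early exit `return()` returns an empty tuple rather than nothing; a bare `return` is the conventional form and avoids suggesting a value is consumed, and the added `if` line and the blank line after the guard also carry trailing whitespace. `ip_address(entry["src_ip"])` raises `ValueError` on anything that is not a literal address (and the direct index raises `KeyError` if the field is absent), so a malformed entry would now abort the handler instead of being skipped; if the log source can hand over such values, wrap the parse in `try/except ValueError` and skip with a log line. The same applies to the dionaea hunk below, which also parses `s["src_ip"]` unguarded. Note too that if peers on dual-stack sockets are reported as IPv4-mapped IPv6 (`::ffff:a.b.c.d`), I believe `is_global` is False for that range on Python before 3.13, which would silently drop every such event; unwrapping first with `addr = ip_address(entry["src_ip"]); addr = addr.ipv4_mapped or addr` before testing `addr.is_global` avoids that in both connectors. The enclosing method starts and ends outside the hunk.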
diff --git a/dionaea/log_wardenfiler.py b/dionaea/log_wardenfiler.py
index a65e904..709559e 100644
--- a/dionaea/log_wardenfiler.py
+++ b/dionaea/log_wardenfiler.py
@@ -21,6 +21,7 @@ from datetime import datetime
 from uuid import uuid4
 from hashlib import sha1
 from base64 import b64encode
+from ipaddress import ip_address
 from ipaddress import IPv4Network
 from ipaddress import IPv6Network
 
@@ -438,7 +439,13 @@ class LogWardenfilerHandler(ihandler):
 
         if con in self.sessions:
             s = self.sessions[con]
-            if s.get("cmds"):
+
+            # Do not generate IDEA event for a source
+            # which is not globally routable
+            if not ip_address(s["src_ip"]).is_global:
+                logger.info("not generating an event for connection from non-global IP %s:%s" % (con.remote.host, con.remote.port))
+
+            elif s.get("cmds"):
                 event = self._make_idea(con)
                 self._save_event(event)
                 logger.info("sending connection event from %s:%i to %s:%i" % (con.remote.host, con.remote.port, con.local.host, con.local.port))
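Review bot: The guard parses `s["src_ip"]` while the log line it emits prints `con.remote.host`; if the session dict is filled elsewhere from the same connection the two should agree, but a session registered without `src_ip` would now raise `KeyError` here rather than be skipped, so `src_ip = s.get("src_ip") or con.remote.host` before the check would keep the handler robust and make the logged address the one actually tested. The skip message could also say why the event was dropped in the same terms the commit subject uses, e.g. `"not generating an event for connection from non-globally-routable source %s:%s"`. The enclosing handler starts before the hunk and any further branches of the `elif` chain are outside it.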
-- 
GitLab