Commit a1cf70fa authored by Pavel Valach's avatar Pavel Valach

Merge branch '3-move-event-description-to-the-right-idea-attribute' into 'master'

Resolve "Move event description to the right IDEA attribute"

Closes #3

See merge request !11
parents 2a57cf41 462ba95a
......@@ -219,7 +219,7 @@ class Output(cowrie.core.output.Output):
event["WinStartTime"] = datetime.utcfromtimestamp(ws).isoformat() + 'Z'
event["WinEndTime"] = datetime.utcfromtimestamp(ws + self.aggr_win).isoformat() + 'Z'
event["Category"].append("Attempt.Login")
event["Note"] = "SSH login attempt"
event["Description"] = "SSH login attempt"
for i, c in self.attackers.items():
a_src_ip, a_dst_ip = i.split(',')
a_af = "IP4" if not ':' in a_src_ip else "IP6"
......@@ -286,7 +286,7 @@ class Output(cowrie.core.output.Output):
if mware:
# TODO: Classify everything as Malware?
event["Category"].append("Malware")
event["Note"] = "Malware download during honeypot session"
event["Description"] = "Malware download during honeypot session"
if "url" in entry and entry["url"].startswith(tuple(sch.keys())):
url = urlparse(entry["url"])
......@@ -303,10 +303,10 @@ class Output(cowrie.core.output.Output):
elif not "url" in entry:
if "destfile" in entry:
event["Note"] = "Redirected content during honeypot session"
event["Description"] = "Redirected content during honeypot session"
fname = os.path.basename(entry["destfile"])
else:
event["Note"] = "Stdin contents during honeypot session"
event["Description"] = "Stdin contents during honeypot session"
else:
# TODO: Some exotic protocol? Let's not worry with that now
......@@ -332,7 +332,7 @@ class Output(cowrie.core.output.Output):
"Type": ["ShellCode"],
"Hash": ["sha256:" + entry["shasum"]],
"Size": len(mware),
"Note": "Some probably malicious code downloaded during honeypot SSH session",
"Description": "Some probably malicious code downloaded during honeypot SSH session",
"ContentEncoding": "base64",
"Content": b64encode(mware).decode(),
}]
......@@ -359,7 +359,7 @@ class Output(cowrie.core.output.Output):
if mware:
event["Category"].append("Malware")
event["Note"] = "Malware download during honeypot session"
event["Description"] = "Malware download during honeypot session"
event["DetectTime"] = entry["timestamp"]
event["Source"][0] = { "Type": ["Botnet"] }
# the source of the malicious activity is the host, we don't have further details to that
......@@ -371,7 +371,7 @@ class Output(cowrie.core.output.Output):
"FileName": [fname],
"Hash": ["sha256:" + entry["shasum"]],
"Size": len(mware),
"Note": "Some probably malicious code downloaded during honeypot SSH session",
"Description": "Some probably malicious code downloaded during honeypot SSH session",
"ContentEncoding": "base64",
"Content": b64encode(mware).decode(),
}]
......@@ -384,7 +384,7 @@ class Output(cowrie.core.output.Output):
idata = '\n'.join(self.sessions[s]["input"])
plain = all(c in string.printable for c in idata)
event["Category"].append("Intrusion.UserCompromise")
event["Note"] = "SSH successful login" + (" with unauthorized command input" if len(idata) else "")
event["Description"] = "SSH successful login" + (" with unauthorized command input" if len(idata) else "")
event["Source"][0][src_af] = [entry["src_ip"]]
event["Target"][0][src_af] = [self.sessions[s]["dst_ip"]]
event["Source"][0]["Port"] = [self.sessions[s]["src_port"]]
......@@ -398,7 +398,7 @@ class Output(cowrie.core.output.Output):
"Type": ["Exploit"],
"Hash": ["sha1:" + sha1(idata.encode("utf-8")).hexdigest()],
"Size": len(idata),
"Note": "Commands entered by attacker during honeypot SSH session",
"Description": "Commands entered by attacker during honeypot SSH session",
"Content": eidata
}
if not plain:
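Review bot: The rename inside the attachment dictionaries (the `"Description": "Some probably malicious code ..."` lines in the `@@ -332` and `@@ -371` hunks and the `"Description": "Commands entered by attacker ..."` line in the `@@ -398` hunk, plus the matching `@@ -270` hunk in the wardenfiler handler) should be checked against the IDEA definition before merging. As far as I recall, `Description` is a top-level event attribute, while `Attach` objects — which is what these dicts are, given their `Type`, `Hash`, `Size` and `Content` keys — carry their free text in `Note`, so only the `event["Description"] = ...` assignments would belong in this change and the attachment entries would keep `"Note"`. A receiver that validates events against the schema could reject the message or silently drop the unknown key, which loses the only human-readable explanation of what the attachment is. Each of these dictionaries starts and ends outside its hunk, so this is inferred from the visible keys rather than confirmed.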
......@@ -193,10 +193,10 @@ class LogWardenfilerHandler(ihandler):
sevent["ID"] = str(uuid4())
if len(a["creds"]):
sevent["Category"] = ["Recon.Scanning"]
sevent["Note"] = "Successful logins to honeypoted service."
sevent["Description"] = "Successful logins to honeypoted service."
else:
sevent["Category"] = ["Attempt.Login"]
sevent["Note"] = "Connection attempts to IPs assigned to honeypot."
sevent["Description"] = "Connection attempts to IPs assigned to honeypot."
sevent["ConnCount"] = c
af = "IP4" if not ':' in src_ip else "IP6"
proto = [proto]
......@@ -245,9 +245,9 @@ class LogWardenfilerHandler(ihandler):
}
event["Category"].append("Intrusion.UserCompromise")
if s["proto"]:
event["Note"] = p[s["proto"]] + " successful login"
event["Description"] = p[s["proto"]] + " successful login"
else:
event["Note"] = "Successful login attempt"
event["Description"] = "Successful login attempt"
creds = self._format_credentials(s["creds"])
if "Credentials" not in event:
......@@ -256,13 +256,13 @@ class LogWardenfilerHandler(ihandler):
else:
# login without password or similar thing
event["Category"].append("Recon.Scanning")
event["Note"] = "Connection"
event["Description"] = "Connection"
if len(s["cmds"]):
# consider this an exploit only if there was a login attempt
if len(s["creds"]):
event["Category"].append("Attempt.Exploit")
event["Note"] += " with command input"
event["Description"] += " with command input"
idata = "\n".join(str(c) for c in s["cmds"])
plain = all(c in string.printable for c in idata)
eidata = idata if plain else b64encode(idata.encode()).decode()
......@@ -270,7 +270,7 @@ class LogWardenfilerHandler(ihandler):
"Type": ["Exploit"],
"Hash": ["sha1:" + sha1(idata.encode("utf-8")).hexdigest()],
"Size": len(idata),
"Note": "Commands entered by attacker during honeypot session",
"Description": "Commands entered by attacker during honeypot session",
"Content": eidata
}
if not plain: