Skip to content
Snippets Groups Projects
Commit e342b25a authored by Pavel Valach's avatar Pavel Valach
Browse files

cowrie: Imported changes from HaaS project

parent 16891c7d
No related branches found
No related tags found
1 merge request!2cowrie: Imported changes from HaaS project
Hide whitespace changes
Inline Side-by-side
Showing
with 70 additions and 31 deletions
cowrie/wardenfiler.py
+ 70
31
View file @ e342b25a
...@@ -161,13 +161,13 @@ class Output(cowrie.core.output.Output): ...@@ -161,13 +161,13 @@ class Output(cowrie.core.output.Output):
entry["dst_ip"] = entry["dst_ip"].lstrip("::ffff:") entry["dst_ip"] = entry["dst_ip"].lstrip("::ffff:")
# detect IPv4 or IPv6 # detect IPv4 or IPv6
af = "IP4" if not ':' in entry["src_ip"] else "IP6" src_af = "IP4" if not ':' in entry["src_ip"] else "IP6"
# If configured, override destination IP and port # If configured, override destination IP and port
if entry.get("dst_ip"): if entry.get("dst_ip"):
if af == "IP4" and self.reported_public_ipv4: if src_af == "IP4" and self.reported_public_ipv4:
entry["dst_ip"] = self.reported_public_ipv4 entry["dst_ip"] = self.reported_public_ipv4
elif af == "IP6" and self.reported_public_ipv6: elif src_af == "IP6" and self.reported_public_ipv6:
entry["dst_ip"] = self.reported_public_ipv6 entry["dst_ip"] = self.reported_public_ipv6
if entry.get("dst_port") and self.reported_ssh_port: if entry.get("dst_port") and self.reported_ssh_port:
...@@ -205,14 +205,14 @@ class Output(cowrie.core.output.Output): ...@@ -205,14 +205,14 @@ class Output(cowrie.core.output.Output):
event["Category"].append("Attempt.Login") event["Category"].append("Attempt.Login")
event["Note"] = "SSH login attempt" event["Note"] = "SSH login attempt"
for i, c in self.attackers.items(): for i, c in self.attackers.items():
src_ip, dst_ip = i.split(',') a_src_ip, a_dst_ip = i.split(',')
af = "IP4" if not ':' in src_ip else "IP6" a_af = "IP4" if not ':' in a_src_ip else "IP6"
event["ID"] = str(uuid4()) event["ID"] = str(uuid4())
event["DetectTime"] = event["WinEndTime"] event["DetectTime"] = event["WinEndTime"]
event["ConnCount"] = c event["ConnCount"] = c
event["Source"] = [{"Proto": ["tcp", "ssh"], af: [src_ip]}] event["Source"] = [{"Proto": ["tcp", "ssh"], a_af: [a_src_ip]}]
event["Target"] = [{"Proto": ["tcp", "ssh"], af: [dst_ip]}] event["Target"] = [{"Proto": ["tcp", "ssh"], a_af: [a_dst_ip]}]
if (self.anon_mask_4 < 32) and (not ':' in entry["dst_ip"]) or (self.anon_mask_6 < 128): if (self.anon_mask_4 < 32 and a_af == "IP4") or (self.anon_mask_6 < 128):
event["Target"][0]["Anonymised"] = True event["Target"][0]["Anonymised"] = True
self.save_event(event) self.save_event(event)
self.attackers = {} self.attackers = {}
...@@ -220,6 +220,12 @@ class Output(cowrie.core.output.Output): ...@@ -220,6 +220,12 @@ class Output(cowrie.core.output.Output):
self.attackers[aid] = 1 self.attackers[aid] = 1
self.win_start = ws self.win_start = ws
elif entry["session"] not in self.sessions:
# We do not save sessions
# that were created during previous Cowrie runs
# and we should not care about them.
return()
elif entry["eventid"] == 'cowrie.login.success': elif entry["eventid"] == 'cowrie.login.success':
s = entry["session"] s = entry["session"]
if s in self.sessions: if s in self.sessions:
...@@ -240,7 +246,7 @@ class Output(cowrie.core.output.Output): ...@@ -240,7 +246,7 @@ class Output(cowrie.core.output.Output):
mware = None mware = None
fname = None fname = None
if "outfile" in entry and os.path.exists(entry["outfile"]): if "outfile" in entry and os.path.exists(entry["outfile"]):
fp = open(entry["outfile"], "r") fp = open(entry["outfile"], "rb")
mware = fp.read() mware = fp.read()
fp.close() fp.close()
if self.drop_malware: if self.drop_malware:
...@@ -253,10 +259,10 @@ class Output(cowrie.core.output.Output): ...@@ -253,10 +259,10 @@ class Output(cowrie.core.output.Output):
if "url" in entry and entry["url"].startswith(tuple(sch.keys())): if "url" in entry and entry["url"].startswith(tuple(sch.keys())):
url = urlparse(entry["url"]) url = urlparse(entry["url"])
host = url.hostname url_host = url.hostname
ai = socket.getaddrinfo(host, None)[0] url_ai = socket.getaddrinfo(url_host, None)[0]
af = "IP6" if ai[0] == socket.AddressFamily.AF_INET6 else "IP4" url_af = "IP6" if url_ai[0] == socket.AddressFamily.AF_INET6 else "IP4"
ip = ai[4][0] url_ip = url_ai[4][0]
proto = [ "tcp", url.scheme ] proto = [ "tcp", url.scheme ]
port = url.port or sch[url.scheme] port = url.port or sch[url.scheme]
...@@ -265,15 +271,11 @@ class Output(cowrie.core.output.Output): ...@@ -265,15 +271,11 @@ class Output(cowrie.core.output.Output):
fname = os.path.basename(entry['destfile']) fname = os.path.basename(entry['destfile'])
elif not "url" in entry: elif not "url" in entry:
# TODO implement the path for other files after discussion if "destfile" in entry:
return() event["Note"] = "Redirected content during honeypot session"
# The remainder of this branch will not execute now fname = os.path.basename(entry["destfile"])
if entry["format"].startswith("Saved redir"):
event["Note"] = "Saved file during honeypot session"
fname = os.path.basename(entry['destfile'])
else: else:
event["Note"] = "Stdin contents during honeypot session" event["Note"] = "Stdin contents during honeypot session"
# End of the not executed part
else: else:
# TODO: Some exotic protocol? Let's not worry with that now # TODO: Some exotic protocol? Let's not worry with that now
...@@ -281,25 +283,27 @@ class Output(cowrie.core.output.Output): ...@@ -281,25 +283,27 @@ class Output(cowrie.core.output.Output):
event["DetectTime"] = entry["timestamp"] event["DetectTime"] = entry["timestamp"]
if "url" in entry: if "url" in entry:
del event["Target"]
event["Source"][0] = { "Type": ["Malware"] } event["Source"][0] = { "Type": ["Malware"] }
event["Source"][0]["URL"] = [entry["url"]] event["Source"][0]["URL"] = [entry["url"]]
event["Source"][0][af] = [ip] event["Source"][0][url_af] = [url_ip]
event["Source"][0]["Proto"] = proto event["Source"][0]["Proto"] = proto
event["Source"][0]["Port"] = [port] event["Source"][0]["Port"] = [port]
if ip != host: if url_ip != url_host:
event["Source"][0]["Hostname"] = [host] event["Source"][0]["Hostname"] = [url_host]
else: else:
# TODO implement later event["Source"][0] = { "Type": ["Botnet"] }
pass # the source of the malicious activity is the host, we don't have further details to that
event["Source"][0][src_af] = [entry["src_ip"]]
event["Source"][0]["Port"] = [self.sessions[s]["src_port"]]
del event["Target"]
event["Attach"] = [{ event["Attach"] = [{
"Type": ["ShellCode"], "Type": ["ShellCode"],
"Hash": ["sha1:" + entry["shasum"]], "Hash": ["sha256:" + entry["shasum"]],
"Size": len(mware), "Size": len(mware),
"Note": "Some probably malicious code downloaded during honeypot SSH session", "Note": "Some probably malicious code downloaded during honeypot SSH session",
"ContentEncoding": "base64", "ContentEncoding": "base64",
"Content": b64encode(mware.encode()).decode(), "Content": b64encode(mware).decode(),
}] }]
if fname: if fname:
event["Attach"][0]["FileName"] = [fname] event["Attach"][0]["FileName"] = [fname]
...@@ -307,6 +311,42 @@ class Output(cowrie.core.output.Output): ...@@ -307,6 +311,42 @@ class Output(cowrie.core.output.Output):
event["Attach"][0]["ExternalURI"] = [entry["url"]] event["Attach"][0]["ExternalURI"] = [entry["url"]]
self.save_event(event) self.save_event(event)
elif entry["eventid"] == 'cowrie.session.file_upload':
# Upload through SCP or SFTP to the honeypot
s = entry["session"]
if s in self.sessions:
# deal with the file first (drop even if not reported)
mware = None
fname = None
if "outfile" in entry and os.path.exists(entry["outfile"]):
fp = open(entry["outfile"], "rb")
mware = fp.read()
fp.close()
if self.drop_malware:
os.remove(entry["outfile"])
fname = entry["filename"]
if mware:
event["Category"].append("Malware")
event["Note"] = "Malware download during honeypot session"
event["DetectTime"] = entry["timestamp"]
event["Source"][0] = { "Type": ["Botnet"] }
# the source of the malicious activity is the host, we don't have further details to that
event["Source"][0][src_af] = [entry["src_ip"]]
event["Source"][0]["Port"] = [self.sessions[s]["src_port"]]
event["Attach"] = [{
"Type": ["ShellCode"],
"FileName": [fname],
"Hash": ["sha256:" + entry["shasum"]],
"Size": len(mware),
"Note": "Some probably malicious code downloaded during honeypot SSH session",
"ContentEncoding": "base64",
"Content": b64encode(mware).decode(),
}]
self.save_event(event)
elif entry["eventid"] == 'cowrie.session.closed': elif entry["eventid"] == 'cowrie.session.closed':
s = entry["session"] s = entry["session"]
if s in self.sessions and self.sessions[s]["loggedin"]: if s in self.sessions and self.sessions[s]["loggedin"]:
...@@ -314,9 +354,8 @@ class Output(cowrie.core.output.Output): ...@@ -314,9 +354,8 @@ class Output(cowrie.core.output.Output):
plain = all(c in string.printable for c in idata) plain = all(c in string.printable for c in idata)
event["Category"].append("Intrusion.UserCompromise") event["Category"].append("Intrusion.UserCompromise")
event["Note"] = "SSH successful login" + (" with unauthorized command input" if len(idata) else "") event["Note"] = "SSH successful login" + (" with unauthorized command input" if len(idata) else "")
af = "IP4" if not ':' in entry["src_ip"] else "IP6" event["Source"][0][src_af] = [entry["src_ip"]]
event["Source"][0][af] = [entry["src_ip"]] event["Target"][0][src_af] = [self.sessions[s]["dst_ip"]]
event["Target"][0][af] = [self.sessions[s]["dst_ip"]]
event["Source"][0]["Port"] = [self.sessions[s]["src_port"]] event["Source"][0]["Port"] = [self.sessions[s]["src_port"]]
dst_port = self.sessions[s]["dst_port"] dst_port = self.sessions[s]["dst_port"]
if dst_port in self.port_xlat: if dst_port in self.port_xlat:
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment