First, store the credentials into the session info.
If the login succeeds, only the credentials from that login session will be sent.

Store all of the attempted credentials in aggregation buffer.

When the aggregation window expires and the event is flushed,
send the aggregated credentials to Warden.

First implementation, which uses the aggregation ID (AID) "src_ip,dst_ip" to watch all credentials used during the time window.

If the login fails, the credentials are stored under the AID.
The credentials are flushed from the AID cache either when the aggregation window expires, or when the login is successful - the unsuccessful credentials from the cache are then sent with the successful ones appended.

Cowrie, Dionaea: in the connectors, only output IDEA events with globally routable source IPs

See merge request !6

cowrie/wardenfiler: Replace lstrip with startswith and slicing

See merge request !8

Resolve "Dionaea exeptions"

Closes #1

See merge request !7

Dionaea: sanitize credentials

See merge request !4

Dionaea: Fix FTP connection category without login attempt

See merge request !5

dionaea/log_wardenfiler.py: Add option of static target IPv4 or IPv6

See merge request !3

dionaea: Imported changes from HaaS project

See merge request !1

cowrie: Imported changes from HaaS project

See merge request !2

Pavel Eis authored 7 years ago and Pavel Kácha committed 2 years ago

IDEA to STIX connector refractored -- merged into one file IdeaToStix.py and simplified some constructions, fixed some mistakes, added Desription to objects of observed data object and from IDEA Node is now filled both indices to identity object.