cowrie/wardenfiler.py

@@ -19,6 +19,7 @@ from datetime import datetime
 from uuid import uuid4
 from hashlib import sha1
 from base64 import b64encode
+from ipaddress import ip_address
 from ipaddress import IPv4Network
 from ipaddress import IPv6Network
 from cowrie.core.config import CowrieConfig
@@ -174,7 +175,12 @@ class Output(cowrie.core.output.Output):
         if entry.get("dst_port") and self.reported_ssh_port:
             entry["dst_port"] = self.reported_ssh_port
 
-        if entry["eventid"] == 'cowrie.session.connect':
+        if entry["eventid"] == 'cowrie.session.connect':           
+            # Do not track a session for a source
+            # which is not globally routable
+            if not ip_address(entry["src_ip"]).is_global:
+                return()
+            
             if self.resolve_nat:
                 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                 s.connect((self.nat_host, self.nat_port))

dionaea/log_wardenfiler.py

@@ -21,6 +21,7 @@ from datetime import datetime
 from uuid import uuid4
 from hashlib import sha1
 from base64 import b64encode
+from ipaddress import ip_address
 from ipaddress import IPv4Network
 from ipaddress import IPv6Network
 
@@ -438,7 +439,13 @@ class LogWardenfilerHandler(ihandler):
 
         if con in self.sessions:
             s = self.sessions[con]
-            if s.get("cmds"):
+
+            # Do not generate IDEA event for a source
+            # which is not globally routable
+            if not ip_address(s["src_ip"]).is_global:
+                logger.info("not generating an event for connection from non-global IP %s:%s" % (con.remote.host, con.remote.port))
+
+            elif s.get("cmds"):
                 event = self._make_idea(con)
                 self._save_event(event)
                 logger.info("sending connection event from %s:%i to %s:%i" % (con.remote.host, con.remote.port, con.local.host, con.local.port))