...@@ -209,11 +209,12 @@ class Output(cowrie.core.output.Output): ...@@ -209,11 +209,12 @@ class Output(cowrie.core.output.Output):
# aggregated credentials from attempts # aggregated credentials from attempts
if not self.attackers_creds.get(aid): if not self.attackers_creds.get(aid):
self.attackers_creds[aid] = [] self.attackers_creds[aid] = []
creds = self.attackers_creds[aid]
if (time() - ws < self.aggr_win): if (time() - ws < self.aggr_win):
self.attackers[aid] = cnt + 1 self.attackers[aid] = cnt + 1
else: else:
# This flushes out ALL the aggregated events!
# NOTE: The AID, and its values, are no longer relevant for this part of code!
event["Node"][0]["AggrWin"] = strftime("%H:%M:%S", gmtime(float(self.aggr_win))) event["Node"][0]["AggrWin"] = strftime("%H:%M:%S", gmtime(float(self.aggr_win)))
event["WinStartTime"] = datetime.utcfromtimestamp(ws).isoformat() + 'Z' event["WinStartTime"] = datetime.utcfromtimestamp(ws).isoformat() + 'Z'
event["WinEndTime"] = datetime.utcfromtimestamp(ws + self.aggr_win).isoformat() + 'Z' event["WinEndTime"] = datetime.utcfromtimestamp(ws + self.aggr_win).isoformat() + 'Z'
...@@ -222,6 +223,7 @@ class Output(cowrie.core.output.Output): ...@@ -222,6 +223,7 @@ class Output(cowrie.core.output.Output):
for i, c in self.attackers.items(): for i, c in self.attackers.items():
a_src_ip, a_dst_ip = i.split(',') a_src_ip, a_dst_ip = i.split(',')
a_af = "IP4" if not ':' in a_src_ip else "IP6" a_af = "IP4" if not ':' in a_src_ip else "IP6"
a_creds = self.attackers_creds.get(i, [])
event["ID"] = str(uuid4()) event["ID"] = str(uuid4())
event["DetectTime"] = event["WinEndTime"] event["DetectTime"] = event["WinEndTime"]
event["ConnCount"] = c event["ConnCount"] = c
...@@ -229,10 +231,11 @@ class Output(cowrie.core.output.Output): ...@@ -229,10 +231,11 @@ class Output(cowrie.core.output.Output):
event["Target"] = [{"Proto": ["tcp", "ssh"], a_af: [a_dst_ip]}] event["Target"] = [{"Proto": ["tcp", "ssh"], a_af: [a_dst_ip]}]
if (self.anon_mask_4 < 32 and a_af == "IP4") or (self.anon_mask_6 < 128): if (self.anon_mask_4 < 32 and a_af == "IP4") or (self.anon_mask_6 < 128):
event["Target"][0]["Anonymised"] = True event["Target"][0]["Anonymised"] = True
if creds: if a_creds:
event["Credentials"] = creds event["Credentials"] = a_creds
self.save_event(event) self.save_event(event)
self.attackers = {} self.attackers = {}
self.attackers_creds = {}
ws = time() ws = time()
self.attackers[aid] = 1 self.attackers[aid] = 1
self.attackers_creds[aid] = [] self.attackers_creds[aid] = []
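Review bot: The changed lines `if a_creds: event["Credentials"] = a_creds` only ever set the key and never clear it, and because the same `event` dict is reused for every entry of `self.attackers` in the flush loop, an attacker whose list is empty would be exported carrying the previous attacker's username/password pairs — unless the one line between the second and third hunk (not shown here) resets the key. Suggest adding `else: event.pop("Credentials", None)` right after the new assignment, so each flushed event carries only its own credentials. Separately, nothing bounds the per-attacker list that the new `a_creds = self.attackers_creds.get(i, [])` reads back out, so a single high-rate brute-force source can make one flushed event hold every pair attempted in the window; a cap on the list length (or on distinct pairs) before export would keep event size predictable, though the consumer's limits are not visible here. The enclosing method starts before the first hunk and continues past the last.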
...@@ -250,7 +253,7 @@ class Output(cowrie.core.output.Output): ...@@ -250,7 +253,7 @@ class Output(cowrie.core.output.Output):
if s in self.sessions: if s in self.sessions:
self.sessions[s]["input"] = [] self.sessions[s]["input"] = []
self.sessions[s]["loggedin"] = True self.sessions[s]["loggedin"] = True
self.sessions[s]["credentials"].append({"Username": u, "Password": p, "Accepted": True}) self.sessions[s]["credentials"].append({"Username": u, "Password": p, "Type": ["AcceptedByServer"]})
elif entry["eventid"] == "cowrie.login.failed": elif entry["eventid"] == "cowrie.login.failed":
u, p = entry["username"], entry["password"] u, p = entry["username"], entry["password"]