
dionaea: Imported changes from HaaS project

Merged Pavel Valach requested to merge new-dionaea into master
1 file
+ 37
17
@@ -106,8 +106,14 @@ class LogWardenfilerHandler(ihandler):
@@ -106,8 +106,14 @@ class LogWardenfilerHandler(ihandler):
ihandler.__init__(self, path)
ihandler.__init__(self, path)
self.path = path
self.path = path
self._config = config
self._config = config
 
 
def _fixup_event(self, event):
 
if 'database' in event and isinstance(event['database'], bytes):
 
event['database'] = str(event['database'], "utf-8", "backslashreplace")
 
return event
def _save_event(self, event):
def _save_event(self, event):
 
event = self._fixup_event(event)
f, name = self.filer.create_unique_file()
f, name = self.filer.create_unique_file()
with f:
with f:
f.write(json.dumps(event, ensure_ascii = True))
f.write(json.dumps(event, ensure_ascii = True))
@@ -123,9 +129,9 @@ class LogWardenfilerHandler(ihandler):
@@ -123,9 +129,9 @@ class LogWardenfilerHandler(ihandler):
if 'nat_port' in self._config:
if 'nat_port' in self._config:
self.nat_port = self._config.get('nat_port')
self.nat_port = self._config.get('nat_port')
if 'anon_mask_4' in self._config:
if 'anon_mask_4' in self._config:
self.nat_port = self._config.get('anon_mask_4')
self.anon_mask_4 = self._config.get('anon_mask_4')
if 'anon_mask_6' in self._config:
if 'anon_mask_6' in self._config:
self.nat_port = self._config.get('anon_mask_6')
self.anon_mask_6 = self._config.get('anon_mask_6')
if 'aggr_win' in self._config:
if 'aggr_win' in self._config:
self.aggr_win = self._config.get('aggr_win')
self.aggr_win = self._config.get('aggr_win')
if 'test_mode' in self._config:
if 'test_mode' in self._config:
@@ -164,8 +170,6 @@ class LogWardenfilerHandler(ihandler):
@@ -164,8 +170,6 @@ class LogWardenfilerHandler(ihandler):
c = a["count"]
c = a["count"]
if c > 1:
if c > 1:
src_ip, dst_ip, dst_port, proto = i.split(',')
src_ip, dst_ip, dst_port, proto = i.split(',')
if (self.anon_mask_4 < 32) and (not ':' in dst_ip) or (self.anon_mask_6 < 128):
Target[0]["Anonymised"] = "true"
sevent["ID"] = str(uuid4())
sevent["ID"] = str(uuid4())
if len(a["creds"]):
if len(a["creds"]):
sevent["Category"] = ["Recon.Scanning"]
sevent["Category"] = ["Recon.Scanning"]
@@ -176,10 +180,12 @@ class LogWardenfilerHandler(ihandler):
@@ -176,10 +180,12 @@ class LogWardenfilerHandler(ihandler):
sevent["ConnCount"] = c
sevent["ConnCount"] = c
af = "IP4" if not ':' in src_ip else "IP6"
af = "IP4" if not ':' in src_ip else "IP6"
proto = [proto]
proto = [proto]
if a["proto"]
if a["proto"]:
proto.append(a["proto"])
proto.append(a["proto"])
sevent["Source"] = [{"Proto": proto, af: [src_ip], "Port": a["sports"]}]
sevent["Source"] = [{"Proto": proto, af: [src_ip], "Port": a["sports"]}]
sevent["Target"] = [{"Proto": proto, af: [dst_ip], "Port": [int(dst_port)]}]
sevent["Target"] = [{"Proto": proto, af: [dst_ip], "Port": [int(dst_port)]}]
 
if (self.anon_mask_4 < 32) and (not ':' in dst_ip) or (self.anon_mask_6 < 128):
 
sevent["Target"][0]["Anonymised"] = "true"
if len(a["creds"]):
if len(a["creds"]):
attach = {
attach = {
"Type": ["Credentials"],
"Type": ["Credentials"],
@@ -224,20 +230,26 @@ class LogWardenfilerHandler(ihandler):
@@ -224,20 +230,26 @@ class LogWardenfilerHandler(ihandler):
}
}
event["Category"].append("Intrusion.UserCompromise")
event["Category"].append("Intrusion.UserCompromise")
if s["proto"]:
if s["proto"]:
event["Note"] = p[s["proto"]] + "successful login"
event["Note"] = p[s["proto"]] + " successful login"
else
else:
event["Note"] = "Successful login attempt"
event["Note"] = "Successful login attempt"
attach = {
attach = {
"Type": ["Credentials"],
"Type": ["Credentials"],
"Note": "Credentials used by attacker used for simulated honeypot login",
"Note": "Credentials used by attacker used for simulated honeypot login",
"Credentials": s["creds"]
"Credentials": s["creds"]
}
}
event["Attach"] = [attach]
if "Attach" not in event:
 
event["Attach"] = []
 
event["Attach"].append(attach)
 
else:
 
# login without password or similar thing
 
event["Category"].append("Intrusion.UserCompromise")
 
event["Note"] = "Failed login attempt"
if len(s["cmds"]):
if len(s["cmds"]):
event["Category"].append("Attempt.Exploit")
event["Category"].append("Attempt.Exploit")
event["Note"] += " with unauthorized command input"
event["Note"] += " with unauthorized command input"
idata = "\n".join(str(c) for c in s[cmds])
idata = "\n".join(str(c) for c in s["cmds"])
plain = all(c in string.printable for c in idata)
plain = all(c in string.printable for c in idata)
eidata = idata if plain else b64encode(idata.encode()).decode()
eidata = idata if plain else b64encode(idata.encode()).decode()
attach = {
attach = {
@@ -249,14 +261,22 @@ class LogWardenfilerHandler(ihandler):
@@ -249,14 +261,22 @@ class LogWardenfilerHandler(ihandler):
}
}
if not plain:
if not plain:
attach["ContentEncoding"] = "base64"
attach["ContentEncoding"] = "base64"
 
if "Attach" not in event:
 
event["Attach"] = []
event["Attach"].append(attach)
event["Attach"].append(attach)
return(event)
return(event)
def _register_connection(self, con, proto = None, cred = None, cmd = None)
def _register_connection(self, con, proto = None, cred = None, cmd = None):
if not con in self.sessions:
if not con in self.sessions:
src_ip = con.remote.host.lstrip("::ffff:")
self.sessions[con] = {}
dst_ip = con.local.host.lstrip("::ffff:")
 
src_ip = con.remote.host
 
dst_ip = con.local.host
 
if src_ip.startswith("::ffff:"):
 
src_ip = src_ip[7:]
 
if dst_ip.startswith("::ffff:"):
 
dst_ip = dst_ip[7:]
if self.resolve_nat:
if self.resolve_nat:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
@@ -292,9 +312,9 @@ class LogWardenfilerHandler(ihandler):
@@ -292,9 +312,9 @@ class LogWardenfilerHandler(ihandler):
self.sessions[con]["creds"] = []
self.sessions[con]["creds"] = []
self.sessions[con]["cmds"] = []
self.sessions[con]["cmds"] = []
aid = ','.join((src_ip, dst_ip, str(con.local.port), con.transport))
aid = ','.join((self.sessions[con]["src_ip"], self.sessions[con]["dst_ip"], str(con.local.port), con.transport))
if not aid in in self.attackers:
if not aid in self.attackers:
self.attackers[aid] = {
self.attackers[aid] = {
"count": 0,
"count": 0,
"sports": [],
"sports": [],
@@ -357,7 +377,7 @@ class LogWardenfilerHandler(ihandler):
@@ -357,7 +377,7 @@ class LogWardenfilerHandler(ihandler):
con = icd.con
con = icd.con
cmd = icd.command.decode()
cmd = icd.command.decode()
if hasattr(icd, 'arguments'):
if hasattr(icd, 'arguments'):
cmd = " ".join([cmd], icd.arguments)
cmd += " " + " ".join(icd.arguments)
self._register_connection(con, "ftp", cmd = cmd)
self._register_connection(con, "ftp", cmd = cmd)
logger.info("new FTP command within connection from %s:%i to %s:%i" % (con.remote.host, con.remote.port, con.local.host, con.local.port))
logger.info("new FTP command within connection from %s:%i to %s:%i" % (con.remote.host, con.remote.port, con.local.host, con.local.port))
@@ -368,9 +388,9 @@ class LogWardenfilerHandler(ihandler):
@@ -368,9 +388,9 @@ class LogWardenfilerHandler(ihandler):
def handle_incident_dionaea_modules_python_mysql_command(self, icd):
def handle_incident_dionaea_modules_python_mysql_command(self, icd):
con = icd.con
con = icd.con
cmd = icd.command
cmd = str(icd.command)
if hasattr(icd, 'args'):
if hasattr(icd, 'args'):
cmd = " ".join([cmd], icd.args)
cmd += "\n" + "\n".join(icd.args)
self._register_connection(con, "mysql", cmd = cmd)
self._register_connection(con, "mysql", cmd = cmd)
logger.info("new MYSQL command within connection from %s:%i to %s:%i" % (con.remote.host, con.remote.port, con.local.host, con.local.port))
logger.info("new MYSQL command within connection from %s:%i to %s:%i" % (con.remote.host, con.remote.port, con.local.host, con.local.port))
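Review bot: In the hunk at @@ -176,10 +180,12 @@, the new condition `if (self.anon_mask_4 < 32) and (not ':' in dst_ip) or (self.anon_mask_6 < 128):` binds as `(A and B) or C`, so an IPv4 target is marked `"Anonymised": "true"` whenever `anon_mask_6 < 128`, even when `anon_mask_4` is 32 and the address was not masked at all, and a consumer of the emitted event would then treat a real address as anonymised. Selecting the mask by address family avoids this: `is_v6 = ':' in dst_ip` / `if (self.anon_mask_6 < 128) if is_v6 else (self.anon_mask_4 < 32):` / `sevent["Target"][0]["Anonymised"] = "true"`. The same check was removed from the earlier hunk at @@ -164,8 +170,6 @@, so this is the only remaining occurrence. Note also that the hunk at @@ -123,9 +129,9 @@ now assigns `self.anon_mask_4` / `self.anon_mask_6` only when the key is present in the config, so this line presumably relies on defaults set outside the visible hunks — worth confirming, since a missing key would otherwise raise AttributeError here. The enclosing method starts and ends outside the hunk.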