Skip to content
Snippets Groups Projects

cowrie/wardenfiler: Store credentials for both successful and unsuccessful attempts

Open Pavel Valach requested to merge cowrie-credentials into master
1 file
+ 1
1
Compare changes
  • Side-by-side
  • Inline
+ 35
2
@@ -87,6 +87,8 @@ class Output(cowrie.core.output.Output):
drop_malware = True
win_start = None
attackers = {}
# aggregated credentials from failed attempts per IP
attackers_creds = {}
sessions = {}
port_xlat = {}
@@ -175,7 +177,7 @@ class Output(cowrie.core.output.Output):
if entry.get("dst_port") and self.reported_ssh_port:
entry["dst_port"] = self.reported_ssh_port
if entry["eventid"] == 'cowrie.session.connect':
if entry["eventid"] == 'cowrie.session.connect':
# Do not track a session for a source
# which is not globally routable
if not ip_address(entry["src_ip"]).is_global:
@@ -198,14 +200,21 @@ class Output(cowrie.core.output.Output):
)
entry["loggedin"] = False
entry["credentials"] = []
# AID - aggregation ID
entry["aid"] = aid = ','.join((entry["src_ip"], entry["dst_ip"]))
self.sessions[entry["session"]] = entry
ws = self.win_start or time()
aid = ','.join((entry["src_ip"], entry["dst_ip"]))
cnt = self.attackers.get(aid, 0)
# aggregated credentials from attempts
if not self.attackers_creds.get(aid):
self.attackers_creds[aid] = []
if (time() - ws < self.aggr_win):
self.attackers[aid] = cnt + 1
else:
# This flushes out ALL the aggregated events!
# NOTE: The AID, and its values, are no longer relevant for this part of code!
event["Node"][0]["AggrWin"] = strftime("%H:%M:%S", gmtime(float(self.aggr_win)))
event["WinStartTime"] = datetime.utcfromtimestamp(ws).isoformat() + 'Z'
event["WinEndTime"] = datetime.utcfromtimestamp(ws + self.aggr_win).isoformat() + 'Z'
@@ -214,6 +223,7 @@ class Output(cowrie.core.output.Output):
for i, c in self.attackers.items():
a_src_ip, a_dst_ip = i.split(',')
a_af = "IP4" if not ':' in a_src_ip else "IP6"
a_creds = self.attackers_creds.get(i, [])
event["ID"] = str(uuid4())
event["DetectTime"] = event["WinEndTime"]
event["ConnCount"] = c
@@ -221,10 +231,16 @@ class Output(cowrie.core.output.Output):
event["Target"] = [{"Proto": ["tcp", "ssh"], a_af: [a_dst_ip]}]
if (self.anon_mask_4 < 32 and a_af == "IP4") or (self.anon_mask_6 < 128):
event["Target"][0]["Anonymised"] = True
if a_creds:
event["Credentials"] = a_creds
else:
event.pop("Credentials", None)
self.save_event(event)
self.attackers = {}
self.attackers_creds = {}
ws = time()
self.attackers[aid] = 1
self.attackers_creds[aid] = []
self.win_start = ws
elif entry["session"] not in self.sessions:
@@ -234,10 +250,18 @@ class Output(cowrie.core.output.Output):
return()
elif entry["eventid"] == 'cowrie.login.success':
u, p = entry["username"], entry["password"]
s = entry["session"]
if s in self.sessions:
self.sessions[s]["input"] = []
self.sessions[s]["loggedin"] = True
self.sessions[s]["credentials"].append({"Username": u, "Password": p, "Type": ["AcceptedByServer"]})
elif entry["eventid"] == "cowrie.login.failed":
u, p = entry["username"], entry["password"]
s = entry["session"]
if s in self.sessions:
self.sessions[s]["credentials"].append({"Username": u, "Password": p})
elif entry["eventid"] == 'cowrie.command.input':
s = entry["session"]
@@ -380,5 +404,14 @@ class Output(cowrie.core.output.Output):
if not plain:
attach["ContentEncoding"] = "base64"
event["Attach"] = [attach]
if self.sessions[s]["credentials"]:
accepted_creds = [ c for c in self.sessions[s]["credentials"] if "Type" in c and "AcceptedByServer" in c["Type"] ]
event["Credentials"] = list(accepted_creds)
self.save_event(event)
if s in self.sessions:
# Store attempted credentials (all) to the aggregation cache
aid = self.sessions[s]["aid"]
self.attackers_creds[aid].extend(self.sessions[s]["credentials"])
# Discard the session
self.sessions.pop(s, None)
Loading