
cowrie: Imported changes from HaaS project

Merged Pavel Valach requested to merge new-cowrie into master
1 file
+ 70
31
+ 70
31
@@ -161,13 +161,13 @@ class Output(cowrie.core.output.Output):
@@ -161,13 +161,13 @@ class Output(cowrie.core.output.Output):
entry["dst_ip"] = entry["dst_ip"].lstrip("::ffff:")
entry["dst_ip"] = entry["dst_ip"].lstrip("::ffff:")
# detect IPv4 or IPv6
# detect IPv4 or IPv6
af = "IP4" if not ':' in entry["src_ip"] else "IP6"
src_af = "IP4" if not ':' in entry["src_ip"] else "IP6"
# If configured, override destination IP and port
# If configured, override destination IP and port
if entry.get("dst_ip"):
if entry.get("dst_ip"):
if af == "IP4" and self.reported_public_ipv4:
if src_af == "IP4" and self.reported_public_ipv4:
entry["dst_ip"] = self.reported_public_ipv4
entry["dst_ip"] = self.reported_public_ipv4
elif af == "IP6" and self.reported_public_ipv6:
elif src_af == "IP6" and self.reported_public_ipv6:
entry["dst_ip"] = self.reported_public_ipv6
entry["dst_ip"] = self.reported_public_ipv6
if entry.get("dst_port") and self.reported_ssh_port:
if entry.get("dst_port") and self.reported_ssh_port:
@@ -205,14 +205,14 @@ class Output(cowrie.core.output.Output):
@@ -205,14 +205,14 @@ class Output(cowrie.core.output.Output):
event["Category"].append("Attempt.Login")
event["Category"].append("Attempt.Login")
event["Note"] = "SSH login attempt"
event["Note"] = "SSH login attempt"
for i, c in self.attackers.items():
for i, c in self.attackers.items():
src_ip, dst_ip = i.split(',')
a_src_ip, a_dst_ip = i.split(',')
af = "IP4" if not ':' in src_ip else "IP6"
a_af = "IP4" if not ':' in a_src_ip else "IP6"
event["ID"] = str(uuid4())
event["ID"] = str(uuid4())
event["DetectTime"] = event["WinEndTime"]
event["DetectTime"] = event["WinEndTime"]
event["ConnCount"] = c
event["ConnCount"] = c
event["Source"] = [{"Proto": ["tcp", "ssh"], af: [src_ip]}]
event["Source"] = [{"Proto": ["tcp", "ssh"], a_af: [a_src_ip]}]
event["Target"] = [{"Proto": ["tcp", "ssh"], af: [dst_ip]}]
event["Target"] = [{"Proto": ["tcp", "ssh"], a_af: [a_dst_ip]}]
if (self.anon_mask_4 < 32) and (not ':' in entry["dst_ip"]) or (self.anon_mask_6 < 128):
if (self.anon_mask_4 < 32 and a_af == "IP4") or (self.anon_mask_6 < 128):
event["Target"][0]["Anonymised"] = True
event["Target"][0]["Anonymised"] = True
self.save_event(event)
self.save_event(event)
self.attackers = {}
self.attackers = {}
@@ -220,6 +220,12 @@ class Output(cowrie.core.output.Output):
@@ -220,6 +220,12 @@ class Output(cowrie.core.output.Output):
self.attackers[aid] = 1
self.attackers[aid] = 1
self.win_start = ws
self.win_start = ws
 
elif entry["session"] not in self.sessions:
 
# We do not save sessions
 
# that were created during previous Cowrie runs
 
# and we should not care about them.
 
return()
 
elif entry["eventid"] == 'cowrie.login.success':
elif entry["eventid"] == 'cowrie.login.success':
s = entry["session"]
s = entry["session"]
if s in self.sessions:
if s in self.sessions:
@@ -240,7 +246,7 @@ class Output(cowrie.core.output.Output):
@@ -240,7 +246,7 @@ class Output(cowrie.core.output.Output):
mware = None
mware = None
fname = None
fname = None
if "outfile" in entry and os.path.exists(entry["outfile"]):
if "outfile" in entry and os.path.exists(entry["outfile"]):
fp = open(entry["outfile"], "r")
fp = open(entry["outfile"], "rb")
mware = fp.read()
mware = fp.read()
fp.close()
fp.close()
if self.drop_malware:
if self.drop_malware:
@@ -253,10 +259,10 @@ class Output(cowrie.core.output.Output):
@@ -253,10 +259,10 @@ class Output(cowrie.core.output.Output):
if "url" in entry and entry["url"].startswith(tuple(sch.keys())):
if "url" in entry and entry["url"].startswith(tuple(sch.keys())):
url = urlparse(entry["url"])
url = urlparse(entry["url"])
host = url.hostname
url_host = url.hostname
ai = socket.getaddrinfo(host, None)[0]
url_ai = socket.getaddrinfo(url_host, None)[0]
af = "IP6" if ai[0] == socket.AddressFamily.AF_INET6 else "IP4"
url_af = "IP6" if url_ai[0] == socket.AddressFamily.AF_INET6 else "IP4"
ip = ai[4][0]
url_ip = url_ai[4][0]
proto = [ "tcp", url.scheme ]
proto = [ "tcp", url.scheme ]
port = url.port or sch[url.scheme]
port = url.port or sch[url.scheme]
@@ -265,15 +271,11 @@ class Output(cowrie.core.output.Output):
@@ -265,15 +271,11 @@ class Output(cowrie.core.output.Output):
fname = os.path.basename(entry['destfile'])
fname = os.path.basename(entry['destfile'])
elif not "url" in entry:
elif not "url" in entry:
# TODO implement the path for other files after discussion
if "destfile" in entry:
return()
event["Note"] = "Redirected content during honeypot session"
# The remainder of this branch will not execute now
fname = os.path.basename(entry["destfile"])
if entry["format"].startswith("Saved redir"):
event["Note"] = "Saved file during honeypot session"
fname = os.path.basename(entry['destfile'])
else:
else:
event["Note"] = "Stdin contents during honeypot session"
event["Note"] = "Stdin contents during honeypot session"
# End of the not executed part
else:
else:
# TODO: Some exotic protocol? Let's not worry with that now
# TODO: Some exotic protocol? Let's not worry with that now
@@ -281,25 +283,27 @@ class Output(cowrie.core.output.Output):
@@ -281,25 +283,27 @@ class Output(cowrie.core.output.Output):
event["DetectTime"] = entry["timestamp"]
event["DetectTime"] = entry["timestamp"]
if "url" in entry:
if "url" in entry:
 
del event["Target"]
event["Source"][0] = { "Type": ["Malware"] }
event["Source"][0] = { "Type": ["Malware"] }
event["Source"][0]["URL"] = [entry["url"]]
event["Source"][0]["URL"] = [entry["url"]]
event["Source"][0][af] = [ip]
event["Source"][0][url_af] = [url_ip]
event["Source"][0]["Proto"] = proto
event["Source"][0]["Proto"] = proto
event["Source"][0]["Port"] = [port]
event["Source"][0]["Port"] = [port]
if ip != host:
if url_ip != url_host:
event["Source"][0]["Hostname"] = [host]
event["Source"][0]["Hostname"] = [url_host]
else:
else:
# TODO implement later
event["Source"][0] = { "Type": ["Botnet"] }
pass
# the source of the malicious activity is the host, we don't have further details to that
 
event["Source"][0][src_af] = [entry["src_ip"]]
 
event["Source"][0]["Port"] = [self.sessions[s]["src_port"]]
del event["Target"]
event["Attach"] = [{
event["Attach"] = [{
"Type": ["ShellCode"],
"Type": ["ShellCode"],
"Hash": ["sha1:" + entry["shasum"]],
"Hash": ["sha256:" + entry["shasum"]],
"Size": len(mware),
"Size": len(mware),
"Note": "Some probably malicious code downloaded during honeypot SSH session",
"Note": "Some probably malicious code downloaded during honeypot SSH session",
"ContentEncoding": "base64",
"ContentEncoding": "base64",
"Content": b64encode(mware.encode()).decode(),
"Content": b64encode(mware).decode(),
}]
}]
if fname:
if fname:
event["Attach"][0]["FileName"] = [fname]
event["Attach"][0]["FileName"] = [fname]
@@ -307,6 +311,42 @@ class Output(cowrie.core.output.Output):
@@ -307,6 +311,42 @@ class Output(cowrie.core.output.Output):
event["Attach"][0]["ExternalURI"] = [entry["url"]]
event["Attach"][0]["ExternalURI"] = [entry["url"]]
self.save_event(event)
self.save_event(event)
 
elif entry["eventid"] == 'cowrie.session.file_upload':
 
# Upload through SCP or SFTP to the honeypot
 
s = entry["session"]
 
if s in self.sessions:
 
# deal with the file first (drop even if not reported)
 
mware = None
 
fname = None
 
if "outfile" in entry and os.path.exists(entry["outfile"]):
 
fp = open(entry["outfile"], "rb")
 
mware = fp.read()
 
fp.close()
 
if self.drop_malware:
 
os.remove(entry["outfile"])
 
fname = entry["filename"]
 
 
if mware:
 
event["Category"].append("Malware")
 
event["Note"] = "Malware download during honeypot session"
 
event["DetectTime"] = entry["timestamp"]
 
event["Source"][0] = { "Type": ["Botnet"] }
 
# the source of the malicious activity is the host, we don't have further details to that
 
event["Source"][0][src_af] = [entry["src_ip"]]
 
event["Source"][0]["Port"] = [self.sessions[s]["src_port"]]
 
 
event["Attach"] = [{
 
"Type": ["ShellCode"],
 
"FileName": [fname],
 
"Hash": ["sha256:" + entry["shasum"]],
 
"Size": len(mware),
 
"Note": "Some probably malicious code downloaded during honeypot SSH session",
 
"ContentEncoding": "base64",
 
"Content": b64encode(mware).decode(),
 
}]
 
self.save_event(event)
 
 
elif entry["eventid"] == 'cowrie.session.closed':
elif entry["eventid"] == 'cowrie.session.closed':
s = entry["session"]
s = entry["session"]
if s in self.sessions and self.sessions[s]["loggedin"]:
if s in self.sessions and self.sessions[s]["loggedin"]:
@@ -314,9 +354,8 @@ class Output(cowrie.core.output.Output):
@@ -314,9 +354,8 @@ class Output(cowrie.core.output.Output):
plain = all(c in string.printable for c in idata)
plain = all(c in string.printable for c in idata)
event["Category"].append("Intrusion.UserCompromise")
event["Category"].append("Intrusion.UserCompromise")
event["Note"] = "SSH successful login" + (" with unauthorized command input" if len(idata) else "")
event["Note"] = "SSH successful login" + (" with unauthorized command input" if len(idata) else "")
af = "IP4" if not ':' in entry["src_ip"] else "IP6"
event["Source"][0][src_af] = [entry["src_ip"]]
event["Source"][0][af] = [entry["src_ip"]]
event["Target"][0][src_af] = [self.sessions[s]["dst_ip"]]
event["Target"][0][af] = [self.sessions[s]["dst_ip"]]
event["Source"][0]["Port"] = [self.sessions[s]["src_port"]]
event["Source"][0]["Port"] = [self.sessions[s]["src_port"]]
dst_port = self.sessions[s]["dst_port"]
dst_port = self.sessions[s]["dst_port"]
if dst_port in self.port_xlat:
if dst_port in self.port_xlat:
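Review bot: In the new cowrie.session.file_upload branch (`@@ -307,6 +311,42 @@`) the uploaded file is read whole with `mware = fp.read()` and then base64-encoded inline as `"Content"`, with no bound on its size, so an attacker-sized SCP/SFTP upload is held entirely in the honeypot's memory (plus the 4/3 base64 expansion) and shipped in full inside the report; the download branch in `@@ -240,7 +246,7 @@` has the same unbounded read. `fname = entry["filename"]` also takes the attacker-chosen name verbatim, whereas the download branch applies `os.path.basename`, and the Note string `"Malware download during honeypot session"` is used for what is an upload. I would cap the read and, when the file exceeds the cap, keep `Hash` and `Size` (from `os.path.getsize`) but drop the `Content`/`ContentEncoding` keys, and use a `with` block so the handle is closed even if the read raises. The enclosing method starts before this section and is not visible on the page.
```python
# … unchanged: elif entry["eventid"] == 'cowrie.session.file_upload' / session check …
mware = None
# attacker-chosen name: keep only the basename, as the download branch does
fname = os.path.basename(entry["filename"])
if "outfile" in entry and os.path.exists(entry["outfile"]):
    with open(entry["outfile"], "rb") as fp:
        # MAX_ATTACH_BYTES: new cap (value to be chosen); read one extra byte
        # so an oversized file is detected without loading it whole
        mware = fp.read(MAX_ATTACH_BYTES + 1)
    if self.drop_malware:
        os.remove(entry["outfile"])
    if mware and len(mware) > MAX_ATTACH_BYTES:
        # too large to inline: report by hash/size only (omit Content below)
        mware = mware[:MAX_ATTACH_BYTES]
        content_too_large = True
# … unchanged: event["Category"] / DetectTime / Source fields (Note should say upload) …
```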