Added configurable option for anonymising

Export correct time with timezone
Export virus scan report in correct format

warden3/contrib/connectors/hp-dio/README

@@ -40,6 +40,13 @@ D. Configuration
     warden - path to warden-client config, e.g. 'warden/warden_client.cfg'
     name - sensor's source id used as a source of events, e.g. 'cz.cesnet.server.dionaea'
 
+    anonymised - no | yes | omit
+               - no (default value)
+               - yes = anonymize to 'target_net' (see below)
+               - omit = completely omit target field
+
+    target_net - anonymized network used as target if 'anonymized' option is 'yes'
+
     dbfile - path to sqlite database file, e.g. '/opt/dionaea/var/dionaea/logsql.sqlite'
     binaries_path - path to stored malware, e.g. '/opt/dionaea/var/dionaea/binaries'
     report_binaries - 'true' if malware attachment have to be included in event, otherwise 'false'
@@ -49,7 +56,7 @@ D. Configuration
     
    cron
     SCRIPT_PATH=/opt/warden_client/
-    */5  *   * * *  root cd $SCRIPT_PATH; warden3-dio-sender.py >> dio-sender.log
+    */5  *   * * *  root cd $SCRIPT_PATH; python warden3-dio-sender.py > /dev/null 2>&1
 
     Note: Repeat interval must be the same as value of 'awin'.
 

warden3/contrib/connectors/hp-dio/warden3-dio-sender.py

@@ -7,12 +7,14 @@
 from warden_client import Client, Error, read_cfg, format_timestamp
 import json
 import string
+import urllib
 from time import time, gmtime, strftime, sleep
 from math import trunc
 from uuid import uuid4
 from os import path
 import base64
 import sqlite3
+import sys
 
 DEFAULT_ACONFIG = 'warden_client-dio.cfg'
 DEFAULT_WCONFIG = 'warden_client.cfg'
@@ -27,6 +29,8 @@ DEFAULT_ATTACH_NAME = 'att1'
 DEFAULT_HASHTYPE = 'md5'
 DEFAULT_CONTENT_TYPE = 'application/octet-stream'
 DEFAULT_CONTENT_ENCODING = 'base64'
+DEFAULT_ANONYMISED = 'no'
+DEFAULT_TARGET_NET = '0.0.0.0/0'
 
 
 def gen_attach_idea(logger, report_binaries, binaries_path, filename, hashtype, hashdigest, vtpermalink, avref):
@@ -46,6 +50,7 @@ def gen_attach_idea(logger, report_binaries, binaries_path, filename, hashtype,
     refs.extend(avref.split(';'))
   
   if refs:
+    refs = [urllib.quote(ref, safe=':') for ref in refs]
     refs = list(set(refs))
     attach['Ref'] = refs
 
@@ -63,7 +68,7 @@ def gen_attach_idea(logger, report_binaries, binaries_path, filename, hashtype,
 
   return attach
 
-def gen_event_idea(logger, binaries_path, report_binaries, client_name, detect_time, win_start_time, win_end_time, aggr_win, data):
+def gen_event_idea(logger, binaries_path, report_binaries, client_name, anonymised, target_net, detect_time, win_start_time, win_end_time, aggr_win, data):
 
   category = []
   event = {
@@ -119,7 +124,13 @@ def gen_event_idea(logger, binaries_path, report_binaries, client_name, detect_t
   event['Source'][0][af]      = [data['src_ip']]
   event['Source'][0]['Port']  = [data['src_port']]
 
-  event['Target'][0][af]      = [data['dst_ip']]
+  if anonymised != 'omit':
+    if anonymised == 'yes':
+      event['Target'][0]['Anonymised'] = True
+      event['Target'][0][af] = [target_net]
+    else:
+      event['Target'][0][af] = [data['dst_ip']]
+
   event['Target'][0]['Port']  = [data['dst_port']]
   event['Target'][0]['Proto'] = proto
 
@@ -132,17 +143,26 @@ def main():
   wconfig = read_cfg(aconfig.get('warden', DEFAULT_WCONFIG))
   
   aname = aconfig.get('name', DEFAULT_NAME)
-  awin = aconfig.get('awin', DEFAULT_AWIN) * 60
 
+  wclient = Client(**wconfig)
+  wconfig['name'] = aname   
+
+  awin = aconfig.get('awin', DEFAULT_AWIN) * 60
   abinpath = aconfig.get('binaries_path', DEFAULT_BINPATH)
   adbfile = aconfig.get('dbfile', DEFAULT_DBFILE)
   aconattempts = aconfig.get('con_attempts', DEFAULT_CON_ATTEMPTS)
   aretryinterval = aconfig.get('con_retry_interval', DEFAULT_CON_RETRY_INTERVAL)
   areportbinaries = aconfig.get('report_binaries', DEFAULT_REPORT_BINARIES)
   
-  wconfig['name'] = aname
+  aanonymised = aconfig.get('anonymised', DEFAULT_ANONYMISED)
+  if aanonymised not in ['no', 'yes', 'omit']:
+    wclient.logger.error("Configuration error: anonymised: '%s' - possible typo? use 'no', 'yes' or 'omit'" % aanonymised)
+    sys.exit(2)
+
+  atargetnet  = aconfig.get('target_net', DEFAULT_TARGET_NET)
+  aanonymised = aanonymised if (atargetnet != DEFAULT_TARGET_NET) or (aanonymised == 'omit') else DEFAULT_ANONYMISED
+
 
-  wclient = Client(**wconfig)   
 
   con = sqlite3.connect(adbfile)
   con.row_factory = sqlite3.Row
@@ -177,12 +197,12 @@ def main():
   if con:
     con.close
 
-  etime = format_timestamp(time(), False)
-  stime = format_timestamp(time() - awin, False)
+  etime = format_timestamp(time())
+  stime = format_timestamp(time() - awin)
 
   for row in rows:
-    dtime = format_timestamp(row['timestamp'], False)
-    events.append(gen_event_idea(logger = wclient.logger, binaries_path = abinpath, report_binaries = areportbinaries, client_name = aname, detect_time = dtime, win_start_time = stime, win_end_time = etime, aggr_win = awin, data = row))
+    dtime = format_timestamp(row['timestamp'])
+    events.append(gen_event_idea(logger = wclient.logger, binaries_path = abinpath, report_binaries = areportbinaries, client_name = aname, anonymised = aanonymised, target_net = atargetnet, detect_time = dtime, win_start_time = stime, win_end_time = etime, aggr_win = awin, data = row))
       
   print "=== Sending ==="
   start = time()

warden3/contrib/connectors/hp-dio/warden_client-dio.cfg

 {
-	"warden": "warden_client.cfg",
-    "name": "cz.cesnet.kryten.dionaea",
+    "warden": "warden_client.cfg",
+    "name": "cz.cesnet.server.dionaea",
+
+    "anonymised": "no",
+    "target_net": "195.113.0.0/16",
 
     "dbfile": "/opt/dionaea/var/dionaea/logsql.sqlite",
     "binaries_path" : "/opt/dionaea/var/dionaea/binaries",
@@ -8,4 +11,4 @@
     "con_attempts" : 3,
     "con_retry_interval" : 5,
     "awin": 5
-}
+}
\ No newline at end of file