Beispiel #1
0
def daycounterreset(lock,ECFG):

    if lock == False:
        logme("ARGCHK","Lock Socket is busy ...",("P1"),ECFG)
        logme("ARGCHK","Waiting 300 seconds for getting lock socket.",("P1"),ECFG)
        for i in range(6000):
            if locksocket() == False:
                time.sleep(0.1)
            else:
                break
        if locksocket() == False:
            logme("daycounterreset","Daycounterreset fails. Socket over 300 sec busy",("P1","LOG"),ECFG)
            sys.exit(0)

    z = ConfigParser.RawConfigParser()
    z.read(ECFG["homedir"] + os.sep + "ews.idx")

    for i in z.sections():
        if z.has_option(i,"daycounter") == True:
            logme("daycounterreset","Daycounter " + i + " : " + z.get(i,"daycounter") + " alerts send." ,("LOG"),ECFG)
            z.set(i,"daycounter",0)

    with open(ECFG["homedir"] + os.sep + "ews.idx", 'wb') as countfile:
        z.write(countfile)
        countfile.close

    logme("daycounterreset","Daycounters successfull reset.",("P1"),ECFG)
    sys.exit(0)
Beispiel #2
0
def kippo():

    MODUL = "KIPPO"
    logme(MODUL, "Starting Kippo Modul.", ("P1"), ECFG)

    # collect honeypot config dic

    ITEMS = ("kippo", "nodeid", "mysqlhost", "mysqldb", "mysqluser", "mysqlpw")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])

    if HONEYPOT["ip"].lower() == "false" or HONEYPOT["ip"].lower() == "null":
        HONEYPOT["ip"] = ECFG["ip"]

    # open database

    try:
        con = MySQLdb.connect(host=HONEYPOT["mysqlhost"],
                              user=HONEYPOT["mysqluser"],
                              passwd=HONEYPOT["mysqlpw"],
                              db=HONEYPOT["mysqldb"],
                              cursorclass=MySQLdb.cursors.DictCursor)

    except MySQLdb.Error, e:
        logme(MODUL, "[ERROR] %s" % (str(e)), ("P3", "LOG"), ECFG)
Beispiel #3
0
def daycounterreset(lock, ECFG):

    if lock == False:
        logme("ARGCHK", "Lock Socket is busy ...", ("P1"), ECFG)
        logme("ARGCHK", "Waiting 300 seconds for getting lock socket.", ("P1"),
              ECFG)
        for i in range(6000):
            if locksocket() == False:
                time.sleep(0.1)
            else:
                break
        if locksocket() == False:
            logme("daycounterreset",
                  "Daycounterreset fails. Socket over 300 sec busy",
                  ("P1", "LOG"), ECFG)
            sys.exit(0)

    z = ConfigParser.RawConfigParser()
    z.read(ECFG["homedir"] + os.sep + "ews.idx")

    for i in z.sections():
        if z.has_option(i, "daycounter") == True:
            logme(
                "daycounterreset", "Daycounter " + i + " : " +
                z.get(i, "daycounter") + " alerts send.", ("LOG"), ECFG)
            z.set(i, "daycounter", 0)

    with open(ECFG["homedir"] + os.sep + "ews.idx", 'wb') as countfile:
        z.write(countfile)
        countfile.close

    logme("daycounterreset", "Daycounters successfull reset.", ("P1"), ECFG)
    sys.exit(0)
Beispiel #4
0
def mysqldb():

    try:
        con = MySQLdb.connect(host=HONEYPOT["mysqlhost"],
                              user=HONEYPOT["mysqluser"],
                              passwd=HONEYPOT["mysqlpw"],
                              db=HONEYPOT["mysqldb"],
                              cursorclass=MySQLdb.cursors.DictCursor)
    except MySQLdb.Error as e:
        logme(MODUL, "[ERROR] %s" % (str(e)), ("P3", "LOG"), ECFG)
        return

    c = con.cursor()

    # calculate send limit

    c.execute("SELECT max(id) from log")

    maxid = c.fetchone()["max(id)"]

    if maxid is None:
        logme(MODUL, "[ERROR] No entry's in Glastopf Database. Abort!",
              ("P2", "LOG"), ECFG)
        return

    imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1)),
                            int(maxid), ECFG)

    # read alerts from database

    c.execute("SELECT * from log where id > %s and id <= %s;", (imin, imax))
    rows = c.fetchall()
Beispiel #5
0
    def filelist(DIR):

        if os.path.isdir(DIR) is not True:
            logme(MODUL, "Error missing dir " + DIR + " Abort !",
                  ("P1", "EXIT"), ECFG)
        else:
            return os.listdir(DIR)
Beispiel #6
0
def calcminmax(MODUL,imin,imax,ECFG):

    if (imax - imin) > int(ECFG["sendlimit"]):
        logme(MODUL,"Need to send : " + str(imax -imin) + " limit is : " + str(ECFG["sendlimit"]) + ". Adapting to limit!",("P1"),ECFG)
        imax = imin + int(ECFG["sendlimit"])

    return imin,imax
Beispiel #7
0
    def del_job(DIR,MODUL):
        FILEIN = filelist(DIR)

        for files in FILEIN:
            fpart = files.split('.')
            if len(fpart) == 3 and int(fpart[1]) > 4:
                logme(MODUL, "Cleaning spooler dir: %s delete file: %s reached max transmit counter !" % (DIR, files),("LOG"),ECFG)
                os.remove(DIR + os.sep + files)
Beispiel #8
0
    def clean_dir(DIR,MODUL):
        FILEIN = filelist(DIR)

        for files in FILEIN:
            if not ".ews" in files:
                os.remove(DIR + os.sep + files)
                logme(MODUL, "Cleaning spooler dir: %s delete file: %s" % (DIR, files),("LOG"),ECFG)
        return()
Beispiel #9
0
def hpfeedsend(esm):

    try:
        hpc = hpfeeds.new(ECFG["host"],int(ECFG["port"]),ECFG["ident"],ECFG["secret"])
        logme("hpfeedsend","Connect to (%s)" % format(hpc.brokername) ,("P3","VERBOSE"),ECFG)
    except hpfeeds.FeedException, e:
        logme("hpfeedsend","HPFeeds Error (%s)" % format(e) ,("LOG","VERBOSE"),ECFG)
        return False
Beispiel #10
0
    def check_job(DIR,MODUL):
        FILEIN = filelist(DIR)

        if len(FILEIN) < 1:
            logme(MODUL, "Sender : No Jobs to send in %s" % (DIR),("P1"),ECFG)
            return False
        else:
            logme(MODUL, "Sender : There are %s jobs to send in %s" %(str(len(FILEIN)),DIR),("P1"),ECFG)
            return True
Beispiel #11
0
def calcminmax(MODUL, imin, imax, ECFG):

    if (imax - imin) > int(ECFG["sendlimit"]):
        logme(
            MODUL, "Need to send : " + str(imax - imin) + " limit is : " +
            str(ECFG["sendlimit"]) + ". Adapting to limit!", ("P1"), ECFG)
        imax = imin + int(ECFG["sendlimit"])

    return imin, imax
Beispiel #12
0
def viewcounter(MODUL, x, y):

    if y == 100:
        x += 100
        # Inform every 100 send records
        logme(MODUL, str(x) + " EWS alert records sent ...", ("P2"), ECFG)
        y = 1
    else:
        y += 1

    return x, y
Beispiel #13
0
def viewcounter(MODUL,x,y):

    if y  == 100:
        x += 100
        # Inform every 100 send records
        logme(MODUL,str(x) +" EWS alert records sent ...",("P2"),ECFG)
        y = 1
    else:
        y += 1

    return x,y
Beispiel #14
0
    def clean_dir(DIR, MODUL):
        FILEIN = filelist(DIR)

        for files in FILEIN:
            if not ".ews" in files:
                os.remove(DIR + os.sep + files)
                logme(
                    MODUL,
                    "Cleaning spooler dir: %s delete file: %s" % (DIR, files),
                    ("LOG"), ECFG)
        return ()
Beispiel #15
0
    def del_job(DIR, MODUL):
        FILEIN = filelist(DIR)

        for files in FILEIN:
            fpart = files.split('.')
            if len(fpart) == 3 and int(fpart[1]) > 4:
                logme(
                    MODUL,
                    "Cleaning spooler dir: %s delete file: %s reached max transmit counter !"
                    % (DIR, files), ("LOG"), ECFG)
                os.remove(DIR + os.sep + files)
Beispiel #16
0
def mysqldb():

    try:
        con = MySQLdb.connect(host=HONEYPOT["mysqlhost"],
                              user=HONEYPOT["mysqluser"],
                              passwd=HONEYPOT["mysqlpw"],
                              db=HONEYPOT["mysqldb"],
                              cursorclass=MySQLdb.cursors.DictCursor)
    except MySQLdb.Error, e:
        logme(MODUL, "[ERROR] %s" % (str(e)), ("P3", "LOG"), ECFG)
        return
Beispiel #17
0
def hpfeedsend(esm):

    try:
        hpc = hpfeeds.new(ECFG["host"], int(ECFG["port"]), ECFG["ident"],
                          ECFG["secret"])
        logme("hpfeedsend", "Connect to (%s)" % format(hpc.brokername),
              ("P3", "VERBOSE"), ECFG)
    except hpfeeds.FeedException, e:
        logme("hpfeedsend", "HPFeeds Error (%s)" % format(e),
              ("LOG", "VERBOSE"), ECFG)
        return False
Beispiel #18
0
    def check_job(DIR, MODUL):
        FILEIN = filelist(DIR)

        if len(FILEIN) < 1:
            logme(MODUL, "Sender : No Jobs to send in %s" % (DIR), ("P1"),
                  ECFG)
            return False
        else:
            logme(
                MODUL, "Sender : There are %s jobs to send in %s" %
                (str(len(FILEIN)), DIR), ("P1"), ECFG)
            return True
Beispiel #19
0
def mysqldb():

    try:
        con = MySQLdb.connect(
            host=HONEYPOT["mysqlhost"],
            user=HONEYPOT["mysqluser"],
            passwd=HONEYPOT["mysqlpw"],
            db=HONEYPOT["mysqldb"],
            cursorclass=MySQLdb.cursors.DictCursor,
        )
    except MySQLdb.Error, e:
        logme(MODUL, "[ERROR] %s" % (str(e)), ("P3", "LOG"), ECFG)
        return
Beispiel #20
0
def sqlitedb(MODUL, DBPATH, ECFG):

    rows = []

    # is sqlitedb exist ?

    if os.path.isfile(DBPATH) == False:
        logme(MODUL, "[ERROR] Missing sqlitedb file " + DBPATH + ". Abort !", ("P3", "LOG"), ECFG)
        return 1, rows

    # open database

    try:
        con = sqlite3.connect(DBPATH, 30)
        con.row_factory = sqlite3.Row
        cur = con.cursor()

    except sqlite.Error, e:
        logme(MODUL, "[ERROR] Sqlite Error : %s . Abort !" % e.args[0], ("P3", "LOG"), ECFG)
        return 1, rows
Beispiel #21
0
def sqlitedb(MODUL, DBPATH, ECFG):

    rows = []

    # is sqlitedb exist ?

    if os.path.isfile(DBPATH) == False:
        logme(MODUL, "[ERROR] Missing sqlitedb file " + DBPATH + ". Abort !",
              ("P3", "LOG"), ECFG)
        return 1, rows

    # open database

    try:
        con = sqlite3.connect(DBPATH, 30)
        con.row_factory = sqlite3.Row
        cur = con.cursor()

    except sqlite.Error, e:
        logme(MODUL, "[ERROR] Sqlite Error : %s . Abort !" % e.args[0],
              ("P3", "LOG"), ECFG)
        return 1, rows
Beispiel #22
0
def kippo():

    MODUL  = "KIPPO"
    logme(MODUL,"Starting Kippo Modul.",("P1"),ECFG)

    # collect honeypot config dic

    ITEMS  = ("kippo","nodeid","mysqlhost","mysqldb","mysqluser","mysqlpw")
    HONEYPOT = readcfg(MODUL,ITEMS,ECFG["cfgfile"])

    HONEYPOT["ip"] = readonecfg(MODUL,"ip", ECFG["cfgfile"])

    if HONEYPOT["ip"].lower() == "false" or HONEYPOT["ip"].lower() == "null":
       HONEYPOT["ip"] = ECFG["ip"]

    # open database

    try:
        con = MySQLdb.connect(host=HONEYPOT["mysqlhost"], user=HONEYPOT["mysqluser"], passwd=HONEYPOT["mysqlpw"],
                              db=HONEYPOT["mysqldb"], cursorclass=MySQLdb.cursors.DictCursor)

    except MySQLdb.Error,e:
        logme(MODUL,"[ERROR] %s" %(str(e)),("P3","LOG"),ECFG)
Beispiel #23
0
def emobility():

    MODUL = "EMOBILITY"
    logme(MODUL, "Starting eMobility Modul.", ("P1"), ECFG)

    # collect honeypot config dic

    ITEMS = ("eMobility", "nodeid", "logfile")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    # logfile file exists ?

    if os.path.isfile(HONEYPOT["logfile"]) is False:
        logme(MODUL,
              "[ERROR] Missing LogFile " + HONEYPOT["logfile"] + ". Skip !",
              ("P3", "LOG"), ECFG)

    # count limit

    imin = int(countme(MODUL, 'fileline', -1, ECFG))

    if int(ECFG["sendlimit"]) > 0:
        logme(
            MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) +
            ". Adapting to limit!", ("P1"), ECFG)

    I = 0
    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    while True:

        x, y = viewcounter(MODUL, x, y)

        I += 1

        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break

        line = getline(HONEYPOT["logfile"], (imin + I)).rstrip()

        if len(line) == 0:
            break
        else:
            # Prepair and collect Alert Data

            line = re.sub(r'  ', r' ', re.sub(r'[\[\]\-\>]', r'', line))

            srcipandport, dstipandport, url, dateandtime = line.split("|", 3)

            DATA = {
                "aid":
                HONEYPOT["nodeid"],
                "timestamp":
                "%s-%s-%s %s" % (dateandtime[0:4], dateandtime[4:6],
                                 dateandtime[6:8], dateandtime[9:17]),
                "sadr":
                "%s.%s.%s.%s" %
                (srcipandport.split(".")[0], srcipandport.split(".")[1],
                 srcipandport.split(".")[2], srcipandport.split(".")[3]),
                "sipv":
                "ipv4",
                "sprot":
                "tcp",
                "sport":
                srcipandport.split(".")[4],
                "tipv":
                "ipv4",
                "tadr":
                "%s.%s.%s.%s" %
                (dstipandport.split(".")[0], dstipandport.split(".")[1],
                 dstipandport.split(".")[2], dstipandport.split(".")[3]),
                "tprot":
                "tcp",
                "tport":
                dstipandport.split(".")[4],
            }

            REQUEST = {
                "description": "eMobility Honeypot",
                "url": urllib.quote(url.encode('ascii', 'ignore'))
            }

            # Collect additional Data

            ADATA = {}

            # generate template and send

            esm = buildews(esm, DATA, REQUEST, ADATA)
            jesm = buildjson(jesm, DATA, REQUEST, ADATA)

            countme(MODUL, 'fileline', -2, ECFG)
            countme(MODUL, 'daycounter', -2, ECFG)

            if ECFG["a.verbose"] is True:
                verbosemode(MODUL, DATA, REQUEST, ADATA)

    # Cleaning linecache
    clearcache()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 2), ("P2"),
              ECFG)
    return
Beispiel #24
0
        cur = con.cursor()

    except sqlite.Error, e:
        logme(MODUL, "[ERROR] Sqlite Error : %s . Abort !" % e.args[0], ("P3", "LOG"), ECFG)
        return 1, rows

    # calculate max alerts

    if MODUL == "GLASTOPFV3":
        cur.execute("SELECT max(id) from events")
        maxid = cur.fetchone()["max(id)"]
    elif MODUL == "DIONAEA":
        cur.execute("SELECT max(connection) from connections;")
        maxid = cur.fetchone()["max(connection)"]
    else:
        logme(MODUL, "[ERROR] Unknow Modul for Sqlite Database Access. Abort!", ("P2", "LOG"), ECFG)
        return 1, rows

    if maxid is None:
        logme(MODUL, "[ERROR] No entry's in Database %s. Abort!" % DBPATH, ("P2", "LOG"), ECFG)
        return 1, rows

    imin, imax = calcminmax(MODUL, int(countme(MODUL, "sqliteid", -1, ECFG)), int(maxid), ECFG)

    # read alerts from database

    if MODUL == "GLASTOPFV3":
        cur.execute("SELECT * from events where id > ? and id <= ?;", (imin, imax))
    elif MODUL == "DIONAEA":
        cur.execute("SELECT * from connections where connection > ? and connection <= ?;", (imin, imax))
    else:
Beispiel #25
0
def ewswebservice(ems):

    MODUL = "ewswebservice"

    headers = { 'User-Agent'     : name + " " + version,
                'Content-type'   : 'text/xml',
                'SOAPAction'     : '',
                'charset'        : 'UTF-8',
                'Connection'     : 'close'
              }

    host = random.choice([ ECFG["rhost_first"] , ECFG["rhost_second"] ])

    if ECFG["proxy"] != "NULL" and ECFG["proxy"] != "FALSE":
       proxydic = { "https" : ECFG["proxy"] }
    else:
       proxydic = {}

    try:
        if not "https" in proxydic:
            webservice = requests.post(host,
                                       data=ems,
                                       headers=headers,
                                       allow_redirects=True,
                                       timeout=60,
                                       verify=True
                                      )
        else:
            webservice = requests.post(host,
                                       data=ems,
                                       headers=headers,
                                       allow_redirects=True,
                                       proxies=proxydic,
                                       timeout=60,
                                       verify=True
                                      )


        webservice.raise_for_status()

        xmlresult = re.search('<StatusCode>(.*)</StatusCode>', webservice.text).groups()[0]

        if xmlresult != "OK":
            logme(MODUL,"XML Result != ok ( %s) (%s)" % (xmlresult,webservice.text) ,("LOG","VERBOSE"),ECFG)
            return False

        if ECFG["a.verbose"] is True:
            logme(MODUL,"---- Webservice Report ----" ,("VERBOSE"),ECFG)
            logme(MODUL,"HOST          : %s" % (host) ,("VERBOSE"),ECFG)
            logme(MODUL,"XML Result    : %s" % (xmlresult) ,("VERBOSE"),ECFG)
            logme(MODUL,"Statuscode    : %s" % (webservice.status_code) ,("VERBOSE"),ECFG)
            logme(MODUL,"Header        : %s" % (webservice.headers) ,("VERBOSE"),ECFG)
            logme(MODUL,"Body          : %s" % (webservice.text) ,("VERBOSE"),ECFG)
            logme(MODUL,"",("VERBOSE"),ECFG)

        return True

    except requests.exceptions.Timeout, e:
        logme(MODUL,"Timeout to remote host %s (%s)" % (host , str(e)) ,("LOG","VERBOSE"),ECFG)
        return False
Beispiel #26
0
            logme(MODUL,"---- Webservice Report ----" ,("VERBOSE"),ECFG)
            logme(MODUL,"HOST          : %s" % (host) ,("VERBOSE"),ECFG)
            logme(MODUL,"XML Result    : %s" % (xmlresult) ,("VERBOSE"),ECFG)
            logme(MODUL,"Statuscode    : %s" % (webservice.status_code) ,("VERBOSE"),ECFG)
            logme(MODUL,"Header        : %s" % (webservice.headers) ,("VERBOSE"),ECFG)
            logme(MODUL,"Body          : %s" % (webservice.text) ,("VERBOSE"),ECFG)
            logme(MODUL,"",("VERBOSE"),ECFG)

        return True

    except requests.exceptions.Timeout, e:
        logme(MODUL,"Timeout to remote host %s (%s)" % (host , str(e)) ,("LOG","VERBOSE"),ECFG)
        return False

    except requests.exceptions.ConnectionError, e:
        logme(MODUL,"Remote host %s didn't answers ! (%s)" % (host , str(e)) ,("LOG","VERBOSE"),ECFG)
        return False

    except requests.exceptions.HTTPError, e:
        logme(MODUL,"HTTP Errorcode != 200 (%s)" % (str(e)) ,("LOG","VERBOSE"),ECFG)
        return False

def viewcounter(MODUL,x,y):

    if y  == 100:
        x += 100
        # Inform every 100 send records
        logme(MODUL,str(x) +" EWS alert records sent ...",("P2"),ECFG)
        y = 1
    else:
        y += 1
Beispiel #27
0
def verbosemode(MODUL, DATA, REQUEST, ADATA):
    logme(MODUL, "---- " + MODUL + " ----", ("VERBOSE"), ECFG)
    logme(MODUL, "Nodeid          : %s" % DATA["aid"], ("VERBOSE"), ECFG)
    logme(MODUL, "Timestamp       : %s" % DATA["timestamp"], ("VERBOSE"), ECFG)
    logme(MODUL, "", ("VERBOSE"), ECFG)
    logme(MODUL, "Source IP       : %s" % DATA["sadr"], ("VERBOSE"), ECFG)
    logme(MODUL, "Source IPv      : %s" % DATA["sipv"], ("VERBOSE"), ECFG)
    logme(MODUL, "Source Port     : %s" % DATA["sport"], ("VERBOSE"), ECFG)
    logme(MODUL, "Source Protocol : %s" % DATA["sprot"], ("VERBOSE"), ECFG)
    logme(MODUL, "Target IP       : %s" % DATA["tadr"], ("VERBOSE"), ECFG)
    logme(MODUL, "Target IPv      : %s" % DATA["tipv"], ("VERBOSE"), ECFG)
    logme(MODUL, "Target Port     : %s" % DATA["tport"], ("VERBOSE"), ECFG)
    logme(MODUL, "Target Protocol : %s" % DATA["tprot"], ("VERBOSE"), ECFG)

    for key, value in ADATA.items():
        logme(MODUL, "%s       : %s" % (key, value), ("VERBOSE"), ECFG)

    logme(MODUL, "", ("VERBOSE"), ECFG)

    return
Beispiel #28
0
def ewswebservice(ems):

    MODUL = "ewswebservice"

    headers = {
        'User-Agent': name + " " + version,
        'Content-type': 'text/xml',
        'SOAPAction': '',
        'charset': 'UTF-8',
        'Connection': 'close'
    }

    host = random.choice([ECFG["rhost_first"], ECFG["rhost_second"]])

    if ECFG["proxy"] != "NULL" and ECFG["proxy"] != "FALSE":
        proxydic = {"https": ECFG["proxy"]}
    else:
        proxydic = {}

    try:
        if not "https" in proxydic:
            webservice = requests.post(host,
                                       data=ems,
                                       headers=headers,
                                       allow_redirects=True,
                                       timeout=60,
                                       verify=not ECFG["a.ignorecert"])
        else:
            webservice = requests.post(host,
                                       data=ems,
                                       headers=headers,
                                       allow_redirects=True,
                                       proxies=proxydic,
                                       timeout=60,
                                       verify=not ECFG["a.ignorecert"])

        webservice.raise_for_status()

        xmlresult = re.search('<StatusCode>(.*)</StatusCode>',
                              webservice.text).groups()[0]

        if xmlresult != "OK":
            logme(MODUL,
                  "XML Result != ok ( %s) (%s)" % (xmlresult, webservice.text),
                  ("LOG", "VERBOSE"), ECFG)
            return False

        if ECFG["a.verbose"] is True:
            logme(MODUL, "---- Webservice Report ----", ("VERBOSE"), ECFG)
            logme(MODUL, "HOST          : %s" % (host), ("VERBOSE"), ECFG)
            logme(MODUL, "XML Result    : %s" % (xmlresult), ("VERBOSE"), ECFG)
            logme(MODUL, "Statuscode    : %s" % (webservice.status_code),
                  ("VERBOSE"), ECFG)
            logme(MODUL, "Header        : %s" % (webservice.headers),
                  ("VERBOSE"), ECFG)
            logme(MODUL, "Body          : %s" % (webservice.text), ("VERBOSE"),
                  ECFG)
            logme(MODUL, "", ("VERBOSE"), ECFG)

        return True

    except requests.exceptions.Timeout, e:
        logme(MODUL, "Timeout to remote host %s (%s)" % (host, str(e)),
              ("LOG", "VERBOSE"), ECFG)
        return False
Beispiel #29
0
def verbosemode(MODUL,DATA,REQUEST,ADATA):
    logme(MODUL,"---- " + MODUL + " ----" ,("VERBOSE"),ECFG)
    logme(MODUL,"Nodeid          : %s" % DATA["aid"],("VERBOSE"),ECFG)
    logme(MODUL,"Timestamp       : %s" % DATA["timestamp"],("VERBOSE"),ECFG)
    logme(MODUL,"" ,("VERBOSE"),ECFG)
    logme(MODUL,"Source IP       : %s" % DATA["sadr"],("VERBOSE"),ECFG)
    logme(MODUL,"Source IPv      : %s" % DATA["sipv"],("VERBOSE"),ECFG)
    logme(MODUL,"Source Port     : %s" % DATA["sport"],("VERBOSE"),ECFG)
    logme(MODUL,"Source Protocol : %s" % DATA["sprot"],("VERBOSE"),ECFG)
    logme(MODUL,"Target IP       : %s" % DATA["tadr"],("VERBOSE"),ECFG)
    logme(MODUL,"Target IPv      : %s" % DATA["tipv"],("VERBOSE"),ECFG)
    logme(MODUL,"Target Port     : %s" % DATA["tport"],("VERBOSE"),ECFG)
    logme(MODUL,"Target Protocol : %s" % DATA["tprot"],("VERBOSE"),ECFG)

    for key,value in ADATA.items():
        logme(MODUL,"%s       : %s" %(key,value) ,("VERBOSE"),ECFG)

    logme(MODUL,"" ,("VERBOSE"),ECFG)

    return
Beispiel #30
0
    except sqlite.Error, e:
        logme(MODUL, "[ERROR] Sqlite Error : %s . Abort !" % e.args[0],
              ("P3", "LOG"), ECFG)
        return 1, rows

    # calculate max alerts

    if MODUL == "GLASTOPFV3":
        cur.execute("SELECT max(id) from events")
        maxid = cur.fetchone()["max(id)"]
    elif MODUL == "DIONAEA":
        cur.execute("SELECT max(connection) from connections;")
        maxid = cur.fetchone()["max(connection)"]
    else:
        logme(MODUL, "[ERROR] Unknow Modul for Sqlite Database Access. Abort!",
              ("P2", "LOG"), ECFG)
        return 1, rows

    if maxid is None:
        logme(MODUL, "[ERROR] No entry's in Database %s. Abort!" % DBPATH,
              ("P2", "LOG"), ECFG)
        return 1, rows

    imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)),
                            int(maxid), ECFG)

    # read alerts from database

    if MODUL == "GLASTOPFV3":
        cur.execute("SELECT * from events where id > ? and id <= ?;", (
            imin,
Beispiel #31
0
def glastopfv3():

    MODUL  = "GLASTOPFV3"
    logme(MODUL,"Starting Glastopf V3.x Modul.",("P1"),ECFG)

    # collect honeypot config dic

    ITEMS  = ("glastopfv3","nodeid","sqlitedb","malwaredir")
    HONEYPOT = readcfg(MODUL,ITEMS,ECFG["cfgfile"])

    HONEYPOT["ip"] = readonecfg(MODUL,"ip", ECFG["cfgfile"])

    if HONEYPOT["ip"].lower() == "false" or HONEYPOT["ip"].lower() == "null":
       HONEYPOT["ip"] = ECFG["ip"]

    # Malwaredir exist ? Issue in Glastopf ! RFI Directory first create when the first RFI was downloaded

    #if os.path.isdir(HONEYPOT["malwaredir"]) == False:
    #    logme(MODUL,"[ERROR] Missing Malware Dir " + HONEYPOT["malwaredir"] + ". Abort !",("P3","LOG"),ECFG)
    #    return

    # is sqlitedb exist ?

    if os.path.isfile(HONEYPOT["sqlitedb"]) is False:
        logme(MODUL,"[ERROR] Missing sqlitedb file " + HONEYPOT["sqlitedb"] + ". Abort !",("P3","LOG"),ECFG)
        return

    # open database

    con = sqlite3.connect(HONEYPOT["sqlitedb"],30)
    con.row_factory = sqlite3.Row
    c = con.cursor()

    # calculate send limit

    c.execute("SELECT max(id) from events")

    maxid = c.fetchone()["max(id)"]

    if maxid is None:
        logme(MODUL,"[ERROR] No entry's in Glastopf Database. Abort!",("P2","LOG"),ECFG)
        return

    imin, imax = calcminmax(MODUL,int(countme(MODUL,'sqliteid',-1,ECFG)),int(maxid),ECFG)

    # read alerts from database

    c.execute("SELECT * from events where id > ? and id <= ?;",(imin,imax))
    rows = c.fetchall()

    # counter inits

    x = 0 ; y = 1

    esm = ewsauth(ECFG["username"],ECFG["token"])
    jesm = [ ]

    for row in rows:

        x,y = viewcounter(MODUL,x,y)

        # filter empty requests and nagios checks

        if  row["request_url"] == os.sep or row["request_url"] == "/index.do?hash=DEADBEEF&activate=1":
            countme(MODUL,'sqliteid',row["id"],ECFG)
            continue

        # Prepair and collect Alert Data

        DATA = {
                    "aid"       : HONEYPOT["nodeid"],
                    "timestamp" : row["time"],
                    "sadr"      : re.sub(":.*$","",row["source"]),
                    "sipv"      : "ipv" + ip4or6(re.sub(":.*$","",row["source"])),
                    "sprot"     : "tcp",
                    "sport"     : "",
                    "tipv"      : "ipv" + ip4or6(HONEYPOT["ip"]),
                    "tadr"      : HONEYPOT["ip"],
                    "tprot"     : "tcp",
                    "tport"     : "80",
                  }

        REQUEST = {
                    "description" : "WebHoneypot : Glastopf v3.1",
                    "url"         : urllib.quote(row["request_url"])
                  }

        if "request_raw" in  row.keys() and len(row["request_raw"]) > 0:
            #REQUEST["raw"] = base64.standard_b64encode(row["request_raw"])
            REQUEST["raw"] = base64.encodestring(row["request_raw"])

        if "filename" in  row.keys() and row["filename"] != None:
           error,malwarefile = malware(HONEYPOT["malwaredir"],row["filename"],ECFG["del_malware_after_send"])
           if error == 0:
                REQUEST["binary"] = malwarefile
           else:
                logme(MODUL,"Mission Malwarefile %s" % row["filename"] ,("P1","LOG"),ECFG)
 
        # Collect additional Data

        ADATA = {
                 "sqliteid"    : row ["id"],
                }

        if "request_method" in  row.keys():
           ADATA["httpmethod"] = row["request_method"]

        if "request_raw" in  row.keys():
            m = re.search( r'Host: (\b.+\b)', row["request_raw"] , re.M)
            if m:
                ADATA["host"] = str(m.group(1))

        if "request_header" in  row.keys():
            if 'Host' in json.loads(row["request_header"]):
                ADATA["host"] = str(json.loads(row["request_header"])["Host"])

        if "request_body" in  row.keys():
            if len(row["request_body"]) > 0:
                ADATA["requestbody"] = row["request_body"]

        esm = buildews(esm,DATA,REQUEST,ADATA)
        jesm = buildjson(jesm,DATA,REQUEST,ADATA)

        countme(MODUL,'sqliteid',row["id"],ECFG)
        countme(MODUL,'daycounter', -2,ECFG)

        if ECFG["a.verbose"] is True:
            verbosemode(MODUL,DATA,REQUEST,ADATA)

    con.close()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y  > 1:
        logme(MODUL,"%s EWS alert records send ..." % (x+y-1),("P2"),ECFG)
    return
Beispiel #32
0
def ecfg(name, version):
    MODUL = "EINIT"

    ECFG = {}

    parser = argparse.ArgumentParser()
    parser.add_argument("-c",
                        "--configpath",
                        help="Load configuration file from Path")
    parser.add_argument("-v",
                        "--verbose",
                        help="set output verbosity",
                        action="store_true")
    parser.add_argument("-d",
                        "--debug",
                        help="set output debug",
                        action="store_true")
    parser.add_argument(
        "-l",
        "--loop",
        help="Go in endless loop. Set {xx} for seconds to wait for next loop",
        type=int,
        default=0,
        action="store")
    parser.add_argument("-m",
                        "--modul",
                        help="only send alerts for this modul",
                        choices=[
                            'glastopfv3', 'glastopfv2', 'kippo', 'dionaea',
                            'honeytrap', 'rdpdetect', 'emobility', 'conpot',
                            'cowrie', 'elasticpot', 'suricata', 'rdpy',
                            'mailoney', 'vnclowpot', 'heralding', 'ciscoasa',
                            'tanner', 'glutton'
                        ],
                        action="store")
    parser.add_argument("-s",
                        "--silent",
                        help="silent mode without output",
                        action="store_true")
    parser.add_argument("-i",
                        "--ignorecert",
                        help="ignore certificate warnings",
                        action="store_true")
    parser.add_argument("-S",
                        "--sendonly",
                        help="only send unsend alerts",
                        action="store_true")
    parser.add_argument("-E",
                        "--ewsonly",
                        help="only generate ews alerts files",
                        action="store_true")
    parser.add_argument("-dcr",
                        "--daycounter",
                        help="reset and log daycounters for all honeypots",
                        action="store_true")
    parser.add_argument("-j",
                        "--jsonpath",
                        help="Write JSON output file to path")
    parser.add_argument(
        "-L",
        "--sendlimit",
        help="Set {xxx} for max alerts will send in one session",
        type=int,
        action="store")
    parser.add_argument("-V",
                        "--version",
                        help="show the EWS Poster Version",
                        action="version",
                        version=name + " " + version)

    args = parser.parse_args()

    if args.sendlimit:
        ECFG["sendlimit2"] = args.sendlimit
    else:
        ECFG["sendlimit2"] = ""

    if args.loop:
        ECFG["a.loop"] = args.loop
    else:
        ECFG["a.loop"] = 0

    if args.verbose:
        ECFG["a.verbose"] = True
    else:
        ECFG["a.verbose"] = False

    if args.debug:
        ECFG["a.debug"] = True
    else:
        ECFG["a.debug"] = False

    if args.ignorecert:
        ECFG["a.ignorecert"] = True
    else:
        ECFG["a.ignorecert"] = False

    if args.silent:
        ECFG["a.silent"] = True
    else:
        ECFG["a.silent"] = False

    if args.daycounter:
        ECFG["a.daycounter"] = True
    else:
        ECFG["a.daycounter"] = False

    if args.sendonly:
        ECFG["a.sendonly"] = True
    else:
        ECFG["a.sendonly"] = False

    if args.ewsonly:
        ECFG["a.ewsonly"] = True
    else:
        ECFG["a.ewsonly"] = False

    if args.configpath:
        ECFG["path2"] = args.configpath

        if os.path.isdir(args.configpath) is not True:
            logme(MODUL,
                  "ConfigPath %s did not exist. Abort !" % (args.configpath),
                  ("P1", "EXIT"), ECFG)
    else:
        ECFG["path2"] = ""

    if args.modul and args.modul in [
            'glastopfv3', 'glastopfv2', 'kippo', 'dionaea', 'honeytrap',
            'rdpdetect', 'emobility', 'conpot', 'cowrie', 'elasticpot',
            'suricata', 'rdpy', 'mailoney', 'vnclowpot', 'heralding',
            'ciscoasa', 'tanner', 'glutton'
    ]:
        ECFG["a.modul"] = args.modul
    else:
        ECFG["a.modul"] = ""

    if args.jsonpath:
        ECFG["a.jsondir"] = args.jsonpath

        if os.path.isdir(args.jsonpath) is not True:
            logme(MODUL,
                  "JsonPath %s did not exist. Abort !" % (args.jsonpath),
                  ("P1", "EXIT"), ECFG)

    else:
        ECFG["a.jsondir"] = ""

    # say hello

    logme(
        MODUL, name + " " + version +
        " (c) by Markus Schroer <*****@*****.**>\n", ("P0"), ECFG)

    # read EWSPoster Main Path

    ECFG["path"] = os.path.dirname(os.path.abspath(__file__)).replace(
        "/moduls", "")

    if ECFG["path2"] == "":
        ECFG["path2"] = ECFG["path"]

    if os.path.isfile(ECFG["path2"] + os.sep + "ews.cfg") is False:
        logme(
            MODUL, "Missing EWS Config %s. Abort !" %
            (ECFG["path2"] + os.sep + "ews.cfg"), ("P1", "EXIT"), ECFG)
    else:
        ECFG["cfgfile"] = ECFG["path2"] + os.sep + "ews.cfg"

    # Create IDX File if not exist

    if os.path.isfile(ECFG["path"] + os.sep + "ews.idx") is False:
        os.open(ECFG["path"] + os.sep + "ews.idx", os.O_RDWR | os.O_CREAT)
        logme(MODUL, "Create ews.idx counterfile", ("P1"), ECFG)

    # Read Main Config Parameter

    ITEMS = ("homedir", "spooldir", "logdir", "contact",
             "del_malware_after_send", "send_malware", "sendlimit")
    MCFG = readcfg("MAIN", ITEMS, ECFG["cfgfile"])

    # IP Handling

    # try to determine the external IP
    MCFG["ip"] = getOwnExternalIP(ECFG)

    if not MCFG["ip"]:
        logme(
            MODUL,
            "External IP address cannot be determined. Set external IP in ews.cfg, ews.ip or env variable MY_EXTIP or allow external api request.. Abort !",
            ("P1", "EXIT"), ECFG)

    logme(MODUL, "Using external IP address " + str(MCFG["ip"]), ("P1", "Log"),
          ECFG)

    # sendlimit expect

    if ECFG["sendlimit2"] != "":
        MCFG["sendlimit"] = ECFG["sendlimit2"]

    if int(MCFG["sendlimit"]) > 500:
        logme(
            MODUL, "Error Sendlimit " + str(MCFG["sendlimit"]) +
            " to high. Max 500 ! ", ("P1", "EXIT"), ECFG)
    elif int(MCFG["sendlimit"]) < 1:
        logme(
            MODUL,
            "Error Sendlimit " + str(MCFG["sendlimit"]) + " to low. Min 1 ! ",
            ("P1", "EXIT"), ECFG)
    elif MCFG["sendlimit"] == "NULL" or str(MCFG["sendlimit"]) == "UNKNOW":
        logme(
            MODUL, "Error Sendlimit " + str(MCFG["sendlimit"]) +
            " Must set between 1 and 500. ", ("P1", "EXIT"), ECFG)

    # send_malware ?

    if MCFG["send_malware"].lower() == "true":
        MCFG["send_malware"] = True
    else:
        MCFG["send_malware"] = False

    # del_malware_after_send ?

    if MCFG["del_malware_after_send"].lower() == "true":
        MCFG["del_malware_after_send"] = True
    else:
        MCFG["del_malware_after_send"] = False

    # home dir available ?

    if os.path.isdir(MCFG["homedir"]) is not True:
        logme(MODUL, "Error missing homedir " + MCFG["homedir"] + " Abort !",
              ("P1", "EXIT"), ECFG)
    else:
        os.chdir(MCFG["homedir"])

    # spool dir available ?

    if os.path.isdir(MCFG["spooldir"]) is not True:
        logme(MODUL, "Error missing spooldir " + MCFG["spooldir"] + " Abort !",
              ("P1", "EXIT"), ECFG)

    # log dir available ?

    MCFG["logdir"] = readonecfg("MAIN", "logdir", ECFG["cfgfile"])

    if MCFG["logdir"] != "NULL" and MCFG[
            "logdir"] != "FALSE" and os.path.isdir(MCFG["logdir"]) is True:
        MCFG["logfile"] = MCFG["logdir"] + os.sep + "ews.log"
    elif MCFG["logdir"] != "NULL" and MCFG[
            "logdir"] != "FALSE" and os.path.isdir(MCFG["logdir"]) is True:
        logme(MODUL, "Error missing logdir " + MCFG["logdir"] + " Abort !",
              ("P1", "EXIT"), ECFG)
    else:
        MCFG["logfile"] = "/var/log" + os.sep + "ews.log"

    # Proxy Settings ?

    MCFG["proxy"] = readonecfg(MODUL, "proxy", ECFG["cfgfile"])

    # Read EWS Config Parameter

    ITEMS = ("ews", "username", "token", "rhost_first", "rhost_second")
    EWSCFG = readcfg("EWS", ITEMS, ECFG["cfgfile"])

    # Set ews real true or false

    if EWSCFG["ews"].lower() == "true":
        EWSCFG["ews"] = True
    else:
        EWSCFG["ews"] = False

    # ignore cert validation if ignorecert-parameter is set

    EWSCFGCERT = readonecfg("EWS", "ignorecert", ECFG["cfgfile"])

    if EWSCFGCERT.lower() == "true":
        ECFG["a.ignorecert"] = True

    # Read HPFEED Config Parameter

    ITEMS = ("hpfeed", "host", "port", "channels", "ident", "secret")
    HCFG = readcfg("HPFEED", ITEMS, ECFG["cfgfile"])

    if HCFG["hpfeed"].lower() == "true":
        HCFG["hpfeed"] = True
    else:
        HCFG["hpfeed"] = False

    # Read EWSJSON Config Parameter

    ITEMS = ("json", "jsondir")
    EWSJSON = readcfg("EWSJSON", ITEMS, ECFG["cfgfile"])

    if EWSJSON["json"].lower() == "true":
        EWSJSON["json"] = True

        if os.path.isdir(EWSJSON["jsondir"]) is True:
            EWSJSON["jsondir"] = EWSJSON["jsondir"] + os.sep + "ews.json"
        else:
            logme(MODUL,
                  "Error missing jsondir " + EWSJSON["jsondir"] + " Abort !",
                  ("P1", "EXIT"), ECFG)

    else:
        EWSJSON["json"] = False

    if ECFG["a.jsondir"] != "" and os.path.isdir(ECFG["a.jsondir"]) is True:
        EWSJSON["json"] = True
        EWSJSON["jsondir"] = ECFG["a.jsondir"] + os.sep + "ews.json"

    ECFG.update(MCFG)
    ECFG.update(EWSCFG)
    ECFG.update(HCFG)
    ECFG.update(EWSJSON)

    return ECFG
Beispiel #33
0
def ecfg(name,version):
    MODUL = "EINIT"

    ECFG= {}

    parser = argparse.ArgumentParser()
    parser.add_argument("-c","--configpath", help="Load configuration file from Path")
    parser.add_argument("-v","--verbose", help="set output verbosity",action="store_true")
    parser.add_argument("-d","--debug", help="set output debug",action="store_true")
    parser.add_argument("-s","--silent", help="silent mode without output",action="store_true")
    parser.add_argument("-S","--sendonly", help="only send unsend alerts",action="store_true")
    parser.add_argument("-E","--ewsonly", help="only generate ews alerts files",action="store_true")
    parser.add_argument("-dcr","--daycounter", help="reset and log daycounters for all honeypots",action="store_true")
    parser.add_argument("-V","--version", help="show the EWS Poster Version",action="version", version=name + " " + version)

    args = parser.parse_args()

    if args.verbose:
        ECFG["a.verbose"] = True
    else:
        ECFG["a.verbose"] = False
 
    if args.debug:
        ECFG["a.debug"] = True
    else:
        ECFG["a.debug"] = False

    if args.silent:
        ECFG["a.silent"] = True
    else:
        ECFG["a.silent"] = False

    if args.daycounter:
        ECFG["a.daycounter"] = True
    else:
        ECFG["a.daycounter"] = False

    if args.sendonly:
        ECFG["a.sendonly"] = True
    else:
        ECFG["a.sendonly"] = False

    if args.ewsonly:
        ECFG["a.ewsonly"] = True
    else:
        ECFG["a.ewsonly"] = False

    if args.configpath:
        ECFG["path2"] = args.configpath

        if os.path.isdir(args.configpath) is not True:
            logme(MODUL,"ConfigPath %s did not exist. Abort !" % (args.configpath),("P1","EXIT"),ECFG)
    else:
        ECFG["path2"] = ""

    # say hello

    logme(MODUL,name + " " + version + " (c) by Markus Schroer <*****@*****.**>\n",("P0"),ECFG)

    # read EWSPoster Main Path

    ECFG["path"] = os.path.dirname(os.path.abspath(__file__)).replace("/moduls","")

    if ECFG["path2"] == "":
        ECFG["path2"] = ECFG["path"]

    if os.path.isfile(ECFG["path2"] + os.sep + "ews.cfg" ) is False:
        logme(MODUL,"Missing EWS Config %s. Abort !"%(ECFG["path2"] + os.sep + "ews.cfg"),("P1","EXIT"),ECFG)
    else:
        ECFG["cfgfile"] = ECFG["path2"] + os.sep + "ews.cfg"

    # Create IDX File if not exist

    if os.path.isfile(ECFG["path"] + os.sep + "ews.idx" ) is False:
        os.open(ECFG["path"] + os.sep + "ews.idx", os.O_RDWR|os.O_CREAT )
        logme(MODUL,"Create ews.idx counterfile",("P1"),ECFG)

    # Read Main Config Parameter

    ITEMS = ("homedir","spooldir","logdir","contact","del_malware_after_send","send_malware","sendlimit")
    MCFG = readcfg("MAIN",ITEMS, ECFG["cfgfile"])

    # IP Handling

    ewsip = ECFG["path2"] + os.sep + "ews.ip"

    MCFG["ip"] = readonecfg("MAIN","ip", ECFG["cfgfile"])

    if os.path.isfile(ewsip) is True:
        MCFG["ip"] = readonecfg("MAIN","ip", ewsip)
        if MCFG["ip"].lower() == "null":
             logme(MODUL,"Error IP Address in File " + ewsip + " not set. Abort !",("P1","EXIT"),ECFG)

    if MCFG["ip"].lower() == "null" or MCFG["ip"].lower() == "false":
        logme(MODUL,"Error IP Address in ews.cfg not set or null. Abort !",("P1","EXIT"),ECFG)

    # sendlimit expect

    if int(MCFG["sendlimit"]) > 400:
        logme(MODUL,"Error Sendlimit " + MCFG["sendlimit"] + " to high. Max 400 ! ",("P1","EXIT"),ECFG)
    elif int(MCFG["sendlimit"]) < 1:
        logme(MODUL,"Error Sendlimit " + MCFG["sendlimit"] + " to low. Min 1 ! ",("P1","EXIT"),ECFG)
    elif MCFG["sendlimit"] == "NULL" or MCFG["sendlimit"] == "UNKNOW":
        logme(MODUL,"Error Sendlimit " + MCFG["sendlimit"] + " Must set between 1 and 400. ",("P1","EXIT"),ECFG)

    # send_malware ?

    if MCFG["send_malware"].lower() == "true":
        MCFG["send_malware"] = True
    else:
        MCFG["send_malware"] = False

    # del_malware_after_send ?

    if MCFG["del_malware_after_send"].lower() == "true":
        MCFG["del_malware_after_send"] = True
    else:
        MCFG["del_malware_after_send"] = False

    # home dir available ?

    if os.path.isdir(MCFG["homedir"]) is not True:
        logme(MODUL,"Error missing homedir " + MCFG["homedir"] + " Abort !",("P1","EXIT"),ECFG)
    else:
        os.chdir(MCFG["homedir"])

    # spool dir available ?

    if os.path.isdir(MCFG["spooldir"]) is not True:
        logme(MODUL,"Error missing spooldir " + MCFG["spooldir"] + " Abort !",("P1","EXIT"),ECFG)

    # log dir available ?

    MCFG["logdir"] = readonecfg("MAIN","logdir", ECFG["cfgfile"])

    if MCFG["logdir"] != "NULL" and MCFG["logdir"] != "FALSE" and os.path.isdir(MCFG["logdir"]) is True:
        MCFG["logfile"] = MCFG["logdir"] + os.sep + "ews.log"
    elif MCFG["logdir"] != "NULL" and MCFG["logdir"] != "FALSE" and os.path.isdir(MCFG["logdir"]) is True:
        logme(MODUL,"Error missing logdir " + MCFG["logdir"] + " Abort !",("P1","EXIT"),ECFG)
    else:
        MCFG["logfile"] = "/var/log" + os.sep + "ews.log"

    # Proxy Settings ?

    MCFG["proxy"] = readonecfg(MODUL,"proxy", ECFG["cfgfile"])

    # Read EWS Config Parameter

    ITEMS = ("ews","username","token","rhost_first","rhost_second")
    EWSCFG = readcfg("EWS",ITEMS, ECFG["cfgfile"])

    # Set ews real true or false

    if EWSCFG["ews"].lower() == "true":
       EWSCFG["ews"] = True
    else:
       EWSCFG["ews"] = False

    # Read HPFEED Config Parameter 

    ITEMS = ("hpfeed","host","port","channels","ident","secret")
    HCFG = readcfg("HPFEED",ITEMS, ECFG["cfgfile"])

    if HCFG["hpfeed"].lower() == "true":
       HCFG["hpfeed"] = True
    else:
       HCFG["hpfeed"] = False

    # Read EWSJSON Config Parameter

    ITEMS = ("json","jsondir")
    EWSJSON = readcfg("EWSJSON",ITEMS, ECFG["cfgfile"])

    if EWSJSON["json"].lower() == "true":
       EWSJSON["json"] = True
    else:
       EWSJSON["json"] = False

    if EWSJSON["jsondir"] != "NULL" and  EWSJSON["jsondir"] != "FALSE" and os.path.isdir(EWSJSON["jsondir"]) is True:
         EWSJSON["jsondir"] =  EWSJSON["jsondir"] + os.sep + "ews.json"
    else:
        logme(MODUL,"Error missing jsondir " + EWSJSON["jsondir"] + " Abort !",("P1","EXIT"),ECFG)

    ECFG.update(MCFG)
    ECFG.update(EWSCFG)
    ECFG.update(HCFG)
    ECFG.update(EWSJSON)

    return ECFG
Beispiel #34
0
def rdpdetect():

    MODUL  = "RDPDETECT"
    logme(MODUL,"Starting RDPDetect Modul.",("P1"),ECFG)

    # collect honeypot config dic

    ITEMS  = ("rdpdetect","nodeid","iptableslog","targetip")
    HONEYPOT = readcfg(MODUL,ITEMS,ECFG["cfgfile"])

    # iptables file exists ?

    if os.path.isfile(HONEYPOT["iptableslog"]) is False:
        logme(MODUL,"[ERROR] Missing Iptables LogFile " + HONEYPOT["iptableslog"] + ". Abort !",("P3","LOG"),ECFG)

    # count limit

    imin = int(countme(MODUL,'fileline',-1,ECFG))

    if int(ECFG["sendlimit"]) > 0:
        logme(MODUL,"Send Limit is set to : " + str(ECFG["sendlimit"]) + ". Adapting to limit!",("P1"),ECFG)

    I = 0 ; x = 0 ; y = 1

    esm = ewsauth(ECFG["username"],ECFG["token"])
    jesm = [ ]

    while True:

        x,y = viewcounter(MODUL,x,y)

        I += 1

        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break

        line = getline(HONEYPOT["iptableslog"],(imin + I)).rstrip()

        if len(line) == 0:
            break
        else:
            line = re.sub(r'  ',r' ',re.sub(r'[\[\]\-\>]',r'',line))

            if HONEYPOT["targetip"] == re.search('SRC=(.*?) ', line).groups()[0]:
                continue

            # Prepair and collect Alert Data

            DATA =    {
                        "aid"       : HONEYPOT["nodeid"],
                        "timestamp" : "%s-%s-%s %s:%s:%s" % (line[0:4], line[4:6], line[6:8], line[9:11], line[12:14], line[15:17]),
                        "sadr"      : re.search('SRC=(.*?) ', line).groups()[0],
                        "sipv"      : "ipv" + ip4or6(re.search('SRC=(.*?) ', line).groups()[0]),
                        "sprot"     : re.search('PROTO=(.*?) ', line).groups()[0].lower(),
                        "sport"     : re.search('SPT=(.*?) ', line).groups()[0],
                        "tipv"      : "ipv" + ip4or6(ECFG["ip"]),
                        "tadr"      : ECFG["ip"],
                        "tprot"     : re.search('PROTO=(.*?) ', line).groups()[0].lower(),
                        "tport"     : re.search('DPT=(.*?) ', line).groups()[0],
                      }

            REQUEST = {
                        "description" : "RDPDetect"
                      }


            # Collect additional Data

            ADATA =   {
                      }

            # generate template and send

            esm = buildews(esm,DATA,REQUEST,ADATA)
            jesm = buildjson(jesm,DATA,REQUEST,ADATA)

            countme(MODUL,'fileline',-2,ECFG)
            countme(MODUL,'daycounter', -2,ECFG)

            if ECFG["a.verbose"] is True:
                verbosemode(MODUL,DATA,REQUEST,ADATA)


    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y  > 1:
        logme(MODUL,"%s EWS alert records send ..." % (x+y-2),("P2"),ECFG)
    return
Beispiel #35
0
def honeytrap():

    MODUL  = "HONEYTRAP"
    logme(MODUL,"Starting Honeytrap Modul.",("P1"),ECFG)

    # collect honeypot config dic

    ITEMS  = ("honeytrap","nodeid","attackerfile","payloaddir","newversion")
    HONEYPOT = readcfg(MODUL,ITEMS,ECFG["cfgfile"])

    # Attacking file exists ?

    if os.path.isfile(HONEYPOT["attackerfile"]) is False:
        logme(MODUL,"[ERROR] Missing Attacker File " + HONEYPOT["attackerfile"] + ". Abort !",("P3","LOG"),ECFG)

    # Payloaddir exist ?

    if os.path.isdir(HONEYPOT["payloaddir"]) is False:
        logme(MODUL,"[ERROR] Missing Payload Dir " + HONEYPOT["payloaddir"] + ". Abort !",("P3","LOG"),ECFG)

    # New Version are use ?

    if HONEYPOT["newversion"].lower() == "true" and not os.path.isdir(HONEYPOT["payloaddir"]):
        logme(MODUL,"[ERROR] Missing Payload Directory " + HONEYPOT["payloaddir"] + ". Abort !",("P3","LOG"),ECFG)

    # Calc MD5sum for Payloadfiles

    if HONEYPOT["newversion"].lower() == "true":
       logme(MODUL,"Calculate MD5sum for Payload Files",("P2"),ECFG)

       for i in os.listdir(HONEYPOT["payloaddir"]):
           if not "_md5_" in i:
            filein = HONEYPOT["payloaddir"] + os.sep + i
            os.rename(filein,filein + "_md5_" +  hashlib.md5(open(filein, 'rb').read()).hexdigest())

    # count limit

    imin = int(countme(MODUL,'fileline',-1,ECFG))

    if int(ECFG["sendlimit"]) > 0:
        logme(MODUL,"Send Limit is set to : " + str(ECFG["sendlimit"]) + ". Adapting to limit!",("P1"),ECFG)

    I = 0 ; x = 0 ; y = 1

    esm = ewsauth(ECFG["username"],ECFG["token"])
    jesm = [ ]

    while True:

        x,y = viewcounter(MODUL,x,y)

        I += 1

        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break

        line = getline(HONEYPOT["attackerfile"],(imin + I)).rstrip()

        if len(line) == 0:
            break
        else:
            line = re.sub(r'  ',r' ',re.sub(r'[\[\]\-\>]',r'',line))

            if HONEYPOT["newversion"].lower() == "false":
                date , time , _ , source, dest, _ = line.split(" ",5)
                protocol = "" ; md5 = ""
            else:
                date , time , _ , protocol, source, dest, md5, _ = line.split(" ",7)

            # Prepair and collect Alert Data

            DATA =    {
                        "aid"       : HONEYPOT["nodeid"],
                        "timestamp" : "%s-%s-%s %s" % (date[0:4], date[4:6], date[6:8], time[0:8]),
                        "sadr"      : re.sub(":.*$","",source),
                        "sipv"      : "ipv" + ip4or6(re.sub(":.*$","",source)),
                        "sprot"     : protocol,
                        "sport"     : re.sub("^.*:","",source),
                        "tipv"      : "ipv" + ip4or6(re.sub(":.*$","",dest)),
                        "tadr"      : re.sub(":.*$","",dest),
                        "tprot"     : protocol,
                        "tport"     : re.sub("^.*:","",dest),
                      }


            REQUEST = { 
                        "description" : "NetworkHoneypot Honeytrap vX.x"
                      }

            # Search for Payload

            if HONEYPOT["newversion"].lower() == "true":
                sfile = "from_port_%s-%s_*_%s-%s-%s_md5_%s" % (re.sub("^.*:","",dest),protocol,date[0:4], date[4:6], date[6:8],md5)

                for mfile in os.listdir(HONEYPOT["payloaddir"]):
                   if fnmatch.fnmatch(mfile, sfile):
                       error , payloadfile = malware(HONEYPOT["payloaddir"],mfile,False)
                       if error == 0:
                           REQUEST["raw"] = payloadfile
                       else:
                           logme(MODUL,"Mission Malwarefile %s" % row["filename"] ,("P1","LOG"),ECFG)


            # Collect additional Data

            ADATA = {
                    }

            # generate template and send

            esm = buildews(esm,DATA,REQUEST,ADATA)
            jesm = buildjson(jesm,DATA,REQUEST,ADATA)

            countme(MODUL,'fileline',-2,ECFG)
            countme(MODUL,'daycounter', -2,ECFG)

            if ECFG["a.verbose"] is True:
                verbosemode(MODUL,DATA,REQUEST,ADATA)


    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y  > 1:
        logme(MODUL,"%s EWS alert records send ..." % (x+y-2),("P2"),ECFG)
    return
Beispiel #36
0
def conpot():
    MODUL = "CONPOT"
    logme(MODUL, "Starting Conpot Modul.", ("P1"), ECFG)

    # collect honeypot config dic

    ITEMS = ("conpot", "nodeid", "logfile")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    # logfile file exists ?

    if os.path.isfile(HONEYPOT["logfile"]) is False:
        logme(MODUL,
              "[ERROR] Missing LogFile " + HONEYPOT["logfile"] + ". Skip !",
              ("P3", "LOG"), ECFG)

    # count limit

    imin = int(countme(MODUL, 'fileline', -1, ECFG))

    if int(ECFG["sendlimit"]) > 0:
        logme(
            MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) +
            ". Adapting to limit!", ("P1"), ECFG)

    I = 0
    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    while True:

        x, y = viewcounter(MODUL, x, y)

        I += 1

        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break

        line = getline(HONEYPOT["logfile"], (imin + I)).rstrip()

        if len(line) == 0:
            break
        else:
            # parse json
            try:
                content = json.loads(line)
            except ValueError, e:
                logme(
                    MODUL, "Invalid json entry found in line " + str(I) +
                    ", skipping entry.", ("P3"), ECFG)
                countme(MODUL, 'fileline', -2, ECFG)
                countme(MODUL, 'daycounter', -2, ECFG)
                pass  # invalid json
            else:
                DATA = {
                    "aid":
                    HONEYPOT["nodeid"],
                    "timestamp":
                    "%s-%s-%s %s" %
                    (content['timestamp'][0:4], content['timestamp'][5:7],
                     content['timestamp'][8:10], content['timestamp'][11:19]),
                    "sadr":
                    "%s" % content['src_ip'],
                    "sipv":
                    "ipv4",
                    "sprot":
                    "tcp",
                    "sport":
                    "%d" % content['src_port'],
                    "tipv":
                    "ipv4",
                    "tadr":
                    "%s" % content['dst_ip'],
                    "tprot":
                    "tcp",
                    "tport":
                    "undefined",
                }

                REQUEST = {
                    "description": "Conpot Honeypot",
                }

                # Collect additional Data

                ADATA = {
                    "conpot_event_type": "%s" % content['event_type'],
                    "conpot_data_type": "%s" % content['data_type'],
                    "conpot_sensor_id": "%s" % content['sensorid'],
                    "conpot_request": "%s" % content['request'],
                    "conpot_id": "%s" % content['id'],
                    "conpot_response": "%s" % content['response']
                }

                # generate template and send

                esm = buildews(esm, DATA, REQUEST, ADATA)
                jesm = buildjson(jesm, DATA, REQUEST, ADATA)

                countme(MODUL, 'fileline', -2, ECFG)
                countme(MODUL, 'daycounter', -2, ECFG)

                if ECFG["a.verbose"] is True:
                    verbosemode(MODUL, DATA, REQUEST, ADATA)
Beispiel #37
0
                  ("VERBOSE"), ECFG)
            logme(MODUL, "Header        : %s" % (webservice.headers),
                  ("VERBOSE"), ECFG)
            logme(MODUL, "Body          : %s" % (webservice.text), ("VERBOSE"),
                  ECFG)
            logme(MODUL, "", ("VERBOSE"), ECFG)

        return True

    except requests.exceptions.Timeout, e:
        logme(MODUL, "Timeout to remote host %s (%s)" % (host, str(e)),
              ("LOG", "VERBOSE"), ECFG)
        return False

    except requests.exceptions.ConnectionError, e:
        logme(MODUL, "Remote host %s didn't answers ! (%s)" % (host, str(e)),
              ("LOG", "VERBOSE"), ECFG)
        return False

    except requests.exceptions.HTTPError, e:
        logme(MODUL, "HTTP Errorcode != 200 (%s)" % (str(e)),
              ("LOG", "VERBOSE"), ECFG)
        return False

    except OpenSSL.SSL.WantWriteError, e:
        logme(MODUL, "OpenSSL Write Buffer too small", ("LOG", "VERBOSE"),
              ECFG)
        return False


def viewcounter(MODUL, x, y):
Beispiel #38
0
def emobility():

    MODUL  = "EMOBILITY"
    logme(MODUL,"Starting eMobility Modul.",("P1"),ECFG)

    # collect honeypot config dic

    ITEMS  = ("eMobility","nodeid","logfile")
    HONEYPOT = readcfg(MODUL,ITEMS,ECFG["cfgfile"])

    # logfile file exists ?

    if os.path.isfile(HONEYPOT["logfile"]) is False:
        logme(MODUL,"[ERROR] Missing LogFile " + HONEYPOT["logfile"] + ". Skip !",("P3","LOG"),ECFG)

    # count limit

    imin = int(countme(MODUL,'fileline',-1,ECFG))

    if int(ECFG["sendlimit"]) > 0:
        logme(MODUL,"Send Limit is set to : " + str(ECFG["sendlimit"]) + ". Adapting to limit!",("P1"),ECFG)

    I = 0 ; x = 0 ; y = 1

    esm = ewsauth(ECFG["username"],ECFG["token"])
    jesm = ""

    while True:

        x,y = viewcounter(MODUL,x,y)

        I += 1

        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break

        line = getline(HONEYPOT["logfile"],(imin + I)).rstrip()

        if len(line) == 0:
            break
        else:
            # Prepair and collect Alert Data

            line = re.sub(r'  ',r' ',re.sub(r'[\[\]\-\>]',r'',line))

            srcipandport, dstipandport, url, dateandtime =  line.split("|",3)

            DATA =    {
                        "aid"       : HONEYPOT["nodeid"],
                        "timestamp" : "%s-%s-%s %s" % (dateandtime[0:4], dateandtime[4:6], dateandtime[6:8], dateandtime[9:17]),
                        "sadr"      : "%s.%s.%s.%s" % (srcipandport.split(".")[0], srcipandport.split(".")[1], srcipandport.split(".")[2], srcipandport.split(".")[3]),
                        "sipv"      : "ipv4",
                        "sprot"     : "tcp",
                        "sport"     : srcipandport.split(".")[4],
                        "tipv"      : "ipv4",
                        "tadr"      : "%s.%s.%s.%s" % (dstipandport.split(".")[0], dstipandport.split(".")[1], dstipandport.split(".")[2], dstipandport.split(".")[3]),
                        "tprot"     : "tcp",
                        "tport"     : dstipandport.split(".")[4],
                      }

            REQUEST = {
                        "description" : "eMobility Honeypot",
                        "url"         : urllib.quote(url.encode('ascii', 'ignore'))
                      }


            # Collect additional Data

            ADATA =   {
                      }

            # generate template and send

            esm = buildews(esm,DATA,REQUEST,ADATA)
            jesm = buildjson(jesm,DATA,REQUEST,ADATA)

            countme(MODUL,'fileline',-2,ECFG)
            countme(MODUL,'daycounter', -2,ECFG)

            if ECFG["a.verbose"] is True:
                verbosemode(MODUL,DATA,REQUEST,ADATA)

    # Cleaning linecache
    clearcache()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y  > 1:
        logme(MODUL,"%s EWS alert records send ..." % (x+y-2),("P2"),ECFG)
    return
Beispiel #39
0
def honeytrap():

    MODUL = "HONEYTRAP"
    logme(MODUL, "Starting Honeytrap Modul.", ("P1"), ECFG)

    # collect honeypot config dic

    ITEMS = ("honeytrap", "nodeid", "attackerfile", "payloaddir", "newversion")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    # Attacking file exists ?

    if os.path.isfile(HONEYPOT["attackerfile"]) is False:
        logme(
            MODUL, "[ERROR] Missing Attacker File " +
            HONEYPOT["attackerfile"] + ". Abort !", ("P3", "LOG"), ECFG)

    # Payloaddir exist ?

    if os.path.isdir(HONEYPOT["payloaddir"]) is False:
        logme(
            MODUL, "[ERROR] Missing Payload Dir " + HONEYPOT["payloaddir"] +
            ". Abort !", ("P3", "LOG"), ECFG)

    # New Version are use ?

    if HONEYPOT["newversion"].lower() == "true" and not os.path.isdir(
            HONEYPOT["payloaddir"]):
        logme(
            MODUL, "[ERROR] Missing Payload Directory " +
            HONEYPOT["payloaddir"] + ". Abort !", ("P3", "LOG"), ECFG)

    # Calc MD5sum for Payloadfiles

    if HONEYPOT["newversion"].lower() == "true":
        logme(MODUL, "Calculate MD5sum for Payload Files", ("P2"), ECFG)

        for i in os.listdir(HONEYPOT["payloaddir"]):
            if not "_md5_" in i:
                filein = HONEYPOT["payloaddir"] + os.sep + i
                os.rename(
                    filein, filein + "_md5_" +
                    hashlib.md5(open(filein, 'rb').read()).hexdigest())

    # count limit

    imin = int(countme(MODUL, 'fileline', -1, ECFG))

    if int(ECFG["sendlimit"]) > 0:
        logme(
            MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) +
            ". Adapting to limit!", ("P1"), ECFG)

    I = 0
    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    while True:

        x, y = viewcounter(MODUL, x, y)

        I += 1

        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break

        line = getline(HONEYPOT["attackerfile"], (imin + I)).rstrip()

        if len(line) == 0:
            break
        else:
            line = re.sub(r'  ', r' ', re.sub(r'[\[\]\-\>]', r'', line))

            if HONEYPOT["newversion"].lower() == "false":
                date, time, _, source, dest, _ = line.split(" ", 5)
                protocol = ""
                md5 = ""
            else:
                date, time, _, protocol, source, dest, md5, _ = line.split(
                    " ", 7)

            #  Prepair and collect Alert Data

            DATA = {
                "aid":
                HONEYPOT["nodeid"],
                "timestamp":
                "%s-%s-%s %s" % (date[0:4], date[4:6], date[6:8], time[0:8]),
                "sadr":
                re.sub(":.*$", "", source),
                "sipv":
                "ipv" + ip4or6(re.sub(":.*$", "", source)),
                "sprot":
                protocol,
                "sport":
                re.sub("^.*:", "", source),
                "tipv":
                "ipv" + ip4or6(re.sub(":.*$", "", dest)),
                "tadr":
                re.sub(":.*$", "", dest),
                "tprot":
                protocol,
                "tport":
                re.sub("^.*:", "", dest),
            }

            REQUEST = {"description": "NetworkHoneypot Honeytrap v1.1"}

            # Search for Payload

            if HONEYPOT["newversion"].lower() == "true":
                sfile = "from_port_%s-%s_*_%s-%s-%s_md5_%s" % (re.sub(
                    "^.*:", "",
                    dest), protocol, date[0:4], date[4:6], date[6:8], md5)

                for mfile in os.listdir(HONEYPOT["payloaddir"]):
                    if fnmatch.fnmatch(mfile, sfile):
                        error, payloadfile = malware(HONEYPOT["payloaddir"],
                                                     mfile, False)
                        if error == 0:
                            REQUEST["raw"] = payloadfile
                        else:
                            logme(MODUL,
                                  "Mission Malwarefile %s" % row["filename"],
                                  ("P1", "LOG"), ECFG)

            # Collect additional Data

            ADATA = {}

            # generate template and send

            esm = buildews(esm, DATA, REQUEST, ADATA)
            jesm = buildjson(jesm, DATA, REQUEST, ADATA)

            countme(MODUL, 'fileline', -2, ECFG)
            countme(MODUL, 'daycounter', -2, ECFG)

            if ECFG["a.verbose"] is True:
                verbosemode(MODUL, DATA, REQUEST, ADATA)

    # Cleaning linecache
    clearcache()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 2), ("P2"),
              ECFG)
    return
Beispiel #40
0
def getOwnExternalIP(ECFG):
    #  try from env variable
    try:
        if os.environ.get('MY_EXTIP') is not None:
            if ipaddress.ip_address(str(os.environ.get('MY_EXTIP'))).is_global:
                return os.environ.get('MY_EXTIP')
            else:
                logme(
                    "Main",
                    "[ERROR] Environment variable MY_EXTIP is not a public IP",
                    ("P1", "Log"), ECFG)
                pass
        else:
            logme("Main", "[INFO] Environment variable MY_EXTIP not set",
                  ("P1", "Log"), ECFG)
    except:
        logme("Main",
              "[ERROR] Environment variable MY_EXTIP contains no IP address",
              ("P1", "Log"), ECFG)

    # try ews.ip file
    ewsip = ECFG["path2"] + os.sep + "ews.ip"

    if os.path.isfile(ewsip):
        pubipfile = readonecfg("MAIN", "ip", ewsip)
        if pubipfile.lower() == "null" or pubipfile.lower(
        ) == "false" or pubipfile.lower() == "unknown":
            logme(
                "Main",
                "[ERROR] ews.ip contained no ip section or empty value for ip. ",
                ("P1", "Log"), ECFG)
            pass
        else:
            try:
                if ipaddress.ip_address(str(pubipfile)).is_global:
                    return pubipfile
                else:
                    logme("Main",
                          "[ERROR] IP address in ews.ip is not a public IP",
                          ("P1", "Log"), ECFG)
                    pass
            except:
                logme("Main", "[ERROR] ews.ip contains no IP address",
                      ("P1", "Log"), ECFG)

    # try the IP from ews.cfg
    configip = readonecfg("MAIN", "ip", ECFG["cfgfile"])
    try:
        if ipaddress.ip_address(str(configip)).is_global:
            return configip
        else:
            logme("Main", "[ERROR] IP address in ews.cfg is not a public IP",
                  ("P1", "Log"), ECFG)
            pass
    except:
        logme("Main", "[ERROR]] ews.cfg contains no IP address", ("P1", "Log"),
              ECFG)

    # try from public service
    try:
        extip = get('https://api.ipify.org', timeout=5).text
        if ipaddress.ip_address(str(extip)).is_global:
            return extip
        else:
            logme(
                "Main",
                "[ERROR] IP address returned from external service is not a public IP, this should never happen...",
                ("P1", "Log"), ECFG)
            pass
    except:
        logme(
            "Main",
            "[ERROR] Could not determine a valid public IP using external service",
            ("P1", "Log"), ECFG)

    return False
Beispiel #41
0
    def filelist(DIR):

        if os.path.isdir(DIR) is not True:
            logme(MODUL,"Error missing dir " + DIR + " Abort !",("P1","EXIT"),ECFG)
        else:
            return os.listdir(DIR)
Beispiel #42
0
def glastopfv3():

    MODUL = "GLASTOPFV3"
    logme(MODUL, "Starting Glastopf V3.x Modul.", ("P1"), ECFG)

    # collect honeypot config dic

    ITEMS = ("glastopfv3", "nodeid", "sqlitedb", "malwaredir")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])

    if HONEYPOT["ip"].lower() == "false" or HONEYPOT["ip"].lower() == "null":
        HONEYPOT["ip"] = ECFG["ip"]

    # Malwaredir exist ? Issue in Glastopf ! RFI Directory first create when the first RFI was downloaded

    #if os.path.isdir(HONEYPOT["malwaredir"]) == False:
    #    logme(MODUL,"[ERROR] Missing Malware Dir " + HONEYPOT["malwaredir"] + ". Abort !",("P3","LOG"),ECFG)
    #    return

    # is sqlitedb exist ?

    if os.path.isfile(HONEYPOT["sqlitedb"]) is False:
        logme(
            MODUL, "[INFO] Missing sqlitedb file " + HONEYPOT["sqlitedb"] +
            ". Skip !", ("P3", "LOG"), ECFG)
        return

    # open database

    con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
    con.row_factory = sqlite3.Row
    c = con.cursor()

    # calculate send limit

    c.execute("SELECT max(id) from events")

    maxid = c.fetchone()["max(id)"]

    if maxid is None:
        logme(MODUL, "[INFO] No entry's in Glastopf Database. Skip !",
              ("P2", "LOG"), ECFG)
        return

    imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)),
                            int(maxid), ECFG)

    # read alerts from database

    c.execute("SELECT * from events where id > ? and id <= ?;", (imin, imax))
    rows = c.fetchall()

    # counter inits

    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    for row in rows:

        x, y = viewcounter(MODUL, x, y)

        # filter empty requests and nagios checks

        if row["request_url"] == os.sep or row[
                "request_url"] == "/index.do?hash=DEADBEEF&activate=1":
            countme(MODUL, 'sqliteid', row["id"], ECFG)
            continue

        # Prepair and collect Alert Data

        DATA = {
            "aid": HONEYPOT["nodeid"],
            "timestamp": row["time"],
            "sadr": re.sub(":.*$", "", row["source"]),
            "sipv": "ipv" + ip4or6(re.sub(":.*$", "", row["source"])),
            "sprot": "tcp",
            "sport": "",
            "tipv": "ipv" + ip4or6(HONEYPOT["ip"]),
            "tadr": HONEYPOT["ip"],
            "tprot": "tcp",
            "tport": "80",
        }

        REQUEST = {
            "description": "WebHoneypot : Glastopf v3.1",
            "url": urllib.quote(row["request_url"].encode('ascii', 'ignore'))
        }

        if "request_raw" in row.keys() and len(row["request_raw"]) > 0:
            REQUEST["raw"] = base64.encodestring(row["request_raw"].encode(
                'ascii', 'ignore'))

        if "filename" in row.keys() and row["filename"] != None:
            error, malwarefile = malware(HONEYPOT["malwaredir"],
                                         row["filename"],
                                         ECFG["del_malware_after_send"])
            if error == 0:
                REQUEST["binary"] = malwarefile
            else:
                logme(MODUL, "Mission Malwarefile %s" % row["filename"],
                      ("P1", "LOG"), ECFG)

        # Collect additional Data

        ADATA = {
            "sqliteid": row["id"],
        }

        if "request_method" in row.keys():
            ADATA["httpmethod"] = row["request_method"]

        if "request_raw" in row.keys():
            m = re.search(r'Host: (\b.+\b)', row["request_raw"], re.M)
            if m:
                ADATA["host"] = str(m.group(1))

        if "request_header" in row.keys():
            if 'Host' in json.loads(row["request_header"]):
                ADATA["host"] = str(json.loads(row["request_header"])["Host"])

        if "request_body" in row.keys():
            if len(row["request_body"]) > 0:
                ADATA["requestbody"] = row["request_body"]

        esm = buildews(esm, DATA, REQUEST, ADATA)
        if "request_body" in row.keys():
            if len(row["request_body"]) > 0:
                ADATA["requestbody"] = row["request_body"]

        esm = buildews(esm, DATA, REQUEST, ADATA)
        jesm = buildjson(jesm, DATA, REQUEST, ADATA)

        countme(MODUL, 'sqliteid', row["id"], ECFG)
        countme(MODUL, 'daycounter', -2, ECFG)

        if ECFG["a.verbose"] is True:
            verbosemode(MODUL, DATA, REQUEST, ADATA)

    con.close()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"),
              ECFG)
    return
Beispiel #43
0
def rdpdetect():

    MODUL = "RDPDETECT"
    logme(MODUL, "Starting RDPDetect Modul.", ("P1"), ECFG)

    # collect honeypot config dic

    ITEMS = ("rdpdetect", "nodeid", "iptableslog", "targetip")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    # iptables file exists ?

    if os.path.isfile(HONEYPOT["iptableslog"]) is False:
        logme(
            MODUL, "[ERROR] Missing Iptables LogFile " +
            HONEYPOT["iptableslog"] + ". Abort !", ("P3", "LOG"), ECFG)

    # count limit

    imin = int(countme(MODUL, 'fileline', -1, ECFG))

    if int(ECFG["sendlimit"]) > 0:
        logme(
            MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) +
            ". Adapting to limit!", ("P1"), ECFG)

    I = 0
    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    while True:

        x, y = viewcounter(MODUL, x, y)

        I += 1

        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break

        line = getline(HONEYPOT["iptableslog"], (imin + I)).rstrip()

        if len(line) == 0:
            break
        else:
            line = re.sub(r'  ', r' ', re.sub(r'[\[\]\-\>]', r'', line))

            if HONEYPOT["targetip"] == re.search('SRC=(.*?) ',
                                                 line).groups()[0]:
                continue

            # Prepair and collect Alert Data

            DATA = {
                "aid":
                HONEYPOT["nodeid"],
                "timestamp":
                "%s-%s-%s %s:%s:%s" % (line[0:4], line[4:6], line[6:8],
                                       line[9:11], line[12:14], line[15:17]),
                "sadr":
                re.search('SRC=(.*?) ', line).groups()[0],
                "sipv":
                "ipv" + ip4or6(re.search('SRC=(.*?) ', line).groups()[0]),
                "sprot":
                re.search('PROTO=(.*?) ', line).groups()[0].lower(),
                "sport":
                re.search('SPT=(.*?) ', line).groups()[0],
                "tipv":
                "ipv" + ip4or6(ECFG["ip"]),
                "tadr":
                ECFG["ip"],
                "tprot":
                re.search('PROTO=(.*?) ', line).groups()[0].lower(),
                "tport":
                re.search('DPT=(.*?) ', line).groups()[0],
            }

            REQUEST = {"description": "RDPDetect"}

            # Collect additional Data

            ADATA = {}

            # generate template and send

            esm = buildews(esm, DATA, REQUEST, ADATA)
            jesm = buildjson(jesm, DATA, REQUEST, ADATA)

            countme(MODUL, 'fileline', -2, ECFG)
            countme(MODUL, 'daycounter', -2, ECFG)

            if ECFG["a.verbose"] is True:
                verbosemode(MODUL, DATA, REQUEST, ADATA)

    # Cleaning linecache
    clearcache()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 2), ("P2"),
              ECFG)
    return
Beispiel #44
0
def dionaea():

    MODUL  = "DIONAEA"
    logme(MODUL,"Starting Dionaea Modul.",("P1"),ECFG)

    # collect honeypot config dic

    ITEMS  = ("dionaea","nodeid","sqlitedb","malwaredir")
    HONEYPOT = readcfg(MODUL,ITEMS,ECFG["cfgfile"])

    # Malwaredir exist ?

    if os.path.isdir(HONEYPOT["malwaredir"]) is False:
        logme(MODUL,"[ERROR] Missing Malware Dir " + HONEYPOT["malwaredir"] + ". Abort !",("P3","LOG"),ECFG)

     # is sqlitedb exist ?

    if os.path.isfile(HONEYPOT["sqlitedb"]) is False:
        logme(MODUL,"[ERROR] Missing sqlitedb file " + HONEYPOT["sqlitedb"] + ". Abort !",("P3","LOG"),ECFG)
        return

    # open database

    con = sqlite3.connect(HONEYPOT["sqlitedb"],30)
    con.row_factory = sqlite3.Row
    c = con.cursor()

    # calculate send limit

    c.execute("SELECT max(connection) from connections;")

    maxid = c.fetchone()["max(connection)"]

    if maxid is None:
        logme(MODUL,"[ERROR] No entry's in Dionaea Database. Abort!",("P2","LOG"),ECFG)
        return

    imin, imax = calcminmax(MODUL,int(countme(MODUL,'sqliteid',-1,ECFG)),int(maxid),ECFG)

    # read alerts from database

    c.execute("SELECT * from connections where connection > ? and connection <= ?;",(imin,imax,))
    rows = c.fetchall()

    # counter inits

    x = 0 ; y = 1

    esm = ewsauth(ECFG["username"],ECFG["token"])
    jesm = [ ]

    for row in rows:

        x,y = viewcounter(MODUL,x,y)

        # filter empty remote_host

        if row["remote_host"] == "": 
            countme(MODUL,'sqliteid',row["connection"],ECFG)
            continue

        # Prepair and collect Alert Data

        DATA =   {
                    "aid"       : HONEYPOT["nodeid"],
                    "timestamp" : datetime.fromtimestamp(int(row["connection_timestamp"])).strftime('%Y-%m-%d %H:%M:%S'),
                    "sadr"      : str(row["remote_host"]),
                    "sipv"      : "ipv" + ip4or6(str(row["remote_host"])),
                    "sprot"     : str(row["connection_type"]),
                    "sport"     : str(row["remote_port"]),
                    "tipv"      : "ipv" + ip4or6(str(row["local_host"])),
                    "tadr"      : str(row["local_host"]),
                    "tprot"     : str(row["connection_type"]),
                    "tport"     : str(row["local_port"]),
                  }

        REQUEST = {
                    "description" : "Network Honeyport Dionaea vX.x",
                  }

        # Check for malware bin's

        c.execute("SELECT download_md5_hash from downloads where connection = ?;",(str(row["connection"]),))
        check = c.fetchone()

        if check is not None:
           error,malwarefile = malware(HONEYPOT["malwaredir"],check[0],ECFG["del_malware_after_send"])
           if error == 0:
               REQUEST["binary"] = malwarefile
           else:
               logme(MODUL,"Mission Malwarefile %s" % row["filename"] ,("P1","LOG"),ECFG)

        # Collect additional Data

        ADATA = {
                 "sqliteid"    : str(row["connection"]),
                }

        # generate template and send

        esm = buildews(esm,DATA,REQUEST,ADATA)
        jesm = buildjson(jesm,DATA,REQUEST,ADATA)

        countme(MODUL,'sqliteid',row["connection"],ECFG)
        countme(MODUL,'daycounter', -2,ECFG)

        if ECFG["a.verbose"] is True:
            verbosemode(MODUL,DATA,REQUEST,ADATA)

    con.close()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y  > 1:
        logme(MODUL,"%s EWS alert records send ..." % (x+y-1),("P2"),ECFG)
    return
Beispiel #45
0
def cowrie():

    MODUL = "COWRIE"
    logme(MODUL, "Starting Cowrie Modul.", ("P1"), ECFG)

    # collect honeypot config dic

    ITEMS = ("cowrie", "nodeid", "logfile")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])

    if HONEYPOT["ip"].lower() == "false" or HONEYPOT["ip"].lower() == "null":
        HONEYPOT["ip"] = ECFG["ip"]

    # logfile file exists ?

    if os.path.isfile(HONEYPOT["logfile"]) is False:
        logme(MODUL,
              "[ERROR] Missing LogFile " + HONEYPOT["logfile"] + ". Skip !",
              ("P3", "LOG"), ECFG)

    # count limit

    imin = int(countme(MODUL, 'fileline', -1, ECFG))

    if int(ECFG["sendlimit"]) > 0:
        logme(
            MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) +
            ". Adapting to limit!", ("P1"), ECFG)

    I = 0
    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    # dict to gather session information
    cowriesessions = {}
    sessionstosend = []

    while True:

        x, y = viewcounter(MODUL, x, y)

        I += 1

        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break

        line = getline(HONEYPOT["logfile"], (imin + I)).rstrip()
        currentline = imin + I

        if len(line) == 0:
            break
        else:
            # parse json
            try:
                content = json.loads(line)
            except ValueError, e:
                logme(
                    MODUL, "Invalid json entry found in line " + str(I) +
                    ", skipping entry.", ("P3"), ECFG)
                countme(MODUL, 'fileline', -2, ECFG)
                countme(MODUL, 'daycounter', -2, ECFG)
                pass  # invalid json
            else:
                # if new session is started, store session-related info
                if (content['eventid'] == "cowrie.session.connect"):
                    # create empty session content: structure will be the same as kippo
                    # | id  | username | password | success | logintimestamp | session | sessionstarttime| sessionendtime | ip | cowrieip | version| src_port|dst_port
                    cowriesessions[content["session"]] = [
                        I, '', '', '', '', content["session"],
                        content["timestamp"], '', content["src_ip"],
                        content["sensor"], '', content["src_port"],
                        content["dst_port"]
                    ]

                # store correponding ssh client version
                if (content['eventid'] == "cowrie.client.version"):
                    if content["session"] in cowriesessions:
                        cowriesessions[
                            content["session"]][10] = content["version"]

                # create successful login
                if (content['eventid'] == "cowrie.login.success"):
                    if content["session"] in cowriesessions:
                        cowriesessions[content["session"]][0] = currentline
                        cowriesessions[content["session"]][3] = "Success"
                        cowriesessions[
                            content["session"]][1] = content["username"]
                        cowriesessions[
                            content["session"]][2] = content["password"]
                        cowriesessions[
                            content["session"]][4] = content["timestamp"]
                        sessionstosend.append(
                            deepcopy(cowriesessions[content["session"]]))

                # create failed login
                elif (content['eventid'] == "cowrie.login.failed"):
                    if content["session"] in cowriesessions:
                        cowriesessions[content["session"]][0] = currentline
                        cowriesessions[content["session"]][3] = "Fail"
                        cowriesessions[
                            content["session"]][1] = content["username"]
                        cowriesessions[
                            content["session"]][2] = content["password"]
                        cowriesessions[
                            content["session"]][4] = content["timestamp"]
                        sessionstosend.append(
                            deepcopy(cowriesessions[content["session"]]))

                # store session close
                if (content['eventid'] == "cowrie.session.closed"):
                    for n, i in enumerate(sessionstosend):
                        if (i[5] == content["session"]):
                            i[7] = content["timestamp"]
Beispiel #46
0
def dionaea():

    MODUL = "DIONAEA"
    logme(MODUL, "Starting Dionaea Modul.", ("P1"), ECFG)

    # collect honeypot config dic

    ITEMS = ("dionaea", "nodeid", "sqlitedb", "malwaredir")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    # Malwaredir exist ?

    if os.path.isdir(HONEYPOT["malwaredir"]) is False:
        logme(
            MODUL, "[ERROR] Missing Malware Dir " + HONEYPOT["malwaredir"] +
            ". Abort !", ("P3", "LOG"), ECFG)

    # is sqlitedb exist ?

    if os.path.isfile(HONEYPOT["sqlitedb"]) is False:
        logme(
            MODUL, "[ERROR] Missing sqlitedb file " + HONEYPOT["sqlitedb"] +
            ". Abort !", ("P3", "LOG"), ECFG)
        return

    # open database

    con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
    con.row_factory = sqlite3.Row
    c = con.cursor()

    # calculate send limit

    c.execute("SELECT max(connection) from connections;")

    maxid = c.fetchone()["max(connection)"]

    if maxid is None:
        logme(MODUL, "[INFO] No entry's in Dionaea Database. Skip !",
              ("P2", "LOG"), ECFG)
        return

    imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)),
                            int(maxid), ECFG)

    # read alerts from database

    c.execute(
        "SELECT * from connections where connection > ? and connection <= ?;",
        (
            imin,
            imax,
        ))
    rows = c.fetchall()

    # counter inits

    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    for row in rows:

        x, y = viewcounter(MODUL, x, y)

        # filter empty remote_host

        if row["remote_host"] == "":
            countme(MODUL, 'sqliteid', row["connection"], ECFG)
            continue

        # Prepair and collect Alert Data

        DATA = {
            "aid":
            HONEYPOT["nodeid"],
            "timestamp":
            datetime.fromtimestamp(int(
                row["connection_timestamp"])).strftime('%Y-%m-%d %H:%M:%S'),
            "sadr":
            str(row["remote_host"]),
            "sipv":
            "ipv" + ip4or6(str(row["remote_host"])),
            "sprot":
            str(row["connection_type"]),
            "sport":
            str(row["remote_port"]),
            "tipv":
            "ipv" + ip4or6(str(row["local_host"])),
            "tadr":
            str(row["local_host"]),
            "tprot":
            str(row["connection_type"]),
            "tport":
            str(row["local_port"]),
        }

        REQUEST = {
            "description": "Network Honeyport Dionaea v0.1.0",
        }

        # Check for malware bin's

        c.execute(
            "SELECT download_md5_hash from downloads where connection = ?;",
            (str(row["connection"]), ))
        check = c.fetchone()

        if check is not None:
            error, malwarefile = malware(HONEYPOT["malwaredir"], check[0],
                                         ECFG["del_malware_after_send"])
            if error == 0:
                REQUEST["binary"] = malwarefile
            else:
                logme(MODUL, "Mission Malwarefile %s" % check[0],
                      ("P1", "LOG"), ECFG)

        # Collect additional Data

        ADATA = {
            "sqliteid": str(row["connection"]),
        }

        # generate template and send

        esm = buildews(esm, DATA, REQUEST, ADATA)
        jesm = buildjson(jesm, DATA, REQUEST, ADATA)

        countme(MODUL, 'sqliteid', row["connection"], ECFG)
        countme(MODUL, 'daycounter', -2, ECFG)

        if ECFG["a.verbose"] is True:
            verbosemode(MODUL, DATA, REQUEST, ADATA)

    con.close()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"),
              ECFG)
    return
Beispiel #47
0
def sqlitedb(MODUL, DBPATH, ECFG):

    rows = []

    # is sqlitedb exist ?

    if os.path.isfile(DBPATH) == False:
        logme(MODUL, "[ERROR] Missing sqlitedb file " + DBPATH + ". Abort !",
              ("P3", "LOG"), ECFG)
        return 1, rows

    # open database

    try:
        con = sqlite3.connect(DBPATH, 30)
        con.row_factory = sqlite3.Row
        cur = con.cursor()

    except sqlite.Error as e:
        logme(MODUL, "[ERROR] Sqlite Error : %s . Abort !" % e.args[0],
              ("P3", "LOG"), ECFG)
        return 1, rows

    # calculate max alerts

    if MODUL == "GLASTOPFV3":
        cur.execute("SELECT max(id) from events")
        maxid = cur.fetchone()["max(id)"]
    elif MODUL == "DIONAEA":
        cur.execute("SELECT max(connection) from connections;")
        maxid = cur.fetchone()["max(connection)"]
    else:
        logme(MODUL, "[ERROR] Unknow Modul for Sqlite Database Access. Abort!",
              ("P2", "LOG"), ECFG)
        return 1, rows

    if maxid is None:
        logme(MODUL, "[ERROR] No entry's in Database %s. Abort!" % DBPATH,
              ("P2", "LOG"), ECFG)
        return 1, rows

    imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)),
                            int(maxid), ECFG)

    # read alerts from database

    if MODUL == "GLASTOPFV3":
        cur.execute("SELECT * from events where id > ? and id <= ?;", (
            imin,
            imax,
        ))
    elif MODUL == "DIONAEA":
        cur.execute(
            "SELECT * from connections where connection > ? and connection <= ?;",
            (
                imin,
                imax,
            ))
    else:
        logme(MODUL, "[ERROR] Unknow Modul for Sqlite Database Access. Abort!",
              ("P2", "LOG"), ECFG)
        return 1, rows

    rows = cur.fetchall()
    con.close()

    return 0, rows