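def sendMonitorIDMEF(sensorIP, text, processName, addInfo=None):
    """Send a sensor-health ("monitor") alert about *processName* on *sensorIP* to Prelude.

    Args:
        sensorIP: address written to alert.source(0); passed through unvalidated.
        text: alert.classification.text.
        processName: alert.source(0).process.name.
        addInfo: optional string stored in additional_data(0) under meaning "info".
            Tested with ``is not None`` so that an empty string is still sent.

    Returns:
        None. Every exception (for example a prelude-manager TLS certificate that
        is not trusted at registration time) is written to syslog and stdout
        instead of being raised, so a failed send never stops the caller.
    """
    try:
        # A fresh client is registered per alert under the "blackrain" profile.
        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()

        idmef = PreludeEasy.IDMEF()
        idmef.Set("alert.classification.text", text)
        idmef.Set("alert.source(0).node.address(0).address", sensorIP)
        idmef.Set("alert.assessment.impact.severity", "medium")
        idmef.Set("alert.assessment.impact.type", "other")
        idmef.Set("alert.source(0).process.name", processName)

        if addInfo is not None:
            idmef.Set("alert.additional_data(0).type", "string")
            idmef.Set("alert.additional_data(0).meaning", "info")
            idmef.Set("alert.additional_data(0).data", addInfo)

        client.SendIDMEF(idmef)
        return
    except Exception as e:
        # e.g. "sendMonitorIDMEF() : exception : TLS server certificate is NOT trusted."
        msg = "sendMonitorIDMEF() : exception : " + str(e)
        syslog.syslog(msg)
        print(msg)
        return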
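def sendHoneytrapIDMEF(srcIP, dstIP, dstPort, p0f, logEntry):
    """Raise an info-level alert for one inbound TCP connection seen by honeytrap.

    Args:
        srcIP: connecting (attacker) address; also used as attackerIP for the
            common sensor fields.
        dstIP, dstPort: honeytrap listener that accepted the connection.
        p0f: passive OS-fingerprint text, stored in the first free additional_data
            slot with meaning "p0f info". Attacker-influenced, stored as-is.
        logEntry: raw honeytrap log line handed to setIDMEFcommon.

    Returns:
        None. Failures are now reported to syslog and stdout like the sibling
        senders; the original returned silently, which made a broken Prelude
        client look exactly like "no connections".
    """
    try:
        attackerIP = srcIP
        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()
        idmef = PreludeEasy.IDMEF()

        # Common sensor/source/target fields. The return value is the index of
        # the next free additional_data slot, so our own entry starts there.
        fieldsSet = kojoney_idmef_common.setIDMEFcommon(
            idmef, "Honeypot", "02DEBE56", srcIP, dstIP, dstPort, attackerIP, logEntry)

        idmef.Set("alert.classification.text", "Inbound TCP connection to Honeytrap daemon")
        idmef.Set("alert.source(0).node.address(0).address", srcIP)
        idmef.Set("alert.target(0).node.address(0).address", dstIP)
        idmef.Set("alert.target(0).service.port", dstPort)
        idmef.Set("alert.target(0).service.iana_protocol_name", "tcp")
        idmef.Set("alert.target(0).service.iana_protocol_number", 6)
        idmef.Set("alert.target(0).service.ip_version", 4)
        idmef.Set("alert.source(0).process.name", "honeytrap")
        idmef.Set("alert.assessment.impact.severity", "info")
        idmef.Set("alert.assessment.impact.type", "other")
        idmef.Set("alert.assessment.impact.description", "Incoming connection to honeytrap TCP daemon")

        slot = "alert.additional_data(" + str(fieldsSet) + ")."
        idmef.Set(slot + "type", "string")
        idmef.Set(slot + "meaning", "p0f info")
        idmef.Set(slot + "data", p0f)

        client.SendIDMEF(idmef)
        return
    except Exception as e:
        msg = "sendHoneytrapIDMEF() : exception : " + str(e)
        print(msg)
        syslog.syslog(msg)
        return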
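def sendSpamholedEhloIDMEF(srcIP, dstIP, dstPort, text, ehloStr, logEntry):
    """Alert on an SMTP HELO/EHLO received by the spamhole honeypot.

    Bug fixed: ``attackerIP`` was referenced but never assigned, so the call to
    setIDMEFcommon raised NameError on every invocation and no spamhole alert was
    ever delivered. It is now ``srcIP``, as in the other senders in this module.

    Args:
        srcIP: sending (spammer) address.
        dstIP, dstPort: spamhole listener.
        text: used for both alert.classification.text and the impact description.
        ehloStr: the HELO/EHLO argument as sent by the client. Attacker-controlled
            and stored unmodified in additional_data.
        logEntry: raw log line for setIDMEFcommon.

    Returns:
        None; exceptions are printed and otherwise swallowed.
    """
    try:
        attackerIP = srcIP
        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()
        idmef = PreludeEasy.IDMEF()

        # Returns the index of the next free additional_data slot.
        fieldsSet = kojoney_idmef_common.setIDMEFcommon(
            idmef, "Honeypot", "02DEBE56", srcIP, dstIP, dstPort, attackerIP, logEntry)

        idmef.Set("alert.classification.text", text)
        idmef.Set("alert.source(0).node.address(0).address", srcIP)
        idmef.Set("alert.target(0).node.address(0).address", dstIP)
        idmef.Set("alert.target(0).service.port", dstPort)
        idmef.Set("alert.target(0).service.iana_protocol_name", "tcp")
        idmef.Set("alert.target(0).service.iana_protocol_number", 6)
        idmef.Set("alert.target(0).service.ip_version", 4)
        idmef.Set("alert.source(0).process.name", "spamhole")
        idmef.Set("alert.assessment.impact.completion", "succeeded")
        idmef.Set("alert.assessment.impact.severity", "medium")
        idmef.Set("alert.assessment.impact.description", text)

        slot = "alert.additional_data(" + str(fieldsSet) + ")."
        idmef.Set(slot + "type", "string")
        idmef.Set(slot + "meaning", "HELO/EHLO sent by Spammer")
        idmef.Set(slot + "data", ehloStr)

        result = client.SendIDMEF(idmef)
        return
    except Exception as e:
        print("Exception : " + str(e))
        return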
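def botjuicePHPIDMEF(fullFilename, logEntry):
    """Alert on the result of the BOTJUICER PHP-bot analysis of one file.

    Args:
        fullFilename: path of the analysed PHP file, stored as target file path.
        logEntry: analyser log line; only the text after "BOTJUICER=" is used,
            and that verdict is also what setIDMEFcommon receives. A verdict
            containing "Undetermined" is reported as low severity, anything else
            as high severity "bot code identified".

    Returns:
        None. A line without the marker is logged and dropped (previously it
        surfaced as a bare IndexError). The exception label now names this
        function instead of sendFiledownloadIDMEF(), which it was copied from.
    """
    try:
        parts = logEntry.split("BOTJUICER=")
        if len(parts) < 2:
            msg = "kojoney_anubis_idmef.py : botjuicePHPIDMEF() : error : no BOTJUICER= marker in : " + logEntry
            print(msg)
            syslog.syslog(msg)
            return
        verdict = parts[1]

        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()
        idmef = PreludeEasy.IDMEF()

        kojoney_idmef_common.setIDMEFcommon(
            idmef, "Analyst Honeypot", "02DEBE56", None, None, None, None, verdict)

        if "Undetermined" in verdict:
            idmef.Set("alert.classification.text", "PHP file - no bot identified")
            idmef.Set("alert.assessment.impact.severity", "low")
            idmef.Set("alert.assessment.impact.description", "PHP file not found to contain bot code")
        else:
            idmef.Set("alert.classification.text", "PHP file - bot code identified")
            idmef.Set("alert.assessment.impact.severity", "high")
            idmef.Set("alert.assessment.impact.description", "PHP file found to contain bot code")

        idmef.Set("alert.target(0).file(0).path", fullFilename)
        idmef.Set("alert.assessment.impact.type", "file")

        client.SendIDMEF(idmef)
        return
    except Exception as e:
        msg = "kojoney_anubis_idmef.py : botjuicePHPIDMEF() : exception : " + str(e)
        print(msg)
        syslog.syslog(msg)
        return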
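def nmapIDMEF(dstIP, logEntry):
    """Report the result of an Nmap scan run from the honeypot against *dstIP*.

    Args:
        dstIP: the scanned (attacker) address; used as target and attackerIP.
        logEntry: log line containing "NMAP " followed by the scan summary. The
            summary is stored as additional_data "Open ports"; "open={}" in it
            means no open ports were found.

    Returns:
        None. A line without the "NMAP " marker is now logged and dropped before
        a Prelude client is created (it used to fail with an IndexError after
        registration). Other errors go to syslog and stdout.
    """
    try:
        parts = logEntry.split("NMAP ")
        if len(parts) < 2:
            msg = "kojoney_anubis_idmef.py : nmapIDMEF() : error : no NMAP marker in : " + logEntry
            print(msg)
            syslog.syslog(msg)
            return
        scanResult = parts[1]

        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()
        idmef = PreludeEasy.IDMEF()

        # Index of the next free additional_data slot.
        fieldsSet = kojoney_idmef_common.setIDMEFcommon(
            idmef, "Analyst Honeypot", "02DEBE56", None, dstIP, None, dstIP, "None")

        if "open={}" not in scanResult:
            idmef.Set("alert.classification.text", "Nmap against attacker - port(s) open")
        else:
            idmef.Set("alert.classification.text", "Nmap against attacker - port(s) closed")
        idmef.Set("alert.assessment.impact.severity", "info")
        idmef.Set("alert.target(0).node.address(0).address", dstIP)
        idmef.Set("alert.assessment.impact.description", "Nmap from honeypot to attacker IP")
        idmef.Set("alert.assessment.impact.type", "recon")

        # Scan output includes whatever the remote host answered; stored as-is.
        slot = "alert.additional_data(" + str(fieldsSet) + ")."
        idmef.Set(slot + "type", "string")
        idmef.Set(slot + "meaning", "Open ports")
        idmef.Set(slot + "data", scanResult)

        client.SendIDMEF(idmef)
        return
    except Exception as e:
        msg = "kojoney_anubis_idmef.py : nmapIDMEF() : exception : " + str(e)
        print(msg)
        syslog.syslog(msg)
        return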
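def tracerouteIDMEF(dstIP, logEntry):
    """Report a traceroute run from the honeypot towards *dstIP*.

    Args:
        dstIP: traced (attacker) address; used as target and attackerIP.
        logEntry: log line containing "TRACEROUTE : " followed by the path text,
            which is stored as additional_data "AS Path to attacker".

    Returns:
        None. A line without the marker is logged and dropped before any Prelude
        client is created (previously an IndexError after registration).
    """
    try:
        parts = logEntry.split("TRACEROUTE : ")
        if len(parts) < 2:
            msg = "kojoney_anubis_idmef.py : tracerouteIDMEF() : error : no TRACEROUTE marker in : " + logEntry
            print(msg)
            syslog.syslog(msg)
            return
        asPath = parts[1]

        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()
        idmef = PreludeEasy.IDMEF()

        # Index of the next free additional_data slot.
        fieldsSet = kojoney_idmef_common.setIDMEFcommon(
            idmef, "Analyst Honeypot", "02DEBE56", None, dstIP, None, dstIP, "None")

        idmef.Set("alert.assessment.impact.severity", "info")
        idmef.Set("alert.classification.text", "Traceroute to attacker")
        idmef.Set("alert.target(0).node.address(0).address", dstIP)
        idmef.Set("alert.assessment.impact.description", "Traceroute from honeypot to attacker IP")
        idmef.Set("alert.assessment.impact.type", "recon")

        slot = "alert.additional_data(" + str(fieldsSet) + ")."
        idmef.Set(slot + "type", "string")
        idmef.Set(slot + "meaning", "AS Path to attacker")
        idmef.Set(slot + "data", asPath)

        client.SendIDMEF(idmef)
        return
    except Exception as e:
        msg = "kojoney_anubis_idmef.py : tracerouteIDMEF() : exception : " + str(e)
        print(msg)
        syslog.syslog(msg)
        return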
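def sendBlackholeIDMEF(srcIP, text):
    """Alert that a blackhole route for *srcIP* was added or removed.

    Args:
        srcIP: address being blackholed; source address and attackerIP.
        text: classification text. If it contains "added" (case-insensitive)
            the assessment action is "block-installed", otherwise "other".

    Returns:
        None. Exceptions are now written to syslog with a function label, like
        the other senders; the original only printed them to stdout.
    """
    try:
        attackerIP = srcIP
        logEntry = "None"
        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()
        idmef = PreludeEasy.IDMEF()

        kojoney_idmef_common.setIDMEFcommon(
            idmef, "Honeypot", "02DEBE56", srcIP, None, None, attackerIP, logEntry)

        idmef.Set("alert.classification.text", text)
        idmef.Set("alert.source(0).node.address(0).address", srcIP)
        idmef.Set("alert.assessment.impact.severity", "medium")
        # Blackholing here is triggered by a port scan, hence "recon".
        idmef.Set("alert.assessment.impact.type", "recon")

        if "added" in text.lower():
            idmef.Set("alert.assessment.action(0).category", "block-installed")
        else:
            idmef.Set("alert.assessment.action(0).category", "other")

        client.SendIDMEF(idmef)
        return
    except Exception as e:
        msg = "sendBlackholeIDMEF() : exception : " + str(e)
        print(msg)
        syslog.syslog(msg)
        return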
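def sendMaldetIDMEF(attackType, signature, filepath, bitly, logEntry):
    """Alert that Linux Malware Detect (maldet) flagged a file on the honeypot.

    Args:
        attackType: alert.classification.text.
        signature, bitly: accepted for interface compatibility; not placed in
            the message by this function.
        filepath: flagged file, stored as alert.target(0).file(0).path.
        logEntry: raw maldet log line for setIDMEFcommon.

    Returns:
        None; exceptions are printed and written to syslog.

    The unused ``fieldsOffset`` bookkeeping and the commented-out Team Cymru
    block were removed; no additional_data entry is written by this sender.
    """
    try:
        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()
        idmef = PreludeEasy.IDMEF()

        kojoney_idmef_common.setIDMEFcommon(
            idmef, "Honeypot", "02DEBE56", None, None, None, None, logEntry)

        idmef.Set("alert.classification.text", attackType)
        idmef.Set("alert.assessment.impact.severity", "high")
        idmef.Set("alert.assessment.impact.description", "Malware detected on Honeypot")
        idmef.Set("alert.target(0).file(0).path", filepath)
        idmef.Set("alert.assessment.impact.completion", "succeeded")
        idmef.Set("alert.assessment.impact.type", "file")

        client.SendIDMEF(idmef)
    except Exception as e:
        msg = "sendMaldetIDMEF() : exception : " + str(e)
        print(msg)
        syslog.syslog(msg)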
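def sendWebAppIDMEF(attackType, url, service, dstPort, completion, srcIP, dstIP, apacheCLF, attackerIP, line):
    """Alert on a web-application attack observed by the (glastopf) web honeypot.

    Args:
        attackType: classification text; if it contains "GET" or "POST" the
            matching http_method is recorded.
        url: requested URL, attacker-controlled, stored as web_service.url and
            split into cgi/arg by kojoney_idmef_common.extractCGI.
        service, dstPort: targeted service name and port.
        completion: "succeeded" maps to high severity, anything else to low.
        srcIP, dstIP, attackerIP: addresses for source/target/common fields.
        apacheCLF: the Apache Common Log Format record, stored verbatim as
            additional_data "Apache CLF Record". It contains the raw request
            line, so it is attacker-controlled and unbounded in length.
        line: raw log line for setIDMEFcommon.

    Returns:
        None; exceptions are printed and written to syslog.

    NOTE(review): the impact description is always the RFI wording below even
    though attackType is caller-supplied; confirm every caller really reports
    an RFI attempt. The stray "fieldsOffset = ..." debug print was removed.
    """
    try:
        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()
        idmef = PreludeEasy.IDMEF()

        # Index of the next free additional_data slot.
        fieldsSet = kojoney_idmef_common.setIDMEFcommon(
            idmef, "Web Honeypot", "02DEBE56", srcIP, dstIP, dstPort, attackerIP, line)

        idmef.Set("alert.classification.text", attackType)

        idmef.Set("alert.source(0).node.address(0).address", srcIP)
        idmef.Set("alert.source(0).service.iana_protocol_name", "tcp")
        idmef.Set("alert.source(0).service.ip_version", 4)

        idmef.Set("alert.target(0).node.address(0).address", dstIP)
        idmef.Set("alert.target(0).service.iana_protocol_name", "tcp")
        idmef.Set("alert.target(0).service.ip_version", 4)
        idmef.Set("alert.target(0).service.name", service)
        idmef.Set("alert.target(0).service.port", dstPort)

        if "GET" in attackType:
            idmef.Set("alert.target(0).service.web_service.http_method", "GET")
        elif "POST" in attackType:
            idmef.Set("alert.target(0).service.web_service.http_method", "POST")
        idmef.Set("alert.target(0).service.web_service.url", url)
        cgi, arg = kojoney_idmef_common.extractCGI(url)
        if cgi is not None:
            idmef.Set("alert.target(0).service.web_service.cgi", cgi)
        if arg is not None:
            idmef.Set("alert.target(0).service.web_service.arg", arg)

        idmef.Set("alert.assessment.impact.type", "other")
        idmef.Set("alert.assessment.impact.completion", completion)
        if completion == "succeeded":
            idmef.Set("alert.assessment.impact.severity", "high")
        else:
            idmef.Set("alert.assessment.impact.severity", "low")
        idmef.Set(
            "alert.assessment.impact.description",
            "Attempted Web Application Remote File Inclusion (RFI) attack")

        slot = "alert.additional_data(" + str(fieldsSet) + ")."
        idmef.Set(slot + "type", "string")
        idmef.Set(slot + "meaning", "Apache CLF Record")
        idmef.Set(slot + "data", apacheCLF)

        client.SendIDMEF(idmef)
        return
    except Exception as e:
        msg = "kojoney_glastopf_idmef.py : sendWebAppIDMEF() : exception : " + str(e)
        print(msg)
        syslog.syslog(msg)
        return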
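#!/usr/bin/python
"""Smoke test for the PreludeEasy Python binding's callback hook.

Registers ``foo`` with PreludeEasy.set_pymethod and lets PreludeEasy.test_fct
invoke it. Run from the libprelude build tree so ./.libs holds the shared
object.
"""
import sys

sys.path.append('.')
sys.path.append('./.libs')

try:
    import PreludeEasy
except ImportError as e:
    # Narrowed from a bare "except:" so that anything other than a missing
    # module (KeyboardInterrupt, a SyntaxError in the binding) is not
    # misreported as "Import failed". The cause is now printed too.
    print("Import failed: " + str(e))
    print("Try 'cd ./.libs && ln -s libprelude_python.so _PreludeEasy.so'")
    sys.exit(1)


def foo(alert_id):
    """Callback for PreludeEasy: print the IDMEF message registered under alert_id.

    Renamed the parameter from ``id`` so it no longer shadows the builtin.
    Returns 0 as the binding expects.
    """
    print("callback: id = " + str(alert_id))
    idmef = PreludeEasy._get_IDMEF(alert_id)
    idmef.PrintToStdout()
    # idmef.Get("alert.classification.text") is not implemented in this
    # binding yet (note carried over from the original).
    return 0


PreludeEasy.set_pymethod(foo)
PreludeEasy.test_fct()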
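def sendWebAppFile(attackType, fileMD5, logEntry,
                   targetIP="192.168.1.62",
                   filesDir="/usr/local/src/glastopf/files/"):
    """Alert on a file retrieved by the web honeypot, rated via Team Cymru's MHR.

    Args:
        attackType: base classification text; " contains malware" is appended
            when the Cymru lookup reports at least one AV detection.
        fileMD5: MD5 of the retrieved file; used for the lookup, as the target
            file name and as the last path component.
        logEntry: raw log line for setIDMEFcommon.
        targetIP: address reported as the target node. Previously hard-coded;
            the default keeps the old value for existing callers.
        filesDir: directory prefix for the reported file path. The original
            comment admits this path is "not actually true", so callers that
            know the real location should pass it in.

    Returns:
        None; exceptions are printed and written to syslog.
    """
    try:
        # cymruHash() is a network lookup; "0" means no AV engine triggered.
        cymruHash = kojoney_cymru_hash.cymruHash(fileMD5)
        print("cymruHash : " + str(cymruHash))

        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()
        idmef = PreludeEasy.IDMEF()

        # Index of the next free additional_data slot.
        fieldsSet = kojoney_idmef_common.setIDMEFcommon(
            idmef, "Web Honeypot", "02DEBE56", None, None, None, None, logEntry)

        if cymruHash == "0":
            cymruHash = "None"
            idmef.Set("alert.classification.text", attackType)
            idmef.Set("alert.assessment.impact.severity", "low")
            idmef.Set("alert.assessment.impact.description", "File retrieved - no AV triggered")
        else:
            idmef.Set("alert.classification.text", attackType + " contains malware")
            idmef.Set("alert.assessment.impact.severity", "high")
            idmef.Set("alert.assessment.impact.description", "Malware file retrieved - at least one AV triggered")

        idmef.Set("alert.target(0).node.address(0).address", targetIP)
        idmef.Set("alert.target(0).file(0).name", fileMD5)
        idmef.Set("alert.target(0).file(0).path", filesDir + fileMD5)
        idmef.Set("alert.assessment.impact.completion", "succeeded")
        idmef.Set("alert.assessment.impact.type", "file")

        slot = "alert.additional_data(" + str(fieldsSet) + ")."
        idmef.Set(slot + "type", "string")
        idmef.Set(slot + "meaning", "Team Cymru MHA % of AV triggered")
        idmef.Set(slot + "data", cymruHash)

        client.SendIDMEF(idmef)
        return
    except Exception as e:
        msg = "kojoney_glastopf_idmef.py : sendWebAppFile() : exception : " + str(e)
        print(msg)
        syslog.syslog(msg)
        return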
#!/usr/bin/python
"""Minimal PreludeEasy example: send one alert classified "Bar" as client "MyTest"."""
import sys
import PreludeEasy

# Client first, then the message it will carry.
client = PreludeEasy.ClientEasy("MyTest")

idmef = PreludeEasy.IDMEF()
idmef.Set("alert.classification.text", "Bar")

# The << operator hands the message to the client for sending.
client << idmef
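try:
    import PreludeEasy
except ImportError as e:
    # The binding is a .py plus a _PreludeEasy.so; a missing link to the .so
    # is the usual cause of this failure, hence the hint.
    print(" ".join(["Import failed: ", str(e)]))
    print("Try 'cd ./.libs && ln -s libprelude_python.so _PreludeEasy.so'")
    sys.exit(1)

# Directory of *.idmef files to replay; optional first CLI argument.
src_dir = "alerts"
if len(sys.argv) > 1:
    src_dir = sys.argv[1]

if not os.path.exists(src_dir):
    print(" ".join(["dir ", src_dir, " does not exist"]))
    sys.exit(1)


def replay(alert):
    """Handle one deserialised IDMEF message (placeholder: prints it)."""
    print(alert)


for root, dirs, files in os.walk(src_dir):
    for name in files:
        if name.endswith(".idmef"):
            idmef = PreludeEasy.IDMEF()
            # Fix: join with the directory os.walk is visiting, not src_dir --
            # files in subdirectories were opened at a path that does not exist.
            # The file is also closed even if deserialisation raises.
            with open(os.path.join(root, name), "r") as f:
                idmef >> f
            replay(idmef)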
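def sendFlowClamdIDMEF(sensorId, srcIP, srcPort, dstIP, dstPort, clamavSig, line, tweet):
    """Alert that clsniffer/ClamAV found malware in a captured network flow.

    Args:
        sensorId: sensor identifier for setIDMEFcommon; also stored as
            additional_data "sensorId".
        srcIP, srcPort: flow source (treated as the attacker).
        dstIP, dstPort: flow destination.
        clamavSig: matching ClamAV signature name, stored as additional_data.
        line: raw log line for setIDMEFcommon.
        tweet: any object; its str() is stored as additional_data "Tweet".

    Returns:
        None; exceptions are printed and written to syslog.

    The stray "fieldsOffset = ..." debug print and the commented-out blocks
    were removed; the three additional_data entries are written in the same
    order as before (ClamAV Signature, Tweet, sensorId).
    """
    try:
        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()
        idmef = PreludeEasy.IDMEF()

        attackerIP = srcIP
        # Index of the next free additional_data slot.
        fieldsSet = kojoney_idmef_common.setIDMEFcommon(
            idmef, "Honeypot", sensorId, srcIP, dstIP, dstPort, attackerIP, line)

        idmef.Set("alert.classification.text", "Malware detected in network flow")

        idmef.Set("alert.source(0).node.address(0).address", srcIP)
        idmef.Set("alert.source(0).service.iana_protocol_name", "tcp")
        idmef.Set("alert.source(0).service.ip_version", 4)
        idmef.Set("alert.source(0).service.port", srcPort)

        idmef.Set("alert.target(0).node.address(0).address", dstIP)
        idmef.Set("alert.target(0).service.iana_protocol_name", "tcp")
        idmef.Set("alert.target(0).service.ip_version", 4)
        idmef.Set("alert.target(0).service.port", dstPort)

        idmef.Set("alert.assessment.impact.completion", "succeeded")
        idmef.Set("alert.assessment.impact.severity", "high")
        idmef.Set("alert.assessment.impact.description", "clsniffer detected malware in a netflow flow")

        # (meaning, data) pairs, written to consecutive additional_data slots.
        extras = [
            ("ClamAV Signature", clamavSig),
            ("Tweet", str(tweet)),
            ("sensorId", str(sensorId)),
        ]
        offset = fieldsSet
        for meaning, data in extras:
            slot = "alert.additional_data(" + str(offset) + ")."
            idmef.Set(slot + "type", "string")
            idmef.Set(slot + "meaning", meaning)
            idmef.Set(slot + "data", data)
            offset = offset + 1

        client.SendIDMEF(idmef)
        return
    except Exception as e:
        msg = "kojoney_clamd_idmef.py : sendFlowClamdIDMEF : exception : " + str(e)
        print(msg)
        syslog.syslog(msg)
        return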
def portScanIDMEF(srcIP, scanType, dstPort, line):
    """Send an info-level alert for a port scan (from iplog) against the honeypot.

    Unlike the other senders this one does not call setIDMEFcommon; it writes the
    source address, target port, classification and the original log line itself.

    Args:
        srcIP: scanning address, written to alert.source(0).
        scanType: alert.classification.text.
        dstPort: scanned port, written to alert.target(0).service.port.
        line: original iplog entry; stored, right-stripped, as additional_data(0).
            NOTE: attacker-influenced and stored without any length limit (the
            original author left a note about truncating such fields to 64 chars).

    Returns:
        None; exceptions are printed and written to syslog.
    """
    try:
        prelude = PreludeEasy.ClientEasy("blackrain")
        prelude.Start()

        alert = PreludeEasy.IDMEF()

        fields = [
            ("alert.classification.text", scanType),
            ("alert.target(0).service.port", dstPort),
            ("alert.source(0).node.address(0).address", srcIP),
            ("alert.assessment.impact.severity", "info"),
            ("alert.assessment.impact.description", "Port scan detected against honeypot"),
            ("alert.additional_data(0).type", "string"),
            ("alert.additional_data(0).meaning", "Original log entry"),
            ("alert.additional_data(0).data", line.rstrip()),
        ]
        for path, value in fields:
            alert.Set(path, value)

        prelude.SendIDMEF(alert)
        return
    except Exception as e:
        msg = "kojoney_iplog_idmef.py : portScanIDMEF() : exception : " + str(e)
        print(msg)
        syslog.syslog(msg)
        return
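def sendFiledownloadIDMEF(url, fullFilename, filename, fileMD5, completion, logEntry):
    """Alert on a file the analyst honeypot fetched from a URL found in attacker input.

    Args:
        url: URL the file came from; "/" is reported as "None". Its host part is
            used to derive dstIP (see below).
        fullFilename, filename: stored file path and name.
        fileMD5: MD5 of the file, or None if it could not be hashed. When present
            it is looked up at Team Cymru and stored as additional_data "MD5".
        completion: "succeeded" or anything else; drives the impact description.
        logEntry: raw log line for setIDMEFcommon.

    Returns:
        None; exceptions are printed and written to syslog.

    Fixes: the "is this host an IP literal?" test used an unanchored, non-raw
    regex, so a hostname such as "1.2.3.4.example.net" was treated as an IP
    and never resolved; the pattern is now a raw string anchored to the whole
    host. NOTE(review): for a real hostname, dstIP is taken from
    ipintellib.ip2name(domain)['name'] -- confirm that field is the address
    and not the name, as the key suggests.
    """
    try:
        if fileMD5 is not None:
            cymruHash = kojoney_cymru_hash.cymruHash(fileMD5)
            print("cymruHash : " + str(cymruHash))
        else:
            cymruHash = "0"

        # Derive the target address from the URL's host part.
        domain = kojoney_idmef_common.extractDomain(url)
        if domain is not None:
            if re.match(r"\d+\.\d+\.\d+\.\d+$", domain):
                dstIP = domain
            else:
                dnsInfo = ipintellib.ip2name(domain)
                dstIP = dnsInfo['name']
        else:
            dstIP = "0.0.0.0"
        print("kojoney_anubis_idmef.py : sendFiledownloadIDMEF() : dstIP = " + str(dstIP))

        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()
        idmef = PreludeEasy.IDMEF()

        # Index of the next free additional_data slot.
        fieldsSet = kojoney_idmef_common.setIDMEFcommon(
            idmef, "Analyst Honeypot", "02DEBE56", None, dstIP, None, dstIP, logEntry)

        if cymruHash == "0":
            cymruHash = "None"
            idmef.Set("alert.classification.text", "File identified by URL-snarf method")
            idmef.Set("alert.assessment.impact.severity", "low")
        else:
            idmef.Set("alert.classification.text", "Malware file identified by URL-snarf method" + " contains malware")
            idmef.Set("alert.assessment.impact.severity", "high")

        idmef.Set("alert.target(0).node.address(0).address", dstIP)
        idmef.Set("alert.target(0).file(0).name", filename)
        idmef.Set("alert.target(0).file(0).path", fullFilename)

        idmef.Set("alert.assessment.impact.completion", completion)
        if completion == "succeeded":
            idmef.Set("alert.assessment.impact.description", "File downloaded OK")
        else:
            idmef.Set("alert.assessment.impact.description", "File download failed")
        idmef.Set("alert.assessment.impact.type", "file")

        if url == '/':
            url = "None"
        idmef.Set("alert.target(0).service.web_service.url", url)

        offset = fieldsSet
        slot = "alert.additional_data(" + str(offset) + ")."
        idmef.Set(slot + "type", "string")
        idmef.Set(slot + "meaning", "Team Cymru MHA % of AV triggered")
        idmef.Set(slot + "data", cymruHash)
        offset = offset + 1
        if fileMD5 is not None:
            slot = "alert.additional_data(" + str(offset) + ")."
            idmef.Set(slot + "type", "string")
            idmef.Set(slot + "meaning", "MD5")
            idmef.Set(slot + "data", fileMD5)

        client.SendIDMEF(idmef)
        return
    except Exception as e:
        msg = "kojoney_anubis_idmef.py : sendFiledownloadIDMEF() : exception : " + str(e)
        print(msg)
        syslog.syslog(msg)
        return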
def writeExternalHpotIDMEF(normalisedTweet, status, group, filepath):
    """Send a low-severity alert for a tweet that matched one of the watched groups.

    Args:
        normalisedTweet: cleaned tweet text, stored as additional_data "Normalised Tweet".
        status: tweet object; only ``status.author.screen_name`` is read.
        group: name of the matched group; upper-cased in the classification and
            stored as-is as additional_data "Match group".
        filepath: file the tweet was written to, stored as target file path.

    Returns:
        None. Exceptions are logged together with the tweet text that caused them.

    Source and target addresses are a fixed TEST-NET-2 placeholder (192.0.2.254)
    because there is no real network endpoint for a tweet.
    """
    try:
        placeholderIP = "192.0.2.254"

        prelude = PreludeEasy.ClientEasy("blackrain")
        prelude.Start()
        alert = PreludeEasy.IDMEF()

        # Index of the next free additional_data slot.
        nextSlot = kojoney_idmef_common.setIDMEFcommon(
            alert, "Twitterverse", "02DEBE56", None, None, None, None, None)

        alert.Set("alert.classification.text", "Tweet matched " + group.upper() + " via API")
        alert.Set("alert.assessment.impact.severity", "low")
        alert.Set("alert.target(0).file(0).path", filepath)
        alert.Set("alert.source(0).node.address(0).address", placeholderIP)
        alert.Set("alert.source(0).service.ip_version", 4)
        alert.Set("alert.target(0).node.address(0).address", placeholderIP)
        alert.Set("alert.target(0).service.ip_version", 4)
        alert.Set("alert.assessment.impact.type", "file")

        extras = (
            ("Match group", group),
            ("Tweeter", "@" + status.author.screen_name),
            ("Normalised Tweet", normalisedTweet),
        )
        for meaning, data in extras:
            prefix = "alert.additional_data(" + str(nextSlot) + ")."
            alert.Set(prefix + "type", "string")
            alert.Set(prefix + "meaning", meaning)
            alert.Set(prefix + "data", data)
            nextSlot = nextSlot + 1

        prelude.SendIDMEF(alert)
    except Exception as e:
        msg = ("twitter_streamer.py : writeExternalHpotIDMEF() : exception : "
               + str(e) + " : " + str(normalisedTweet))
        print(msg)
        syslog.syslog(msg)
        return
def sendIDMEF(sensorId, srcIP, dstIP, dstPort, attackerIP, logEntry):
    """Send a throw-away test alert ("This is a test message - ignore it").

    Args:
        sensorId: sensor identifier handed to setIDMEFcommon.
        srcIP: written to alert.source(0).
        dstIP, dstPort, attackerIP, logEntry: passed to setIDMEFcommon only; the
            target node address in the message is the fixed test value "2.2.2.2".

    Returns:
        The value returned by setIDMEFcommon on success, None if anything raised
        (the error is printed and written to syslog).
    """
    try:
        prelude = PreludeEasy.ClientEasy("blackrain")
        prelude.Start()
        alert = PreludeEasy.IDMEF()

        slotsUsed = kojoney_idmef_common.setIDMEFcommon(
            alert, "test-honeypot", sensorId, srcIP, dstIP, dstPort, attackerIP, logEntry)

        for path, value in (
            ("alert.classification.text", "Test IDMEF message"),
            ("alert.target(0).service.iana_protocol_name", "tcp"),
            ("alert.target(0).service.iana_protocol_number", 6),
            ("alert.target(0).service.ip_version", 4),
            ("alert.target(0).node.address(0).address", "2.2.2.2"),
            ("alert.source(0).node.address(0).address", srcIP),
            ("alert.assessment.impact.severity", "info"),
            ("alert.assessment.impact.description", "This is a test message - ignore it"),
        ):
            alert.Set(path, value)

        prelude.SendIDMEF(alert)
        return slotsUsed
    except Exception as e:
        msg = "idmef_test.py : sendIDMEF() : exception : " + str(e)
        print(msg)
        syslog.syslog(msg)
        return None
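def sendGyustIDMEF(line):
    """Turn one @gjust honeypot tweet into a low-severity "SSH attack" alert.

    Only lines containing "Royal Highness" are handled; the first dotted-quad in
    the line is taken as the attacker address. Destination is fixed to the
    documentation address 192.0.2.3, port "2222", tcp.

    Args:
        line: raw tweet text. Attacker-influenced: it is echoed to stdout and,
            on failure, into syslog with only the trailing newline removed, so
            embedded control characters reach the log unfiltered.

    Returns:
        None; lines that are skipped or fail are logged.

    Fix: the IP regex is now a raw string (the unescaped "\\d" was relying on
    Python leaving unknown escapes alone).
    """
    try:
        line = line.rstrip('\n')
        print(line)
        if "Royal Highness" not in line:
            return

        ips = re.findall(r"\d+\.\d+\.\d+\.\d+", line)
        if not ips:
            msg = "sendGyust() : error : no IP address found in : " + line
            syslog.syslog(msg)
            return

        srcIP = ips[0]
        attackerIP = srcIP
        proto = "tcp"
        dstPort = "2222"
        dstIP = "192.0.2.3"
        attackType = "SSH attack"
        print(" -> @gjust : attackType=" + attackType + " attacker=" + srcIP
              + " dstIP=" + dstIP + " dstPort=" + dstPort + " proto=" + proto)

        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()
        idmef = PreludeEasy.IDMEF()

        kojoney_idmef_common.setIDMEFcommon(
            idmef, "Twitterverse", "00000003", srcIP, dstIP, dstPort, attackerIP, line)

        idmef.Set("alert.source(0).node.address(0).address", srcIP)
        idmef.Set("alert.source(0).service.iana_protocol_name", proto)
        idmef.Set("alert.source(0).service.ip_version", 4)

        idmef.Set("alert.target(0).node.address(0).address", dstIP)
        idmef.Set("alert.target(0).service.iana_protocol_name", proto)
        idmef.Set("alert.target(0).service.ip_version", 4)
        idmef.Set("alert.target(0).service.port", dstPort)

        idmef.Set("alert.classification.text", attackType + " against @gjust Honeypot")

        idmef.Set("alert.assessment.impact.type", "other")
        idmef.Set("alert.assessment.impact.severity", "low")
        idmef.Set("alert.assessment.impact.description", "Honeypot event from @gjust Twitter-enabled Honeypot")

        client.SendIDMEF(idmef)
        return
    except Exception as e:
        msg = "kojoney_netmences_idmef.py : sendGyustIDMEF() : exception : " + str(e)
        print(msg)
        syslog.syslog(msg)
        return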
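def sendNetmenacesIDMEF(line):
    """Turn one @netmenaces honeypot tweet into a Prelude IDMEF alert.

    The module-level ATTACKS table maps a keyword found in the tweet to a
    "proto,port,ip,attackType" string describing the honeypot socket that
    was hit; when several keywords match, the last one iterated wins.  The
    first well-formed dotted-quad in the tweet is the attacker address.
    Tweets mentioning GET/POST are reported as web-application attacks
    with the HTTP method set.  The raw tweet text is embedded in the alert
    by setIDMEFcommon(), so it is attacker-controlled data.

    Parameters:
        line: one line of tweet text (trailing newline tolerated).

    Returns None.  Failures are reported via syslog/stdout, never raised.
    """
    try:
        line = line.rstrip('\n')
        print(line)

        sock = 'NONE,0,0.0.0.0,NONE'   # N + zero: "no known attack"
        for keyword in ATTACKS:
            if keyword in line:
                sock = ATTACKS[keyword]
        if sock == 'NONE,0,0.0.0.0,NONE':
            msg = "sendNetmenaces() : error : Unknown attack type in : " + line
            syslog.syslog(msg)
            return

        # Only accept a well-formed dotted quad: the old pattern (\d+ groups)
        # also matched "1234.5.6.7" or "300.1.2.3", which would put a bogus
        # address into the alert's source field.
        candidates = re.findall(r'(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)', line)
        ips = [ip for ip in candidates
               if all(int(octet) <= 255 for octet in ip.split('.'))]
        if not ips:
            msg = "sendNetmenaces() : error : no IP address found in : " + line
            syslog.syslog(msg)
            return
        srcIP = ips[0]
        attackerIP = srcIP
        proto, dstPort, dstIP, attackType = sock.split(',')[:4]
        print(" -> @netmenaces : attackType=" + attackType + " attacker=" + srcIP
              + " dstIP=" + dstIP + " dstPort=" + dstPort + " proto=" + proto)

        # Create a new Prelude client ("blackrain" is the Prelude profile).
        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()

        # Create the IDMEF message
        idmef = PreludeEasy.IDMEF()

        # Sensor / common fields; the returned offset is not needed here.
        kojoney_idmef_common.setIDMEFcommon(
            idmef, "Twitterverse", "00000001", srcIP, dstIP, dstPort, attackerIP, line)

        # Source
        idmef.Set("alert.source(0).node.address(0).address", srcIP)
        idmef.Set("alert.source(0).service.iana_protocol_name", proto)
        idmef.Set("alert.source(0).service.ip_version", 4)

        # Target(s) / Service
        idmef.Set("alert.target(0).node.address(0).address", dstIP)
        idmef.Set("alert.target(0).service.iana_protocol_name", proto)
        idmef.Set("alert.target(0).service.ip_version", 4)
        idmef.Set("alert.target(0).service.port", dstPort)

        # Web Service specific details - override attackType.
        # Plain substring tests, as in the original: "GET" also matches e.g.
        # "BUDGET"; tighten if the tweet format allows it.
        if "GET" in line:
            idmef.Set("alert.target(0).service.web_service.http_method", "GET")
            attackType = "WebApp GET-based attack"
        elif "POST" in line:
            idmef.Set("alert.target(0).service.web_service.http_method", "POST")
            attackType = "WebApp POST-based attack"

        # Classification
        classification = attackType + " against @netmenaces Honeypot"
        idmef.Set("alert.classification.text", classification)

        # Assessment (no completion info is available from a tweet)
        idmef.Set("alert.assessment.impact.type", "other")
        idmef.Set("alert.assessment.impact.severity", "low")
        idmef.Set("alert.assessment.impact.description",
                  "Honeypot event from @netmenaces Twitter-enabled Honeypot")

        client.SendIDMEF(idmef)
        return
    except Exception as e:
        # The original message named a non-existent "sendNetmencesIDMEF".
        msg = "kojoney_netmences_idmef.py : sendNetmenacesIDMEF() : exception : " + str(e)
        print(msg)
        syslog.syslog(msg)
        return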
def foo(id):
    """Prelude pooling callback: dump the IDMEF message with handle *id*.

    Prints the handle, fetches the message through PreludeEasy._get_IDMEF()
    and prints it to stdout.  Always returns 0.  The parameter name shadows
    the builtin id(); it is kept for call compatibility.
    """
    print("callback: id = %s" % (id,))
    message = PreludeEasy._get_IDMEF(id)
    message.PrintToStdout()
    # Get("alert.classification.text") is not yet implemented in the bindings
    return 0
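def sendWebAppURLIDMEF(attackType, url, dstService, srcIP, dstIP, dstPort,
                       completion, apacheCLF, attackerIP, logEntry):
    """Send a Prelude IDMEF alert for one web-honeypot (Glastopf) request.

    Parameters:
        attackType: classification text of the alert.
        url: requested URL; a bare "/" is recorded as the string "None".
        dstService: target service name (the original doubts this field
            is honoured by the bindings).
        srcIP, dstIP, dstPort: client address and honeypot address/port.
        completion: value for alert.assessment.impact.completion.
        apacheCLF: Apache Common Log Format record, attached as additional
            data "Apache CLF Record".
        attackerIP: attacker address handed to setIDMEFcommon().
        logEntry: raw log record handed to setIDMEFcommon().

    Returns None.  Exceptions are printed, logged to syslog and swallowed.
    """
    try:
        # Debug trace.  %s formatting prints a None argument as "None"
        # instead of raising TypeError here, which used to drop the whole
        # alert before it was ever built.
        print("sendWebAppURLIDMEF() : srcIP : %s" % (srcIP,))
        print("sendWebAppURLIDMEF() : dstIP : %s" % (dstIP,))
        print("sendWebAppURLIDMEF() : apacheCLF : %s" % (apacheCLF,))
        print("sendWebAppURLIDMEF() : attackerIP : %s" % (attackerIP,))
        print("sendWebAppURLIDMEF() : url : %s" % (url,))

        # Create a new Prelude client ("blackrain" is the Prelude profile).
        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()

        # Create the IDMEF message
        idmef = PreludeEasy.IDMEF()

        # Sensor / common fields; presumably returns the number of
        # additional_data entries already filled in.
        fieldsSet = kojoney_idmef_common.setIDMEFcommon(
            idmef, "Web Honeypot", "02DEBE56", srcIP, dstIP, dstPort, attackerIP, logEntry)

        # Classification
        idmef.Set("alert.classification.text", attackType)

        # Source - no info in the Glastopf log so need to construct it
        idmef.Set("alert.source(0).node.address(0).address", srcIP)
        idmef.Set("alert.source(0).service.iana_protocol_name", "tcp")
        idmef.Set("alert.source(0).service.ip_version", 4)

        # Target(s).  (The original set iana_protocol_name twice.)
        idmef.Set("alert.target(0).node.address(0).address", dstIP)
        idmef.Set("alert.target(0).service.iana_protocol_name", "tcp")
        idmef.Set("alert.target(0).service.ip_version", 4)
        idmef.Set("alert.target(0).service.name", dstService)  # bug : is this working ?
        idmef.Set("alert.target(0).service.port", dstPort)
        if url == '/':
            url = "None"
        idmef.Set("alert.target(0).service.web_service.url", url)

        # Assessment
        idmef.Set("alert.assessment.impact.severity", "medium")
        idmef.Set("alert.assessment.impact.completion", completion)
        idmef.Set("alert.assessment.impact.type", "file")
        idmef.Set("alert.assessment.impact.description", "Web URL request")

        # Additional Data, appended after the entries setIDMEFcommon filled in
        print("fieldsOffset = %s" % (fieldsSet,))
        slot = "alert.additional_data(%s)." % (fieldsSet,)
        idmef.Set(slot + "type", "string")
        idmef.Set(slot + "meaning", "Apache CLF Record")
        idmef.Set(slot + "data", apacheCLF)

        client.SendIDMEF(idmef)
        return
    except Exception as e:
        msg = "kojoney_glastopf_idmef.py : sendWebAppURLIDMEF() : exception : " + str(e)
        print(msg)
        syslog.syslog(msg)
        return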
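def processOssec(line, file):
    """Parse one multi-line OSSEC alerts.log record and emit an IDMEF alert.

    *line* is the line the caller just read from the log.  Only the
    "** Alert ..." header starts a record; any other line is treated as the
    tail of a previous record and ignored.  The next five lines are then
    read from *file* (an open alerts.log handle positioned right after the
    header): log source, "Rule: N (level L) -> 'msg'", "Src IP: x",
    "Dst IP: x" (or "User: x", which is ignored) and the original log
    entry.  Records with level < 6 are dropped.

    Parameters:
        line: the header line just read.
        file: file object to pull the rest of the record from.

    Returns None.  Unlike the other senders in this file there is no
    try/except here, so Prelude errors propagate to the caller.
    """
    print("processOssec() : first line read is " + line)
    srcIP = "0.0.0.0"
    dstIP = "0.0.0.0"

    if line.find("** Alert") == -1:
        print("Ignore additional log details : " + line)
        return
    print("*** Sync : NEW EVENT in Ossec alerts logfile to process !")

    # The log is being tailed: give the writer a moment to finish the record.
    time.sleep(0.2)

    # Line 2: log source, e.g. "2009 Jan 01 00:00:00 host->/var/log/auth.log"
    fields = file.readline().rstrip('\n').split(" ")
    if len(fields) < 5:
        # Short read (EOF / truncated record): the old code raised IndexError.
        print("processOssec() : error : malformed log-source line : " + " ".join(fields))
        return
    source = fields[4]

    # Line 3: "Rule: 5716 (level 5) -> 'SSHD authentication failed.'"
    line3 = file.readline().rstrip('\n')
    m = re.findall(r'Rule: (\d+) \(level (\d+)\) -> (.*)', line3)
    if not m:
        # rule/level/message were unbound further down when this did not match
        print("processOssec() : error : no rule line in : " + line3)
        return
    rule, level, message = m[0]
    print("level=" + level)
    if int(level) < 6:
        print("OSSEC Level is too low, so ignore this Alert, Level=" + level)
        return
    message = "OSSEC HIDS : " + message.strip("'")

    # Line 4: "Src IP: 190.68.110.26"
    line4 = file.readline().rstrip('\n')
    m = re.findall(r'Src IP: (.*)', line4)
    if m:
        srcIP = m[0]
    attackerIP = srcIP

    # Line 5: "Dst IP: ..." or "User: ...".  The original tested
    # `"Dst IP" in line` (the header line), so dstIP was never filled in;
    # test the line just read instead.
    line5 = file.readline().rstrip('\n')
    m = re.findall(r'Dst IP: (.*)', line5)
    if m:
        dstIP = m[0]
        print("++ Destination IP = " + dstIP)

    # Line 6: the original log entry; consumed but not used.
    file.readline()

    client = PreludeEasy.ClientEasy("blackrain")
    client.Start()

    # Create the IDMEF message
    idmef = PreludeEasy.IDMEF()

    # Sensor / common fields; presumably returns the number of
    # additional_data entries already filled in.
    fieldsSet = kojoney_idmef_common.setIDMEFcommon(
        idmef, "Honeypot", "02DEBE56", srcIP, dstIP, None, attackerIP, None)

    # Classification
    idmef.Set("alert.classification.text", message)

    # Source
    idmef.Set("alert.source(0).node.address(0).address", srcIP)
    idmef.Set("alert.source(0).service.ip_version", 4)

    # Target(s)
    idmef.Set("alert.target(0).node.address(0).address", dstIP)
    idmef.Set("alert.target(0).service.ip_version", 4)

    # Additional Data, appended after the entries setIDMEFcommon filled in
    extras = [("OSSEC Rule", rule),
              ("OSSEC Level", level),
              ("OSSEC Log Source", source)]
    for offset, (meaning, data) in enumerate(extras, fieldsSet):
        slot = "alert.additional_data(%s)." % (offset,)
        idmef.Set(slot + "type", "string")
        idmef.Set(slot + "meaning", meaning)
        idmef.Set(slot + "data", data)

    client.SendIDMEF(idmef)
    return None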
def sendArgusIDMEF(srcIP, dstIP, dstPort, protocol, dir, flags, pkts, bytes, p0f, hops, FLOW_TYPE):
    """Send a Prelude IDMEF alert describing one Argus flow record.

    Only AFLOW_IN / AFLOW_OUT flows are reported.  Inbound flows are
    "info" severity with srcIP as the attacker; outbound flows (a session
    started from the honeypot) are "high" with dstIP as the attacker.
    Flows of >= 1024 bytes or >= 32 packets are prefixed "Long" in the
    classification, which reads "<size><direction><protocol> ArgusFlow
    <portName>" with portName from mapPortNumber().

    Parameters dir, flags, p0f and hops are accepted but currently unused
    (the additional-data block that reported them is disabled).

    Returns None.  Exceptions are printed and swallowed.
    """
    try:
        directions = {"AFLOW_IN": "Inbound ", "AFLOW_OUT": "Outbound "}
        if FLOW_TYPE not in directions:
            return None   # radical - why are there flows that are not In or Out ?
        direction = directions[FLOW_TYPE]

        portName = mapPortNumber(dstPort)

        # "Long" flows: the direction is lower-cased so the classification
        # reads e.g. "Long inbound TCP ArgusFlow ssh".
        isLong = int(bytes) >= 1024 or int(pkts) >= 32
        size = "Long " if isLong else ""
        if isLong:
            direction = direction.lower()

        # Create a new Prelude client ("blackrain" is the Prelude profile).
        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()

        # Create the IDMEF message
        idmef = PreludeEasy.IDMEF()

        # Sensor: who is the attacker depends on the flow direction
        if "nbound" in direction:
            kojoney_idmef_common.setIDMEFcommon(
                idmef, "Honeypot", "02DEBE56", srcIP, dstIP, dstPort, srcIP, "None")
            idmef.Set("alert.assessment.impact.severity", "info")   # normal inbound flows
        elif "utbound" in direction:
            kojoney_idmef_common.setIDMEFcommon(
                idmef, "Honeypot", "02DEBE56", srcIP, dstIP, dstPort, dstIP, "None")
            idmef.Set("alert.assessment.impact.severity", "high")   # outgoing session !
        else:
            return None   # unreachable: direction is always in- or outbound here

        # Classification
        classification = (size + direction + protocol + " ArgusFlow " + portName).rstrip(" ")
        idmef.Set("alert.classification.text", classification)

        # Source / Target(s)
        idmef.Set("alert.source(0).node.address(0).address", srcIP)
        idmef.Set("alert.target(0).node.address(0).address", dstIP)
        idmef.Set("alert.target(0).service.port", dstPort)

        # Set protocol if one of the well known ones
        protocolNumbers = {"TCP": 6, "UDP": 17, "ICMP": 1}
        if protocol in protocolNumbers:
            idmef.Set("alert.target(0).service.iana_protocol_name", protocol.lower())
            idmef.Set("alert.target(0).service.iana_protocol_number", protocolNumbers[protocol])
        idmef.Set("alert.target(0).service.ip_version", 4)

        # Assessment
        idmef.Set("alert.assessment.impact.type", "other")
        idmef.Set("alert.assessment.impact.description", "flow")

        # Additional Data (flags, pkts, bytes, clientOS, direction, IP hops)
        # is intentionally not emitted at the moment.

        client.SendIDMEF(idmef)
        return
    except Exception as e:
        print("sendArgusIDMEF() : exception : " + str(e))
        return
# Vertical position of each impact.severity band on the timeline image,
# offset below the header row (header_size_y is defined earlier in the file).
severity_high_y = 50 + header_size_y
severity_medium_y = 150 + header_size_y
severity_low_y = 250 + header_size_y
severity_info_y = 350 + header_size_y

# Canvas and palette (gd, image_width and image_height come from earlier in the file).
im = gd.image((image_width, image_height))
white = im.colorAllocate((255, 255, 255))
black = im.colorAllocate((0, 0, 0))
red = im.colorAllocate((255, 0, 0))
orange = im.colorAllocate((255, 100, 0))
blue = im.colorAllocate((0, 0, 255))
green = im.colorAllocate((0, 255, 0))

# Prelude client that pools alerts from a manager at a hard-coded address.
# NOTE(review): consider taking the manager address from configuration.
client = PreludeEasy.Client("PoolingTest")
client.Init()
client.PoolInit("192.168.33.215", 1)


def gd_init():
    """Draw the column headers (timeline, impact.severity, classification.text)
    and their separators onto the module-level image *im*."""
    FONT = "/usr/share/fonts/truetype/ttf-bitstream-vera/VeraMono.ttf"
    # Headers
    im.line((0, header_size_y), (image_width, header_size_y), black)
    im.string_ttf(FONT, 8, 0, (70, 12), "timeline", black)
    im.line((200, 0), (200, header_size_y), black)
    im.string_ttf(FONT, 8, 0, (250, 12), "impact.severity", black)
    im.line((400, 0), (400, header_size_y), black)
    im.string_ttf(FONT, 8, 0, (450, 12), "classification.text", black)
import rtg_cli except: print "Cannot import rtg_cli" try: import PreludeEasy except: print "Import failed" print "Try 'cd ./.libs && ln -s libprelude_python.so _PreludeEasy.so'" sys.exit(1) # # GD Constants # client = PreludeEasy.Client("PreludeRTG") client.Init() client.PoolInit("192.168.33.215", 1) # # 10000 could be considered as the maximum, since # it would cover already a big classification.text # def unique_alert_number(ClassificationText): number = 0 for c in ClassificationText: number += ord(c) return number
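def processOssecSyslog(txnId, sensorId, line):
    """Handle one OSSEC alert received over syslog: update the attacker
    database and emit a Prelude IDMEF alert.

    The line is expected to carry "Rule: <n> - <msg>;", "Alert Level: <n>;",
    optionally "Location: <x>;", "user: <x>;", "srcip: <a.b.c.d>" and
    "dstip: <a.b.c.d>".  Snort events relayed by OSSEC (rule message
    "IDS event" / "First time this IDS alert is generated") are decoded
    further for ports, SID, Snort message, classification and priority;
    the priority (1/2/3) then classifies the attacker as ATTACKING /
    SCANNING / PROBING, otherwise the OSSEC level decides (< 12 ATTACKING,
    else GAINED_ACCESS).  IDMEF severity is derived from the OSSEC level
    (>= 12 high, 7-11 medium, else low).

    Parameters:
        txnId: transaction id passed through to generateAttackerEvent().
        sensorId: sensor identifier for setIDMEFcommon() and the attacker db.
        line: raw syslog line (trailing newline tolerated).

    Returns None.  Exceptions are printed, logged to syslog and swallowed.
    """
    try:
        srcIP = dstIP = srcPort = dstPort = None
        sid = None
        priority = None
        addInfo1 = None
        addInfo2 = None
        line = line.rstrip("\n")
        print(line)

        def _field(pattern):
            """First capture of *pattern* in the line, or None when absent."""
            found = re.findall(pattern, line)
            return found[0] if found else None

        def _after(marker):
            """Text between *marker* and the next ';', or None when absent."""
            if marker not in line:
                return None
            return line.split(marker)[1].split(";")[0]

        rule = _field(r"Rule\: (\d+)")
        level = _field(r"Alert Level\: (\d+)")
        if rule is None or level is None:
            # Without both, the original died later with a TypeError
            # (int([]) / str + []) and the event was lost; say why instead.
            msg = "processOssecSyslog() : error : no rule/level in : " + line
            print(msg)
            syslog.syslog(msg)
            return None

        ruleParts = line.split("Rule: " + rule + " - ")
        if len(ruleParts) < 2:
            msg = "processOssecSyslog() : error : no rule message in : " + line
            print(msg)
            syslog.syslog(msg)
            return None
        ruleMsg = ruleParts[1].split(";")[0].rstrip(".")

        addInfo1 = "LEVEL=" + level
        location = _after("Location: ")
        # NOTE(review): the "user:" branch is garbled (scrubbed) in the source
        # we reviewed; reconstructed by analogy with the "Location:" branch
        # above - confirm against the original file.
        user = _after("user: ")
        srcIP = _field(r"srcip\: (\d+\.\d+\.\d+\.\d+)")
        dstIP = _field(r"dstip\: (\d+\.\d+\.\d+\.\d+)")

        # -------- Snort events relayed through OSSEC ----------
        if "IDS event" in ruleMsg or "First time this IDS alert is generated" in ruleMsg:
            if "{TCP}" in line or "{UDP}" in line:
                endpoints = re.findall(
                    r"(\d+\.\d+\.\d+\.\d+)\:(\d+) -> (\d+\.\d+\.\d+\.\d+)\:(\d+)", line)
                if endpoints:   # the original indexed [0] unconditionally
                    srcPort = endpoints[0][1]
                    dstPort = endpoints[0][3]

            # "[gid:sid:rev]" -> "gid:sid"; stays None when absent (the original
            # left an empty list here, which printed as "[[]]" in the text).
            sidParts = re.findall(r"\[(\d+)\:(\d+)\:\d+\]", line)
            if sidParts:
                sid = sidParts[0][0] + ":" + sidParts[0][1]

            # Snort message: text after the first "]" up to the next "["
            pieces = line.replace("]: ", "").split(']')
            snortMsg = pieces[1].split('[')[0].strip(" ") if len(pieces) > 1 else ""

            # Classification - this is not in every Snort message
            if "Classification: " in line:
                classification = line.split("Classification: ")[1].split("]")[0]
                classification = classification.replace(" ", "_").upper()
            else:
                classification = "UNCLASSIFIED"

            priority = _field(r"Priority\: (\d+)")
            addInfo2 = (snortMsg + ":" + "PRI=" + str(priority) + ":"
                        + "CL=" + classification + ":" + "SID=" + str(sid))

        # Update Attacker Database.
        # NOTE(review): the collapsed source does not make it certain whether
        # this chain sits inside the Snort branch; it is placed at function
        # level because its level-based arm is commented "OSSEC : generic".
        if (priority is not None and int(priority) == 1) or "ATTACK" in line.upper():
            state = "ATTACKING"
        elif priority is not None and int(priority) == 2:
            state = "SCANNING"
        elif priority is not None and int(priority) == 3:
            state = "PROBING"
        elif int(level) < 12:
            state = "ATTACKING"
        else:
            state = "GAINED_ACCESS"
        kojoney_attacker_event.generateAttackerEvent(
            txnId, srcIP, None, sensorId, state, "OSSEC", rule, ruleMsg,
            None, None, None, addInfo1, addInfo2)

        # ---------- IDMEF ----------
        attackerIP = srcIP
        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()

        # Create the IDMEF message
        idmef = PreludeEasy.IDMEF()

        # Sensor / common fields; presumably returns the number of
        # additional_data entries already filled in.
        fieldsSet = kojoney_idmef_common.setIDMEFcommon(
            idmef, "Honeypot", sensorId, srcIP, dstIP, None, attackerIP, line)

        # Classification: ident = OSSEC rule number
        idmef.Set("alert.classification.ident", rule)
        text = "OSSEC " + rule + " : " + ruleMsg
        if sid is not None:
            text = text + " [" + sid + "]"
        idmef.Set("alert.classification.text", text)

        # Source
        if srcIP is not None:
            idmef.Set("alert.source(0).node.address(0).address", srcIP)
            idmef.Set("alert.source(0).service.ip_version", 4)
            if srcPort is not None:
                # the original wrote dstPort into the source port here
                idmef.Set("alert.source(0).service.port", srcPort)

        # Target(s)
        if dstIP is not None:
            idmef.Set("alert.target(0).node.address(0).address", dstIP)
            idmef.Set("alert.target(0).service.ip_version", 4)
            if dstPort is not None:
                idmef.Set("alert.target(0).service.port", dstPort)

        # Targetted User
        if user is not None:
            idmef.Set("alert.target(0).user.category", "application")
            idmef.Set("alert.target(0).user.user_id(0).type", "target-user")
            idmef.Set("alert.target(0).user.user_id(0).name", user)

        # Severity is based on OSSEC Level
        if int(level) >= 12:
            severity = "high"
        elif int(level) >= 7:
            severity = "medium"
        else:
            severity = "low"
        idmef.Set("alert.assessment.impact.severity", severity)

        # Additional Data, appended after the entries setIDMEFcommon filled in.
        # (As in the original, no ".type" is set on these entries.)
        extras = [("OSSEC Level", "Level " + level)]
        if location is not None:
            # was a NameError when "Location:" was absent, losing the alert
            extras.append(("OSSEC Log Location", location))
        for offset, (meaning, data) in enumerate(extras, fieldsSet):
            slot = "alert.additional_data(%s)." % (offset,)
            idmef.Set(slot + "meaning", meaning)
            idmef.Set(slot + "data", data)

        client.SendIDMEF(idmef)
        return None
    except Exception as e:
        msg = "processOssecSyslog() : exception : " + str(e) + " line=" + line + "]"
        print(msg)
        syslog.syslog(msg)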
def sendTelnetIDMEF(srcIP, dstIP, dstPort, user, password, success, logEntry):
    """Send a Prelude IDMEF alert for one login attempt on the telnetd honeypot.

    Parameters:
        srcIP: client address (also reported as the attacker).
        dstIP, dstPort: honeypot address and TCP port.
        user: login name tried; "admin"/"root" (any case) are reported as
            impact type "admin", everything else as "user".
        password: password tried; attached in clear text as additional data
            "password".
        success: True for a successful login (severity "high",
            completion "succeeded"), otherwise "low"/"failed".
        logEntry: raw log record handed to setIDMEFcommon().

    Returns None.  Exceptions are printed and swallowed.
    """
    try:
        attackerIP = srcIP

        # Create a new Prelude client ("blackrain" is the Prelude profile).
        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()

        # Create the IDMEF message
        idmef = PreludeEasy.IDMEF()

        # Sensor / common fields; presumably returns the number of
        # additional_data entries already filled in.
        fieldsSet = kojoney_idmef_common.setIDMEFcommon(
            idmef, "Honeypot", "02DEBE56", srcIP, dstIP, dstPort, attackerIP, logEntry)

        # Classification, endpoints, service and targeted user
        # (protocol details work but are not yet wired to the Argus caller).
        staticFields = [
            ("alert.classification.text", "Telnetd honeypot login"),
            ("alert.source(0).node.address(0).address", srcIP),
            ("alert.target(0).node.address(0).address", dstIP),
            ("alert.target(0).service.port", dstPort),
            ("alert.target(0).service.iana_protocol_name", "tcp"),
            ("alert.target(0).service.iana_protocol_number", 6),
            ("alert.target(0).service.ip_version", 4),
            ("alert.target(0).user.category", "application"),
            ("alert.target(0).user.user_id(0).type", "target-user"),
            ("alert.target(0).user.user_id(0).name", user),
            ("alert.source(0).process.name", "telnetd"),
        ]
        for path, value in staticFields:
            idmef.Set(path, value)

        # Assessment: the login outcome drives severity/completion/description
        if success == True:
            severity, completion = "high", "succeeded"
            description = "Successful attempt to login to Telnet Honeypot"
        else:
            severity, completion = "low", "failed"
            description = "Failed attempt to login to Telnet Honeypot"
        idmef.Set("alert.assessment.impact.severity", severity)
        idmef.Set("alert.assessment.impact.completion", completion)
        idmef.Set("alert.assessment.impact.description", description)
        impactType = "admin" if user.lower() in ("admin", "root") else "user"
        idmef.Set("alert.assessment.impact.type", impactType)

        # Additional Data, appended after the entries setIDMEFcommon filled in
        print("fieldsOffset = %s" % (fieldsSet,))
        slot = "alert.additional_data(%s)." % (fieldsSet,)
        idmef.Set(slot + "type", "string")
        idmef.Set(slot + "meaning", "password")
        idmef.Set(slot + "data", password)

        client.SendIDMEF(idmef)
        return
    except Exception as e:
        print("Exception : " + str(e))
        return
##################
# this program will save all alerts to the "alerts" directory.
#
# known bu^Wfeatures: directory must exist, and old alerts are overwritten if present
##################

# Running counter used to name the output files (1.idmef, 2.idmef, ...).
i = 0

# Output directory: first command-line argument, default "alerts".
# NOTE(review): taken from argv as-is; any existing path is accepted and
# files are created directly under it.
dest_dir = "alerts"
if len(sys.argv) > 1:
    dest_dir = sys.argv[1]
if os.path.exists(dest_dir) == 0:
    print "dir ", dest_dir, " does not exist"
    sys.exit(1)

# Read-only Prelude client (IDMEF_READ) with the heartbeat flag cleared.
client = PreludeEasy.ClientEasy("PolluxTest", PreludeEasy.Client.IDMEF_READ)
client.SetFlags(client.GetFlags() & ~PreludeEasy.Client.HEARTBEAT)
#client.Init()
client.Start()
#ret = client.PoolInit("192.168.33.215", 1)
#print "PoolInit =>",ret


def handle_alert(idmef):
    """Write one received IDMEF message to dest_dir/<i>.idmef.

    Prints the message, bumps the module-level counter and streams the
    message into the file with the bindings' ``>>`` operator.
    NOTE(review): the file handle opened here is not closed in the visible
    code, and the try block continues past the end of this excerpt.
    """
    global i
    try:
        print idmef
        i += 1
        f = open("%s/%d.idmef" % (dest_dir, i), "w")
        idmef >> f
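def sendSpamholedIDMEF(srcIP, dstIP, dstPort, text, count, passthrough, logEntry):
    """Send a Prelude IDMEF alert for a spammer session on the spamhole SMTP honeypot.

    Parameters:
        srcIP: spammer address (also reported as the attacker).
        dstIP, dstPort: honeypot address and TCP port.
        text: classification text of the alert.
        count: connection count, attached as additional data "connection count".
        passthrough: True when the honeypot let the probe mails through
            (completion "succeeded", severity "medium"); otherwise
            "failed" / "low".
        logEntry: raw log record handed to setIDMEFcommon().

    Returns None.  Exceptions are printed and swallowed.
    """
    try:
        attackerIP = srcIP

        # Create a new Prelude client ("blackrain" is the Prelude profile).
        client = PreludeEasy.ClientEasy("blackrain")
        client.Start()

        # Create the IDMEF message
        idmef = PreludeEasy.IDMEF()

        # Sensor / common fields; presumably returns the number of
        # additional_data entries already filled in.
        fieldsSet = kojoney_idmef_common.setIDMEFcommon(
            idmef, "Honeypot", "02DEBE56", srcIP, dstIP, dstPort, attackerIP, logEntry)

        # Classification
        idmef.Set("alert.classification.text", text)

        # Source / Target(s) / Service info
        idmef.Set("alert.source(0).node.address(0).address", srcIP)
        idmef.Set("alert.target(0).node.address(0).address", dstIP)
        idmef.Set("alert.target(0).service.port", dstPort)
        idmef.Set("alert.target(0).service.iana_protocol_name", "tcp")
        idmef.Set("alert.target(0).service.iana_protocol_number", 6)
        idmef.Set("alert.target(0).service.ip_version", 4)
        idmef.Set("alert.source(0).process.name", "spamhole")

        # Assessment.  (The original first stored severity "medium"
        # unconditionally; both branches overwrote it, so that store is gone.)
        if passthrough == True:
            # we are allowing a SPAM through
            completion, severity = "succeeded", "medium"
            description = "Spammer connected with SMTP Honeypot - probe mails permitted"
        else:
            completion, severity = "failed", "low"
            description = "Spammer connected with SMTP Honeypot - probe mails blocked"
        idmef.Set("alert.assessment.impact.completion", completion)
        idmef.Set("alert.assessment.impact.severity", severity)
        idmef.Set("alert.assessment.impact.description", description)

        # Additional Data, appended after the entries setIDMEFcommon filled in
        print("fieldsOffset = %s" % (fieldsSet,))
        slot = "alert.additional_data(%s)." % (fieldsSet,)
        idmef.Set(slot + "type", "string")
        idmef.Set(slot + "meaning", "connection count")
        idmef.Set(slot + "data", count)

        client.SendIDMEF(idmef)
        return
    except Exception as e:
        print("Exception : " + str(e))
        return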