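def deployContainer(self):
    """Start a fresh victim container and take its file-change baseline.

    The container is deliberately started ``privileged`` with 2375/tcp
    published: it is the honeypot's exposed Docker-daemon surface, so this is
    the intended attack surface rather than an accident. On success the new
    container is stored on ``self.container``; on any failure the error is
    logged (with traceback) and ``self.container`` is left unchanged.
    """
    try:
        config = Configuration()
        name = config.get("victimContainerName")
        logger.debug("Deploying new VictimContainer [%s]", name)
        container = self.cli.containers.run(
            image=config.get("victimContainerImage"),
            name=name,
            network=config.get("victimNetworkName"),
            privileged=True,
            restart_policy={"Name": "on-failure"},
            ports={'2375/tcp': 2375},
            detach=True,
            # Resolvers are hard-coded here rather than read from configuration.
            dns=['8.8.8.8', '8.8.4.4'])
        self.container = container
        logger.debug(
            "waiting 10 seconds for container to stabilise and baseline for file changes..."
        )
        # Let start-up writes finish before the baseline is taken, so they are
        # not later reported as attacker-made file changes.
        time.sleep(10)
        self.resetBaselineFileChanges()
        logger.info("deployed new container [%s]", container.name)
    except Exception as e:
        # Best-effort deploy: keep the original message but record the
        # traceback, so a failed honeypot start can actually be diagnosed.
        logger.exception("failed deploying new container [%s]", e)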
def __init__(self):
    """Create the victim/host Docker clients, the fingerprint service and load saved reports."""
    logger.info("Initialising Whaler")
    config = Configuration()
    victim_url = config.get("dockerDaemonVictimUrl")
    self.victimCli = docker.DockerClient(base_url=victim_url)
    host_url = config.get("dockerDaemonHostUrl")
    self.hostCli = docker.DockerClient(base_url=host_url)
    self.fingerprintService = FingerprintService()
    self.reports = self.loadReports()
def redeployContainer(self):
    """Redeploy the victim container unless ``victimContainerDisableRedeploy`` is set."""
    disabled = Configuration().get("victimContainerDisableRedeploy")
    if not disabled:
        BaseContainer.redeployContainer(self)
        return
    # Redeploy is switched off in configuration (used while testing).
    logger.info(
        "Skipping redeploy container, disabled in configuration for testing"
    )
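def onStart(self, container):
    """Handle a container that an attacker started on the victim daemon.

    The container is left running for ``maliciousContainerRunDurationSeconds``
    to generate evidence, then stopped and a report (with fingerprint) is
    saved. A known fingerprint only triggers a redeploy of the victim and
    capture containers; an unknown one additionally snapshots the
    container(s) and archives the pcap under ``dataDirectory``. Volumes on
    both daemons are pruned afterwards.

    Args:
        container: docker SDK container object reported as started.
    """
    config = Configuration()
    image = container.image
    tags = image.tags
    run_seconds = config.get("maliciousContainerRunDurationSeconds")
    logger.info(
        "New container reported [%s] image %s will terminate in [%s] seconds",
        container.name, tags, run_seconds)
    # Image tag and container name come from the attacker-created container,
    # and an image built on the daemon may carry no tag at all; the original
    # tags[0] would raise IndexError and lose the evidence run.
    tag = tags[0] if tags else "untagged"
    # Read the clock once so the date and minute cannot straddle a boundary.
    now = datetime.datetime.now()
    outputFolder = "%s/%s/%s/%s/%s" % (
        config.get("dataDirectory"),
        now.strftime('%Y%m%d'),
        now.strftime('%H%M'),
        tag,
        container.name)
    if not os.path.exists(outputFolder):
        os.makedirs(outputFolder)
    time.sleep(run_seconds)
    self.victimContainer.stopContainer(container)
    report = self.getReport(container, image)
    self.saveReport(report)
    if self.fingerprintService.isKnownContainer(report['fingerprint']):
        logger.info(
            "Found fingerprint match, will not archive container, or pcap")
    else:
        # New attack: snapshot the container(s) and archive the pcap before
        # the redeploy below discards them.
        self.victimContainer.snapshotContainer(container,
                                               outputFolder + "/snapshots")
        # Archiving also restarts the capture container and saves its pcap.
        self.captureContainer.archiveCaptureFile(container, outputFolder)
        self.victimContainer.snapshotVictimContainer(outputFolder)
    self.victimContainer.redeployContainer()
    self.captureContainer.redeployContainer()
    # Attacker-created volumes are not removed by the redeploy; prune them on
    # both daemons so they cannot accumulate between attacks.
    self.victimCli.volumes.prune()
    self.hostCli.volumes.prune()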
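def loadReports(self):
    """Load previously saved reports from ``reportFolder``/reports.json.

    Creates the report folder when it does not exist yet. A malformed
    reports file is not swallowed: it raises, rather than silently starting
    with an empty list that the next saveReport would overwrite.

    Returns:
        list: the decoded reports, or ``[]`` when no reports file exists.
    """
    reportFolder = Configuration().get("reportFolder")
    if not os.path.exists(reportFolder):
        os.makedirs(reportFolder)
    reportsFile = os.path.join(reportFolder, 'reports.json')
    if not os.path.exists(reportsFile):
        return []
    with open(reportsFile) as json_data_file:
        return json.load(json_data_file)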
def __init__(self):
    """Bind this wrapper to the victim container on the host daemon and open a client for the victim daemon."""
    config = Configuration()
    host_url = config.get("dockerDaemonHostUrl")
    victim_name = config.get("victimContainerName")
    BaseContainer.__init__(self, host_url, victim_name)
    victim_url = config.get("dockerDaemonVictimUrl")
    self.victimCli = self.getCli(victim_url)
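def saveReport(self, report):
    """Append *report* to the in-memory list and persist all reports to disk.

    The JSON is written to a temporary file in the report folder and then
    renamed over reports.json, so an exception part-way through the dump
    (e.g. a report containing a non-serialisable value) cannot leave a
    truncated reports file that loadReports would fail to parse on the next
    start. The report is kept in ``self.reports`` even if the write fails.

    Args:
        report: the report produced by getReport for one container.
    """
    reportFolder = Configuration().get("reportFolder")
    reportsFile = os.path.join(reportFolder, 'reports.json')
    tmpFile = reportsFile + '.tmp'
    self.reports.append(report)
    try:
        with open(tmpFile, 'w') as outfile:
            json.dump(self.reports, outfile)
        # Atomic replace: readers see either the old or the complete new file.
        os.replace(tmpFile, reportsFile)
    except BaseException:
        if os.path.exists(tmpFile):
            os.remove(tmpFile)
        raise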