Exemple #1
def kippo():
    """Start the Kippo module: load its settings and open the MySQL database.

    Reads the KIPPO items from ECFG["cfgfile"], substitutes the global
    ECFG["ip"] when the section's own ``ip`` is "false" or "null", and connects
    to MySQL with a DictCursor. A MySQLdb error is reported through logme().
    The listing stops after the connection attempt.
    """
    MODUL = "KIPPO"
    logme(MODUL, "Starting Kippo Modul.", ("P1"), ECFG)

    # The item list includes the database password, so the config file should
    # only be readable by the account that runs this collector.
    ITEMS = ("kippo", "nodeid", "mysqlhost", "mysqldb", "mysqluser", "mysqlpw")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    # Per-module address, or the global one when none is configured.
    own_ip = readonecfg(MODUL, "ip", ECFG["cfgfile"])
    HONEYPOT["ip"] = ECFG["ip"] if own_ip.lower() in ("false", "null") else own_ip

    try:
        con = MySQLdb.connect(
            host=HONEYPOT["mysqlhost"],
            user=HONEYPOT["mysqluser"],
            passwd=HONEYPOT["mysqlpw"],
            db=HONEYPOT["mysqldb"],
            cursorclass=MySQLdb.cursors.DictCursor,
        )
    except MySQLdb.Error as e:
        logme(MODUL, "[ERROR] %s" % (str(e)), ("P3", "LOG"), ECFG)
Exemple #2
def kippo():
    """Load the KIPPO settings and try to connect to the honeypot's MySQL DB.

    The module ``ip`` falls back to ECFG["ip"] when it is "false" or "null".
    Connection failures are logged, not raised. The listing ends after the
    connection attempt.
    """
    MODUL = "KIPPO"
    logme(MODUL, "Starting Kippo Modul.", ("P1"), ECFG)

    # collect honeypot config dict (includes the MySQL credentials)
    ITEMS = ("kippo", "nodeid", "mysqlhost", "mysqldb", "mysqluser", "mysqlpw")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])
    if HONEYPOT["ip"].lower() in ("false", "null"):
        HONEYPOT["ip"] = ECFG["ip"]

    # open database
    params = dict(
        host=HONEYPOT["mysqlhost"],
        user=HONEYPOT["mysqluser"],
        passwd=HONEYPOT["mysqlpw"],
        db=HONEYPOT["mysqldb"],
        cursorclass=MySQLdb.cursors.DictCursor,
    )
    try:
        con = MySQLdb.connect(**params)
    except MySQLdb.Error as e:
        logme(MODUL, "[ERROR] %s" % (str(e)), ("P3", "LOG"), ECFG)
Exemple #3
def cowrie():
    """Read new lines of the Cowrie JSON log and collect login attempts per session.

    Starting after the line number held in the 'fileline' counter, each log
    line is parsed as JSON and folded into a per-session record. Every
    successful or failed login appends a copy of that record to
    ``sessionstosend``. The listing ends inside the read loop, so what is done
    with the collected records afterwards is not visible here.
    """

    MODUL = "COWRIE"
    logme(MODUL, "Starting Cowrie Modul.", ("P1"), ECFG)

    # collect honeypot config dic

    ITEMS = ("cowrie", "nodeid", "logfile")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])

    # fall back to the global address when the module has none configured
    if HONEYPOT["ip"].lower() == "false" or HONEYPOT["ip"].lower() == "null":
        HONEYPOT["ip"] = ECFG["ip"]

    # logfile file exists ?
    # NOTE(review): the message says "Skip !" but there is no return here, so
    # execution continues into the read loop with a missing file - confirm
    # that getline() then yields an empty line so the loop stops at once.

    if os.path.isfile(HONEYPOT["logfile"]) is False:
        logme(MODUL,
              "[ERROR] Missing LogFile " + HONEYPOT["logfile"] + ". Skip !",
              ("P3", "LOG"), ECFG)

    # count limit
    # imin is the last log line already handled (read from the 'fileline' counter)

    imin = int(countme(MODUL, 'fileline', -1, ECFG))

    if int(ECFG["sendlimit"]) > 0:
        logme(
            MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) +
            ". Adapting to limit!", ("P1"), ECFG)

    # I counts the lines read in this run; x and y are handed to viewcounter()
    I = 0
    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    # dict to gather session information
    cowriesessions = {}
    sessionstosend = []

    while True:

        x, y = viewcounter(MODUL, x, y)

        I += 1

        # stop once the configured number of lines has been read
        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break

        line = getline(HONEYPOT["logfile"], (imin + I)).rstrip()
        currentline = imin + I

        # an empty line is taken as the end of the log
        if len(line) == 0:
            break
        else:
            # parse json
            # Everything in `content` comes from the honeypot log, and fields
            # such as username, password and version are presumably whatever
            # the remote client sent - treat them as untrusted downstream.
            try:
                content = json.loads(line)
            except ValueError, e:
                # NOTE(review): the message reports I (offset within this run),
                # not currentline (position in the file) - confirm which is meant.
                logme(
                    MODUL, "Invalid json entry found in line " + str(I) +
                    ", skipping entry.", ("P3"), ECFG)
                countme(MODUL, 'fileline', -2, ECFG)
                countme(MODUL, 'daycounter', -2, ECFG)
                pass  # invalid json
            else:
                # NOTE(review): the key lookups below raise KeyError (or
                # TypeError for a non-object JSON value) when a line lacks an
                # expected field; nothing in the visible code catches that.
                # if new session is started, store session-related info
                if (content['eventid'] == "cowrie.session.connect"):
                    # create empty session content: structure will be the same as kippo
                    # | id  | username | password | success | logintimestamp | session | sessionstarttime| sessionendtime | ip | cowrieip | version| src_port|dst_port
                    cowriesessions[content["session"]] = [
                        I, '', '', '', '', content["session"],
                        content["timestamp"], '', content["src_ip"],
                        content["sensor"], '', content["src_port"],
                        content["dst_port"]
                    ]

                # store corresponding ssh client version (index 10)
                if (content['eventid'] == "cowrie.client.version"):
                    if content["session"] in cowriesessions:
                        cowriesessions[
                            content["session"]][10] = content["version"]

                # create successful login: fill id, result, credentials and
                # login time, then queue a snapshot of the session record
                if (content['eventid'] == "cowrie.login.success"):
                    if content["session"] in cowriesessions:
                        cowriesessions[content["session"]][0] = currentline
                        cowriesessions[content["session"]][3] = "Success"
                        cowriesessions[
                            content["session"]][1] = content["username"]
                        cowriesessions[
                            content["session"]][2] = content["password"]
                        cowriesessions[
                            content["session"]][4] = content["timestamp"]
                        sessionstosend.append(
                            deepcopy(cowriesessions[content["session"]]))

                # create failed login (same fields, result "Fail")
                elif (content['eventid'] == "cowrie.login.failed"):
                    if content["session"] in cowriesessions:
                        cowriesessions[content["session"]][0] = currentline
                        cowriesessions[content["session"]][3] = "Fail"
                        cowriesessions[
                            content["session"]][1] = content["username"]
                        cowriesessions[
                            content["session"]][2] = content["password"]
                        cowriesessions[
                            content["session"]][4] = content["timestamp"]
                        sessionstosend.append(
                            deepcopy(cowriesessions[content["session"]]))

                # store session close: stamp the end time (index 7) on every
                # queued record of that session; n is not used
                if (content['eventid'] == "cowrie.session.closed"):
                    for n, i in enumerate(sessionstosend):
                        if (i[5] == content["session"]):
                            i[7] = content["timestamp"]
Exemple #4
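def glastopfv3():
    """Forward new Glastopf v3 events from its SQLite database as EWS alerts.

    Reads the GLASTOPFV3 settings, selects the events whose id lies between
    the stored 'sqliteid' counter and the limit computed by calcminmax(), and
    turns each row into one EWS alert and one JSON record. Empty requests and
    the monitoring probe URL are counted but not reported.

    The request fields stored by the honeypot are attacker-supplied HTTP data:
    they are only passed on URL-quoted or base64-encoded, and a row with a
    missing or malformed field must not abort the whole batch.
    """
    MODUL = "GLASTOPFV3"
    logme(MODUL, "Starting Glastopf V3.x Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("glastopfv3", "nodeid", "sqlitedb", "malwaredir")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])
    if HONEYPOT["ip"].lower() in ("false", "null"):
        HONEYPOT["ip"] = ECFG["ip"]

    # The malware directory is deliberately not checked: Glastopf creates the
    # RFI directory only when the first RFI payload has been downloaded.

    if os.path.isfile(HONEYPOT["sqlitedb"]) is False:
        logme(
            MODUL, "[INFO] Missing sqlitedb file " + HONEYPOT["sqlitedb"] +
            ". Skip !", ("P3", "LOG"), ECFG)
        return

    # Open the database and release it on every path, including the early
    # return for an empty table and any error while querying.
    con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
    try:
        con.row_factory = sqlite3.Row
        c = con.cursor()

        # calculate send limit
        c.execute("SELECT max(id) from events")
        maxid = c.fetchone()["max(id)"]

        if maxid is None:
            logme(MODUL, "[INFO] No entry's in Glastopf Database. Skip !",
                  ("P2", "LOG"), ECFG)
            return

        imin, imax = calcminmax(MODUL,
                                int(countme(MODUL, 'sqliteid', -1, ECFG)),
                                int(maxid), ECFG)

        # read alerts from database (ids are bound, not formatted into the SQL)
        c.execute("SELECT * from events where id > ? and id <= ?;",
                  (imin, imax))
        rows = c.fetchall()
    finally:
        con.close()

    # counter inits
    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    for row in rows:

        x, y = viewcounter(MODUL, x, y)
        columns = row.keys()

        # filter empty requests and nagios checks
        if row["request_url"] in (os.sep,
                                  "/index.do?hash=DEADBEEF&activate=1"):
            countme(MODUL, 'sqliteid', row["id"], ECFG)
            continue

        # Prepare and collect alert data; the source column is "address:port"
        source_ip = re.sub(":.*$", "", row["source"])

        DATA = {
            "aid": HONEYPOT["nodeid"],
            "timestamp": row["time"],
            "sadr": source_ip,
            "sipv": "ipv" + ip4or6(source_ip),
            "sprot": "tcp",
            "sport": "",
            "tipv": "ipv" + ip4or6(HONEYPOT["ip"]),
            "tadr": HONEYPOT["ip"],
            "tprot": "tcp",
            "tport": "80",
        }

        REQUEST = {
            "description": "WebHoneypot : Glastopf v3.1",
            "url": urllib.quote(row["request_url"].encode('ascii', 'ignore'))
        }

        # A NULL column reads back as None, so test truthiness instead of len()
        raw = row["request_raw"] if "request_raw" in columns else None
        if raw:
            REQUEST["raw"] = base64.encodestring(raw.encode('ascii', 'ignore'))

        if "filename" in columns and row["filename"] is not None:
            error, malwarefile = malware(HONEYPOT["malwaredir"],
                                         row["filename"],
                                         ECFG["del_malware_after_send"])
            if error == 0:
                REQUEST["binary"] = malwarefile
            else:
                logme(MODUL, "Mission Malwarefile %s" % row["filename"],
                      ("P1", "LOG"), ECFG)

        # Collect additional Data
        ADATA = {
            "sqliteid": row["id"],
        }

        if "request_method" in columns:
            ADATA["httpmethod"] = row["request_method"]

        if raw:
            m = re.search(r'Host: (\b.+\b)', raw, re.M)
            if m:
                ADATA["host"] = str(m.group(1))

        if "request_header" in columns:
            # Parse the stored header once; a header that is not valid JSON or
            # not an object keeps whatever host the raw request yielded.
            try:
                headers = json.loads(row["request_header"])
            except (TypeError, ValueError):
                headers = None
            if isinstance(headers, dict) and 'Host' in headers:
                ADATA["host"] = str(headers["Host"])

        if "request_body" in columns and row["request_body"]:
            ADATA["requestbody"] = row["request_body"]

        # Each row is added to the EWS message exactly once, matching the one
        # JSON record built for it.
        esm = buildews(esm, DATA, REQUEST, ADATA)
        jesm = buildjson(jesm, DATA, REQUEST, ADATA)

        countme(MODUL, 'sqliteid', row["id"], ECFG)
        countme(MODUL, 'daycounter', -2, ECFG)

        if ECFG["a.verbose"] is True:
            verbosemode(MODUL, DATA, REQUEST, ADATA)

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"),
              ECFG)
    return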
Exemple #5
        logme(MODUL, "EWSrun finish.", ("P1", "EXIT"), ECFG)

    # Main loop: one pass over the enabled honeypot modules per iteration.
    while True:

        if ECFG["a.daycounter"] is True:
            daycounterreset(lock, ECFG)

        # sender() is skipped in ews-only mode
        if ECFG["a.ewsonly"] is False:
            sender()

        for i in ("glastopfv3", "glastopfv2", "kippo", "dionaea", "honeytrap",
                  "rdpdetect", "emobility", "conpot", "cowrie"):

            if ECFG["a.modul"]:
                # A single module was requested: ignore every other name.
                if ECFG["a.modul"] != i:
                    continue
                if readonecfg(i.upper(), i,
                              ECFG["cfgfile"]).lower() == "true":
                    # eval() only ever receives a name from the literal tuple
                    # above, never config or command-line text. A name ->
                    # function mapping would make that guarantee structural.
                    eval(i + '()')
                    break

            if readonecfg(i.upper(), i, ECFG["cfgfile"]).lower() == "true":
                eval(i + '()')

        # a.loop == 0 means a single pass; otherwise wait and go again
        if int(ECFG["a.loop"]) == 0:
            logme(MODUL, "EWSrun finish.", ("P1"), ECFG)
            break

        logme(MODUL, "Sleeping for %s seconds ...." % ECFG["a.loop"], ("P1"),
              ECFG)
        time.sleep(int(ECFG["a.loop"]))
Exemple #6
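def ecfg(name, version):
    """Build the EWS Poster runtime configuration.

    Command-line switches are stored under ``a.*`` keys, then the MAIN, EWS,
    HPFEED and EWSJSON sections of ``ews.cfg`` are read, validated and merged
    into one dict. Fatal problems are reported through logme() with the
    "EXIT" flag (presumably terminating the process - confirm in logme).

    Args:
        name: program name used in the banner and ``--version`` output.
        version: program version string.

    Returns:
        dict with the merged settings. It also carries the EWS token and the
        hpfeeds secret, so it should not be dumped to logs as a whole.
    """
    MODUL = "EINIT"

    ECFG = {}

    # One list serves both argparse validation and the later sanity check.
    modul_choices = [
        'glastopfv3', 'glastopfv2', 'kippo', 'dionaea', 'honeytrap',
        'rdpdetect', 'emobility', 'conpot', 'cowrie', 'elasticpot',
        'suricata', 'rdpy', 'mailoney', 'vnclowpot', 'heralding',
        'ciscoasa', 'tanner', 'glutton'
    ]

    parser = argparse.ArgumentParser()
    parser.add_argument("-c", "--configpath",
                        help="Load configuration file from Path")
    parser.add_argument("-v", "--verbose",
                        help="set output verbosity", action="store_true")
    parser.add_argument("-d", "--debug",
                        help="set output debug", action="store_true")
    parser.add_argument(
        "-l", "--loop",
        help="Go in endless loop. Set {xx} for seconds to wait for next loop",
        type=int, default=0, action="store")
    parser.add_argument("-m", "--modul",
                        help="only send alerts for this modul",
                        choices=modul_choices, action="store")
    parser.add_argument("-s", "--silent",
                        help="silent mode without output", action="store_true")
    parser.add_argument("-i", "--ignorecert",
                        help="ignore certificate warnings",
                        action="store_true")
    parser.add_argument("-S", "--sendonly",
                        help="only send unsend alerts", action="store_true")
    parser.add_argument("-E", "--ewsonly",
                        help="only generate ews alerts files",
                        action="store_true")
    parser.add_argument("-dcr", "--daycounter",
                        help="reset and log daycounters for all honeypots",
                        action="store_true")
    parser.add_argument("-j", "--jsonpath",
                        help="Write JSON output file to path")
    parser.add_argument(
        "-L", "--sendlimit",
        help="Set {xxx} for max alerts will send in one session",
        type=int, action="store")
    parser.add_argument("-V", "--version",
                        help="show the EWS Poster Version",
                        action="version", version=name + " " + version)

    args = parser.parse_args()

    ECFG["sendlimit2"] = args.sendlimit if args.sendlimit else ""
    ECFG["a.loop"] = args.loop if args.loop else 0

    # All switches are set before the first logme() call that receives ECFG.
    for switch in ("verbose", "debug", "ignorecert", "silent", "daycounter",
                   "sendonly", "ewsonly"):
        ECFG["a." + switch] = bool(getattr(args, switch))

    if args.configpath:
        ECFG["path2"] = args.configpath

        if os.path.isdir(args.configpath) is not True:
            logme(MODUL,
                  "ConfigPath %s did not exist. Abort !" % (args.configpath),
                  ("P1", "EXIT"), ECFG)
    else:
        ECFG["path2"] = ""

    if args.modul and args.modul in modul_choices:
        ECFG["a.modul"] = args.modul
    else:
        ECFG["a.modul"] = ""

    if args.jsonpath:
        ECFG["a.jsondir"] = args.jsonpath

        if os.path.isdir(args.jsonpath) is not True:
            logme(MODUL,
                  "JsonPath %s did not exist. Abort !" % (args.jsonpath),
                  ("P1", "EXIT"), ECFG)
    else:
        ECFG["a.jsondir"] = ""

    # say hello

    logme(
        MODUL, name + " " + version +
        " (c) by Markus Schroer <*****@*****.**>\n", ("P0"), ECFG)

    # read EWSPoster Main Path

    ECFG["path"] = os.path.dirname(os.path.abspath(__file__)).replace(
        "/moduls", "")

    if ECFG["path2"] == "":
        ECFG["path2"] = ECFG["path"]

    cfgfile = ECFG["path2"] + os.sep + "ews.cfg"

    if os.path.isfile(cfgfile) is False:
        logme(MODUL, "Missing EWS Config %s. Abort !" % (cfgfile),
              ("P1", "EXIT"), ECFG)
    else:
        ECFG["cfgfile"] = cfgfile

    # Create IDX File if not exist; close the descriptor straight away so it
    # is not left open for the lifetime of the process.

    idxfile = ECFG["path"] + os.sep + "ews.idx"

    if os.path.isfile(idxfile) is False:
        os.close(os.open(idxfile, os.O_RDWR | os.O_CREAT))
        logme(MODUL, "Create ews.idx counterfile", ("P1"), ECFG)

    # Read Main Config Parameter

    ITEMS = ("homedir", "spooldir", "logdir", "contact",
             "del_malware_after_send", "send_malware", "sendlimit")
    MCFG = readcfg("MAIN", ITEMS, ECFG["cfgfile"])

    # IP Handling: try to determine the external IP

    MCFG["ip"] = getOwnExternalIP(ECFG)

    if not MCFG["ip"]:
        logme(
            MODUL,
            "External IP address cannot be determined. Set external IP in ews.cfg, ews.ip or env variable MY_EXTIP or allow external api request.. Abort !",
            ("P1", "EXIT"), ECFG)

    logme(MODUL, "Using external IP address " + str(MCFG["ip"]), ("P1", "Log"),
          ECFG)

    # sendlimit: the command line overrides the config file

    if ECFG["sendlimit2"] != "":
        MCFG["sendlimit"] = ECFG["sendlimit2"]

    # Parse first: an unset value ("NULL"/"UNKNOW") or any other non-number
    # must produce the configuration error, not an uncaught ValueError.
    try:
        limit = int(MCFG["sendlimit"])
    except (TypeError, ValueError):
        limit = None

    if limit is None:
        logme(
            MODUL, "Error Sendlimit " + str(MCFG["sendlimit"]) +
            " Must set between 1 and 500. ", ("P1", "EXIT"), ECFG)
    elif limit > 500:
        logme(
            MODUL, "Error Sendlimit " + str(MCFG["sendlimit"]) +
            " to high. Max 500 ! ", ("P1", "EXIT"), ECFG)
    elif limit < 1:
        logme(
            MODUL,
            "Error Sendlimit " + str(MCFG["sendlimit"]) + " to low. Min 1 ! ",
            ("P1", "EXIT"), ECFG)

    # send_malware / del_malware_after_send: "true" (any case) enables

    MCFG["send_malware"] = MCFG["send_malware"].lower() == "true"
    MCFG["del_malware_after_send"] = (
        MCFG["del_malware_after_send"].lower() == "true")

    # home dir available ?

    if os.path.isdir(MCFG["homedir"]) is not True:
        logme(MODUL, "Error missing homedir " + MCFG["homedir"] + " Abort !",
              ("P1", "EXIT"), ECFG)
    else:
        os.chdir(MCFG["homedir"])

    # spool dir available ?

    if os.path.isdir(MCFG["spooldir"]) is not True:
        logme(MODUL, "Error missing spooldir " + MCFG["spooldir"] + " Abort !",
              ("P1", "EXIT"), ECFG)

    # log dir available ? A configured directory that does not exist is an
    # error rather than a silent switch to /var/log.

    MCFG["logdir"] = readonecfg("MAIN", "logdir", ECFG["cfgfile"])

    if MCFG["logdir"] in ("NULL", "FALSE"):
        MCFG["logfile"] = "/var/log" + os.sep + "ews.log"
    elif os.path.isdir(MCFG["logdir"]) is True:
        MCFG["logfile"] = MCFG["logdir"] + os.sep + "ews.log"
    else:
        logme(MODUL, "Error missing logdir " + MCFG["logdir"] + " Abort !",
              ("P1", "EXIT"), ECFG)

    # Proxy Settings ?
    # NOTE(review): this reads "proxy" from section MODUL ("EINIT"), while the
    # other main settings come from "MAIN" - confirm the section name.

    MCFG["proxy"] = readonecfg(MODUL, "proxy", ECFG["cfgfile"])

    # Read EWS Config Parameter

    ITEMS = ("ews", "username", "token", "rhost_first", "rhost_second")
    EWSCFG = readcfg("EWS", ITEMS, ECFG["cfgfile"])

    EWSCFG["ews"] = EWSCFG["ews"].lower() == "true"

    # The config file can switch certificate checks off as well as -i.
    # NOTE(review): if this disables TLS verification for the submission
    # hosts, the username/token sent there lose their protection against
    # interception; prefer installing the proper CA certificate.

    EWSCFGCERT = readonecfg("EWS", "ignorecert", ECFG["cfgfile"])

    if EWSCFGCERT.lower() == "true":
        ECFG["a.ignorecert"] = True

    # Read HPFEED Config Parameter

    ITEMS = ("hpfeed", "host", "port", "channels", "ident", "secret")
    HCFG = readcfg("HPFEED", ITEMS, ECFG["cfgfile"])

    HCFG["hpfeed"] = HCFG["hpfeed"].lower() == "true"

    # Read EWSJSON Config Parameter

    ITEMS = ("json", "jsondir")
    EWSJSON = readcfg("EWSJSON", ITEMS, ECFG["cfgfile"])

    if EWSJSON["json"].lower() == "true":
        EWSJSON["json"] = True

        if os.path.isdir(EWSJSON["jsondir"]) is True:
            EWSJSON["jsondir"] = EWSJSON["jsondir"] + os.sep + "ews.json"
        else:
            logme(MODUL,
                  "Error missing jsondir " + EWSJSON["jsondir"] + " Abort !",
                  ("P1", "EXIT"), ECFG)
    else:
        EWSJSON["json"] = False

    # -j/--jsonpath overrides the config file and enables JSON output
    if ECFG["a.jsondir"] != "" and os.path.isdir(ECFG["a.jsondir"]) is True:
        EWSJSON["json"] = True
        EWSJSON["jsondir"] = ECFG["a.jsondir"] + os.sep + "ews.json"

    ECFG.update(MCFG)
    ECFG.update(EWSCFG)
    ECFG.update(HCFG)
    ECFG.update(EWSJSON)

    return ECFG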
Exemple #7
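def ecfg(name,version):
    """Build the EWS Poster runtime configuration.

    Command-line switches are stored under ``a.*`` keys, then the MAIN, EWS,
    HPFEED and EWSJSON sections of ``ews.cfg`` are read, validated and merged
    into one dict. Fatal problems are reported through logme() with the
    "EXIT" flag (presumably terminating the process - confirm in logme).

    Args:
        name: program name used in the banner and ``--version`` output.
        version: program version string.

    Returns:
        dict with the merged settings. It also carries the EWS token and the
        hpfeeds secret, so it should not be dumped to logs as a whole.
    """
    MODUL = "EINIT"

    ECFG = {}

    parser = argparse.ArgumentParser()
    parser.add_argument("-c", "--configpath", help="Load configuration file from Path")
    parser.add_argument("-v", "--verbose", help="set output verbosity", action="store_true")
    parser.add_argument("-d", "--debug", help="set output debug", action="store_true")
    parser.add_argument("-s", "--silent", help="silent mode without output", action="store_true")
    parser.add_argument("-S", "--sendonly", help="only send unsend alerts", action="store_true")
    parser.add_argument("-E", "--ewsonly", help="only generate ews alerts files", action="store_true")
    parser.add_argument("-dcr", "--daycounter", help="reset and log daycounters for all honeypots", action="store_true")
    parser.add_argument("-V", "--version", help="show the EWS Poster Version", action="version", version=name + " " + version)

    args = parser.parse_args()

    # All switches are set before the first logme() call that receives ECFG.
    for switch in ("verbose", "debug", "silent", "daycounter", "sendonly", "ewsonly"):
        ECFG["a." + switch] = bool(getattr(args, switch))

    if args.configpath:
        ECFG["path2"] = args.configpath

        if os.path.isdir(args.configpath) is not True:
            logme(MODUL, "ConfigPath %s did not exist. Abort !" % (args.configpath), ("P1", "EXIT"), ECFG)
    else:
        ECFG["path2"] = ""

    # say hello

    logme(MODUL, name + " " + version + " (c) by Markus Schroer <*****@*****.**>\n", ("P0"), ECFG)

    # read EWSPoster Main Path

    ECFG["path"] = os.path.dirname(os.path.abspath(__file__)).replace("/moduls", "")

    if ECFG["path2"] == "":
        ECFG["path2"] = ECFG["path"]

    cfgfile = ECFG["path2"] + os.sep + "ews.cfg"

    if os.path.isfile(cfgfile) is False:
        logme(MODUL, "Missing EWS Config %s. Abort !" % (cfgfile), ("P1", "EXIT"), ECFG)
    else:
        ECFG["cfgfile"] = cfgfile

    # Create IDX File if not exist; close the descriptor straight away so it
    # is not left open for the lifetime of the process.

    idxfile = ECFG["path"] + os.sep + "ews.idx"

    if os.path.isfile(idxfile) is False:
        os.close(os.open(idxfile, os.O_RDWR | os.O_CREAT))
        logme(MODUL, "Create ews.idx counterfile", ("P1"), ECFG)

    # Read Main Config Parameter

    ITEMS = ("homedir", "spooldir", "logdir", "contact", "del_malware_after_send", "send_malware", "sendlimit")
    MCFG = readcfg("MAIN", ITEMS, ECFG["cfgfile"])

    # IP Handling: an ews.ip file next to the config overrides ews.cfg

    ewsip = ECFG["path2"] + os.sep + "ews.ip"

    MCFG["ip"] = readonecfg("MAIN", "ip", ECFG["cfgfile"])

    if os.path.isfile(ewsip) is True:
        MCFG["ip"] = readonecfg("MAIN", "ip", ewsip)
        if MCFG["ip"].lower() == "null":
            logme(MODUL, "Error IP Address in File " + ewsip + " not set. Abort !", ("P1", "EXIT"), ECFG)

    if MCFG["ip"].lower() == "null" or MCFG["ip"].lower() == "false":
        logme(MODUL, "Error IP Address in ews.cfg not set or null. Abort !", ("P1", "EXIT"), ECFG)

    # sendlimit: parse first, so an unset value ("NULL"/"UNKNOW") or any other
    # non-number produces the configuration error, not an uncaught ValueError.

    try:
        limit = int(MCFG["sendlimit"])
    except (TypeError, ValueError):
        limit = None

    if limit is None:
        logme(MODUL, "Error Sendlimit " + str(MCFG["sendlimit"]) + " Must set between 1 and 400. ", ("P1", "EXIT"), ECFG)
    elif limit > 400:
        logme(MODUL, "Error Sendlimit " + str(MCFG["sendlimit"]) + " to high. Max 400 ! ", ("P1", "EXIT"), ECFG)
    elif limit < 1:
        logme(MODUL, "Error Sendlimit " + str(MCFG["sendlimit"]) + " to low. Min 1 ! ", ("P1", "EXIT"), ECFG)

    # send_malware / del_malware_after_send: "true" (any case) enables

    MCFG["send_malware"] = MCFG["send_malware"].lower() == "true"
    MCFG["del_malware_after_send"] = MCFG["del_malware_after_send"].lower() == "true"

    # home dir available ?

    if os.path.isdir(MCFG["homedir"]) is not True:
        logme(MODUL, "Error missing homedir " + MCFG["homedir"] + " Abort !", ("P1", "EXIT"), ECFG)
    else:
        os.chdir(MCFG["homedir"])

    # spool dir available ?

    if os.path.isdir(MCFG["spooldir"]) is not True:
        logme(MODUL, "Error missing spooldir " + MCFG["spooldir"] + " Abort !", ("P1", "EXIT"), ECFG)

    # log dir available ? A configured directory that does not exist is an
    # error rather than a silent switch to /var/log.

    MCFG["logdir"] = readonecfg("MAIN", "logdir", ECFG["cfgfile"])

    if MCFG["logdir"] in ("NULL", "FALSE"):
        MCFG["logfile"] = "/var/log" + os.sep + "ews.log"
    elif os.path.isdir(MCFG["logdir"]) is True:
        MCFG["logfile"] = MCFG["logdir"] + os.sep + "ews.log"
    else:
        logme(MODUL, "Error missing logdir " + MCFG["logdir"] + " Abort !", ("P1", "EXIT"), ECFG)

    # Proxy Settings ?
    # NOTE(review): this reads "proxy" from section MODUL ("EINIT"), while the
    # other main settings come from "MAIN" - confirm the section name.

    MCFG["proxy"] = readonecfg(MODUL, "proxy", ECFG["cfgfile"])

    # Read EWS Config Parameter

    ITEMS = ("ews", "username", "token", "rhost_first", "rhost_second")
    EWSCFG = readcfg("EWS", ITEMS, ECFG["cfgfile"])

    EWSCFG["ews"] = EWSCFG["ews"].lower() == "true"

    # Read HPFEED Config Parameter

    ITEMS = ("hpfeed", "host", "port", "channels", "ident", "secret")
    HCFG = readcfg("HPFEED", ITEMS, ECFG["cfgfile"])

    HCFG["hpfeed"] = HCFG["hpfeed"].lower() == "true"

    # Read EWSJSON Config Parameter

    ITEMS = ("json", "jsondir")
    EWSJSON = readcfg("EWSJSON", ITEMS, ECFG["cfgfile"])

    EWSJSON["json"] = EWSJSON["json"].lower() == "true"

    # NOTE(review): the directory is required even when json is disabled, so
    # an unset jsondir aborts start-up - confirm this is intended.
    if EWSJSON["jsondir"] != "NULL" and EWSJSON["jsondir"] != "FALSE" and os.path.isdir(EWSJSON["jsondir"]) is True:
        EWSJSON["jsondir"] = EWSJSON["jsondir"] + os.sep + "ews.json"
    else:
        logme(MODUL, "Error missing jsondir " + EWSJSON["jsondir"] + " Abort !", ("P1", "EXIT"), ECFG)

    ECFG.update(MCFG)
    ECFG.update(EWSCFG)
    ECFG.update(HCFG)
    ECFG.update(EWSJSON)

    return ECFG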
Exemple #8
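def glastopfv3():
    """Forward new Glastopf v3 events from its SQLite database as EWS alerts.

    Reads the GLASTOPFV3 settings, selects the events whose id lies between
    the stored 'sqliteid' counter and the limit computed by calcminmax(), and
    turns each row into one EWS alert and one JSON record. Empty requests and
    the monitoring probe URL are counted but not reported.

    The request fields stored by the honeypot are attacker-supplied HTTP data,
    so a row with a missing or malformed field must not abort the whole batch.
    """
    MODUL = "GLASTOPFV3"
    logme(MODUL, "Starting Glastopf V3.x Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("glastopfv3", "nodeid", "sqlitedb", "malwaredir")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])
    if HONEYPOT["ip"].lower() in ("false", "null"):
        HONEYPOT["ip"] = ECFG["ip"]

    # The malware directory is deliberately not checked: Glastopf creates the
    # RFI directory only when the first RFI payload has been downloaded.

    if os.path.isfile(HONEYPOT["sqlitedb"]) is False:
        logme(MODUL, "[ERROR] Missing sqlitedb file " + HONEYPOT["sqlitedb"] + ". Abort !", ("P3", "LOG"), ECFG)
        return

    # Open the database and release it on every path, including the early
    # return for an empty table and any error while querying.
    con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
    try:
        con.row_factory = sqlite3.Row
        c = con.cursor()

        # calculate send limit
        c.execute("SELECT max(id) from events")
        maxid = c.fetchone()["max(id)"]

        if maxid is None:
            logme(MODUL, "[ERROR] No entry's in Glastopf Database. Abort!", ("P2", "LOG"), ECFG)
            return

        imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)), int(maxid), ECFG)

        # read alerts from database (ids are bound, not formatted into the SQL)
        c.execute("SELECT * from events where id > ? and id <= ?;", (imin, imax))
        rows = c.fetchall()
    finally:
        con.close()

    # counter inits
    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = []

    for row in rows:

        x, y = viewcounter(MODUL, x, y)
        columns = row.keys()

        # filter empty requests and nagios checks
        if row["request_url"] in (os.sep, "/index.do?hash=DEADBEEF&activate=1"):
            countme(MODUL, 'sqliteid', row["id"], ECFG)
            continue

        # Prepare and collect alert data; the source column is "address:port"
        source_ip = re.sub(":.*$", "", row["source"])

        DATA = {
            "aid": HONEYPOT["nodeid"],
            "timestamp": row["time"],
            "sadr": source_ip,
            "sipv": "ipv" + ip4or6(source_ip),
            "sprot": "tcp",
            "sport": "",
            "tipv": "ipv" + ip4or6(HONEYPOT["ip"]),
            "tadr": HONEYPOT["ip"],
            "tprot": "tcp",
            "tport": "80",
        }

        REQUEST = {
            "description": "WebHoneypot : Glastopf v3.1",
            "url": urllib.quote(row["request_url"]),
        }

        # A NULL column reads back as None, so test truthiness instead of len()
        raw = row["request_raw"] if "request_raw" in columns else None
        if raw:
            REQUEST["raw"] = base64.encodestring(raw)

        if "filename" in columns and row["filename"] is not None:
            error, malwarefile = malware(HONEYPOT["malwaredir"], row["filename"], ECFG["del_malware_after_send"])
            if error == 0:
                REQUEST["binary"] = malwarefile
            else:
                logme(MODUL, "Mission Malwarefile %s" % row["filename"], ("P1", "LOG"), ECFG)

        # Collect additional Data
        ADATA = {
            "sqliteid": row["id"],
        }

        if "request_method" in columns:
            ADATA["httpmethod"] = row["request_method"]

        if raw:
            m = re.search(r'Host: (\b.+\b)', raw, re.M)
            if m:
                ADATA["host"] = str(m.group(1))

        if "request_header" in columns:
            # Parse the stored header once; a header that is not valid JSON or
            # not an object keeps whatever host the raw request yielded.
            try:
                headers = json.loads(row["request_header"])
            except (TypeError, ValueError):
                headers = None
            if isinstance(headers, dict) and 'Host' in headers:
                ADATA["host"] = str(headers["Host"])

        if "request_body" in columns and row["request_body"]:
            ADATA["requestbody"] = row["request_body"]

        esm = buildews(esm, DATA, REQUEST, ADATA)
        jesm = buildjson(jesm, DATA, REQUEST, ADATA)

        countme(MODUL, 'sqliteid', row["id"], ECFG)
        countme(MODUL, 'daycounter', -2, ECFG)

        if ECFG["a.verbose"] is True:
            verbosemode(MODUL, DATA, REQUEST, ADATA)

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"), ECFG)
    return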
Exemple #9
    # Single-instance guard: locksocket() returns True when this process got
    # the lock; anything else is treated as "another instance is running".
    lock = locksocket(name)

    if lock is True:
        logme(MODUL,"Create lock socket successfull.",("P1"),ECFG)
    else:
        logme(MODUL,"Another Instance is running !",("P1"),ECFG)
        # the "EXIT" flag presumably makes logme() end the process - confirm
        logme(MODUL,"EWSrun finish.",("P1","EXIT"),ECFG)


    # optional daycounter reset, requested on the command line
    if ECFG["a.daycounter"] is True:
        daycounterreset(lock,ECFG)

    # sender() is skipped in ews-only mode
    if ECFG["a.ewsonly"] is False:
        sender()

    # Run each honeypot module whose own config switch is "true". Every
    # module is called by name, so only the functions listed here can run.
    if readonecfg("GLASTOPFV3","glastopfv3",ECFG["cfgfile"]).lower() == "true":
        glastopfv3()

    if readonecfg("GLASTOPFV2","glastopfv2",ECFG["cfgfile"]).lower() == "true":
        glastopfv2()

    if readonecfg("KIPPO","kippo",ECFG["cfgfile"]).lower() == "true":
        kippo()

    if readonecfg("DIONAEA","dionaea",ECFG["cfgfile"]).lower() == "true":
        dionaea()

    if readonecfg("HONEYTRAP","honeytrap",ECFG["cfgfile"]).lower() == "true":
        honeytrap()

    if readonecfg("RDPDETECT","rdpdetect",ECFG["cfgfile"]).lower() == "true":
Exemple #10
        logme(MODUL,"EWSrun finish.",("P1","EXIT"),ECFG)

    # Main loop: one pass over the enabled honeypot modules per iteration.
    while True:

        if ECFG["a.daycounter"] is True:
            daycounterreset(lock, ECFG)

        # sender() is skipped in ews-only mode
        if ECFG["a.ewsonly"] is False:
            sender()

        for i in ("glastopfv3", "glastopfv2", "kippo", "dionaea", "honeytrap",
                  "rdpdetect", "emobility"):

            if ECFG["a.modul"]:
                # A single module was requested: ignore every other name.
                if ECFG["a.modul"] != i:
                    continue
                if readonecfg(i.upper(), i, ECFG["cfgfile"]).lower() == "true":
                    # eval() only ever receives a name from the literal tuple
                    # above, never config or command-line text. A name ->
                    # function mapping would make that guarantee structural.
                    eval(i+'()')
                    break

            if readonecfg(i.upper(), i, ECFG["cfgfile"]).lower() == "true":
                eval(i+'()')

        # a.loop == 0 means a single pass; otherwise wait and go again
        if int(ECFG["a.loop"]) == 0:
            logme(MODUL, "EWSrun finish.", ("P1"), ECFG)
            break

        logme(MODUL, "Sleeping for %s seconds ...." % ECFG["a.loop"], ("P1"), ECFG)
        time.sleep(int(ECFG["a.loop"]))