コード例 #1
ファイル: handlerbase.py プロジェクト: nghiemnv/beeswarm
 def create_session(self, address, socket):
     """Create, register and log a Session for a newly accepted connection.

     ``address`` is indexed as ``[0]`` and ``[1]``; the log line renders the
     pair as ``host:port`` of the remote peer. The new session is stored in
     ``self.sessions`` under ``session.id`` and returned to the caller.
     """
     # The handler's class name doubles as the protocol label.
     handler_name = self.__class__.__name__
     remote_host, remote_port = address[0], address[1]

     new_session = Session(remote_host, remote_port, handler_name, socket)
     new_session.destination_port = self.port

     # NOTE(review): this method only ever adds to self.sessions; on an
     # internet-facing honeypot, confirm finished sessions are evicted elsewhere.
     self.sessions[new_session.id] = new_session

     accept_line = 'Accepted {0} session on port {1} from {2}:{3}. ({4})'.format(
         handler_name, self.port, remote_host, remote_port, str(new_session.id))
     logger.info(accept_line)
     return new_session
コード例 #2
 def create_session(self, address):
     """Create, register and log a Session for a newly accepted connection.

     The protocol label is the lower-cased handler class name. ``address`` is
     indexed as ``[0]`` and ``[1]`` (logged as ``host:port``). ``self.users``
     is handed to the Session constructor. The session is stored in
     ``self.sessions`` under ``session.id`` and returned.
     """
     handler_name = self.__class__.__name__.lower()
     remote_host, remote_port = address[0], address[1]

     new_session = Session(remote_host, remote_port, handler_name, self.users)
     new_session.destination_port = self.port

     # NOTE(review): entries are only added here; confirm that closed sessions
     # are removed elsewhere so the table cannot grow without bound.
     self.sessions[new_session.id] = new_session

     accept_line = 'Accepted {0} session on port {1} from {2}:{3}. ({4})'.format(
         handler_name, self.port, remote_host, remote_port, str(new_session.id))
     logger.info(accept_line)
     return new_session
コード例 #3
ファイル: handlerbase.py プロジェクト: czardoz/beeswarm
 def create_session(self, address):
     """Create, register and log a Session for a newly accepted connection.

     The protocol label is the lower-cased handler class name. ``address`` is
     indexed as ``[0]`` and ``[1]`` (logged as ``host:port``). The session is
     stored in ``self.sessions`` under ``session.id`` before its
     ``destination_port`` is filled in, then returned.
     """
     handler_name = self.__class__.__name__.lower()
     remote_host, remote_port = address[0], address[1]

     new_session = Session(remote_host, remote_port, handler_name, self.users)
     self.sessions[new_session.id] = new_session
     new_session.destination_port = self.port

     accept_line = 'Accepted {0} session on port {1} from {2}:{3}. ({4})'.format(
         handler_name, self.port, remote_host, remote_port, str(new_session.id))
     logger.debug(accept_line)

     # The table size is logged on every accept, which makes unbounded growth
     # (e.g. under a connection flood) visible in debug logs.
     tracked = len(self.sessions)
     logger.debug('Size of session list for {0}: {1}'.format(handler_name, tracked))
     return new_session
コード例 #4
    def test_matching_quick_succession(self):
        """
        Attack sessions that arrive in quick succession must all be classified as 'Bruteforce'.

        Publishes 100 identical POP3 honeypot sessions on the drone data socket,
        then asks the database actor for every stored session and checks both
        the classification of each one and the total count. Relates to issue #218.
        """

        honeypot_id = 1
        honeypot_row = Honeypot(id=honeypot_id)

        db = database_setup.get_session()
        db.add(honeypot_row)
        db.commit()

        publisher = beeswarm.shared.zmq_context.socket(zmq.PUB)
        publisher.bind(SocketNames.DRONE_DATA.value)

        # Start the session database actor and give it a moment to come up.
        # NOTE(review): neither the actor nor the sockets are stopped/closed in
        # this method; confirm tearDown releases them.
        actor = DatabaseActor(999, delay_seconds=2)
        actor.start()
        gevent.sleep(1)

        burst_size = 100
        for _ in xrange(burst_size):
            attack = HoneypotSession(source_ip='192.168.100.22',
                                     source_port=52311,
                                     protocol='pop3',
                                     users={},
                                     destination_port=110)
            attack.add_auth_attempt('plaintext', True, username='******', password='******')
            attack.honeypot_id = honeypot_id

            # Wire format: "<message type> <honeypot id> <json payload>".
            message_type = Messages.SESSION_HONEYPOT.value
            payload = json.dumps(attack.to_dict(), default=json_default, ensure_ascii=False)
            publisher.send('{0} {1} {2}'.format(message_type, honeypot_id, payload))

        gevent.sleep(1)
        requester = beeswarm.shared.zmq_context.socket(zmq.REQ)
        requester.connect(SocketNames.DATABASE_REQUESTS.value)
        request = '{0}'.format(Messages.GET_SESSIONS_ALL.value)
        sessions = send_zmq_request_socket(requester, request)

        for stored in sessions:
            self.assertEqual(stored['classification'], 'Bruteforce')

        # The count check also guards against the loop above passing on an empty result.
        self.assertEqual(len(sessions), 100)
コード例 #5
    def populate_bait(self, honeypot_first):
        """Publish one honeypot session and one bait (client) session, in a chosen order.

        When ``honeypot_first`` is true the honeypot session is sent before the
        bait session, otherwise the order is reversed. Afterwards the method
        waits for the actors to process the messages, stops them and removes
        the temporary config file if one was created.
        """
        honeypot_id = 1
        client_id = 2
        honeypot_row = Honeypot(id=honeypot_id)
        client_row = Client(id=client_id)

        db = database_setup.get_session()
        db.add(honeypot_row)
        db.add(client_row)
        db.commit()

        publisher = beeswarm.shared.zmq_context.socket(zmq.PUB)
        publisher.bind(SocketNames.DRONE_DATA.value)

        # Only a unique path is wanted, so the file itself is closed and deleted.
        # NOTE(review): once removed, the name is no longer reserved; another
        # local process could create it before ConfigActor does. Tolerable in a
        # test fixture, not a pattern for production code.
        handle, config_file = tempfile.mkstemp()
        os.close(handle)
        os.remove(config_file)
        # persistence actor needs to communicate with on config REQ/REP socket
        config_actor = ConfigActor(config_file, '')
        config_actor.start()

        # startup session database
        database_actor = DatabaseActor(999, delay_seconds=2)
        database_actor.start()
        gevent.sleep(1)

        # Set on the class, so the value persists beyond this call.
        BaitSession.client_id = client_id

        honeypot_session = HoneypotSession(source_ip='192.168.100.22',
                                           source_port=52311,
                                           protocol='pop3',
                                           users={},
                                           destination_port=110)
        honeypot_session.add_auth_attempt('plaintext', True, username='******', password='******')
        honeypot_session.honeypot_id = honeypot_id

        bait_session = BaitSession('pop3', '1234', 110, honeypot_id)
        bait_session.add_auth_attempt('plaintext', True, username='******', password='******')
        bait_session.honeypot_id = honeypot_id
        for flag in ('did_connect', 'did_login', 'alldone', 'did_complete'):
            setattr(bait_session, flag, True)

        honeypot_item = (Messages.SESSION_HONEYPOT.value, honeypot_id, honeypot_session)
        client_item = (Messages.SESSION_CLIENT.value, client_id, bait_session)
        if honeypot_first:
            send_order = (honeypot_item, client_item)
        else:
            send_order = (client_item, honeypot_item)

        # Wire format: "<message type> <sender id> <json payload>".
        for message_type, sender_id, session_obj in send_order:
            payload = json.dumps(session_obj.to_dict(), default=json_default, ensure_ascii=False)
            publisher.send('{0} {1} {2}'.format(message_type, sender_id, payload))

        # some time for the session actor to work
        gevent.sleep(2)
        config_actor.stop()
        database_actor.stop()
        if os.path.isfile(config_file):
            os.remove(config_file)
コード例 #6
    def test_matching_quick_succession(self):
        """
        Attack sessions that arrive in quick succession must all be classified as 'Bruteforce'.

        Publishes 100 identical POP3 honeypot sessions on the drone data socket,
        then requests all stored sessions from the database actor and checks
        each classification as well as the total count. Relates to issue #218.
        """

        honeypot_id = 1
        honeypot_row = Honeypot(id=honeypot_id)

        db = database_setup.get_session()
        db.add(honeypot_row)
        db.commit()

        publisher = beeswarm.shared.zmq_context.socket(zmq.PUB)
        publisher.bind(SocketNames.DRONE_DATA.value)

        # Bring up the session database actor before publishing anything.
        # NOTE(review): the actor and both sockets are left running/open when
        # this method returns; confirm tearDown cleans them up.
        actor = DatabaseActor(999, delay_seconds=2)
        actor.start()
        gevent.sleep(1)

        session_kwargs = dict(source_ip='192.168.100.22', source_port=52311, protocol='pop3',
                              destination_port=110)
        for _ in xrange(100):
            # users gets a fresh dict per session, as a literal {} would.
            attack = HoneypotSession(users={}, **session_kwargs)
            attack.add_auth_attempt('plaintext', True, username='******', password='******')
            attack.honeypot_id = honeypot_id

            # Wire format: "<message type> <honeypot id> <json payload>".
            message_type = Messages.SESSION_HONEYPOT.value
            payload = json.dumps(attack.to_dict(), default=json_default, ensure_ascii=False)
            publisher.send('{0} {1} {2}'.format(message_type, honeypot_id, payload))

        gevent.sleep(1)
        requester = beeswarm.shared.zmq_context.socket(zmq.REQ)
        requester.connect(SocketNames.DATABASE_REQUESTS.value)
        request = '{0}'.format(Messages.GET_SESSIONS_ALL.value)
        sessions = send_zmq_request_socket(requester, request)

        for stored in sessions:
            self.assertEqual(stored['classification'], 'Bruteforce')

        # Without this, an empty result would pass the loop above vacuously.
        self.assertEqual(len(sessions), 100)
コード例 #7
ファイル: test_database.py プロジェクト: ichakra/beeswarm
    def test_matching(self):
        """
        Attack sessions that arrive in quick succession must all be classified as 'bruteforce'.

        Publishes 100 identical POP3 honeypot sessions on the raw sessions
        socket, waits for the persister, then reads every Session row back
        through the ORM and checks classification and count. Relates to issue #218.
        """

        honeypot_id = 1
        honeypot_row = Honeypot(id=honeypot_id)

        db_session = database_setup.get_session()
        db_session.add(honeypot_row)
        db_session.commit()

        publisher = beeswarm.shared.zmq_context.socket(zmq.PUB)
        publisher.bind(SocketNames.RAW_SESSIONS)

        # Bring up the session persister before publishing anything.
        # NOTE(review): the persister and the socket are not stopped/closed in
        # this method; confirm tearDown handles it.
        persister = SessionPersister(999, delay_seconds=2)
        persister.start()
        gevent.sleep(1)

        for _ in xrange(100):
            attack = HoneypotSession(source_ip='192.168.100.22',
                                     source_port=52311,
                                     protocol='pop3',
                                     users={},
                                     destination_port=110)
            attack.try_auth('plaintext', username='******', password='******')
            attack.honeypot_id = honeypot_id

            # Wire format: "<message type> <honeypot id> <json payload>".
            payload_prefix = Messages.SESSION_HONEYPOT
            payload = json.dumps(attack.to_dict(), default=json_default, ensure_ascii=False)
            publisher.send('{0} {1} {2}'.format(payload_prefix, honeypot_id, payload))
        gevent.sleep(5)

        stored_sessions = db_session.query(Session).all()

        for stored in stored_sessions:
            self.assertEqual(stored.classification_id, 'bruteforce')

        # Without this, an empty result would pass the loop above vacuously.
        self.assertEqual(len(stored_sessions), 100)
コード例 #8
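    def populate_bait(self, honeypot_first):
        """Publish one honeypot session and one bait (client) session, in a chosen order.

        When ``honeypot_first`` is true the honeypot session is sent before the
        bait session, otherwise the order is reversed. Afterwards the method
        waits for the actors to process the messages, stops them and removes
        the temporary config file if one was created.
        """
        honeypot_id = 1
        client_id = 2
        honeypot = Honeypot(id=honeypot_id)
        client = Client(id=client_id)

        db_session = database_setup.get_session()
        db_session.add(honeypot)
        db_session.add(client)
        db_session.commit()

        drone_data_socket = beeswarm.shared.zmq_context.socket(zmq.PUB)
        drone_data_socket.bind(SocketNames.DRONE_DATA.value)

        # mkstemp() returns an *open* descriptor along with the path. Close it
        # explicitly: taking only element [1] leaked one descriptor per call.
        fd, config_file = tempfile.mkstemp()
        os.close(fd)
        # Only a unique path is wanted, so the file itself is deleted again.
        # NOTE(review): once removed, the name is no longer reserved; another
        # local process could create it before ConfigActor does. Tolerable in a
        # test fixture, not a pattern for production code.
        os.remove(config_file)
        # persistence actor needs to communicate with on config REQ/REP socket
        config_actor = ConfigActor(config_file, '')
        config_actor.start()

        # startup session database
        database_actor = DatabaseActor(999, delay_seconds=2)
        database_actor.start()
        gevent.sleep(1)

        # Set on the class, so the value persists beyond this call.
        BaitSession.client_id = client_id

        honeypot_session = HoneypotSession(source_ip='192.168.100.22',
                                           source_port=52311,
                                           protocol='pop3',
                                           users={},
                                           destination_port=110)
        honeypot_session.add_auth_attempt('plaintext',
                                          True,
                                          username='******',
                                          password='******')
        honeypot_session.honeypot_id = honeypot_id

        bait_session = BaitSession('pop3', '1234', 110, honeypot_id)
        bait_session.add_auth_attempt('plaintext',
                                      True,
                                      username='******',
                                      password='******')
        bait_session.honeypot_id = honeypot_id
        bait_session.did_connect = bait_session.did_login = bait_session.alldone = bait_session.did_complete = True

        # Wire format of each message: "<message type> <sender id> <json payload>".
        if honeypot_first:
            drone_data_socket.send('{0} {1} {2}'.format(
                Messages.SESSION_HONEYPOT.value, honeypot_id,
                json.dumps(honeypot_session.to_dict(),
                           default=json_default,
                           ensure_ascii=False)))
            drone_data_socket.send('{0} {1} {2}'.format(
                Messages.SESSION_CLIENT.value, client_id,
                json.dumps(bait_session.to_dict(),
                           default=json_default,
                           ensure_ascii=False)))
        else:
            drone_data_socket.send('{0} {1} {2}'.format(
                Messages.SESSION_CLIENT.value, client_id,
                json.dumps(bait_session.to_dict(),
                           default=json_default,
                           ensure_ascii=False)))
            drone_data_socket.send('{0} {1} {2}'.format(
                Messages.SESSION_HONEYPOT.value, honeypot_id,
                json.dumps(honeypot_session.to_dict(),
                           default=json_default,
                           ensure_ascii=False)))

        # some time for the session actor to work
        gevent.sleep(2)
        config_actor.stop()
        database_actor.stop()
        if os.path.isfile(config_file):
            os.remove(config_file)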