コード例 #1
0
ファイル: test_webapp.py プロジェクト: nghiemnv/beeswarm
    def setUp(self):
        app.app.config['WTF_CSRF_ENABLED'] = False
        app.app.config['CERT_PATH'] = os.path.join(os.path.dirname(__file__), 'beeswarmcfg.json.test')
        app.app.config['SERVER_CONFIG'] = os.path.join(os.path.dirname(__file__), 'beeswarmcfg.json.test')

        self.app = app.app.test_client()
        self.authenticator = Authenticator()

        database.setup_db('sqlite://')
        session = database.get_session()

        #dummy entities
        self.authenticator.add_user('test', 'test', 0)

        self.client_id = str(uuid.uuid4())
        self.client_password = str(uuid.uuid4())
        self.authenticator.add_user(self.client_id, self.client_password, 2)

        self.honeypot_id = str(uuid.uuid4())
        self.honeypot_password = str(uuid.uuid4())
        self.authenticator.add_user(self.honeypot_id, self.honeypot_password, 1)

        session.add_all([Client(id=self.client_id, configuration='test_client_config'),
                         Honeypot(id=self.honeypot_id, configuration='test_honeypot_config') ])

        session.commit()
コード例 #2
0
ファイル: test_webapp.py プロジェクト: nghiemnv/beeswarm
    def populate_honeybees(self):
        """ Populates the database with 3 Honeybees """

        db_session = database.get_session()
        for i in xrange(3):
            h = BaitSession(
                id=str(uuid.uuid4()),
                timestamp=datetime.utcnow(),
                received=datetime.utcnow(),
                protocol='ssh',
                destination_ip='1.2.3.4',
                destination_port=1234,
                source_ip='4.3.2.1',
                source_port=4321,
                did_connect=True,
                did_login=False,
                did_complete=True
            )
            a = Authentication(id=str(uuid.uuid4()), username='******', password='******',
                               successful=False,
                               timestamp=datetime.utcnow())
            h.authentication.append(a)
            db_session.add(h)

        db_session.commit()
コード例 #3
0
ファイル: test_classifier.py プロジェクト: nghiemnv/beeswarm
    def test_correlation_bait_session(self):
        """
        Test if bait session is correctly identified as related to a specific honeypot session.
        We expect the bait entity to be classified as a legit (successfully completed) 'bait_Session' and that the honeypot
        session is deleted.
        """

        #setup the honeypot session we expect to match the bait_session
        db_session = database.get_session()
        honeypot = db_session.query(Honeypot).filter(Honeypot.id == self.honeypot_id).one()

        s_id = str(uuid.uuid4())
        s = Session(id=s_id, source_ip='321', destination_ip='123',
                    received=datetime.now(), timestamp=self.bait_session_datetime - timedelta(seconds=2),
                    protocol='pop3', source_port=1, destination_port=1, honeypot=honeypot)
        a = Authentication(id=str(uuid.uuid4()), username='******', password='******', successful=True,
                           timestamp=datetime.utcnow())
        s.authentication.append(a)
        db_session.add(s)
        db_session.commit()

        c = Classifier()
        c.classify_bait_session(0)

        bait_session = db_session.query(BaitSession).filter(BaitSession.id == self.bait_session_id).one()
        session = db_session.query(Session).filter(Session.id == s_id).first()

        #test that the bait session got classified
        self.assertTrue(
            bait_session.classification == db_session.query(Classification).filter(Classification.type == 'bait_session').one())
        #test that the honeypot session got deleted
        self.assertIsNone(session)
コード例 #4
0
ファイル: test_webapp.py プロジェクト: nghiemnv/beeswarm
    def test_client_delete(self):
        """ Tests the '/ws/client/delete' route."""

        self.login('test', 'test')
        self.populate_clients()
        data = [self.clients[0], self.clients[1]]
        self.app.post('/ws/client/delete', data=json.dumps(data))
        db_session = database.get_session()
        nclients = db_session.query(Client).count()
        self.assertEquals(3, nclients)
コード例 #5
0
ファイル: test_webapp.py プロジェクト: nghiemnv/beeswarm
    def test_honeypot_delete(self):
        """ Tests the '/ws/honeypot/delete' route."""

        self.login('test', 'test')
        self.populate_honeypots()
        data = [ self.honeypots[0], self.honeypots[1]]
        self.app.post('/ws/honeypot/delete', data=json.dumps(data))
        db_session = database.get_session()
        honeypot_count = db_session.query(Honeypot).count()
        self.assertEquals(3, honeypot_count)
コード例 #6
0
ファイル: test_webapp.py プロジェクト: nghiemnv/beeswarm
    def populate_honeypots(self):
        """ Populates the database with 4 honeypots """

        db_session = database.get_session()
        self.honeypots = []
        for i in xrange(4):  # We add 4 here, but one is added in the setup method
            curr_id = str(uuid.uuid4())
            curr_id = curr_id.encode('utf-8')
            self.honeypots.append(curr_id)
            h = Honeypot(id=curr_id)
            u = User(id=curr_id, password=str(uuid.uuid4()), utype=1)
            db_session.add(h)
            db_session.add(u)
        db_session.commit()
コード例 #7
0
ファイル: test_webapp.py プロジェクト: nghiemnv/beeswarm
    def test_data_transcripts(self):
        """ Tests that if given a session ID we can extract the relevant transcripts"""
        db_session = database.get_session()
        self.login('test', 'test')
        session_id = str(uuid.uuid4())

        timestamp = datetime.utcnow()

        db_session.add(Transcript(timestamp=timestamp, direction='outgoing', data='whoami', session_id=session_id))
        db_session.add(Transcript(timestamp=timestamp, direction='outgoing', data='root\r\n', session_id=session_id))
        db_session.commit()
        resp = self.app.get('/data/session/{0}/transcript'.format(session_id))
        data = json.loads(resp.data)
        string_timestamp = timestamp.strftime('%Y-%m-%d %H:%M:%S')
        expected_result = [{u'direction': u'outgoing', u'data': u'whoami', u'time': u'{0}'.format(string_timestamp)},
                           {u'direction': u'outgoing', u'data': u'root\r\n', u'time': u'{0}'.format(string_timestamp)}]
        self.assertDictEqual(sorted(data)[0], sorted(expected_result)[0])
コード例 #8
0
ファイル: test_classifier.py プロジェクト: nghiemnv/beeswarm
    def test_classify_sessions_probe(self):
        """
        Test if session without authentication attempts is tagged as probes.
        """

        db_session = database.get_session()
        honeypot = db_session.query(Honeypot).filter(Honeypot.id == self.honeypot_id).one()

        session_id = str(uuid.uuid4())
        s = Session(id=session_id, source_ip='111', destination_ip='222',
                    received=datetime.utcnow(), timestamp=datetime.utcnow(),
                    protocol='telnet', source_port=1, destination_port=1, honeypot=honeypot)
        db_session.add(s)
        db_session.commit()

        c = Classifier()
        c.classify_sessions(0, db_session)

        result = db_session.query(Session).filter(Session.classification_id == 'probe').one()
        #we expect the resultset to contain session1010
        self.assertEquals(result.id, session_id)
コード例 #9
0
ファイル: test_classifier.py プロジェクト: nghiemnv/beeswarm
    def setUp(self):
        #'sqlite://' gives a in-memory sqlite database
        database.setup_db('sqlite://')

        self.client_id = str(uuid.uuid4())
        self.honeypot_id = str(uuid.uuid4())
        self.bait_session_id = str(uuid.uuid4())
        self.bait_session_datetime = datetime.utcnow()

        db_session = database.get_session()
        client = Client(id=self.client_id)
        honeypot = Honeypot(id=self.honeypot_id)

        bait_session = BaitSession(id=self.bait_session_id, source_ip='321', destination_ip='123',
                            received=datetime.utcnow(), timestamp=self.bait_session_datetime, protocol='pop3',
                            source_port=1, destination_port=1, did_complete=True, client=client, honeypot=honeypot)

        authentication = Authentication(id=str(uuid.uuid4()), username='******', password='******',
                                        successful=True, timestamp=datetime.utcnow())
        bait_session.authentication.append(authentication)
        db_session.add_all([client, honeypot, bait_session])
        db_session.commit()
コード例 #10
0
ファイル: test_classifier.py プロジェクト: nghiemnv/beeswarm
    def test_classify_sessions_reuse_credentails(self):
        """
        Test if attack which uses previously transmitted credentials is tagged correctly
        """

        db_session = database.get_session()
        honeypot = db_session.query(Honeypot).filter(Honeypot.id == self.honeypot_id).one()

        s = Session(id='session1010', source_ip='321', destination_ip='123',
                    received=datetime.utcnow(), timestamp=datetime.utcnow() + timedelta(seconds=-25),
                    protocol='pop3', source_port=1, destination_port=1, honeypot=honeypot)
        a = Authentication(id=str(uuid.uuid4()), username='******', password='******')
        s.authentication.append(a)
        db_session.add(s)
        db_session.commit()

        c = Classifier()
        c.classify_sessions(0, db_session)

        result = db_session.query(Session).filter(Session.classification_id == 'credentials_reuse').one()
        #we expect the resultset to contain session1010
        self.assertEquals(result.id, 'session1010')
コード例 #11
0
ファイル: test_webapp.py プロジェクト: nghiemnv/beeswarm
    def populate_sessions(self):
        """ Populates the database with 3 Sessions """

        db_session = database.get_session()
        for i in xrange(4):
            s = Session(
                id=str(uuid.uuid4()),
                timestamp=datetime.utcnow(),
                received=datetime.utcnow(),
                protocol='telnet',
                destination_ip='123.123.123.123',
                destination_port=1234,
                source_ip='12.12.12.12',
                source_port=12345,
                classification_id='asd'
            )
            a = Authentication(id=str(uuid.uuid4()), username='******', password='******',
                               successful=False,
                               timestamp=datetime.utcnow())
            s.authentication.append(a)
            db_session.add(s)

        db_session.commit()
コード例 #12
0
ファイル: test_classifier.py プロジェクト: nghiemnv/beeswarm
    def test_classify_sessions_bruteforce(self):
        """
        Test if 'standalone' sessions older than X seconds get classified as brute-force attempts.
        """

        db_session = database.get_session()
        honeypot = db_session.query(Honeypot).filter(Honeypot.id == self.honeypot_id).one()

        for id, offset in (('session99', -30), ('session88', -10), ('session77', -2)):
            s = Session(id=id, source_ip='321', destination_ip='123',
                        received=datetime.utcnow(), timestamp=datetime.utcnow() + timedelta(seconds=offset),
                        protocol='pop3', source_port=1, destination_port=1, honeypot=honeypot)
            a = Authentication(id=str(uuid.uuid4()), username='******', password='******')
            s.authentication.append(a)
            db_session.add(s)
        db_session.commit()

        c = Classifier()
        c.classify_sessions(5)

        result = db_session.query(Session).filter(Session.classification_id == 'bruteforce').all()
        #we expect the resultset to contain session1 and session2
        self.assertEquals(len(result), 2)
コード例 #13
0
ファイル: test_classifier.py プロジェクト: nghiemnv/beeswarm
    def test_matching_session(self):
        """
        Test if the get_matching_session method returns the session that matches the given bait session.
        """

        db_session = database.get_session()
        bait_session = db_session.query(BaitSession).filter(BaitSession.id == self.bait_session_id).one()
        honeypot = db_session.query(Honeypot).filter(Honeypot.id == self.honeypot_id).one()

        #session2 is the matching session
        for id, offset in (('session1', -15), ('session2', 3), ('session3', 15)):
            s = Session(id=id, source_ip='321', destination_ip='123',
                        received=datetime.utcnow(), timestamp=bait_session.timestamp + timedelta(seconds=offset),
                        protocol='pop3', source_port=1, destination_port=1, honeypot=honeypot)
            a = Authentication(id=str(uuid.uuid4()), username='******', password='******', successful=True,
                               timestamp=datetime.utcnow())
            s.authentication.append(a)
            db_session.add(s)
        db_session.commit()

        classifier = Classifier()
        result = classifier.get_matching_session(bait_session)

        self.assertEqual('session2', result.id)
コード例 #14
0
ファイル: dummydata.py プロジェクト: nghiemnv/beeswarm
def fill_dummy_data():
    """
    Populates the server data with dummy data to ease development.
    """

    db_session = database.get_session()

    protocols = [('pop3', 110), ('ssh', 22), ('telnet', 23), ('ftp', 21), ('http', 80)]
    source_ips = ('192.168.1.2', '192.168.2.3', '192.168.3.4', '192.168.4.5')

    honeypots = [Honeypot(id=str(uuid.uuid4()))]
    client = [Client(id=str(uuid.uuid4()))]
    sessions = []
    authentications = []

    while len(sessions) < 100:
        session = BaitSession(id=str(uuid.uuid4()), timestamp=datetime.now(),
                           source_ip=random.choice(source_ips), source_port=random.randint(1024, 65535),
                           destination_ip='4.3.2.1', destination_port='1111')

        session.protocol, session.destination_port = random.choice(protocols)
        session.honeypot = random.choice(honeypots)
        session.client = random.choice(client)
        session.classification = db_session.query(Classification).filter(Classification.type == 'bait_session').one()

        username = ''.join(random.choice(string.lowercase) for x in range(8))
        password = ''.join(random.choice(string.lowercase) for x in range(8))
        authentication = Authentication(id=str(uuid.uuid4()), username=username, password=password)
        session.authentication.append(authentication)

        for x in range(10):
            data = ''.join(random.choice(string.lowercase) for x in range(15))
            direction = ('in', 'out')[x % 2]
            transcript = Transcript(timestamp=datetime.now(), direction=direction, data=data)
            session.transcript.append(transcript)

        authentications.append(authentication)
        sessions.append(session)

    while len(sessions) < 200:
        session = Session(id=str(uuid.uuid4()), timestamp=datetime.now(),
                           source_ip=random.choice(source_ips), source_port=random.randint(1024, 65535),
                           destination_ip='4.3.2.1', destination_port='1111')

        session.protocol, session.destination_port = random.choice(protocols)
        session.honeypot = random.choice(honeypots)

        session.classification = db_session.query(Classification).filter(Classification.type == 'credentials_reuse').one()

        username = ''.join(random.choice(string.lowercase) for x in range(8))
        password = ''.join(random.choice(string.lowercase) for x in range(8))
        authentication = Authentication(id=str(uuid.uuid4()), username=username, password=password)
        session.authentication.append(authentication)

        authentications.append(authentication)
        sessions.append(session)

    db_session.add_all(authentications)
    db_session.add_all(sessions)
    db_session.add_all(honeypots)
    db_session.add_all(client)
    db_session.commit()