def get_intel_feed():
options = request.args.to_dict()
limit = int(options.get('limit', '1000'))
hours_ago = int(options.get('hours_ago', '4'))
extra = dict(options)
for name in (
'hours_ago',
'limit',
'api_key',
):
if name in extra:
del extra[name]
for name in options.keys():
if name not in (
'hours_ago',
'limit',
):
del options[name]
extra['ne__protocol'] = 'pcap'
results = Clio().session._tops(
['source_ip', 'honeypot', 'protocol', 'destination_port'],
top=limit,
hours_ago=hours_ago,
**extra)
for r in results:
if 'protocol' not in r:
if r['destination_port'] == 3389:
r['protocol'] = 'RDP'
else:
r['protocol'] = ''
results = [r for r in results if r['protocol'] != 'ftpdatalisten']
cache = {}
for r in results:
source_ip = r['source_ip']
if source_ip not in cache:
# TODO: may want to make one big query to mongo here...
cache[source_ip] = [
m.to_dict()
for m in Clio().metadata.get(ip=r['source_ip'], honeypot='p0f')
]
r['meta'] = cache[source_ip]
return {
'data': results,
'meta': {
'size': len(results),
'query': 'intel_feed',
'options': options
}
}
def graph_top_attackers():
clio = Clio()
bar_chart = pygal.Bar(style=LightColorizedStyle,
show_x_labels=True,
config=PYGAL_CONFIG)
bar_chart.title = "Kippo/Cowrie Top Attackers"
clio = Clio()
top_attackers = top_kippo_cowrie_attackers(clio)
print top_attackers
for attacker in top_attackers:
bar_chart.add(str(attacker['source_ip']), attacker['count'])
return bar_chart.render_response()
def top_attackers():
options = request.args.to_dict()
limit = int(options.get('limit', '1000'))
hours_ago = int(options.get('hours_ago', '4'))
extra = dict(options)
for name in (
'hours_ago',
'limit',
'api_key',
):
if name in extra:
del extra[name]
for name in options.keys():
if name not in (
'hours_ago',
'limit',
):
del options[name]
results = Clio().session._tops(['source_ip', 'honeypot'],
top=limit,
hours_ago=hours_ago,
**extra)
return jsonify(data=results,
meta={
'size': len(results),
'query': 'top_attackers',
'options': options
})
def graph_combos():
clio = Clio()
bar_chart = pygal.Bar(style=LightColorizedStyle,
show_x_labels=True,
config=PYGAL_CONFIG)
bar_chart.title = "Kippo/Cowrie Top User/Passwords"
clio = Clio()
top_combos = clio.hpfeed.count_combos(get_credentials_payloads(clio))
for combo in top_combos:
bar_chart.add(combo[0], [{
'label': str(combo[0]),
'xlink': '',
'value': combo[1]
}])
return bar_chart.render_response()
def get_attacks():
clio = Clio()
options = paginate_options(limit=10)
options['order_by'] = '-timestamp'
total = clio.session.count(**request.args.to_dict())
sessions = clio.session.get(options=options, **request.args.to_dict())
sessions = mongo_pages(sessions, total, limit=10)
return render_template('ui/attacks.html',
attacks=sessions,
sensors=Sensor.query,
view='ui.get_attacks',
get_flag_ip=get_flag_ip,
get_sensor_name=get_sensor_name,
**request.args.to_dict())
def get_feeds():
clio = Clio()
options = paginate_options(limit=10)
options['order_by'] = '-_id'
count, columns, feeds = clio.hpfeed.get_payloads(options,
request.args.to_dict())
channel_list = clio.hpfeed.channel_map.keys()
feeds = mongo_pages(feeds, count, limit=10)
return render_template('ui/feeds.html',
feeds=feeds,
columns=columns,
channel_list=channel_list,
view='ui.get_feeds',
**request.args.to_dict())
def attacker_stats(ip):
options = request.args.to_dict()
hours_ago = int(options.get('hours_ago', '720')) # 30 days
for name in options.keys():
if name not in (
'hours_ago',
'limit',
):
del options[name]
results = Clio().session.attacker_stats(ip, hours_ago=hours_ago)
return jsonify(data=results,
meta={
'query': 'attacker_stats',
'options': options
})
def get_feed():
from hnp.common.clio import Clio
from hnp.auth import current_user
authfeed = hnp.config['FEED_AUTH_REQUIRED']
if authfeed and not current_user.is_authenticated:
abort(404)
feed = AtomFeed('hnp HpFeeds Report', feed_url=request.url,
url=request.url_root)
sessions = Clio().session.get(options={'limit': 1000})
for s in sessions:
feedtext = u'Sensor "{identifier}" '
feedtext += '{source_ip}:{source_port} on sensorip:{destination_port}.'
feedtext = feedtext.format(**s.to_dict())
feed.add('Feed', feedtext, content_type='text',
published=s.timestamp, updated=s.timestamp,
url=makeurl(url_for('api.get_session', session_id=str(s._id))))
return feed
def create_sensor():
missing = Sensor.check_required(request.json)
if missing:
return error_response(errors.API_FIELDS_MISSING.format(missing), 400)
else:
sensor = Sensor(**request.json)
sensor.uuid = str(uuid1())
sensor.ip = request.remote_addr
Clio().authkey.new(**sensor.new_auth_dict()).post()
try:
db.session.add(sensor)
db.session.commit()
except IntegrityError:
return error_response(
errors.API_SENSOR_EXISTS.format(request.json['name']), 400)
else:
return jsonify(sensor.to_dict())
def dashboard():
clio = Clio()
# Number of attacks in the last 24 hours.
attackcount = clio.session.count(hours_ago=24)
# TOP 5 attacker ips.
top_attackers = clio.session.top_attackers(top=5, hours_ago=24)
# TOP 5 attacked ports
top_ports = clio.session.top_targeted_ports(top=5, hours_ago=24)
#Top 5 honey pots with counts
top_hp = clio.session.top_hp(top=5, hours_ago=24)
#Top Honeypot sensors
top_sensor = clio.session.top_sensor(top=5, hours_ago=24)
# TOP 5 sigs
freq_sigs = clio.hpfeed.top_sigs(top=5, hours_ago=24)
return render_template('ui/dashboard.html',
attackcount=attackcount,
top_attackers=top_attackers,
top_ports=top_ports,
top_hp=top_hp,
top_sensor=top_sensor,
freq_sigs=freq_sigs,
get_sensor_name=get_sensor_name,
get_flag_ip=get_flag_ip)
def get_dorks():
return _get_query_resource(Clio().dork, request.args.to_dict())
def get_session(session_id):
return _get_one_resource(Clio().session, session_id)
def get_url(url_id):
return _get_one_resource(Clio().url, url_id)
def get_file(file_id):
return _get_one_resource(Clio().file, file_id)
def delete_sensor(uuid):
sensor = Sensor.query.filter_by(uuid=uuid).first_or_404()
Clio().authkey.delete(identifier=uuid)
db.session.delete(sensor)
db.session.commit()
return jsonify({})
def get_dork(dork_id):
return _get_one_resource(Clio().dork, dork_id)
def get_feeds():
return _get_query_resource(Clio().hpfeed, request.args.to_dict())
def get_metadatum(metadata_id):
return _get_one_resource(Clio().metadata, metadata_id)
def get_feed(feed_id):
return _get_one_resource(Clio().hpfeed, feed_id)
def authkey(self):
return Clio().authkey.get(identifier=self.uuid)
def get_files():
return _get_query_resource(Clio().file, request.args.to_dict())
def get_urls():
return _get_query_resource(Clio().url, request.args.to_dict())
def get_sessions():
return _get_query_resource(Clio().session, request.args.to_dict())
def attacks_count(self):
return Clio().counts.get_count(identifier=self.uuid)
def get_metadata():
return _get_query_resource(Clio().metadata, request.args.to_dict())