예제 #1
파일: views.py 프로젝트: GovCERT-CZ/mhn
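def get_intel_feed():
    """Return recent attacker tuples enriched with p0f metadata from Clio.

    Query parameters:
        limit: maximum number of rows (default 1000).
        hours_ago: look-back window in hours (default 4).
        api_key: presumably checked upstream; stripped here so it is neither
            forwarded to Clio nor echoed back to the caller.
        <anything else>: forwarded verbatim to Clio as a filter kwarg.

    Returns a dict with ``data`` (one row per source_ip/honeypot/protocol/
    destination_port, each carrying ``meta`` = the p0f records for that IP)
    and ``meta`` (row count, query name, and the echoed limit/hours_ago).
    A non-integer ``limit`` or ``hours_ago`` propagates as an unhandled
    ValueError.
    """
    from mhn import new_clio_connection  # function-scope import, presumably to avoid an import cycle
    args = request.args.to_dict()
    limit = int(args.get('limit', '1000'))
    hours_ago = int(args.get('hours_ago', '4'))

    echoed = ('hours_ago', 'limit')
    # Build both dicts up front instead of deleting keys from a dict while
    # iterating its keys(); that only works on Python 2's list-returning keys().
    extra = dict((k, v) for k, v in args.items() if k not in echoed + ('api_key',))
    options = dict((k, v) for k, v in args.items() if k in echoed)

    # NOTE(review): every other client-supplied key lands in Clio's query
    # unchanged and ``limit`` has no upper bound; confirm in clio which filter
    # names/operators a caller can reach and what a huge ``top`` costs.
    extra['ne__protocol'] = 'pcap'  # always overrides a client-supplied value
    clio = new_clio_connection()
    results = clio.session._tops(
        ['source_ip', 'honeypot', 'protocol', 'destination_port'],
        top=limit, hours_ago=hours_ago, **extra)
    results = [r for r in results if r['protocol'] != 'ftpdatalisten']

    # One metadata lookup per distinct source_ip, reusing the connection
    # opened above rather than creating a new one for every IP.
    cache = {}
    for r in results:
        source_ip = r['source_ip']
        if source_ip not in cache:
            # TODO: may want to make one big query to mongo here...
            cache[source_ip] = [m.to_dict() for m in
                                clio.metadata.get(ip=source_ip, honeypot='p0f')]
        r['meta'] = cache[source_ip]

    return {
        'data': results,
        'meta': {
            'size': len(results),
            'query': 'intel_feed',
            'options': options
        }
    }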
예제 #2
파일: views.py 프로젝트: GovCERT-CZ/mhn
def delete_sensor(uuid):
    """Remove the sensor identified by ``uuid`` and revoke its Clio credential.

    Responds 404 when no sensor has that uuid. The Clio authkey is deleted
    before the SQL row, so a failed commit leaves a sensor that can no longer
    authenticate rather than a live key with no owning sensor.
    Returns an empty JSON object on success.
    """
    from mhn import new_clio_connection
    target = Sensor.query.filter_by(uuid=uuid).first_or_404()
    clio = new_clio_connection()
    # Revoke first (fail-safe ordering, see docstring).
    clio.authkey.delete(identifier=uuid)
    db.session.delete(target)
    db.session.commit()
    return jsonify({})
예제 #3
def delete_sensor(uuid):
    """Delete one sensor by uuid, revoking its Clio authkey first.

    Unknown uuids produce a 404 via ``first_or_404``. Revoking the credential
    before the database delete means a failure mid-way errs on the side of a
    sensor that cannot authenticate, never an orphaned live key.
    """
    from mhn import new_clio_connection
    row = Sensor.query.filter_by(uuid=uuid).first_or_404()
    new_clio_connection().authkey.delete(identifier=uuid)
    session = db.session
    session.delete(row)
    session.commit()
    return jsonify({})
예제 #4
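def get_intel_feed():
    """Return recent attacker tuples enriched with p0f metadata from Clio.

    Query parameters:
        limit: maximum number of rows (default 1000).
        hours_ago: look-back window in hours (default 4).
        api_key: presumably checked upstream; stripped here so it is neither
            forwarded to Clio nor echoed back to the caller.
        <anything else>: forwarded verbatim to Clio as a filter kwarg.

    Returns a dict with ``data`` (one row per source_ip/honeypot/protocol/
    destination_port, each carrying ``meta`` = the p0f records for that IP)
    and ``meta`` (row count, query name, and the echoed limit/hours_ago).
    A non-integer ``limit`` or ``hours_ago`` propagates as an unhandled
    ValueError.
    """
    from mhn import new_clio_connection  # function-scope import, presumably to avoid an import cycle
    args = request.args.to_dict()
    limit = int(args.get('limit', '1000'))
    hours_ago = int(args.get('hours_ago', '4'))

    echoed = ('hours_ago', 'limit')
    # Build both dicts up front instead of deleting keys from a dict while
    # iterating its keys(); that only works on Python 2's list-returning keys().
    extra = dict((k, v) for k, v in args.items() if k not in echoed + ('api_key',))
    options = dict((k, v) for k, v in args.items() if k in echoed)

    # NOTE(review): every other client-supplied key lands in Clio's query
    # unchanged and ``limit`` has no upper bound; confirm in clio which filter
    # names/operators a caller can reach and what a huge ``top`` costs.
    extra['ne__protocol'] = 'pcap'  # always overrides a client-supplied value
    clio = new_clio_connection()
    results = clio.session._tops(
        ['source_ip', 'honeypot', 'protocol', 'destination_port'],
        top=limit,
        hours_ago=hours_ago,
        **extra)
    results = [r for r in results if r['protocol'] != 'ftpdatalisten']

    # One metadata lookup per distinct source_ip, reusing the connection
    # opened above rather than creating a new one for every IP.
    cache = {}
    for r in results:
        source_ip = r['source_ip']
        if source_ip not in cache:
            # TODO: may want to make one big query to mongo here...
            cache[source_ip] = [
                m.to_dict()
                for m in clio.metadata.get(ip=source_ip, honeypot='p0f')
            ]
        r['meta'] = cache[source_ip]

    return {
        'data': results,
        'meta': {
            'size': len(results),
            'query': 'intel_feed',
            'options': options
        }
    }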
예제 #5
파일: views.py 프로젝트: GovCERT-CZ/mhn
def dashboard():
    """Render the landing dashboard from the last 24 hours of Clio data.

    Every widget is a top-5 aggregate over the same window; the sensor-name
    and flag helpers are passed through so the template can resolve them.
    """
    from mhn import new_clio_connection
    clio = new_clio_connection()
    window = 24  # hours
    top_n = 5

    context = dict(
        attackcount=clio.session.count(hours_ago=window),
        top_attackers=clio.session.top_attackers(top=top_n, hours_ago=window),
        top_ports=clio.session.top_targeted_ports(top=top_n, hours_ago=window),
        top_hp=clio.session.top_hp(top=top_n, hours_ago=window),
        top_sensor=clio.session.top_sensor(top=top_n, hours_ago=window),
        freq_sigs=clio.hpfeed.top_sigs(top=top_n, hours_ago=window),
        get_sensor_name=get_sensor_name,
        get_flag_ip=get_flag_ip,
    )
    return render_template('ui/dashboard.html', **context)
예제 #6
파일: views.py 프로젝트: AndyPicket/mhn
def dashboard():
    """Render the main dashboard: 24-hour attack count plus five top-5 lists."""
    from mhn import new_clio_connection
    clio = new_clio_connection()
    last_day = dict(hours_ago=24)
    top5 = dict(top=5, hours_ago=24)

    attackcount = clio.session.count(**last_day)
    top_attackers = clio.session.top_attackers(**top5)
    top_ports = clio.session.top_targeted_ports(**top5)
    top_hp = clio.session.top_hp(**top5)
    top_sensor = clio.session.top_sensor(**top5)
    freq_sigs = clio.hpfeed.top_sigs(**top5)  # signatures come from hpfeed, not session

    return render_template('ui/dashboard.html',
                           attackcount=attackcount,
                           top_attackers=top_attackers,
                           top_ports=top_ports,
                           top_hp=top_hp,
                           top_sensor=top_sensor,
                           freq_sigs=freq_sigs,
                           get_sensor_name=get_sensor_name,
                           get_flag_ip=get_flag_ip)
예제 #7
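def top_attackers():
    """Return the most active source_ip/honeypot pairs in the window.

    Query parameters:
        limit: maximum number of rows (default 1000).
        hours_ago: look-back window in hours (default 4).
        api_key: stripped so it is neither forwarded to Clio nor echoed.
        <anything else>: forwarded verbatim to Clio as a filter kwarg.

    Returns JSON with ``data`` (rows from Clio) and ``meta`` holding the row
    count, the query name and the echoed limit/hours_ago. A non-integer
    ``limit`` or ``hours_ago`` propagates as an unhandled ValueError.
    """
    from mhn import new_clio_connection
    args = request.args.to_dict()
    limit = int(args.get('limit', '1000'))
    hours_ago = int(args.get('hours_ago', '4'))

    echoed = ('hours_ago', 'limit')
    # Build the filtered dicts directly instead of deleting from a dict while
    # iterating its keys(); that only works on Python 2's list-returning keys().
    extra = dict((k, v) for k, v in args.items() if k not in echoed + ('api_key',))
    options = dict((k, v) for k, v in args.items() if k in echoed)

    # NOTE(review): remaining client keys reach Clio unchanged and ``limit``
    # has no upper bound; confirm clio restricts filter names/operators.
    results = new_clio_connection().session._tops(['source_ip', 'honeypot'],
                                                  top=limit,
                                                  hours_ago=hours_ago,
                                                  **extra)
    return jsonify(data=results,
                   meta={
                       'size': len(results),
                       'query': 'top_attackers',
                       'options': options
                   })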
예제 #8
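def create_sensor():
    """Register a new sensor from the JSON body and mint its Clio credential.

    Returns the created sensor as JSON, or a 400 error response when required
    fields are missing or a sensor with the same name already exists.
    """
    from mhn import new_clio_connection
    payload = request.json
    missing = Sensor.check_required(payload)
    if missing:
        return error_response(errors.API_FIELDS_MISSING.format(missing), 400)

    # NOTE(review): every key in the body is passed to the Sensor constructor
    # (mass assignment). uuid and ip are overwritten below, but any other
    # column a client names would be honoured; confirm check_required/Sensor
    # restrict the accepted fields.
    sensor = Sensor(**payload)
    # uuid1 embeds host MAC + time: fine as an identifier, never a secret.
    sensor.uuid = str(uuid1())
    sensor.ip = request.remote_addr

    clio = new_clio_connection()
    clio.authkey.new(**sensor.new_auth_dict()).post()
    try:
        db.session.add(sensor)
        db.session.commit()
    except IntegrityError:
        # The credential was already written to Clio above; revoke it so a
        # rejected registration does not leave a live, orphaned authkey.
        db.session.rollback()
        clio.authkey.delete(identifier=sensor.uuid)
        return error_response(
            errors.API_SENSOR_EXISTS.format(payload['name']), 400)
    return jsonify(sensor.to_dict())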
예제 #9
파일: views.py 프로젝트: GovCERT-CZ/mhn
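def create_sensor():
    """Register a new sensor from the JSON body and mint its Clio credential.

    Returns the created sensor as JSON, or a 400 error response when required
    fields are missing or a sensor with the same name already exists.
    """
    from mhn import new_clio_connection
    payload = request.json
    missing = Sensor.check_required(payload)
    if missing:
        return error_response(
                errors.API_FIELDS_MISSING.format(missing), 400)

    # NOTE(review): every key in the body is passed to the Sensor constructor
    # (mass assignment). uuid and ip are overwritten below, but any other
    # column a client names would be honoured; confirm check_required/Sensor
    # restrict the accepted fields.
    sensor = Sensor(**payload)
    # uuid1 embeds host MAC + time: fine as an identifier, never a secret.
    sensor.uuid = str(uuid1())
    sensor.ip = request.remote_addr

    clio = new_clio_connection()
    clio.authkey.new(**sensor.new_auth_dict()).post()
    try:
        db.session.add(sensor)
        db.session.commit()
    except IntegrityError:
        # The credential was already written to Clio above; revoke it so a
        # rejected registration does not leave a live, orphaned authkey.
        db.session.rollback()
        clio.authkey.delete(identifier=sensor.uuid)
        return error_response(
                errors.API_SENSOR_EXISTS.format(payload['name']), 400)
    return jsonify(sensor.to_dict())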
예제 #10
def get_feeds():
    """Render the paginated hpfeeds payload listing, newest ``_id`` first.

    The raw query string is used twice: as the Clio filter for
    ``get_payloads`` and, spread as keyword arguments, as extra template
    context. NOTE(review): a query key that collides with an explicit
    keyword below (``feeds``, ``columns``, ...) raises TypeError, and any
    other key becomes a template variable; confirm the template tolerates that.
    """
    from mhn import new_clio_connection
    clio = new_clio_connection()
    page_size = 10
    query = paginate_options(limit=page_size)
    query['order_by'] = '-_id'
    filters = request.args.to_dict()
    count, columns, feeds = clio.hpfeed.get_payloads(query, filters)
    channel_list = clio.hpfeed.channel_map.keys()
    paged = mongo_pages(feeds, count, limit=page_size)
    # A fresh copy for the template so any in-place edits get_payloads may
    # have made to ``filters`` do not leak into the context.
    return render_template('ui/feeds.html', feeds=paged, columns=columns,
                           channel_list=channel_list, view='ui.get_feeds',
                           **request.args.to_dict())
예제 #11
def graph_combos():
    """Render a pygal bar chart of the most common Kippo/Cowrie user/password pairs."""
    from mhn import new_clio_connection
    clio = new_clio_connection()

    chart = pygal.Bar(style=LightColorizedStyle, show_x_labels=True,
                      config=PYGAL_CONFIG)
    chart.title = "Kippo/Cowrie Top User/Passwords"

    payloads = get_credentials_payloads(clio)
    for pair in clio.hpfeed.count_combos(payloads):
        label, count = pair[0], pair[1]
        chart.add(label, [{'label': str(label), 'xlink': '', 'value': count}])

    return chart.render_response()
예제 #12
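def graph_top_attackers():
    """Render a pygal bar chart of the top Kippo/Cowrie attacker IPs by count."""
    from mhn import new_clio_connection
    clio = new_clio_connection()

    chart = pygal.Bar(style=LightColorizedStyle, show_x_labels=True,
                      config=PYGAL_CONFIG)
    chart.title = "Kippo/Cowrie Top Attackers"

    # The leftover debug ``print`` that dumped every attacker record to the
    # server's stdout on each request has been removed.
    for attacker in top_kippo_cowrie_attackers(clio):
        chart.add(str(attacker['source_ip']), attacker['count'])

    return chart.render_response()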
예제 #13
def get_attacks():
    """Render the paginated attack (session) listing, newest timestamp first.

    The query string is used as the Clio filter for both the count and the
    page fetch and is also spread into the template context.
    NOTE(review): a query key colliding with an explicit keyword below
    raises TypeError; confirm callers never send such names.
    """
    from mhn import new_clio_connection
    clio = new_clio_connection()
    page_size = 10
    paging = paginate_options(limit=page_size)
    paging['order_by'] = '-timestamp'
    # ** unpacking hands the callees a copy, so one dict can serve all three uses.
    filters = request.args.to_dict()
    total = clio.session.count(**filters)
    page = clio.session.get(options=paging, **filters)
    page = mongo_pages(page, total, limit=page_size)
    return render_template('ui/attacks.html', attacks=page,
                           sensors=Sensor.query, view='ui.get_attacks',
                           get_flag_ip=get_flag_ip, get_sensor_name=get_sensor_name,
                           **filters)
예제 #14
파일: views.py 프로젝트: GovCERT-CZ/mhn
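def attacker_stats(ip):
    """Return Clio's per-attacker statistics for ``ip``.

    Query parameters:
        hours_ago: look-back window in hours (default 720 = 30 days).
        limit: accepted and echoed for symmetry with the other feed
            endpoints, but not used by this query.

    Only ``hours_ago`` and ``limit`` are echoed back in ``meta.options``.
    A non-integer ``hours_ago`` propagates as an unhandled ValueError.
    """
    from mhn import new_clio_connection
    args = request.args.to_dict()
    hours_ago = int(args.get('hours_ago', '720'))  # 30 days

    # Build the echo dict instead of deleting keys while iterating args;
    # that pattern only works on Python 2's list-returning keys().
    options = dict((k, v) for k, v in args.items() if k in ('hours_ago', 'limit'))
    # NOTE(review): ``ip`` comes straight from the URL and reaches Clio
    # unvalidated; confirm attacker_stats treats it as an opaque string.
    results = new_clio_connection().session.attacker_stats(ip, hours_ago=hours_ago)
    return jsonify(
        data=results,
        meta={
            'query': 'attacker_stats',
            'options': options
        }
    )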
예제 #15
파일: views.py 프로젝트: AndyPicket/mhn
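def attacker_stats(ip):
    """Return Clio's per-attacker statistics for ``ip``.

    Query parameters:
        hours_ago: look-back window in hours (default 720 = 30 days).
        limit: accepted and echoed for symmetry with the other feed
            endpoints, but not used by this query.

    Only ``hours_ago`` and ``limit`` are echoed back in ``meta.options``.
    A non-integer ``hours_ago`` propagates as an unhandled ValueError.
    """
    from mhn import new_clio_connection
    args = request.args.to_dict()
    hours_ago = int(args.get('hours_ago', '720'))  # 30 days

    # Build the echo dict instead of deleting keys while iterating args;
    # that pattern only works on Python 2's list-returning keys().
    options = dict((k, v) for k, v in args.items() if k in ('hours_ago', 'limit'))
    # NOTE(review): ``ip`` comes straight from the URL and reaches Clio
    # unvalidated; confirm attacker_stats treats it as an opaque string.
    results = new_clio_connection().session.attacker_stats(ip, hours_ago=hours_ago)
    return jsonify(
        data=results,
        meta={
            'query': 'attacker_stats',
            'options': options
        }
    )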
예제 #16
파일: views.py 프로젝트: AndyPicket/mhn
def graph_users():
    """Render a pygal bar chart of the most-tried Kippo/Cowrie usernames."""
    from mhn import new_clio_connection
    clio = new_clio_connection()

    chart = pygal.Bar(style=LightColorizedStyle,
                      show_x_labels=True,
                      config=PYGAL_CONFIG)
    chart.title = "Kippo/Cowrie Top Users"

    payloads = get_credentials_payloads(clio)
    for entry in clio.hpfeed.count_users(payloads):
        name, count = entry[0], entry[1]
        point = {'label': str(name), 'xlink': '', 'value': count}
        chart.add(name, [point])

    return chart.render_response()
예제 #17
파일: views.py 프로젝트: GovCERT-CZ/mhn
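def top_attackers():
    """Return the most active source_ip/honeypot pairs in the window.

    Query parameters:
        limit: maximum number of rows (default 1000).
        hours_ago: look-back window in hours (default 4).
        api_key: stripped so it is neither forwarded to Clio nor echoed.
        <anything else>: forwarded verbatim to Clio as a filter kwarg.

    Returns JSON with ``data`` (rows from Clio) and ``meta`` holding the row
    count, the query name and the echoed limit/hours_ago. A non-integer
    ``limit`` or ``hours_ago`` propagates as an unhandled ValueError.
    """
    from mhn import new_clio_connection
    args = request.args.to_dict()
    limit = int(args.get('limit', '1000'))
    hours_ago = int(args.get('hours_ago', '4'))

    echoed = ('hours_ago', 'limit')
    # Build the filtered dicts directly instead of deleting from a dict while
    # iterating its keys(); that only works on Python 2's list-returning keys().
    extra = dict((k, v) for k, v in args.items() if k not in echoed + ('api_key',))
    options = dict((k, v) for k, v in args.items() if k in echoed)

    # NOTE(review): remaining client keys reach Clio unchanged and ``limit``
    # has no upper bound; confirm clio restricts filter names/operators.
    results = new_clio_connection().session._tops(
        ['source_ip', 'honeypot'], top=limit, hours_ago=hours_ago, **extra)
    return jsonify(
        data=results,
        meta={
            'size': len(results),
            'query': 'top_attackers',
            'options': options
        }
    )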
예제 #18
파일: views.py 프로젝트: AndyPicket/mhn
def get_feed(feed_id):
    """Return the single hpfeed record identified by ``feed_id``."""
    from mhn import new_clio_connection
    clio = new_clio_connection()
    return _get_one_resource(clio.hpfeed, feed_id)
예제 #19
파일: views.py 프로젝트: GovCERT-CZ/mhn
def get_url(url_id):
    """Look up one URL record by id via the shared single-resource helper."""
    from mhn import new_clio_connection
    collection = new_clio_connection().url
    return _get_one_resource(collection, url_id)
예제 #20
파일: views.py 프로젝트: AndyPicket/mhn
def get_metadatum(metadata_id):
    """Return the single metadata record identified by ``metadata_id``."""
    from mhn import new_clio_connection
    clio = new_clio_connection()
    return _get_one_resource(clio.metadata, metadata_id)
예제 #21
파일: views.py 프로젝트: AndyPicket/mhn
def get_metadata():
    """Query metadata records, using the raw query string as the filter.

    NOTE(review): filter keys come straight from the client; whatever
    validation exists lives in ``_get_query_resource`` / Clio, not here.
    """
    from mhn import new_clio_connection
    filters = request.args.to_dict()
    return _get_query_resource(new_clio_connection().metadata, filters)
예제 #22
파일: views.py 프로젝트: GovCERT-CZ/mhn
def get_file(file_id):
    """Return the single file record identified by ``file_id``."""
    from mhn import new_clio_connection
    clio = new_clio_connection()
    return _get_one_resource(clio.file, file_id)
예제 #23
파일: views.py 프로젝트: AndyPicket/mhn
def get_file(file_id):
    """Look up one file record by id via the shared single-resource helper."""
    from mhn import new_clio_connection
    collection = new_clio_connection().file
    return _get_one_resource(collection, file_id)
예제 #24
파일: views.py 프로젝트: GovCERT-CZ/mhn
def get_metadatum(metadata_id):
    """Look up one metadata record by id via the shared single-resource helper."""
    from mhn import new_clio_connection
    collection = new_clio_connection().metadata
    return _get_one_resource(collection, metadata_id)
예제 #25
파일: views.py 프로젝트: GovCERT-CZ/mhn
def get_dork(dork_id):
    """Return the single dork record identified by ``dork_id``."""
    from mhn import new_clio_connection
    clio = new_clio_connection()
    return _get_one_resource(clio.dork, dork_id)
예제 #26
파일: views.py 프로젝트: GovCERT-CZ/mhn
def get_session(session_id):
    """Look up one session record by id via the shared single-resource helper."""
    from mhn import new_clio_connection
    collection = new_clio_connection().session
    return _get_one_resource(collection, session_id)
예제 #27
파일: views.py 프로젝트: GovCERT-CZ/mhn
def get_dorks():
    """Query dork records, using the raw query string as the filter.

    NOTE(review): filter keys come straight from the client; whatever
    validation exists lives in ``_get_query_resource`` / Clio, not here.
    """
    from mhn import new_clio_connection
    filters = request.args.to_dict()
    return _get_query_resource(new_clio_connection().dork, filters)
예제 #28
파일: views.py 프로젝트: GovCERT-CZ/mhn
def get_metadata():
    """Query metadata records; the client's query string is the filter.

    NOTE(review): no validation of the filter keys happens here; confirm
    ``_get_query_resource`` / Clio restrict what a caller can pass.
    """
    from mhn import new_clio_connection
    clio = new_clio_connection()
    return _get_query_resource(clio.metadata, request.args.to_dict())
예제 #29
파일: views.py 프로젝트: AndyPicket/mhn
def get_session(session_id):
    """Return the single session record identified by ``session_id``."""
    from mhn import new_clio_connection
    clio = new_clio_connection()
    return _get_one_resource(clio.session, session_id)
예제 #30
파일: models.py 프로젝트: GovCERT-CZ/mhn
 def attacks_count(self):
     """Number of attacks Clio has counted for this sensor, keyed by its uuid."""
     from mhn import new_clio_connection
     clio = new_clio_connection()
     return clio.counts.get_count(identifier=self.uuid)
예제 #31
파일: views.py 프로젝트: AndyPicket/mhn
def get_url(url_id):
    """Return the single URL record identified by ``url_id``."""
    from mhn import new_clio_connection
    clio = new_clio_connection()
    return _get_one_resource(clio.url, url_id)
예제 #32
파일: models.py 프로젝트: GovCERT-CZ/mhn
 def authkey(self):
     """Fetch this sensor's Clio authkey record (looked up by uuid).

     Presumably a credential; treat the returned value as sensitive.
     """
     from mhn import new_clio_connection
     clio = new_clio_connection()
     return clio.authkey.get(identifier=self.uuid)
예제 #33
파일: views.py 프로젝트: AndyPicket/mhn
def get_dork(dork_id):
    """Look up one dork record by id via the shared single-resource helper."""
    from mhn import new_clio_connection
    collection = new_clio_connection().dork
    return _get_one_resource(collection, dork_id)
예제 #34
파일: models.py 프로젝트: AndyPicket/mhn
 def attacks_count(self):
     """Return Clio's attack count for this sensor (identifier = self.uuid)."""
     from mhn import new_clio_connection
     counts = new_clio_connection().counts
     return counts.get_count(identifier=self.uuid)
예제 #35
파일: views.py 프로젝트: AndyPicket/mhn
def get_dorks():
    """Query dork records; the client's query string is the filter.

    NOTE(review): no validation of the filter keys happens here; confirm
    ``_get_query_resource`` / Clio restrict what a caller can pass.
    """
    from mhn import new_clio_connection
    clio = new_clio_connection()
    return _get_query_resource(clio.dork, request.args.to_dict())
예제 #36
파일: models.py 프로젝트: AndyPicket/mhn
 def authkey(self):
     """Return this sensor's authkey record from Clio, keyed by uuid.

     Presumably a credential; treat the returned value as sensitive.
     """
     from mhn import new_clio_connection
     store = new_clio_connection().authkey
     return store.get(identifier=self.uuid)
예제 #37
파일: views.py 프로젝트: GovCERT-CZ/mhn
def get_feed(feed_id):
    """Look up one hpfeed record by id via the shared single-resource helper."""
    from mhn import new_clio_connection
    collection = new_clio_connection().hpfeed
    return _get_one_resource(collection, feed_id)
예제 #38
def get_files():
    """Query file records, using the raw query string as the filter.

    NOTE(review): filter keys come straight from the client; whatever
    validation exists lives in ``_get_query_resource`` / Clio, not here.
    """
    from mhn import new_clio_connection
    filters = request.args.to_dict()
    return _get_query_resource(new_clio_connection().file, filters)