def mysqldb(): try: con = MySQLdb.connect(host=HONEYPOT["mysqlhost"], user=HONEYPOT["mysqluser"], passwd=HONEYPOT["mysqlpw"], db=HONEYPOT["mysqldb"], cursorclass=MySQLdb.cursors.DictCursor) except MySQLdb.Error as e: logme(MODUL, "[ERROR] %s" % (str(e)), ("P3", "LOG"), ECFG) return c = con.cursor() # calculate send limit c.execute("SELECT max(id) from log") maxid = c.fetchone()["max(id)"] if maxid is None: logme(MODUL, "[ERROR] No entry's in Glastopf Database. Abort!", ("P2", "LOG"), ECFG) return imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1)), int(maxid), ECFG) # read alerts from database c.execute("SELECT * from log where id > %s and id <= %s;", (imin, imax)) rows = c.fetchall()
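def dionaea():
    """Forward new Dionaea connections from its SQLite database as EWS alerts.

    Reads the ``dionaea`` section of the config (node id, sqlite path, malware
    dir), selects every ``connections`` row in the id window returned by
    ``calcminmax`` (lower bound presumably the last id ``countme`` recorded),
    builds one alert per row, attaches the downloaded sample when the
    ``downloads`` table has an entry for that connection, then sends the batch
    and writes its JSON copy.  Uses the module-level ``ECFG`` config; returns
    nothing.

    Differences from the upstream text: the database connection is closed on
    every exit path (it leaked when the table was empty), and the remaining
    logic is unchanged.
    """
    MODUL = "DIONAEA"
    logme(MODUL, "Starting Dionaea Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("dionaea", "nodeid", "sqlitedb", "malwaredir")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    # Malwaredir exist ?
    # NOTE(review): the message says "Abort" but upstream deliberately keeps
    # going; samples that cannot be attached are reported per row below.
    if not os.path.isdir(HONEYPOT["malwaredir"]):
        logme(MODUL, "[ERROR] Missing Malware Dir " + HONEYPOT["malwaredir"] + ". Abort !", ("P3", "LOG"), ECFG)

    # is sqlitedb exist ?
    if not os.path.isfile(HONEYPOT["sqlitedb"]):
        logme(MODUL, "[ERROR] Missing sqlitedb file " + HONEYPOT["sqlitedb"] + ". Abort !", ("P3", "LOG"), ECFG)
        return

    # open database -- closed in the finally below so early returns cannot leak it
    con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
    con.row_factory = sqlite3.Row
    # counter inits (y > 1 after the loop means at least one row was seen)
    x = 0
    y = 1
    try:
        c = con.cursor()

        # calculate send limit
        c.execute("SELECT max(connection) from connections;")
        maxid = c.fetchone()["max(connection)"]
        if maxid is None:
            logme(MODUL, "[INFO] No entry's in Dionaea Database. Skip !", ("P2", "LOG"), ECFG)
            return
        imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)), int(maxid), ECFG)

        # read alerts from database; bounds are bound parameters, never formatted in
        c.execute("SELECT * from connections where connection > ? and connection <= ?;", (imin, imax))
        rows = c.fetchall()

        esm = ewsauth(ECFG["username"], ECFG["token"])
        jesm = ""

        for row in rows:
            x, y = viewcounter(MODUL, x, y)

            # filter empty remote_host (still mark it as handled)
            if row["remote_host"] == "":
                countme(MODUL, 'sqliteid', row["connection"], ECFG)
                continue

            # Prepair and collect Alert Data.  Every address/port value comes
            # from the honeypot's own log of the attacker's connection, i.e. it
            # is untrusted input and is passed to the builders as-is.
            remote = str(row["remote_host"])
            local = str(row["local_host"])
            DATA = {
                "aid": HONEYPOT["nodeid"],
                "timestamp": datetime.fromtimestamp(int(row["connection_timestamp"])).strftime('%Y-%m-%d %H:%M:%S'),
                "sadr": remote,
                "sipv": "ipv" + ip4or6(remote),
                "sprot": str(row["connection_type"]),
                "sport": str(row["remote_port"]),
                "tipv": "ipv" + ip4or6(local),
                "tadr": local,
                "tprot": str(row["connection_type"]),
                "tport": str(row["local_port"]),
            }
            REQUEST = {
                "description": "Network Honeyport Dionaea v0.1.0",
            }

            # Check for malware bin's: the stored md5 names the sample file.
            # NOTE(review): presumably malware() keeps the lookup inside
            # malwaredir -- confirm, since the hash string originates in the
            # honeypot database.
            c.execute("SELECT download_md5_hash from downloads where connection = ?;", (str(row["connection"]),))
            check = c.fetchone()
            if check is not None:
                error, malwarefile = malware(HONEYPOT["malwaredir"], check[0], ECFG["del_malware_after_send"])
                if error == 0:
                    REQUEST["binary"] = malwarefile
                else:
                    logme(MODUL, "Mission Malwarefile %s" % check[0], ("P1", "LOG"), ECFG)

            # Collect additional Data
            ADATA = {
                "sqliteid": str(row["connection"]),
            }

            # generate template and send
            esm = buildews(esm, DATA, REQUEST, ADATA)
            jesm = buildjson(jesm, DATA, REQUEST, ADATA)
            countme(MODUL, 'sqliteid', row["connection"], ECFG)
            countme(MODUL, 'daycounter', -2, ECFG)
            if ECFG["a.verbose"] is True:
                verbosemode(MODUL, DATA, REQUEST, ADATA)
    finally:
        con.close()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)
        writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"), ECFG)

    return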
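def glastopfv3():
    """Forward new Glastopf v3 events from its SQLite database as EWS alerts.

    Reads the ``glastopfv3`` config section plus the honeypot ``ip`` (falling
    back to ``ECFG["ip"]`` when the value is ``false``/``null``), selects the
    ``events`` rows in the id window returned by ``calcminmax``, builds one
    alert per row (request URL, raw request, RFI sample when present, HTTP
    method/Host/body as additional data), then sends the batch and writes its
    JSON copy.  Uses the module-level ``ECFG`` config; returns nothing.

    Fixes relative to the upstream text: ``buildews`` was called twice per row
    (duplicate alerts), the connection leaked on the empty-table exit, and a
    NULL ``request_raw``/``request_body`` column raised ``TypeError`` in
    ``len()``/``re.search``.
    """
    MODUL = "GLASTOPFV3"
    logme(MODUL, "Starting Glastopf V3.x Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("glastopfv3", "nodeid", "sqlitedb", "malwaredir")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])
    if HONEYPOT["ip"].lower() in ("false", "null"):
        HONEYPOT["ip"] = ECFG["ip"]

    # Malwaredir exist ?  Issue in Glastopf: the RFI directory is first created
    # when the first RFI is downloaded, so the check is intentionally disabled
    # upstream; a missing sample is reported per row below instead.

    # is sqlitedb exist ?
    if not os.path.isfile(HONEYPOT["sqlitedb"]):
        logme(MODUL, "[INFO] Missing sqlitedb file " + HONEYPOT["sqlitedb"] + ". Skip !", ("P3", "LOG"), ECFG)
        return

    # open database -- the cursor is not needed after the fetch, so it is
    # closed right away (also on the empty-table return)
    con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
    con.row_factory = sqlite3.Row
    try:
        c = con.cursor()

        # calculate send limit
        c.execute("SELECT max(id) from events")
        maxid = c.fetchone()["max(id)"]
        if maxid is None:
            logme(MODUL, "[INFO] No entry's in Glastopf Database. Skip !", ("P2", "LOG"), ECFG)
            return
        imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)), int(maxid), ECFG)

        # read alerts from database; bounds are bound parameters, never formatted in
        c.execute("SELECT * from events where id > ? and id <= ?;", (imin, imax))
        rows = c.fetchall()
    finally:
        con.close()

    # counter inits (y > 1 after the loop means at least one row was seen)
    x = 0
    y = 1
    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    for row in rows:
        x, y = viewcounter(MODUL, x, y)

        # filter empty requests and nagios checks (still mark them as handled)
        if row["request_url"] == os.sep or row["request_url"] == "/index.do?hash=DEADBEEF&activate=1":
            countme(MODUL, 'sqliteid', row["id"], ECFG)
            continue

        # Prepair and collect Alert Data.  Everything taken from the row is
        # attacker-supplied request data and is passed to the builders as-is.
        # NOTE(review): "source" is assumed to be "ip:port"; the regex cuts at
        # the first colon, so an IPv6 literal would be truncated -- confirm
        # what Glastopf writes there.
        source_ip = re.sub(":.*$", "", row["source"])
        DATA = {
            "aid": HONEYPOT["nodeid"],
            "timestamp": row["time"],
            "sadr": source_ip,
            "sipv": "ipv" + ip4or6(source_ip),
            "sprot": "tcp",
            "sport": "",
            "tipv": "ipv" + ip4or6(HONEYPOT["ip"]),
            "tadr": HONEYPOT["ip"],
            "tprot": "tcp",
            "tport": "80",
        }
        REQUEST = {
            "description": "WebHoneypot : Glastopf v3.1",
            "url": urllib.quote(row["request_url"].encode('ascii', 'ignore')),
        }

        # Optional columns: older Glastopf schemas lack some of them, and a
        # present column may still be NULL, hence the truthiness checks.
        columns = row.keys()
        raw_request = row["request_raw"] if "request_raw" in columns else None
        if raw_request:
            REQUEST["raw"] = base64.encodestring(raw_request.encode('ascii', 'ignore'))

        # NOTE(review): "filename" names the RFI sample inside malwaredir;
        # presumably malware() keeps the lookup inside that directory -- confirm,
        # since the value originates in the honeypot database.
        if "filename" in columns and row["filename"] is not None:
            error, malwarefile = malware(HONEYPOT["malwaredir"], row["filename"], ECFG["del_malware_after_send"])
            if error == 0:
                REQUEST["binary"] = malwarefile
            else:
                logme(MODUL, "Mission Malwarefile %s" % row["filename"], ("P1", "LOG"), ECFG)

        # Collect additional Data
        ADATA = {
            "sqliteid": row["id"],
        }
        if "request_method" in columns:
            ADATA["httpmethod"] = row["request_method"]
        if raw_request:
            m = re.search(r'Host: (\b.+\b)', raw_request, re.M)
            if m:
                ADATA["host"] = str(m.group(1))
        if "request_header" in columns:
            # parsed once; a JSON "Host" header overrides the one found in the raw request
            headers = json.loads(row["request_header"])
            if 'Host' in headers:
                ADATA["host"] = str(headers["Host"])
        if "request_body" in columns and row["request_body"]:
            ADATA["requestbody"] = row["request_body"]

        # generate template and send -- exactly once per row
        esm = buildews(esm, DATA, REQUEST, ADATA)
        jesm = buildjson(jesm, DATA, REQUEST, ADATA)
        countme(MODUL, 'sqliteid', row["id"], ECFG)
        countme(MODUL, 'daycounter', -2, ECFG)
        if ECFG["a.verbose"] is True:
            verbosemode(MODUL, DATA, REQUEST, ADATA)

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)
        writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"), ECFG)

    return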
return c = con.cursor() # calculate send limit c.execute("SELECT max(id) from log") maxid = c.fetchone()["max(id)"] if maxid is None: logme(MODUL, "[INFO] No entry's in Glastopf Database. Skip!", ("P2", "LOG"), ECFG) return imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)), int(maxid), ECFG) # read alerts from database c.execute("SELECT * from log where id > %s and id <= %s;", (imin, imax)) rows = c.fetchall() # counter inits x = 0 y = 1 esm = ewsauth(ECFG["username"], ECFG["token"]) jesm = "" for row in rows:
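def dionaea():
    """Forward new Dionaea connections from its SQLite database as EWS alerts.

    Reads the ``dionaea`` config section (node id, sqlite path, malware dir),
    selects every ``connections`` row in the id window returned by
    ``calcminmax``, builds one alert per row, attaches the downloaded sample
    when the ``downloads`` table has an entry for that connection, then sends
    the batch and writes its JSON copy.  Uses the module-level ``ECFG``
    config; returns nothing.

    Fixes relative to the upstream text: the "Mission Malwarefile" log
    formatted ``row["filename"]`` although the row comes from ``connections``
    (the sample is identified by the md5 fetched from ``downloads``, as the
    sibling implementation does), and the connection leaked on the
    empty-table exit.
    """
    MODUL = "DIONAEA"
    logme(MODUL, "Starting Dionaea Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("dionaea", "nodeid", "sqlitedb", "malwaredir")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    # Malwaredir exist ?
    # NOTE(review): the message says "Abort" but upstream deliberately keeps
    # going; samples that cannot be attached are reported per row below.
    if not os.path.isdir(HONEYPOT["malwaredir"]):
        logme(MODUL, "[ERROR] Missing Malware Dir " + HONEYPOT["malwaredir"] + ". Abort !", ("P3", "LOG"), ECFG)

    # is sqlitedb exist ?
    if not os.path.isfile(HONEYPOT["sqlitedb"]):
        logme(MODUL, "[ERROR] Missing sqlitedb file " + HONEYPOT["sqlitedb"] + ". Abort !", ("P3", "LOG"), ECFG)
        return

    # open database -- closed in the finally below so early returns cannot leak it
    con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
    con.row_factory = sqlite3.Row
    # counter inits (y > 1 after the loop means at least one row was seen)
    x = 0
    y = 1
    try:
        c = con.cursor()

        # calculate send limit
        c.execute("SELECT max(connection) from connections;")
        maxid = c.fetchone()["max(connection)"]
        if maxid is None:
            logme(MODUL, "[ERROR] No entry's in Dionaea Database. Abort!", ("P2", "LOG"), ECFG)
            return
        imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)), int(maxid), ECFG)

        # read alerts from database; bounds are bound parameters, never formatted in
        c.execute("SELECT * from connections where connection > ? and connection <= ?;", (imin, imax))
        rows = c.fetchall()

        esm = ewsauth(ECFG["username"], ECFG["token"])
        jesm = []

        for row in rows:
            x, y = viewcounter(MODUL, x, y)

            # filter empty remote_host (still mark it as handled)
            if row["remote_host"] == "":
                countme(MODUL, 'sqliteid', row["connection"], ECFG)
                continue

            # Prepair and collect Alert Data.  Every address/port value comes
            # from the honeypot's own log of the attacker's connection, i.e. it
            # is untrusted input and is passed to the builders as-is.
            remote = str(row["remote_host"])
            local = str(row["local_host"])
            DATA = {
                "aid": HONEYPOT["nodeid"],
                "timestamp": datetime.fromtimestamp(int(row["connection_timestamp"])).strftime('%Y-%m-%d %H:%M:%S'),
                "sadr": remote,
                "sipv": "ipv" + ip4or6(remote),
                "sprot": str(row["connection_type"]),
                "sport": str(row["remote_port"]),
                "tipv": "ipv" + ip4or6(local),
                "tadr": local,
                "tprot": str(row["connection_type"]),
                "tport": str(row["local_port"]),
            }
            REQUEST = {
                "description": "Network Honeyport Dionaea vX.x",
            }

            # Check for malware bin's: the stored md5 names the sample file.
            # NOTE(review): presumably malware() keeps the lookup inside
            # malwaredir -- confirm, since the hash string originates in the
            # honeypot database.
            c.execute("SELECT download_md5_hash from downloads where connection = ?;", (str(row["connection"]),))
            check = c.fetchone()
            if check is not None:
                error, malwarefile = malware(HONEYPOT["malwaredir"], check[0], ECFG["del_malware_after_send"])
                if error == 0:
                    REQUEST["binary"] = malwarefile
                else:
                    logme(MODUL, "Mission Malwarefile %s" % check[0], ("P1", "LOG"), ECFG)

            # Collect additional Data
            ADATA = {
                "sqliteid": str(row["connection"]),
            }

            # generate template and send
            esm = buildews(esm, DATA, REQUEST, ADATA)
            jesm = buildjson(jesm, DATA, REQUEST, ADATA)
            countme(MODUL, 'sqliteid', row["connection"], ECFG)
            countme(MODUL, 'daycounter', -2, ECFG)
            if ECFG["a.verbose"] is True:
                verbosemode(MODUL, DATA, REQUEST, ADATA)
    finally:
        con.close()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)
        writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"), ECFG)

    return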
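def glastopfv3():
    """Forward new Glastopf v3 events from its SQLite database as EWS alerts.

    Reads the ``glastopfv3`` config section plus the honeypot ``ip`` (falling
    back to ``ECFG["ip"]`` when the value is ``false``/``null``), selects the
    ``events`` rows in the id window returned by ``calcminmax``, builds one
    alert per row (request URL, raw request, RFI sample when present, HTTP
    method/Host/body as additional data), then sends the batch and writes its
    JSON copy.  Uses the module-level ``ECFG`` config; returns nothing.

    Fixes relative to the upstream text: the connection leaked on the
    empty-table exit, and a NULL ``request_raw``/``request_body`` column
    raised ``TypeError`` in ``len()``/``re.search``.
    """
    MODUL = "GLASTOPFV3"
    logme(MODUL, "Starting Glastopf V3.x Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("glastopfv3", "nodeid", "sqlitedb", "malwaredir")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])
    if HONEYPOT["ip"].lower() in ("false", "null"):
        HONEYPOT["ip"] = ECFG["ip"]

    # Malwaredir exist ?  Issue in Glastopf: the RFI directory is first created
    # when the first RFI is downloaded, so the check is intentionally disabled
    # upstream; a missing sample is reported per row below instead.

    # is sqlitedb exist ?
    if not os.path.isfile(HONEYPOT["sqlitedb"]):
        logme(MODUL, "[ERROR] Missing sqlitedb file " + HONEYPOT["sqlitedb"] + ". Abort !", ("P3", "LOG"), ECFG)
        return

    # open database -- the cursor is not needed after the fetch, so it is
    # closed right away (also on the empty-table return)
    con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
    con.row_factory = sqlite3.Row
    try:
        c = con.cursor()

        # calculate send limit
        c.execute("SELECT max(id) from events")
        maxid = c.fetchone()["max(id)"]
        if maxid is None:
            logme(MODUL, "[ERROR] No entry's in Glastopf Database. Abort!", ("P2", "LOG"), ECFG)
            return
        imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)), int(maxid), ECFG)

        # read alerts from database; bounds are bound parameters, never formatted in
        c.execute("SELECT * from events where id > ? and id <= ?;", (imin, imax))
        rows = c.fetchall()
    finally:
        con.close()

    # counter inits (y > 1 after the loop means at least one row was seen)
    x = 0
    y = 1
    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = []

    for row in rows:
        x, y = viewcounter(MODUL, x, y)

        # filter empty requests and nagios checks (still mark them as handled)
        if row["request_url"] == os.sep or row["request_url"] == "/index.do?hash=DEADBEEF&activate=1":
            countme(MODUL, 'sqliteid', row["id"], ECFG)
            continue

        # Prepair and collect Alert Data.  Everything taken from the row is
        # attacker-supplied request data and is passed to the builders as-is.
        # NOTE(review): "source" is assumed to be "ip:port"; the regex cuts at
        # the first colon, so an IPv6 literal would be truncated -- confirm
        # what Glastopf writes there.
        source_ip = re.sub(":.*$", "", row["source"])
        DATA = {
            "aid": HONEYPOT["nodeid"],
            "timestamp": row["time"],
            "sadr": source_ip,
            "sipv": "ipv" + ip4or6(source_ip),
            "sprot": "tcp",
            "sport": "",
            "tipv": "ipv" + ip4or6(HONEYPOT["ip"]),
            "tadr": HONEYPOT["ip"],
            "tprot": "tcp",
            "tport": "80",
        }
        REQUEST = {
            "description": "WebHoneypot : Glastopf v3.1",
            "url": urllib.quote(row["request_url"]),
        }

        # Optional columns: older Glastopf schemas lack some of them, and a
        # present column may still be NULL, hence the truthiness checks.
        columns = row.keys()
        raw_request = row["request_raw"] if "request_raw" in columns else None
        if raw_request:
            REQUEST["raw"] = base64.encodestring(raw_request)

        # NOTE(review): "filename" names the RFI sample inside malwaredir;
        # presumably malware() keeps the lookup inside that directory -- confirm,
        # since the value originates in the honeypot database.
        if "filename" in columns and row["filename"] is not None:
            error, malwarefile = malware(HONEYPOT["malwaredir"], row["filename"], ECFG["del_malware_after_send"])
            if error == 0:
                REQUEST["binary"] = malwarefile
            else:
                logme(MODUL, "Mission Malwarefile %s" % row["filename"], ("P1", "LOG"), ECFG)

        # Collect additional Data
        ADATA = {
            "sqliteid": row["id"],
        }
        if "request_method" in columns:
            ADATA["httpmethod"] = row["request_method"]
        if raw_request:
            m = re.search(r'Host: (\b.+\b)', raw_request, re.M)
            if m:
                ADATA["host"] = str(m.group(1))
        if "request_header" in columns:
            # parsed once; a JSON "Host" header overrides the one found in the raw request
            headers = json.loads(row["request_header"])
            if 'Host' in headers:
                ADATA["host"] = str(headers["Host"])
        if "request_body" in columns and row["request_body"]:
            ADATA["requestbody"] = row["request_body"]

        # generate template and send
        esm = buildews(esm, DATA, REQUEST, ADATA)
        jesm = buildjson(jesm, DATA, REQUEST, ADATA)
        countme(MODUL, 'sqliteid', row["id"], ECFG)
        countme(MODUL, 'daycounter', -2, ECFG)
        if ECFG["a.verbose"] is True:
            verbosemode(MODUL, DATA, REQUEST, ADATA)

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)
        writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"), ECFG)

    return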
logme(MODUL,"[ERROR] %s" %(str(e)),("P3","LOG"),ECFG) return c = con.cursor() # calculate send limit c.execute("SELECT max(id) from log") maxid = c.fetchone()["max(id)"] if maxid is None: logme(MODUL,"[ERROR] No entry's in Glastopf Database. Abort!",("P2","LOG"),ECFG) return imin, imax = calcminmax(MODUL,int(countme(MODUL,'sqliteid',-1,ECFG)),int(maxid),ECFG) # read alerts from database c.execute("SELECT * from log where id > %s and id <= %s;",(imin,imax)) rows = c.fetchall() # counter inits x = 0 ; y = 1 esm = ewsauth(ECFG["username"],ECFG["token"]) jesm = [ ] for row in rows:
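def sqlitedb(MODUL, DBPATH, ECFG):
    """Fetch the not-yet-sent rows of a honeypot's SQLite database.

    Args:
        MODUL: honeypot module selecting the schema: ``"GLASTOPFV3"`` reads
            ``events`` keyed by ``id``, ``"DIONAEA"`` reads ``connections``
            keyed by ``connection``.  Any other value is an error.
        DBPATH: path of the SQLite file.
        ECFG: global ews config, passed through to logme/countme/calcminmax.

    Returns:
        ``(0, rows)`` on success, ``rows`` being the ``sqlite3.Row`` objects
        whose id lies in the window returned by ``calcminmax``;
        ``(1, [])`` after logging the reason on any failure (missing file,
        unknown module, sqlite error, empty table).

    Fixes relative to the upstream text: the sqlite handler caught
    ``sqlite.Error`` -- an undefined name, so a connect failure raised
    ``NameError`` instead of being logged -- and the connection leaked on the
    unknown-module and empty-table exits.
    """
    rows = []

    # is sqlitedb exist ?
    if not os.path.isfile(DBPATH):
        logme(MODUL, "[ERROR] Missing sqlitedb file " + DBPATH + ". Abort !", ("P3", "LOG"), ECFG)
        return 1, rows

    # Per-module queries, kept as literal SQL: (max-id query, key of the
    # max-id column in the result row, windowed select with two bound params).
    # Resolving the module once means the two queries cannot disagree, and the
    # check happens before a connection is opened.
    queries = {
        "GLASTOPFV3": (
            "SELECT max(id) from events",
            "max(id)",
            "SELECT * from events where id > ? and id <= ?;",
        ),
        "DIONAEA": (
            "SELECT max(connection) from connections;",
            "max(connection)",
            "SELECT * from connections where connection > ? and connection <= ?;",
        ),
    }
    if MODUL not in queries:
        logme(MODUL, "[ERROR] Unknow Modul for Sqlite Database Access. Abort!", ("P2", "LOG"), ECFG)
        return 1, rows
    maxquery, maxkey, rowquery = queries[MODUL]

    # open database
    try:
        con = sqlite3.connect(DBPATH, 30)
        con.row_factory = sqlite3.Row
        cur = con.cursor()
    except sqlite3.Error as e:
        logme(MODUL, "[ERROR] Sqlite Error : %s . Abort !" % e.args[0], ("P3", "LOG"), ECFG)
        return 1, rows

    try:
        # calculate max alerts
        cur.execute(maxquery)
        maxid = cur.fetchone()[maxkey]
        if maxid is None:
            logme(MODUL, "[ERROR] No entry's in Database %s. Abort!" % DBPATH, ("P2", "LOG"), ECFG)
            return 1, rows
        imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)), int(maxid), ECFG)

        # read alerts from database; the window bounds are bound parameters
        cur.execute(rowquery, (imin, imax))
        rows = cur.fetchall()
    finally:
        con.close()

    return 0, rows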