def kippo():
    """Start the Kippo modul: read its config section and open the MySQL database.

    Reads the ``[KIPPO]`` items from ``ECFG["cfgfile"]``, falls back to the
    poster-wide ``ECFG["ip"]`` when the modul's own ``ip`` is ``false`` or
    ``null``, then connects with ``MySQLdb`` using the credentials from the
    config file. A connection error is only reported through ``logme`` with
    the ``("P3", "LOG")`` flags; as shown here the function ends right after
    the connection attempt.
    """
    MODUL = "KIPPO"
    logme(MODUL, "Starting Kippo Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("kippo", "nodeid", "mysqlhost", "mysqldb", "mysqluser", "mysqlpw")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])

    # "false"/"null" in the modul section means: use the poster-wide ip
    if HONEYPOT["ip"].lower() in ("false", "null"):
        HONEYPOT["ip"] = ECFG["ip"]

    # open database; host, user, password and db name all come from ews.cfg
    try:
        con = MySQLdb.connect(
            host=HONEYPOT["mysqlhost"],
            user=HONEYPOT["mysqluser"],
            passwd=HONEYPOT["mysqlpw"],
            db=HONEYPOT["mysqldb"],
            cursorclass=MySQLdb.cursors.DictCursor,
        )
    except MySQLdb.Error as e:
        logme(MODUL, "[ERROR] %s" % (str(e)), ("P3", "LOG"), ECFG)
def kippo():
    """Start the Kippo modul: read its config section and open the MySQL database.

    Reads the ``[KIPPO]`` items from ``ECFG["cfgfile"]``, falls back to the
    poster-wide ``ECFG["ip"]`` when the modul's own ``ip`` is ``false`` or
    ``null``, then connects with ``MySQLdb`` using the credentials from the
    config file. A connection error is only reported through ``logme`` with
    the ``("P3", "LOG")`` flags; as shown here the function ends right after
    the connection attempt.
    """
    MODUL = "KIPPO"
    logme(MODUL, "Starting Kippo Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("kippo", "nodeid", "mysqlhost", "mysqldb", "mysqluser", "mysqlpw")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])

    # "false"/"null" in the modul section means: use the poster-wide ip
    if HONEYPOT["ip"].lower() in ("false", "null"):
        HONEYPOT["ip"] = ECFG["ip"]

    # open database; host, user, password and db name all come from ews.cfg
    try:
        con = MySQLdb.connect(
            host=HONEYPOT["mysqlhost"],
            user=HONEYPOT["mysqluser"],
            passwd=HONEYPOT["mysqlpw"],
            db=HONEYPOT["mysqldb"],
            cursorclass=MySQLdb.cursors.DictCursor,
        )
    except MySQLdb.Error as e:
        logme(MODUL, "[ERROR] %s" % (str(e)), ("P3", "LOG"), ECFG)
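def cowrie():
    """Run the Cowrie modul: fold new lines of the Cowrie JSON log into sessions.

    Reads the ``[COWRIE]`` config items, then walks ``logfile`` line by line
    (``getline``) starting after the stored ``fileline`` counter and stops at
    the first empty line or once ``ECFG["sendlimit"]`` lines were read.
    Each line is parsed as JSON; lines that are not valid JSON are logged,
    counted and skipped. Events are folded into ``cowriesessions`` keyed by
    the Cowrie session id, and every login attempt appends a copy of the
    session record to ``sessionstosend``. Returns nothing; the part shown
    here ends after the session bookkeeping.

    Username and password values are whatever was typed at the honeypot;
    they are kept verbatim and must be treated as untrusted by anything that
    later renders or queries them.
    """
    MODUL = "COWRIE"
    logme(MODUL, "Starting Cowrie Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("cowrie", "nodeid", "logfile")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])

    if HONEYPOT["ip"].lower() in ("false", "null"):
        HONEYPOT["ip"] = ECFG["ip"]

    # logfile file exists ? The message says "Skip", so actually skip instead
    # of going on to read a file that is not there.
    if os.path.isfile(HONEYPOT["logfile"]) is False:
        logme(MODUL, "[ERROR] Missing LogFile " + HONEYPOT["logfile"] + ". Skip !", ("P3", "LOG"), ECFG)
        return

    # count limit
    imin = int(countme(MODUL, 'fileline', -1, ECFG))
    sendlimit = int(ECFG["sendlimit"])
    if sendlimit > 0:
        logme(MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) + ". Adapting to limit!", ("P1"), ECFG)

    I = 0
    x = 0
    y = 1
    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    # dict to gather session information, keyed by cowrie session id
    cowriesessions = {}
    sessionstosend = []

    while True:
        x, y = viewcounter(MODUL, x, y)
        I += 1
        if sendlimit > 0 and I > sendlimit:
            break

        currentline = imin + I
        line = getline(HONEYPOT["logfile"], currentline).rstrip()
        if len(line) == 0:
            # an empty line is treated as end of input
            break

        # parse json
        try:
            content = json.loads(line)
        except ValueError:
            # invalid json: report the file line (not the loop index) and
            # still run the two countme calls as before, then skip the entry
            logme(MODUL, "Invalid json entry found in line " + str(currentline) + ", skipping entry.", ("P3"), ECFG)
            countme(MODUL, 'fileline', -2, ECFG)
            countme(MODUL, 'daycounter', -2, ECFG)
            continue

        eventid = content['eventid']

        # if new session is started, store session-related info
        if eventid == "cowrie.session.connect":
            # create empty session content: structure will be the same as kippo
            # | id | username | password | success | logintimestamp | session | sessionstarttime | sessionendtime | ip | cowrieip | version | src_port | dst_port
            cowriesessions[content["session"]] = [
                I, '', '', '', '', content["session"], content["timestamp"], '',
                content["src_ip"], content["sensor"], '', content["src_port"], content["dst_port"]
            ]

        # store correponding ssh client version
        if eventid == "cowrie.client.version":
            if content["session"] in cowriesessions:
                cowriesessions[content["session"]][10] = content["version"]

        # create successful / failed login; only sessions whose connect
        # event was seen in this run are known
        if eventid == "cowrie.login.success" or eventid == "cowrie.login.failed":
            if content["session"] in cowriesessions:
                record = cowriesessions[content["session"]]
                record[0] = currentline
                record[3] = "Success" if eventid == "cowrie.login.success" else "Fail"
                record[1] = content["username"]
                record[2] = content["password"]
                record[4] = content["timestamp"]
                sessionstosend.append(deepcopy(record))

        # store session close on every queued login of that session
        if eventid == "cowrie.session.closed":
            for i in sessionstosend:
                if i[5] == content["session"]:
                    i[7] = content["timestamp"]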
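def glastopfv3():
    """Run the Glastopf v3 modul: read new rows from its sqlite db and send them.

    Reads the ``[GLASTOPFV3]`` config items, opens ``sqlitedb``, selects the
    ``events`` rows whose id lies in the window ``calcminmax`` derives from
    the stored ``sqliteid`` counter and ``max(id)``, builds one EWS alert
    (``buildews``) and one JSON record (``buildjson``) per row, advances the
    ``sqliteid`` and ``daycounter`` counters and finally calls ``sendews`` /
    ``writejson`` when at least one ``Alert`` was built. Returns nothing.
    A missing database file or an empty ``events`` table is logged and
    skipped.

    Every field taken from a row (``request_url``, ``request_raw``,
    ``request_body``, the ``Host`` header) was recorded from whoever hit the
    honeypot and is untrusted; it is only encoded here (quote / base64),
    never interpreted.
    """
    MODUL = "GLASTOPFV3"
    logme(MODUL, "Starting Glastopf V3.x Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("glastopfv3", "nodeid", "sqlitedb", "malwaredir")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])

    if HONEYPOT["ip"].lower() in ("false", "null"):
        HONEYPOT["ip"] = ECFG["ip"]

    # Malwaredir is deliberately not checked here: Glastopf only creates the
    # RFI directory when the first RFI was downloaded.

    # is sqlitedb exist ?
    if os.path.isfile(HONEYPOT["sqlitedb"]) is False:
        logme(MODUL, "[INFO] Missing sqlitedb file " + HONEYPOT["sqlitedb"] + ". Skip !", ("P3", "LOG"), ECFG)
        return

    # open database (30 s busy timeout, rows addressable by column name)
    con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
    con.row_factory = sqlite3.Row
    c = con.cursor()

    # calculate send limit
    c.execute("SELECT max(id) from events")
    maxid = c.fetchone()["max(id)"]

    if maxid is None:
        logme(MODUL, "[INFO] No entry's in Glastopf Database. Skip !", ("P2", "LOG"), ECFG)
        # the connection used to stay open on this early return
        con.close()
        return

    imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)), int(maxid), ECFG)

    # read alerts from database; ids are bound parameters, never interpolated
    c.execute("SELECT * from events where id > ? and id <= ?;", (imin, imax))
    rows = c.fetchall()

    # counter inits
    x = 0
    y = 1
    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    for row in rows:
        x, y = viewcounter(MODUL, x, y)
        columns = row.keys()

        # filter empty requests and nagios checks
        if row["request_url"] == os.sep or row["request_url"] == "/index.do?hash=DEADBEEF&activate=1":
            countme(MODUL, 'sqliteid', row["id"], ECFG)
            continue

        # Prepair and collect Alert Data; "source" carries an ip:port pair,
        # the port part is stripped
        source_ip = re.sub(":.*$", "", row["source"])
        DATA = {
            "aid": HONEYPOT["nodeid"],
            "timestamp": row["time"],
            "sadr": source_ip,
            "sipv": "ipv" + ip4or6(source_ip),
            "sprot": "tcp",
            "sport": "",
            "tipv": "ipv" + ip4or6(HONEYPOT["ip"]),
            "tadr": HONEYPOT["ip"],
            "tprot": "tcp",
            "tport": "80",
        }

        REQUEST = {
            "description": "WebHoneypot : Glastopf v3.1",
            "url": urllib.quote(row["request_url"].encode('ascii', 'ignore'))
        }

        if "request_raw" in columns and len(row["request_raw"]) > 0:
            REQUEST["raw"] = base64.encodestring(row["request_raw"].encode('ascii', 'ignore'))

        if "filename" in columns and row["filename"] is not None:
            error, malwarefile = malware(HONEYPOT["malwaredir"], row["filename"], ECFG["del_malware_after_send"])
            if error == 0:
                REQUEST["binary"] = malwarefile
            else:
                logme(MODUL, "Mission Malwarefile %s" % row["filename"], ("P1", "LOG"), ECFG)

        # Collect additional Data
        ADATA = {"sqliteid": row["id"]}

        if "request_method" in columns:
            ADATA["httpmethod"] = row["request_method"]

        if "request_raw" in columns:
            m = re.search(r'Host: (\b.+\b)', row["request_raw"], re.M)
            if m:
                ADATA["host"] = str(m.group(1))

        if "request_header" in columns:
            # the parsed header wins over the regex match above
            headers = json.loads(row["request_header"])
            if 'Host' in headers:
                ADATA["host"] = str(headers["Host"])

        if "request_body" in columns and len(row["request_body"]) > 0:
            ADATA["requestbody"] = row["request_body"]

        # build each alert exactly once (the row was previously handed to
        # buildews twice, which duplicated every Alert element)
        esm = buildews(esm, DATA, REQUEST, ADATA)
        jesm = buildjson(jesm, DATA, REQUEST, ADATA)

        countme(MODUL, 'sqliteid', row["id"], ECFG)
        countme(MODUL, 'daycounter', -2, ECFG)

        if ECFG["a.verbose"] is True:
            verbosemode(MODUL, DATA, REQUEST, ADATA)

    con.close()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)
        writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"), ECFG)

    return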
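# presumably the tail of the "Another Instance is running" branch of the
# lock check; the ("P1", "EXIT") flags are passed on to logme
logme(MODUL, "EWSrun finish.", ("P1", "EXIT"), ECFG)

# honeypot moduls this build knows about; each entry is both the ews.cfg
# section/key name and the name of the module-level function that runs it
moduls = ("glastopfv3", "glastopfv2", "kippo", "dionaea", "honeytrap", "rdpdetect", "emobility", "conpot", "cowrie")

while True:
    if ECFG["a.daycounter"] is True:
        daycounterreset(lock, ECFG)

    if ECFG["a.ewsonly"] is False:
        sender()

    # -m restricts the run to one modul; a name outside the tuple runs
    # nothing, exactly as the previous loop-with-break did
    selected = [i for i in moduls if i == ECFG["a.modul"]] if ECFG["a.modul"] else moduls

    for i in selected:
        if readonecfg(i.upper(), i, ECFG["cfgfile"]).lower() == "true":
            # look the function up by name instead of eval(i + '()'); the
            # names still come only from the fixed moduls tuple
            globals()[i]()

    if int(ECFG["a.loop"]) == 0:
        logme(MODUL, "EWSrun finish.", ("P1"), ECFG)
        break
    else:
        logme(MODUL, "Sleeping for %s seconds ...." % ECFG["a.loop"], ("P1"), ECFG)
        time.sleep(int(ECFG["a.loop"]))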
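def ecfg(name, version):
    """Parse the command line and ews.cfg and return the merged ECFG dict.

    Args:
        name: program name, used in the banner and in ``--version`` output.
        version: program version string, used the same way.

    Returns:
        dict holding the command-line flags (``a.*`` keys, ``sendlimit2``),
        the ``[MAIN]``, ``[EWS]``, ``[HPFEED]`` and ``[EWSJSON]`` sections of
        ews.cfg and the derived ``path``, ``path2``, ``cfgfile``, ``ip``,
        ``logfile`` and ``proxy`` keys. Fatal configuration problems are
        passed to ``logme`` with the ``("P1", "EXIT")`` flags rather than
        raised; whether that terminates the process is decided inside
        ``logme`` (not shown here).

    Config values are compared against the literal strings ``"NULL"`` and
    ``"UNKNOW"``, so ``readcfg``/``readonecfg`` presumably return those for
    missing items (TODO confirm).
    """
    MODUL = "EINIT"
    ECFG = {}

    # the -m choices double as the list of moduls this poster knows about
    modul_choices = [
        'glastopfv3', 'glastopfv2', 'kippo', 'dionaea', 'honeytrap',
        'rdpdetect', 'emobility', 'conpot', 'cowrie', 'elasticpot',
        'suricata', 'rdpy', 'mailoney', 'vnclowpot', 'heralding',
        'ciscoasa', 'tanner', 'glutton'
    ]

    parser = argparse.ArgumentParser()
    parser.add_argument("-c", "--configpath", help="Load configuration file from Path")
    parser.add_argument("-v", "--verbose", help="set output verbosity", action="store_true")
    parser.add_argument("-d", "--debug", help="set output debug", action="store_true")
    parser.add_argument("-l", "--loop", help="Go in endless loop. Set {xx} for seconds to wait for next loop", type=int, default=0, action="store")
    parser.add_argument("-m", "--modul", help="only send alerts for this modul", choices=modul_choices, action="store")
    parser.add_argument("-s", "--silent", help="silent mode without output", action="store_true")
    parser.add_argument("-i", "--ignorecert", help="ignore certificate warnings", action="store_true")
    parser.add_argument("-S", "--sendonly", help="only send unsend alerts", action="store_true")
    parser.add_argument("-E", "--ewsonly", help="only generate ews alerts files", action="store_true")
    parser.add_argument("-dcr", "--daycounter", help="reset and log daycounters for all honeypots", action="store_true")
    parser.add_argument("-j", "--jsonpath", help="Write JSON output file to path")
    parser.add_argument("-L", "--sendlimit", help="Set {xxx} for max alerts will send in one session", type=int, action="store")
    parser.add_argument("-V", "--version", help="show the EWS Poster Version", action="version", version=name + " " + version)
    args = parser.parse_args()

    # command line flags; a sendlimit or loop of 0 counts as "not given"
    ECFG["sendlimit2"] = args.sendlimit if args.sendlimit else ""
    ECFG["a.loop"] = args.loop if args.loop else 0
    ECFG["a.verbose"] = bool(args.verbose)
    ECFG["a.debug"] = bool(args.debug)
    ECFG["a.ignorecert"] = bool(args.ignorecert)
    ECFG["a.silent"] = bool(args.silent)
    ECFG["a.daycounter"] = bool(args.daycounter)
    ECFG["a.sendonly"] = bool(args.sendonly)
    ECFG["a.ewsonly"] = bool(args.ewsonly)

    ECFG["path2"] = args.configpath if args.configpath else ""
    if args.configpath and os.path.isdir(args.configpath) is not True:
        logme(MODUL, "ConfigPath %s did not exist. Abort !" % (args.configpath), ("P1", "EXIT"), ECFG)

    ECFG["a.modul"] = args.modul if args.modul and args.modul in modul_choices else ""

    ECFG["a.jsondir"] = args.jsonpath if args.jsonpath else ""
    if args.jsonpath and os.path.isdir(args.jsonpath) is not True:
        logme(MODUL, "JsonPath %s did not exist. Abort !" % (args.jsonpath), ("P1", "EXIT"), ECFG)

    # say hello
    logme(MODUL, name + " " + version + " (c) by Markus Schroer <*****@*****.**>\n", ("P0"), ECFG)

    # read EWSPoster Main Path
    ECFG["path"] = os.path.dirname(os.path.abspath(__file__)).replace("/moduls", "")

    if ECFG["path2"] == "":
        ECFG["path2"] = ECFG["path"]

    cfgfile = ECFG["path2"] + os.sep + "ews.cfg"
    if os.path.isfile(cfgfile) is False:
        logme(MODUL, "Missing EWS Config %s. Abort !" % (cfgfile), ("P1", "EXIT"), ECFG)
    else:
        ECFG["cfgfile"] = cfgfile

    # Create IDX File if not exist
    idxfile = ECFG["path"] + os.sep + "ews.idx"
    if os.path.isfile(idxfile) is False:
        # close the descriptor os.open hands back (it used to leak) and give
        # the counter file an explicit mode instead of os.open's 0o777 default
        os.close(os.open(idxfile, os.O_RDWR | os.O_CREAT, 0o644))
        logme(MODUL, "Create ews.idx counterfile", ("P1"), ECFG)

    # Read Main Config Parameter
    ITEMS = ("homedir", "spooldir", "logdir", "contact", "del_malware_after_send", "send_malware", "sendlimit")
    MCFG = readcfg("MAIN", ITEMS, ECFG["cfgfile"])

    # IP Handling: try to determine the external IP
    MCFG["ip"] = getOwnExternalIP(ECFG)

    if not MCFG["ip"]:
        logme(MODUL, "External IP address cannot be determined. Set external IP in ews.cfg, ews.ip or env variable MY_EXTIP or allow external api request.. Abort !", ("P1", "EXIT"), ECFG)

    logme(MODUL, "Using external IP address " + str(MCFG["ip"]), ("P1", "Log"), ECFG)

    # sendlimit expect: -L overrides ews.cfg
    if ECFG["sendlimit2"] != "":
        MCFG["sendlimit"] = ECFG["sendlimit2"]

    # the placeholder check has to run first: int("NULL") raised ValueError
    # before the original third branch could ever be reached
    if MCFG["sendlimit"] == "NULL" or str(MCFG["sendlimit"]) == "UNKNOW":
        logme(MODUL, "Error Sendlimit " + str(MCFG["sendlimit"]) + " Must set between 1 and 500. ", ("P1", "EXIT"), ECFG)
    elif int(MCFG["sendlimit"]) > 500:
        logme(MODUL, "Error Sendlimit " + str(MCFG["sendlimit"]) + " to high. Max 500 ! ", ("P1", "EXIT"), ECFG)
    elif int(MCFG["sendlimit"]) < 1:
        logme(MODUL, "Error Sendlimit " + str(MCFG["sendlimit"]) + " to low. Min 1 ! ", ("P1", "EXIT"), ECFG)

    # send_malware ? / del_malware_after_send ? -- config strings to bools
    MCFG["send_malware"] = MCFG["send_malware"].lower() == "true"
    MCFG["del_malware_after_send"] = MCFG["del_malware_after_send"].lower() == "true"

    # home dir available ?
    if os.path.isdir(MCFG["homedir"]) is not True:
        logme(MODUL, "Error missing homedir " + MCFG["homedir"] + " Abort !", ("P1", "EXIT"), ECFG)
    else:
        os.chdir(MCFG["homedir"])

    # spool dir available ?
    if os.path.isdir(MCFG["spooldir"]) is not True:
        logme(MODUL, "Error missing spooldir " + MCFG["spooldir"] + " Abort !", ("P1", "EXIT"), ECFG)

    # log dir available ?
    MCFG["logdir"] = readonecfg("MAIN", "logdir", ECFG["cfgfile"])
    logdir_configured = MCFG["logdir"] != "NULL" and MCFG["logdir"] != "FALSE"

    if logdir_configured and os.path.isdir(MCFG["logdir"]) is True:
        MCFG["logfile"] = MCFG["logdir"] + os.sep + "ews.log"
    elif logdir_configured:
        # configured but not present; the old elif repeated the first
        # condition, so this abort could never fire
        logme(MODUL, "Error missing logdir " + MCFG["logdir"] + " Abort !", ("P1", "EXIT"), ECFG)
    else:
        MCFG["logfile"] = "/var/log" + os.sep + "ews.log"

    # Proxy Settings ?
    MCFG["proxy"] = readonecfg(MODUL, "proxy", ECFG["cfgfile"])

    # Read EWS Config Parameter
    ITEMS = ("ews", "username", "token", "rhost_first", "rhost_second")
    EWSCFG = readcfg("EWS", ITEMS, ECFG["cfgfile"])

    # Set ews real true or false
    EWSCFG["ews"] = EWSCFG["ews"].lower() == "true"

    # ignore cert validation if ignorecert-parameter is set; ews.cfg can only
    # switch verification off, it never re-enables it over a -i on the command line
    EWSCFGCERT = readonecfg("EWS", "ignorecert", ECFG["cfgfile"])
    if EWSCFGCERT.lower() == "true":
        ECFG["a.ignorecert"] = True

    # Read HPFEED Config Parameter
    ITEMS = ("hpfeed", "host", "port", "channels", "ident", "secret")
    HCFG = readcfg("HPFEED", ITEMS, ECFG["cfgfile"])
    HCFG["hpfeed"] = HCFG["hpfeed"].lower() == "true"

    # Read EWSJSON Config Parameter
    ITEMS = ("json", "jsondir")
    EWSJSON = readcfg("EWSJSON", ITEMS, ECFG["cfgfile"])

    if EWSJSON["json"].lower() == "true":
        EWSJSON["json"] = True
        if os.path.isdir(EWSJSON["jsondir"]) is True:
            EWSJSON["jsondir"] = EWSJSON["jsondir"] + os.sep + "ews.json"
        else:
            logme(MODUL, "Error missing jsondir " + EWSJSON["jsondir"] + " Abort !", ("P1", "EXIT"), ECFG)
    else:
        EWSJSON["json"] = False

    # -j on the command line overrides the config file
    if ECFG["a.jsondir"] != "" and os.path.isdir(ECFG["a.jsondir"]) is True:
        EWSJSON["json"] = True
        EWSJSON["jsondir"] = ECFG["a.jsondir"] + os.sep + "ews.json"

    # the merged dict also carries the EWS token and the hpfeed secret and is
    # handed to every modul and to logme; keep it out of anything that dumps
    # it verbatim
    ECFG.update(MCFG)
    ECFG.update(EWSCFG)
    ECFG.update(HCFG)
    ECFG.update(EWSJSON)

    return ECFG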
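def ecfg(name, version):
    """Parse the command line and ews.cfg and return the merged ECFG dict.

    Args:
        name: program name, used in the banner and in ``--version`` output.
        version: program version string, used the same way.

    Returns:
        dict holding the command-line flags (``a.*`` keys), the ``[MAIN]``,
        ``[EWS]``, ``[HPFEED]`` and ``[EWSJSON]`` sections of ews.cfg and the
        derived ``path``, ``path2``, ``cfgfile``, ``ip``, ``logfile`` and
        ``proxy`` keys. Fatal configuration problems are passed to ``logme``
        with the ``("P1", "EXIT")`` flags rather than raised; whether that
        terminates the process is decided inside ``logme`` (not shown here).

    Config values are compared against the literal strings ``"NULL"``,
    ``"FALSE"`` and ``"UNKNOW"``, so ``readcfg``/``readonecfg`` presumably
    return those for missing items (TODO confirm).
    """
    MODUL = "EINIT"
    ECFG = {}

    parser = argparse.ArgumentParser()
    parser.add_argument("-c", "--configpath", help="Load configuration file from Path")
    parser.add_argument("-v", "--verbose", help="set output verbosity", action="store_true")
    parser.add_argument("-d", "--debug", help="set output debug", action="store_true")
    parser.add_argument("-s", "--silent", help="silent mode without output", action="store_true")
    parser.add_argument("-S", "--sendonly", help="only send unsend alerts", action="store_true")
    parser.add_argument("-E", "--ewsonly", help="only generate ews alerts files", action="store_true")
    parser.add_argument("-dcr", "--daycounter", help="reset and log daycounters for all honeypots", action="store_true")
    parser.add_argument("-V", "--version", help="show the EWS Poster Version", action="version", version=name + " " + version)
    args = parser.parse_args()

    # store_true flags are already bools; keep the a.* key naming
    ECFG["a.verbose"] = bool(args.verbose)
    ECFG["a.debug"] = bool(args.debug)
    ECFG["a.silent"] = bool(args.silent)
    ECFG["a.daycounter"] = bool(args.daycounter)
    ECFG["a.sendonly"] = bool(args.sendonly)
    ECFG["a.ewsonly"] = bool(args.ewsonly)

    ECFG["path2"] = args.configpath if args.configpath else ""
    if args.configpath and os.path.isdir(args.configpath) is not True:
        logme(MODUL, "ConfigPath %s did not exist. Abort !" % (args.configpath), ("P1", "EXIT"), ECFG)

    # say hello
    logme(MODUL, name + " " + version + " (c) by Markus Schroer <*****@*****.**>\n", ("P0"), ECFG)

    # read EWSPoster Main Path
    ECFG["path"] = os.path.dirname(os.path.abspath(__file__)).replace("/moduls", "")

    if ECFG["path2"] == "":
        ECFG["path2"] = ECFG["path"]

    cfgfile = ECFG["path2"] + os.sep + "ews.cfg"
    if os.path.isfile(cfgfile) is False:
        logme(MODUL, "Missing EWS Config %s. Abort !" % (cfgfile), ("P1", "EXIT"), ECFG)
    else:
        ECFG["cfgfile"] = cfgfile

    # Create IDX File if not exist
    idxfile = ECFG["path"] + os.sep + "ews.idx"
    if os.path.isfile(idxfile) is False:
        # close the descriptor os.open hands back (it used to leak) and give
        # the counter file an explicit mode instead of os.open's 0o777 default
        os.close(os.open(idxfile, os.O_RDWR | os.O_CREAT, 0o644))
        logme(MODUL, "Create ews.idx counterfile", ("P1"), ECFG)

    # Read Main Config Parameter
    ITEMS = ("homedir", "spooldir", "logdir", "contact", "del_malware_after_send", "send_malware", "sendlimit")
    MCFG = readcfg("MAIN", ITEMS, ECFG["cfgfile"])

    # IP Handling: ews.cfg first, an ews.ip file next to it wins when present
    ewsip = ECFG["path2"] + os.sep + "ews.ip"
    MCFG["ip"] = readonecfg("MAIN", "ip", ECFG["cfgfile"])

    if os.path.isfile(ewsip) is True:
        MCFG["ip"] = readonecfg("MAIN", "ip", ewsip)
        if MCFG["ip"].lower() == "null":
            logme(MODUL, "Error IP Address in File " + ewsip + " not set. Abort !", ("P1", "EXIT"), ECFG)

    if MCFG["ip"].lower() in ("null", "false"):
        logme(MODUL, "Error IP Address in ews.cfg not set or null. Abort !", ("P1", "EXIT"), ECFG)

    # sendlimit expect; the placeholder check has to run first: int("NULL")
    # raised ValueError before the original third branch could ever be reached
    if MCFG["sendlimit"] == "NULL" or MCFG["sendlimit"] == "UNKNOW":
        logme(MODUL, "Error Sendlimit " + MCFG["sendlimit"] + " Must set between 1 and 400. ", ("P1", "EXIT"), ECFG)
    elif int(MCFG["sendlimit"]) > 400:
        logme(MODUL, "Error Sendlimit " + MCFG["sendlimit"] + " to high. Max 400 ! ", ("P1", "EXIT"), ECFG)
    elif int(MCFG["sendlimit"]) < 1:
        logme(MODUL, "Error Sendlimit " + MCFG["sendlimit"] + " to low. Min 1 ! ", ("P1", "EXIT"), ECFG)

    # send_malware ? / del_malware_after_send ? -- config strings to bools
    MCFG["send_malware"] = MCFG["send_malware"].lower() == "true"
    MCFG["del_malware_after_send"] = MCFG["del_malware_after_send"].lower() == "true"

    # home dir available ?
    if os.path.isdir(MCFG["homedir"]) is not True:
        logme(MODUL, "Error missing homedir " + MCFG["homedir"] + " Abort !", ("P1", "EXIT"), ECFG)
    else:
        os.chdir(MCFG["homedir"])

    # spool dir available ?
    if os.path.isdir(MCFG["spooldir"]) is not True:
        logme(MODUL, "Error missing spooldir " + MCFG["spooldir"] + " Abort !", ("P1", "EXIT"), ECFG)

    # log dir available ?
    MCFG["logdir"] = readonecfg("MAIN", "logdir", ECFG["cfgfile"])
    logdir_configured = MCFG["logdir"] != "NULL" and MCFG["logdir"] != "FALSE"

    if logdir_configured and os.path.isdir(MCFG["logdir"]) is True:
        MCFG["logfile"] = MCFG["logdir"] + os.sep + "ews.log"
    elif logdir_configured:
        # configured but not present; the old elif repeated the first
        # condition, so this abort could never fire
        logme(MODUL, "Error missing logdir " + MCFG["logdir"] + " Abort !", ("P1", "EXIT"), ECFG)
    else:
        MCFG["logfile"] = "/var/log" + os.sep + "ews.log"

    # Proxy Settings ?
    MCFG["proxy"] = readonecfg(MODUL, "proxy", ECFG["cfgfile"])

    # Read EWS Config Parameter
    ITEMS = ("ews", "username", "token", "rhost_first", "rhost_second")
    EWSCFG = readcfg("EWS", ITEMS, ECFG["cfgfile"])

    # Set ews real true or false
    EWSCFG["ews"] = EWSCFG["ews"].lower() == "true"

    # Read HPFEED Config Parameter
    ITEMS = ("hpfeed", "host", "port", "channels", "ident", "secret")
    HCFG = readcfg("HPFEED", ITEMS, ECFG["cfgfile"])
    HCFG["hpfeed"] = HCFG["hpfeed"].lower() == "true"

    # Read EWSJSON Config Parameter; jsondir is required even when json is off
    ITEMS = ("json", "jsondir")
    EWSJSON = readcfg("EWSJSON", ITEMS, ECFG["cfgfile"])
    EWSJSON["json"] = EWSJSON["json"].lower() == "true"

    if EWSJSON["jsondir"] != "NULL" and EWSJSON["jsondir"] != "FALSE" and os.path.isdir(EWSJSON["jsondir"]) is True:
        EWSJSON["jsondir"] = EWSJSON["jsondir"] + os.sep + "ews.json"
    else:
        logme(MODUL, "Error missing jsondir " + EWSJSON["jsondir"] + " Abort !", ("P1", "EXIT"), ECFG)

    # the merged dict also carries the EWS token and the hpfeed secret and is
    # handed to every modul and to logme; keep it out of anything that dumps
    # it verbatim
    ECFG.update(MCFG)
    ECFG.update(EWSCFG)
    ECFG.update(HCFG)
    ECFG.update(EWSJSON)

    return ECFG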
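def glastopfv3():
    """Run the Glastopf v3 modul: read new rows from its sqlite db and send them.

    Reads the ``[GLASTOPFV3]`` config items, opens ``sqlitedb``, selects the
    ``events`` rows whose id lies in the window ``calcminmax`` derives from
    the stored ``sqliteid`` counter and ``max(id)``, builds one EWS alert
    (``buildews``) and one JSON record (``buildjson``) per row, advances the
    ``sqliteid`` and ``daycounter`` counters and finally calls ``sendews`` /
    ``writejson`` when at least one ``Alert`` was built. Returns nothing.
    A missing database file or an empty ``events`` table is logged and the
    function returns early.

    Every field taken from a row (``request_url``, ``request_raw``,
    ``request_body``, the ``Host`` header) was recorded from whoever hit the
    honeypot and is untrusted; it is only encoded here (quote / base64),
    never interpreted.
    """
    MODUL = "GLASTOPFV3"
    logme(MODUL, "Starting Glastopf V3.x Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("glastopfv3", "nodeid", "sqlitedb", "malwaredir")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])

    if HONEYPOT["ip"].lower() in ("false", "null"):
        HONEYPOT["ip"] = ECFG["ip"]

    # Malwaredir is deliberately not checked here: Glastopf only creates the
    # RFI directory when the first RFI was downloaded.

    # is sqlitedb exist ?
    if os.path.isfile(HONEYPOT["sqlitedb"]) is False:
        logme(MODUL, "[ERROR] Missing sqlitedb file " + HONEYPOT["sqlitedb"] + ". Abort !", ("P3", "LOG"), ECFG)
        return

    # open database (30 s busy timeout, rows addressable by column name)
    con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
    con.row_factory = sqlite3.Row
    c = con.cursor()

    # calculate send limit
    c.execute("SELECT max(id) from events")
    maxid = c.fetchone()["max(id)"]

    if maxid is None:
        logme(MODUL, "[ERROR] No entry's in Glastopf Database. Abort!", ("P2", "LOG"), ECFG)
        # the connection used to stay open on this early return
        con.close()
        return

    imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)), int(maxid), ECFG)

    # read alerts from database; ids are bound parameters, never interpolated
    c.execute("SELECT * from events where id > ? and id <= ?;", (imin, imax))
    rows = c.fetchall()

    # counter inits
    x = 0
    y = 1
    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = []

    for row in rows:
        x, y = viewcounter(MODUL, x, y)
        columns = row.keys()

        # filter empty requests and nagios checks
        if row["request_url"] == os.sep or row["request_url"] == "/index.do?hash=DEADBEEF&activate=1":
            countme(MODUL, 'sqliteid', row["id"], ECFG)
            continue

        # Prepair and collect Alert Data; "source" carries an ip:port pair,
        # the port part is stripped
        source_ip = re.sub(":.*$", "", row["source"])
        DATA = {
            "aid": HONEYPOT["nodeid"],
            "timestamp": row["time"],
            "sadr": source_ip,
            "sipv": "ipv" + ip4or6(source_ip),
            "sprot": "tcp",
            "sport": "",
            "tipv": "ipv" + ip4or6(HONEYPOT["ip"]),
            "tadr": HONEYPOT["ip"],
            "tprot": "tcp",
            "tport": "80",
        }

        REQUEST = {
            "description": "WebHoneypot : Glastopf v3.1",
            "url": urllib.quote(row["request_url"])
        }

        if "request_raw" in columns and len(row["request_raw"]) > 0:
            REQUEST["raw"] = base64.encodestring(row["request_raw"])

        if "filename" in columns and row["filename"] is not None:
            error, malwarefile = malware(HONEYPOT["malwaredir"], row["filename"], ECFG["del_malware_after_send"])
            if error == 0:
                REQUEST["binary"] = malwarefile
            else:
                logme(MODUL, "Mission Malwarefile %s" % row["filename"], ("P1", "LOG"), ECFG)

        # Collect additional Data
        ADATA = {"sqliteid": row["id"]}

        if "request_method" in columns:
            ADATA["httpmethod"] = row["request_method"]

        if "request_raw" in columns:
            m = re.search(r'Host: (\b.+\b)', row["request_raw"], re.M)
            if m:
                ADATA["host"] = str(m.group(1))

        if "request_header" in columns:
            # the parsed header wins over the regex match above
            headers = json.loads(row["request_header"])
            if 'Host' in headers:
                ADATA["host"] = str(headers["Host"])

        if "request_body" in columns and len(row["request_body"]) > 0:
            ADATA["requestbody"] = row["request_body"]

        esm = buildews(esm, DATA, REQUEST, ADATA)
        jesm = buildjson(jesm, DATA, REQUEST, ADATA)

        countme(MODUL, 'sqliteid', row["id"], ECFG)
        countme(MODUL, 'daycounter', -2, ECFG)

        if ECFG["a.verbose"] is True:
            verbosemode(MODUL, DATA, REQUEST, ADATA)

    con.close()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)
        writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"), ECFG)

    return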
lock = locksocket(name) if lock is True: logme(MODUL,"Create lock socket successfull.",("P1"),ECFG) else: logme(MODUL,"Another Instance is running !",("P1"),ECFG) logme(MODUL,"EWSrun finish.",("P1","EXIT"),ECFG) if ECFG["a.daycounter"] is True: daycounterreset(lock,ECFG) if ECFG["a.ewsonly"] is False: sender() if readonecfg("GLASTOPFV3","glastopfv3",ECFG["cfgfile"]).lower() == "true": glastopfv3() if readonecfg("GLASTOPFV2","glastopfv2",ECFG["cfgfile"]).lower() == "true": glastopfv2() if readonecfg("KIPPO","kippo",ECFG["cfgfile"]).lower() == "true": kippo() if readonecfg("DIONAEA","dionaea",ECFG["cfgfile"]).lower() == "true": dionaea() if readonecfg("HONEYTRAP","honeytrap",ECFG["cfgfile"]).lower() == "true": honeytrap() if readonecfg("RDPDETECT","rdpdetect",ECFG["cfgfile"]).lower() == "true":
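# presumably the tail of the "Another Instance is running" branch of the
# lock check; the ("P1", "EXIT") flags are passed on to logme
logme(MODUL, "EWSrun finish.", ("P1", "EXIT"), ECFG)

# honeypot moduls this build knows about; each entry is both the ews.cfg
# section/key name and the name of the module-level function that runs it
moduls = ("glastopfv3", "glastopfv2", "kippo", "dionaea", "honeytrap", "rdpdetect", "emobility")

while True:
    if ECFG["a.daycounter"] is True:
        daycounterreset(lock, ECFG)

    if ECFG["a.ewsonly"] is False:
        sender()

    # -m restricts the run to one modul; a name outside the tuple runs
    # nothing, exactly as the previous loop-with-break did
    selected = [i for i in moduls if i == ECFG["a.modul"]] if ECFG["a.modul"] else moduls

    for i in selected:
        if readonecfg(i.upper(), i, ECFG["cfgfile"]).lower() == "true":
            # look the function up by name instead of eval(i + '()'); the
            # names still come only from the fixed moduls tuple
            globals()[i]()

    if int(ECFG["a.loop"]) == 0:
        logme(MODUL, "EWSrun finish.", ("P1"), ECFG)
        break
    else:
        logme(MODUL, "Sleeping for %s seconds ...." % ECFG["a.loop"], ("P1"), ECFG)
        time.sleep(int(ECFG["a.loop"]))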