def dionaea():
MODUL = "DIONAEA"
logme(MODUL, "Starting Dionaea Modul.", ("P1"), ECFG)
# collect honeypot config dic
ITEMS = ("dionaea", "nodeid", "sqlitedb", "malwaredir")
HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
# Malwaredir exist ?
if os.path.isdir(HONEYPOT["malwaredir"]) is False:
logme(
MODUL, "[ERROR] Missing Malware Dir " + HONEYPOT["malwaredir"] +
". Abort !", ("P3", "LOG"), ECFG)
# is sqlitedb exist ?
if os.path.isfile(HONEYPOT["sqlitedb"]) is False:
logme(
MODUL, "[ERROR] Missing sqlitedb file " + HONEYPOT["sqlitedb"] +
". Abort !", ("P3", "LOG"), ECFG)
return
# open database
con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
con.row_factory = sqlite3.Row
c = con.cursor()
# calculate send limit
c.execute("SELECT max(connection) from connections;")
maxid = c.fetchone()["max(connection)"]
if maxid is None:
logme(MODUL, "[INFO] No entry's in Dionaea Database. Skip !",
("P2", "LOG"), ECFG)
return
imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)),
int(maxid), ECFG)
# read alerts from database
c.execute(
"SELECT * from connections where connection > ? and connection <= ?;",
(
imin,
imax,
))
rows = c.fetchall()
# counter inits
x = 0
y = 1
esm = ewsauth(ECFG["username"], ECFG["token"])
jesm = ""
for row in rows:
x, y = viewcounter(MODUL, x, y)
# filter empty remote_host
if row["remote_host"] == "":
countme(MODUL, 'sqliteid', row["connection"], ECFG)
continue
# Prepair and collect Alert Data
DATA = {
"aid":
HONEYPOT["nodeid"],
"timestamp":
datetime.fromtimestamp(int(
row["connection_timestamp"])).strftime('%Y-%m-%d %H:%M:%S'),
"sadr":
str(row["remote_host"]),
"sipv":
"ipv" + ip4or6(str(row["remote_host"])),
"sprot":
str(row["connection_type"]),
"sport":
str(row["remote_port"]),
"tipv":
"ipv" + ip4or6(str(row["local_host"])),
"tadr":
str(row["local_host"]),
"tprot":
str(row["connection_type"]),
"tport":
str(row["local_port"]),
}
REQUEST = {
"description": "Network Honeyport Dionaea v0.1.0",
}
# Check for malware bin's
c.execute(
"SELECT download_md5_hash from downloads where connection = ?;",
(str(row["connection"]), ))
check = c.fetchone()
if check is not None:
error, malwarefile = malware(HONEYPOT["malwaredir"], check[0],
ECFG["del_malware_after_send"])
if error == 0:
REQUEST["binary"] = malwarefile
else:
logme(MODUL, "Mission Malwarefile %s" % check[0],
("P1", "LOG"), ECFG)
# Collect additional Data
ADATA = {
"sqliteid": str(row["connection"]),
}
# generate template and send
esm = buildews(esm, DATA, REQUEST, ADATA)
jesm = buildjson(jesm, DATA, REQUEST, ADATA)
countme(MODUL, 'sqliteid', row["connection"], ECFG)
countme(MODUL, 'daycounter', -2, ECFG)
if ECFG["a.verbose"] is True:
verbosemode(MODUL, DATA, REQUEST, ADATA)
con.close()
if int(esm.xpath('count(//Alert)')) > 0:
sendews(esm)
writejson(jesm)
if y > 1:
logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"),
ECFG)
return
def rdpdetect():
MODUL = "RDPDETECT"
logme(MODUL, "Starting RDPDetect Modul.", ("P1"), ECFG)
# collect honeypot config dic
ITEMS = ("rdpdetect", "nodeid", "iptableslog", "targetip")
HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
# iptables file exists ?
if os.path.isfile(HONEYPOT["iptableslog"]) is False:
logme(
MODUL, "[ERROR] Missing Iptables LogFile " +
HONEYPOT["iptableslog"] + ". Abort !", ("P3", "LOG"), ECFG)
# count limit
imin = int(countme(MODUL, 'fileline', -1, ECFG))
if int(ECFG["sendlimit"]) > 0:
logme(
MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) +
". Adapting to limit!", ("P1"), ECFG)
I = 0
x = 0
y = 1
esm = ewsauth(ECFG["username"], ECFG["token"])
jesm = ""
while True:
x, y = viewcounter(MODUL, x, y)
I += 1
if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
break
line = getline(HONEYPOT["iptableslog"], (imin + I)).rstrip()
if len(line) == 0:
break
else:
line = re.sub(r' ', r' ', re.sub(r'[\[\]\-\>]', r'', line))
if HONEYPOT["targetip"] == re.search('SRC=(.*?) ',
line).groups()[0]:
continue
# Prepair and collect Alert Data
DATA = {
"aid":
HONEYPOT["nodeid"],
"timestamp":
"%s-%s-%s %s:%s:%s" % (line[0:4], line[4:6], line[6:8],
line[9:11], line[12:14], line[15:17]),
"sadr":
re.search('SRC=(.*?) ', line).groups()[0],
"sipv":
"ipv" + ip4or6(re.search('SRC=(.*?) ', line).groups()[0]),
"sprot":
re.search('PROTO=(.*?) ', line).groups()[0].lower(),
"sport":
re.search('SPT=(.*?) ', line).groups()[0],
"tipv":
"ipv" + ip4or6(ECFG["ip"]),
"tadr":
ECFG["ip"],
"tprot":
re.search('PROTO=(.*?) ', line).groups()[0].lower(),
"tport":
re.search('DPT=(.*?) ', line).groups()[0],
}
REQUEST = {"description": "RDPDetect"}
# Collect additional Data
ADATA = {}
# generate template and send
esm = buildews(esm, DATA, REQUEST, ADATA)
jesm = buildjson(jesm, DATA, REQUEST, ADATA)
countme(MODUL, 'fileline', -2, ECFG)
countme(MODUL, 'daycounter', -2, ECFG)
if ECFG["a.verbose"] is True:
verbosemode(MODUL, DATA, REQUEST, ADATA)
# Cleaning linecache
clearcache()
if int(esm.xpath('count(//Alert)')) > 0:
sendews(esm)
writejson(jesm)
if y > 1:
logme(MODUL, "%s EWS alert records send ..." % (x + y - 2), ("P2"),
ECFG)
return
def glastopfv3():
MODUL = "GLASTOPFV3"
logme(MODUL, "Starting Glastopf V3.x Modul.", ("P1"), ECFG)
# collect honeypot config dic
ITEMS = ("glastopfv3", "nodeid", "sqlitedb", "malwaredir")
HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])
if HONEYPOT["ip"].lower() == "false" or HONEYPOT["ip"].lower() == "null":
HONEYPOT["ip"] = ECFG["ip"]
# Malwaredir exist ? Issue in Glastopf ! RFI Directory first create when the first RFI was downloaded
#if os.path.isdir(HONEYPOT["malwaredir"]) == False:
# logme(MODUL,"[ERROR] Missing Malware Dir " + HONEYPOT["malwaredir"] + ". Abort !",("P3","LOG"),ECFG)
# return
# is sqlitedb exist ?
if os.path.isfile(HONEYPOT["sqlitedb"]) is False:
logme(
MODUL, "[INFO] Missing sqlitedb file " + HONEYPOT["sqlitedb"] +
". Skip !", ("P3", "LOG"), ECFG)
return
# open database
con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
con.row_factory = sqlite3.Row
c = con.cursor()
# calculate send limit
c.execute("SELECT max(id) from events")
maxid = c.fetchone()["max(id)"]
if maxid is None:
logme(MODUL, "[INFO] No entry's in Glastopf Database. Skip !",
("P2", "LOG"), ECFG)
return
imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)),
int(maxid), ECFG)
# read alerts from database
c.execute("SELECT * from events where id > ? and id <= ?;", (imin, imax))
rows = c.fetchall()
# counter inits
x = 0
y = 1
esm = ewsauth(ECFG["username"], ECFG["token"])
jesm = ""
for row in rows:
x, y = viewcounter(MODUL, x, y)
# filter empty requests and nagios checks
if row["request_url"] == os.sep or row[
"request_url"] == "/index.do?hash=DEADBEEF&activate=1":
countme(MODUL, 'sqliteid', row["id"], ECFG)
continue
# Prepair and collect Alert Data
DATA = {
"aid": HONEYPOT["nodeid"],
"timestamp": row["time"],
"sadr": re.sub(":.*$", "", row["source"]),
"sipv": "ipv" + ip4or6(re.sub(":.*$", "", row["source"])),
"sprot": "tcp",
"sport": "",
"tipv": "ipv" + ip4or6(HONEYPOT["ip"]),
"tadr": HONEYPOT["ip"],
"tprot": "tcp",
"tport": "80",
}
REQUEST = {
"description": "WebHoneypot : Glastopf v3.1",
"url": urllib.quote(row["request_url"].encode('ascii', 'ignore'))
}
if "request_raw" in row.keys() and len(row["request_raw"]) > 0:
REQUEST["raw"] = base64.encodestring(row["request_raw"].encode(
'ascii', 'ignore'))
if "filename" in row.keys() and row["filename"] != None:
error, malwarefile = malware(HONEYPOT["malwaredir"],
row["filename"],
ECFG["del_malware_after_send"])
if error == 0:
REQUEST["binary"] = malwarefile
else:
logme(MODUL, "Mission Malwarefile %s" % row["filename"],
("P1", "LOG"), ECFG)
# Collect additional Data
ADATA = {
"sqliteid": row["id"],
}
if "request_method" in row.keys():
ADATA["httpmethod"] = row["request_method"]
if "request_raw" in row.keys():
m = re.search(r'Host: (\b.+\b)', row["request_raw"], re.M)
if m:
ADATA["host"] = str(m.group(1))
if "request_header" in row.keys():
if 'Host' in json.loads(row["request_header"]):
ADATA["host"] = str(json.loads(row["request_header"])["Host"])
if "request_body" in row.keys():
if len(row["request_body"]) > 0:
ADATA["requestbody"] = row["request_body"]
esm = buildews(esm, DATA, REQUEST, ADATA)
if "request_body" in row.keys():
if len(row["request_body"]) > 0:
ADATA["requestbody"] = row["request_body"]
esm = buildews(esm, DATA, REQUEST, ADATA)
jesm = buildjson(jesm, DATA, REQUEST, ADATA)
countme(MODUL, 'sqliteid', row["id"], ECFG)
countme(MODUL, 'daycounter', -2, ECFG)
if ECFG["a.verbose"] is True:
verbosemode(MODUL, DATA, REQUEST, ADATA)
con.close()
if int(esm.xpath('count(//Alert)')) > 0:
sendews(esm)
writejson(jesm)
if y > 1:
logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"),
ECFG)
return
x, y = viewcounter(MODUL, x, y)
# filter nagios checks
if row["req"] == "/index.do?hash=DEADBEEF&activate=1":
countme(MODUL, 'mysqlid', row["id"], ECFG)
continue
# Prepair and collect Alert Data
DATA = {
"aid": HONEYPOT["nodeid"],
"timestamp": str(row["attime"]),
"sadr": row["ip"],
"sipv": "ipv" + ip4or6(row["ip"]),
"sprot": "tcp",
"sport": "",
"tipv": "ipv" + ip4or6(HONEYPOT["ip"]),
"tadr": HONEYPOT["ip"],
"tprot": "tcp",
"tport": "80",
}
REQUEST = {
"description": "Webhoneypot : Glastopf v2.x",
"url": urllib.quote(row["req"])
}
if row["filename"] != None:
error, malwarefile = malware(HONEYPOT["malwaredir"],
def honeytrap():
MODUL = "HONEYTRAP"
logme(MODUL, "Starting Honeytrap Modul.", ("P1"), ECFG)
# collect honeypot config dic
ITEMS = ("honeytrap", "nodeid", "attackerfile", "payloaddir", "newversion")
HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
# Attacking file exists ?
if os.path.isfile(HONEYPOT["attackerfile"]) is False:
logme(
MODUL, "[ERROR] Missing Attacker File " +
HONEYPOT["attackerfile"] + ". Abort !", ("P3", "LOG"), ECFG)
# Payloaddir exist ?
if os.path.isdir(HONEYPOT["payloaddir"]) is False:
logme(
MODUL, "[ERROR] Missing Payload Dir " + HONEYPOT["payloaddir"] +
". Abort !", ("P3", "LOG"), ECFG)
# New Version are use ?
if HONEYPOT["newversion"].lower() == "true" and not os.path.isdir(
HONEYPOT["payloaddir"]):
logme(
MODUL, "[ERROR] Missing Payload Directory " +
HONEYPOT["payloaddir"] + ". Abort !", ("P3", "LOG"), ECFG)
# Calc MD5sum for Payloadfiles
if HONEYPOT["newversion"].lower() == "true":
logme(MODUL, "Calculate MD5sum for Payload Files", ("P2"), ECFG)
for i in os.listdir(HONEYPOT["payloaddir"]):
if not "_md5_" in i:
filein = HONEYPOT["payloaddir"] + os.sep + i
os.rename(
filein, filein + "_md5_" +
hashlib.md5(open(filein, 'rb').read()).hexdigest())
# count limit
imin = int(countme(MODUL, 'fileline', -1, ECFG))
if int(ECFG["sendlimit"]) > 0:
logme(
MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) +
". Adapting to limit!", ("P1"), ECFG)
I = 0
x = 0
y = 1
esm = ewsauth(ECFG["username"], ECFG["token"])
jesm = ""
while True:
x, y = viewcounter(MODUL, x, y)
I += 1
if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
break
line = getline(HONEYPOT["attackerfile"], (imin + I)).rstrip()
if len(line) == 0:
break
else:
line = re.sub(r' ', r' ', re.sub(r'[\[\]\-\>]', r'', line))
if HONEYPOT["newversion"].lower() == "false":
date, time, _, source, dest, _ = line.split(" ", 5)
protocol = ""
md5 = ""
else:
date, time, _, protocol, source, dest, md5, _ = line.split(
" ", 7)
# Prepair and collect Alert Data
DATA = {
"aid":
HONEYPOT["nodeid"],
"timestamp":
"%s-%s-%s %s" % (date[0:4], date[4:6], date[6:8], time[0:8]),
"sadr":
re.sub(":.*$", "", source),
"sipv":
"ipv" + ip4or6(re.sub(":.*$", "", source)),
"sprot":
protocol,
"sport":
re.sub("^.*:", "", source),
"tipv":
"ipv" + ip4or6(re.sub(":.*$", "", dest)),
"tadr":
re.sub(":.*$", "", dest),
"tprot":
protocol,
"tport":
re.sub("^.*:", "", dest),
}
REQUEST = {"description": "NetworkHoneypot Honeytrap v1.1"}
# Search for Payload
if HONEYPOT["newversion"].lower() == "true":
sfile = "from_port_%s-%s_*_%s-%s-%s_md5_%s" % (re.sub(
"^.*:", "",
dest), protocol, date[0:4], date[4:6], date[6:8], md5)
for mfile in os.listdir(HONEYPOT["payloaddir"]):
if fnmatch.fnmatch(mfile, sfile):
error, payloadfile = malware(HONEYPOT["payloaddir"],
mfile, False)
if error == 0:
REQUEST["raw"] = payloadfile
else:
logme(MODUL,
"Mission Malwarefile %s" % row["filename"],
("P1", "LOG"), ECFG)
# Collect additional Data
ADATA = {}
# generate template and send
esm = buildews(esm, DATA, REQUEST, ADATA)
jesm = buildjson(jesm, DATA, REQUEST, ADATA)
countme(MODUL, 'fileline', -2, ECFG)
countme(MODUL, 'daycounter', -2, ECFG)
if ECFG["a.verbose"] is True:
verbosemode(MODUL, DATA, REQUEST, ADATA)
# Cleaning linecache
clearcache()
if int(esm.xpath('count(//Alert)')) > 0:
sendews(esm)
writejson(jesm)
if y > 1:
logme(MODUL, "%s EWS alert records send ..." % (x + y - 2), ("P2"),
ECFG)
return
def rdpdetect():
MODUL = "RDPDETECT"
logme(MODUL,"Starting RDPDetect Modul.",("P1"),ECFG)
# collect honeypot config dic
ITEMS = ("rdpdetect","nodeid","iptableslog","targetip")
HONEYPOT = readcfg(MODUL,ITEMS,ECFG["cfgfile"])
# iptables file exists ?
if os.path.isfile(HONEYPOT["iptableslog"]) is False:
logme(MODUL,"[ERROR] Missing Iptables LogFile " + HONEYPOT["iptableslog"] + ". Abort !",("P3","LOG"),ECFG)
# count limit
imin = int(countme(MODUL,'fileline',-1,ECFG))
if int(ECFG["sendlimit"]) > 0:
logme(MODUL,"Send Limit is set to : " + str(ECFG["sendlimit"]) + ". Adapting to limit!",("P1"),ECFG)
I = 0 ; x = 0 ; y = 1
esm = ewsauth(ECFG["username"],ECFG["token"])
jesm = [ ]
while True:
x,y = viewcounter(MODUL,x,y)
I += 1
if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
break
line = getline(HONEYPOT["iptableslog"],(imin + I)).rstrip()
if len(line) == 0:
break
else:
line = re.sub(r' ',r' ',re.sub(r'[\[\]\-\>]',r'',line))
if HONEYPOT["targetip"] == re.search('SRC=(.*?) ', line).groups()[0]:
continue
# Prepair and collect Alert Data
DATA = {
"aid" : HONEYPOT["nodeid"],
"timestamp" : "%s-%s-%s %s:%s:%s" % (line[0:4], line[4:6], line[6:8], line[9:11], line[12:14], line[15:17]),
"sadr" : re.search('SRC=(.*?) ', line).groups()[0],
"sipv" : "ipv" + ip4or6(re.search('SRC=(.*?) ', line).groups()[0]),
"sprot" : re.search('PROTO=(.*?) ', line).groups()[0].lower(),
"sport" : re.search('SPT=(.*?) ', line).groups()[0],
"tipv" : "ipv" + ip4or6(ECFG["ip"]),
"tadr" : ECFG["ip"],
"tprot" : re.search('PROTO=(.*?) ', line).groups()[0].lower(),
"tport" : re.search('DPT=(.*?) ', line).groups()[0],
}
REQUEST = {
"description" : "RDPDetect"
}
# Collect additional Data
ADATA = {
}
# generate template and send
esm = buildews(esm,DATA,REQUEST,ADATA)
jesm = buildjson(jesm,DATA,REQUEST,ADATA)
countme(MODUL,'fileline',-2,ECFG)
countme(MODUL,'daycounter', -2,ECFG)
if ECFG["a.verbose"] is True:
verbosemode(MODUL,DATA,REQUEST,ADATA)
if int(esm.xpath('count(//Alert)')) > 0:
sendews(esm)
writejson(jesm)
if y > 1:
logme(MODUL,"%s EWS alert records send ..." % (x+y-2),("P2"),ECFG)
return
def honeytrap():
MODUL = "HONEYTRAP"
logme(MODUL,"Starting Honeytrap Modul.",("P1"),ECFG)
# collect honeypot config dic
ITEMS = ("honeytrap","nodeid","attackerfile","payloaddir","newversion")
HONEYPOT = readcfg(MODUL,ITEMS,ECFG["cfgfile"])
# Attacking file exists ?
if os.path.isfile(HONEYPOT["attackerfile"]) is False:
logme(MODUL,"[ERROR] Missing Attacker File " + HONEYPOT["attackerfile"] + ". Abort !",("P3","LOG"),ECFG)
# Payloaddir exist ?
if os.path.isdir(HONEYPOT["payloaddir"]) is False:
logme(MODUL,"[ERROR] Missing Payload Dir " + HONEYPOT["payloaddir"] + ". Abort !",("P3","LOG"),ECFG)
# New Version are use ?
if HONEYPOT["newversion"].lower() == "true" and not os.path.isdir(HONEYPOT["payloaddir"]):
logme(MODUL,"[ERROR] Missing Payload Directory " + HONEYPOT["payloaddir"] + ". Abort !",("P3","LOG"),ECFG)
# Calc MD5sum for Payloadfiles
if HONEYPOT["newversion"].lower() == "true":
logme(MODUL,"Calculate MD5sum for Payload Files",("P2"),ECFG)
for i in os.listdir(HONEYPOT["payloaddir"]):
if not "_md5_" in i:
filein = HONEYPOT["payloaddir"] + os.sep + i
os.rename(filein,filein + "_md5_" + hashlib.md5(open(filein, 'rb').read()).hexdigest())
# count limit
imin = int(countme(MODUL,'fileline',-1,ECFG))
if int(ECFG["sendlimit"]) > 0:
logme(MODUL,"Send Limit is set to : " + str(ECFG["sendlimit"]) + ". Adapting to limit!",("P1"),ECFG)
I = 0 ; x = 0 ; y = 1
esm = ewsauth(ECFG["username"],ECFG["token"])
jesm = [ ]
while True:
x,y = viewcounter(MODUL,x,y)
I += 1
if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
break
line = getline(HONEYPOT["attackerfile"],(imin + I)).rstrip()
if len(line) == 0:
break
else:
line = re.sub(r' ',r' ',re.sub(r'[\[\]\-\>]',r'',line))
if HONEYPOT["newversion"].lower() == "false":
date , time , _ , source, dest, _ = line.split(" ",5)
protocol = "" ; md5 = ""
else:
date , time , _ , protocol, source, dest, md5, _ = line.split(" ",7)
# Prepair and collect Alert Data
DATA = {
"aid" : HONEYPOT["nodeid"],
"timestamp" : "%s-%s-%s %s" % (date[0:4], date[4:6], date[6:8], time[0:8]),
"sadr" : re.sub(":.*$","",source),
"sipv" : "ipv" + ip4or6(re.sub(":.*$","",source)),
"sprot" : protocol,
"sport" : re.sub("^.*:","",source),
"tipv" : "ipv" + ip4or6(re.sub(":.*$","",dest)),
"tadr" : re.sub(":.*$","",dest),
"tprot" : protocol,
"tport" : re.sub("^.*:","",dest),
}
REQUEST = {
"description" : "NetworkHoneypot Honeytrap vX.x"
}
# Search for Payload
if HONEYPOT["newversion"].lower() == "true":
sfile = "from_port_%s-%s_*_%s-%s-%s_md5_%s" % (re.sub("^.*:","",dest),protocol,date[0:4], date[4:6], date[6:8],md5)
for mfile in os.listdir(HONEYPOT["payloaddir"]):
if fnmatch.fnmatch(mfile, sfile):
error , payloadfile = malware(HONEYPOT["payloaddir"],mfile,False)
if error == 0:
REQUEST["raw"] = payloadfile
else:
logme(MODUL,"Mission Malwarefile %s" % row["filename"] ,("P1","LOG"),ECFG)
# Collect additional Data
ADATA = {
}
# generate template and send
esm = buildews(esm,DATA,REQUEST,ADATA)
jesm = buildjson(jesm,DATA,REQUEST,ADATA)
countme(MODUL,'fileline',-2,ECFG)
countme(MODUL,'daycounter', -2,ECFG)
if ECFG["a.verbose"] is True:
verbosemode(MODUL,DATA,REQUEST,ADATA)
if int(esm.xpath('count(//Alert)')) > 0:
sendews(esm)
writejson(jesm)
if y > 1:
logme(MODUL,"%s EWS alert records send ..." % (x+y-2),("P2"),ECFG)
return
def dionaea():
MODUL = "DIONAEA"
logme(MODUL,"Starting Dionaea Modul.",("P1"),ECFG)
# collect honeypot config dic
ITEMS = ("dionaea","nodeid","sqlitedb","malwaredir")
HONEYPOT = readcfg(MODUL,ITEMS,ECFG["cfgfile"])
# Malwaredir exist ?
if os.path.isdir(HONEYPOT["malwaredir"]) is False:
logme(MODUL,"[ERROR] Missing Malware Dir " + HONEYPOT["malwaredir"] + ". Abort !",("P3","LOG"),ECFG)
# is sqlitedb exist ?
if os.path.isfile(HONEYPOT["sqlitedb"]) is False:
logme(MODUL,"[ERROR] Missing sqlitedb file " + HONEYPOT["sqlitedb"] + ". Abort !",("P3","LOG"),ECFG)
return
# open database
con = sqlite3.connect(HONEYPOT["sqlitedb"],30)
con.row_factory = sqlite3.Row
c = con.cursor()
# calculate send limit
c.execute("SELECT max(connection) from connections;")
maxid = c.fetchone()["max(connection)"]
if maxid is None:
logme(MODUL,"[ERROR] No entry's in Dionaea Database. Abort!",("P2","LOG"),ECFG)
return
imin, imax = calcminmax(MODUL,int(countme(MODUL,'sqliteid',-1,ECFG)),int(maxid),ECFG)
# read alerts from database
c.execute("SELECT * from connections where connection > ? and connection <= ?;",(imin,imax,))
rows = c.fetchall()
# counter inits
x = 0 ; y = 1
esm = ewsauth(ECFG["username"],ECFG["token"])
jesm = [ ]
for row in rows:
x,y = viewcounter(MODUL,x,y)
# filter empty remote_host
if row["remote_host"] == "":
countme(MODUL,'sqliteid',row["connection"],ECFG)
continue
# Prepair and collect Alert Data
DATA = {
"aid" : HONEYPOT["nodeid"],
"timestamp" : datetime.fromtimestamp(int(row["connection_timestamp"])).strftime('%Y-%m-%d %H:%M:%S'),
"sadr" : str(row["remote_host"]),
"sipv" : "ipv" + ip4or6(str(row["remote_host"])),
"sprot" : str(row["connection_type"]),
"sport" : str(row["remote_port"]),
"tipv" : "ipv" + ip4or6(str(row["local_host"])),
"tadr" : str(row["local_host"]),
"tprot" : str(row["connection_type"]),
"tport" : str(row["local_port"]),
}
REQUEST = {
"description" : "Network Honeyport Dionaea vX.x",
}
# Check for malware bin's
c.execute("SELECT download_md5_hash from downloads where connection = ?;",(str(row["connection"]),))
check = c.fetchone()
if check is not None:
error,malwarefile = malware(HONEYPOT["malwaredir"],check[0],ECFG["del_malware_after_send"])
if error == 0:
REQUEST["binary"] = malwarefile
else:
logme(MODUL,"Mission Malwarefile %s" % row["filename"] ,("P1","LOG"),ECFG)
# Collect additional Data
ADATA = {
"sqliteid" : str(row["connection"]),
}
# generate template and send
esm = buildews(esm,DATA,REQUEST,ADATA)
jesm = buildjson(jesm,DATA,REQUEST,ADATA)
countme(MODUL,'sqliteid',row["connection"],ECFG)
countme(MODUL,'daycounter', -2,ECFG)
if ECFG["a.verbose"] is True:
verbosemode(MODUL,DATA,REQUEST,ADATA)
con.close()
if int(esm.xpath('count(//Alert)')) > 0:
sendews(esm)
writejson(jesm)
if y > 1:
logme(MODUL,"%s EWS alert records send ..." % (x+y-1),("P2"),ECFG)
return
def glastopfv3():
MODUL = "GLASTOPFV3"
logme(MODUL,"Starting Glastopf V3.x Modul.",("P1"),ECFG)
# collect honeypot config dic
ITEMS = ("glastopfv3","nodeid","sqlitedb","malwaredir")
HONEYPOT = readcfg(MODUL,ITEMS,ECFG["cfgfile"])
HONEYPOT["ip"] = readonecfg(MODUL,"ip", ECFG["cfgfile"])
if HONEYPOT["ip"].lower() == "false" or HONEYPOT["ip"].lower() == "null":
HONEYPOT["ip"] = ECFG["ip"]
# Malwaredir exist ? Issue in Glastopf ! RFI Directory first create when the first RFI was downloaded
#if os.path.isdir(HONEYPOT["malwaredir"]) == False:
# logme(MODUL,"[ERROR] Missing Malware Dir " + HONEYPOT["malwaredir"] + ". Abort !",("P3","LOG"),ECFG)
# return
# is sqlitedb exist ?
if os.path.isfile(HONEYPOT["sqlitedb"]) is False:
logme(MODUL,"[ERROR] Missing sqlitedb file " + HONEYPOT["sqlitedb"] + ". Abort !",("P3","LOG"),ECFG)
return
# open database
con = sqlite3.connect(HONEYPOT["sqlitedb"],30)
con.row_factory = sqlite3.Row
c = con.cursor()
# calculate send limit
c.execute("SELECT max(id) from events")
maxid = c.fetchone()["max(id)"]
if maxid is None:
logme(MODUL,"[ERROR] No entry's in Glastopf Database. Abort!",("P2","LOG"),ECFG)
return
imin, imax = calcminmax(MODUL,int(countme(MODUL,'sqliteid',-1,ECFG)),int(maxid),ECFG)
# read alerts from database
c.execute("SELECT * from events where id > ? and id <= ?;",(imin,imax))
rows = c.fetchall()
# counter inits
x = 0 ; y = 1
esm = ewsauth(ECFG["username"],ECFG["token"])
jesm = [ ]
for row in rows:
x,y = viewcounter(MODUL,x,y)
# filter empty requests and nagios checks
if row["request_url"] == os.sep or row["request_url"] == "/index.do?hash=DEADBEEF&activate=1":
countme(MODUL,'sqliteid',row["id"],ECFG)
continue
# Prepair and collect Alert Data
DATA = {
"aid" : HONEYPOT["nodeid"],
"timestamp" : row["time"],
"sadr" : re.sub(":.*$","",row["source"]),
"sipv" : "ipv" + ip4or6(re.sub(":.*$","",row["source"])),
"sprot" : "tcp",
"sport" : "",
"tipv" : "ipv" + ip4or6(HONEYPOT["ip"]),
"tadr" : HONEYPOT["ip"],
"tprot" : "tcp",
"tport" : "80",
}
REQUEST = {
"description" : "WebHoneypot : Glastopf v3.1",
"url" : urllib.quote(row["request_url"])
}
if "request_raw" in row.keys() and len(row["request_raw"]) > 0:
#REQUEST["raw"] = base64.standard_b64encode(row["request_raw"])
REQUEST["raw"] = base64.encodestring(row["request_raw"])
if "filename" in row.keys() and row["filename"] != None:
error,malwarefile = malware(HONEYPOT["malwaredir"],row["filename"],ECFG["del_malware_after_send"])
if error == 0:
REQUEST["binary"] = malwarefile
else:
logme(MODUL,"Mission Malwarefile %s" % row["filename"] ,("P1","LOG"),ECFG)
# Collect additional Data
ADATA = {
"sqliteid" : row ["id"],
}
if "request_method" in row.keys():
ADATA["httpmethod"] = row["request_method"]
if "request_raw" in row.keys():
m = re.search( r'Host: (\b.+\b)', row["request_raw"] , re.M)
if m:
ADATA["host"] = str(m.group(1))
if "request_header" in row.keys():
if 'Host' in json.loads(row["request_header"]):
ADATA["host"] = str(json.loads(row["request_header"])["Host"])
if "request_body" in row.keys():
if len(row["request_body"]) > 0:
ADATA["requestbody"] = row["request_body"]
esm = buildews(esm,DATA,REQUEST,ADATA)
jesm = buildjson(jesm,DATA,REQUEST,ADATA)
countme(MODUL,'sqliteid',row["id"],ECFG)
countme(MODUL,'daycounter', -2,ECFG)
if ECFG["a.verbose"] is True:
verbosemode(MODUL,DATA,REQUEST,ADATA)
con.close()
if int(esm.xpath('count(//Alert)')) > 0:
sendews(esm)
writejson(jesm)
if y > 1:
logme(MODUL,"%s EWS alert records send ..." % (x+y-1),("P2"),ECFG)
return
x,y = viewcounter(MODUL,x,y)
# filter nagios checks
if row["req"] == "/index.do?hash=DEADBEEF&activate=1":
countme(MODUL,'mysqlid',row["id"],ECFG)
continue
# Prepair and collect Alert Data
DATA = {
"aid" : HONEYPOT["nodeid"],
"timestamp" : str(row["attime"]),
"sadr" : row["ip"],
"sipv" : "ipv" + ip4or6(row["ip"]),
"sprot" : "tcp",
"sport" : "",
"tipv" : "ipv" + ip4or6(HONEYPOT["ip"]),
"tadr" : HONEYPOT["ip"],
"tprot" : "tcp",
"tport" : "80",
}
REQUEST = {
"description" : "Webhoneypot : Glastopf v2.x",
"url" : urllib.quote(row["req"])
}
if row["filename"] != None:
error,malwarefile = malware(HONEYPOT["malwaredir"],row["filename"],ECFG["del_malware_after_send"])
