def start(self): ihandler.__init__(self, self.path) self.submit_url = g_dionaea.config()['modules']['python']['jsonfeeds']['submit_url'] certificate = g_dionaea.config()['modules']['python']['jsonfeeds'].get('certificate', False) if certificate: self.cert = (certificate['cert'], certificate['key']) else: self.cert = False self.sensor = g_dionaea.config()['modules']['python']['jsonfeeds'].get('sensor', {}) # delete malware file after download -> True self.deleteFile = g_dionaea.config()['modules']['python']['jsonfeeds'].get('delete', False) == "True" self.verify = g_dionaea.config()['modules']['python']['jsonfeeds'].get('verify', False) == "True" self.externalIP = { "disable": g_dionaea.config()['modules']['python']['jsonfeeds']['externalIP'].get('disable', False) == "True", "cachetime": int(g_dionaea.config()['modules']['python']['jsonfeeds']['externalIP'].get('cachetime', 0)), "lastcheck": 0, "ip": g_dionaea.config()['modules']['python']['jsonfeeds']['externalIP'].get('ip', "") } # a cachetime of "0" implies to return self.externalIP["ip"] and to avoid updateExternalIP. So if the ip is set in the config we don't need to updateExternalIP if self.externalIP["ip"] != "": self.externalIP["cachetime"] = 0 #mapping socket -> attackid self.attacks = {} '''
def __init__(self): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, "*") offers = g_dionaea.config()['modules']['python']['fail2ban']['offers'] downloads = g_dionaea.config()['modules']['python']['fail2ban']['downloads'] self.offers = open(offers, "a") self.downloads = open(downloads, "a")
def __init__(self, path, config=None): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path) self.apikey = config.get("apikey") comment = config.get("comment") if comment is None: comment = "This sample was captured in the wild and uploaded by the dionaea honeypot.\n#honeypot #malware #networkworm" self.comment = comment self.cookies = {} self.loop = pyev.default_loop() self.backlog_timer = pyev.Timer(0, 20, self.loop, self.__handle_backlog_timeout) self.backlog_timer.start() p = config.get("file") self.dbh = sqlite3.connect(p) self.cursor = self.dbh.cursor() self.cursor.execute(""" CREATE TABLE IF NOT EXISTS backlogfiles ( backlogfile INTEGER PRIMARY KEY, status TEXT NOT NULL, -- new, submit, query, comment md5_hash TEXT NOT NULL, path TEXT NOT NULL, timestamp INTEGER NOT NULL, scan_id TEXT, lastcheck_time INTEGER, submit_time INTEGER );""")
def __init__(self, path, config=None): logger.debug('hpfeedhandler init') port = config.get("port") if port is None: port = self.default_port try: port = int(port) except (TypeError, ValueError): logger.warning("Unable to convert value '%s' for port to int" % port) port = self.default_port self.client = hpfeeds.client.new(config['server'], port, config['ident'], config['secret']) ihandler.__init__(self, path) self.tags = config['tags'] logger.debug('Set tags to: {}'.format(self.tags)) self.dynip_resolve = config.get('dynip_resolve', '') self.dynip_timer = None self.ownip = None if isinstance(self.dynip_resolve, str) and self.dynip_resolve.startswith("http"): if pyev is None: logger.debug( 'You are missing the python pyev binding in your dionaea installation.' ) else: logger.debug('hpfeedihandler will use dynamic IP resolving!') self.loop = pyev.default_loop() self.dynip_timer = pyev.Timer(2., 300, self.loop, self._dynip_resolve) self.dynip_timer.start()
def __init__(self, path, config=None): logger.debug("%s ready!", self.__class__.__name__) ihandler.__init__(self, path) self.path = path self._config = config self.db_session = None self.attacks = {} self.handlers = [] self.flat_data = config.get("flat_data", False) handlers = config.get("handlers") if not isinstance(handlers, list) or len(handlers) == 0: logger.warning("No handlers specified") # Set empty list on error handlers = [] for handler in handlers: url = urlparse(handler) for h in ( FileHandler, HTTPHandler, ): if url.scheme in h.handle_schemes: self.handlers.append(h(url=handler)) break
def __init__(self, path): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path) self.apikey = g_dionaea.config()['modules']['python'][ 'virustotal']['apikey'] self.cookies = {} self.loop = pyev.default_loop() self.backlog_timer = pyev.Timer( 0, 20, self.loop, self.__handle_backlog_timeout) self.backlog_timer.start() p = g_dionaea.config()['modules']['python']['virustotal']['file'] self.dbh = sqlite3.connect(p) self.cursor = self.dbh.cursor() self.cursor.execute(""" CREATE TABLE IF NOT EXISTS backlogfiles ( backlogfile INTEGER PRIMARY KEY, status TEXT NOT NULL, -- new, submit, query, comment md5_hash TEXT NOT NULL, path TEXT NOT NULL, timestamp INTEGER NOT NULL, scan_id TEXT, lastcheck_time INTEGER, submit_time INTEGER );""")
def __init__(self, config=None): logger.debug("nfqhandler") ihandler.__init__(self, 'dionaea.connection.tcp.pending') if config is None: config = {} config_throttle = config.get("throttle", {}) self.throttle_window = config_throttle.get("window", 30) self.window = [[0, 0] for x in range(self.throttle_window)] self.throttle_nfaction = config.get("nfaction", 0) config_throttle_limits = config_throttle.get("limits", {}) self.throttle_total = config_throttle_limits.get("total", 30) self.throttle_slot = config_throttle_limits.get("slot", 30) config_timeouts = config.get("timeouts", {}) config_timeouts_client = config_timeouts.get("client", {}) self.mirror_client_timeout_idle = config_timeouts_client.get( "idel", 10) self.mirror_client_timeout_sustain = config_timeouts_client.get( "sustain", 240) config_timeouts_server = config_timeouts.get("server", {}) self.mirror_server_timeout_listen = config_timeouts_server.get( "listen", 5)
def __init__(self, path): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path) self.apikey = g_dionaea.config( )['modules']['python']['virustotal']['apikey'] self.cookies = {} self.loop = pyev.default_loop() self.backlog_timer = pyev.Timer(0, 20, self.loop, self.__handle_backlog_timeout) self.backlog_timer.start() p = g_dionaea.config()['modules']['python']['virustotal']['file'] self.dbh = sqlite3.connect(p) self.cursor = self.dbh.cursor() self.cursor.execute(""" CREATE TABLE IF NOT EXISTS backlogfiles ( backlogfile INTEGER PRIMARY KEY, status TEXT NOT NULL, -- new, submit, query, comment md5_hash TEXT NOT NULL, path TEXT NOT NULL, timestamp INTEGER NOT NULL, scan_id TEXT, lastcheck_time INTEGER, submit_time INTEGER );""")
def __init__(self, path): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path) # mapping socket -> attackid self.attacks = {} self.dbh = None
def __init__(self, path): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path) # mapping socket -> attackid self.attacks = {} self.dbh = None
def __init__(self, config=None): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, "*") if config is None: config = {} offers = config.get("offers", "var/dionaea/offers.f2b") downloads = config.get("downloads", "var/dionaea/downloads.f2b") self.offers = open(offers, "a") self.downloads = open(downloads, "a")
def __init__(self, path, config=None): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path) self.backendurl = config.get("url") self.email = config.get("email") self.user = config.get("user", "") self.passwd = config.get("pass", "") self.cookies = {}
def start(self): ihandler.__init__(self, self.path) # mapping socket -> attackid engine = create_engine(self._config.get("url"), echo=False, convert_unicode=True) self.db_session = scoped_session( sessionmaker(autocommit=False, autoflush=False, bind=engine)) model.Base.query = self.db_session.query_property() model.Base.metadata.create_all(bind=engine)
def __init__(self, server, port, username, password, resource, muc, config): self.muc = muc self.config = config.copy() for e in self.config: self.config[e]['pcre'] = [] for p in self.config[e]['events']: self.config[e]['pcre'].append(re.compile(p)) self.resource = resource self.username = username.split('@')[0] self.client = xmppclient(server=server, port=port, username=username, password=password, resource=resource, muc=muc, channels=list(self.config.keys())) ihandler.__init__(self, '*')
def __init__(self, path, config=None): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path) self.bucket_name = config.get("bucket_name") self.region_name = config.get("region_name") self.access_key_id = config.get("access_key_id") self.secret_access_key = config.get("secret_access_key") self.endpoint_url = config.get("endpoint_url") self.verify = config.get("verify") self.s3_dest_folder = config.get("s3_dest_folder") self.s3 = ''
def __init__(self, path, config=None): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path) dionaea_config = g_dionaea.config().get("dionaea") self.download_dir = dionaea_config.get("download.dir") if self.download_dir is None: raise LoaderError("Setting download.dir not configured") else: if not os.path.isdir(self.download_dir): raise LoaderError("'%s' is not a directory", self.download_dir) if not os.access(self.download_dir, os.W_OK): raise LoaderError("Not allowed to create files in the '%s' directory", self.download_dir)
def __init__(self, path, config=None): logger.warning("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path) dionaea_config = g_dionaea.config().get("dionaea") self.download_dir = dionaea_config.get("download.dir") if self.download_dir is None: raise LoaderError("Setting download.dir not configured") else: if not os.path.isdir(self.download_dir): raise LoaderError("'%s' is not a directory", self.download_dir) if not os.access(self.download_dir, os.W_OK): raise LoaderError("Not allowed to create files in the '%s' directory", self.download_dir)
def __init__(self, path): logger.info("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path) self.mwsconfig = g_dionaea.config()['mycert_sensor']['submit'] self.sensorid = self.mwsconfig['sensorid'] self.connection_url = self.mwsconfig['connection_url'].format(id=self.sensorid) self.artifact_url = self.mwsconfig['artifact_url'] self.cookies = {} self.attacker = {} self.connection = {} self.mysql = {} self.mssql = {} self.ftp = {}
def __init__(self): ihandler.__init__(self, '*') self.connections = {} self.services = {} self.packets = {} self.logger = Logger() self.api = API(self.logger) self.scheduler = sched.scheduler(time.time, time.sleep) self.scheduler.enter(15, 15, self.send_data) threading.Thread(target=lambda: self.scheduler.run(), daemon=True).start()
def start(self): ihandler.__init__(self, self.path) # mapping socket -> attackid engine = create_engine(self._config.get("url"), echo=False, convert_unicode=True) self.db_session = scoped_session( sessionmaker( autocommit=False, autoflush=False, bind=engine ) ) model.Base.query = self.db_session.query_property() model.Base.metadata.create_all(bind=engine)
def __init__(self, server, port, nick, password, ident, realname, channel, ssl, adminhost, adminpw): logger.info("logirc started!") self.server = server self.port = port self.realname = realname self.ident = ident self.nick = nick self.password = password self.channel = channel self.state = "Offline" self.ssl = ssl self.adminhost = adminhost self.adminpw = adminpw # self.client = ircclient(server=server, port=port, realname=realname, ident=ident, nick=nick, password=password, channel=channel) ihandler.__init__(self, "*")
def __init__(self, config=None): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, "*") if config is None: config = {} offers = config.get("offers", "var/dionaea/offers.f2b") downloads = config.get("downloads", "var/dionaea/downloads.f2b") try: self.offers = open(offers, "a") except OSError as e: raise LoaderError("Unable to open file %s Error message '%s'", offers, e.strerror) try: self.downloads = open(downloads, "a") except OSError as e: raise LoaderError("Unable to open file %s Error message '%s'", downloads, e.strerror)
def __init__(self, path, config=None): logger.info("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path) self.sensorid = config.get("sensorid") self.connection_url = config.get("connection_url").format( id=self.sensorid) self.artifact_url = config.get("artifact_url") self.file_fieldname = config.get("file_fieldname") self.cookies = {} self.attacker = {} self.connection = {} self.mysql = {} self.mssql = {} self.ftp = {}
def __init__(self, config=None): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, "*") if config is None: config = {} offers = config.get("offers", "var/dionaea/offers.f2b") downloads = config.get("downloads", "var/dionaea/downloads.f2b") try: self.offers = open(offers, "a") except OSError as e: raise LoaderError("Unable to open file %s Error message '%s'", offers, e.strerror) try: self.downloads = open(downloads, "a") except OSError as e: raise LoaderError("Unable to open file %s Error message '%s'", downloads, e.strerror)
def __init__(self, config): logger.debug('hpfeedhandler init') self.client = hpclient(config['server'], int(config['port']), config['ident'], config['secret']) ihandler.__init__(self, '*') self.dynip_resolve = config.get('dynip_resolve', '') self.dynip_timer = None self.ownip = None if self.dynip_resolve and 'http' in self.dynip_resolve: if pyev == None: logger.debug('You are missing the python pyev binding in your dionaea installation.') else: logger.debug('hpfeedihandler will use dynamic IP resolving!') self.loop = pyev.default_loop() self.dynip_timer = pyev.Timer(2., 300, self.loop, self._dynip_resolve) self.dynip_timer.start()
def __init__(self, config): logger.debug('hpfeedhandler init') self.client = hpclient(config['server'], int(config['port']), config['ident'], config['secret']) ihandler.__init__(self, '*') self.dynip_resolve = config.get('dynip_resolve', '') self.dynip_timer = None self.ownip = None if self.dynip_resolve and 'http' in self.dynip_resolve: if pyev == None: logger.debug('You are missing the python pyev binding in your dionaea installation.') else: logger.debug('hpfeedihandler will use dynamic IP resolving!') self.loop = pyev.default_loop() self.dynip_timer = pyev.Timer(2., 300, self.loop, self._dynip_resolve) self.dynip_timer.start()
def __init__(self, server, port, nick, password, ident, realname, channel, ssl, adminhost, adminpw): logger.info("logirc started!") self.server = server self.port = port self.realname = realname self.ident = ident self.nick = nick self.password = password self.channel = channel self.state = "Offline" self.ssl = ssl self.adminhost = adminhost self.adminpw = adminpw #self.client = ircclient(server=server, port=port, realname=realname, ident=ident, nick=nick, password=password, channel=channel) ihandler.__init__(self, '*')
def __init__(self, server, port, username, password, resource, muc, config): self.muc = muc self.config = config.copy() for e in self.config: self.config[e]['pcre'] = [] for p in self.config[e]['events']: self.config[e]['pcre'].append(re.compile(p)) self.resource = resource self.username = username.split('@')[0] self.client = xmppclient(server=server, port=port, username=username, password=password, resource=resource, muc=muc, channels=list(self.config.keys())) ihandler.__init__(self, '*')
def __init__(self, path): self.disabled = False self.attacks = {} self.logger = logging.getLogger('honeysens') self.logger.setLevel(logging.WARNING) self.config = configparser.ConfigParser() try: with open(g_dionaea.config()['modules']['python']['honeysens']['config']) as f: self.config.read_file(f) self.server_name = self.config.get('server', 'name') self.key = RSA.importKey(open(self.config.get('general', 'keyfile'), 'r').read()) self.servercertfile = self.config.get('server', 'certfile') self.sensor_id = self.config.get('general', 'sensor_id') self.logger.debug('HoneySens Configuration\n Server: {}\n Key file: {}\n Server certificate: {}\n Sensor ID: {}'.format(self.server_name, self.key, self.servercertfile, self.sensor_id)) ihandler.__init__(self, path) except Exception: self.logger.debug('Error: Invalid HoneySens configuration, module disabled') self.disabled = True
def __init__(self, path, config=None): logger.debug("%s ready!", self.__class__.__name__) ihandler.__init__(self, path) self.port_min = 62001 self.port_max = 63000 port_range = config.get("active_ports") try: (port_min, port_max) = port_range.split("-") self.port_min = int(port_min) self.port_max = int(port_max) except Exception: logger.warning("Unable to pars port range") self.host = config.get("active_host") dionaea_config = g_dionaea.config().get("dionaea") self.download_dir = dionaea_config.get("download.dir") self.download_suffix = dionaea_config.get("download.suffix")
def __init__(self): logger.debug("nfqhandler") ihandler.__init__(self, 'dionaea.connection.tcp.pending') conf = g_dionaea.config()['modules']['python']['nfq'] self.throttle_window = int(conf['throttle']['window']) self.window = [[0,0] for x in range(self.throttle_window)] self.throttle_nfaction = int(conf['nfaction']) self.throttle_total = int(conf['throttle']['limits']['total']) self.throttle_slot = int(conf['throttle']['limits']['slot']) self.mirror_server_timeout_listen = int( conf['timeouts']['server']['listen']) self.mirror_client_timeout_idle = int( conf['timeouts']['client']['idle']) self.mirror_client_timeout_sustain= int( conf['timeouts']['client']['sustain'])
def __init__(self): logger.debug("nfqhandler") ihandler.__init__(self, 'dionaea.connection.tcp.pending') conf = g_dionaea.config()['modules']['python']['nfq'] self.throttle_window = int(conf['throttle']['window']) self.window = [[0, 0] for x in range(self.throttle_window)] self.throttle_nfaction = int(conf['nfaction']) self.throttle_total = int(conf['throttle']['limits']['total']) self.throttle_slot = int(conf['throttle']['limits']['slot']) self.mirror_server_timeout_listen = int( conf['timeouts']['server']['listen']) self.mirror_client_timeout_idle = int( conf['timeouts']['client']['idle']) self.mirror_client_timeout_sustain = int( conf['timeouts']['client']['sustain'])
def __init__(self, path, config=None): logger.debug('hpfeedhandler init') reconnect_timeout = config.get("reconnect_timeout") if reconnect_timeout is None: reconnect_timeout = self.default_reconnect_timeout try: reconnect_timeout = float(reconnect_timeout) except (TypeError, ValueError) as e: logger.warn( "Unable to convert value '%s' for reconnect timeout to float" % reconnect_timeout) reconnect_timeout = self.default_reconnect_timeout port = config.get("port") if port is None: port = self.default_port try: port = int(port) except (TypeError, ValueError) as e: logger.warn("Unable to convert value '%s' for port to int" % port) port = self.default_port self.client = hpclient(config['server'], port, config['ident'], config['secret'], reconnect_timeout=reconnect_timeout) ihandler.__init__(self, path) self.dynip_resolve = config.get('dynip_resolve', '') self.dynip_timer = None self.ownip = None if isinstance(self.dynip_resolve, str) and self.dynip_resolve.startswith("http"): logger.debug('hpfeedihandler will use dynamic IP resolving!') self.dynip_timer = Timer( 300, self._dynip_resolve, delay=2, repeat=True, ) self.dynip_timer.start()
def __init__(self, path): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path) mwsconfig = g_dionaea.config()['modules']['python']['submit_http'] self.backendurl = mwsconfig['url'] self.email = 'email' in mwsconfig and mwsconfig['email'] or '*****@*****.**' self.user = '******' in mwsconfig and mwsconfig['user'] or '' self.passwd = 'pass' in mwsconfig and mwsconfig['pass'] or '' self.cookies = {} # heartbeats dinfo = g_dionaea.version() self.software = 'dionaea {0} {1}/{2} - {3} {4}'.format( dinfo['dionaea']['version'], dinfo['compiler']['os'], dinfo['compiler']['arch'], dinfo['compiler']['date'], dinfo['compiler']['time'], ) self.loop = pyev.default_loop()
def __init__(self, path, config=None): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path) self.backendurl = config.get("url") self.email = config.get("email") self.user = config.get("user", "") self.passwd = config.get("pass", "") self.cookies = {} # heartbeats #dinfo = g_dionaea.version() #self.software = 'dionaea {0} {1}/{2} - {3} {4}'.format( # dinfo['dionaea']['version'], # dinfo['compiler']['os'], # dinfo['compiler']['arch'], # dinfo['compiler']['date'], # dinfo['compiler']['time'], #) self.loop = pyev.default_loop()
def __init__(self, path, config=None): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path) self.backendurl = config.get("url") self.email = config.get("email") self.user = config.get("user", "") self.passwd = config.get("pass", "") self.cookies = {} # heartbeats #dinfo = g_dionaea.version() #self.software = 'dionaea {0} {1}/{2} - {3} {4}'.format( # dinfo['dionaea']['version'], # dinfo['compiler']['os'], # dinfo['compiler']['arch'], # dinfo['compiler']['date'], # dinfo['compiler']['time'], #) self.loop = pyev.default_loop()
def __init__(self, path, config=None): logger.debug("%s ready!", self.__class__.__name__) ihandler.__init__(self, path) self.path = path self._config = config self._connection_ids = {} self.handlers = [] handlers = config.get("handlers") if not isinstance(handlers, list) or len(handlers) == 0: logger.warning("No handlers specified") # Set empty list on error handlers = [] for handler in handlers: url = urlparse(handler) for h in (FileHandler, HTTPHandler,): if url.scheme in h.handle_schemes: self.handlers.append(h(url=handler)) break
def __init__(self, path, config=None): logger.debug("%s ready!", self.__class__.__name__) ihandler.__init__(self, path) self.path = path self._config = config self.handlers = [] self.connection_url_levels = {} self.max_subdownloads = 20 from .handler import PowerShell, RawURL, VBScript tmp_handlers = {} for h in (PowerShell, RawURL, VBScript): tmp_handlers[h.name] = h tmp = config.get("max_subdownloads") if isinstance(tmp, int): self.max_subdownloads = tmp enabled_handlers = config.get("enabled_handlers") if not isinstance(enabled_handlers, list) or len(enabled_handlers) == 0: logger.warning("No handlers specified") # Set empty list on error enabled_handlers = [] handler_configs = config.get("handler_configs") if not isinstance(handler_configs, dict): handler_configs = {} for handler_name in enabled_handlers: h = tmp_handlers.get(handler_name) if h is None: logger.warning("Unable to load handler '%s'", handler_name) continue handler_config = handler_configs.get(handler_name) if not isinstance(handler_config, dict): handler_config = {} self.handlers.append(h(config=handler_config))
def __init__(self, path, config=None): logger.debug("%s ready!", self.__class__.__name__) ihandler.__init__(self, path) self.path = path self._config = config self._connection_ids = {} self._disabled = False self._collector_host = None self._collector_port = None self._zmq_context = zmq.Context() if 'COLLECTOR_HOST' not in os.environ or 'COLLECTOR_PORT' not in os.environ: print( 'Error: No HoneySens collector specified, logging module disabled' ) self._disabled = True else: self._collector_host = os.environ['COLLECTOR_HOST'] self._collector_port = os.environ['COLLECTOR_PORT'] print('HoneySens collector available at tcp://{}:{}'.format( self._collector_host, self._collector_port))
def __init__(self, path, config=None): logger.debug("%s ready!", self.__class__.__name__) ihandler.__init__(self, path) self.path = path self._config = config self.handlers = [] self.connection_url_levels = {} self.max_subdownloads = 20 from .handler import PowerShell, RawURL, VBScript tmp_handlers = {} for h in (PowerShell, RawURL,VBScript): tmp_handlers[h.name] = h tmp = config.get("max_subdownloads") if isinstance(tmp, int): self.max_subdownloads = tmp enabled_handlers = config.get("enabled_handlers") if not isinstance(enabled_handlers, list) or len(enabled_handlers) == 0: logger.warning("No handlers specified") # Set empty list on error enabled_handlers = [] handler_configs = config.get("handler_configs") if not isinstance(handler_configs, dict): handler_configs = {} for handler_name in enabled_handlers: h = tmp_handlers.get(handler_name) if h is None: logger.warning("Unable to load handler '%s'", handler_name) continue handler_config = handler_configs.get(handler_name) if not isinstance(handler_config, dict): handler_config = {} self.handlers.append(h(config=handler_config))
def __init__(self, path): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path) mwsconfig = g_dionaea.config()['modules']['python']['mwserv'] self.backendurl = mwsconfig['url'] self.maintainer = mwsconfig['maintainer'] self.guid = mwsconfig['guid'] self.secret = mwsconfig['secret'] self.cookies = {} # heartbeats dinfo = g_dionaea.version() self.software = 'dionaea {0} {1}/{2} - {3} {4}'.format( dinfo['dionaea']['version'], dinfo['compiler']['os'], dinfo['compiler']['arch'], dinfo['compiler']['date'], dinfo['compiler']['time'], ) self.loop = pyev.default_loop() self.heartbeat_timer = pyev.Timer(5., 120, self.loop, self._heartbeat) self.heartbeat_timer.start()
def __init__(self, config=None): logger.debug("nfqhandler") ihandler.__init__(self, 'dionaea.connection.tcp.pending') if config is None: config = {} config_throttle = config.get("throttle", {}) self.throttle_window = config_throttle.get("window", 30) self.window = [[0, 0] for x in range(self.throttle_window)] self.throttle_nfaction = config.get("nfaction", 0) config_throttle_limits = config_throttle.get("limits", {}) self.throttle_total = config_throttle_limits.get("total", 30) self.throttle_slot = config_throttle_limits.get("slot", 30) config_timeouts = config.get("timeouts", {}) config_timeouts_client = config_timeouts.get("client", {}) self.mirror_client_timeout_idle = config_timeouts_client.get("idel", 10) self.mirror_client_timeout_sustain = config_timeouts_client.get("sustain", 240) config_timeouts_server = config_timeouts.get("server", {}) self.mirror_server_timeout_listen = config_timeouts_server.get("listen", 5)
def __init__(self, p0fpath): logger.debug("p0fHandler") ihandler.__init__(self, 'dionaea.connection.*') self.p0fpath = p0fpath
def __init__(self, path): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path)
def __init__(self, path): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path)
def __init__(self, ifaces=None): ihandler.__init__(self, "dionaea.*.addr.*") self.ifaces = ifaces self.services = [] self.daemons = {}
def __init__(self, config=None): logger.debug("p0fHandler") ihandler.__init__(self, 'dionaea.connection.*') self.p0fpath = config.get("path")
def __init__(self, config): logger.debug('hpfeedhandler init') self.client = hpclient(config['server'], int(config['port']), config['ident'], config['secret']) ihandler.__init__(self, '*')
def __init__(self): ihandler.__init__(self, "dionaea.*.addr.*") self.services = [] self.daemons = {}
def __init__(self, path, config=None): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path) dionaea_config = g_dionaea.config().get("dionaea") self.download_dir = dionaea_config.get("download.dir")
def start(self): ihandler.__init__(self, self.path) # mapping socket -> attackid self.attacks = {} self.pending = {} # self.dbh = sqlite3.connect(user = g_dionaea.config()['modules']['python']['logsql']['file']) file = g_dionaea.config()['modules']['python']['logsql']['sqlite']['file'] self.dbh = sqlite3.connect(file) self.cursor = self.dbh.cursor() update = False self.cursor.execute("""CREATE TABLE IF NOT EXISTS connections ( connection INTEGER PRIMARY KEY, connection_type TEXT, connection_transport TEXT, connection_protocol TEXT, connection_timestamp INTEGER, connection_root INTEGER, connection_parent INTEGER, local_host TEXT, local_port INTEGER, remote_host TEXT, remote_hostname TEXT, remote_port INTEGER )""") self.cursor.execute("""CREATE TRIGGER IF NOT EXISTS connections_INSERT_update_connection_root_trg AFTER INSERT ON connections FOR EACH ROW WHEN new.connection_root IS NULL BEGIN UPDATE connections SET connection_root = connection WHERE connection = new.connection AND new.connection_root IS NULL; END""") for idx in ["type","timestamp","root","parent"]: self.cursor.execute("""CREATE INDEX IF NOT EXISTS connections_%s_idx ON connections (connection_%s)""" % (idx, idx)) for idx in ["local_host","local_port","remote_host"]: self.cursor.execute("""CREATE INDEX IF NOT EXISTS connections_%s_idx ON connections (%s)""" % (idx, idx)) # self.cursor.execute("""CREATE TABLE IF NOT EXISTS # bistreams ( # bistream INTEGER PRIMARY KEY, # connection INTEGER, # bistream_data TEXT # )""") # # self.cursor.execute("""CREATE TABLE IF NOT EXISTS # smbs ( # smb INTEGER PRIMARY KEY, # connection INTEGER, # smb_direction TEXT, # smb_action TEXT, # CONSTRAINT smb_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) # )""") self.cursor.execute("""CREATE TABLE IF NOT EXISTS dcerpcbinds ( dcerpcbind INTEGER PRIMARY KEY, connection INTEGER, dcerpcbind_uuid TEXT, dcerpcbind_transfersyntax TEXT -- CONSTRAINT dcerpcs_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) )""") for idx in ["uuid","transfersyntax"]: self.cursor.execute("""CREATE INDEX IF NOT EXISTS dcerpcbinds_%s_idx ON dcerpcbinds (dcerpcbind_%s)""" % (idx, idx)) self.cursor.execute("""CREATE TABLE IF NOT EXISTS dcerpcrequests ( dcerpcrequest INTEGER PRIMARY KEY, connection INTEGER, dcerpcrequest_uuid TEXT, dcerpcrequest_opnum INTEGER -- CONSTRAINT dcerpcs_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) )""") for idx in ["uuid","opnum"]: self.cursor.execute("""CREATE INDEX IF NOT EXISTS dcerpcrequests_%s_idx ON dcerpcrequests (dcerpcrequest_%s)""" % (idx, idx)) self.cursor.execute("""CREATE TABLE IF NOT EXISTS dcerpcservices ( dcerpcservice INTEGER PRIMARY KEY, dcerpcservice_uuid TEXT, dcerpcservice_name TEXT, CONSTRAINT dcerpcservice_uuid_uniq UNIQUE (dcerpcservice_uuid) )""") from uuid import UUID from dionaea.smb import rpcservices import inspect services = inspect.getmembers(rpcservices, inspect.isclass) for name, servicecls in services: if not name == 'RPCService' and issubclass(servicecls, rpcservices.RPCService): try: self.cursor.execute("INSERT INTO dcerpcservices (dcerpcservice_name, dcerpcservice_uuid) VALUES (?,?)", (name, str(UUID(hex=servicecls.uuid))) ) except Exception as e: # print("dcerpcservice %s existed %s " % (servicecls.uuid, e) ) pass logger.info("Getting RPC Services") r = self.cursor.execute("SELECT * FROM dcerpcservices") # print(r) names = [r.description[x][0] for x in range(len(r.description))] r = [ dict(zip(names, i)) for i in r] # print(r) r = dict([(UUID(i['dcerpcservice_uuid']).hex,i['dcerpcservice']) for i in r]) # print(r) self.cursor.execute("""CREATE TABLE IF NOT EXISTS dcerpcserviceops ( dcerpcserviceop INTEGER PRIMARY KEY, dcerpcservice INTEGER, dcerpcserviceop_opnum INTEGER, dcerpcserviceop_name TEXT, dcerpcserviceop_vuln TEXT, CONSTRAINT dcerpcop_service_opnum_uniq UNIQUE (dcerpcservice, dcerpcserviceop_opnum) )""") logger.info("Setting RPC ServiceOps") for name, servicecls in services: if not name == 'RPCService' and issubclass(servicecls, rpcservices.RPCService): for opnum in servicecls.ops: op = servicecls.ops[opnum] uuid = servicecls.uuid vuln = '' dcerpcservice = r[uuid] if opnum in servicecls.vulns: vuln = servicecls.vulns[opnum] try: self.cursor.execute("INSERT INTO dcerpcserviceops (dcerpcservice, dcerpcserviceop_opnum, dcerpcserviceop_name, dcerpcserviceop_vuln) VALUES (?,?,?,?)", (dcerpcservice, opnum, op, vuln)) except: # print("%s %s %s %s %s existed" % (dcerpcservice, uuid, name, op, vuln)) pass # NetPathCompare was called NetCompare in dcerpcserviceops try: logger.debug("Trying to update table: dcerpcserviceops") x = self.cursor.execute("""SELECT * FROM dcerpcserviceops WHERE dcerpcserviceop_name = 'NetCompare'""").fetchall() if len(x) > 0: self.cursor.execute("""UPDATE dcerpcserviceops SET dcerpcserviceop_name = 'NetPathCompare' WHERE dcerpcserviceop_name = 'NetCompare'""") logger.debug("... done") else: logger.info("... not required") except Exception as e: print(e) logger.info("... not required") self.cursor.execute("""CREATE TABLE IF NOT EXISTS emu_profiles ( emu_profile INTEGER PRIMARY KEY, connection INTEGER, emu_profile_json TEXT -- CONSTRAINT emu_profiles_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) )""") # fix a typo on emu_services table definition # emu_services.emu_serive is wrong, should be emu_services.emu_service # 1) rename table, create the proper table try: logger.debug("Trying to update table: emu_services") self.cursor.execute("""SELECT emu_serivce FROM emu_services LIMIT 1""") self.cursor.execute("""ALTER TABLE emu_services RENAME TO emu_services_old""") update = True except Exception as e: logger.debug("... not required") update = False self.cursor.execute("""CREATE TABLE IF NOT EXISTS emu_services ( emu_serivce INTEGER PRIMARY KEY, connection INTEGER, emu_service_url TEXT -- CONSTRAINT emu_services_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) )""") # 2) copy all values to proper table, drop old table try: if update == True: self.cursor.execute(""" INSERT INTO emu_services (emu_service, connection, emu_service_url) SELECT emu_serivce, connection, emu_service_url FROM emu_services_old""") self.cursor.execute("""DROP TABLE emu_services_old""") logger.debug("... done") except Exception as e: logger.debug("Updating emu_services failed, copying old table failed (%s)" % e) self.cursor.execute("""CREATE TABLE IF NOT EXISTS offers ( offer INTEGER PRIMARY KEY, connection INTEGER, offer_url TEXT -- CONSTRAINT offers_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) )""") self.cursor.execute("""CREATE INDEX IF NOT EXISTS offers_url_idx ON offers (offer_url)""") # fix a type on downloads table definition # downloads.downloads is wrong, should be downloads.download # 1) rename table, create the proper table try: logger.debug("Trying to update table: downloads") self.cursor.execute("""SELECT downloads FROM downloads LIMIT 1""") self.cursor.execute("""ALTER TABLE downloads RENAME TO downloads_old""") update = True except Exception as e: # print(e) logger.debug("... not required") update = False self.cursor.execute("""CREATE TABLE IF NOT EXISTS downloads ( download INTEGER PRIMARY KEY, connection INTEGER, download_url TEXT, download_md5_hash TEXT -- CONSTRAINT downloads_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) )""") # 2) copy all values to proper table, drop old table try: if update == True: self.cursor.execute(""" INSERT INTO downloads (download, connection, download_url, download_md5_hash) SELECT downloads, connection, download_url, download_md5_hash FROM downloads_old""") self.cursor.execute("""DROP TABLE downloads_old""") logger.debug("... done") except Exeption as e: logger.debug("Updating downloads failed, copying old table failed (%s)" % e) for idx in ["url", "md5_hash"]: self.cursor.execute("""CREATE INDEX IF NOT EXISTS downloads_%s_idx ON downloads (download_%s)""" % (idx, idx)) self.cursor.execute("""CREATE TABLE IF NOT EXISTS resolves ( resolve INTEGER PRIMARY KEY, connection INTEGER, resolve_hostname TEXT, resolve_type TEXT, resolve_result TEXT )""") self.cursor.execute("""CREATE TABLE IF NOT EXISTS p0fs ( p0f INTEGER PRIMARY KEY, connection INTEGER, p0f_genre TEXT, p0f_link TEXT, p0f_detail TEXT, p0f_uptime INTEGER, p0f_tos TEXT, p0f_dist INTEGER, p0f_nat INTEGER, p0f_fw INTEGER -- CONSTRAINT p0fs_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) )""") for idx in ["genre","detail","uptime"]: self.cursor.execute("""CREATE INDEX IF NOT EXISTS p0fs_%s_idx ON p0fs (p0f_%s)""" % (idx, idx)) self.cursor.execute("""CREATE TABLE IF NOT EXISTS logins ( login INTEGER PRIMARY KEY, connection INTEGER, login_username TEXT, login_password TEXT -- CONSTRAINT logins_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) )""") for idx in ["username","password"]: self.cursor.execute("""CREATE INDEX IF NOT EXISTS logins_%s_idx ON logins (login_%s)""" % (idx, idx)) self.cursor.execute("""CREATE TABLE IF NOT EXISTS mssql_fingerprints ( mssql_fingerprint INTEGER PRIMARY KEY, connection INTEGER, mssql_fingerprint_hostname TEXT, mssql_fingerprint_appname TEXT, mssql_fingerprint_cltintname TEXT -- CONSTRAINT mssql_fingerprints_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) )""") for idx in ["hostname","appname","cltintname"]: self.cursor.execute("""CREATE INDEX IF NOT EXISTS mssql_fingerprints_%s_idx ON mssql_fingerprints (mssql_fingerprint_%s)""" % (idx, idx)) self.cursor.execute("""CREATE TABLE IF NOT EXISTS mssql_commands ( mssql_command INTEGER PRIMARY KEY, connection INTEGER, mssql_command_status TEXT, mssql_command_cmd TEXT -- CONSTRAINT mssql_commands_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) )""") for idx in ["status"]: self.cursor.execute("""CREATE INDEX IF NOT EXISTS mssql_commands_%s_idx ON mssql_commands (mssql_command_%s)""" % (idx, idx)) self.cursor.execute("""CREATE TABLE IF NOT EXISTS virustotals ( virustotal INTEGER PRIMARY KEY, virustotal_md5_hash TEXT NOT NULL, virustotal_timestamp INTEGER NOT NULL, virustotal_permalink TEXT NOT NULL )""") for idx in ["md5_hash"]: self.cursor.execute("""CREATE INDEX IF NOT EXISTS virustotals_%s_idx ON virustotals (virustotal_%s)""" % (idx, idx)) self.cursor.execute("""CREATE TABLE IF NOT EXISTS virustotalscans ( virustotalscan INTEGER PRIMARY KEY, virustotal INTEGER NOT NULL, virustotalscan_scanner TEXT NOT NULL, virustotalscan_result TEXT )""") for idx in ["scanner","result"]: self.cursor.execute("""CREATE INDEX IF NOT EXISTS virustotalscans_%s_idx ON virustotalscans (virustotalscan_%s)""" % (idx, idx)) self.cursor.execute("""CREATE INDEX IF NOT EXISTS virustotalscans_virustotal_idx ON virustotalscans (virustotal)""") self.cursor.execute("""CREATE TABLE IF NOT EXISTS mysql_commands ( mysql_command INTEGER PRIMARY KEY, connection INTEGER, mysql_command_cmd NUMBER NOT NULL -- CONSTRAINT mysql_commands_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) )""") self.cursor.execute("""CREATE TABLE IF NOT EXISTS mysql_command_args ( mysql_command_arg INTEGER PRIMARY KEY, mysql_command INTEGER, mysql_command_arg_index NUMBER NOT NULL, mysql_command_arg_data TEXT NOT NULL -- CONSTRAINT mysql_commands_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) )""") for idx in ["command"]: self.cursor.execute("""CREATE INDEX IF NOT EXISTS mysql_command_args_%s_idx ON mysql_command_args (mysql_%s)""" % (idx, idx)) self.cursor.execute("""CREATE TABLE IF NOT EXISTS mysql_command_ops ( mysql_command_op INTEGER PRIMARY KEY, mysql_command_cmd INTEGER NOT NULL, mysql_command_op_name TEXT NOT NULL, CONSTRAINT mysql_command_cmd_uniq UNIQUE (mysql_command_cmd) )""") from dionaea.mysql.include.packets import MySQL_Commands logger.info("Setting MySQL Command Ops") for num,name in MySQL_Commands.items(): try: self.cursor.execute("INSERT INTO mysql_command_ops (mysql_command_cmd, mysql_command_op_name) VALUES (?,?)", (num, name)) except: pass self.cursor.execute("""CREATE TABLE IF NOT EXISTS sip_commands ( sip_command INTEGER PRIMARY KEY, connection INTEGER, sip_command_method , sip_command_call_id , sip_command_user_agent , sip_command_allow INTEGER -- CONSTRAINT sip_commands_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) )""") self.cursor.execute("""CREATE TABLE IF NOT EXISTS sip_addrs ( sip_addr INTEGER PRIMARY KEY, sip_command INTEGER, sip_addr_type , sip_addr_display_name, sip_addr_uri_scheme, sip_addr_uri_user, sip_addr_uri_password, sip_addr_uri_host, sip_addr_uri_port -- CONSTRAINT sip_addrs_command_fkey FOREIGN KEY (sip_command) REFERENCES sip_commands (sip_command) )""") self.cursor.execute("""CREATE TABLE IF NOT EXISTS sip_vias ( sip_via INTEGER PRIMARY KEY, sip_command INTEGER, sip_via_protocol, sip_via_address, sip_via_port -- CONSTRAINT sip_vias_command_fkey FOREIGN KEY (sip_command) REFERENCES sip_commands (sip_command) )""") self.cursor.execute("""CREATE TABLE IF NOT EXISTS sip_sdp_origins ( sip_sdp_origin INTEGER PRIMARY KEY, sip_command INTEGER, sip_sdp_origin_username, sip_sdp_origin_sess_id, sip_sdp_origin_sess_version, sip_sdp_origin_nettype, sip_sdp_origin_addrtype, sip_sdp_origin_unicast_address -- CONSTRAINT sip_sdp_origins_fkey FOREIGN KEY (sip_command) REFERENCES sip_commands (sip_command) )""") self.cursor.execute("""CREATE TABLE IF NOT EXISTS sip_sdp_connectiondatas ( sip_sdp_connectiondata INTEGER PRIMARY KEY, sip_command INTEGER, sip_sdp_connectiondata_nettype, sip_sdp_connectiondata_addrtype, sip_sdp_connectiondata_connection_address, sip_sdp_connectiondata_ttl, sip_sdp_connectiondata_number_of_addresses -- CONSTRAINT sip_sdp_connectiondatas_fkey FOREIGN KEY (sip_command) REFERENCES sip_commands (sip_command) )""") self.cursor.execute("""CREATE TABLE IF NOT EXISTS sip_sdp_medias ( sip_sdp_media INTEGER PRIMARY KEY, sip_command INTEGER, sip_sdp_media_media, sip_sdp_media_port, sip_sdp_media_number_of_ports, sip_sdp_media_proto -- sip_sdp_media_fmt, -- sip_sdp_media_attributes -- CONSTRAINT sip_sdp_medias_fkey FOREIGN KEY (sip_command) REFERENCES sip_commands (sip_command) )""") # self.cursor.execute("""CREATE TABLE IF NOT EXISTS # httpheaders ( # httpheader INTEGER PRIMARY KEY, # connection INTEGER, # http_headerkey TEXT, # http_headervalue TEXT, # -- CONSTRAINT httpheaders_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) # )""") # # for idx in ["headerkey","headervalue"]: # self.cursor.execute("""CREATE INDEX IF NOT EXISTS httpheaders_%s_idx # ON httpheaders (httpheader_%s)""" % (idx, idx)) self.cursor.execute("""CREATE TABLE IF NOT EXISTS mqtt_fingerprints ( mqtt_fingerprint INTEGER PRIMARY KEY, connection INTEGER, mqtt_fingerprint_clientid TEXT, mqtt_fingerprint_willtopic TEXT, mqtt_fingerprint_willmessage TEXT, mqtt_fingerprint_username TEXT, mqtt_fingerprint_password TEXT -- CONSTRAINT mqtt_fingerprints_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) )""") for idx in ["clientid","willtopic","willmessage", "username", "password"]: self.cursor.execute("""CREATE INDEX IF NOT EXISTS mqtt_fingerprints_%s_idx ON mqtt_fingerprints (mqtt_fingerprint_%s)""" % (idx, idx)) self.cursor.execute("""CREATE TABLE IF NOT EXISTS mqtt_publish_commands ( mqtt_publish_command INTEGER PRIMARY KEY, connection INTEGER, mqtt_publish_command_topic TEXT, mqtt_publish_command_message TEXT -- CONSTRAINT mqtt_publish_commands_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) )""") for idx in ["topic", "message"]: self.cursor.execute("""CREATE INDEX IF NOT EXISTS mqtt_publish_commands_%s_idx ON mqtt_publish_commands (mqtt_publish_command_%s)""" % (idx, idx)) self.cursor.execute("""CREATE TABLE IF NOT EXISTS mqtt_subscribe_commands ( mqtt_subscribe_command INTEGER PRIMARY KEY, connection INTEGER, mqtt_subscribe_command_messageid TEXT, mqtt_subscribe_command_topic TEXT -- CONSTRAINT mqtt_subscribe_commands_connection_fkey FOREIGN KEY (connection) REFERENCES connections (connection) )""") for idx in ["messageid", "topic"]: self.cursor.execute("""CREATE INDEX IF NOT EXISTS mqtt_subscribe_commands_%s_idx ON mqtt_subscribe_commands (mqtt_subscribe_command_%s)""" % (idx, idx)) # connection index for all for idx in ["dcerpcbinds", "dcerpcrequests", "emu_profiles", "emu_services", "offers", "downloads", "p0fs", "logins", "mssql_fingerprints", "mssql_commands","mysql_commands","sip_commands", "mqtt_fingerprints", "mqtt_publish_commands", "mqtt_subscribe_commands"]: self.cursor.execute("""CREATE INDEX IF NOT EXISTS %s_connection_idx ON %s (connection)""" % (idx, idx)) self.dbh.commit() # updates, database schema corrections for old versions # svn rev 2143 removed the table dcerpcs # and created the table dcerpcrequests # # copy the data to the new table dcerpcrequests # drop the old table try: logger.debug("Updating Table dcerpcs") self.cursor.execute("""INSERT INTO dcerpcrequests (connection, dcerpcrequest_uuid, dcerpcrequest_opnum) SELECT connection, dcerpc_uuid, dcerpc_opnum FROM dcerpcs""") self.cursor.execute("""DROP TABLE dcerpcs""") logger.debug("... done") except Exception as e: # print(e) logger.debug("... not required")
def __init__(self, path): logger.debug("%s ready!" % (self.__class__.__name__)) ihandler.__init__(self, path) self.username = g_dionaea.config()["modules"]["python"]["malwarelu"]["username"] self.password = g_dionaea.config()["modules"]["python"]["malwarelu"]["password"] self.m = MalwareLu(self.username, self.password)