    def deployContainer(self):
        """Start the victim container and record it on ``self.container``.

        Every setting is read from ``Configuration()``.  The container is
        started privileged, with TCP 2375 (the Docker API port) published on
        the host, ``on-failure`` restart policy and public DNS resolvers --
        presumably the honeypot's lure, so this must only ever run on an
        isolated host.  After ``run`` the method sleeps ten seconds and then
        calls ``resetBaselineFileChanges`` so later file-change reports are
        relative to the freshly deployed state.

        Any exception raised along the way is logged via ``logger.error``
        and swallowed; ``self.container`` is assigned only on success.
        """
        def setting(key):
            return Configuration().get(key)

        try:
            logger.debug("Deploying new VictimContainer [%s]" %
                         setting("victimContainerName"))
            runOptions = {
                "image": setting("victimContainerImage"),
                "name": setting("victimContainerName"),
                "network": setting("victimNetworkName"),
                "privileged": True,
                "restart_policy": {"Name": "on-failure"},
                "ports": {'2375/tcp': 2375},
                "detach": True,
                "dns": ['8.8.8.8', '8.8.4.4'],
            }
            self.container = self.cli.containers.run(**runOptions)

            logger.debug(
                "waiting 10 seconds for container to stabilise and baseline for file changes..."
            )
            time.sleep(10)
            self.resetBaselineFileChanges()
            logger.info("deployed new container [%s]" % self.container.name)
        except Exception as e:
            logger.error("failed deploying new container [%s]" % e)
 def __init__(self):
     """Create the Docker clients, the fingerprint service and the report list.

     Two ``docker.DockerClient`` instances are opened -- one against the
     victim daemon URL, one against the host daemon URL, both taken from
     ``Configuration()`` -- then ``loadReports`` fills ``self.reports``.
     """
     logger.info("Initialising Whaler")
     victimUrl = Configuration().get("dockerDaemonVictimUrl")
     self.victimCli = docker.DockerClient(base_url=victimUrl)
     hostUrl = Configuration().get("dockerDaemonHostUrl")
     self.hostCli = docker.DockerClient(base_url=hostUrl)
     self.fingerprintService = FingerprintService()
     self.reports = self.loadReports()
 def redeployContainer(self):
     """Redeploy the victim container unless redeploy is disabled.

     When ``Configuration().get("victimContainerDisableRedeploy")`` is
     truthy the redeploy is skipped and logged (the message describes it as
     a testing aid); otherwise the base-class implementation
     ``BaseContainer.redeployContainer`` runs.
     """
     redeployDisabled = Configuration().get("victimContainerDisableRedeploy")
     if not redeployDisabled:
         BaseContainer.redeployContainer(self)
         return
     logger.info(
         "Skipping redeploy container, disabled in configuration for testing"
     )
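    def onStart(self, container):
        """Handle a newly started (attacker-created) container on the victim.

        The container is left running for
        ``maliciousContainerRunDurationSeconds`` so it can generate evidence,
        then stopped.  A report is built and saved; when its fingerprint is
        already known nothing is archived, otherwise the container, the
        capture file and the victim container are snapshotted under
        ``<dataDirectory>/<YYYYmmdd>/<HHMM>/<image tag>/<container name>``.
        In both cases the victim and capture containers are redeployed and
        dangling volumes on both daemons are pruned.

        Args:
            container: docker SDK container object reported by the victim
                daemon.  Its ``name`` and image tag were chosen by whoever
                created it through the exposed API and go into the output
                path as-is; Docker's reference grammar keeps ``..`` out of
                them, but a tag such as ``user/repo:tag`` adds a directory
                level.
        """
        #let the container run for some time, to generate evidence
        image = container.image
        runDuration = Configuration().get("maliciousContainerRunDurationSeconds")
        logger.info(
            "New container reported [%s] image %s will terminate in [%s] seconds"
            % (container.name, image.tags, runDuration))

        # An image pulled by digest or built ad hoc has no tags at all; fall
        # back to the short id instead of failing on tags[0], which would
        # abort the handler before the victim container is redeployed.
        imageLabel = image.tags[0] if image.tags else image.short_id
        # Read the clock once so the date and time parts cannot straddle a
        # midnight/minute boundary.
        now = datetime.datetime.now()
        outputFolder = "%s/%s/%s/%s/%s" % (
            Configuration().get("dataDirectory"),
            now.strftime('%Y%m%d'), now.strftime('%H%M'), imageLabel,
            container.name)
        os.makedirs(outputFolder, exist_ok=True)

        time.sleep(runDuration)
        self.victimContainer.stopContainer(container)

        #get report
        report = self.getReport(container, image)
        self.saveReport(report)

        if self.fingerprintService.isKnownContainer(report['fingerprint']):
            logger.info(
                "Found fingerprint match, will not archive container, or pcap")
        else:
            #New attack -snapshot container(s) and pcap
            self.victimContainer.snapshotContainer(container,
                                                   outputFolder + "/snapshots")
            self.captureContainer.archiveCaptureFile(container, outputFolder)

            #restart capture container and save pcap
            self.victimContainer.snapshotVictimContainer(outputFolder)

        # Both branches end by restoring the honeypot to a clean state.
        self.victimContainer.redeployContainer()
        self.captureContainer.redeployContainer()

        self.victimCli.volumes.prune()
        self.hostCli.volumes.prune()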
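    def loadReports(self):
        """Load previously saved reports from ``<reportFolder>/reports.json``.

        Creates the report folder if it is missing.  Returns the decoded
        list from the JSON file, or an empty list when the file does not
        exist yet.

        Raises:
            ValueError (``json.JSONDecodeError``): the file exists but is not
                valid JSON.  Deliberately not masked: ``saveReport`` rewrites
                the file from memory, so defaulting to ``[]`` here would
                overwrite whatever is still on disk.
        """
        reportFolder = Configuration().get("reportFolder")
        # exist_ok avoids the check-then-create race of os.path.exists.
        os.makedirs(reportFolder, exist_ok=True)

        reportFile = os.path.join(reportFolder, 'reports.json')
        if not os.path.exists(reportFile):
            return []
        with open(reportFile) as json_data_file:
            return json.load(json_data_file)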
 def __init__(self):
     """Initialise the victim container wrapper.

     The ``BaseContainer`` part is bound to the host daemon URL and the
     victim container name; a second client, ``self.victimCli``, is opened
     through ``self.getCli`` against the victim daemon URL.  All three
     values come from ``Configuration()``.
     """
     hostUrl = Configuration().get("dockerDaemonHostUrl")
     containerName = Configuration().get("victimContainerName")
     BaseContainer.__init__(self, hostUrl, containerName)
     victimUrl = Configuration().get("dockerDaemonVictimUrl")
     self.victimCli = self.getCli(victimUrl)
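    def saveReport(self, report):
        """Append *report* to ``self.reports`` and persist the whole list.

        The list is serialised to ``<reportFolder>/reports.json``.  It is
        written to a temporary sibling first and moved into place with
        ``os.replace``, so a crash mid-write cannot leave a truncated
        ``reports.json`` that ``loadReports`` would fail to parse on the
        next start.

        Args:
            report: a JSON-serialisable object (the ``getReport`` output).

        Raises:
            OSError or TypeError from the filesystem or ``json.dump``.  The
            report has already been appended to ``self.reports`` when that
            happens (same ordering as before); the temporary file is removed.
        """
        reportFolder = Configuration().get("reportFolder")
        self.reports.append(report)

        reportFile = os.path.join(reportFolder, 'reports.json')
        tmpFile = reportFile + '.tmp'
        try:
            with open(tmpFile, 'w') as outfile:
                json.dump(self.reports, outfile)
        except Exception:
            # Do not leave a half-written temp file behind.
            if os.path.exists(tmpFile):
                os.remove(tmpFile)
            raise
        os.replace(tmpFile, reportFile)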