Пример #1
0
 def __init__(self, pcapObj, hp):
     hs = HoneysnapSingleton.getInstance()
     options = hs.getOptions()
     self.p = pcapObj
     self.outdir = ""
     self.hp = hp
     self.dataFound = False
     self.tf = options['time_convert_fn']
     self.cdList = [90, 91, 92, 93]
     self.commandCode = {
         90:
         'Request granted',
         91:
         'Request rejected or failed',
         92:
         'Request rejected: SOCKS server cannot connect to identd on the client',
         93:
         'Request rejected: Client program and identd report different user-ids'
     }
     self.replyCode = {
         0: 'Succeeded',
         1: 'General socks server failure',
         2: 'Connection not allowed by ruleset',
         3: 'Network unreachable',
         4: 'Host unreachable',
         5: 'Connection refused',
         6: 'TTL expired',
         7: 'Command not supported',
         8: 'Address type not supported'
     }
     self.requestCommand = [1, 2, 3]
Пример #2
0
 def __init__(self, pcapObj, hp): 
     hs = HoneysnapSingleton.getInstance()
     options = hs.getOptions()
     self.p = pcapObj
     self.outdir = ""
     self.hp = hp
     self.dataFound = False  
     self.tf = options['time_convert_fn']     
     self.cdList = [90,91,92,93]
     self.commandCode = {
         90:'Request granted', 
         91:'Request rejected or failed',
         92:'Request rejected: SOCKS server cannot connect to identd on the client',
         93:'Request rejected: Client program and identd report different user-ids'
     }   
     self.replyCode = {
         0:'Succeeded', 
         1:'General socks server failure',
         2:'Connection not allowed by ruleset',
         3:'Network unreachable',
         4:'Host unreachable',
         5:'Connection refused',
         6:'TTL expired',
         7:'Command not supported',
         8:'Address type not supported'
     }   
     self.requestCommand = [1,2,3]
Пример #3
0
 def __init__(self, hp):
     hs = HoneysnapSingleton.getInstance()
     options = hs.getOptions()
     self.p = pcap.pcap(options["tmpf"], promisc=False)
     self.p.setfilter("host %s and tcp port 23" % (hp))
     self.log = {}
     self.fp = sys.stdout
     self.outdir = None
Пример #4
0
 def __init__(self):
     super(flowDecode, self).__init__()  
     hs = HoneysnapSingleton.getInstance() 
     self.options = hs.getOptions()   
     self.requested_files = {}
     self.served_files = {}
     for hp in self.options['honeypots']: 
         self.served_files[hp] = [] 
         self.requested_files[hp] = []
Пример #5
0
 def __init__(self):
     super(flowDecode, self).__init__()
     hs = HoneysnapSingleton.getInstance()
     self.options = hs.getOptions()
     self.requested_files = {}
     self.served_files = {}
     for hp in self.options['honeypots']:
         self.served_files[hp] = []
         self.requested_files[hp] = []
Пример #6
0
 def __init__(self, ts, pkt, eventtype, source, target, arguments=None):
     irclib.Event.__init__(self, eventtype, source, target, arguments)
     hs = HoneysnapSingleton.getInstance()
     options = hs.getOptions()
     self.tf = options['time_convert_fn']
     self.time = ts
     self.src = inet_ntoa(pkt.src)
     self.dst = inet_ntoa(pkt.dst)
     self.dport = pkt.data.dport
     self.sport = pkt.data.sport
Пример #7
0
 def __init__(self, pcapObj):
     Base.__init__(self)
     hs = HoneysnapSingleton.getInstance()
     options = hs.getOptions()
     self.tcpports = {}
     self.udpports = {}
     self.icmp = {}
     self.p = pcapObj
     self.outdir = ""
     self.tf = options['time_convert_fn']
Пример #8
0
 def __init__(self, ts, pkt, eventtype, source, target, arguments=None): 
     irclib.Event.__init__(self, eventtype, source, target, arguments)
     hs = HoneysnapSingleton.getInstance()
     options = hs.getOptions()
     self.tf = options['time_convert_fn']
     self.time  = ts
     self.src   = inet_ntoa(pkt.src)
     self.dst   = inet_ntoa(pkt.dst)
     self.dport = pkt.data.dport
     self.sport = pkt.data.sport 
Пример #9
0
 def __init__(self, pcapObj): 
     Base.__init__(self)
     hs = HoneysnapSingleton.getInstance()
     options = hs.getOptions()
     self.tcpports = {}
     self.udpports = {}
     self.icmp = {}
     self.p = pcapObj
     self.outdir = ""
     self.tf = options['time_convert_fn']  
Пример #10
0
 def __init__(self, pcapObj):
     """Initialise the flow. Assume ethernet for now"""
     Base.__init__(self)
     self.p = pcapObj
     self.states = flow_state_manager()
     self.outdir = ""
     self.fname = []
     self.plugins = []
     self.hs = HoneysnapSingleton.getInstance()
     self.honeypots = self.hs.getOptions()["honeypots"]
     self.fp = None
Пример #11
0
 def __init__(self, pcapObj):
     """Initialise the flow. Assume ethernet for now""" 
     Base.__init__(self)
     self.p = pcapObj
     self.states = flow_state_manager()
     self.outdir = ""
     self.fname = []
     self.plugins = []
     self.hs = HoneysnapSingleton.getInstance()
     self.honeypots = self.hs.getOptions()["honeypots"]
     self.fp = None
Пример #12
0
 def __init__(self, hp, direction="queried"):
     hs = HoneysnapSingleton.getInstance()
     options = hs.getOptions()
     self.p = pcap.pcap(options["tmpf"], promisc=False)     
     self.direction = direction
     if direction == "queried":
         self.p.setfilter("(src host %s and udp and dst port 53) or (dst host %s and udp and src port 53)" % (hp, hp))
     else:
         self.p.setfilter("(dst host %s and udp and dst port 53) or (src host %s and udp and src port 53)" % (hp, hp))
     self.log = {}
     self.fp = sys.stdout   
     self.tf = options['time_convert_fn']
Пример #13
0
 def __init__(self, hp, direction="queried"):
     hs = HoneysnapSingleton.getInstance()
     options = hs.getOptions()
     self.p = pcap.pcap(options["tmpf"], promisc=False)
     self.direction = direction
     if direction == "queried":
         self.p.setfilter(
             "(src host %s and udp and dst port 53) or (dst host %s and udp and src port 53)"
             % (hp, hp))
     else:
         self.p.setfilter(
             "(dst host %s and udp and dst port 53) or (src host %s and udp and src port 53)"
             % (hp, hp))
     self.log = {}
     self.fp = sys.stdout
     self.tf = options['time_convert_fn']
Пример #14
0
 def __init__(self, hp):
     hs = HoneysnapSingleton.getInstance()
     options = hs.getOptions()
     self.excludes = options['sebek_excludes']  
     self.data_excludes = options['sebek_data_excludes']
     self.p = pcap.pcap(options["tmpf"], promisc=False)
     self.p.setfilter("src host %s and udp dst port %s" % (hp, options["sebek_port"]))
     self.log = {}
     self.output = {}
     self.output['keystrokes'] = [] 
     self.output['sbk_write'] = []
     self.output['sbk_sock'] = []
     self.output['sbk_open'] = []     
     self.verbose = options['sebek_all_data']
     self.fp = sys.stdout                   
     self.tf = options['time_convert_fn']     
Пример #15
0
 def __init__(self, hp):
     hs = HoneysnapSingleton.getInstance()
     options = hs.getOptions()
     self.excludes = options['sebek_excludes']
     self.data_excludes = options['sebek_data_excludes']
     self.p = pcap.pcap(options["tmpf"], promisc=False)
     self.p.setfilter("src host %s and udp dst port %s" %
                      (hp, options["sebek_port"]))
     self.log = {}
     self.output = {}
     self.output['keystrokes'] = []
     self.output['sbk_write'] = []
     self.output['sbk_sock'] = []
     self.output['sbk_open'] = []
     self.verbose = options['sebek_all_data']
     self.fp = sys.stdout
     self.tf = options['time_convert_fn']
Пример #16
0
def main():
    """Set everything off and handle files/stdin etc"""
    print_help, options, args = parseOptions()
    if len(sys.argv)>1:
        if options['honeypots'] is None:
            print "No honeypots specified. Please use either -H or config file to specify honeypots.\n"
            sys.exit(2)
        hsingleton = HoneysnapSingleton.getInstance(options)
        if not os.path.exists(options['output_data_directory']):
            make_dir(options['output_data_directory'])
        if os.path.exists(options['output_data_directory']):
            for i in options["honeypots"]:
                make_dir(options["output_data_directory"]+"/"+i)
        # by default treat args as files to be processed
        # handle multiple files being passed as args
        if len(args):
            for f in args:
                if os.path.exists(f) and os.path.isfile(f): 
                    processFile(f)
                else:
                    print "File not found: %s" % f
                    sys.exit(2)
        # no args indicating files, read from stdin
        else:
            # can't really do true stdin input, since we repeatedly parse
            # the file, so create a tempfile that is read from stdin
            # pass it to processFile
            fh = sys.stdin
            tmph, tmpf = tempfile.mkstemp()
            tmph = open(tmpf, 'wb')
            for l in fh:
                tmph.write(l)
            tmph.close()
            processFile(tmpf)
            # all done, delete the tmp file
            os.unlink(tmpf)
        cleanup(options)
    else:
        print_help()  
Пример #17
0
def main():
    """Set everything off and handle files/stdin etc"""
    print_help, options, args = parseOptions()
    if len(sys.argv) > 1:
        if options['honeypots'] is None:
            print "No honeypots specified. Please use either -H or config file to specify honeypots.\n"
            sys.exit(2)
        hsingleton = HoneysnapSingleton.getInstance(options)
        if not os.path.exists(options['output_data_directory']):
            make_dir(options['output_data_directory'])
        if os.path.exists(options['output_data_directory']):
            for i in options["honeypots"]:
                make_dir(options["output_data_directory"] + "/" + i)
        # by default treat args as files to be processed
        # handle multiple files being passed as args
        if len(args):
            for f in args:
                if os.path.exists(f) and os.path.isfile(f):
                    processFile(f)
                else:
                    print "File not found: %s" % f
                    sys.exit(2)
        # no args indicating files, read from stdin
        else:
            # can't really do true stdin input, since we repeatedly parse
            # the file, so create a tempfile that is read from stdin
            # pass it to processFile
            fh = sys.stdin
            tmph, tmpf = tempfile.mkstemp()
            tmph = open(tmpf, 'wb')
            for l in fh:
                tmph.write(l)
            tmph.close()
            processFile(tmpf)
            # all done, delete the tmp file
            os.unlink(tmpf)
        cleanup(options)
    else:
        print_help()
Пример #18
0
 def __init__(self, hp):        
     hs = HoneysnapSingleton.getInstance()
     options = hs.getOptions()
     Base.__init__(self)
     self.cmds = {}
     self.sources = {}
     self.targets = {}
     self.ips = {}
     self.users = {}
     self.channels = {}
     self.repeats = {}
     self.lines = {}      
     self.botwords = botwords
     self.words = words
     self.wordlines = []
     self.botlines = []    
     self.currenttopicsBotCmd = []
     self.currenttopicsKeyword = []
     self.serversvisited = []
     self.channelsvisited = []
     self.possbotnet = False
     self.honeypot = hp       
     self.privcount = 0     
     self.dir = ""
     self.fp = sys.stdout   
     self.limit=options['irc_limit']     
     self.tf = options['time_convert_fn']
     self.wordfile=options['wordfile'] 
     if self.wordfile:
         if os.path.exists(self.wordfile) and os.path.isfile(self.wordfile):
             wfp = open(self.wordfile, 'rb')
             filewords = wfp.readlines()
             filewords = [w.strip() for w in filewords]
             self.words = self.words + filewords 
         else:
             print "Can't open specified wordlist %s. Stopping" % self.wordfile
             print "Please check the existence of the wordfile, or delete the WORDFILE option from the config if it's not wanted"
             sys.exit(1)
Пример #19
0
 def __init__(self, hp):
     hs = HoneysnapSingleton.getInstance()
     options = hs.getOptions()
     Base.__init__(self)
     self.cmds = {}
     self.sources = {}
     self.targets = {}
     self.ips = {}
     self.users = {}
     self.channels = {}
     self.repeats = {}
     self.lines = {}
     self.botwords = botwords
     self.words = words
     self.wordlines = []
     self.botlines = []
     self.currenttopicsBotCmd = []
     self.currenttopicsKeyword = []
     self.serversvisited = []
     self.channelsvisited = []
     self.possbotnet = False
     self.honeypot = hp
     self.privcount = 0
     self.dir = ""
     self.fp = sys.stdout
     self.limit = options['irc_limit']
     self.tf = options['time_convert_fn']
     self.wordfile = options['wordfile']
     if self.wordfile:
         if os.path.exists(self.wordfile) and os.path.isfile(self.wordfile):
             wfp = open(self.wordfile, 'rb')
             filewords = wfp.readlines()
             filewords = [w.strip() for w in filewords]
             self.words = self.words + filewords
         else:
             print "Can't open specified wordlist %s. Stopping" % self.wordfile
             print "Please check the existence of the wordfile, or delete the WORDFILE option from the config if it's not wanted"
             sys.exit(1)
Пример #20
0
            o = self.outdir % i
            make_dir(o)

    def setOutput(self, file):
        self.outfile = file

    def dump_extract(self):  
        for s in self.states.getFlowStates():
            s.close()
            for func in self.plugins:
                func(s, self.states)

    def writeResults(self):
        """TODO: I would like to implement some sort of summarization
        of the data files that were written during the run...
        """
        pass

if __name__ == "__main__":                               
    # for testing. Edit suitably
    import sys                                          
    options = { 'honeypots':['192.168.0.1', '192.168.0.2'] }
    hsingleton = HoneysnapSingleton.getInstance(options)
    f = sys.argv[1]
    pcapObj = pcap.pcap(f)
    tflow = tcpFlow(pcapObj)  
    make_dir ('output')
    tflow.setOutdir("output/%s/")
    tflow.setFilter("not port 445")
    tflow.start()
Пример #21
0
def processFile(file):
    """
    Process a pcap file.
    file is the pcap file to parse
    This function will run any enabled options for each pcap file
    """
    hs = HoneysnapSingleton.getInstance()
    options = hs.getOptions()

    tmpf, deletetmp = check_pcap_file(file)
    options["tmpf"] = tmpf

    try:
        if options["filename"] is not None:
            out = rawPathOutput(options["filename"], mode="a+")
        else:
            out = outputSTDOUT()
    except IOError:
        # we have some error opening the file
        # there is something at that path. Is it a directory?
        if not os.path.isdir(options["output_data_directory"]):
            print "Error: output_data_directory exists, but is not a directory."
        else:
            print "Unknown Error creating output file"
            sys.exit(1)

    out("\n\nAnalysing file: %s\n\n" % file)

    if options["do_pcap"] == "YES":
        out("Pcap file information:\n")
        pi = pcapInfo(tmpf)
        pi.setOutput(out)
        pi.getStats()
        myout = rawPathOutput(options["output_data_directory"] +
                              "/pcapinfo.txt")
        pi.setOutput(myout)
        pi.getStats()
        out("\n")

    if options["do_packets"] == "YES":
        out("\nIP packet summary for common ports:\n\n")
        out("%-40s %10s\n" % ("Filter", "Packets"))
        filters = setFilters(options)
        for i in filters:
            key, filt = i
            out(key + "\n")
            for hp in options['honeypots']:
                p = pcap.pcap(tmpf)
                c = Counter(p)
                c.setOutput(out)
                f = filt % hp
                c.setFilter(f)
                c.count()
                del p
            out("\n")

    if options["do_incoming"] == "YES":
        for hp in options["honeypots"]:
            out("Counting incoming connections for %s\n" % hp)
            outdir = options["output_data_directory"] + "/%s/conns" % hp
            make_dir(outdir)
            p = pcap.pcap(tmpf)
            s = Summarize(p)
            filt = 'dst host %s' % hp
            s.setFilter(filt)
            s.start()
            fileout = rawPathOutput(outdir + "/incoming.txt", mode="a")
            if options["print_verbose"] == "YES":
                outputs = (fileout, out)
            else:
                outputs = (fileout, )
            for output in outputs:
                s.setOutput(output)
                s.doOutput("\nIncoming connections for %s\n" % hp)
                s.writeResults(limit=options["flow_count_limit"])
            del p

    if options["do_outgoing"] == "YES":
        for hp in options["honeypots"]:
            out("\nCounting outgoing connections for %s\n" % hp)
            outdir = options["output_data_directory"] + "/%s/conns" % hp
            make_dir(outdir)
            p = pcap.pcap(tmpf)
            s = Summarize(p)
            filt = 'src host %s' % hp
            s.setFilter(filt)
            s.start()
            fileout = rawPathOutput(outdir + "/outgoing.txt", mode="a")
            if options["print_verbose"] == "YES":
                outputs = (fileout, out)
            else:
                outputs = (fileout, )
            for output in outputs:
                s.setOutput(output)
                s.doOutput("\nOutgoing connections for %s\n" % hp)
                s.writeResults(limit=options["flow_count_limit"])
            del p

    if options["do_dns"] == "YES":
        out("\nExtracting DNS data to file\n\n")
        for hp in options["honeypots"]:
            #out("\nHoneypot %s\n\n" % hp)
            dns = dnsDecode(hp, direction="queried")
            dns.setOutdir(options["output_data_directory"] + "/%s/dns" % hp)
            dns.setOutput(out)
            dns.run()
            del dns
            dns = dnsDecode(hp, direction="served")
            dns.setOutdir(options["output_data_directory"] + "/%s/dns" % hp)
            dns.setOutput(out)
            dns.run()
            del dns

    if options["do_telnet"] == "YES":
        out("\nExtracting telnet data to file\n")
        for hp in options["honeypots"]:
            #out("\nHoneypot %s\n\n" % hp)
            tel = telnetDecode(hp)
            tel.setOutdir(options["output_data_directory"] + "/%s/telnet" % hp)
            tel.setOutput(out)
            tel.run()
            del tel

    if options["do_irc"] == "YES":
        """
        Here we will use PcapRE to find packets on irc_port with "PRIVMSG"
        in the payload. 
        """
        for hp in options["honeypots"]:
            out("\nLooking for packets containing PRIVMSG for %s\n\n" % hp)
            p = pcap.pcap(tmpf)
            r = pcapReCounter(p)
            r.setFilter("host %s and tcp" % hp)
            r.setRE('PRIVMSG')
            r.setOutput(out)
            r.start()
            r.writeResults()
            for port in r.server_ports(options['irc_ports'][hp]):
                if port not in options['irc_ports'][hp]:
                    if port == 80:
                        out("\nSaw PRIVMSG on port 80, but cowardly not adding it to IRC port list - check manually\n"
                            )
                    else:
                        out("\nAdding port %s to irc list for %s\n" %
                            (port, hp))
                        options['irc_ports'][hp].add(port)
            del p
            del r

        out("\nAnalysing IRC\n")
        for hp in options["honeypots"]:
            outdir = options["output_data_directory"] + "/%s/irc" % hp
            for port in options["irc_ports"][hp]:
                out("\nHoneypot %s, port %s\n\n" % (hp, port))
                hirc = HoneySnapIRC()
                hirc.connect(tmpf, "host %s and tcp and port %s" % (hp, port))
                hd = ircDecode(hp)
                hd.setOutput(out)
                hd.setOutdir(outdir)
                hd.setOutfile('irclog-%s.txt' % port)
                hirc.addHandler("all_events", hd.decodeCB, -1)
                hirc.ircobj.add_global_handler("all_events", hd.printLines, -1)
                hirc.ircobj.process_once()
                hd.printSummary()
                del hd
                del hirc

    if options["all_flows"] == "YES":
        out("\nExtracting all flows\n")
        p = pcap.pcap(tmpf)
        de = tcpflow.tcpFlow(p)
        filt = "host "
        filt += " or host ".join(options["honeypots"])
        de.setFilter(filt)
        de.setOutdir(options["output_data_directory"] + "/%s/flows")
        de.setOutput(out)
        de.start()
        de.dump_extract()
        del de
        del p

    if options["do_http"] == "YES":
        out("\nExtracting from HTTP\n\n")
        p = pcap.pcap(tmpf)
        de = tcpflow.tcpFlow(p)
        de.setFilter("port 80")
        de.setOutdir(options["output_data_directory"] + "/%s/http")
        de.setOutput(out)
        decode = httpDecode.httpDecode()
        decode.setOutput(out)
        de.registerPlugin(decode.decode)
        de.start()
        de.dump_extract()
        decode.print_summary()
        del de
        del p

    if options["do_ftp"] == "YES":
        out("\nExtracting from FTP\n\n")
        p = pcap.pcap(tmpf)
        de = tcpflow.tcpFlow(p)
        de.setFilter("port 20 or port 21")
        de.setOutdir(options["output_data_directory"] + "/%s/ftp")
        de.setOutput(out)
        decode = ftpDecode.ftpDecode()
        decode.setOutput(out)
        de.registerPlugin(decode.decode)
        de.start()
        de.dump_extract()
        decode.print_summary()
        del de
        del p

    if options["do_smtp"] == "YES":
        out("\nExtracting from SMTP\n\n")
        p = pcap.pcap(tmpf)
        de = tcpflow.tcpFlow(p)
        de.setFilter("port 25")
        de.setOutdir(options["output_data_directory"] + "/%s/smtp")
        de.setOutput(out)
        decode = smtpDecode.smtpDecode()
        decode.setOutput(out)
        de.registerPlugin(decode.decode)
        de.start()
        de.dump_extract()
        decode.print_summary()
        del de
        del p

    if options["do_sebek"] == "YES":
        out("\nExtracting Sebek data\n")
        for hp in options["honeypots"]:
            out("\nHoneypot %s\n\n" % hp)
            sbd = sebekDecode(hp)
            sbd.setOutdir(options["output_data_directory"] + "/%s/sebek" % hp)
            sbd.setOutput(out)
            sbd.run()
            sbd.print_summary()
            del sbd

    if options["do_socks"] == "YES":
        out("\nExtracting Socks proxy information:\n")
        for hp in options["honeypots"]:
            out("\nHoneypot %s\n\n" % hp)
            p = pcap.pcap(tmpf)
            socks = SocksDecode(p, hp)
            socks.setOutdir(options["output_data_directory"] +
                            "/%s/socks" % hp)
            socks.setOutput(out)
            socks.start()

    # delete the tmp file we used to hold unzipped data
    if deletetmp:
        os.unlink(tmpf)
Пример #22
0
def processFile(file):
    """
    Process a pcap file.
    file is the pcap file to parse
    This function will run any enabled options for each pcap file
    """
    hs = HoneysnapSingleton.getInstance()
    options = hs.getOptions()

    tmpf, deletetmp = check_pcap_file(file)
    options["tmpf"] = tmpf

    try:
        if options["filename"] is not None:
            out = rawPathOutput(options["filename"], mode="a+")
        else:
            out = outputSTDOUT()
    except IOError:
        # we have some error opening the file
        # there is something at that path. Is it a directory?
        if not os.path.isdir(options["output_data_directory"]):
            print "Error: output_data_directory exists, but is not a directory."
        else:
            print "Unknown Error creating output file"
            sys.exit(1)

    out("\n\nAnalysing file: %s\n\n" % file)

    if options["do_pcap"] == "YES":
        out("Pcap file information:\n")
        pi = pcapInfo(tmpf)
        pi.setOutput(out)
        pi.getStats()
        myout = rawPathOutput(options["output_data_directory"] +"/pcapinfo.txt")
        pi.setOutput(myout)
        pi.getStats()
        out("\n")

    if options["do_packets"] == "YES":
        out("\nIP packet summary for common ports:\n\n")
        out("%-40s %10s\n" % ("Filter", "Packets"))
        filters = setFilters(options)
        for i in filters:
            key, filt = i
            out(key+"\n")
            for hp in options['honeypots']:
                p = pcap.pcap(tmpf)
                c = Counter(p)
                c.setOutput(out)   
                f = filt % hp
                c.setFilter(f)
                c.count()
                del p
            out("\n")

    if options["do_incoming"] == "YES":
        for hp in options["honeypots"]:
            out("Counting incoming connections for %s\n" % hp)
            outdir = options["output_data_directory"] + "/%s/conns" % hp
            make_dir(outdir)
            p = pcap.pcap(tmpf)
            s = Summarize(p)
            filt = 'dst host %s' % hp
            s.setFilter(filt)
            s.start()
            fileout = rawPathOutput(outdir+"/incoming.txt", mode="a")
            if options["print_verbose"] == "YES":
                outputs = (fileout, out)
            else:
                outputs = (fileout,)
            for output in outputs:
                s.setOutput(output)
                s.doOutput("\nIncoming connections for %s\n" % hp)
                s.writeResults(limit=options["flow_count_limit"])
            del p


    if options["do_outgoing"] == "YES":
        for hp in options["honeypots"]:
            out("\nCounting outgoing connections for %s\n" % hp)
            outdir = options["output_data_directory"] + "/%s/conns" % hp
            make_dir(outdir)
            p = pcap.pcap(tmpf)
            s = Summarize(p)
            filt = 'src host %s' % hp
            s.setFilter(filt)
            s.start()
            fileout = rawPathOutput(outdir+"/outgoing.txt", mode="a")
            if options["print_verbose"] == "YES":
                outputs = (fileout, out)
            else:
                outputs = (fileout,)
            for output in outputs:
                s.setOutput(output)
                s.doOutput("\nOutgoing connections for %s\n" % hp)
                s.writeResults(limit=options["flow_count_limit"])
            del p

    if options["do_dns"] == "YES":
        out("\nExtracting DNS data to file\n\n")
        for hp in options["honeypots"]:
            #out("\nHoneypot %s\n\n" % hp)
            dns = dnsDecode(hp, direction="queried")
            dns.setOutdir(options["output_data_directory"] + "/%s/dns" % hp)
            dns.setOutput(out)
            dns.run()
            del dns
            dns = dnsDecode(hp, direction="served")
            dns.setOutdir(options["output_data_directory"] + "/%s/dns" % hp)
            dns.setOutput(out)
            dns.run()
            del dns

    if options["do_telnet"] == "YES":
        out("\nExtracting telnet data to file\n")
        for hp in options["honeypots"]:
            #out("\nHoneypot %s\n\n" % hp)
            tel = telnetDecode(hp)
            tel.setOutdir(options["output_data_directory"] + "/%s/telnet" % hp)
            tel.setOutput(out)
            tel.run()
            del tel

    if options["do_irc"] == "YES":
        """
        Here we will use PcapRE to find packets on irc_port with "PRIVMSG"
        in the payload. 
        """
        for hp in options["honeypots"]:
            out("\nLooking for packets containing PRIVMSG for %s\n\n" % hp)
            p = pcap.pcap(tmpf)
            r = pcapReCounter(p)
            r.setFilter("host %s and tcp" % hp)
            r.setRE('PRIVMSG')
            r.setOutput(out)
            r.start()                         
            r.writeResults() 
            for port in r.server_ports(options['irc_ports'][hp]):
                if port not in options['irc_ports'][hp]:    
                    if port==80:
                        out("\nSaw PRIVMSG on port 80, but cowardly not adding it to IRC port list - check manually\n")
                    else:
                        out("\nAdding port %s to irc list for %s\n" % (port, hp)) 
                        options['irc_ports'][hp].add(port) 
            del p
            del r

        out("\nAnalysing IRC\n")
        for hp in options["honeypots"]:
            outdir = options["output_data_directory"] + "/%s/irc" % hp
            for port in options["irc_ports"][hp]:
                out("\nHoneypot %s, port %s\n\n" % (hp, port))
                hirc = HoneySnapIRC()
                hirc.connect(tmpf, "host %s and tcp and port %s" % (hp, port))
                hd = ircDecode(hp)
                hd.setOutput(out)
                hd.setOutdir(outdir)
                hd.setOutfile('irclog-%s.txt' % port)
                hirc.addHandler("all_events", hd.decodeCB, -1)
                hirc.ircobj.add_global_handler("all_events", hd.printLines, -1)
                hirc.ircobj.process_once()
                hd.printSummary()
                del hd
                del hirc

    if options["all_flows"] == "YES":
        out("\nExtracting all flows\n")
        p = pcap.pcap(tmpf)
        de = tcpflow.tcpFlow(p)
        filt = "host "
        filt += " or host ".join(options["honeypots"])
        de.setFilter(filt)
        de.setOutdir(options["output_data_directory"]+ "/%s/flows")
        de.setOutput(out)
        de.start()
        de.dump_extract()
        del de
        del p

    if options["do_http"] == "YES":
        out("\nExtracting from HTTP\n\n")
        p = pcap.pcap(tmpf)
        de = tcpflow.tcpFlow(p)
        de.setFilter("port 80")
        de.setOutdir(options["output_data_directory"]+ "/%s/http")
        de.setOutput(out)
        decode = httpDecode.httpDecode()
        decode.setOutput(out)
        de.registerPlugin(decode.decode)
        de.start()
        de.dump_extract()
        decode.print_summary()
        del de
        del p


    if options["do_ftp"] == "YES":
        out("\nExtracting from FTP\n\n")
        p = pcap.pcap(tmpf)
        de = tcpflow.tcpFlow(p)
        de.setFilter("port 20 or port 21")
        de.setOutdir(options["output_data_directory"] + "/%s/ftp")
        de.setOutput(out)
        decode = ftpDecode.ftpDecode()
        decode.setOutput(out)
        de.registerPlugin(decode.decode)
        de.start()
        de.dump_extract()
        decode.print_summary() 
        del de
        del p

    if options["do_smtp"] == "YES":
        out("\nExtracting from SMTP\n\n")
        p = pcap.pcap(tmpf)
        de = tcpflow.tcpFlow(p)
        de.setFilter("port 25")
        de.setOutdir(options["output_data_directory"] + "/%s/smtp")
        de.setOutput(out)
        decode = smtpDecode.smtpDecode()
        decode.setOutput(out)
        de.registerPlugin(decode.decode)
        de.start()
        de.dump_extract()
        decode.print_summary() 
        del de
        del p

    if options["do_sebek"] == "YES":
        out("\nExtracting Sebek data\n")
        for hp in options["honeypots"]:
            out("\nHoneypot %s\n\n" % hp)
            sbd = sebekDecode(hp)
            sbd.setOutdir(options["output_data_directory"] + "/%s/sebek" % hp)
            sbd.setOutput(out)
            sbd.run()
            sbd.print_summary()
            del sbd

    if options["do_socks"] == "YES":
        out("\nExtracting Socks proxy information:\n")
        for hp in options["honeypots"]:
            out("\nHoneypot %s\n\n" % hp)
            p = pcap.pcap(tmpf)
            socks = SocksDecode(p,hp)
            socks.setOutdir(options["output_data_directory"] + "/%s/socks" % hp)
            socks.setOutput(out)
            socks.start()

    # delete the tmp file we used to hold unzipped data
    if deletetmp:
        os.unlink(tmpf)
Пример #23
0
            make_dir(o)

    def setOutput(self, file):
        self.outfile = file

    def dump_extract(self):
        for s in self.states.getFlowStates():
            s.close()
            for func in self.plugins:
                func(s, self.states)

    def writeResults(self):
        """TODO: I would like to implement some sort of summarization
        of the data files that were written during the run...
        """
        pass


if __name__ == "__main__":
    # for testing. Edit suitably
    import sys
    options = {'honeypots': ['192.168.0.1', '192.168.0.2']}
    hsingleton = HoneysnapSingleton.getInstance(options)
    f = sys.argv[1]
    pcapObj = pcap.pcap(f)
    tflow = tcpFlow(pcapObj)
    make_dir('output')
    tflow.setOutdir("output/%s/")
    tflow.setFilter("not port 445")
    tflow.start()
Пример #24
0
 def __init__(self):
     self.current_time = 0
     self.flow_hash = {}
     self.curent_time = 0
     self.outdir = None
     self.hs = HoneysnapSingleton.getInstance()
Пример #25
0
 def __init__(self):
     self.current_time = 0
     self.flow_hash = {}
     self.curent_time = 0
     self.outdir = None
     self.hs = HoneysnapSingleton.getInstance()