def setUp(self): app.app.config['WTF_CSRF_ENABLED'] = False app.app.config['CERT_PATH'] = os.path.join(os.path.dirname(__file__), 'beeswarmcfg.json.test') app.app.config['SERVER_CONFIG'] = os.path.join(os.path.dirname(__file__), 'beeswarmcfg.json.test') self.app = app.app.test_client() self.authenticator = Authenticator() database.setup_db('sqlite://') session = database.get_session() #dummy entities self.authenticator.add_user('test', 'test', 0) self.client_id = str(uuid.uuid4()) self.client_password = str(uuid.uuid4()) self.authenticator.add_user(self.client_id, self.client_password, 2) self.honeypot_id = str(uuid.uuid4()) self.honeypot_password = str(uuid.uuid4()) self.authenticator.add_user(self.honeypot_id, self.honeypot_password, 1) session.add_all([Client(id=self.client_id, configuration='test_client_config'), Honeypot(id=self.honeypot_id, configuration='test_honeypot_config') ]) session.commit()
def populate_honeybees(self): """ Populates the database with 3 Honeybees """ db_session = database.get_session() for i in xrange(3): h = BaitSession( id=str(uuid.uuid4()), timestamp=datetime.utcnow(), received=datetime.utcnow(), protocol='ssh', destination_ip='1.2.3.4', destination_port=1234, source_ip='4.3.2.1', source_port=4321, did_connect=True, did_login=False, did_complete=True ) a = Authentication(id=str(uuid.uuid4()), username='******', password='******', successful=False, timestamp=datetime.utcnow()) h.authentication.append(a) db_session.add(h) db_session.commit()
def test_correlation_bait_session(self): """ Test if bait session is correctly identified as related to a specific honeypot session. We expect the bait entity to be classified as a legit (successfully completed) 'bait_Session' and that the honeypot session is deleted. """ #setup the honeypot session we expect to match the bait_session db_session = database.get_session() honeypot = db_session.query(Honeypot).filter(Honeypot.id == self.honeypot_id).one() s_id = str(uuid.uuid4()) s = Session(id=s_id, source_ip='321', destination_ip='123', received=datetime.now(), timestamp=self.bait_session_datetime - timedelta(seconds=2), protocol='pop3', source_port=1, destination_port=1, honeypot=honeypot) a = Authentication(id=str(uuid.uuid4()), username='******', password='******', successful=True, timestamp=datetime.utcnow()) s.authentication.append(a) db_session.add(s) db_session.commit() c = Classifier() c.classify_bait_session(0) bait_session = db_session.query(BaitSession).filter(BaitSession.id == self.bait_session_id).one() session = db_session.query(Session).filter(Session.id == s_id).first() #test that the bait session got classified self.assertTrue( bait_session.classification == db_session.query(Classification).filter(Classification.type == 'bait_session').one()) #test that the honeypot session got deleted self.assertIsNone(session)
def test_client_delete(self): """ Tests the '/ws/client/delete' route.""" self.login('test', 'test') self.populate_clients() data = [self.clients[0], self.clients[1]] self.app.post('/ws/client/delete', data=json.dumps(data)) db_session = database.get_session() nclients = db_session.query(Client).count() self.assertEquals(3, nclients)
def test_honeypot_delete(self): """ Tests the '/ws/honeypot/delete' route.""" self.login('test', 'test') self.populate_honeypots() data = [ self.honeypots[0], self.honeypots[1]] self.app.post('/ws/honeypot/delete', data=json.dumps(data)) db_session = database.get_session() honeypot_count = db_session.query(Honeypot).count() self.assertEquals(3, honeypot_count)
def populate_honeypots(self): """ Populates the database with 4 honeypots """ db_session = database.get_session() self.honeypots = [] for i in xrange(4): # We add 4 here, but one is added in the setup method curr_id = str(uuid.uuid4()) curr_id = curr_id.encode('utf-8') self.honeypots.append(curr_id) h = Honeypot(id=curr_id) u = User(id=curr_id, password=str(uuid.uuid4()), utype=1) db_session.add(h) db_session.add(u) db_session.commit()
def test_data_transcripts(self): """ Tests that if given a session ID we can extract the relevant transcripts""" db_session = database.get_session() self.login('test', 'test') session_id = str(uuid.uuid4()) timestamp = datetime.utcnow() db_session.add(Transcript(timestamp=timestamp, direction='outgoing', data='whoami', session_id=session_id)) db_session.add(Transcript(timestamp=timestamp, direction='outgoing', data='root\r\n', session_id=session_id)) db_session.commit() resp = self.app.get('/data/session/{0}/transcript'.format(session_id)) data = json.loads(resp.data) string_timestamp = timestamp.strftime('%Y-%m-%d %H:%M:%S') expected_result = [{u'direction': u'outgoing', u'data': u'whoami', u'time': u'{0}'.format(string_timestamp)}, {u'direction': u'outgoing', u'data': u'root\r\n', u'time': u'{0}'.format(string_timestamp)}] self.assertDictEqual(sorted(data)[0], sorted(expected_result)[0])
def test_classify_sessions_probe(self): """ Test if session without authentication attempts is tagged as probes. """ db_session = database.get_session() honeypot = db_session.query(Honeypot).filter(Honeypot.id == self.honeypot_id).one() session_id = str(uuid.uuid4()) s = Session(id=session_id, source_ip='111', destination_ip='222', received=datetime.utcnow(), timestamp=datetime.utcnow(), protocol='telnet', source_port=1, destination_port=1, honeypot=honeypot) db_session.add(s) db_session.commit() c = Classifier() c.classify_sessions(0, db_session) result = db_session.query(Session).filter(Session.classification_id == 'probe').one() #we expect the resultset to contain session1010 self.assertEquals(result.id, session_id)
def setUp(self): #'sqlite://' gives a in-memory sqlite database database.setup_db('sqlite://') self.client_id = str(uuid.uuid4()) self.honeypot_id = str(uuid.uuid4()) self.bait_session_id = str(uuid.uuid4()) self.bait_session_datetime = datetime.utcnow() db_session = database.get_session() client = Client(id=self.client_id) honeypot = Honeypot(id=self.honeypot_id) bait_session = BaitSession(id=self.bait_session_id, source_ip='321', destination_ip='123', received=datetime.utcnow(), timestamp=self.bait_session_datetime, protocol='pop3', source_port=1, destination_port=1, did_complete=True, client=client, honeypot=honeypot) authentication = Authentication(id=str(uuid.uuid4()), username='******', password='******', successful=True, timestamp=datetime.utcnow()) bait_session.authentication.append(authentication) db_session.add_all([client, honeypot, bait_session]) db_session.commit()
def test_classify_sessions_reuse_credentails(self): """ Test if attack which uses previously transmitted credentials is tagged correctly """ db_session = database.get_session() honeypot = db_session.query(Honeypot).filter(Honeypot.id == self.honeypot_id).one() s = Session(id='session1010', source_ip='321', destination_ip='123', received=datetime.utcnow(), timestamp=datetime.utcnow() + timedelta(seconds=-25), protocol='pop3', source_port=1, destination_port=1, honeypot=honeypot) a = Authentication(id=str(uuid.uuid4()), username='******', password='******') s.authentication.append(a) db_session.add(s) db_session.commit() c = Classifier() c.classify_sessions(0, db_session) result = db_session.query(Session).filter(Session.classification_id == 'credentials_reuse').one() #we expect the resultset to contain session1010 self.assertEquals(result.id, 'session1010')
def populate_sessions(self): """ Populates the database with 3 Sessions """ db_session = database.get_session() for i in xrange(4): s = Session( id=str(uuid.uuid4()), timestamp=datetime.utcnow(), received=datetime.utcnow(), protocol='telnet', destination_ip='123.123.123.123', destination_port=1234, source_ip='12.12.12.12', source_port=12345, classification_id='asd' ) a = Authentication(id=str(uuid.uuid4()), username='******', password='******', successful=False, timestamp=datetime.utcnow()) s.authentication.append(a) db_session.add(s) db_session.commit()
def test_classify_sessions_bruteforce(self): """ Test if 'standalone' sessions older than X seconds get classified as brute-force attempts. """ db_session = database.get_session() honeypot = db_session.query(Honeypot).filter(Honeypot.id == self.honeypot_id).one() for id, offset in (('session99', -30), ('session88', -10), ('session77', -2)): s = Session(id=id, source_ip='321', destination_ip='123', received=datetime.utcnow(), timestamp=datetime.utcnow() + timedelta(seconds=offset), protocol='pop3', source_port=1, destination_port=1, honeypot=honeypot) a = Authentication(id=str(uuid.uuid4()), username='******', password='******') s.authentication.append(a) db_session.add(s) db_session.commit() c = Classifier() c.classify_sessions(5) result = db_session.query(Session).filter(Session.classification_id == 'bruteforce').all() #we expect the resultset to contain session1 and session2 self.assertEquals(len(result), 2)
def test_matching_session(self): """ Test if the get_matching_session method returns the session that matches the given bait session. """ db_session = database.get_session() bait_session = db_session.query(BaitSession).filter(BaitSession.id == self.bait_session_id).one() honeypot = db_session.query(Honeypot).filter(Honeypot.id == self.honeypot_id).one() #session2 is the matching session for id, offset in (('session1', -15), ('session2', 3), ('session3', 15)): s = Session(id=id, source_ip='321', destination_ip='123', received=datetime.utcnow(), timestamp=bait_session.timestamp + timedelta(seconds=offset), protocol='pop3', source_port=1, destination_port=1, honeypot=honeypot) a = Authentication(id=str(uuid.uuid4()), username='******', password='******', successful=True, timestamp=datetime.utcnow()) s.authentication.append(a) db_session.add(s) db_session.commit() classifier = Classifier() result = classifier.get_matching_session(bait_session) self.assertEqual('session2', result.id)
def fill_dummy_data(): """ Populates the server data with dummy data to ease development. """ db_session = database.get_session() protocols = [('pop3', 110), ('ssh', 22), ('telnet', 23), ('ftp', 21), ('http', 80)] source_ips = ('192.168.1.2', '192.168.2.3', '192.168.3.4', '192.168.4.5') honeypots = [Honeypot(id=str(uuid.uuid4()))] client = [Client(id=str(uuid.uuid4()))] sessions = [] authentications = [] while len(sessions) < 100: session = BaitSession(id=str(uuid.uuid4()), timestamp=datetime.now(), source_ip=random.choice(source_ips), source_port=random.randint(1024, 65535), destination_ip='4.3.2.1', destination_port='1111') session.protocol, session.destination_port = random.choice(protocols) session.honeypot = random.choice(honeypots) session.client = random.choice(client) session.classification = db_session.query(Classification).filter(Classification.type == 'bait_session').one() username = ''.join(random.choice(string.lowercase) for x in range(8)) password = ''.join(random.choice(string.lowercase) for x in range(8)) authentication = Authentication(id=str(uuid.uuid4()), username=username, password=password) session.authentication.append(authentication) for x in range(10): data = ''.join(random.choice(string.lowercase) for x in range(15)) direction = ('in', 'out')[x % 2] transcript = Transcript(timestamp=datetime.now(), direction=direction, data=data) session.transcript.append(transcript) authentications.append(authentication) sessions.append(session) while len(sessions) < 200: session = Session(id=str(uuid.uuid4()), timestamp=datetime.now(), source_ip=random.choice(source_ips), source_port=random.randint(1024, 65535), destination_ip='4.3.2.1', destination_port='1111') session.protocol, session.destination_port = random.choice(protocols) session.honeypot = random.choice(honeypots) session.classification = db_session.query(Classification).filter(Classification.type == 'credentials_reuse').one() username = ''.join(random.choice(string.lowercase) for x in range(8)) password = ''.join(random.choice(string.lowercase) for x in range(8)) authentication = Authentication(id=str(uuid.uuid4()), username=username, password=password) session.authentication.append(authentication) authentications.append(authentication) sessions.append(session) db_session.add_all(authentications) db_session.add_all(sessions) db_session.add_all(honeypots) db_session.add_all(client) db_session.commit()