def populate_sessions(self):
    """Insert four telnet Session fixtures, each with one failed login attempt.

    The loop runs ``xrange(4)`` times, so four rows are written.
    """
    fixture_db = database.get_session()
    for _ in xrange(4):
        fixture = Session(
            id=str(uuid.uuid4()),
            timestamp=datetime.utcnow(),
            received=datetime.utcnow(),
            protocol='telnet',
            destination_ip='123.123.123.123',
            destination_port=1234,
            source_ip='12.12.12.12',
            source_port=12345,
            classification_id='asd',
        )
        # One unsuccessful authentication entry is attached to every fixture session.
        fixture.authentication.append(
            Authentication(
                id=str(uuid.uuid4()),
                username='******',
                password='******',
                successful=False,
                timestamp=datetime.utcnow(),
            )
        )
        fixture_db.add(fixture)
    fixture_db.commit()
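def persist_session(self, session_json, session_type):
    """Persist one reported session and merge it with a matching one, if any.

    Args:
        session_json: JSON text describing the session.
        session_type: ``Messages.SESSION_HONEYPOT`` stores a ``Session`` with
            its transcript and login attempts; ``Messages.SESSION_CLIENT``
            stores a ``BaitSession`` tied to the reporting client. Any other
            value is logged and ignored.

    Returns:
        None. Nothing is stored for an unknown type, or for an incomplete
        bait session when the 'ignore_failed_bait_session' config item is
        truthy.

    Raises:
        AssertionError: ``honeypot_id`` in the payload is None.
    """
    time_format = '%Y-%m-%dT%H:%M:%S.%f'

    try:
        data = json.loads(session_json)
    except UnicodeDecodeError:
        # Not valid UTF-8: retry as ISO-8859-1, which can decode any byte value.
        data = json.loads(unicode(session_json, "ISO-8859-1"))
    # NOTE(review): the whole payload goes to the debug log, including the
    # 'login_attempts' entries (presumably usernames and passwords) - confirm
    # who can read that log.
    logger.debug('Persisting {0} session: {1}'.format(session_type, data))

    db_session = self.db_session
    classification = db_session.query(Classification).filter(
        Classification.type == 'pending').one()
    # Explicit raise instead of `assert`: assert statements are stripped under
    # `python -O`. AssertionError is kept so the failure type is unchanged.
    if data['honeypot_id'] is None:
        raise AssertionError('session data has no honeypot_id')
    _honeypot = db_session.query(Honeypot).filter(
        Honeypot.id == data['honeypot_id']).one()

    if session_type == Messages.SESSION_HONEYPOT:
        session = Session()
        for entry in data['transcript']:
            transcript_timestamp = datetime.strptime(entry['timestamp'], time_format)
            transcript = Transcript(timestamp=transcript_timestamp,
                                    direction=entry['direction'],
                                    data=entry['data'])
            session.transcript.append(transcript)
        for auth in data['login_attempts']:
            authentication = self.extract_auth_entity(auth)
            session.authentication.append(authentication)
    elif session_type == Messages.SESSION_CLIENT:
        ignore_failed_bait_sessions = self.send_config_request(
            '{0} {1}'.format(Messages.GET_CONFIG_ITEM, 'ignore_failed_bait_session'))
        if not data['did_complete'] and ignore_failed_bait_sessions:
            logger.debug('Ignore failed bait session.')
            return
        session = BaitSession()
        client = db_session.query(Client).filter(
            Client.id == data['client_id']).one()
        client.last_activity = datetime.now()
        session.did_connect = data['did_connect']
        session.did_login = data['did_login']
        session.did_complete = data['did_complete']
        session.client = client
        for auth in data['login_attempts']:
            authentication = self.extract_auth_entity(auth)
            session.authentication.append(authentication)
    else:
        logger.warn('Unknown message type: {0}'.format(session_type))
        return

    session.id = data['id']
    session.classification = classification
    session.timestamp = datetime.strptime(data['timestamp'], time_format)
    session.received = datetime.utcnow()
    session.protocol = data['protocol']
    session.destination_ip = data['destination_ip']
    session.destination_port = data['destination_port']
    session.source_ip = data['source_ip']
    session.source_port = data['source_port']
    session.honeypot = _honeypot

    db_session.add(session)
    try:
        db_session.commit()
    except Exception:
        # db_session is self.db_session and outlives this call: undo the failed
        # transaction so one rejected record does not break later commits.
        db_session.rollback()
        raise

    matching_session = self.get_matching_session(session, db_session)
    # Unknown types returned above, so only the two known types reach this
    # point; the former `else: assert False` branch could never run.
    if matching_session:
        if session_type == Messages.SESSION_HONEYPOT:
            self.merge_bait_and_session(session, matching_session, db_session)
        elif session_type == Messages.SESSION_CLIENT:
            self.merge_bait_and_session(matching_session, session, db_session)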
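def persist_session(self, session_type, session_json):
    """Persist one reported session, pruning the oldest stored one at the cap.

    Args:
        session_type: ``Messages.SESSION_HONEYPOT.value`` stores a ``Session``
            with transcript and login attempts;
            ``Messages.SESSION_CLIENT.value`` stores a ``BaitSession`` tied to
            the reporting client. Any other value is logged and ignored.
        session_json: JSON text describing the session.

    Returns:
        None. Nothing is stored when ``self.max_session_count`` is 0, for an
        unknown type, or for an incomplete bait session when the
        'ignore_failed_bait_session' config item is truthy.

    Raises:
        AssertionError: ``honeypot_id`` in the payload is None.
    """
    time_format = '%Y-%m-%dT%H:%M:%S.%f'

    db_session = database_setup.get_session()
    limit = self.max_session_count
    if limit == 0:
        return
    stored = db_session.query(Session).count()
    # The original pruned only when the count was exactly equal to the limit,
    # so a table that ever got past the limit was never pruned again and could
    # grow without bound. A positive integer limit now also prunes above the
    # limit; any other limit value keeps the original equality test.
    if stored == limit or (isinstance(limit, int) and stored > limit > 0):
        # NOTE(review): selecting the entity next to min() relies on the
        # backend returning the row that holds the minimum - confirm for the
        # database in use.
        session_to_delete = db_session.query(
            Session, func.min(Session.timestamp)).first()[0]
        # NOTE(review): the delete is committed only with the new row below;
        # on the early-return paths it stays pending in db_session.
        db_session.delete(session_to_delete)

    try:
        data = json.loads(session_json)
    except UnicodeDecodeError:
        # Not valid UTF-8: retry as ISO-8859-1, which can decode any byte value.
        data = json.loads(unicode(session_json, "ISO-8859-1"))
    # NOTE(review): the whole payload goes to the debug log, including the
    # 'login_attempts' entries (presumably usernames and passwords) - confirm
    # who can read that log.
    logger.debug('Persisting {0} session: {1}'.format(session_type, data))

    classification = db_session.query(Classification).filter(
        Classification.type == 'pending').one()
    # Explicit raise instead of `assert`: assert statements are stripped under
    # `python -O`. AssertionError is kept so the failure type is unchanged.
    if data['honeypot_id'] is None:
        raise AssertionError('session data has no honeypot_id')
    _honeypot = db_session.query(Honeypot).filter(
        Honeypot.id == data['honeypot_id']).one()

    if session_type == Messages.SESSION_HONEYPOT.value:
        session = Session()
        for entry in data['transcript']:
            transcript_timestamp = datetime.strptime(entry['timestamp'], time_format)
            transcript = Transcript(timestamp=transcript_timestamp,
                                    direction=entry['direction'],
                                    data=entry['data'])
            session.transcript.append(transcript)
        for auth in data['login_attempts']:
            authentication = self.extract_auth_entity(auth)
            session.authentication.append(authentication)
    elif session_type == Messages.SESSION_CLIENT.value:
        ignore_failed_bait_sessions = self.send_config_request(
            '{0} {1}'.format(Messages.GET_CONFIG_ITEM.value, 'ignore_failed_bait_session'))
        if not data['did_complete'] and ignore_failed_bait_sessions:
            logger.debug('Ignore failed bait session.')
            return
        session = BaitSession()
        client = db_session.query(Client).filter(
            Client.id == data['client_id']).one()
        client.last_activity = datetime.now()
        session.did_connect = data['did_connect']
        session.did_login = data['did_login']
        session.did_complete = data['did_complete']
        session.client = client
        for auth in data['login_attempts']:
            authentication = self.extract_auth_entity(auth)
            session.authentication.append(authentication)
    else:
        logger.warn('Unknown message type: {0}'.format(session_type))
        return

    session.id = data['id']
    session.classification = classification
    session.timestamp = datetime.strptime(data['timestamp'], time_format)
    session.received = datetime.utcnow()
    session.protocol = data['protocol']
    session.destination_ip = data['destination_ip']
    session.destination_port = data['destination_port']
    session.source_ip = data['source_ip']
    session.source_port = data['source_port']
    session.honeypot = _honeypot

    db_session.add(session)
    try:
        db_session.commit()
    except Exception:
        # Undo the failed transaction before re-raising so db_session is not
        # left mid-transaction (whether it is shared is not visible here).
        db_session.rollback()
        raise

    matching_session = self.get_matching_session(session, db_session)
    # Unknown types returned above, so only the two known types reach this
    # point; the former `else: assert False` branch could never run.
    if matching_session:
        if session_type == Messages.SESSION_HONEYPOT.value:
            self.merge_bait_and_session(session, matching_session, db_session)
        elif session_type == Messages.SESSION_CLIENT.value:
            self.merge_bait_and_session(matching_session, session, db_session)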
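def fill_dummy_data():
    """Populate the server database with dummy data to ease development.

    Creates one Honeypot, one Client, 100 BaitSession rows classified
    'bait_session' (one login attempt and a 10-entry transcript each) and
    100 Session rows classified 'credentials_reuse' (one login attempt each),
    then commits everything in one transaction.
    """
    db_session = database_setup.get_session()

    protocols = [('pop3', 110), ('ssh', 22), ('telnet', 23), ('ftp', 21), ('http', 80)]
    source_ips = ('192.168.1.2', '192.168.2.3', '192.168.3.4', '192.168.4.5')

    honeypots = [Honeypot(id=str(uuid.uuid4()))]
    client = [Client(id=str(uuid.uuid4()))]
    sessions = []
    authentications = []

    def random_word(length):
        # `random` is adequate here: these are throwaway fixture values, not
        # secrets. ascii_lowercase is locale-independent and exists on both
        # Python 2 and 3, unlike string.lowercase.
        return ''.join(random.choice(string.ascii_lowercase) for _ in range(length))

    # The classification row is the same for every bait session, so it is
    # looked up once instead of once per loop iteration.
    bait_classification = db_session.query(Classification).filter(
        Classification.type == 'bait_session').one()
    while len(sessions) < 100:
        session = BaitSession(id=str(uuid.uuid4()), timestamp=datetime.now(),
                              source_ip=random.choice(source_ips),
                              source_port=random.randint(1024, 65535),
                              destination_ip='4.3.2.1', destination_port='1111')
        # Replaces the placeholder port above with the one matching the protocol.
        session.protocol, session.destination_port = random.choice(protocols)
        session.honeypot = random.choice(honeypots)
        session.client = random.choice(client)
        session.classification = bait_classification

        authentication = Authentication(id=str(uuid.uuid4()),
                                        username=random_word(8),
                                        password=random_word(8))
        session.authentication.append(authentication)

        for position in range(10):
            # Alternate the direction, starting with 'in'.
            direction = ('in', 'out')[position % 2]
            transcript = Transcript(timestamp=datetime.now(), direction=direction,
                                    data=random_word(15))
            session.transcript.append(transcript)

        authentications.append(authentication)
        sessions.append(session)

    # Second half: plain sessions flagged as credential reuse, no transcript.
    reuse_classification = db_session.query(Classification).filter(
        Classification.type == 'credentials_reuse').one()
    while len(sessions) < 200:
        session = Session(id=str(uuid.uuid4()), timestamp=datetime.now(),
                          source_ip=random.choice(source_ips),
                          source_port=random.randint(1024, 65535),
                          destination_ip='4.3.2.1', destination_port='1111')
        session.protocol, session.destination_port = random.choice(protocols)
        session.honeypot = random.choice(honeypots)
        session.classification = reuse_classification

        authentication = Authentication(id=str(uuid.uuid4()),
                                        username=random_word(8),
                                        password=random_word(8))
        session.authentication.append(authentication)

        authentications.append(authentication)
        sessions.append(session)

    db_session.add_all(authentications)
    db_session.add_all(sessions)
    db_session.add_all(honeypots)
    db_session.add_all(client)
    db_session.commit()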
def persist_session(self, session_json, session_type):
    """Write one reported session to the database.

    A ``Messages.SESSION_HONEYPOT`` message becomes a ``Session`` carrying the
    reported transcript and login attempts; a ``Messages.SESSION_CLIENT``
    message becomes a ``BaitSession`` linked to its client. Any other type is
    logged and dropped, and an incomplete bait session is dropped when
    ``self.config['ignore_failed_bait_session']`` is truthy. Stored rows get
    the 'unclassified' classification. Returns None.
    """
    stamp_format = '%Y-%m-%dT%H:%M:%S.%f'

    payload = json.loads(session_json)
    store = database_setup.get_session()
    unclassified = store.query(Classification).filter(
        Classification.type == 'unclassified').one()

    # A payload without a honeypot id is accepted and stored with no honeypot.
    honeypot_id = payload['honeypot_id']
    if honeypot_id is None:
        reporting_honeypot = None
    else:
        reporting_honeypot = store.query(Honeypot).filter(
            Honeypot.id == honeypot_id).one()
        reporting_honeypot.last_activity = datetime.now()

    if session_type == Messages.SESSION_HONEYPOT:
        record = Session()
        for line in payload['transcript']:
            record.transcript.append(
                Transcript(timestamp=datetime.strptime(line['timestamp'], stamp_format),
                           direction=line['direction'],
                           data=line['data']))
        for attempt in payload['login_attempts']:
            # TODO: Model this better in db model, not all capabilities
            # authenticate with both username/password
            # Credentials are stored exactly as reported; a missing field
            # becomes an empty string.
            record.authentication.append(
                Authentication(id=attempt['id'],
                               username=attempt.get('username', ''),
                               password=attempt.get('password', ''),
                               successful=attempt['successful'],
                               timestamp=datetime.strptime(attempt['timestamp'],
                                                           stamp_format)))
    elif session_type == Messages.SESSION_CLIENT:
        if not payload['did_complete'] and self.config['ignore_failed_bait_session']:
            return
        record = BaitSession()
        reporting_client = store.query(Client).filter(
            Client.id == payload['client_id']).one()
        reporting_client.last_activity = datetime.now()
        record.did_connect = payload['did_connect']
        record.did_login = payload['did_login']
        record.did_complete = payload['did_complete']
        record.client = reporting_client
    else:
        logger.warn('Unknown message type: {0}'.format(session_type))
        return

    # Fields common to both session kinds.
    record.id = payload['id']
    record.classification = unclassified
    record.timestamp = datetime.strptime(payload['timestamp'], stamp_format)
    record.received = datetime.utcnow()
    record.protocol = payload['protocol']
    record.destination_ip = payload['destination_ip']
    record.destination_port = payload['destination_port']
    record.source_ip = payload['source_ip']
    record.source_port = payload['source_port']
    record.honeypot = reporting_honeypot

    store.add(record)
    store.commit()