示例#1
0
文件: ews.py 项目: opsecisland/ews
def buildews(esm,DATA,REQUEST,ADATA):

    ewsalert(esm,DATA,REQUEST,ADATA)

    if int(esm.xpath('count(//Alert)')) >= 100:
        sendews(esm)
        esm = ewsauth(ECFG["username"],ECFG["token"])

    return esm
示例#2
0
def buildews(esm, DATA, REQUEST, ADATA):

    ewsalert(esm, DATA, REQUEST, ADATA)

    if int(esm.xpath('count(//Alert)')) >= 100:
        sendews(esm)
        esm = ewsauth(ECFG["username"], ECFG["token"])

    return esm
示例#3
0
def dionaea():

    MODUL = "DIONAEA"
    logme(MODUL, "Starting Dionaea Modul.", ("P1"), ECFG)

    # collect honeypot config dic

    ITEMS = ("dionaea", "nodeid", "sqlitedb", "malwaredir")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    # Malwaredir exist ?

    if os.path.isdir(HONEYPOT["malwaredir"]) is False:
        logme(
            MODUL, "[ERROR] Missing Malware Dir " + HONEYPOT["malwaredir"] +
            ". Abort !", ("P3", "LOG"), ECFG)

    # is sqlitedb exist ?

    if os.path.isfile(HONEYPOT["sqlitedb"]) is False:
        logme(
            MODUL, "[ERROR] Missing sqlitedb file " + HONEYPOT["sqlitedb"] +
            ". Abort !", ("P3", "LOG"), ECFG)
        return

    # open database

    con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
    con.row_factory = sqlite3.Row
    c = con.cursor()

    # calculate send limit

    c.execute("SELECT max(connection) from connections;")

    maxid = c.fetchone()["max(connection)"]

    if maxid is None:
        logme(MODUL, "[INFO] No entry's in Dionaea Database. Skip !",
              ("P2", "LOG"), ECFG)
        return

    imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)),
                            int(maxid), ECFG)

    # read alerts from database

    c.execute(
        "SELECT * from connections where connection > ? and connection <= ?;",
        (
            imin,
            imax,
        ))
    rows = c.fetchall()

    # counter inits

    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    for row in rows:

        x, y = viewcounter(MODUL, x, y)

        # filter empty remote_host

        if row["remote_host"] == "":
            countme(MODUL, 'sqliteid', row["connection"], ECFG)
            continue

        # Prepair and collect Alert Data

        DATA = {
            "aid":
            HONEYPOT["nodeid"],
            "timestamp":
            datetime.fromtimestamp(int(
                row["connection_timestamp"])).strftime('%Y-%m-%d %H:%M:%S'),
            "sadr":
            str(row["remote_host"]),
            "sipv":
            "ipv" + ip4or6(str(row["remote_host"])),
            "sprot":
            str(row["connection_type"]),
            "sport":
            str(row["remote_port"]),
            "tipv":
            "ipv" + ip4or6(str(row["local_host"])),
            "tadr":
            str(row["local_host"]),
            "tprot":
            str(row["connection_type"]),
            "tport":
            str(row["local_port"]),
        }

        REQUEST = {
            "description": "Network Honeyport Dionaea v0.1.0",
        }

        # Check for malware bin's

        c.execute(
            "SELECT download_md5_hash from downloads where connection = ?;",
            (str(row["connection"]), ))
        check = c.fetchone()

        if check is not None:
            error, malwarefile = malware(HONEYPOT["malwaredir"], check[0],
                                         ECFG["del_malware_after_send"])
            if error == 0:
                REQUEST["binary"] = malwarefile
            else:
                logme(MODUL, "Mission Malwarefile %s" % check[0],
                      ("P1", "LOG"), ECFG)

        # Collect additional Data

        ADATA = {
            "sqliteid": str(row["connection"]),
        }

        # generate template and send

        esm = buildews(esm, DATA, REQUEST, ADATA)
        jesm = buildjson(jesm, DATA, REQUEST, ADATA)

        countme(MODUL, 'sqliteid', row["connection"], ECFG)
        countme(MODUL, 'daycounter', -2, ECFG)

        if ECFG["a.verbose"] is True:
            verbosemode(MODUL, DATA, REQUEST, ADATA)

    con.close()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"),
              ECFG)
    return
示例#4
0
def cowrie():

    MODUL = "COWRIE"
    logme(MODUL, "Starting Cowrie Modul.", ("P1"), ECFG)

    # collect honeypot config dic

    ITEMS = ("cowrie", "nodeid", "logfile")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])

    if HONEYPOT["ip"].lower() == "false" or HONEYPOT["ip"].lower() == "null":
        HONEYPOT["ip"] = ECFG["ip"]

    # logfile file exists ?

    if os.path.isfile(HONEYPOT["logfile"]) is False:
        logme(MODUL,
              "[ERROR] Missing LogFile " + HONEYPOT["logfile"] + ". Skip !",
              ("P3", "LOG"), ECFG)

    # count limit

    imin = int(countme(MODUL, 'fileline', -1, ECFG))

    if int(ECFG["sendlimit"]) > 0:
        logme(
            MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) +
            ". Adapting to limit!", ("P1"), ECFG)

    I = 0
    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    # dict to gather session information
    cowriesessions = {}
    sessionstosend = []

    while True:

        x, y = viewcounter(MODUL, x, y)

        I += 1

        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break

        line = getline(HONEYPOT["logfile"], (imin + I)).rstrip()
        currentline = imin + I

        if len(line) == 0:
            break
        else:
            # parse json
            try:
                content = json.loads(line)
            except ValueError, e:
                logme(
                    MODUL, "Invalid json entry found in line " + str(I) +
                    ", skipping entry.", ("P3"), ECFG)
                countme(MODUL, 'fileline', -2, ECFG)
                countme(MODUL, 'daycounter', -2, ECFG)
                pass  # invalid json
            else:
                # if new session is started, store session-related info
                if (content['eventid'] == "cowrie.session.connect"):
                    # create empty session content: structure will be the same as kippo
                    # | id  | username | password | success | logintimestamp | session | sessionstarttime| sessionendtime | ip | cowrieip | version| src_port|dst_port
                    cowriesessions[content["session"]] = [
                        I, '', '', '', '', content["session"],
                        content["timestamp"], '', content["src_ip"],
                        content["sensor"], '', content["src_port"],
                        content["dst_port"]
                    ]

                # store correponding ssh client version
                if (content['eventid'] == "cowrie.client.version"):
                    if content["session"] in cowriesessions:
                        cowriesessions[
                            content["session"]][10] = content["version"]

                # create successful login
                if (content['eventid'] == "cowrie.login.success"):
                    if content["session"] in cowriesessions:
                        cowriesessions[content["session"]][0] = currentline
                        cowriesessions[content["session"]][3] = "Success"
                        cowriesessions[
                            content["session"]][1] = content["username"]
                        cowriesessions[
                            content["session"]][2] = content["password"]
                        cowriesessions[
                            content["session"]][4] = content["timestamp"]
                        sessionstosend.append(
                            deepcopy(cowriesessions[content["session"]]))

                # create failed login
                elif (content['eventid'] == "cowrie.login.failed"):
                    if content["session"] in cowriesessions:
                        cowriesessions[content["session"]][0] = currentline
                        cowriesessions[content["session"]][3] = "Fail"
                        cowriesessions[
                            content["session"]][1] = content["username"]
                        cowriesessions[
                            content["session"]][2] = content["password"]
                        cowriesessions[
                            content["session"]][4] = content["timestamp"]
                        sessionstosend.append(
                            deepcopy(cowriesessions[content["session"]]))

                # store session close
                if (content['eventid'] == "cowrie.session.closed"):
                    for n, i in enumerate(sessionstosend):
                        if (i[5] == content["session"]):
                            i[7] = content["timestamp"]
示例#5
0
def glastopfv3():

    MODUL = "GLASTOPFV3"
    logme(MODUL, "Starting Glastopf V3.x Modul.", ("P1"), ECFG)

    # collect honeypot config dic

    ITEMS = ("glastopfv3", "nodeid", "sqlitedb", "malwaredir")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])

    if HONEYPOT["ip"].lower() == "false" or HONEYPOT["ip"].lower() == "null":
        HONEYPOT["ip"] = ECFG["ip"]

    # Malwaredir exist ? Issue in Glastopf ! RFI Directory first create when the first RFI was downloaded

    #if os.path.isdir(HONEYPOT["malwaredir"]) == False:
    #    logme(MODUL,"[ERROR] Missing Malware Dir " + HONEYPOT["malwaredir"] + ". Abort !",("P3","LOG"),ECFG)
    #    return

    # is sqlitedb exist ?

    if os.path.isfile(HONEYPOT["sqlitedb"]) is False:
        logme(
            MODUL, "[INFO] Missing sqlitedb file " + HONEYPOT["sqlitedb"] +
            ". Skip !", ("P3", "LOG"), ECFG)
        return

    # open database

    con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
    con.row_factory = sqlite3.Row
    c = con.cursor()

    # calculate send limit

    c.execute("SELECT max(id) from events")

    maxid = c.fetchone()["max(id)"]

    if maxid is None:
        logme(MODUL, "[INFO] No entry's in Glastopf Database. Skip !",
              ("P2", "LOG"), ECFG)
        return

    imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)),
                            int(maxid), ECFG)

    # read alerts from database

    c.execute("SELECT * from events where id > ? and id <= ?;", (imin, imax))
    rows = c.fetchall()

    # counter inits

    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    for row in rows:

        x, y = viewcounter(MODUL, x, y)

        # filter empty requests and nagios checks

        if row["request_url"] == os.sep or row[
                "request_url"] == "/index.do?hash=DEADBEEF&activate=1":
            countme(MODUL, 'sqliteid', row["id"], ECFG)
            continue

        # Prepair and collect Alert Data

        DATA = {
            "aid": HONEYPOT["nodeid"],
            "timestamp": row["time"],
            "sadr": re.sub(":.*$", "", row["source"]),
            "sipv": "ipv" + ip4or6(re.sub(":.*$", "", row["source"])),
            "sprot": "tcp",
            "sport": "",
            "tipv": "ipv" + ip4or6(HONEYPOT["ip"]),
            "tadr": HONEYPOT["ip"],
            "tprot": "tcp",
            "tport": "80",
        }

        REQUEST = {
            "description": "WebHoneypot : Glastopf v3.1",
            "url": urllib.quote(row["request_url"].encode('ascii', 'ignore'))
        }

        if "request_raw" in row.keys() and len(row["request_raw"]) > 0:
            REQUEST["raw"] = base64.encodestring(row["request_raw"].encode(
                'ascii', 'ignore'))

        if "filename" in row.keys() and row["filename"] != None:
            error, malwarefile = malware(HONEYPOT["malwaredir"],
                                         row["filename"],
                                         ECFG["del_malware_after_send"])
            if error == 0:
                REQUEST["binary"] = malwarefile
            else:
                logme(MODUL, "Mission Malwarefile %s" % row["filename"],
                      ("P1", "LOG"), ECFG)

        # Collect additional Data

        ADATA = {
            "sqliteid": row["id"],
        }

        if "request_method" in row.keys():
            ADATA["httpmethod"] = row["request_method"]

        if "request_raw" in row.keys():
            m = re.search(r'Host: (\b.+\b)', row["request_raw"], re.M)
            if m:
                ADATA["host"] = str(m.group(1))

        if "request_header" in row.keys():
            if 'Host' in json.loads(row["request_header"]):
                ADATA["host"] = str(json.loads(row["request_header"])["Host"])

        if "request_body" in row.keys():
            if len(row["request_body"]) > 0:
                ADATA["requestbody"] = row["request_body"]

        esm = buildews(esm, DATA, REQUEST, ADATA)
        if "request_body" in row.keys():
            if len(row["request_body"]) > 0:
                ADATA["requestbody"] = row["request_body"]

        esm = buildews(esm, DATA, REQUEST, ADATA)
        jesm = buildjson(jesm, DATA, REQUEST, ADATA)

        countme(MODUL, 'sqliteid', row["id"], ECFG)
        countme(MODUL, 'daycounter', -2, ECFG)

        if ECFG["a.verbose"] is True:
            verbosemode(MODUL, DATA, REQUEST, ADATA)

    con.close()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"),
              ECFG)
    return
示例#6
0
def conpot():
    MODUL = "CONPOT"
    logme(MODUL, "Starting Conpot Modul.", ("P1"), ECFG)

    # collect honeypot config dic

    ITEMS = ("conpot", "nodeid", "logfile")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    # logfile file exists ?

    if os.path.isfile(HONEYPOT["logfile"]) is False:
        logme(MODUL,
              "[ERROR] Missing LogFile " + HONEYPOT["logfile"] + ". Skip !",
              ("P3", "LOG"), ECFG)

    # count limit

    imin = int(countme(MODUL, 'fileline', -1, ECFG))

    if int(ECFG["sendlimit"]) > 0:
        logme(
            MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) +
            ". Adapting to limit!", ("P1"), ECFG)

    I = 0
    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    while True:

        x, y = viewcounter(MODUL, x, y)

        I += 1

        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break

        line = getline(HONEYPOT["logfile"], (imin + I)).rstrip()

        if len(line) == 0:
            break
        else:
            # parse json
            try:
                content = json.loads(line)
            except ValueError, e:
                logme(
                    MODUL, "Invalid json entry found in line " + str(I) +
                    ", skipping entry.", ("P3"), ECFG)
                countme(MODUL, 'fileline', -2, ECFG)
                countme(MODUL, 'daycounter', -2, ECFG)
                pass  # invalid json
            else:
                DATA = {
                    "aid":
                    HONEYPOT["nodeid"],
                    "timestamp":
                    "%s-%s-%s %s" %
                    (content['timestamp'][0:4], content['timestamp'][5:7],
                     content['timestamp'][8:10], content['timestamp'][11:19]),
                    "sadr":
                    "%s" % content['src_ip'],
                    "sipv":
                    "ipv4",
                    "sprot":
                    "tcp",
                    "sport":
                    "%d" % content['src_port'],
                    "tipv":
                    "ipv4",
                    "tadr":
                    "%s" % content['dst_ip'],
                    "tprot":
                    "tcp",
                    "tport":
                    "undefined",
                }

                REQUEST = {
                    "description": "Conpot Honeypot",
                }

                # Collect additional Data

                ADATA = {
                    "conpot_event_type": "%s" % content['event_type'],
                    "conpot_data_type": "%s" % content['data_type'],
                    "conpot_sensor_id": "%s" % content['sensorid'],
                    "conpot_request": "%s" % content['request'],
                    "conpot_id": "%s" % content['id'],
                    "conpot_response": "%s" % content['response']
                }

                # generate template and send

                esm = buildews(esm, DATA, REQUEST, ADATA)
                jesm = buildjson(jesm, DATA, REQUEST, ADATA)

                countme(MODUL, 'fileline', -2, ECFG)
                countme(MODUL, 'daycounter', -2, ECFG)

                if ECFG["a.verbose"] is True:
                    verbosemode(MODUL, DATA, REQUEST, ADATA)
示例#7
0
def emobility():

    MODUL = "EMOBILITY"
    logme(MODUL, "Starting eMobility Modul.", ("P1"), ECFG)

    # collect honeypot config dic

    ITEMS = ("eMobility", "nodeid", "logfile")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    # logfile file exists ?

    if os.path.isfile(HONEYPOT["logfile"]) is False:
        logme(MODUL,
              "[ERROR] Missing LogFile " + HONEYPOT["logfile"] + ". Skip !",
              ("P3", "LOG"), ECFG)

    # count limit

    imin = int(countme(MODUL, 'fileline', -1, ECFG))

    if int(ECFG["sendlimit"]) > 0:
        logme(
            MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) +
            ". Adapting to limit!", ("P1"), ECFG)

    I = 0
    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    while True:

        x, y = viewcounter(MODUL, x, y)

        I += 1

        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break

        line = getline(HONEYPOT["logfile"], (imin + I)).rstrip()

        if len(line) == 0:
            break
        else:
            # Prepair and collect Alert Data

            line = re.sub(r'  ', r' ', re.sub(r'[\[\]\-\>]', r'', line))

            srcipandport, dstipandport, url, dateandtime = line.split("|", 3)

            DATA = {
                "aid":
                HONEYPOT["nodeid"],
                "timestamp":
                "%s-%s-%s %s" % (dateandtime[0:4], dateandtime[4:6],
                                 dateandtime[6:8], dateandtime[9:17]),
                "sadr":
                "%s.%s.%s.%s" %
                (srcipandport.split(".")[0], srcipandport.split(".")[1],
                 srcipandport.split(".")[2], srcipandport.split(".")[3]),
                "sipv":
                "ipv4",
                "sprot":
                "tcp",
                "sport":
                srcipandport.split(".")[4],
                "tipv":
                "ipv4",
                "tadr":
                "%s.%s.%s.%s" %
                (dstipandport.split(".")[0], dstipandport.split(".")[1],
                 dstipandport.split(".")[2], dstipandport.split(".")[3]),
                "tprot":
                "tcp",
                "tport":
                dstipandport.split(".")[4],
            }

            REQUEST = {
                "description": "eMobility Honeypot",
                "url": urllib.quote(url.encode('ascii', 'ignore'))
            }

            # Collect additional Data

            ADATA = {}

            # generate template and send

            esm = buildews(esm, DATA, REQUEST, ADATA)
            jesm = buildjson(jesm, DATA, REQUEST, ADATA)

            countme(MODUL, 'fileline', -2, ECFG)
            countme(MODUL, 'daycounter', -2, ECFG)

            if ECFG["a.verbose"] is True:
                verbosemode(MODUL, DATA, REQUEST, ADATA)

    # Cleaning linecache
    clearcache()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 2), ("P2"),
              ECFG)
    return
示例#8
0
def rdpdetect():

    MODUL = "RDPDETECT"
    logme(MODUL, "Starting RDPDetect Modul.", ("P1"), ECFG)

    # collect honeypot config dic

    ITEMS = ("rdpdetect", "nodeid", "iptableslog", "targetip")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    # iptables file exists ?

    if os.path.isfile(HONEYPOT["iptableslog"]) is False:
        logme(
            MODUL, "[ERROR] Missing Iptables LogFile " +
            HONEYPOT["iptableslog"] + ". Abort !", ("P3", "LOG"), ECFG)

    # count limit

    imin = int(countme(MODUL, 'fileline', -1, ECFG))

    if int(ECFG["sendlimit"]) > 0:
        logme(
            MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) +
            ". Adapting to limit!", ("P1"), ECFG)

    I = 0
    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    while True:

        x, y = viewcounter(MODUL, x, y)

        I += 1

        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break

        line = getline(HONEYPOT["iptableslog"], (imin + I)).rstrip()

        if len(line) == 0:
            break
        else:
            line = re.sub(r'  ', r' ', re.sub(r'[\[\]\-\>]', r'', line))

            if HONEYPOT["targetip"] == re.search('SRC=(.*?) ',
                                                 line).groups()[0]:
                continue

            # Prepair and collect Alert Data

            DATA = {
                "aid":
                HONEYPOT["nodeid"],
                "timestamp":
                "%s-%s-%s %s:%s:%s" % (line[0:4], line[4:6], line[6:8],
                                       line[9:11], line[12:14], line[15:17]),
                "sadr":
                re.search('SRC=(.*?) ', line).groups()[0],
                "sipv":
                "ipv" + ip4or6(re.search('SRC=(.*?) ', line).groups()[0]),
                "sprot":
                re.search('PROTO=(.*?) ', line).groups()[0].lower(),
                "sport":
                re.search('SPT=(.*?) ', line).groups()[0],
                "tipv":
                "ipv" + ip4or6(ECFG["ip"]),
                "tadr":
                ECFG["ip"],
                "tprot":
                re.search('PROTO=(.*?) ', line).groups()[0].lower(),
                "tport":
                re.search('DPT=(.*?) ', line).groups()[0],
            }

            REQUEST = {"description": "RDPDetect"}

            # Collect additional Data

            ADATA = {}

            # generate template and send

            esm = buildews(esm, DATA, REQUEST, ADATA)
            jesm = buildjson(jesm, DATA, REQUEST, ADATA)

            countme(MODUL, 'fileline', -2, ECFG)
            countme(MODUL, 'daycounter', -2, ECFG)

            if ECFG["a.verbose"] is True:
                verbosemode(MODUL, DATA, REQUEST, ADATA)

    # Cleaning linecache
    clearcache()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 2), ("P2"),
              ECFG)
    return
示例#9
0
def honeytrap():

    MODUL = "HONEYTRAP"
    logme(MODUL, "Starting Honeytrap Modul.", ("P1"), ECFG)

    # collect honeypot config dic

    ITEMS = ("honeytrap", "nodeid", "attackerfile", "payloaddir", "newversion")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    # Attacking file exists ?

    if os.path.isfile(HONEYPOT["attackerfile"]) is False:
        logme(
            MODUL, "[ERROR] Missing Attacker File " +
            HONEYPOT["attackerfile"] + ". Abort !", ("P3", "LOG"), ECFG)

    # Payloaddir exist ?

    if os.path.isdir(HONEYPOT["payloaddir"]) is False:
        logme(
            MODUL, "[ERROR] Missing Payload Dir " + HONEYPOT["payloaddir"] +
            ". Abort !", ("P3", "LOG"), ECFG)

    # New Version are use ?

    if HONEYPOT["newversion"].lower() == "true" and not os.path.isdir(
            HONEYPOT["payloaddir"]):
        logme(
            MODUL, "[ERROR] Missing Payload Directory " +
            HONEYPOT["payloaddir"] + ". Abort !", ("P3", "LOG"), ECFG)

    # Calc MD5sum for Payloadfiles

    if HONEYPOT["newversion"].lower() == "true":
        logme(MODUL, "Calculate MD5sum for Payload Files", ("P2"), ECFG)

        for i in os.listdir(HONEYPOT["payloaddir"]):
            if not "_md5_" in i:
                filein = HONEYPOT["payloaddir"] + os.sep + i
                os.rename(
                    filein, filein + "_md5_" +
                    hashlib.md5(open(filein, 'rb').read()).hexdigest())

    # count limit

    imin = int(countme(MODUL, 'fileline', -1, ECFG))

    if int(ECFG["sendlimit"]) > 0:
        logme(
            MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) +
            ". Adapting to limit!", ("P1"), ECFG)

    I = 0
    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    while True:

        x, y = viewcounter(MODUL, x, y)

        I += 1

        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break

        line = getline(HONEYPOT["attackerfile"], (imin + I)).rstrip()

        if len(line) == 0:
            break
        else:
            line = re.sub(r'  ', r' ', re.sub(r'[\[\]\-\>]', r'', line))

            if HONEYPOT["newversion"].lower() == "false":
                date, time, _, source, dest, _ = line.split(" ", 5)
                protocol = ""
                md5 = ""
            else:
                date, time, _, protocol, source, dest, md5, _ = line.split(
                    " ", 7)

            #  Prepair and collect Alert Data

            DATA = {
                "aid":
                HONEYPOT["nodeid"],
                "timestamp":
                "%s-%s-%s %s" % (date[0:4], date[4:6], date[6:8], time[0:8]),
                "sadr":
                re.sub(":.*$", "", source),
                "sipv":
                "ipv" + ip4or6(re.sub(":.*$", "", source)),
                "sprot":
                protocol,
                "sport":
                re.sub("^.*:", "", source),
                "tipv":
                "ipv" + ip4or6(re.sub(":.*$", "", dest)),
                "tadr":
                re.sub(":.*$", "", dest),
                "tprot":
                protocol,
                "tport":
                re.sub("^.*:", "", dest),
            }

            REQUEST = {"description": "NetworkHoneypot Honeytrap v1.1"}

            # Search for Payload

            if HONEYPOT["newversion"].lower() == "true":
                sfile = "from_port_%s-%s_*_%s-%s-%s_md5_%s" % (re.sub(
                    "^.*:", "",
                    dest), protocol, date[0:4], date[4:6], date[6:8], md5)

                for mfile in os.listdir(HONEYPOT["payloaddir"]):
                    if fnmatch.fnmatch(mfile, sfile):
                        error, payloadfile = malware(HONEYPOT["payloaddir"],
                                                     mfile, False)
                        if error == 0:
                            REQUEST["raw"] = payloadfile
                        else:
                            logme(MODUL,
                                  "Mission Malwarefile %s" % row["filename"],
                                  ("P1", "LOG"), ECFG)

            # Collect additional Data

            ADATA = {}

            # generate template and send

            esm = buildews(esm, DATA, REQUEST, ADATA)
            jesm = buildjson(jesm, DATA, REQUEST, ADATA)

            countme(MODUL, 'fileline', -2, ECFG)
            countme(MODUL, 'daycounter', -2, ECFG)

            if ECFG["a.verbose"] is True:
                verbosemode(MODUL, DATA, REQUEST, ADATA)

    # Cleaning linecache
    clearcache()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 2), ("P2"),
              ECFG)
    return
示例#10
0
        return

    imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)),
                            int(maxid), ECFG)

    # read alerts from database

    c.execute("SELECT * from log where id > %s and id <= %s;", (imin, imax))
    rows = c.fetchall()

    # counter inits

    x = 0
    y = 1

    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    for row in rows:

        x, y = viewcounter(MODUL, x, y)

        # filter nagios checks

        if row["req"] == "/index.do?hash=DEADBEEF&activate=1":
            countme(MODUL, 'mysqlid', row["id"], ECFG)
            continue

        # Prepair and collect Alert Data

        DATA = {
示例#11
0
文件: ews.py 项目: opsecisland/ews
def rdpdetect():

    MODUL  = "RDPDETECT"
    logme(MODUL,"Starting RDPDetect Modul.",("P1"),ECFG)

    # collect honeypot config dic

    ITEMS  = ("rdpdetect","nodeid","iptableslog","targetip")
    HONEYPOT = readcfg(MODUL,ITEMS,ECFG["cfgfile"])

    # iptables file exists ?

    if os.path.isfile(HONEYPOT["iptableslog"]) is False:
        logme(MODUL,"[ERROR] Missing Iptables LogFile " + HONEYPOT["iptableslog"] + ". Abort !",("P3","LOG"),ECFG)

    # count limit

    imin = int(countme(MODUL,'fileline',-1,ECFG))

    if int(ECFG["sendlimit"]) > 0:
        logme(MODUL,"Send Limit is set to : " + str(ECFG["sendlimit"]) + ". Adapting to limit!",("P1"),ECFG)

    I = 0 ; x = 0 ; y = 1

    esm = ewsauth(ECFG["username"],ECFG["token"])
    jesm = [ ]

    while True:

        x,y = viewcounter(MODUL,x,y)

        I += 1

        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break

        line = getline(HONEYPOT["iptableslog"],(imin + I)).rstrip()

        if len(line) == 0:
            break
        else:
            line = re.sub(r'  ',r' ',re.sub(r'[\[\]\-\>]',r'',line))

            if HONEYPOT["targetip"] == re.search('SRC=(.*?) ', line).groups()[0]:
                continue

            # Prepair and collect Alert Data

            DATA =    {
                        "aid"       : HONEYPOT["nodeid"],
                        "timestamp" : "%s-%s-%s %s:%s:%s" % (line[0:4], line[4:6], line[6:8], line[9:11], line[12:14], line[15:17]),
                        "sadr"      : re.search('SRC=(.*?) ', line).groups()[0],
                        "sipv"      : "ipv" + ip4or6(re.search('SRC=(.*?) ', line).groups()[0]),
                        "sprot"     : re.search('PROTO=(.*?) ', line).groups()[0].lower(),
                        "sport"     : re.search('SPT=(.*?) ', line).groups()[0],
                        "tipv"      : "ipv" + ip4or6(ECFG["ip"]),
                        "tadr"      : ECFG["ip"],
                        "tprot"     : re.search('PROTO=(.*?) ', line).groups()[0].lower(),
                        "tport"     : re.search('DPT=(.*?) ', line).groups()[0],
                      }

            REQUEST = {
                        "description" : "RDPDetect"
                      }


            # Collect additional Data

            ADATA =   {
                      }

            # generate template and send

            esm = buildews(esm,DATA,REQUEST,ADATA)
            jesm = buildjson(jesm,DATA,REQUEST,ADATA)

            countme(MODUL,'fileline',-2,ECFG)
            countme(MODUL,'daycounter', -2,ECFG)

            if ECFG["a.verbose"] is True:
                verbosemode(MODUL,DATA,REQUEST,ADATA)


    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y  > 1:
        logme(MODUL,"%s EWS alert records send ..." % (x+y-2),("P2"),ECFG)
    return
示例#12
0
文件: ews.py 项目: opsecisland/ews
def honeytrap():

    MODUL  = "HONEYTRAP"
    logme(MODUL,"Starting Honeytrap Modul.",("P1"),ECFG)

    # collect honeypot config dic

    ITEMS  = ("honeytrap","nodeid","attackerfile","payloaddir","newversion")
    HONEYPOT = readcfg(MODUL,ITEMS,ECFG["cfgfile"])

    # Attacking file exists ?

    if os.path.isfile(HONEYPOT["attackerfile"]) is False:
        logme(MODUL,"[ERROR] Missing Attacker File " + HONEYPOT["attackerfile"] + ". Abort !",("P3","LOG"),ECFG)

    # Payloaddir exist ?

    if os.path.isdir(HONEYPOT["payloaddir"]) is False:
        logme(MODUL,"[ERROR] Missing Payload Dir " + HONEYPOT["payloaddir"] + ". Abort !",("P3","LOG"),ECFG)

    # New Version are use ?

    if HONEYPOT["newversion"].lower() == "true" and not os.path.isdir(HONEYPOT["payloaddir"]):
        logme(MODUL,"[ERROR] Missing Payload Directory " + HONEYPOT["payloaddir"] + ". Abort !",("P3","LOG"),ECFG)

    # Calc MD5sum for Payloadfiles

    if HONEYPOT["newversion"].lower() == "true":
       logme(MODUL,"Calculate MD5sum for Payload Files",("P2"),ECFG)

       for i in os.listdir(HONEYPOT["payloaddir"]):
           if not "_md5_" in i:
            filein = HONEYPOT["payloaddir"] + os.sep + i
            os.rename(filein,filein + "_md5_" +  hashlib.md5(open(filein, 'rb').read()).hexdigest())

    # count limit

    imin = int(countme(MODUL,'fileline',-1,ECFG))

    if int(ECFG["sendlimit"]) > 0:
        logme(MODUL,"Send Limit is set to : " + str(ECFG["sendlimit"]) + ". Adapting to limit!",("P1"),ECFG)

    I = 0 ; x = 0 ; y = 1

    esm = ewsauth(ECFG["username"],ECFG["token"])
    jesm = [ ]

    while True:

        x,y = viewcounter(MODUL,x,y)

        I += 1

        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break

        line = getline(HONEYPOT["attackerfile"],(imin + I)).rstrip()

        if len(line) == 0:
            break
        else:
            line = re.sub(r'  ',r' ',re.sub(r'[\[\]\-\>]',r'',line))

            if HONEYPOT["newversion"].lower() == "false":
                date , time , _ , source, dest, _ = line.split(" ",5)
                protocol = "" ; md5 = ""
            else:
                date , time , _ , protocol, source, dest, md5, _ = line.split(" ",7)

            # Prepair and collect Alert Data

            DATA =    {
                        "aid"       : HONEYPOT["nodeid"],
                        "timestamp" : "%s-%s-%s %s" % (date[0:4], date[4:6], date[6:8], time[0:8]),
                        "sadr"      : re.sub(":.*$","",source),
                        "sipv"      : "ipv" + ip4or6(re.sub(":.*$","",source)),
                        "sprot"     : protocol,
                        "sport"     : re.sub("^.*:","",source),
                        "tipv"      : "ipv" + ip4or6(re.sub(":.*$","",dest)),
                        "tadr"      : re.sub(":.*$","",dest),
                        "tprot"     : protocol,
                        "tport"     : re.sub("^.*:","",dest),
                      }


            REQUEST = { 
                        "description" : "NetworkHoneypot Honeytrap vX.x"
                      }

            # Search for Payload

            if HONEYPOT["newversion"].lower() == "true":
                sfile = "from_port_%s-%s_*_%s-%s-%s_md5_%s" % (re.sub("^.*:","",dest),protocol,date[0:4], date[4:6], date[6:8],md5)

                for mfile in os.listdir(HONEYPOT["payloaddir"]):
                   if fnmatch.fnmatch(mfile, sfile):
                       error , payloadfile = malware(HONEYPOT["payloaddir"],mfile,False)
                       if error == 0:
                           REQUEST["raw"] = payloadfile
                       else:
                           logme(MODUL,"Mission Malwarefile %s" % row["filename"] ,("P1","LOG"),ECFG)


            # Collect additional Data

            ADATA = {
                    }

            # generate template and send

            esm = buildews(esm,DATA,REQUEST,ADATA)
            jesm = buildjson(jesm,DATA,REQUEST,ADATA)

            countme(MODUL,'fileline',-2,ECFG)
            countme(MODUL,'daycounter', -2,ECFG)

            if ECFG["a.verbose"] is True:
                verbosemode(MODUL,DATA,REQUEST,ADATA)


    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y  > 1:
        logme(MODUL,"%s EWS alert records send ..." % (x+y-2),("P2"),ECFG)
    return
示例#13
0
文件: ews.py 项目: opsecisland/ews
def dionaea():

    MODUL  = "DIONAEA"
    logme(MODUL,"Starting Dionaea Modul.",("P1"),ECFG)

    # collect honeypot config dic

    ITEMS  = ("dionaea","nodeid","sqlitedb","malwaredir")
    HONEYPOT = readcfg(MODUL,ITEMS,ECFG["cfgfile"])

    # Malwaredir exist ?

    if os.path.isdir(HONEYPOT["malwaredir"]) is False:
        logme(MODUL,"[ERROR] Missing Malware Dir " + HONEYPOT["malwaredir"] + ". Abort !",("P3","LOG"),ECFG)

     # is sqlitedb exist ?

    if os.path.isfile(HONEYPOT["sqlitedb"]) is False:
        logme(MODUL,"[ERROR] Missing sqlitedb file " + HONEYPOT["sqlitedb"] + ". Abort !",("P3","LOG"),ECFG)
        return

    # open database

    con = sqlite3.connect(HONEYPOT["sqlitedb"],30)
    con.row_factory = sqlite3.Row
    c = con.cursor()

    # calculate send limit

    c.execute("SELECT max(connection) from connections;")

    maxid = c.fetchone()["max(connection)"]

    if maxid is None:
        logme(MODUL,"[ERROR] No entry's in Dionaea Database. Abort!",("P2","LOG"),ECFG)
        return

    imin, imax = calcminmax(MODUL,int(countme(MODUL,'sqliteid',-1,ECFG)),int(maxid),ECFG)

    # read alerts from database

    c.execute("SELECT * from connections where connection > ? and connection <= ?;",(imin,imax,))
    rows = c.fetchall()

    # counter inits

    x = 0 ; y = 1

    esm = ewsauth(ECFG["username"],ECFG["token"])
    jesm = [ ]

    for row in rows:

        x,y = viewcounter(MODUL,x,y)

        # filter empty remote_host

        if row["remote_host"] == "": 
            countme(MODUL,'sqliteid',row["connection"],ECFG)
            continue

        # Prepair and collect Alert Data

        DATA =   {
                    "aid"       : HONEYPOT["nodeid"],
                    "timestamp" : datetime.fromtimestamp(int(row["connection_timestamp"])).strftime('%Y-%m-%d %H:%M:%S'),
                    "sadr"      : str(row["remote_host"]),
                    "sipv"      : "ipv" + ip4or6(str(row["remote_host"])),
                    "sprot"     : str(row["connection_type"]),
                    "sport"     : str(row["remote_port"]),
                    "tipv"      : "ipv" + ip4or6(str(row["local_host"])),
                    "tadr"      : str(row["local_host"]),
                    "tprot"     : str(row["connection_type"]),
                    "tport"     : str(row["local_port"]),
                  }

        REQUEST = {
                    "description" : "Network Honeyport Dionaea vX.x",
                  }

        # Check for malware bin's

        c.execute("SELECT download_md5_hash from downloads where connection = ?;",(str(row["connection"]),))
        check = c.fetchone()

        if check is not None:
           error,malwarefile = malware(HONEYPOT["malwaredir"],check[0],ECFG["del_malware_after_send"])
           if error == 0:
               REQUEST["binary"] = malwarefile
           else:
               logme(MODUL,"Mission Malwarefile %s" % row["filename"] ,("P1","LOG"),ECFG)

        # Collect additional Data

        ADATA = {
                 "sqliteid"    : str(row["connection"]),
                }

        # generate template and send

        esm = buildews(esm,DATA,REQUEST,ADATA)
        jesm = buildjson(jesm,DATA,REQUEST,ADATA)

        countme(MODUL,'sqliteid',row["connection"],ECFG)
        countme(MODUL,'daycounter', -2,ECFG)

        if ECFG["a.verbose"] is True:
            verbosemode(MODUL,DATA,REQUEST,ADATA)

    con.close()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y  > 1:
        logme(MODUL,"%s EWS alert records send ..." % (x+y-1),("P2"),ECFG)
    return
示例#14
0
文件: ews.py 项目: opsecisland/ews
def glastopfv3():

    MODUL  = "GLASTOPFV3"
    logme(MODUL,"Starting Glastopf V3.x Modul.",("P1"),ECFG)

    # collect honeypot config dic

    ITEMS  = ("glastopfv3","nodeid","sqlitedb","malwaredir")
    HONEYPOT = readcfg(MODUL,ITEMS,ECFG["cfgfile"])

    HONEYPOT["ip"] = readonecfg(MODUL,"ip", ECFG["cfgfile"])

    if HONEYPOT["ip"].lower() == "false" or HONEYPOT["ip"].lower() == "null":
       HONEYPOT["ip"] = ECFG["ip"]

    # Malwaredir exist ? Issue in Glastopf ! RFI Directory first create when the first RFI was downloaded

    #if os.path.isdir(HONEYPOT["malwaredir"]) == False:
    #    logme(MODUL,"[ERROR] Missing Malware Dir " + HONEYPOT["malwaredir"] + ". Abort !",("P3","LOG"),ECFG)
    #    return

    # is sqlitedb exist ?

    if os.path.isfile(HONEYPOT["sqlitedb"]) is False:
        logme(MODUL,"[ERROR] Missing sqlitedb file " + HONEYPOT["sqlitedb"] + ". Abort !",("P3","LOG"),ECFG)
        return

    # open database

    con = sqlite3.connect(HONEYPOT["sqlitedb"],30)
    con.row_factory = sqlite3.Row
    c = con.cursor()

    # calculate send limit

    c.execute("SELECT max(id) from events")

    maxid = c.fetchone()["max(id)"]

    if maxid is None:
        logme(MODUL,"[ERROR] No entry's in Glastopf Database. Abort!",("P2","LOG"),ECFG)
        return

    imin, imax = calcminmax(MODUL,int(countme(MODUL,'sqliteid',-1,ECFG)),int(maxid),ECFG)

    # read alerts from database

    c.execute("SELECT * from events where id > ? and id <= ?;",(imin,imax))
    rows = c.fetchall()

    # counter inits

    x = 0 ; y = 1

    esm = ewsauth(ECFG["username"],ECFG["token"])
    jesm = [ ]

    for row in rows:

        x,y = viewcounter(MODUL,x,y)

        # filter empty requests and nagios checks

        if  row["request_url"] == os.sep or row["request_url"] == "/index.do?hash=DEADBEEF&activate=1":
            countme(MODUL,'sqliteid',row["id"],ECFG)
            continue

        # Prepair and collect Alert Data

        DATA = {
                    "aid"       : HONEYPOT["nodeid"],
                    "timestamp" : row["time"],
                    "sadr"      : re.sub(":.*$","",row["source"]),
                    "sipv"      : "ipv" + ip4or6(re.sub(":.*$","",row["source"])),
                    "sprot"     : "tcp",
                    "sport"     : "",
                    "tipv"      : "ipv" + ip4or6(HONEYPOT["ip"]),
                    "tadr"      : HONEYPOT["ip"],
                    "tprot"     : "tcp",
                    "tport"     : "80",
                  }

        REQUEST = {
                    "description" : "WebHoneypot : Glastopf v3.1",
                    "url"         : urllib.quote(row["request_url"])
                  }

        if "request_raw" in  row.keys() and len(row["request_raw"]) > 0:
            #REQUEST["raw"] = base64.standard_b64encode(row["request_raw"])
            REQUEST["raw"] = base64.encodestring(row["request_raw"])

        if "filename" in  row.keys() and row["filename"] != None:
           error,malwarefile = malware(HONEYPOT["malwaredir"],row["filename"],ECFG["del_malware_after_send"])
           if error == 0:
                REQUEST["binary"] = malwarefile
           else:
                logme(MODUL,"Mission Malwarefile %s" % row["filename"] ,("P1","LOG"),ECFG)
 
        # Collect additional Data

        ADATA = {
                 "sqliteid"    : row ["id"],
                }

        if "request_method" in  row.keys():
           ADATA["httpmethod"] = row["request_method"]

        if "request_raw" in  row.keys():
            m = re.search( r'Host: (\b.+\b)', row["request_raw"] , re.M)
            if m:
                ADATA["host"] = str(m.group(1))

        if "request_header" in  row.keys():
            if 'Host' in json.loads(row["request_header"]):
                ADATA["host"] = str(json.loads(row["request_header"])["Host"])

        if "request_body" in  row.keys():
            if len(row["request_body"]) > 0:
                ADATA["requestbody"] = row["request_body"]

        esm = buildews(esm,DATA,REQUEST,ADATA)
        jesm = buildjson(jesm,DATA,REQUEST,ADATA)

        countme(MODUL,'sqliteid',row["id"],ECFG)
        countme(MODUL,'daycounter', -2,ECFG)

        if ECFG["a.verbose"] is True:
            verbosemode(MODUL,DATA,REQUEST,ADATA)

    con.close()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y  > 1:
        logme(MODUL,"%s EWS alert records send ..." % (x+y-1),("P2"),ECFG)
    return
示例#15
0
文件: ews.py 项目: opsecisland/ews
    if maxid is None:
        logme(MODUL,"[ERROR] No entry's in Glastopf Database. Abort!",("P2","LOG"),ECFG)
        return

    imin, imax = calcminmax(MODUL,int(countme(MODUL,'sqliteid',-1,ECFG)),int(maxid),ECFG)

    # read alerts from database

    c.execute("SELECT * from log where id > %s and id <= %s;",(imin,imax))
    rows = c.fetchall()

    # counter inits

    x = 0 ; y = 1

    esm = ewsauth(ECFG["username"],ECFG["token"])
    jesm = [ ]

    for row in rows:

        x,y = viewcounter(MODUL,x,y)

        # filter nagios checks

        if row["req"] == "/index.do?hash=DEADBEEF&activate=1":
            countme(MODUL,'mysqlid',row["id"],ECFG)
            continue

        # Prepair and collect Alert Data

        DATA = {
示例#16
0
文件: ews.py 项目: armedpot/ewsposter
def emobility():

    MODUL  = "EMOBILITY"
    logme(MODUL,"Starting eMobility Modul.",("P1"),ECFG)

    # collect honeypot config dic

    ITEMS  = ("eMobility","nodeid","logfile")
    HONEYPOT = readcfg(MODUL,ITEMS,ECFG["cfgfile"])

    # logfile file exists ?

    if os.path.isfile(HONEYPOT["logfile"]) is False:
        logme(MODUL,"[ERROR] Missing LogFile " + HONEYPOT["logfile"] + ". Skip !",("P3","LOG"),ECFG)

    # count limit

    imin = int(countme(MODUL,'fileline',-1,ECFG))

    if int(ECFG["sendlimit"]) > 0:
        logme(MODUL,"Send Limit is set to : " + str(ECFG["sendlimit"]) + ". Adapting to limit!",("P1"),ECFG)

    I = 0 ; x = 0 ; y = 1

    esm = ewsauth(ECFG["username"],ECFG["token"])
    jesm = ""

    while True:

        x,y = viewcounter(MODUL,x,y)

        I += 1

        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break

        line = getline(HONEYPOT["logfile"],(imin + I)).rstrip()

        if len(line) == 0:
            break
        else:
            # Prepair and collect Alert Data

            line = re.sub(r'  ',r' ',re.sub(r'[\[\]\-\>]',r'',line))

            srcipandport, dstipandport, url, dateandtime =  line.split("|",3)

            DATA =    {
                        "aid"       : HONEYPOT["nodeid"],
                        "timestamp" : "%s-%s-%s %s" % (dateandtime[0:4], dateandtime[4:6], dateandtime[6:8], dateandtime[9:17]),
                        "sadr"      : "%s.%s.%s.%s" % (srcipandport.split(".")[0], srcipandport.split(".")[1], srcipandport.split(".")[2], srcipandport.split(".")[3]),
                        "sipv"      : "ipv4",
                        "sprot"     : "tcp",
                        "sport"     : srcipandport.split(".")[4],
                        "tipv"      : "ipv4",
                        "tadr"      : "%s.%s.%s.%s" % (dstipandport.split(".")[0], dstipandport.split(".")[1], dstipandport.split(".")[2], dstipandport.split(".")[3]),
                        "tprot"     : "tcp",
                        "tport"     : dstipandport.split(".")[4],
                      }

            REQUEST = {
                        "description" : "eMobility Honeypot",
                        "url"         : urllib.quote(url.encode('ascii', 'ignore'))
                      }


            # Collect additional Data

            ADATA =   {
                      }

            # generate template and send

            esm = buildews(esm,DATA,REQUEST,ADATA)
            jesm = buildjson(jesm,DATA,REQUEST,ADATA)

            countme(MODUL,'fileline',-2,ECFG)
            countme(MODUL,'daycounter', -2,ECFG)

            if ECFG["a.verbose"] is True:
                verbosemode(MODUL,DATA,REQUEST,ADATA)

    # Cleaning linecache
    clearcache()

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)

    writejson(jesm)

    if y  > 1:
        logme(MODUL,"%s EWS alert records send ..." % (x+y-2),("P2"),ECFG)
    return