def buildews(esm,DATA,REQUEST,ADATA):
    """Add one alert to the EWS message and flush the batch when it is full.

    Args:
        esm: the XML message being built (an object with an ``xpath`` method,
            as returned by ``ewsauth``).
        DATA, REQUEST, ADATA: the alert's core, request and additional fields;
            they are handed through unchanged to ``ewsalert``.

    Returns:
        The message to keep appending to: *esm* itself, or a freshly
        authenticated message once a full batch has been sent.
    """
    ewsalert(esm, DATA, REQUEST, ADATA)
    batch_full = int(esm.xpath('count(//Alert)')) >= 100
    if not batch_full:
        return esm
    # 100 alerts per message: ship this batch and start a new one with the
    # credentials from the module-level config.
    sendews(esm)
    return ewsauth(ECFG["username"], ECFG["token"])
def buildews(esm, DATA, REQUEST, ADATA):
    """Append an alert to *esm*; send and renew the message after 100 alerts.

    Args:
        esm: XML message object (has ``xpath``) obtained from ``ewsauth``.
        DATA, REQUEST, ADATA: alert field dictionaries passed on to ``ewsalert``.

    Returns:
        *esm*, or a new authenticated message when the old one has just been
        sent because it reached the batch size.
    """
    MAX_ALERTS_PER_MESSAGE = 100
    ewsalert(esm, DATA, REQUEST, ADATA)
    pending = esm.xpath('count(//Alert)')
    if int(pending) >= MAX_ALERTS_PER_MESSAGE:
        # batch complete: deliver it and continue with an empty message
        sendews(esm)
        esm = ewsauth(ECFG["username"], ECFG["token"])
    return esm
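def dionaea():
    """Forward new Dionaea connections from its SQLite log to the EWS backend.

    Reads the module config (node id, sqlite db, malware dir), selects the
    ``connections`` rows whose id lies in the window that ``calcminmax``
    derives from the persisted ``sqliteid`` counter and the table's max id,
    builds one alert per row (attaching the sample from ``downloads`` when
    one is recorded for the connection) and posts it via ``buildews`` /
    ``buildjson``.  The ``sqliteid`` counter is advanced after every row.

    Returns:
        None.  Returns early, after logging, when the sqlite file is missing
        or the ``connections`` table is empty.
    """
    MODUL = "DIONAEA"
    logme(MODUL, "Starting Dionaea Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("dionaea", "nodeid", "sqlitedb", "malwaredir")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    # Malwaredir exist ?
    # NOTE(review): the message says "Abort" but processing continues; a row
    # with a download would then fail inside malware().  Behaviour kept —
    # confirm whether a return was intended here.
    if not os.path.isdir(HONEYPOT["malwaredir"]):
        logme(MODUL, "[ERROR] Missing Malware Dir " + HONEYPOT["malwaredir"] + ". Abort !", ("P3", "LOG"), ECFG)

    # is sqlitedb exist ?
    if not os.path.isfile(HONEYPOT["sqlitedb"]):
        logme(MODUL, "[ERROR] Missing sqlitedb file " + HONEYPOT["sqlitedb"] + ". Abort !", ("P3", "LOG"), ECFG)
        return

    # open database.  The try/finally closes the connection on the early
    # "no entries" return and on any exception inside the row loop; before,
    # con.close() was only reached on the happy path.
    con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
    con.row_factory = sqlite3.Row
    try:
        c = con.cursor()

        # calculate send limit
        c.execute("SELECT max(connection) from connections;")
        maxid = c.fetchone()["max(connection)"]
        if maxid is None:
            logme(MODUL, "[INFO] No entry's in Dionaea Database. Skip !", ("P2", "LOG"), ECFG)
            return
        imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)), int(maxid), ECFG)

        # read alerts from database (bound parameters; the ids never become
        # part of the SQL text)
        c.execute("SELECT * from connections where connection > ? and connection <= ?;", (imin, imax,))
        rows = c.fetchall()

        # counter inits: x, y are maintained by viewcounter and only used for
        # the summary line at the end
        x = 0
        y = 1
        esm = ewsauth(ECFG["username"], ECFG["token"])
        jesm = ""

        for row in rows:
            x, y = viewcounter(MODUL, x, y)

            # filter empty remote_host: mark the row as done and move on
            if row["remote_host"] == "":
                countme(MODUL, 'sqliteid', row["connection"], ECFG)
                continue

            # Prepair and collect Alert Data.  These values come from
            # attacker-controlled connections; they are only passed on as data.
            remote_host = str(row["remote_host"])
            local_host = str(row["local_host"])
            connection_type = str(row["connection_type"])
            DATA = {
                "aid": HONEYPOT["nodeid"],
                "timestamp": datetime.fromtimestamp(int(row["connection_timestamp"])).strftime('%Y-%m-%d %H:%M:%S'),
                "sadr": remote_host,
                "sipv": "ipv" + ip4or6(remote_host),
                "sprot": connection_type,
                "sport": str(row["remote_port"]),
                "tipv": "ipv" + ip4or6(local_host),
                "tadr": local_host,
                "tprot": connection_type,
                "tport": str(row["local_port"]),
            }
            REQUEST = {
                "description": "Network Honeyport Dionaea v0.1.0",
            }

            # Check for malware bin's: attach the sample recorded for this connection
            c.execute("SELECT download_md5_hash from downloads where connection = ?;", (str(row["connection"]),))
            check = c.fetchone()
            if check is not None:
                error, malwarefile = malware(HONEYPOT["malwaredir"], check[0], ECFG["del_malware_after_send"])
                if error == 0:
                    REQUEST["binary"] = malwarefile
                else:
                    logme(MODUL, "Mission Malwarefile %s" % check[0], ("P1", "LOG"), ECFG)

            # Collect additional Data
            ADATA = {
                "sqliteid": str(row["connection"]),
            }

            # generate template and send
            esm = buildews(esm, DATA, REQUEST, ADATA)
            jesm = buildjson(jesm, DATA, REQUEST, ADATA)
            countme(MODUL, 'sqliteid', row["connection"], ECFG)
            countme(MODUL, 'daycounter', -2, ECFG)
            if ECFG["a.verbose"] is True:
                verbosemode(MODUL, DATA, REQUEST, ADATA)
    finally:
        con.close()

    # flush whatever buildews has not sent yet
    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)
        writejson(jesm)
    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"), ECFG)
    return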
def cowrie():
    """Fold Cowrie JSON log events into login sessions for the EWS backend.

    Reads the Cowrie JSON log line by line (``getline``) starting after the
    persisted ``fileline`` position and stops at the first empty line or when
    ``sendlimit`` is reached.  Events are gathered in ``cowriesessions``
    (keyed by the Cowrie session id); every login attempt appends a deep copy
    of the session record to ``sessionstosend``, and ``cowrie.session.closed``
    later stamps the end time on those copies.

    NOTE(review): this copy of the function ends inside the read loop — the
    code that turns ``sessionstosend`` into alerts and flushes them is not
    part of the file as pasted.
    """
    MODUL = "COWRIE"
    logme(MODUL, "Starting Cowrie Modul.", ("P1"), ECFG)
    # collect honeypot config dic
    ITEMS = ("cowrie", "nodeid", "logfile")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
    # "false"/"null" in the module config means: fall back to the global ip
    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])
    if HONEYPOT["ip"].lower() == "false" or HONEYPOT["ip"].lower() == "null":
        HONEYPOT["ip"] = ECFG["ip"]
    # logfile file exists ?  (logged only: on a missing file getline() yields
    # "" and the loop below ends at once)
    if os.path.isfile(HONEYPOT["logfile"]) is False:
        logme(MODUL, "[ERROR] Missing LogFile " + HONEYPOT["logfile"] + ". Skip !", ("P3", "LOG"), ECFG)
    # count limit
    imin = int(countme(MODUL, 'fileline', -1, ECFG))
    if int(ECFG["sendlimit"]) > 0:
        logme(MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) + ". Adapting to limit!", ("P1"), ECFG)
    # I: lines read this run; x, y: counters maintained by viewcounter
    I = 0
    x = 0
    y = 1
    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""
    # dict to gather session information, keyed by Cowrie session id
    cowriesessions = {}
    # login attempts (deep copies of the session record) waiting to be sent
    sessionstosend = []
    while True:
        x, y = viewcounter(MODUL, x, y)
        I += 1
        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break
        line = getline(HONEYPOT["logfile"], (imin + I)).rstrip()
        # absolute line number in the log file; stored per login (index 0)
        currentline = imin + I
        if len(line) == 0:
            break
        else:
            # parse json; an unparsable line is counted as consumed and skipped
            try:
                content = json.loads(line)
            except ValueError, e:
                logme(MODUL, "Invalid json entry found in line " + str(I) + ", skipping entry.", ("P3"), ECFG)
                countme(MODUL, 'fileline', -2, ECFG)
                countme(MODUL, 'daycounter', -2, ECFG)
                pass  # invalid json
            else:
                # if new session is started, store session-related info
                if (content['eventid'] == "cowrie.session.connect"):
                    # create empty session content: structure will be the same as kippo
                    # | id | username | password | success | logintimestamp | session | sessionstarttime| sessionendtime | ip | cowrieip | version| src_port|dst_port
                    cowriesessions[content["session"]] = [
                        I, '', '', '', '', content["session"], content["timestamp"], '',
                        content["src_ip"], content["sensor"], '', content["src_port"], content["dst_port"]
                    ]
                # store corresponding ssh client version (index 10)
                if (content['eventid'] == "cowrie.client.version"):
                    if content["session"] in cowriesessions:
                        cowriesessions[content["session"]][10] = content["version"]
                # create successful login: record credentials, result and
                # timestamp, then queue an independent copy of the session
                if (content['eventid'] == "cowrie.login.success"):
                    if content["session"] in cowriesessions:
                        cowriesessions[content["session"]][0] = currentline
                        cowriesessions[content["session"]][3] = "Success"
                        cowriesessions[content["session"]][1] = content["username"]
                        cowriesessions[content["session"]][2] = content["password"]
                        cowriesessions[content["session"]][4] = content["timestamp"]
                        sessionstosend.append(deepcopy(cowriesessions[content["session"]]))
                # create failed login (same record layout, result "Fail")
                elif (content['eventid'] == "cowrie.login.failed"):
                    if content["session"] in cowriesessions:
                        cowriesessions[content["session"]][0] = currentline
                        cowriesessions[content["session"]][3] = "Fail"
                        cowriesessions[content["session"]][1] = content["username"]
                        cowriesessions[content["session"]][2] = content["password"]
                        cowriesessions[content["session"]][4] = content["timestamp"]
                        sessionstosend.append(deepcopy(cowriesessions[content["session"]]))
                # store session close: stamp the end time (index 7) on every
                # queued login of that session
                if (content['eventid'] == "cowrie.session.closed"):
                    for n, i in enumerate(sessionstosend):
                        if (i[5] == content["session"]):
                            i[7] = content["timestamp"]
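def glastopfv3():
    """Forward new Glastopf v3 events from its SQLite log to the EWS backend.

    Selects the ``events`` rows in the id window that ``calcminmax`` derives
    from the persisted ``sqliteid`` counter, drops the root-path and Nagios
    check requests, and builds one alert per remaining row (request url, raw
    request, optional RFI sample from the malware dir, HTTP method, Host
    header and body as additional data).

    Fixes: the row loop used to call ``buildews`` twice per row (a duplicated
    ``request_body`` block), so every event was posted twice; and the sqlite
    connection is now closed on every exit path.

    Returns:
        None.  Returns early, after logging, when the sqlite file is missing
        or the ``events`` table is empty.
    """
    MODUL = "GLASTOPFV3"
    logme(MODUL, "Starting Glastopf V3.x Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("glastopfv3", "nodeid", "sqlitedb", "malwaredir")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
    # "false"/"null" in the module config means: use the global ip
    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])
    if HONEYPOT["ip"].lower() in ("false", "null"):
        HONEYPOT["ip"] = ECFG["ip"]

    # Malwaredir exist ?  Deliberately not checked: Glastopf creates the RFI
    # directory only when the first RFI sample is downloaded, so a missing
    # directory is normal on a fresh install.

    # is sqlitedb exist ?
    if not os.path.isfile(HONEYPOT["sqlitedb"]):
        logme(MODUL, "[INFO] Missing sqlitedb file " + HONEYPOT["sqlitedb"] + ". Skip !", ("P3", "LOG"), ECFG)
        return

    # open database; closed by the finally on every exit path
    con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
    con.row_factory = sqlite3.Row
    try:
        c = con.cursor()

        # calculate send limit
        c.execute("SELECT max(id) from events")
        maxid = c.fetchone()["max(id)"]
        if maxid is None:
            logme(MODUL, "[INFO] No entry's in Glastopf Database. Skip !", ("P2", "LOG"), ECFG)
            return
        imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)), int(maxid), ECFG)

        # read alerts from database (bound parameters)
        c.execute("SELECT * from events where id > ? and id <= ?;", (imin, imax))
        rows = c.fetchall()

        # counter inits (x, y maintained by viewcounter; used in the summary)
        x = 0
        y = 1
        esm = ewsauth(ECFG["username"], ECFG["token"])
        jesm = ""

        for row in rows:
            x, y = viewcounter(MODUL, x, y)
            columns = row.keys()

            # filter empty requests and nagios checks
            if row["request_url"] == os.sep or row["request_url"] == "/index.do?hash=DEADBEEF&activate=1":
                countme(MODUL, 'sqliteid', row["id"], ECFG)
                continue

            # Prepair and collect Alert Data.  "source" is "ip:port"; the port
            # is stripped.  All request fields are attacker-supplied and are
            # passed on as data only.
            source_ip = re.sub(":.*$", "", row["source"])
            DATA = {
                "aid": HONEYPOT["nodeid"],
                "timestamp": row["time"],
                "sadr": source_ip,
                "sipv": "ipv" + ip4or6(source_ip),
                "sprot": "tcp",
                "sport": "",
                "tipv": "ipv" + ip4or6(HONEYPOT["ip"]),
                "tadr": HONEYPOT["ip"],
                "tprot": "tcp",
                "tport": "80",
            }
            REQUEST = {
                "description": "WebHoneypot : Glastopf v3.1",
                "url": urllib.quote(row["request_url"].encode('ascii', 'ignore'))
            }
            if "request_raw" in columns and len(row["request_raw"]) > 0:
                REQUEST["raw"] = base64.encodestring(row["request_raw"].encode('ascii', 'ignore'))
            if "filename" in columns and row["filename"] is not None:
                error, malwarefile = malware(HONEYPOT["malwaredir"], row["filename"], ECFG["del_malware_after_send"])
                if error == 0:
                    REQUEST["binary"] = malwarefile
                else:
                    logme(MODUL, "Mission Malwarefile %s" % row["filename"], ("P1", "LOG"), ECFG)

            # Collect additional Data
            ADATA = {
                "sqliteid": row["id"],
            }
            if "request_method" in columns:
                ADATA["httpmethod"] = row["request_method"]
            if "request_raw" in columns:
                m = re.search(r'Host: (\b.+\b)', row["request_raw"], re.M)
                if m:
                    ADATA["host"] = str(m.group(1))
            if "request_header" in columns:
                # a Host from the parsed header overrides the one from request_raw
                headers = json.loads(row["request_header"])
                if 'Host' in headers:
                    ADATA["host"] = str(headers["Host"])
            if "request_body" in columns:
                if len(row["request_body"]) > 0:
                    ADATA["requestbody"] = row["request_body"]

            # generate template and send — exactly once per row
            esm = buildews(esm, DATA, REQUEST, ADATA)
            jesm = buildjson(jesm, DATA, REQUEST, ADATA)
            countme(MODUL, 'sqliteid', row["id"], ECFG)
            countme(MODUL, 'daycounter', -2, ECFG)
            if ECFG["a.verbose"] is True:
                verbosemode(MODUL, DATA, REQUEST, ADATA)
    finally:
        con.close()

    # flush whatever buildews has not sent yet
    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)
        writejson(jesm)
    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"), ECFG)
    return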
def conpot():
    """Forward Conpot JSON log entries to the EWS backend.

    Reads the Conpot JSON log line by line (``getline``) starting after the
    persisted ``fileline`` position; stops at the first empty line or when
    ``sendlimit`` is reached.  Every parsable line becomes one alert whose
    additional data carries the Conpot event/data type, sensor id, request,
    id and response verbatim.

    NOTE(review): this copy of the function ends inside the read loop — the
    trailing flush (sendews/writejson and the summary log line) that the
    sibling modules have is not part of the file as pasted.
    """
    MODUL = "CONPOT"
    logme(MODUL, "Starting Conpot Modul.", ("P1"), ECFG)
    # collect honeypot config dic
    ITEMS = ("conpot", "nodeid", "logfile")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
    # logfile file exists ?  (logged only: on a missing file getline() yields
    # "" and the loop below ends at once)
    if os.path.isfile(HONEYPOT["logfile"]) is False:
        logme(MODUL, "[ERROR] Missing LogFile " + HONEYPOT["logfile"] + ". Skip !", ("P3", "LOG"), ECFG)
    # count limit
    imin = int(countme(MODUL, 'fileline', -1, ECFG))
    if int(ECFG["sendlimit"]) > 0:
        logme(MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) + ". Adapting to limit!", ("P1"), ECFG)
    # I: lines read this run; x, y: counters maintained by viewcounter
    I = 0
    x = 0
    y = 1
    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""
    while True:
        x, y = viewcounter(MODUL, x, y)
        I += 1
        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break
        line = getline(HONEYPOT["logfile"], (imin + I)).rstrip()
        if len(line) == 0:
            break
        else:
            # parse json; an unparsable line is counted as consumed and skipped
            try:
                content = json.loads(line)
            except ValueError, e:
                logme(MODUL, "Invalid json entry found in line " + str(I) + ", skipping entry.", ("P3"), ECFG)
                countme(MODUL, 'fileline', -2, ECFG)
                countme(MODUL, 'daycounter', -2, ECFG)
                pass  # invalid json
            else:
                # Prepair and collect Alert Data.  The timestamp is re-cut from
                # the fixed positions of the Conpot ISO-style string; the
                # field values are attacker-supplied and passed on as data.
                DATA = {
                    "aid": HONEYPOT["nodeid"],
                    "timestamp": "%s-%s-%s %s" % (content['timestamp'][0:4], content['timestamp'][5:7], content['timestamp'][8:10], content['timestamp'][11:19]),
                    "sadr": "%s" % content['src_ip'],
                    "sipv": "ipv4",
                    "sprot": "tcp",
                    "sport": "%d" % content['src_port'],
                    "tipv": "ipv4",
                    "tadr": "%s" % content['dst_ip'],
                    "tprot": "tcp",
                    "tport": "undefined",
                }
                REQUEST = {
                    "description": "Conpot Honeypot",
                }
                # Collect additional Data
                ADATA = {
                    "conpot_event_type": "%s" % content['event_type'],
                    "conpot_data_type": "%s" % content['data_type'],
                    "conpot_sensor_id": "%s" % content['sensorid'],
                    "conpot_request": "%s" % content['request'],
                    "conpot_id": "%s" % content['id'],
                    "conpot_response": "%s" % content['response']
                }
                # generate template and send
                esm = buildews(esm, DATA, REQUEST, ADATA)
                jesm = buildjson(jesm, DATA, REQUEST, ADATA)
                countme(MODUL, 'fileline', -2, ECFG)
                countme(MODUL, 'daycounter', -2, ECFG)
                if ECFG["a.verbose"] is True:
                    verbosemode(MODUL, DATA, REQUEST, ADATA)
def emobility():
    """Forward new eMobility honeypot log lines to the EWS backend.

    A log line is ``src|dst|url|datetime`` where ``src`` and ``dst`` are
    dotted IPv4 addresses with the port appended as a fifth dotted component,
    and ``datetime`` starts with ``YYYYMMDD`` followed (at offset 9) by the
    time part.  Lines are read with ``getline`` after the persisted
    ``fileline`` position; reading stops at the first empty line or when
    ``sendlimit`` is reached.

    Returns:
        None.
    """
    MODUL = "EMOBILITY"
    logme(MODUL, "Starting eMobility Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("eMobility", "nodeid", "logfile")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
    logfile = HONEYPOT["logfile"]

    # logfile file exists ?  (logged only: on a missing file getline() yields
    # "" and the loop below ends at once)
    if not os.path.isfile(logfile):
        logme(MODUL, "[ERROR] Missing LogFile " + logfile + ". Skip !", ("P3", "LOG"), ECFG)

    # count limit
    imin = int(countme(MODUL, 'fileline', -1, ECFG))
    if int(ECFG["sendlimit"]) > 0:
        logme(MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) + ". Adapting to limit!", ("P1"), ECFG)

    # I: lines read this run; x, y: counters maintained by viewcounter
    I, x, y = 0, 0, 1
    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    while True:
        x, y = viewcounter(MODUL, x, y)
        I += 1
        limit = int(ECFG["sendlimit"])
        if 0 < limit < I:
            break
        line = getline(logfile, (imin + I)).rstrip()
        if not line:
            break

        # Prepair and collect Alert Data: strip "[", "]", "-", ">" first.
        # NOTE(review): the outer re.sub is r' ' -> r' ' in this copy, a no-op;
        # presumably a run-of-spaces collapse whose pattern was mangled with
        # the file's whitespace.  Kept verbatim.
        line = re.sub(r' ', r' ', re.sub(r'[\[\]\-\>]', r'', line))
        srcipandport, dstipandport, url, dateandtime = line.split("|", 3)
        src_parts = srcipandport.split(".")
        dst_parts = dstipandport.split(".")
        DATA = {
            "aid": HONEYPOT["nodeid"],
            "timestamp": "%s-%s-%s %s" % (dateandtime[0:4], dateandtime[4:6], dateandtime[6:8], dateandtime[9:17]),
            "sadr": ".".join(src_parts[0:4]),
            "sipv": "ipv4",
            "sprot": "tcp",
            "sport": src_parts[4],
            "tipv": "ipv4",
            "tadr": ".".join(dst_parts[0:4]),
            "tprot": "tcp",
            "tport": dst_parts[4],
        }
        REQUEST = {
            "description": "eMobility Honeypot",
            "url": urllib.quote(url.encode('ascii', 'ignore'))
        }
        # Collect additional Data: none for this module
        ADATA = {}

        # generate template and send
        esm = buildews(esm, DATA, REQUEST, ADATA)
        jesm = buildjson(jesm, DATA, REQUEST, ADATA)
        countme(MODUL, 'fileline', -2, ECFG)
        countme(MODUL, 'daycounter', -2, ECFG)
        if ECFG["a.verbose"] is True:
            verbosemode(MODUL, DATA, REQUEST, ADATA)

    # Cleaning linecache so the next run re-reads the file from disk
    clearcache()
    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)
        writejson(jesm)
    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 2), ("P2"), ECFG)
    return
def rdpdetect():
    """Forward connection attempts logged by iptables to the EWS backend.

    Reads the iptables log line by line (``getline``) after the persisted
    ``fileline`` position, pulls ``SRC=``, ``PROTO=``, ``SPT=`` and ``DPT=``
    out of each line with regular expressions and skips lines whose ``SRC``
    equals the configured ``targetip``.  The timestamp is cut from the fixed
    positions at the start of the (bracket/dash-stripped) line.  Reading
    stops at the first empty line or when ``sendlimit`` is reached.

    Returns:
        None.
    """
    MODUL = "RDPDETECT"
    logme(MODUL, "Starting RDPDetect Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("rdpdetect", "nodeid", "iptableslog", "targetip")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
    iptableslog = HONEYPOT["iptableslog"]

    # iptables file exists ?  (logged only: on a missing file getline()
    # yields "" and the loop below ends at once)
    if not os.path.isfile(iptableslog):
        logme(MODUL, "[ERROR] Missing Iptables LogFile " + iptableslog + ". Abort !", ("P3", "LOG"), ECFG)

    # count limit
    imin = int(countme(MODUL, 'fileline', -1, ECFG))
    if int(ECFG["sendlimit"]) > 0:
        logme(MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) + ". Adapting to limit!", ("P1"), ECFG)

    # I: lines read this run; x, y: counters maintained by viewcounter
    I, x, y = 0, 0, 1
    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    def field(key, text):
        # value of the first "KEY=value " occurrence; like the original chained
        # .groups()[0] this raises AttributeError when the key is absent
        return re.search(key + '=(.*?) ', text).groups()[0]

    while True:
        x, y = viewcounter(MODUL, x, y)
        I += 1
        limit = int(ECFG["sendlimit"])
        if 0 < limit < I:
            break
        line = getline(iptableslog, (imin + I)).rstrip()
        if not line:
            break

        # strip "[", "]", "-", ">" decorations.
        # NOTE(review): the outer re.sub is r' ' -> r' ' in this copy, a no-op;
        # presumably mangled with the file's whitespace.  Kept verbatim.
        line = re.sub(r' ', r' ', re.sub(r'[\[\]\-\>]', r'', line))
        src = field('SRC', line)
        # lines from the configured targetip are not reported
        # NOTE(review): this skip advances neither 'fileline' nor 'daycounter'
        # via countme, unlike every other consumed line — confirm intent
        if HONEYPOT["targetip"] == src:
            continue

        # Prepair and collect Alert Data; the values are attacker-supplied
        # log fields and are passed on as data only
        proto = field('PROTO', line).lower()
        DATA = {
            "aid": HONEYPOT["nodeid"],
            "timestamp": "%s-%s-%s %s:%s:%s" % (line[0:4], line[4:6], line[6:8], line[9:11], line[12:14], line[15:17]),
            "sadr": src,
            "sipv": "ipv" + ip4or6(src),
            "sprot": proto,
            "sport": field('SPT', line),
            "tipv": "ipv" + ip4or6(ECFG["ip"]),
            "tadr": ECFG["ip"],
            "tprot": proto,
            "tport": field('DPT', line),
        }
        REQUEST = {"description": "RDPDetect"}
        # Collect additional Data: none for this module
        ADATA = {}

        # generate template and send
        esm = buildews(esm, DATA, REQUEST, ADATA)
        jesm = buildjson(jesm, DATA, REQUEST, ADATA)
        countme(MODUL, 'fileline', -2, ECFG)
        countme(MODUL, 'daycounter', -2, ECFG)
        if ECFG["a.verbose"] is True:
            verbosemode(MODUL, DATA, REQUEST, ADATA)

    # Cleaning linecache so the next run re-reads the file from disk
    clearcache()
    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)
        writejson(jesm)
    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 2), ("P2"), ECFG)
    return
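def honeytrap():
    """Forward new Honeytrap attacker-log lines (plus matching payloads) to EWS.

    Two log layouts are supported, chosen by the ``newversion`` config flag:
    ``date time _ source dest ...`` (old) and
    ``date time _ protocol source dest md5 ...`` (new).  With ``newversion``
    the payload directory is first scanned and every file without an
    ``_md5_`` tag is renamed to ``<name>_md5_<hexdigest>``, so that a payload
    can later be matched to its log line by destination port, protocol, date
    and md5.  Lines are read with ``getline`` after the persisted ``fileline``
    position until the first empty line or ``sendlimit``.

    Fixes: the "missing payload" log line referenced an undefined ``row``
    (NameError on that path) and now reports ``mfile``; the md5 pass closes
    each payload file; a log line with too few fields is logged and skipped
    instead of aborting the run; a missing payload directory with
    ``newversion`` returns instead of failing in ``os.listdir``.

    Returns:
        None.
    """
    MODUL = "HONEYTRAP"
    logme(MODUL, "Starting Honeytrap Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("honeytrap", "nodeid", "attackerfile", "payloaddir", "newversion")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
    # the config flag is a string; compare it once, case-insensitively
    newversion = HONEYPOT["newversion"].lower() == "true"

    # Attacking file exists ?
    # NOTE(review): the message says "Abort" but processing continues; on a
    # missing file getline() yields "" and the loop below ends at once.
    if not os.path.isfile(HONEYPOT["attackerfile"]):
        logme(MODUL, "[ERROR] Missing Attacker File " + HONEYPOT["attackerfile"] + ". Abort !", ("P3", "LOG"), ECFG)

    # Payloaddir exist ?
    if not os.path.isdir(HONEYPOT["payloaddir"]):
        logme(MODUL, "[ERROR] Missing Payload Dir " + HONEYPOT["payloaddir"] + ". Abort !", ("P3", "LOG"), ECFG)

    # New Version are use ?  Without the directory os.listdir() below would
    # raise, so abort here as the message says.
    if newversion and not os.path.isdir(HONEYPOT["payloaddir"]):
        logme(MODUL, "[ERROR] Missing Payload Directory " + HONEYPOT["payloaddir"] + ". Abort !", ("P3", "LOG"), ECFG)
        return

    # Calc MD5sum for Payloadfiles: tag every untagged payload with its md5 so
    # the per-line glob below can find it.  Payloads are attacker-supplied
    # bytes; they are only read for hashing here.
    if newversion:
        logme(MODUL, "Calculate MD5sum for Payload Files", ("P2"), ECFG)
        for name in os.listdir(HONEYPOT["payloaddir"]):
            if "_md5_" in name:
                continue
            filein = HONEYPOT["payloaddir"] + os.sep + name
            with open(filein, 'rb') as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            os.rename(filein, filein + "_md5_" + digest)

    # count limit
    imin = int(countme(MODUL, 'fileline', -1, ECFG))
    sendlimit = int(ECFG["sendlimit"])
    if sendlimit > 0:
        logme(MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) + ". Adapting to limit!", ("P1"), ECFG)

    # I: lines read this run; x, y: counters maintained by viewcounter
    I = 0
    x = 0
    y = 1
    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    while True:
        x, y = viewcounter(MODUL, x, y)
        I += 1
        if sendlimit > 0 and I > sendlimit:
            break
        line = getline(HONEYPOT["attackerfile"], (imin + I)).rstrip()
        if len(line) == 0:
            break

        # strip "[", "]", "-", ">" decorations.
        # NOTE(review): the outer re.sub is r' ' -> r' ' in this copy, a no-op;
        # presumably a run-of-spaces collapse mangled with the file's
        # whitespace.  Kept verbatim.
        line = re.sub(r' ', r' ', re.sub(r'[\[\]\-\>]', r'', line))
        try:
            if not newversion:
                logdate, logtime, _, source, dest, _ = line.split(" ", 5)
                protocol = ""
                md5 = ""
            else:
                logdate, logtime, _, protocol, source, dest, md5, _ = line.split(" ", 7)
        except ValueError:
            # too few fields: skip the line the same way the JSON modules skip
            # an unparsable entry, instead of aborting the whole run
            logme(MODUL, "Invalid entry found in line " + str(I) + ", skipping entry.", ("P3"), ECFG)
            countme(MODUL, 'fileline', -2, ECFG)
            countme(MODUL, 'daycounter', -2, ECFG)
            continue

        # Prepair and collect Alert Data: "source"/"dest" are "ip:port".
        # The values are attacker-supplied log fields, passed on as data only.
        source_ip = re.sub(":.*$", "", source)
        dest_ip = re.sub(":.*$", "", dest)
        dest_port = re.sub("^.*:", "", dest)
        DATA = {
            "aid": HONEYPOT["nodeid"],
            "timestamp": "%s-%s-%s %s" % (logdate[0:4], logdate[4:6], logdate[6:8], logtime[0:8]),
            "sadr": source_ip,
            "sipv": "ipv" + ip4or6(source_ip),
            "sprot": protocol,
            "sport": re.sub("^.*:", "", source),
            "tipv": "ipv" + ip4or6(dest_ip),
            "tadr": dest_ip,
            "tprot": protocol,
            "tport": dest_port,
        }
        REQUEST = {"description": "NetworkHoneypot Honeytrap v1.1"}

        # Search for Payload: match on destination port, protocol, date and md5
        if newversion:
            sfile = "from_port_%s-%s_*_%s-%s-%s_md5_%s" % (dest_port, protocol, logdate[0:4], logdate[4:6], logdate[6:8], md5)
            for mfile in os.listdir(HONEYPOT["payloaddir"]):
                if fnmatch.fnmatch(mfile, sfile):
                    error, payloadfile = malware(HONEYPOT["payloaddir"], mfile, False)
                    if error == 0:
                        REQUEST["raw"] = payloadfile
                    else:
                        # was row["filename"]: there is no `row` in this function
                        logme(MODUL, "Mission Malwarefile %s" % mfile, ("P1", "LOG"), ECFG)

        # Collect additional Data: none for this module
        ADATA = {}

        # generate template and send
        esm = buildews(esm, DATA, REQUEST, ADATA)
        jesm = buildjson(jesm, DATA, REQUEST, ADATA)
        countme(MODUL, 'fileline', -2, ECFG)
        countme(MODUL, 'daycounter', -2, ECFG)
        if ECFG["a.verbose"] is True:
            verbosemode(MODUL, DATA, REQUEST, ADATA)

    # Cleaning linecache so the next run re-reads the file from disk
    clearcache()
    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)
        writejson(jesm)
    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 2), ("P2"), ECFG)
    return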
# NOTE(review): fragment of a database-backed module (the def line, MODUL,
# the cursor `c` and `maxid` are defined before this point and are not part
# of this copy; the DATA literal at the end is left open).  Reformatted and
# commented only — no code changed.
return
# window of ids to send this run, from the persisted counter up to maxid
imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)), int(maxid), ECFG)
# read alerts from database.  `%s` is the DB-API "format" paramstyle here
# (values are passed as the second argument of execute), not %-formatting
# into the query text.
c.execute("SELECT * from log where id > %s and id <= %s;", (imin, imax))
rows = c.fetchall()
# counter inits (x, y maintained by viewcounter)
x = 0
y = 1
esm = ewsauth(ECFG["username"], ECFG["token"])
jesm = ""
for row in rows:
    x, y = viewcounter(MODUL, x, y)
    # filter nagios checks
    # NOTE(review): the counter read above is 'sqliteid' but this skip
    # advances 'mysqlid' — confirm the two keys are meant to differ
    if row["req"] == "/index.do?hash=DEADBEEF&activate=1":
        countme(MODUL, 'mysqlid', row["id"], ECFG)
        continue
    # Prepair and collect Alert Data (fragment ends here; literal not closed)
    DATA = {
def rdpdetect():
    """Forward iptables-logged connection attempts to the EWS backend.

    Older revision of the module (no linecache reset, ``jesm`` is a list).
    Reads the iptables log from the persisted ``fileline`` position, extracts
    ``SRC``/``PROTO``/``SPT``/``DPT`` by regular expression, skips lines whose
    ``SRC`` equals the configured ``targetip``, and posts one alert per line
    until the first empty line or ``sendlimit``.

    Returns:
        None.
    """
    MODUL = "RDPDETECT"
    logme(MODUL, "Starting RDPDetect Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("rdpdetect", "nodeid", "iptableslog", "targetip")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    # iptables file exists ?  (logged only: on a missing file getline()
    # yields "" and the loop below ends at once)
    if not os.path.isfile(HONEYPOT["iptableslog"]):
        logme(MODUL, "[ERROR] Missing Iptables LogFile " + HONEYPOT["iptableslog"] + ". Abort !", ("P3", "LOG"), ECFG)

    # count limit
    imin = int(countme(MODUL, 'fileline', -1, ECFG))
    if int(ECFG["sendlimit"]) > 0:
        logme(MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) + ". Adapting to limit!", ("P1"), ECFG)

    # lineno: lines read this run; x, y: counters maintained by viewcounter
    lineno = 0
    x = 0
    y = 1
    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = []

    # regexes for the "KEY=value " fields of an iptables log line
    src_re = re.compile('SRC=(.*?) ')
    proto_re = re.compile('PROTO=(.*?) ')
    spt_re = re.compile('SPT=(.*?) ')
    dpt_re = re.compile('DPT=(.*?) ')

    while True:
        x, y = viewcounter(MODUL, x, y)
        lineno += 1
        if int(ECFG["sendlimit"]) > 0 and lineno > int(ECFG["sendlimit"]):
            break
        line = getline(HONEYPOT["iptableslog"], (imin + lineno)).rstrip()
        if len(line) == 0:
            break

        # strip "[", "]", "-", ">" decorations.
        # NOTE(review): the outer re.sub is r' ' -> r' ' in this copy, a no-op;
        # presumably mangled with the file's whitespace.  Kept verbatim.
        line = re.sub(r' ', r' ', re.sub(r'[\[\]\-\>]', r'', line))
        # .groups()[0] on a None match raises AttributeError, as before
        src = src_re.search(line).groups()[0]
        # NOTE(review): this skip does not call countme for the line — confirm intent
        if HONEYPOT["targetip"] == src:
            continue

        # Prepair and collect Alert Data; attacker-supplied fields, data only
        proto = proto_re.search(line).groups()[0].lower()
        DATA = {
            "aid": HONEYPOT["nodeid"],
            "timestamp": "%s-%s-%s %s:%s:%s" % (line[0:4], line[4:6], line[6:8], line[9:11], line[12:14], line[15:17]),
            "sadr": src,
            "sipv": "ipv" + ip4or6(src),
            "sprot": proto,
            "sport": spt_re.search(line).groups()[0],
            "tipv": "ipv" + ip4or6(ECFG["ip"]),
            "tadr": ECFG["ip"],
            "tprot": proto,
            "tport": dpt_re.search(line).groups()[0],
        }
        REQUEST = {"description": "RDPDetect"}
        # Collect additional Data: none for this module
        ADATA = {}

        # generate template and send
        esm = buildews(esm, DATA, REQUEST, ADATA)
        jesm = buildjson(jesm, DATA, REQUEST, ADATA)
        countme(MODUL, 'fileline', -2, ECFG)
        countme(MODUL, 'daycounter', -2, ECFG)
        if ECFG["a.verbose"] is True:
            verbosemode(MODUL, DATA, REQUEST, ADATA)

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)
        writejson(jesm)
    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 2), ("P2"), ECFG)
    return
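def honeytrap():
    """Forward new Honeytrap attacker-log lines (plus matching payloads) to EWS.

    Older revision of the module (``jesm`` is a list, no linecache reset).
    Two log layouts are supported, chosen by the ``newversion`` config flag:
    ``date time _ source dest ...`` (old) and
    ``date time _ protocol source dest md5 ...`` (new).  With ``newversion``
    every untagged file in the payload directory is first renamed to
    ``<name>_md5_<hexdigest>`` so a payload can be matched to its log line by
    destination port, protocol, date and md5.

    Fixes: the "missing payload" log line referenced an undefined ``row``
    (NameError on that path) and now reports ``mfile``; the md5 pass closes
    each payload file; a line with too few fields is logged and skipped
    instead of aborting the run; a missing payload directory with
    ``newversion`` returns instead of failing in ``os.listdir``.

    Returns:
        None.
    """
    MODUL = "HONEYTRAP"
    logme(MODUL, "Starting Honeytrap Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("honeytrap", "nodeid", "attackerfile", "payloaddir", "newversion")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
    payloaddir = HONEYPOT["payloaddir"]
    use_newversion = HONEYPOT["newversion"].lower() == "true"

    # Attacking file exists ?
    # NOTE(review): logs "Abort" but continues; on a missing file getline()
    # yields "" and the loop below ends at once.
    if not os.path.isfile(HONEYPOT["attackerfile"]):
        logme(MODUL, "[ERROR] Missing Attacker File " + HONEYPOT["attackerfile"] + ". Abort !", ("P3", "LOG"), ECFG)

    # Payloaddir exist ?
    if not os.path.isdir(payloaddir):
        logme(MODUL, "[ERROR] Missing Payload Dir " + payloaddir + ". Abort !", ("P3", "LOG"), ECFG)

    # New Version are use ?  os.listdir() below would raise without the
    # directory, so abort here as the message says.
    if use_newversion and not os.path.isdir(payloaddir):
        logme(MODUL, "[ERROR] Missing Payload Directory " + payloaddir + ". Abort !", ("P3", "LOG"), ECFG)
        return

    # Calc MD5sum for Payloadfiles (attacker-supplied bytes, only hashed here)
    if use_newversion:
        logme(MODUL, "Calculate MD5sum for Payload Files", ("P2"), ECFG)
        untagged = [i for i in os.listdir(payloaddir) if "_md5_" not in i]
        for i in untagged:
            filein = payloaddir + os.sep + i
            with open(filein, 'rb') as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            os.rename(filein, filein + "_md5_" + digest)

    # count limit
    imin = int(countme(MODUL, 'fileline', -1, ECFG))
    if int(ECFG["sendlimit"]) > 0:
        logme(MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) + ". Adapting to limit!", ("P1"), ECFG)

    # I: lines read this run; x, y: counters maintained by viewcounter
    I = 0
    x = 0
    y = 1
    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = []

    while True:
        x, y = viewcounter(MODUL, x, y)
        I += 1
        if int(ECFG["sendlimit"]) > 0 and I > int(ECFG["sendlimit"]):
            break
        line = getline(HONEYPOT["attackerfile"], (imin + I)).rstrip()
        if len(line) == 0:
            break

        # strip "[", "]", "-", ">" decorations.
        # NOTE(review): the outer re.sub is r' ' -> r' ' in this copy, a no-op;
        # presumably mangled with the file's whitespace.  Kept verbatim.
        line = re.sub(r' ', r' ', re.sub(r'[\[\]\-\>]', r'', line))
        try:
            if use_newversion:
                logdate, logtime, _, protocol, source, dest, md5, _ = line.split(" ", 7)
            else:
                logdate, logtime, _, source, dest, _ = line.split(" ", 5)
                protocol = ""
                md5 = ""
        except ValueError:
            # too few fields: skip the line as the JSON modules skip an
            # unparsable entry, instead of aborting the whole run
            logme(MODUL, "Invalid entry found in line " + str(I) + ", skipping entry.", ("P3"), ECFG)
            countme(MODUL, 'fileline', -2, ECFG)
            countme(MODUL, 'daycounter', -2, ECFG)
            continue

        # Prepair and collect Alert Data: "source"/"dest" are "ip:port";
        # attacker-supplied fields, passed on as data only
        source_ip = re.sub(":.*$", "", source)
        dest_ip = re.sub(":.*$", "", dest)
        dest_port = re.sub("^.*:", "", dest)
        DATA = {
            "aid": HONEYPOT["nodeid"],
            "timestamp": "%s-%s-%s %s" % (logdate[0:4], logdate[4:6], logdate[6:8], logtime[0:8]),
            "sadr": source_ip,
            "sipv": "ipv" + ip4or6(source_ip),
            "sprot": protocol,
            "sport": re.sub("^.*:", "", source),
            "tipv": "ipv" + ip4or6(dest_ip),
            "tadr": dest_ip,
            "tprot": protocol,
            "tport": dest_port,
        }
        REQUEST = {"description": "NetworkHoneypot Honeytrap vX.x"}

        # Search for Payload: match on destination port, protocol, date and md5
        if use_newversion:
            sfile = "from_port_%s-%s_*_%s-%s-%s_md5_%s" % (dest_port, protocol, logdate[0:4], logdate[4:6], logdate[6:8], md5)
            for mfile in os.listdir(payloaddir):
                if not fnmatch.fnmatch(mfile, sfile):
                    continue
                error, payloadfile = malware(payloaddir, mfile, False)
                if error == 0:
                    REQUEST["raw"] = payloadfile
                else:
                    # was row["filename"]: there is no `row` in this function
                    logme(MODUL, "Mission Malwarefile %s" % mfile, ("P1", "LOG"), ECFG)

        # Collect additional Data: none for this module
        ADATA = {}

        # generate template and send
        esm = buildews(esm, DATA, REQUEST, ADATA)
        jesm = buildjson(jesm, DATA, REQUEST, ADATA)
        countme(MODUL, 'fileline', -2, ECFG)
        countme(MODUL, 'daycounter', -2, ECFG)
        if ECFG["a.verbose"] is True:
            verbosemode(MODUL, DATA, REQUEST, ADATA)

    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)
        writejson(jesm)
    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 2), ("P2"), ECFG)
    return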
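def dionaea():
    """Forward new Dionaea connections from its SQLite log to the EWS backend.

    Older revision of the module (``jesm`` is a list).  Selects the
    ``connections`` rows in the id window that ``calcminmax`` derives from
    the persisted ``sqliteid`` counter, builds one alert per row and attaches
    the sample from ``downloads`` when one is recorded for the connection.

    Fixes: the "missing sample" log line indexed ``row["filename"]`` — a
    column the ``connections`` row does not carry (the lookup raised instead
    of logging) — and now reports the md5 it actually looked up; the sqlite
    connection is closed on every exit path.

    Returns:
        None.  Returns early, after logging, when the sqlite file is missing
        or the ``connections`` table is empty.
    """
    MODUL = "DIONAEA"
    logme(MODUL, "Starting Dionaea Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("dionaea", "nodeid", "sqlitedb", "malwaredir")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    # Malwaredir exist ?
    # NOTE(review): logs "Abort" but continues; a row with a download would
    # then fail inside malware().  Kept — confirm whether a return was meant.
    if not os.path.isdir(HONEYPOT["malwaredir"]):
        logme(MODUL, "[ERROR] Missing Malware Dir " + HONEYPOT["malwaredir"] + ". Abort !", ("P3", "LOG"), ECFG)

    # is sqlitedb exist ?
    if not os.path.isfile(HONEYPOT["sqlitedb"]):
        logme(MODUL, "[ERROR] Missing sqlitedb file " + HONEYPOT["sqlitedb"] + ". Abort !", ("P3", "LOG"), ECFG)
        return

    # open database; the finally closes it on the early return and on errors
    con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
    con.row_factory = sqlite3.Row
    try:
        c = con.cursor()

        # calculate send limit
        c.execute("SELECT max(connection) from connections;")
        maxid = c.fetchone()["max(connection)"]
        if maxid is None:
            logme(MODUL, "[ERROR] No entry's in Dionaea Database. Abort!", ("P2", "LOG"), ECFG)
            return
        imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)), int(maxid), ECFG)

        # read alerts from database (bound parameters)
        c.execute("SELECT * from connections where connection > ? and connection <= ?;", (imin, imax,))
        rows = c.fetchall()

        # counter inits (x, y maintained by viewcounter; used in the summary)
        x = 0
        y = 1
        esm = ewsauth(ECFG["username"], ECFG["token"])
        jesm = []

        for row in rows:
            x, y = viewcounter(MODUL, x, y)

            # filter empty remote_host: mark the row as done and move on
            if row["remote_host"] == "":
                countme(MODUL, 'sqliteid', row["connection"], ECFG)
                continue

            # Prepair and collect Alert Data (attacker-controlled connection
            # fields, passed on as data only)
            remote_host = str(row["remote_host"])
            local_host = str(row["local_host"])
            connection_type = str(row["connection_type"])
            DATA = {
                "aid": HONEYPOT["nodeid"],
                "timestamp": datetime.fromtimestamp(int(row["connection_timestamp"])).strftime('%Y-%m-%d %H:%M:%S'),
                "sadr": remote_host,
                "sipv": "ipv" + ip4or6(remote_host),
                "sprot": connection_type,
                "sport": str(row["remote_port"]),
                "tipv": "ipv" + ip4or6(local_host),
                "tadr": local_host,
                "tprot": connection_type,
                "tport": str(row["local_port"]),
            }
            REQUEST = {
                "description": "Network Honeyport Dionaea vX.x",
            }

            # Check for malware bin's: attach the sample recorded for this connection
            c.execute("SELECT download_md5_hash from downloads where connection = ?;", (str(row["connection"]),))
            check = c.fetchone()
            if check is not None:
                error, malwarefile = malware(HONEYPOT["malwaredir"], check[0], ECFG["del_malware_after_send"])
                if error == 0:
                    REQUEST["binary"] = malwarefile
                else:
                    # was row["filename"]; connections rows have no such column
                    logme(MODUL, "Mission Malwarefile %s" % check[0], ("P1", "LOG"), ECFG)

            # Collect additional Data
            ADATA = {
                "sqliteid": str(row["connection"]),
            }

            # generate template and send
            esm = buildews(esm, DATA, REQUEST, ADATA)
            jesm = buildjson(jesm, DATA, REQUEST, ADATA)
            countme(MODUL, 'sqliteid', row["connection"], ECFG)
            countme(MODUL, 'daycounter', -2, ECFG)
            if ECFG["a.verbose"] is True:
                verbosemode(MODUL, DATA, REQUEST, ADATA)
    finally:
        con.close()

    # flush whatever buildews has not sent yet
    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)
        writejson(jesm)
    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"), ECFG)
    return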
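def glastopfv3():
    """Forward new Glastopf v3 events from its SQLite log to the EWS backend.

    Older revision of the module (``jesm`` is a list; url/raw are not
    ascii-filtered).  Selects the ``events`` rows in the id window that
    ``calcminmax`` derives from the persisted ``sqliteid`` counter, drops the
    root-path and Nagios check requests and builds one alert per remaining
    row (url, raw request, optional RFI sample, HTTP method, Host header and
    body as additional data).

    Fix: the sqlite connection is now closed on every exit path (it leaked
    on the "no entries" return and on any exception in the row loop).

    Returns:
        None.  Returns early, after logging, when the sqlite file is missing
        or the ``events`` table is empty.
    """
    MODUL = "GLASTOPFV3"
    logme(MODUL, "Starting Glastopf V3.x Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("glastopfv3", "nodeid", "sqlitedb", "malwaredir")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])
    # "false"/"null" in the module config means: use the global ip
    HONEYPOT["ip"] = readonecfg(MODUL, "ip", ECFG["cfgfile"])
    if HONEYPOT["ip"].lower() in ("false", "null"):
        HONEYPOT["ip"] = ECFG["ip"]

    # Malwaredir exist ?  Deliberately not checked: Glastopf creates the RFI
    # directory only when the first RFI sample is downloaded.

    # is sqlitedb exist ?
    if not os.path.isfile(HONEYPOT["sqlitedb"]):
        logme(MODUL, "[ERROR] Missing sqlitedb file " + HONEYPOT["sqlitedb"] + ". Abort !", ("P3", "LOG"), ECFG)
        return

    # open database; closed by the finally on every exit path
    con = sqlite3.connect(HONEYPOT["sqlitedb"], 30)
    con.row_factory = sqlite3.Row
    try:
        c = con.cursor()

        # calculate send limit
        c.execute("SELECT max(id) from events")
        maxid = c.fetchone()["max(id)"]
        if maxid is None:
            logme(MODUL, "[ERROR] No entry's in Glastopf Database. Abort!", ("P2", "LOG"), ECFG)
            return
        imin, imax = calcminmax(MODUL, int(countme(MODUL, 'sqliteid', -1, ECFG)), int(maxid), ECFG)

        # read alerts from database (bound parameters)
        c.execute("SELECT * from events where id > ? and id <= ?;", (imin, imax))
        rows = c.fetchall()

        # counter inits (x, y maintained by viewcounter; used in the summary)
        x = 0
        y = 1
        esm = ewsauth(ECFG["username"], ECFG["token"])
        jesm = []

        for row in rows:
            x, y = viewcounter(MODUL, x, y)
            columns = row.keys()

            # filter empty requests and nagios checks
            if row["request_url"] == os.sep or row["request_url"] == "/index.do?hash=DEADBEEF&activate=1":
                countme(MODUL, 'sqliteid', row["id"], ECFG)
                continue

            # Prepair and collect Alert Data.  "source" is "ip:port"; the port
            # is stripped.  Request fields are attacker-supplied, data only.
            source_ip = re.sub(":.*$", "", row["source"])
            DATA = {
                "aid": HONEYPOT["nodeid"],
                "timestamp": row["time"],
                "sadr": source_ip,
                "sipv": "ipv" + ip4or6(source_ip),
                "sprot": "tcp",
                "sport": "",
                "tipv": "ipv" + ip4or6(HONEYPOT["ip"]),
                "tadr": HONEYPOT["ip"],
                "tprot": "tcp",
                "tport": "80",
            }
            REQUEST = {
                "description": "WebHoneypot : Glastopf v3.1",
                "url": urllib.quote(row["request_url"])
            }
            if "request_raw" in columns and len(row["request_raw"]) > 0:
                # NOTE(review): encodestring (line-wrapped base64) is what the
                # backend currently receives; standard_b64encode was tried earlier
                REQUEST["raw"] = base64.encodestring(row["request_raw"])
            if "filename" in columns and row["filename"] is not None:
                error, malwarefile = malware(HONEYPOT["malwaredir"], row["filename"], ECFG["del_malware_after_send"])
                if error == 0:
                    REQUEST["binary"] = malwarefile
                else:
                    logme(MODUL, "Mission Malwarefile %s" % row["filename"], ("P1", "LOG"), ECFG)

            # Collect additional Data
            ADATA = {
                "sqliteid": row["id"],
            }
            if "request_method" in columns:
                ADATA["httpmethod"] = row["request_method"]
            if "request_raw" in columns:
                m = re.search(r'Host: (\b.+\b)', row["request_raw"], re.M)
                if m:
                    ADATA["host"] = str(m.group(1))
            if "request_header" in columns:
                # a Host from the parsed header overrides the one from request_raw
                headers = json.loads(row["request_header"])
                if 'Host' in headers:
                    ADATA["host"] = str(headers["Host"])
            if "request_body" in columns:
                if len(row["request_body"]) > 0:
                    ADATA["requestbody"] = row["request_body"]

            # generate template and send
            esm = buildews(esm, DATA, REQUEST, ADATA)
            jesm = buildjson(jesm, DATA, REQUEST, ADATA)
            countme(MODUL, 'sqliteid', row["id"], ECFG)
            countme(MODUL, 'daycounter', -2, ECFG)
            if ECFG["a.verbose"] is True:
                verbosemode(MODUL, DATA, REQUEST, ADATA)
    finally: 
        con.close()

    # flush whatever buildews has not sent yet
    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)
        writejson(jesm)
    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 1), ("P2"), ECFG)
    return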
# NOTE(review): fragment of a database-backed module (the def line, MODUL,
# the cursor `c` and `maxid` are defined before this point and are not part
# of this copy; the DATA literal at the end is left open).  Reformatted and
# commented only — no code changed.
if maxid is None:
    logme(MODUL,"[ERROR] No entry's in Glastopf Database. Abort!",("P2","LOG"),ECFG)
    return
# window of ids to send this run, from the persisted counter up to maxid
imin, imax = calcminmax(MODUL,int(countme(MODUL,'sqliteid',-1,ECFG)),int(maxid),ECFG)
# read alerts from database.  `%s` is the DB-API "format" paramstyle here
# (values are passed as the second argument of execute), not %-formatting
# into the query text.
c.execute("SELECT * from log where id > %s and id <= %s;",(imin,imax))
rows = c.fetchall()
# counter inits (x, y maintained by viewcounter)
x = 0 ; y = 1
esm = ewsauth(ECFG["username"],ECFG["token"])
jesm = [ ]
for row in rows:
    x,y = viewcounter(MODUL,x,y)
    # filter nagios checks
    # NOTE(review): the counter read above is 'sqliteid' but this skip
    # advances 'mysqlid' — confirm the two keys are meant to differ
    if row["req"] == "/index.do?hash=DEADBEEF&activate=1":
        countme(MODUL,'mysqlid',row["id"],ECFG)
        continue
    # Prepair and collect Alert Data (fragment ends here; literal not closed)
    DATA = {
def emobility():
    """Forward new eMobility honeypot log lines to the EWS backend.

    Older revision of the module.  A log line is ``src|dst|url|datetime``:
    ``src``/``dst`` are dotted IPv4 addresses with the port as a fifth dotted
    component, ``datetime`` starts with ``YYYYMMDD`` and carries the time at
    offset 9.  Lines are read with ``getline`` after the persisted
    ``fileline`` position until the first empty line or ``sendlimit``.

    Returns:
        None.
    """
    MODUL = "EMOBILITY"
    logme(MODUL, "Starting eMobility Modul.", ("P1"), ECFG)

    # collect honeypot config dic
    ITEMS = ("eMobility", "nodeid", "logfile")
    HONEYPOT = readcfg(MODUL, ITEMS, ECFG["cfgfile"])

    # logfile file exists ?  (logged only: on a missing file getline() yields
    # "" and the loop below ends at once)
    if not os.path.isfile(HONEYPOT["logfile"]):
        logme(MODUL, "[ERROR] Missing LogFile " + HONEYPOT["logfile"] + ". Skip !", ("P3", "LOG"), ECFG)

    # count limit
    imin = int(countme(MODUL, 'fileline', -1, ECFG))
    if int(ECFG["sendlimit"]) > 0:
        logme(MODUL, "Send Limit is set to : " + str(ECFG["sendlimit"]) + ". Adapting to limit!", ("P1"), ECFG)

    # lineno: lines read this run; x, y: counters maintained by viewcounter
    lineno = 0
    x = 0
    y = 1
    esm = ewsauth(ECFG["username"], ECFG["token"])
    jesm = ""

    def dotted_ip(parts):
        # first four dotted components; the fifth is the port
        return "%s.%s.%s.%s" % (parts[0], parts[1], parts[2], parts[3])

    while True:
        x, y = viewcounter(MODUL, x, y)
        lineno += 1
        if int(ECFG["sendlimit"]) > 0 and lineno > int(ECFG["sendlimit"]):
            break
        line = getline(HONEYPOT["logfile"], (imin + lineno)).rstrip()
        if len(line) == 0:
            break

        # Prepair and collect Alert Data: strip "[", "]", "-", ">" first.
        # NOTE(review): the outer re.sub is r' ' -> r' ' in this copy, a no-op;
        # presumably mangled with the file's whitespace.  Kept verbatim.
        line = re.sub(r' ', r' ', re.sub(r'[\[\]\-\>]', r'', line))
        srcipandport, dstipandport, url, dateandtime = line.split("|", 3)
        src_parts = srcipandport.split(".")
        dst_parts = dstipandport.split(".")
        DATA = {
            "aid": HONEYPOT["nodeid"],
            "timestamp": "%s-%s-%s %s" % (dateandtime[0:4], dateandtime[4:6], dateandtime[6:8], dateandtime[9:17]),
            "sadr": dotted_ip(src_parts),
            "sipv": "ipv4",
            "sprot": "tcp",
            "sport": src_parts[4],
            "tipv": "ipv4",
            "tadr": dotted_ip(dst_parts),
            "tprot": "tcp",
            "tport": dst_parts[4],
        }
        REQUEST = {
            "description": "eMobility Honeypot",
            "url": urllib.quote(url.encode('ascii', 'ignore'))
        }
        # Collect additional Data: none for this module
        ADATA = {}

        # generate template and send
        esm = buildews(esm, DATA, REQUEST, ADATA)
        jesm = buildjson(jesm, DATA, REQUEST, ADATA)
        countme(MODUL, 'fileline', -2, ECFG)
        countme(MODUL, 'daycounter', -2, ECFG)
        if ECFG["a.verbose"] is True:
            verbosemode(MODUL, DATA, REQUEST, ADATA)

    # Cleaning linecache so the next run re-reads the file from disk
    clearcache()
    if int(esm.xpath('count(//Alert)')) > 0:
        sendews(esm)
        writejson(jesm)
    if y > 1:
        logme(MODUL, "%s EWS alert records send ..." % (x + y - 2), ("P2"), ECFG)
    return