Reversedns (#1064)

* structured logging for PTR logs, bugfix for timeout
2019-03-19 16:38:52 +04:00 · 2019-03-19 16:38:52 +04:00 · 2220afbc86
parent bf46431456
commit 2220afbc86
2 changed files with 15 additions and 9 deletions
--- a/src/cowrie/commands/ssh.py
+++ b/src/cowrie/commands/ssh.py
@ -49,7 +49,7 @@ class command_ssh(HoneyPotCommand):
            if opt[0] == '-V':
                self.write(CONFIG.get('shell', 'ssh_version',
                                      fallback="OpenSSH_7.9p1, \
-                                      OpenSSL 1.1.1a  20 Nov 2018\n"))
+                                      OpenSSL 1.1.1a  20 Nov 2018")+"\n")
                self.exit()
                return
        if not len(args):
--- a/src/cowrie/output/reversedns.py
+++ b/src/cowrie/output/reversedns.py
@ -13,7 +13,7 @@ class Output(cowrie.core.output.Output):
    """

    def __init__(self):
-        self.timeout = CONFIG.getint('output_reversedns', 'timeout', fallback=3)
+        self.timeout = [CONFIG.getint('output_reversedns', 'timeout', fallback=3)]
        cowrie.core.output.Output.__init__(self)

    def start(self):
@ -30,29 +30,35 @@ class Output(cowrie.core.output.Output):

    def write(self, entry):
        if entry['eventid'] == 'cowrie.session.connect':
-            self.reversedns(entry['src_ip'])
+            self.reversedns(entry)

-    def reversedns(self, addr):
+    def reversedns(self, entry):
        """
        Perform a reverse DNS lookup on an IP

        Arguments:
            addr -- IPv4 Address
        """
-        ptr = self.reverseNameFromIPAddress(addr)
+        src_ip = entry['src_ip']
+        ptr = self.reverseNameFromIPAddress(src_ip)
        d = client.lookupPointer(ptr, timeout=self.timeout)

        def cbError(failure):
-            log.msg("reversedns: Error in lookup")
+            log.msg("reversedns: Error in lookup for {}".format(src_ip))
            failure.printTraceback()

        def processResult(result):
            """
            Process the lookup result
            """
-            RR = result[0][0]
-            log.msg("Reverse DNS record for ip={0}: {1}".format(
-                addr, RR.payload))
+            payload = result[0][0].payload
+            log.msg(
+                eventid='cowrie.reversedns.ptr',
+                session=entry['session'],
+                format="reversedns: PTR record for IP %(src_ip)s is %(ptr)s ttl=%(ttl)i",
+                src_ip=src_ip,
+                ptr=str(payload.name).decode('ascii'),
+                ttl=payload.ttl)

        d.addCallback(processResult)
        d.addErrback(cbError)