From 616f2b745c75a7962791e6e1a6d6c7cf654b947b Mon Sep 17 00:00:00 2001
From: Michel Oosterhof <michel@oosterhof.net>
Date: Tue, 10 Mar 2015 10:36:38 +0000
Subject: [PATCH] remove isError, system, cache IP in output module

---
 kippo/core/output.py | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/kippo/core/output.py b/kippo/core/output.py
index a1a6ff64..1f1dad06 100644
--- a/kippo/core/output.py
+++ b/kippo/core/output.py
@@ -57,6 +57,7 @@ class Output(object):
     def __init__(self, cfg):
         self.cfg = cfg
         self.sessions = {}
+        self.ips = {}
         self.re_sessionlog = re.compile(
             '.*HoneyPotTransport,([0-9]+),[0-9.]+$')
         if self.cfg.has_option('honeypot', 'sensor_name'):
@@ -105,7 +106,10 @@ class Output(object):
             return
 
         ev = copy.copy(event)
-        del ev['isError']
+
+        if 'isError' in ev:
+            del ev['isError']
+        ev['sensor'] = self.sensor
 
         # add ISO timestamp and sensor data
         if not 'time' in ev:
@@ -114,9 +118,7 @@ class Output(object):
             ev['timestamp'] = datetime.datetime.fromtimestamp(ev['time']).isoformat() + 'Z'
             del ev['time']
 
-        ev['sensor'] = self.sensor
-
-        # disconnection is special, add the tty log
+        # on disconnect, add the tty log
         #if ev['eventid'] == 'KIPP0012':
             # FIXME: file is read for each output plugin
             #f = file(ev['ttylog'])
@@ -136,11 +138,20 @@ class Output(object):
             sessionno = int(match.groups()[0])
             del ev['system']
 
+        if sessionno in self.ips:
+            ev['src_ip'] = self.ips[sessionno]
+
         # connection event is special. adds to session list
         if ev['eventid'] == 'KIPP0001':
             self.sessions[sessionno] = uuid.uuid4().hex
+            self.ips[sessionno] = ev['src_ip']
+            del ev['system']
 
         self.handleLog( self.sessions[sessionno], ev )
-        # print "error calling handleLog for event  %s" % repr(ev)
+
+        # disconnect is special, remove cached data
+        if ev['eventid'] == 'KIPP0011':
+            del self.sessions[sessionno]
+            del self.ips[sessionno]
 
 # vim: set sw=4 et: