From 8307b86e4da82d0443558ebc85a64544a5c81468 Mon Sep 17 00:00:00 2001
From: fe7ch
Date: Sat, 28 Jan 2017 10:55:14 +0300
Subject: [PATCH] Remove empty tftp files, double logging fix (#430)
* Remove empty tftp files, double logging fix
* Remove duplicate of os.symlink() call, add transportID, sessionID to safeoutfile name
* Remove empty file in case of exception
---
 cowrie/commands/tftp.py | 61 ++++++++++++++++++++++-------------------
 1 file changed, 33 insertions(+), 28 deletions(-)
diff --git a/cowrie/commands/tftp.py b/cowrie/commands/tftp.py
index dc1a39fa..e4191e17 100644
--- a/cowrie/commands/tftp.py
+++ b/cowrie/commands/tftp.py
@@ -56,10 +56,12 @@ class command_tftp(HoneyPotCommand):
 self.download_path = cfg.get('honeypot', 'download_path')
- self.safeoutfile = '%s/%s_%s' % \
- (self.download_path,
- time.strftime('%Y%m%d%H%M%S'),
- re.sub('[^A-Za-z0-9]', '_', self.file_to_get))
+ tmp_fname = '%s_%s_%s_%s' % \
+ (time.strftime('%Y%m%d%H%M%S'),
+ self.protocol.getProtoTransport().transportId,
+ self.protocol.terminal.transport.session.id,
+ re.sub('[^A-Za-z0-9]', '_', self.file_to_get))
+ self.safeoutfile = os.path.join(self.download_path, tmp_fname)
 try:
 tclient.download(self.file_to_get, self.safeoutfile, progresshook)
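Review bot: The last component of `tmp_fname` is the whole sanitised `self.file_to_get` with no length cap, so a long requested name can push the on-disk name past the 255-byte limit most filesystems place on a single path component. The character whitelist already keeps separators and dots out of the name; bounding it as well, e.g. `re.sub('[^A-Za-z0-9]', '_', self.file_to_get)[:64]`, keeps the download path valid for any client-supplied name. The handlers visible in the next hunk catch only `tftpy.TftpException` and `KeyboardInterrupt`, so a failed open inside `tclient.download` would presumably not be handled here. The `try:` opened at the end of this hunk continues outside it.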
@@ -67,38 +69,41 @@ class command_tftp(HoneyPotCommand):
 self.fs.mkfile(self.file_to_get, 0, 0, tclient.context.metrics.bytes, 33188)
 self.fs.update_realfile(self.fs.getfile(self.file_to_get), self.safeoutfile)
- shasum = hashlib.sha256(open(self.safeoutfile, 'rb').read()).hexdigest()
- hash_path = '%s/%s' % (self.download_path, shasum)
+ if os.path.exists(self.safeoutfile):
- # If we have content already, delete temp file
- if not os.path.exists(hash_path):
- os.rename(self.safeoutfile, hash_path)
- else:
- os.remove(self.safeoutfile)
- log.msg("Not storing duplicate content " + shasum)
+ if os.path.getsize(self.safeoutfile) == 0:
+ os.remove(self.safeoutfile)
+ self.safeoutfile = None
+ return
- log.msg(eventid='cowrie.session.file_download',
- format='Downloaded tftpFile (%(url)s) with SHA-256 %(shasum)s to %(outfile)s',
- url=self.file_to_get,
- outfile=hash_path,
- shasum=shasum)
+ with open(self.safeoutfile, 'rb') as f:
+ shasum = hashlib.sha256(f.read()).hexdigest()
+ hash_path = os.path.join(self.download_path, shasum)
- # Link friendly name to hash
- os.symlink(shasum, self.safeoutfile)
+ # If we have content already, delete temp file
+ if not os.path.exists(hash_path):
+ os.rename(self.safeoutfile, hash_path)
+ else:
+ os.remove(self.safeoutfile)
+ log.msg("Not storing duplicate content " + shasum)
- # FIXME: is this necessary?
- self.safeoutfile = hash_path
+ log.msg(eventid='cowrie.session.file_download',
+ format='Downloaded tftpFile (%(url)s) with SHA-256 %(shasum)s to %(outfile)s',
+ url=self.file_to_get,
+ outfile=hash_path,
+ shasum=shasum)
- # Update the honeyfs to point to downloaded file
- f = self.fs.getfile(self.file_to_get)
- f[A_REALFILE] = hash_path
+ # Link friendly name to hash
+ os.symlink(shasum, self.safeoutfile)
- log.msg(eventid='cowrie.session.file_download',
- format='Downloaded tftpFile to %(outfile)s',
- outfile=self.safeoutfile
- )
+ # Update the honeyfs to point to downloaded file
+ f = self.fs.getfile(self.file_to_get)
+ f[A_REALFILE] = hash_path
 except tftpy.TftpException, err:
+ if os.path.exists(self.safeoutfile):
+ if os.path.getsize(self.safeoutfile) == 0:
+ os.remove(self.safeoutfile)
 return
 except KeyboardInterrupt:
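Review bot: The zero-length branch deletes `self.safeoutfile` and returns after `self.fs.mkfile(...)` and `self.fs.update_realfile(...)` at the top of the hunk have already run, so the honeyfs entry is left pointing at a path that no longer exists (the page has lost indentation, so this assumes the size check sits inside the new `if os.path.exists(...)` block). Doing the existence and size check before `self.fs.mkfile(...)`, or undoing the entry in that branch, avoids a fake file backed by nothing. `hashlib.sha256(f.read())` still loads the entire remote-supplied file into memory; hashing in chunks, `h = hashlib.sha256()` then `for chunk in iter(lambda: f.read(65536), b''): h.update(chunk)`, bounds that. The `except tftpy.TftpException` handler removes only empty files, so a partial transfer stays in `download_path` without a `cowrie.session.file_download` event; the method starts above this hunk and its except chain continues past it.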