Csirtg (#1564)

* update CSIRTG output plugin to use new library version
* update shadow file too. fix #1562

Makefile

@@ -49,5 +49,5 @@ dependency-upgrade:
 	git checkout -b "dependency-upgrade-`date -u +%Y-%m-%d`"
 	pur -r requirements.txt
 	pur -r requirements-dev.txt
-	pur --skip csirtgsdk -r requirements-output.txt
+	pur -r requirements-output.txt
 	git commit -m "dependency upgrade `date -u`" requirements*.txt

etc/cowrie.cfg.dist

@@ -914,7 +914,8 @@ enabled = false
 username = wes
 feed = scanners
 description = random scanning activity
-token = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+token = a1b2c3d4
+debug = false
 
 
 [output_socketlog]

requirements-output.txt

@@ -1,5 +1,6 @@
-# csirtg
-csirtgsdk==0.0.0a22 # TODO: csirtgsdk need to be updated for current API
+# csirtg. it has an implicit dependency on geoip2
+csirtgsdk==1.1.5
+geoip2
 
 # dshield
 requests==2.25.1

setup.py

@@ -36,7 +36,7 @@ setup(
     ],
     setup_requires=["incremental", "click"],
     install_requires=[
-        "twisted>=17.1.0",
+        "twisted==21.1.0",
         "cryptography>=0.9.1",
         "configparser",
         "pyopenssl",
@@ -48,7 +48,7 @@ setup(
         "service_identity>=14.0.0",
     ],
     extras_require={
-        "csirtg": ["csirtgsdk>=0.0.0a17"],
+        "csirtg": ["csirtgsdk==1.1.5"],
         "dshield": ["requests"],
         "elasticsearch": ["pyes"],
         "mysql": ["mysqlclient"],

src/cowrie/output/csirtg.py

@@ -1,41 +1,50 @@
 import os
 from datetime import datetime
 
-from csirtgsdk.client import Client
-from csirtgsdk.indicator import Indicator
-
 from twisted.python import log
 
 import cowrie.core.output
 from cowrie.core.config import CowrieConfig
 
-USERNAME = os.environ.get("CSIRTG_USER")
-FEED = os.environ.get("CSIRTG_FEED")
-TOKEN = os.environ.get("CSIRG_TOKEN")
-DESCRIPTION = os.environ.get("CSIRTG_DESCRIPTION", "random scanning activity")
+token = CowrieConfig.get("output_csirtg", "token", fallback="a1b2c3d4")
+if token == "a1b2c3d4":
+    log.msg("output_csirtg: token not found in configuration file")
+    exit(1)
+
+os.environ["CSIRTG_TOKEN"] = token
+import csirtgsdk  # noqa: E402
 
 
 class Output(cowrie.core.output.Output):
     """
-    csirtg output
+    CSIRTG output
     """
 
-    def start(
-        self,
-    ):
-        self.user = CowrieConfig.get("output_csirtg", "username") or USERNAME
-        self.feed = CowrieConfig.get("output_csirtg", "feed") or FEED
-        self.token = CowrieConfig.get("output_csirtg", "token") or TOKEN
-        self.description = CowrieConfig.get(
-            "output_csirtg", "description", fallback=DESCRIPTION
-        )
+    def start(self):
+        """
+        Start the output module.
+        Note that csirtsdk is imported here because it reads CSIRTG_TOKEN on import
+        Cowrie sets this environment variable.
+        """
+        self.user = CowrieConfig.get("output_csirtg", "username")
+        self.feed = CowrieConfig.get("output_csirtg", "feed")
+        self.debug = CowrieConfig.getboolean("output_csirtg", "debug", fallback=False)
+        self.description = CowrieConfig.get("output_csirtg", "description")
+
         self.context = {}
-        self.client = Client(token=self.token)
+        # self.client = csirtgsdk.client.Client()
 
     def stop(self):
         pass
 
     def write(self, e):
+        """
+        Only pass on connection events
+        """
+        if e["eventid"] == "cowrie.session.connect":
+            self.submitIp(e)
+
+    def submitIp(self, e):
         peerIP = e["src_ip"]
         ts = e["timestamp"]
         system = e.get("system", None)
@@ -77,5 +86,12 @@ class Output(cowrie.core.output.Output):
             "description": self.description,
         }
 
-        ret = Indicator(self.client, i).submit()
-        log.msg("logged to csirtg {} ".format(ret["location"]))
+        if self.debug is True:
+            log.msg(f"output_csirtg: Submitting {i!r} to CSIRTG")
+
+        ind = csirtgsdk.indicator.Indicator(i).submit()
+
+        if self.debug is True:
+            log.msg(f"output_csirtg: Submitted {ind!r} to CSIRTG")
+
+        log.msg("output_csirtg: submitted to csirtg at {} ".format(ind["location"]))