diff --git a/Makefile b/Makefile index 7e1de01f..4c84a1e6 100644 --- a/Makefile +++ b/Makefile @@ -49,5 +49,5 @@ dependency-upgrade: git checkout -b "dependency-upgrade-`date -u +%Y-%m-%d`" pur -r requirements.txt pur -r requirements-dev.txt - pur --skip csirtgsdk -r requirements-output.txt + pur -r requirements-output.txt git commit -m "dependency upgrade `date -u`" requirements*.txt diff --git a/etc/cowrie.cfg.dist b/etc/cowrie.cfg.dist index 0d1e8b2b..c25e17f0 100644 --- a/etc/cowrie.cfg.dist +++ b/etc/cowrie.cfg.dist @@ -914,7 +914,8 @@ enabled = false username = wes feed = scanners description = random scanning activity -token = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef +token = a1b2c3d4 +debug = false [output_socketlog] diff --git a/honeyfs/etc/shadow b/honeyfs/etc/shadow index 72056f9c..5894a98f 100644 Binary files a/honeyfs/etc/shadow and b/honeyfs/etc/shadow differ diff --git a/requirements-output.txt b/requirements-output.txt index 3e0bdcdd..e3dc667b 100644 --- a/requirements-output.txt +++ b/requirements-output.txt @@ -1,5 +1,6 @@ -# csirtg -csirtgsdk==0.0.0a22 # TODO: csirtgsdk need to be updated for current API +# csirtg. it has an implicit dependency on geoip2 +csirtgsdk==1.1.5 +geoip2 # dshield requests==2.25.1 diff --git a/setup.py b/setup.py index bd09785f..48935823 100755 --- a/setup.py +++ b/setup.py @@ -36,7 +36,7 @@ setup( ], setup_requires=["incremental", "click"], install_requires=[ - "twisted>=17.1.0", + "twisted==21.1.0", "cryptography>=0.9.1", "configparser", "pyopenssl", @@ -48,7 +48,7 @@ setup( "service_identity>=14.0.0", ], extras_require={ - "csirtg": ["csirtgsdk>=0.0.0a17"], + "csirtg": ["csirtgsdk==1.1.5"], "dshield": ["requests"], "elasticsearch": ["pyes"], "mysql": ["mysqlclient"], diff --git a/src/cowrie/output/csirtg.py b/src/cowrie/output/csirtg.py index ff1e4900..308ae3fe 100644 --- a/src/cowrie/output/csirtg.py +++ b/src/cowrie/output/csirtg.py 
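Review bot: `geoip2` is added to requirements-output.txt without a version pin while every neighbouring entry (`csirtgsdk==1.1.5`, `requests==2.25.1`) is pinned, so the file no longer gives a reproducible install and the Makefile's `pur -r requirements-output.txt` has nothing to bump for it. Pin it to the release that was tested with csirtgsdk 1.1.5 and keep the note about why it is listed, e.g. `geoip2==<tested version>  # implicit dependency of csirtgsdk`. In the setup.py hunk the move from `twisted>=17.1.0` to the exact pin `twisted==21.1.0` in install_requires is a stricter constraint than a lower bound such as `twisted>=21.1.0`, and may conflict with other packages installed into the same environment; if the exact pin is deliberate, a comment saying why would help.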
@@ -1,41 +1,50 @@ import os from datetime import datetime -from csirtgsdk.client import Client -from csirtgsdk.indicator import Indicator - from twisted.python import log import cowrie.core.output from cowrie.core.config import CowrieConfig -USERNAME = os.environ.get("CSIRTG_USER") -FEED = os.environ.get("CSIRTG_FEED") -TOKEN = os.environ.get("CSIRG_TOKEN") -DESCRIPTION = os.environ.get("CSIRTG_DESCRIPTION", "random scanning activity") +token = CowrieConfig.get("output_csirtg", "token", fallback="a1b2c3d4") +if token == "a1b2c3d4": + log.msg("output_csirtg: token not found in configuration file") + exit(1) + +os.environ["CSIRTG_TOKEN"] = token +import csirtgsdk # noqa: E402 class Output(cowrie.core.output.Output): """ - csirtg output + CSIRTG output """ - def start( - self, - ): - self.user = CowrieConfig.get("output_csirtg", "username") or USERNAME - self.feed = CowrieConfig.get("output_csirtg", "feed") or FEED - self.token = CowrieConfig.get("output_csirtg", "token") or TOKEN - self.description = CowrieConfig.get( - "output_csirtg", "description", fallback=DESCRIPTION - ) + def start(self): + """ + Start the output module. + Note that csirtsdk is imported here because it reads CSIRTG_TOKEN on import + Cowrie sets this environment variable. + """ + self.user = CowrieConfig.get("output_csirtg", "username") + self.feed = CowrieConfig.get("output_csirtg", "feed") + self.debug = CowrieConfig.getboolean("output_csirtg", "debug", fallback=False) + self.description = CowrieConfig.get("output_csirtg", "description") + self.context = {} - self.client = Client(token=self.token) + # self.client = csirtgsdk.client.Client() def stop(self): pass def write(self, e): + """ + Only pass on connection events + """ + if e["eventid"] == "cowrie.session.connect": + self.submitIp(e) + + def submitIp(self, e): peerIP = e["src_ip"] ts = e["timestamp"] system = e.get("system", None) 
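Review bot: The new module-level guard calls `exit(1)` when the token is missing, so merely importing this module terminates the whole process, and the check matches the dist placeholder `a1b2c3d4` rather than a missing option, so a deployment that enables the plugin but leaves the placeholder in place dies with a message saying the token was "not found". Prefer `token = CowrieConfig.get("output_csirtg", "token", fallback=None)` followed by `if not token: raise RuntimeError("output_csirtg: token not found in configuration file")`, which lets the plugin loader report the failure instead of killing the honeypot. Exporting the API token via `os.environ["CSIRTG_TOKEN"] = token` also places the secret in the process environment, where any child process Cowrie spawns inherits it and other processes of the same user can read it; if csirtgsdk only reads the variable at import time, deleting it from `os.environ` right after `import csirtgsdk` limits that exposure. The `start` docstring says `csirtsdk is imported here`, but the import actually happens at module scope on the `import csirtgsdk  # noqa: E402` line (and the name is misspelled); reword it to "csirtgsdk is imported at module level because it reads CSIRTG_TOKEN on import". The commented-out `# self.client = csirtgsdk.client.Client()` line should be removed rather than kept as dead code, and `submitIp` continues past the end of this hunk.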
@@ -77,5 +86,12 @@ class Output(cowrie.core.output.Output): "description": self.description, } - ret = Indicator(self.client, i).submit() - log.msg("logged to csirtg {} ".format(ret["location"])) + if self.debug is True: + log.msg(f"output_csirtg: Submitting {i!r} to CSIRTG") + + ind = csirtgsdk.indicator.Indicator(i).submit() + + if self.debug is True: + log.msg(f"output_csirtg: Submitted {ind!r} to CSIRTG") + + log.msg("output_csirtg: submitted to csirtg at {} ".format(ind["location"]))
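Review bot: `ind["location"]` on the last line is indexed unconditionally, so if `Indicator(i).submit()` returns a response without that key (or `None` on failure) the plugin raises a `KeyError`/`TypeError` from inside an event write instead of logging the failure; guard it, e.g. `location = ind.get("location") if isinstance(ind, dict) else None` before the final `log.msg`. The debug branch logs the full indicator dict `{i!r}`; its fields other than `description` are assembled above this hunk, so confirm it carries no credentials before it is written to the log. `if self.debug is True:` can simply be `if self.debug:` since `getboolean` returns a bool, and the two f-strings next to a `.format` call on the last line are inconsistent. `submitIp` starts outside this hunk.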