From b80dad12b4a0b4351acd2950d9efd7a92e421985 Mon Sep 17 00:00:00 2001 From: Michel Oosterhof Date: Sun, 23 May 2021 15:12:53 +0800 Subject: [PATCH] Csirtg (#1564) * update CSIRTG output plugin to use new library version * update shadow file too. fix #1562 --- Makefile | 2 +- etc/cowrie.cfg.dist | 3 +- honeyfs/etc/shadow | Bin 7168 -> 750 bytes requirements-output.txt | 5 ++-- setup.py | 4 +-- src/cowrie/output/csirtg.py | 56 +++++++++++++++++++++++------------- 6 files changed, 44 insertions(+), 26 deletions(-) diff --git a/Makefile b/Makefile index 7e1de01f..4c84a1e6 100644 --- a/Makefile +++ b/Makefile @@ -49,5 +49,5 @@ dependency-upgrade: git checkout -b "dependency-upgrade-`date -u +%Y-%m-%d`" pur -r requirements.txt pur -r requirements-dev.txt - pur --skip csirtgsdk -r requirements-output.txt + pur -r requirements-output.txt git commit -m "dependency upgrade `date -u`" requirements*.txt diff --git a/etc/cowrie.cfg.dist b/etc/cowrie.cfg.dist index 0d1e8b2b..c25e17f0 100644 --- a/etc/cowrie.cfg.dist +++ b/etc/cowrie.cfg.dist @@ -914,7 +914,8 @@ enabled = false username = wes feed = scanners description = random scanning activity -token = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef +token = a1b2c3d4 +debug = false [output_socketlog] 
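Review bot: The new placeholder `token = a1b2c3d4` is also the sentinel that `src/cowrie/output/csirtg.py` compares against at import time in this same commit, so the two values must change together and a reader of the config template has no way to know that. A comment above the line would make the coupling visible, e.g. `# replace with your CSIRTG API token; the plugin refuses to load while this placeholder is in place`. The added `debug = false` option is read with `getboolean` and a `False` fallback in the plugin, so it is safe to omit; a short comment saying that it logs every submitted indicator in full when enabled would help operators decide whether to turn it on.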
diff --git a/honeyfs/etc/shadow b/honeyfs/etc/shadow index 72056f9c7a558371fadf48ba8912f884b720e2a1..5894a98fe5453d11d9600bcd3fa558afa6a776e3 100644 GIT binary patch literal 750 zcmZ{i%W{G+6o&VGi_Wm>OqGkGX6L=u8(3CXa<VavH%n7Yfq?*Nt3-xoSfc zHj46;MGPrA7B~_DBk(S}U|nZOUZc!jJAA#|npZozV7<1%QD_?Gd_%vE&+d+bU^-)idPwo?Q-0!Q4<9UT^Jhod$H?PA0wr=3^6@vB+@7LbRvkh6P EKkfs@z5oCK literal 7168 zcmeHLe{bBz5%u5v6a%zCWyRv16iGpax~(Hywv#AQd@|aiD11wDNp4JXncd}`4)BNX zo89G!k{m!P5FjXguys6gclOQ9n_qnQ>cz|RSE;e?$#3?V&*#VUIX%JmH^)c*dwy^j zzUTA(gM))3+CQ8h9vvU=9~{nUzW??9;n5SC|7M6Lf(Pq_0kl@-wQMF2?p$J7S>Cxf z{R!pp8I_{xqu=xOsa_i;lRx-Rl6-PTtd#xqA^DUmlQ%L~{#q9@*DG8m|By|tTS-on zt0jf~^jf($Lqut+ zZ*(U&y>=u^EOaR#*21y8sM|w<>?TRn273jyvQR_Ide*9{Np(&dkvpY3x{ZM9h#)DX zRaGYo-qh%dGBY^I@N-GRIgx*aU?68jE!fsfr6#>JSc+pQ+xR76i!>>{?M66L7%jX) zJ6_OJQZAA0&ZZ|a)m60ghtOJ^kG2<}))wu0y@o|Opi^zCnPo7u0PIW(HyCLjgKd{i zYpt!1bu)C450Pa>WbjTQOEEO==}AIFyL2W#!j`I$k$r18I^&Sn6XZPu{Xf?mo@!Bt1;96UxkZr}rsMzBS7c{3EU2oNr{wJM&bOFoSS zY-Llf5zC#kWJ3-c{;|grK;V(~`Ay6y#yG8vN4+whQ}kOe5V$&{lM!LiAIw zHGr4&)2s9MbVCl#4F)+~v&fY~rebynQuy0QkW6`_~$IB*9*eCK@ z=HN&Rn-z#a`axIFy<)2s%D|C(4(L8w!d7cx3R;|l7&kk- zMg6^PIoy$HmC_Q4wBh=6lO-mpSFCI0khXE0nT;!9B0lN6#l??oe2;W%DmXJ|#{fMX zfycyJ*g?!17U5kkRzNS{U!>Muy3&M50S|<6Ai^($ z%0D6!nYxuiE{UNg$eGPELdH4)k&u+=j|e$0oU_-6|57`gYY!rn?5H;6`ds}P@Y zQ6YPYlGo)*+GmJY#7dOq!KCimeU@mq>^#dFoq=v#%uxq!bm8r>TyX*6`0)LXwC?0F zdhXJa6LvT>%}WIFUS!9gEJsbLs=#w-Z4IA{geh&>Gp{9M-qx&;H{l+Sgp*v6v9)+nj;shKplSA5K;#^to@d*}6#M*j zX=e{`k26w^?upwtZ351%TE{to*?b2iuagpm5mGq)=eh^GK{*u5*c1333%j95$hD=- zU9)8MMwo0aW$oazHfz}%q;y|0GJ!ma)N*@qt6lK`-KNyLcUI66BaFLu)Jm8cjvu`g zsr9qf9fQNv)Y&*3=)v^^=8rC9P*@4IhS7dr1cb5#mR-nfKvD4fw;NP8p6T3X#!Ky_ zFe1(Q+Qm8Y0re|jxDh#aBGwCL_kuXAODPT4+R|uDK=ARlMS?^5w>KRRU6aDhUS-&~ z=nRhLZSiQ@eNM)&anP!^hxVR^lOpSjIAQ}0Q)wT`46gs<)^IGS>c_fp_j9~w)hB(! 
z|8QdLIO2h!>);5A?a9>dD6ql_S|D?v6h9(2p8A3Zs-WA(m>HY**mY9DLeX>OMqsSu z@vn%pBYK!z_P)3?B+;wMq>)k>;k!Wg*p!bZgL}{chW_t{H;|0R9b+Qq2#_eY!md_m zZh91W6d26CZcN37cI7QcQ zR5qZCyjL`nZN8TVT=teyeW!@A1v9wy;~UJsl8x@UoBCd%n`GOgCBxJ)`U%rVCcr(g>m|c_ zElsO_8PG`V6!=|@KZEcq?oVT1`iyvfM1OA`N_8jK+=%mfI)Z#CAy*aObl%k_u;Px)gayAHPpA<*>j&CP+!-LE&a^Ln9A>0rM9XYO!cfP)^j|Knd+SP&&mX?zU^ebC#U+_ZV&_1Ip{?7#Eo zBDJgPZyEH->*t}jVM!mtjt5ByM{nP|-8+1I;?J(?u`a|~#K&8=Y216H;0dR zJ}V&}53BR5zWb+#2mJoy?%A`T_SiF2M)dV869s0jEtar*0_E4mCBNqvreCmqvA`D# Le6hg)i3R=(WFQuk diff --git a/requirements-output.txt b/requirements-output.txt index 3e0bdcdd..e3dc667b 100644 --- a/requirements-output.txt +++ b/requirements-output.txt @@ -1,5 +1,6 @@ -# csirtg -csirtgsdk==0.0.0a22 # TODO: csirtgsdk need to be updated for current API +# csirtg. it has an implicit dependency on geoip2 +csirtgsdk==1.1.5 +geoip2 # dshield requests==2.25.1 diff --git a/setup.py b/setup.py index bd09785f..48935823 100755 --- a/setup.py +++ b/setup.py @@ -36,7 +36,7 @@ setup( ], setup_requires=["incremental", "click"], install_requires=[ - "twisted>=17.1.0", + "twisted==21.1.0", "cryptography>=0.9.1", "configparser", "pyopenssl", @@ -48,7 +48,7 @@ setup( "service_identity>=14.0.0", ], extras_require={ - "csirtg": ["csirtgsdk>=0.0.0a17"], + "csirtg": ["csirtgsdk==1.1.5"], "dshield": ["requests"], "elasticsearch": ["pyes"], "mysql": ["mysqlclient"], diff --git a/src/cowrie/output/csirtg.py b/src/cowrie/output/csirtg.py index ff1e4900..308ae3fe 100644 --- a/src/cowrie/output/csirtg.py +++ b/src/cowrie/output/csirtg.py 
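Review bot: `"twisted>=17.1.0"` becomes the exact pin `"twisted==21.1.0"` in `install_requires`, which the commit message does not mention and which, unlike a pin in `requirements.txt`, forbids every other twisted release for anyone installing the package, including later security fixes. If the intent is only to require the newer API, a lower bound such as `"twisted>=21.1.0"` keeps that while leaving upgrades possible. The exact `csirtgsdk==1.1.5` pin in the extra is more defensible, given the `# TODO: csirtgsdk need to be updated for current API` note in `requirements-output.txt` that this commit removes.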
@@ -1,41 +1,50 @@
 import os
 from datetime import datetime
 
-from csirtgsdk.client import Client
-from csirtgsdk.indicator import Indicator
-
 from twisted.python import log
 
 import cowrie.core.output
 from cowrie.core.config import CowrieConfig
 
-USERNAME = os.environ.get("CSIRTG_USER")
-FEED = os.environ.get("CSIRTG_FEED")
-TOKEN = os.environ.get("CSIRG_TOKEN")
-DESCRIPTION = os.environ.get("CSIRTG_DESCRIPTION", "random scanning activity")
+token = CowrieConfig.get("output_csirtg", "token", fallback="a1b2c3d4")
+if token == "a1b2c3d4":
+    log.msg("output_csirtg: token not found in configuration file")
+    exit(1)
+
+os.environ["CSIRTG_TOKEN"] = token
+import csirtgsdk # noqa: E402
 
 
 class Output(cowrie.core.output.Output):
     """
-    csirtg output
+    CSIRTG output
     """
 
-    def start(
-        self,
-    ):
-        self.user = CowrieConfig.get("output_csirtg", "username") or USERNAME
-        self.feed = CowrieConfig.get("output_csirtg", "feed") or FEED
-        self.token = CowrieConfig.get("output_csirtg", "token") or TOKEN
-        self.description = CowrieConfig.get(
-            "output_csirtg", "description", fallback=DESCRIPTION
-        )
+    def start(self):
+        """
+        Start the output module.
+        Note that csirtsdk is imported here because it reads CSIRTG_TOKEN on import
+        Cowrie sets this environment variable.
+        """
+        self.user = CowrieConfig.get("output_csirtg", "username")
+        self.feed = CowrieConfig.get("output_csirtg", "feed")
+        self.debug = CowrieConfig.getboolean("output_csirtg", "debug", fallback=False)
+        self.description = CowrieConfig.get("output_csirtg", "description")
+
         self.context = {}
-        self.client = Client(token=self.token)
+        # self.client = csirtgsdk.client.Client()
 
     def stop(self):
         pass
 
     def write(self, e):
+        """
+        Only pass on connection events
+        """
+        if e["eventid"] == "cowrie.session.connect":
+            self.submitIp(e)
+
+    def submitIp(self, e):
         peerIP = e["src_ip"]
         ts = e["timestamp"]
         system = e.get("system", None)
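Review bot: The module-level `if token == "a1b2c3d4": ... exit(1)` runs at import time and terminates the whole process through the `site`-provided `exit` builtin, and because `"a1b2c3d4"` is also the value shipped in `etc/cowrie.cfg.dist`, the message `token not found in configuration file` is misleading for the common case where the placeholder was simply left in place; a plugin that cannot be configured should refuse to load by raising, e.g. `raise RuntimeError("output_csirtg: token is still the placeholder value; set a real token in [output_csirtg]")`, which the loader can report without killing the honeypot. Writing the token into `os.environ["CSIRTG_TOKEN"]` makes it inherited by every child process cowrie spawns and readable by anything able to inspect the process environment, which deserves a comment on that line such as `# csirtgsdk reads CSIRTG_TOKEN on import; this exposes the token to child processes`, and if the new client accepts the token as an argument (the commented-out `csirtgsdk.client.Client()` line suggests a client object exists, but its signature is not visible here) passing it explicitly would avoid that. The `start()` docstring says the SDK "is imported here", but the import is at module level above the class, so the docstring should say that instead (and `csirtsdk` is a typo). `self.description` also lost its fallback (the removed `DESCRIPTION` defaulted to `"random scanning activity"`), so a config section without `description` presumably now raises from `CowrieConfig.get`; `fallback="random scanning activity"` would preserve the old behaviour. `submitIp` continues past the end of the hunk.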
@@ -77,5 +86,12 @@ class Output(cowrie.core.output.Output):
             "description": self.description,
         }
 
-        ret = Indicator(self.client, i).submit()
-        log.msg("logged to csirtg {} ".format(ret["location"]))
+        if self.debug is True:
+            log.msg(f"output_csirtg: Submitting {i!r} to CSIRTG")
+
+        ind = csirtgsdk.indicator.Indicator(i).submit()
+
+        if self.debug is True:
+            log.msg(f"output_csirtg: Submitted {ind!r} to CSIRTG")
+
+        log.msg("output_csirtg: submitted to csirtg at {} ".format(ind["location"]))
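Review bot: `ind["location"]` on the last line assumes `submit()` returns a mapping with that key, and nothing guards the call itself, so a rejected or unauthorised submission, a network failure, or a differently shaped response from the 1.1.5 client propagates out of `write()` into cowrie's event dispatch; the old `ret["location"]` had the same exposure, but since this hunk rewrites the submission path it is the place to contain a failed upload with a narrow `try`/`except` that logs and returns, shown below (narrow the exception class to whatever the SDK raises, which is not visible here). `if self.debug is True:` appears twice in this hunk; `getboolean` already returns a bool, so the idiomatic form is `if self.debug:`. The debug line logs the whole indicator via `{i!r}`; `i` is built above the hunk, so a one-line comment stating that it carries only the observation fields and never the token would let a reader confirm the debug output is safe to ship to logs. `submitIp` begins outside the hunk.
```python
        if self.debug:
            log.msg(f"output_csirtg: Submitting {i!r} to CSIRTG")

        try:
            ind = csirtgsdk.indicator.Indicator(i).submit()
        except Exception as exc:  # TODO: narrow to the SDK's error type once known
            # one failed upload must not break the rest of the output path
            log.msg(f"output_csirtg: submission failed: {exc!r}")
            return

        # … unchanged: debug log of the response and the final location log …
```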