From e65a1c3ef3f22132fab8326069339dd476553925 Mon Sep 17 00:00:00 2001 From: tweemeterjop Date: Sun, 6 Jul 2014 22:54:34 +0200 Subject: [PATCH 1/9] Update geoloc.json --- geoloc.json | 1 + 1 file changed, 1 insertion(+) diff --git a/geoloc.json b/geoloc.json index 9ee866d..20057a7 100644 --- a/geoloc.json +++ b/geoloc.json @@ -4,6 +4,7 @@ "IDENT": "geoloc", "SECRET": "", "CHANNELS": [ + "amun.events", "dionaea.connections", "dionaea.capture", "glastopf.events", From 269d5615b43802e4ba06644236950497c6c05964 Mon Sep 17 00:00:00 2001 From: tweemeterjop Date: Sun, 6 Jul 2014 22:57:03 +0200 Subject: [PATCH 2/9] Update processors.py --- examples/geoloc/processors.py | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/examples/geoloc/processors.py b/examples/geoloc/processors.py index a3a7006..d87f0c5 100644 --- a/examples/geoloc/processors.py +++ b/examples/geoloc/processors.py @@ -234,3 +234,29 @@ def snort_alerts(identifier, payload, gi): }) return message + +def amun_events(identifier, payload, gi): + try: + dec = ezdict(json.loads(str(payload))) + tstamp = datetime.datetime.now() + except: + print 'exception processing amun event' + traceback.print_exc() + return + + a_family = get_addr_family(dec.attackerIP) + if a_family == socket.AF_INET: + geoloc = geoloc_none( gi[a_family].record_by_addr(dec.attackerIP) ) + geoloc2 = geoloc_none( gi[a_family].record_by_addr(dec.victimIP) ) + elif a_family == socket.AF_INET6: + geoloc = geoloc_none( gi[a_family].record_by_addr_v6(dec.attackerIP) ) + geoloc2 = geoloc_none( gi[a_family].record_by_addr_v6(dec.victimIP) ) + + + return {'type': 'amun.events', 'sensor': identifier, 'time': timestr(tstamp), + 'latitude': geoloc['latitude'], 'longitude': geoloc['longitude'], 'source': dec.attackerIP, + 'latitude2': geoloc2['latitude'], 'longitude2': geoloc2['longitude'], 'dest': dec.victimIP, + 'city': geoloc['city'], 'country': geoloc['country_name'], 'countrycode': geoloc['country_code'], + 'city2': geoloc2['city'], 'country2': geoloc2['country_name'], 'countrycode2': geoloc2['country_code']} + + From caf490ff82d46f9f803fa8dc6e3e7af12aef2a64 Mon Sep 17 00:00:00 2001 From: tweemeterjop Date: Sun, 6 Jul 2014 22:58:23 +0200 Subject: [PATCH 3/9] add support for amun honeypot --- examples/geoloc/geoloc.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/examples/geoloc/geoloc.py b/examples/geoloc/geoloc.py index 8755e76..47364e5 100644 --- a/examples/geoloc/geoloc.py +++ b/examples/geoloc/geoloc.py @@ -11,6 +11,7 @@ HOST = 'localhost' PORT = 10000 CHANNELS = [ + 'amun.events', 'dionaea.connections', 'dionaea.capture', 'glastopf.events', @@ -38,6 +39,7 @@ print >>sys.stderr, "Warning: no config found, using default values for hpfeeds server" PROCESSORS = { + 'amun.events': [amun_events], 'glastopf.events': [glastopf_event,], 'dionaea.capture': [dionaea_capture,], 'dionaea.connections': [dionaea_connections,], From eebbc90d0df7b669967bfeeb5e9329fa3acc031b Mon Sep 17 00:00:00 2001 From: tweemeterjop Date: Sun, 6 Jul 2014 23:03:31 +0200 Subject: [PATCH 4/9] Create log_hpfeeds.py --- appsupport/amun/log_hpfeeds.py | 276 +++++++++++++++++++++++++++++++++ 1 file changed, 276 insertions(+) create mode 100644 appsupport/amun/log_hpfeeds.py diff --git a/appsupport/amun/log_hpfeeds.py b/appsupport/amun/log_hpfeeds.py new file mode 100644 index 0000000..3366c76 --- /dev/null +++ b/appsupport/amun/log_hpfeeds.py @@ -0,0 +1,276 @@ +""" +[Amun - low interaction honeypot] +Copyright (C) [2013] [Jan Goebel] + +This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. + +You should have received a copy of the GNU General Public License along with this program; if not, see +""" + +try: + import psyco ; psyco.full() + from psyco.classes import * +except ImportError: + pass + +import time +import amun_logging +import amun_config_parser +import base64 + +#from kippo/hpfeeds.py +import os +import struct +import hashlib +import json +import socket + +BUFSIZ = 16384 + +OP_ERROR = 0 +OP_INFO = 1 +OP_AUTH = 2 +OP_PUBLISH = 3 +OP_SUBSCRIBE = 4 + +MAXBUF = 1024**2 +SIZES = { + OP_ERROR: 5+MAXBUF, + OP_INFO: 5+256+20, + OP_AUTH: 5+256+20, + OP_PUBLISH: 5+MAXBUF, + OP_SUBSCRIBE: 5+256*2, +} + +AMUNCHAN = 'amun.events' +#AMUNCHAN = 'HoneyNED' + +class BadClient(Exception): + pass + +# packs a string with 1 byte length field +def strpack8(x): + if isinstance(x, str): x = x.encode('latin1') + return struct.pack('!B', len(x)) + x + +# unpacks a string with 1 byte length field +def strunpack8(x): + l = x[0] + return x[1:1+l], x[1+l:] + +def msghdr(op, data): + return struct.pack('!iB', 5+len(data), op) + data +def msgpublish(ident, chan, data): + return msghdr(OP_PUBLISH, strpack8(ident) + strpack8(chan) + data) +def msgsubscribe(ident, chan): + if isinstance(chan, str): chan = chan.encode('latin1') + return msghdr(OP_SUBSCRIBE, strpack8(ident) + chan) +def msgauth(rand, ident, secret): + hash = hashlib.sha1(bytes(rand)+secret).digest() + return msghdr(OP_AUTH, strpack8(ident) + hash) + +class FeedUnpack(object): + def __init__(self): + self.buf = bytearray() + def __iter__(self): + return self + def next(self): + return self.unpack() + def feed(self, data): + self.buf.extend(data) + def unpack(self): + if len(self.buf) < 5: + raise StopIteration('No message.') + + ml, opcode = struct.unpack('!iB', buffer(self.buf,0,5)) + if ml > SIZES.get(opcode, MAXBUF): + raise BadClient('Not respecting MAXBUF.') + + if len(self.buf) < ml: + raise StopIteration('No message.') + + data = bytearray(buffer(self.buf, 5, ml-5)) + del self.buf[:ml] + return opcode, data + +class hpclient(object): + def __init__(self, server, port, ident, secret, debug, loLogger): + self.debug = debug + self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger) + if self.debug: self.log_obj.log("log-hpfeeds hpfeeds client init broker {0}:{1}, identifier {2}".format(server, port, ident), 12, "crit", Log=True, display=True) + self.server, self.port = server, int(port) + self.ident, self.secret = ident.encode('latin1'), secret.encode('latin1') + self.unpacker = FeedUnpack() + self.state = 'INIT' + + self.connect() + self.sendfiles = [] + self.filehandle = None + + def connect(self): + self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + self.s.settimeout(3) + try: self.s.connect((self.server, self.port)) + except: + self.log_obj.log("log-hpfeeds hpfeeds client could not connect to broker.", 12, "crit", Log=True, display=True) + self.s = None + else: + self.s.settimeout(None) + self.handle_established() + + def send(self, data): + if not self.s: return + self.s.send(data) + + def close(self): + self.s.close() + self.s = None + + def handle_established(self): + if self.debug: self.log_obj.log("log-hpfeeds hpclient established", 12, "crit", Log=True, display=True) + while self.state != 'GOTINFO': + self.read() + + #quickly try to see if there was an error message + self.s.settimeout(0.5) + self.read() + self.s.settimeout(None) + + def read(self): + if not self.s: return + try: d = self.s.recv(BUFSIZ) + except socket.timeout: + return + + if not d: + if self.debug: self.log_obj.log("log-hpfeeds hpclient connection closed?", 12, "crit", Log=True, display=True) + self.close() + return + + self.unpacker.feed(d) + try: + for opcode, data in self.unpacker: + if self.debug: self.log_obj.log("log-hpfeeds hpclient msg opcode {0} data {1}".format(opcode, data), 12, "crit", Log=True, display=True) + if opcode == OP_INFO: + name, rand = strunpack8(data) + if self.debug: self.log_obj.log("log-hpfeeds hpclient server name {0} rand {1}".format(name, rand), 12, "crit", Log=True, display=True) + self.send(msgauth(rand, self.ident, self.secret)) + self.state = 'GOTINFO' + + elif opcode == OP_PUBLISH: + ident, data = strunpack8(data) + chan, data = strunpack8(data) + if self.debug: self.log_obj.log("log-hpfeeds publish to {0} by {1}: {2}".format(chan, ident, data), 12, "crit", Log=True, display=True) + + elif opcode == OP_ERROR: + self.log_obj.log("log-hpfeeds errormessage from server: {0}".format(data), 12, "crit", Log=True, display=True) + else: + self.log_obj.log("log-hpfeeds unknown opcode message: {0}".format(opcode), 12, "crit", Log=True, display=True) + except BadClient: + self.log_obj.log("log-hpfeeds unpacker error, disconnecting.", 12, "crit", Log=True, display=True) + self.close() + + def publish(self, channel, **kwargs): + try: + self.send(msgpublish(self.ident, channel, json.dumps(kwargs).encode('latin1'))) + except Exception, e: + self.log_obj.log("log-hpfeeds connection to hpfriends lost: {0}".format(e), 12, "crit", Log=True, display=True) + self.log_obj.log("log-hpfeeds connecting", 12, "crit", Log=True, display=True) + self.connect() + self.send(msgpublish(self.ident, channel, json.dumps(kwargs).encode('latin1'))) + + def sendfile(self, filepath): + # does not read complete binary into memory, read and send chunks + if not self.filehandle: + self.sendfileheader(i.file) + self.sendfiledata() + else: self.sendfiles.append(filepath) + + def sendfileheader(self, filepath): + self.filehandle = open(filepath, 'rb') + fsize = os.stat(filepath).st_size + headc = strpack8(self.ident) + strpack8(UNIQUECHAN) + headh = struct.pack('!iB', 5+len(headc)+fsize, OP_PUBLISH) + self.send(headh + headc) + + def sendfiledata(self): + tmp = self.filehandle.read(BUFSIZ) + if not tmp: + if self.sendfiles: + fp = self.sendfiles.pop(0) + self.sendfileheader(fp) + else: + self.filehandle = None + self.handle_io_in(b'') + else: + self.send(tmp) + +class log: + def __init__(self): + try: + self.log_name = "log hpfeeds" + conffile = "conf/log-hpfeeds.conf" + config = amun_config_parser.AmunConfigParser(conffile) + self.server = config.getSingleValue("server") + self.port = config.getSingleValue("port") + self.ident = config.getSingleValue("identifier") + self.secret = config.getSingleValue("secret") + self.debug = int(config.getSingleValue("debug")) + del config + + except KeyboardInterrupt: + raise + + def connectClient(self, loLogger): + try: + self.client = hpclient(self.server, self.port, self.ident, self.secret, self.debug, loLogger) + return True + except KeyboardInterrupt: + raise + + def initialConnection(self, attackerIP, attackerPort, victimIP, victimPort, identifier, initialConnectionsDict, loLogger): + try: + self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger) + if self.connectClient(loLogger): + self.client.publish(AMUNCHAN, + attackerIP=attackerIP, + attackerPort=attackerPort, + victimIP=victimIP, + victimPort=victimPort + ) + + except KeyboardInterrupt: + raise + + def incoming(self, attackerIP, attackerPort, victimIP, victimPort, vulnName, timestamp, downloadMethod, loLogger, attackerID, shellcodeName): + try: + self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger) + if self.connectClient(loLogger): + self.client.publish(AMUNCHAN, + attackerIP=attackerIP, + attackerPort=attackerPort, + victimIP=victimIP, + victimPort=victimPort, + vulnName=vulnName, timestamp=timestamp, downloadMethod=downloadMethod, attackerID=attackerID, shellcodeName=shellcodeName + ) + + except KeyboardInterrupt: + raise + + + def successfullSubmission(self, attackerIP, attackerPort, victimIP, downloadURL, md5hash, data, filelength, downMethod, loLogger, vulnName, fexists): + try: + self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger) + if self.connectClient(loLogger): + self.client.publish(AMUNCHAN, + attackerIP=attackerIP, + attackerPort=attackerPort, + victimIP=victimIP, + victimPort=victimPort, + downloadURL=downloadURL, md5hash=md5hash, data=data, filelength=filelength, downMethod=downMethod, vulnName=vulnName, fexists=fexists + ) + + except KeyboardInterrupt: + raise From aab7680a475e92f2ea638aeb3c3d9bd0497e1d44 Mon Sep 17 00:00:00 2001 From: tweemeterjop Date: Sun, 6 Jul 2014 23:04:48 +0200 Subject: [PATCH 5/9] Create example_publish.txt --- appsupport/amun/example_publish.txt | 1 + 1 file changed, 1 insertion(+) create mode 100644 appsupport/amun/example_publish.txt diff --git a/appsupport/amun/example_publish.txt b/appsupport/amun/example_publish.txt new file mode 100644 index 0000000..69d1472 --- /dev/null +++ b/appsupport/amun/example_publish.txt @@ -0,0 +1 @@ +[feedcli] publish to amun.events by 7e584120-051e-11e4-8538-00224da3e346: {"attackerPort": 40013, "victimPort": 5000, "victimIP": "92.12.12.50", "attackerIP": "188.24.58.132"} From 37304d9d2a34d0252f83f3669b6013a3254579c8 Mon Sep 17 00:00:00 2001 From: tweemeterjop Date: Sun, 6 Jul 2014 23:08:47 +0200 Subject: [PATCH 6/9] Create log-hpfeeds.conf --- appsupport/amun/log-hpfeeds.conf | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 appsupport/amun/log-hpfeeds.conf diff --git a/appsupport/amun/log-hpfeeds.conf b/appsupport/amun/log-hpfeeds.conf new file mode 100644 index 0000000..6065734 --- /dev/null +++ b/appsupport/amun/log-hpfeeds.conf @@ -0,0 +1,6 @@ +[log-hpfeeds] +server: hpfriends.honeycloud.net +port: 20000 +identifier: vfpaokr3 +secret: C3QuqEQhFq28AT3F +debug: 0 From 45844a8679ab87643138921f2c344374581e4b25 Mon Sep 17 00:00:00 2001 From: tweemeterjop Date: Sun, 6 Jul 2014 23:14:21 +0200 Subject: [PATCH 7/9] Create README --- appsupport/amun/README | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 appsupport/amun/README diff --git a/appsupport/amun/README b/appsupport/amun/README new file mode 100644 index 0000000..4115a64 --- /dev/null +++ b/appsupport/amun/README @@ -0,0 +1,6 @@ + + - place log-hpfeeds.py into /log_modules/log-hpfeeds/ + - add the config file 'log-hpfeeds.conf' to the /conf directory + - edit /conf/amun.conf and add 'log-hpfeeds' under log_modules: + - done! + From 947d4de8983fab57b126cf43cf1bfe0014563bf9 Mon Sep 17 00:00:00 2001 From: tweemeterjop Date: Mon, 7 Jul 2014 13:15:14 +0200 Subject: [PATCH 8/9] Update geoloc.py --- examples/geoloc/geoloc.py | 102 +++++++++++++++++++------------------- 1 file changed, 51 insertions(+), 51 deletions(-) diff --git a/examples/geoloc/geoloc.py b/examples/geoloc/geoloc.py index 47364e5..1d54165 100644 --- a/examples/geoloc/geoloc.py +++ b/examples/geoloc/geoloc.py @@ -11,14 +11,14 @@ HOST = 'localhost' PORT = 10000 CHANNELS = [ - 'amun.events', - 'dionaea.connections', - 'dionaea.capture', - 'glastopf.events', - 'beeswarm.hive', - 'kippo.sessions', - 'conpot.events', - 'snort.alerts' + 'amun.events', + 'dionaea.connections', + 'dionaea.capture', + 'glastopf.events', + 'beeswarm.hive', + 'kippo.sessions', + 'conpot.events', + 'snort.alerts' ] GEOLOC_CHAN = 'geoloc.events' IDENT = '' @@ -39,7 +39,7 @@ print >>sys.stderr, "Warning: no config found, using default values for hpfeeds server" PROCESSORS = { - 'amun.events': [amun_events], + 'amun.events': [amun_events], 'glastopf.events': [glastopf_event,], 'dionaea.capture': [dionaea_capture,], 'dionaea.connections': [dionaea_connections,], @@ -50,54 +50,54 @@ } def main(): - import socket - gi = {} - gi[socket.AF_INET] = GeoIP.open("/opt/GeoLiteCity.dat",GeoIP.GEOIP_STANDARD) - gi[socket.AF_INET6] = GeoIP.open("/opt/GeoLiteCityv6.dat",GeoIP.GEOIP_STANDARD) + import socket + gi = {} + gi[socket.AF_INET] = GeoIP.open("/opt/GeoLiteCity.dat",GeoIP.GEOIP_STANDARD) + gi[socket.AF_INET6] = GeoIP.open("/opt/GeoLiteCityv6.dat",GeoIP.GEOIP_STANDARD) - try: - hpc = hpfeeds.new(HOST, PORT, IDENT, SECRET) - except hpfeeds.FeedException, e: - print >>sys.stderr, 'feed exception:', e - return 1 + try: + hpc = hpfeeds.new(HOST, PORT, IDENT, SECRET) + except hpfeeds.FeedException, e: + print >>sys.stderr, 'feed exception:', e + return 1 - print >>sys.stderr, 'connected to', hpc.brokername + print >>sys.stderr, 'connected to', hpc.brokername - def on_message(identifier, channel, payload): - procs = PROCESSORS.get(channel, []) - p = None - for p in procs: - try: - m = p(identifier, payload, gi) - except: - print "invalid message %s" % payload - continue - try: tmp = json.dumps(m) - except: print 'DBG', m - if m != None: hpc.publish(GEOLOC_CHAN, json.dumps(m)) + def on_message(identifier, channel, payload): + procs = PROCESSORS.get(channel, []) + p = None + for p in procs: + try: + m = p(identifier, payload, gi) + except: + print "invalid message %s" % payload + continue + try: tmp = json.dumps(m) + except: print 'DBG', m + if m != None: hpc.publish(GEOLOC_CHAN, json.dumps(m)) - if not p: - print 'not p?' + if not p: + print 'not p?' - def on_error(payload): - print >>sys.stderr, ' -> errormessage from server: {0}'.format(payload) - hpc.stop() + def on_error(payload): + print >>sys.stderr, ' -> errormessage from server: {0}'.format(payload) + hpc.stop() - hpc.subscribe(CHANNELS) - try: - hpc.run(on_message, on_error) - except hpfeeds.FeedException, e: - print >>sys.stderr, 'feed exception:', e - except KeyboardInterrupt: - pass - except: - import traceback - traceback.print_exc() - finally: - hpc.close() - return 0 + hpc.subscribe(CHANNELS) + try: + hpc.run(on_message, on_error) + except hpfeeds.FeedException, e: + print >>sys.stderr, 'feed exception:', e + except KeyboardInterrupt: + pass + except: + import traceback + traceback.print_exc() + finally: + hpc.close() + return 0 if __name__ == '__main__': - try: sys.exit(main()) - except KeyboardInterrupt:sys.exit(0) + try: sys.exit(main()) + except KeyboardInterrupt:sys.exit(0) From e23f9d35b7fb366504ac1047ed9cc41482211b75 Mon Sep 17 00:00:00 2001 From: tweemeterjop Date: Thu, 10 Jul 2014 10:42:13 +0200 Subject: [PATCH 9/9] Update log_hpfeeds.py tabs to spaces --- appsupport/amun/log_hpfeeds.py | 432 ++++++++++++++++----------------- 1 file changed, 216 insertions(+), 216 deletions(-) diff --git a/appsupport/amun/log_hpfeeds.py b/appsupport/amun/log_hpfeeds.py index 3366c76..2ece009 100644 --- a/appsupport/amun/log_hpfeeds.py +++ b/appsupport/amun/log_hpfeeds.py @@ -10,10 +10,10 @@ """ try: - import psyco ; psyco.full() - from psyco.classes import * + import psyco ; psyco.full() + from psyco.classes import * except ImportError: - pass + pass import time import amun_logging @@ -37,11 +37,11 @@ MAXBUF = 1024**2 SIZES = { - OP_ERROR: 5+MAXBUF, - OP_INFO: 5+256+20, - OP_AUTH: 5+256+20, - OP_PUBLISH: 5+MAXBUF, - OP_SUBSCRIBE: 5+256*2, + OP_ERROR: 5+MAXBUF, + OP_INFO: 5+256+20, + OP_AUTH: 5+256+20, + OP_PUBLISH: 5+MAXBUF, + OP_SUBSCRIBE: 5+256*2, } AMUNCHAN = 'amun.events' @@ -52,225 +52,225 @@ class BadClient(Exception): # packs a string with 1 byte length field def strpack8(x): - if isinstance(x, str): x = x.encode('latin1') - return struct.pack('!B', len(x)) + x + if isinstance(x, str): x = x.encode('latin1') + return struct.pack('!B', len(x)) + x # unpacks a string with 1 byte length field def strunpack8(x): - l = x[0] - return x[1:1+l], x[1+l:] + l = x[0] + return x[1:1+l], x[1+l:] def msghdr(op, data): - return struct.pack('!iB', 5+len(data), op) + data + return struct.pack('!iB', 5+len(data), op) + data def msgpublish(ident, chan, data): - return msghdr(OP_PUBLISH, strpack8(ident) + strpack8(chan) + data) + return msghdr(OP_PUBLISH, strpack8(ident) + strpack8(chan) + data) def msgsubscribe(ident, chan): - if isinstance(chan, str): chan = chan.encode('latin1') - return msghdr(OP_SUBSCRIBE, strpack8(ident) + chan) + if isinstance(chan, str): chan = chan.encode('latin1') + return msghdr(OP_SUBSCRIBE, strpack8(ident) + chan) def msgauth(rand, ident, secret): - hash = hashlib.sha1(bytes(rand)+secret).digest() - return msghdr(OP_AUTH, strpack8(ident) + hash) + hash = hashlib.sha1(bytes(rand)+secret).digest() + return msghdr(OP_AUTH, strpack8(ident) + hash) class FeedUnpack(object): - def __init__(self): - self.buf = bytearray() - def __iter__(self): - return self - def next(self): - return self.unpack() - def feed(self, data): - self.buf.extend(data) - def unpack(self): - if len(self.buf) < 5: - raise StopIteration('No message.') - - ml, opcode = struct.unpack('!iB', buffer(self.buf,0,5)) - if ml > SIZES.get(opcode, MAXBUF): - raise BadClient('Not respecting MAXBUF.') - - if len(self.buf) < ml: - raise StopIteration('No message.') - - data = bytearray(buffer(self.buf, 5, ml-5)) - del self.buf[:ml] - return opcode, data + def __init__(self): + self.buf = bytearray() + def __iter__(self): + return self + def next(self): + return self.unpack() + def feed(self, data): + self.buf.extend(data) + def unpack(self): + if len(self.buf) < 5: + raise StopIteration('No message.') + + ml, opcode = struct.unpack('!iB', buffer(self.buf,0,5)) + if ml > SIZES.get(opcode, MAXBUF): + raise BadClient('Not respecting MAXBUF.') + + if len(self.buf) < ml: + raise StopIteration('No message.') + + data = bytearray(buffer(self.buf, 5, ml-5)) + del self.buf[:ml] + return opcode, data class hpclient(object): - def __init__(self, server, port, ident, secret, debug, loLogger): - self.debug = debug - self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger) - if self.debug: self.log_obj.log("log-hpfeeds hpfeeds client init broker {0}:{1}, identifier {2}".format(server, port, ident), 12, "crit", Log=True, display=True) - self.server, self.port = server, int(port) - self.ident, self.secret = ident.encode('latin1'), secret.encode('latin1') - self.unpacker = FeedUnpack() - self.state = 'INIT' - - self.connect() - self.sendfiles = [] - self.filehandle = None - - def connect(self): - self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - self.s.settimeout(3) - try: self.s.connect((self.server, self.port)) - except: - self.log_obj.log("log-hpfeeds hpfeeds client could not connect to broker.", 12, "crit", Log=True, display=True) - self.s = None - else: - self.s.settimeout(None) - self.handle_established() - - def send(self, data): - if not self.s: return - self.s.send(data) - - def close(self): - self.s.close() - self.s = None - - def handle_established(self): - if self.debug: self.log_obj.log("log-hpfeeds hpclient established", 12, "crit", Log=True, display=True) - while self.state != 'GOTINFO': - self.read() - - #quickly try to see if there was an error message - self.s.settimeout(0.5) - self.read() - self.s.settimeout(None) - - def read(self): - if not self.s: return - try: d = self.s.recv(BUFSIZ) - except socket.timeout: - return - - if not d: - if self.debug: self.log_obj.log("log-hpfeeds hpclient connection closed?", 12, "crit", Log=True, display=True) - self.close() - return - - self.unpacker.feed(d) - try: - for opcode, data in self.unpacker: - if self.debug: self.log_obj.log("log-hpfeeds hpclient msg opcode {0} data {1}".format(opcode, data), 12, "crit", Log=True, display=True) - if opcode == OP_INFO: - name, rand = strunpack8(data) - if self.debug: self.log_obj.log("log-hpfeeds hpclient server name {0} rand {1}".format(name, rand), 12, "crit", Log=True, display=True) - self.send(msgauth(rand, self.ident, self.secret)) - self.state = 'GOTINFO' - - elif opcode == OP_PUBLISH: - ident, data = strunpack8(data) - chan, data = strunpack8(data) - if self.debug: self.log_obj.log("log-hpfeeds publish to {0} by {1}: {2}".format(chan, ident, data), 12, "crit", Log=True, display=True) - - elif opcode == OP_ERROR: - self.log_obj.log("log-hpfeeds errormessage from server: {0}".format(data), 12, "crit", Log=True, display=True) - else: - self.log_obj.log("log-hpfeeds unknown opcode message: {0}".format(opcode), 12, "crit", Log=True, display=True) - except BadClient: - self.log_obj.log("log-hpfeeds unpacker error, disconnecting.", 12, "crit", Log=True, display=True) - self.close() - - def publish(self, channel, **kwargs): - try: - self.send(msgpublish(self.ident, channel, json.dumps(kwargs).encode('latin1'))) - except Exception, e: - self.log_obj.log("log-hpfeeds connection to hpfriends lost: {0}".format(e), 12, "crit", Log=True, display=True) - self.log_obj.log("log-hpfeeds connecting", 12, "crit", Log=True, display=True) - self.connect() - self.send(msgpublish(self.ident, channel, json.dumps(kwargs).encode('latin1'))) - - def sendfile(self, filepath): - # does not read complete binary into memory, read and send chunks - if not self.filehandle: - self.sendfileheader(i.file) - self.sendfiledata() - else: self.sendfiles.append(filepath) - - def sendfileheader(self, filepath): - self.filehandle = open(filepath, 'rb') - fsize = os.stat(filepath).st_size - headc = strpack8(self.ident) + strpack8(UNIQUECHAN) - headh = struct.pack('!iB', 5+len(headc)+fsize, OP_PUBLISH) - self.send(headh + headc) - - def sendfiledata(self): - tmp = self.filehandle.read(BUFSIZ) - if not tmp: - if self.sendfiles: - fp = self.sendfiles.pop(0) - self.sendfileheader(fp) - else: - self.filehandle = None - self.handle_io_in(b'') - else: - self.send(tmp) + def __init__(self, server, port, ident, secret, debug, loLogger): + self.debug = debug + self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger) + if self.debug: self.log_obj.log("log-hpfeeds hpfeeds client init broker {0}:{1}, identifier {2}".format(server, port, ident), 12, "crit", Log=True, display=True) + self.server, self.port = server, int(port) + self.ident, self.secret = ident.encode('latin1'), secret.encode('latin1') + self.unpacker = FeedUnpack() + self.state = 'INIT' + + self.connect() + self.sendfiles = [] + self.filehandle = None + + def connect(self): + self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + self.s.settimeout(3) + try: self.s.connect((self.server, self.port)) + except: + self.log_obj.log("log-hpfeeds hpfeeds client could not connect to broker.", 12, "crit", Log=True, display=True) + self.s = None + else: + self.s.settimeout(None) + self.handle_established() + + def send(self, data): + if not self.s: return + self.s.send(data) + + def close(self): + self.s.close() + self.s = None + + def handle_established(self): + if self.debug: self.log_obj.log("log-hpfeeds hpclient established", 12, "crit", Log=True, display=True) + while self.state != 'GOTINFO': + self.read() + + #quickly try to see if there was an error message + self.s.settimeout(0.5) + self.read() + self.s.settimeout(None) + + def read(self): + if not self.s: return + try: d = self.s.recv(BUFSIZ) + except socket.timeout: + return + + if not d: + if self.debug: self.log_obj.log("log-hpfeeds hpclient connection closed?", 12, "crit", Log=True, display=True) + self.close() + return + + self.unpacker.feed(d) + try: + for opcode, data in self.unpacker: + if self.debug: self.log_obj.log("log-hpfeeds hpclient msg opcode {0} data {1}".format(opcode, data), 12, "crit", Log=True, display=True) + if opcode == OP_INFO: + name, rand = strunpack8(data) + if self.debug: self.log_obj.log("log-hpfeeds hpclient server name {0} rand {1}".format(name, rand), 12, "crit", Log=True, display=True) + self.send(msgauth(rand, self.ident, self.secret)) + self.state = 'GOTINFO' + + elif opcode == OP_PUBLISH: + ident, data = strunpack8(data) + chan, data = strunpack8(data) + if self.debug: self.log_obj.log("log-hpfeeds publish to {0} by {1}: {2}".format(chan, ident, data), 12, "crit", Log=True, display=True) + + elif opcode == OP_ERROR: + self.log_obj.log("log-hpfeeds errormessage from server: {0}".format(data), 12, "crit", Log=True, display=True) + else: + self.log_obj.log("log-hpfeeds unknown opcode message: {0}".format(opcode), 12, "crit", Log=True, display=True) + except BadClient: + self.log_obj.log("log-hpfeeds unpacker error, disconnecting.", 12, "crit", Log=True, display=True) + self.close() + + def publish(self, channel, **kwargs): + try: + self.send(msgpublish(self.ident, channel, json.dumps(kwargs).encode('latin1'))) + except Exception, e: + self.log_obj.log("log-hpfeeds connection to hpfriends lost: {0}".format(e), 12, "crit", Log=True, display=True) + self.log_obj.log("log-hpfeeds connecting", 12, "crit", Log=True, display=True) + self.connect() + self.send(msgpublish(self.ident, channel, json.dumps(kwargs).encode('latin1'))) + + def sendfile(self, filepath): + # does not read complete binary into memory, read and send chunks + if not self.filehandle: + self.sendfileheader(i.file) + self.sendfiledata() + else: self.sendfiles.append(filepath) + + def sendfileheader(self, filepath): + self.filehandle = open(filepath, 'rb') + fsize = os.stat(filepath).st_size + headc = strpack8(self.ident) + strpack8(UNIQUECHAN) + headh = struct.pack('!iB', 5+len(headc)+fsize, OP_PUBLISH) + self.send(headh + headc) + + def sendfiledata(self): + tmp = self.filehandle.read(BUFSIZ) + if not tmp: + if self.sendfiles: + fp = self.sendfiles.pop(0) + self.sendfileheader(fp) + else: + self.filehandle = None + self.handle_io_in(b'') + else: + self.send(tmp) class log: - def __init__(self): - try: - self.log_name = "log hpfeeds" - conffile = "conf/log-hpfeeds.conf" - config = amun_config_parser.AmunConfigParser(conffile) - self.server = config.getSingleValue("server") - self.port = config.getSingleValue("port") - self.ident = config.getSingleValue("identifier") - self.secret = config.getSingleValue("secret") - self.debug = int(config.getSingleValue("debug")) - del config - - except KeyboardInterrupt: - raise - - def connectClient(self, loLogger): - try: - self.client = hpclient(self.server, self.port, self.ident, self.secret, self.debug, loLogger) - return True - except KeyboardInterrupt: - raise - - def initialConnection(self, attackerIP, attackerPort, victimIP, victimPort, identifier, initialConnectionsDict, loLogger): - try: - self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger) - if self.connectClient(loLogger): - self.client.publish(AMUNCHAN, - attackerIP=attackerIP, - attackerPort=attackerPort, - victimIP=victimIP, - victimPort=victimPort - ) - - except KeyboardInterrupt: - raise - - def incoming(self, attackerIP, attackerPort, victimIP, victimPort, vulnName, timestamp, downloadMethod, loLogger, attackerID, shellcodeName): - try: - self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger) - if self.connectClient(loLogger): - self.client.publish(AMUNCHAN, - attackerIP=attackerIP, - attackerPort=attackerPort, - victimIP=victimIP, - victimPort=victimPort, - vulnName=vulnName, timestamp=timestamp, downloadMethod=downloadMethod, attackerID=attackerID, shellcodeName=shellcodeName - ) - - except KeyboardInterrupt: - raise - - - def successfullSubmission(self, attackerIP, attackerPort, victimIP, downloadURL, md5hash, data, filelength, downMethod, loLogger, vulnName, fexists): - try: - self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger) - if self.connectClient(loLogger): - self.client.publish(AMUNCHAN, - attackerIP=attackerIP, - attackerPort=attackerPort, - victimIP=victimIP, - victimPort=victimPort, - downloadURL=downloadURL, md5hash=md5hash, data=data, filelength=filelength, downMethod=downMethod, vulnName=vulnName, fexists=fexists - ) - - except KeyboardInterrupt: - raise + def __init__(self): + try: + self.log_name = "log hpfeeds" + conffile = "conf/log-hpfeeds.conf" + config = amun_config_parser.AmunConfigParser(conffile) + self.server = config.getSingleValue("server") + self.port = config.getSingleValue("port") + self.ident = config.getSingleValue("identifier") + self.secret = config.getSingleValue("secret") + self.debug = int(config.getSingleValue("debug")) + del config + + except KeyboardInterrupt: + raise + + def connectClient(self, loLogger): + try: + self.client = hpclient(self.server, self.port, self.ident, self.secret, self.debug, loLogger) + return True + except KeyboardInterrupt: + raise + + def initialConnection(self, attackerIP, attackerPort, victimIP, victimPort, identifier, initialConnectionsDict, loLogger): + try: + self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger) + if self.connectClient(loLogger): + self.client.publish(AMUNCHAN, + attackerIP=attackerIP, + attackerPort=attackerPort, + victimIP=victimIP, + victimPort=victimPort + ) + + except KeyboardInterrupt: + raise + + def incoming(self, attackerIP, attackerPort, victimIP, victimPort, vulnName, timestamp, downloadMethod, loLogger, attackerID, shellcodeName): + try: + self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger) + if self.connectClient(loLogger): + self.client.publish(AMUNCHAN, + attackerIP=attackerIP, + attackerPort=attackerPort, + victimIP=victimIP, + victimPort=victimPort, + vulnName=vulnName, timestamp=timestamp, downloadMethod=downloadMethod, attackerID=attackerID, shellcodeName=shellcodeName + ) + + except KeyboardInterrupt: + raise + + + def successfullSubmission(self, attackerIP, attackerPort, victimIP, downloadURL, md5hash, data, filelength, downMethod, loLogger, vulnName, fexists): + try: + self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger) + if self.connectClient(loLogger): + self.client.publish(AMUNCHAN, + attackerIP=attackerIP, + attackerPort=attackerPort, + victimIP=victimIP, + victimPort=victimPort, + downloadURL=downloadURL, md5hash=md5hash, data=data, filelength=filelength, downMethod=downMethod, vulnName=vulnName, fexists=fexists + ) + + except KeyboardInterrupt: + raise