merge hpfeeds changes from vorband

This commit is contained in:
Marco Ochse 2018-06-05 14:14:41 +02:00
parent 9acd87730f
commit bf6fd94ea9
2 changed files with 63 additions and 9 deletions


@ -21,7 +21,7 @@ RUN apk -U upgrade && \
# Get and install packages # Get and install packages
mkdir -p /opt/ && \ mkdir -p /opt/ && \
cd /opt/ && \ cd /opt/ && \
git clone --depth=1 https://github.com/cymmetria/ciscoasa_honeypot && \ git clone --depth=1 https://github.com/vorband/ciscoasa_honeypot && \
cd ciscoasa_honeypot && \ cd ciscoasa_honeypot && \
pip3 install --no-cache-dir --upgrade pip && \ pip3 install --no-cache-dir --upgrade pip && \
pip3 install --no-cache-dir -r requirements.txt && \ pip3 install --no-cache-dir -r requirements.txt && \
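Review bot: The new clone target `https://github.com/vorband/ciscoasa_honeypot` is still fetched unpinned with `--depth=1`, so every image build pulls whatever the fork's default branch holds at build time, and the image now depends on a personal fork rather than the original repository, which widens the supply-chain surface of the build. Pin the checkout to a reviewed revision, e.g. add `git checkout <COMMIT_SHA_PLACEHOLDER> && \` after the `cd ciscoasa_honeypot && \` line, and note the pinned revision in the surrounding comment so future updates are deliberate rather than implicit. The RUN instruction continues outside the hunk on both sides.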


@ -1,7 +1,7 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
import os import os
import datetime import time
import socket import socket
import logging import logging
logging.basicConfig(format='%(message)s') logging.basicConfig(format='%(message)s')
@ -12,11 +12,36 @@ from http.server import HTTPServer
from socketserver import ThreadingMixIn from socketserver import ThreadingMixIn
from http.server import SimpleHTTPRequestHandler from http.server import SimpleHTTPRequestHandler
import ike_server import ike_server
import datetime
class NonBlockingHTTPServer(ThreadingMixIn, HTTPServer): class NonBlockingHTTPServer(ThreadingMixIn, HTTPServer):
pass pass
class hpflogger:
def __init__(self, hpfserver, hpfport, hpfident, hpfsecret, hpfchannel, serverid, verbose):
self.hpfserver=hpfserver
self.hpfport=hpfport
self.hpfident=hpfident
self.hpfsecret=hpfsecret
self.hpfchannel=hpfchannel
self.serverid=serverid
self.hpc=None
self.verbose=verbose
if (self.hpfserver and self.hpfport and self.hpfident and self.hpfport and self.hpfchannel and self.serverid):
import hpfeeds
try:
self.hpc = hpfeeds.new(self.hpfserver, self.hpfport, self.hpfident, self.hpfsecret)
logger.debug("Logging to hpfeeds using server: {0}, channel {1}.".format(self.hpfserver, self.hpfchannel))
except (hpfeeds.FeedException, socket.error, hpfeeds.Disconnect):
logger.critical("hpfeeds connection not successful")
def log(self, level, message):
if self.hpc:
if level in ['debug', 'info'] and not self.verbose:
return
self.hpc.publish(self.hpfchannel, "["+self.serverid+"] ["+level+"] ["+datetime.datetime.now().isoformat() +"] " + str(message))
def header_split(h): def header_split(h):
return [list(map(str.strip, l.split(': ', 1))) for l in h.strip().splitlines()] return [list(map(str.strip, l.split(': ', 1))) for l in h.strip().splitlines()]
@ -24,6 +49,7 @@ def header_split(h):
class WebLogicHandler(SimpleHTTPRequestHandler): class WebLogicHandler(SimpleHTTPRequestHandler):
logger = None logger = None
hpfl = None
protocol_version = "HTTP/1.1" protocol_version = "HTTP/1.1"
@ -153,6 +179,10 @@ class WebLogicHandler(SimpleHTTPRequestHandler):
(datetime.datetime.now().isoformat(), (datetime.datetime.now().isoformat(),
self.client_address[0], self.client_address[0],
format % args)) format % args))
self.hpfl.log('debug', "%s - - [%s] %s" %
(self.client_address[0],
self.log_date_time_string(),
format % args))
def handle_one_request(self): def handle_one_request(self):
"""Handle a single HTTP request. """Handle a single HTTP request.
@ -203,18 +233,37 @@ if __name__ == '__main__':
@click.option('-c', '--cert', default=None, help='Certificate File Path (will generate self signed ' @click.option('-c', '--cert', default=None, help='Certificate File Path (will generate self signed '
'cert if not supplied)') 'cert if not supplied)')
@click.option('-v', '--verbose', default=False, help='Verbose logging', is_flag=True) @click.option('-v', '--verbose', default=False, help='Verbose logging', is_flag=True)
def start(host, port, ike_port, enable_ssl, cert, verbose):
# hpfeeds options
@click.option('--hpfserver', default=os.environ.get('HPFEEDS_SERVER'), help='HPFeeds Server')
@click.option('--hpfport', default=os.environ.get('HPFEEDS_PORT'), help='HPFeeds Port', type=click.INT)
@click.option('--hpfident', default=os.environ.get('HPFEEDS_IDENT'), help='HPFeeds Ident')
@click.option('--hpfsecret', default=os.environ.get('HPFEEDS_SECRET'), help='HPFeeds Secret')
@click.option('--hpfchannel', default=os.environ.get('HPFEEDS_CHANNEL'), help='HPFeeds Channel')
@click.option('--serverid', default=os.environ.get('SERVERID'), help='Verbose logging')
def start(host, port, ike_port, enable_ssl, cert, verbose, hpfserver, hpfport, hpfident, hpfsecret, hpfchannel, serverid):
""" """
A low interaction honeypot for the Cisco ASA component capable of detecting CVE-2018-0101, A low interaction honeypot for the Cisco ASA component capable of detecting CVE-2018-0101,
a DoS and remote code execution vulnerability a DoS and remote code execution vulnerability
""" """
hpfl=hpflogger(hpfserver, hpfport, hpfident, hpfsecret, hpfchannel, serverid, verbose)
def alert(cls, host, port, payloads): def alert(cls, host, port, payloads):
logger.critical({ logger.critical({
'timestamp': datetime.datetime.utcnow().isoformat(), 'timestamp': datetime.datetime.utcnow().isoformat(),
'src_ip': host, 'src_ip': host,
'src_port': port, 'src_port': port,
'payload_printable': payloads, 'payload_printable': payloads,
}) })
#log to hpfeeds
hpfl.log("critical", {
'src': host,
'spt': port,
'data': payloads,
})
if verbose: if verbose:
logger.setLevel(logging.DEBUG) logger.setLevel(logging.DEBUG)
@ -222,14 +271,15 @@ if __name__ == '__main__':
requestHandler = WebLogicHandler requestHandler = WebLogicHandler
requestHandler.alert_function = alert requestHandler.alert_function = alert
requestHandler.logger = logger requestHandler.logger = logger
requestHandler.hpfl = hpfl
def log_date_time_string(): def log_date_time_string():
"""Return the current time formatted for logging.""" """Return the current time formatted for logging."""
now = datetime.datetime.utcnow().isoformat() now = datetime.datetime.now().isoformat()
return now return now
def ike(): def ike():
ike_server.start(host, ike_port, alert, logger) ike_server.start(host, ike_port, alert, logger, hpfl)
t = threading.Thread(target=ike) t = threading.Thread(target=ike)
t.daemon = True t.daemon = True
t.start() t.start()
@ -243,11 +293,15 @@ if __name__ == '__main__':
httpd.socket = ssl.wrap_socket(httpd.socket, certfile=cert, server_side=True) httpd.socket = ssl.wrap_socket(httpd.socket, certfile=cert, server_side=True)
logger.info('Starting server on port {:d}/tcp, use <Ctrl-C> to stop'.format(port)) logger.info('Starting server on port {:d}/tcp, use <Ctrl-C> to stop'.format(port))
hpfl.log('info', 'Starting server on port {:d}/tcp, use <Ctrl-C> to stop'.format(port))
try: try:
httpd.serve_forever() httpd.serve_forever()
except KeyboardInterrupt: except KeyboardInterrupt:
pass pass
logger.info('Stopping server.') logger.info('Stopping server.')
hpfl.log('info', 'Stopping server.')
httpd.server_close() httpd.server_close()
start() start()
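Review bot: The guard in `hpflogger.__init__` tests `self.hpfport` twice and never tests `self.hpfsecret`, so a configuration that lacks the secret still reaches `hpfeeds.new(...)` with `None`; the intended line is presumably `if (self.hpfserver and self.hpfport and self.hpfident and self.hpfsecret and self.hpfchannel and self.serverid):`. In the same class, `log()` calls `self.hpc.publish(...)` with no error handling, whereas `__init__` catches `hpfeeds.FeedException`, `socket.error` and `hpfeeds.Disconnect`; if `publish` can raise the same errors on a dropped feed, every request handler's `log_message` call becomes a crash path once the broker goes away, so the same `except` clause belongs around the publish. Two smaller points in the `start` hunk: the `--serverid` option's help text reads `help='Verbose logging'` (copied from `-v`) and should describe the server identifier, and `log_date_time_string` now returns `datetime.datetime.now()` while `alert` still stamps `datetime.datetime.utcnow()`, so the two log streams carry timestamps in different zones and should both stay UTC for a consistent timeline. `--hpfsecret` also accepts the feed secret as a command-line argument, which leaves it visible in the process list; the `HPFEEDS_SECRET` environment default already covers deployment, so the option could be documented as env-only. `ike_server.start` now receives `hpfl` as a fifth argument but `ike_server` is not among the two files changed here, so confirm its signature was updated in the cloned fork; `start()` itself continues outside the hunks.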