[FIX] Fix port number incorrectly reported in many services and add m…

…ore remote information to log.{request,response}
UHH-ISS · Dec 3, 2019 · 0b58c00 · 0b58c00
1 parent 8237d69
commit 0b58c00
Show file tree

Hide file tree

Showing 7 changed files with 167 additions and 147 deletions.
diff --git a/honeygrove/log.py b/honeygrove/log.py
@@ -187,20 +187,22 @@ def login(service: str, ip: str, port: int, successful: bool, user: str, secret:
     _log_alert(message)
 
 
-def request(service: str, ip: str, port: int, req: str, user: str = None, request_type: str = None):
+def request(service: str, remote_ip: str, remote_port: int, local_ip: str, local_port: int, req: str, user: str = None, request_type: str = None):
     """
     Log function to be called when a request is received
 
     :param service: the concerning service
-    :param ip: attacker's IP-Address
-    :param port: attackers port
+    :param remote_ip: attacker's IP-Address
+    :param remote_port: attackers port
+    :param local_ip: local IP that was accessed
+    :param local_port: local port that was accessed
     :param req: the received request
     :param user: the user whose session invoked the alert
     :param request_type: for HTTP if the request is a GET or a POST request
     """
 
     timestamp = format_time(get_time())
-    coordinates = get_coordinates(ip)
+    coordinates = get_coordinates(remote_ip)
 
     ecs_event = {'category': 'warning', 'action': 'request'}
     ecs_hg_request = {'service': service, 'original': req}
@@ -214,9 +216,8 @@ def request(service: str, ip: str, port: int, req: str, user: str = None, reques
     values = {'@timestamp': timestamp,
               'service': ECS_SERVICE,
               'event': ecs_event,
-              # XXX: we don't know the source port currently..
-              'source': get_ecs_address_dict(ip),
-              'destination': get_ecs_address_dict(Config.general.address, port),
+              'source': get_ecs_address_dict(remote_ip, remote_port),
+              'destination': get_ecs_address_dict(local_ip, local_port),
               'honeygrove': ecs_hg}
 
     # Append geo coordinates of source, if available
@@ -232,25 +233,27 @@ def request(service: str, ip: str, port: int, req: str, user: str = None, reques
         lat = '{:.4f}'.format(coordinates[0])
         lon = '{:.4f}'.format(coordinates[1])
 
-    message = ('{} [REQUEST] {}, {}:{}, Lat: {}, Lon: {}, {}, {}, {}'
-               '').format(timestamp, service, ip, port, lat, lon, req, user, request_type)
+    message = ('{} [REQUEST] {}, {}:{}->{}:{}, Lat: {}, Lon: {}, {}, {}, {}'
+               '').format(timestamp, service, remote_ip, remote_port, local_ip, local_port, lat, lon, req, user, request_type)
     _log_alert(message)
 
 
-def response(service: str, ip: str, port: int, resp: str, user: str = None, status_code=None):
+def response(service: str, remote_ip: str, remote_port: int, local_ip: str, local_port: int, resp: str, user: str = None, status_code=None):
     """
     Log function to be called when sending a response
 
     :param service: the concerning service
-    :param ip: attacker's IP-Address
-    :param port: attackers port
+    :param remote_ip: attacker's IP-Address
+    :param remote_port: attackers port
+    :param local_ip: local IP that was accessed
+    :param local_port: local port that was accessed
     :param resp: the response sent
     :param user: the user whose session invoked the alert
     :param status_code: the status code sent
     """
 
     timestamp = format_time(get_time())
-    coordinates = get_coordinates(ip)
+    coordinates = get_coordinates(remote_ip)
 
     ecs_event = {'category': 'warning', 'action': 'response'}
     ecs_hg_request = {'service': service, 'original': resp}
@@ -264,8 +267,8 @@ def response(service: str, ip: str, port: int, resp: str, user: str = None, stat
     values = {'@timestamp': timestamp,
               'service': ECS_SERVICE,
               'event': ecs_event,
-              'source': get_ecs_address_dict(Config.general.address),
-              'destination': get_ecs_address_dict(ip, port),
+              'source': get_ecs_address_dict(local_ip, local_port),
+              'destination': get_ecs_address_dict(remote_ip, remote_port),
               'honeygrove': ecs_hg}
 
     # Append geo coordinates of source, if available
@@ -281,8 +284,8 @@ def response(service: str, ip: str, port: int, resp: str, user: str = None, stat
         lat = '{:.4f}'.format(coordinates[0])
         lon = '{:.4f}'.format(coordinates[1])
 
-    message = ('{} [RESPONSE] {}, {}:{}, Lat: {}, Lon: {}, {}, {}, {}'
-               '').format(timestamp, service, ip, port, lat, lon, resp, user, status_code)
+    message = ('{} [RESPONSE] {}, {}:{}->{}:{}, Lat: {}, Lon: {}, {}, {}, {}'
+               '').format(timestamp, service, local_ip, local_port, remote_ip, remote_port, lat, lon, resp, user, status_code)
     _log_alert(message)
 
 

diff --git a/honeygrove/services/HTTPService.py b/honeygrove/services/HTTPService.py
@@ -76,7 +76,6 @@ class HTTPProtocol(Protocol):
     def __init__(self):
         self.state = None
 
-        self.peerOfAttacker = ""
         self.page = ""
         self.path = Config.http.resource_folder
         self.attackingSite = ""
@@ -87,12 +86,13 @@ def __init__(self):
 
     def connectionMade(self):
         # Add connection to dictionary
-        self.factory.clients[self] = ("<" + str(self.transport.getPeer().host) + ":"
-                                      + str(self.transport.getPeer().port) + ">")
-        self.peerOfAttacker = self.transport.getPeer().host
+        peer = self.transport.getPeer()
+        self.factory.clients[self] = ("<" + str(peer.host) + ":" + str(peer.port) + ">")
 
     def dataReceived(self, data):
 
+        local = self.transport.getHost()
+        remote = self.transport.getPeer()
         data = data.decode('utf-8')
 
         self.requestType = data.split(' ', 1)[0]
@@ -128,7 +128,7 @@ def dataReceived(self, data):
 
         elif self.requestType == "GET" and self.page in HTTPService.supportedSites:
 
-            log.request("HTTP", self.peerOfAttacker, HTTPService.port, self.page, "", "GET")
+            log.request("HTTP", remote.host, remote.port, local.host, local.port, self.page, "", "GET")
 
             message = HTTPService.okStatus + "\n"
             for k in HTTPService.responseHeadersOkStatus.keys():
@@ -139,7 +139,7 @@ def dataReceived(self, data):
 
             self.transport.write(message.encode('UTF-8'))
             if self.page in HTTPService.supportedSites:
-                log.response("HTTP", self.peerOfAttacker, HTTPService.port, self.page, "", "200 OK")
+                log.response("HTTP", remote.host, remote.port, local.host, local.port, self.page, "", "200 OK")
 
             self.transport.loseConnection()
 
@@ -159,14 +159,15 @@ def dataReceived(self, data):
             else:
                 password_string = data[password_index:data.find("&")]
 
-            log.request("HTTP", self.peerOfAttacker, HTTPService.port, self.page, login_string, "POST")
+            log.request("HTTP", remote.host, remote.port, local.host, local.port, self.page, "", "POST")
             result = HTTPService.htdb.requestAvatarId(HTTPAvatar(login_string, password_string))
             if isinstance(result, Deferred):
                 if isinstance(result.result, failure.Failure):  # Failure
                     result.addErrback(self.errorBack)
-                    log.response("HTTP", self.peerOfAttacker, HTTPService.port, "", login_string, "403 FORBIDDEN")
-                    log.login("HTTP", self.peerOfAttacker, HTTPService.port, False, login_string, password_string,
-                              str(HTTPService.htdb.getActual(login_string, password_string)))
+                    log.response("HTTP", remote.host, remote.port, local.host, local.port, self.page, login_string, "403 FORBIDDEN")
+                    # FIXME: Add remote port and local host
+                    log.login("HTTP", remote.host, local.port, False, login_string, password_string,
+                              str(HTTPService.htdb.try_get_tokens(login_string, password_string)))
                 else:  # Success
                     message = HTTPService.okStatus + "\n"
                     for k in HTTPService.responseHeadersOkStatus.keys():
@@ -177,9 +178,10 @@ def dataReceived(self, data):
 
                     self.transport.write(message.encode('UTF-8'))
                     self.page = "wp-admin_content.html"
-                    log.response("HTTP", self.peerOfAttacker, HTTPService.port, self.page, login_string, "200 OK")
-                    log.login("HTTP", self.peerOfAttacker, HTTPService.port, True, login_string, password_string,
-                              str(HTTPService.htdb.getActual(login_string, password_string)))
+                    log.response("HTTP", remote.host, remote.port, local.host, local.port, self.page, login_string, "200 OK")
+                    # FIXME: Add remote port and local host
+                    log.login("HTTP", remote.host, local.port, True, login_string, password_string,
+                              str(HTTPService.htdb.try_get_tokens(login_string, password_string)))
                     self.transport.loseConnection()
         else:
             message = HTTPService.notFoundStatus + "\n"
@@ -190,9 +192,9 @@ def dataReceived(self, data):
                 message = message + "\n" + file.read()
 
             self.transport.write(message.encode('UTF-8'))
-            log.request("HTTP", self.peerOfAttacker, HTTPService.port, self.page, "", "GET")
+            log.request("HTTP", remote.host, remote.port, local.host, local.port, self.page, "", "GET")
             self.page = "404_login.html"
-            log.response("HTTP", self.peerOfAttacker, HTTPService.port, self.page, "", "404 Not Found")
+            log.response("HTTP", remote.host, remote.port, local.host, local.port, self.page, login_string, "404 NOT FOUND")
             self.transport.loseConnection()
 
     def connectionLost(self, reason):