cowrie/cowrie
1
0
Fork 0
mirror of https://github.com/cowrie/cowrie.git synced 2025-07-01 18:07:27 -04:00
Code Issues Packages Projects Releases Wiki Activity

adding csirtg.io sdk support (#357)

Browse Source
This commit is contained in:
Wes
2016-12-05 05:46:49 -05:00
committed by Michel Oosterhof
parent 98a31b5e76
commit 0bd9777f59
3 changed files with 73 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
cowrie.cfg.dist
View File

@ -432,3 +432,10 @@ logfile = log/cowrie.json
#api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef #api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# #
# https://csirtg.io
# You must signup for an api key.
#
#[output_csirtg]
#username=wes
#feed=scanners
#token=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

65
cowrie/output/csirtg.py Normal file
View File

@ -0,0 +1,65 @@
import cowrie.core.output
from csirtgsdk.indicator import Indicator
from csirtgsdk.client import Client
from datetime import datetime
from pprint import pprint
import logging
import os
logger = logging.getLogger(__name__)
USERNAME = os.environ.get('CSIRTG_USER')
FEED = os.environ.get('CSIRTG_FEED')
TOKEN = os.environ.get('CSIRG_TOKEN')
class Output(cowrie.core.output.Output):
def __init__(self, cfg):
cowrie.core.output.Output.__init__(self, cfg)
self.user = cfg.get('output_csirtg', 'username') or USERNAME
self.feed = cfg.get('output_csirtg', 'feed') or FEED
self.token = cfg.get('output_csirtg', 'token') or TOKEN
self.port = os.environ.get('COWRIE_PORT', 22)
self.context = {}
self.client = Client(token=self.token)
def start(self,):
pass
def stop(self):
pass
def write(self, e):
sid = e['session']
peerIP = e['src_ip']
ts = e['timestamp']
today = str(datetime.now().date())
logger.info('today is %s' % today)
if not self.context.get(today):
logger.info('resetting context for %s' % today)
self.context = {}
self.context[today] = {}
if not self.context[today].get(peerIP):
self.context[today][peerIP] = []
i = {
'user': self.user,
'feed': self.feed,
'indicator': peerIP,
'portlist': self.port,
'protocol': 'tcp',
'tags': 'scanner,ssh',
'firsttime': ts,
'lasttime': ts
}
ret = Indicator(self.client, i).submit()
logger.info('logged to csirtg %s ' % ret['indicator']['location'])
else:
pprint(self.context)
self.context[today][peerIP].append(sid)

1
requirements.txt
View File

@ -7,3 +7,4 @@ service_identity
pycrypto pycrypto
python-dateutil python-dateutil
tftpy tftpy
csirtgsdk