Do not store the same malware several times

this decreases disk space consumption + also log sha sum
2025-07-01 18:07:27 -04:00 · 2014-11-05 16:59:40 +01:00
parent 9bce85cbe9
commit 637e813151
4 changed files with 58 additions and 4 deletions
--- a/kippo/commands/wget.py
+++ b/kippo/commands/wget.py
@ -12,8 +12,10 @@ import urlparse
 import random
 import re
 import exceptions
-import os.path
+import os
 import getopt
+import hashlib
+import shutil

 commands = {}

@ -93,13 +95,15 @@ class command_wget(HoneyPotCommand):
        if cfg.has_option('honeypot', 'download_limit_size'):
            self.limit_size = int(cfg.get('honeypot', 'download_limit_size'))

+        self.download_path = cfg.get('honeypot', 'download_path')
+
        self.safeoutfile = '%s/%s_%s' % \
-            (cfg.get('honeypot', 'download_path'),
+            (self.download_path,
            time.strftime('%Y%m%d%H%M%S'),
            re.sub('[^A-Za-z0-9]', '_', url))
        self.deferred = self.download(url, outfile, self.safeoutfile)
        if self.deferred:
-            self.deferred.addCallback(self.success)
+            self.deferred.addCallback(self.success, outfile)
            self.deferred.addErrback(self.error, url)

    def download(self, url, fakeoutfile, outputfile, *args, **kwargs):
@ -137,7 +141,30 @@ class command_wget(HoneyPotCommand):
        self.writeln('^C')
        self.connection.transport.loseConnection()

-    def success(self, data):
+    def success(self, data, outfile):
+        if not os.path.isfile(self.safeoutfile):
+            print "there's no file " + self.safeoutfile
+            self.exit()
+
+        shasum = hashlib.sha256(open(self.safeoutfile, 'rb').read()).hexdigest()
+        hash_path = '%s/%s' % (self.download_path, shasum)
+
+        msg = 'SHA sum %s of URL %s in file %s' % \
+            (shasum, self.url, self.fileName)
+        print msg
+        self.honeypot.logDispatch(msg)
+
+        if not os.path.exists(hash_path):
+            print "moving " + self.safeoutfile + " -> " + hash_path
+            shutil.move(self.safeoutfile, hash_path)
+        else:
+            print "deleting " + self.safeoutfile + " SHA sum: " + shasum
+            os.remove(self.safeoutfile)
+        self.safeoutfile = hash_path
+
+        print "Updating realfile to " + hash_path
+        f = self.fs.getfile(outfile)
+        f[9] = hash_path
        self.exit()

    def error(self, error, url):
@ -257,6 +284,8 @@ class HTTPProgressDownloader(client.HTTPDownloader):
        self.wget.fs.update_realfile(
            self.wget.fs.getfile(self.fakeoutfile),
            self.wget.safeoutfile)
+
+        self.wget.fileName = self.fileName
        return client.HTTPDownloader.pageEnd(self)

 # vim: set sw=4 et:
--- a/kippo/core/dblog.py
+++ b/kippo/core/dblog.py
@ -32,6 +32,10 @@ class DBLogger(object):
                self.handleUnknownCommand),
            ('^:dispatch: Saving URL \((?P<url>.*)\) to (?P<outfile>.*)$',
                self.handleFileDownload),
+            ('^:dispatch: SHA sum (?P<shasum>.*) of URL (?P<url>.*) in file (?P<outfile>.*)$',
+                self.handleShaSum),
+            ('^:dispatch: Updated outfile (?P<outfile>.*) to (?P<dl_file>.*) with SHA sum (?P<shasum>.*)$',
+                self.handleUpdatedFile),
            ('^INPUT \((?P<realm>[a-zA-Z0-9]+)\): (?P<input>.*)$',
                self.handleInput),
            ('^Terminal size: (?P<height>[0-9]+) (?P<width>[0-9]+)$',
@ -145,4 +149,12 @@ class DBLogger(object):
    def handleFileDownload(self, session, args):
        pass

+    # args has: shasum, url, outfile
+    def handleShaSum(self, session, args):
+        pass
+
+    # args has: outfile, dl_file, shasum
+    def handleUpdatedFile(self, session, args):
+        pass
+
 # vim: set sw=4 et:
--- a/kippo/dblog/mysql.py
+++ b/kippo/dblog/mysql.py
@ -146,4 +146,9 @@ class DBLogger(dblog.DBLogger):
            ' VALUES (%s, FROM_UNIXTIME(%s), %s, %s)',
            (session, self.nowUnix(), args['url'], args['outfile']))

+    def handleShaSum(self, session, args):
+         self.simpleQuery('UPDATE `downloads` SET `shasum` = %s' + \
+            '  WHERE `outfile` = %s',
+            (args['shasum'], args['outfile']))
+
 # vim: set sw=4 et:
--- a/kippo/dblog/textlog.py
+++ b/kippo/dblog/textlog.py
@ -56,4 +56,12 @@ class DBLogger(dblog.DBLogger):
        self.write(session, 'File download: [%s] -> %s' % \
            (args['url'], args['outfile']))

+    def handleShaSum(self, session, args):
+        self.write(session, 'File SHA sum: %s [%s] -> %s' % \
+            (args['shasum'], args['url'], args['outfile']))
+
+    def handleUpdatedFile(self, session, args):
+        self.write(session, 'Updated wget outfile %s to %s' % \
+            (args['outfile'], args['dl_file']))
+
 # vim: set sw=4 et: