From 1d0e046924918549123d478eb6c5b467ada39b3e Mon Sep 17 00:00:00 2001 From: "David J. Bianco" Date: Thu, 6 Feb 2025 10:16:42 -0500 Subject: [PATCH] Added 'sensor_name' and 'sensor_protocol' to logs * 'sensor_name` is an arbitrary string that identifies the specific honeypot sensor that generated the log. Set it in the config.ini file. If not set, it will default to the honeypot system's hostname. * 'sensor_protocol' identifies the specific protocol this honeypot sensor uses. For SSH, it's always "ssh" but as other protocols are added to DECEIVE in the future, this will have different values for their logs. --- SSH/config.ini.TEMPLATE | 4 ++++ SSH/ssh_server.py | 17 ++++++++++++++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/SSH/config.ini.TEMPLATE b/SSH/config.ini.TEMPLATE index c1aa2a9..b5b3b99 100644 --- a/SSH/config.ini.TEMPLATE +++ b/SSH/config.ini.TEMPLATE @@ -6,6 +6,10 @@ # The name of the file you wish to write the honeypot log to. log_file = ssh_log.log +# The name of the sensor, used to identify this honeypot in the logs. +# If you leave this blank, the honeypot will use the system's hostname. +sensor_name = deceive + # Settings for the SSH honeypot [ssh] # The port the SSH honeypot will listen on. You will probably want to set diff --git a/SSH/ssh_server.py b/SSH/ssh_server.py index 645bfe8..f2c3a25 100755 --- a/SSH/ssh_server.py +++ b/SSH/ssh_server.py @@ -24,8 +24,13 @@ from langchain_core.runnables.history import RunnableWithMessageHistory from langchain_core.prompts import ChatPromptTemplate, MessagesPlaceholder from langchain_core.runnables import RunnablePassthrough from asyncssh.misc import ConnectionLost +import socket class JSONFormatter(logging.Formatter): + def __init__(self, sensor_name, *args, **kwargs): + super().__init__(*args, **kwargs) + self.sensor_name = sensor_name + def format(self, record): log_record = { "timestamp": datetime.datetime.fromtimestamp(record.created, datetime.timezone.utc).isoformat(sep="T", timespec="milliseconds"), @@ -35,7 +40,9 @@ class JSONFormatter(logging.Formatter): "src_port": record.src_port, "dst_ip": record.dst_ip, "dst_port": record.dst_port, - "message": record.getMessage() + "message": record.getMessage(), + "sensor_name": self.sensor_name, + "sensor_protocol": "ssh" } if hasattr(record, 'interactive'): log_record["interactive"] = record.interactive @@ -168,6 +175,7 @@ representative examples. judgement = "MALICIOUS" logger.info("Session summary", extra={"details": llm_response.content, "judgement": judgement}) + server.summary_generated = True async def handle_client(process: asyncssh.SSHServerProcess, server: MySSHServer) -> None: @@ -277,7 +285,7 @@ class ContextFilter(logging.Filter): record.dst_port = thread_local.__dict__.get('dst_port', '-') record.task_name = task_name - + return True def llm_get_session_history(session_id: str) -> BaseChatMessageHistory: @@ -367,6 +375,9 @@ try: # Read the user accounts from the configuration file accounts = get_user_accounts() + # Get the sensor name from the config or use the system's hostname + sensor_name = config['honeypot'].get('sensor_name', socket.gethostname()) + # Set up the honeypot logger logger = logging.getLogger(__name__) logger.setLevel(logging.INFO) @@ -374,7 +385,7 @@ try: log_file_handler = logging.FileHandler(config['honeypot'].get("log_file", "ssh_log.log")) logger.addHandler(log_file_handler) - log_file_handler.setFormatter(JSONFormatter()) + log_file_handler.setFormatter(JSONFormatter(sensor_name)) f = ContextFilter() logger.addFilter(f)