Improved honeypot logging

Logs now include the protocol (SSH) and the src/dest IPs and ports on each log line.
David J. Bianco
2024-08-23 13:52:36 -04:00
parent e2854e960c
commit ed95eda824


@ -3,6 +3,7 @@
from configparser import ConfigParser from configparser import ConfigParser
import asyncio import asyncio
import asyncssh import asyncssh
import threading
import sys import sys
import json import json
from typing import Optional from typing import Optional
@ -71,7 +72,18 @@ async def handle_client(process: asyncssh.SSHServerProcess) -> None:
class MySSHServer(asyncssh.SSHServer): class MySSHServer(asyncssh.SSHServer):
def connection_made(self, conn: asyncssh.SSHServerConnection) -> None: def connection_made(self, conn: asyncssh.SSHServerConnection) -> None:
logger.info(f"SSH connection received from {conn.get_extra_info('peername')[0]}.") # Get the source and destination IPs and ports
(src_ip, src_port, _, _) = conn.get_extra_info('peername')
(dst_ip, dst_port, _, _) = conn.get_extra_info('sockname')
# Store the connection details in thread-local storage
thread_local.src_ip = src_ip
thread_local.src_port = src_port
thread_local.dst_ip = dst_ip
thread_local.dst_port = dst_port
# Log the connection details
logger.info(f"SSH connection received from {src_ip}/{src_port} to {dst_ip}/{dst_port}.")
def connection_lost(self, exc: Optional[Exception]) -> None: def connection_lost(self, exc: Optional[Exception]) -> None:
if exc: if exc:
@ -132,6 +144,11 @@ class ContextFilter(logging.Filter):
else: else:
task_name = "NONE" task_name = "NONE"
record.src_ip = thread_local.__dict__.get('src_ip', '-')
record.src_port = thread_local.__dict__.get('src_port', '-')
record.dst_ip = thread_local.__dict__.get('dst_ip', '-')
record.dst_port = thread_local.__dict__.get('dst_port', '-')
record.task_name = task_name record.task_name = task_name
return True return True
@ -196,7 +213,7 @@ logger.setLevel(logging.INFO)
log_file_handler = logging.FileHandler(config['honeypot'].get("log_file", "ssh_log.log")) log_file_handler = logging.FileHandler(config['honeypot'].get("log_file", "ssh_log.log"))
logger.addHandler(log_file_handler) logger.addHandler(log_file_handler)
log_file_handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s:%(task_name)s %(message)s", datefmt="%Y-%m-%d %H:%M:%S. %Z")) log_file_handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s:%(task_name)s SSH [%(src_ip)s:%(src_port)s -> %(dst_ip)s:%(dst_port)s] %(message)s", datefmt="%Y-%m-%d %H:%M:%S. %Z"))
f = ContextFilter() f = ContextFilter()
logger.addFilter(f) logger.addFilter(f)
@ -241,6 +258,8 @@ with_message_history = RunnableWithMessageHistory(
llm_get_session_history, llm_get_session_history,
input_messages_key="messages" input_messages_key="messages"
) )
# Thread-local storage for connection details
thread_local = threading.local()
# Kick off the server! # Kick off the server!
loop = asyncio.new_event_loop() loop = asyncio.new_event_loop()
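Review bot: The connection details written to `thread_local` in `connection_made` are not isolated per connection: the server runs on a single asyncio event loop, so every concurrent SSH session shares one thread and therefore one `threading.local()` instance, and the `thread_local.__dict__.get('src_ip', '-')` lookups added to `ContextFilter.filter` will stamp every log line with whichever connection most recently passed through `connection_made`. If the loop is single-threaded as it appears to be, a honeypot with two attackers connected will attribute one attacker's commands to the other's source address, which defeats the purpose of adding the addresses to the log. The connection object is the natural per-session home for these values: `conn.set_extra_info(src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port)` in `connection_made`, read back with `process.get_extra_info('src_ip')` wherever a process or connection is in hand and handed to the logger via `extra=`; a `contextvars.ContextVar` would also work provided the session task inherits the context in which it is set, which I have not verified for asyncssh. Separately, `(src_ip, src_port, _, _) = conn.get_extra_info('peername')` assumes an IPv6-style 4-tuple; unless the listener is bound to an IPv6/dual-stack socket, `peername` and `sockname` are `(host, port)` pairs on IPv4 and the unpack raises `ValueError` before anything is logged, so `src_ip, src_port = peer[0], peer[1]` (and likewise for `sockname`) is the safer form.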