Model extensions. Closes #405 . #407

Merged
merged 23 commits into from
Dec 17, 2024
Merged
f95f38a
making pendng migration
regulartim Dec 2, 2024
26968f7
add cowrie session model and extend IOC model
regulartim Dec 3, 2024
358eb9e
apply psf black formatting
regulartim Dec 4, 2024
30d2c94
change ioc model default for more simple handling in _add_ioc function
regulartim Dec 4, 2024
175fb85
fix error in _add_ioc: new IOC instances not able to access ManyToMan…
regulartim Dec 5, 2024
da4001c
minor model modifications
regulartim Dec 6, 2024
68f46e1
remove unnecessary exception class
regulartim Dec 6, 2024
c70355c
add method to extract more information about attackers from TPot
regulartim Dec 6, 2024
fe9fabf
rewrite data extraction process for general honeypot class to extract…
regulartim Dec 6, 2024
5e19175
rewrite data extraction process for cowrie class to extract more data…
regulartim Dec 6, 2024
d7722fa
revert already made migration
regulartim Dec 13, 2024
169d120
rename times_seen to attack_count
regulartim Dec 13, 2024
dde7484
minor model tweaks
regulartim Dec 13, 2024
093ef3a
add model migration
regulartim Dec 13, 2024
62cd031
add data migration
regulartim Dec 13, 2024
4f421bf
fill attack and interaction count correctly
regulartim Dec 13, 2024
4640845
Rename header in frontend code
regulartim Dec 16, 2024
a420b36
base first_seen and last_seen on TPot timestamps instead of extractio…
regulartim Dec 16, 2024
d4fcba3
add model tests
regulartim Dec 16, 2024
1fb1a57
change default value of login_attempts to 0
regulartim Dec 16, 2024
eb45fb4
minor improvements
regulartim Dec 16, 2024
0b67c91
increment IOCs login attempt counter on detection in cowrie session e…
regulartim Dec 16, 2024
9855f32
bump alpine from 3.18 to 3.21 in frontend build
regulartim Dec 17, 2024
add method to extract more information about attackers from TPot
regulartim committed Dec 13, 2024
commit c70355ce7b2e26e2e92a0c66b1d5ab057b6ec8bd
26 changes: 25 additions & 1 deletion greedybear/cronjobs/attacks.py
@@ -1,6 +1,7 @@
# This file is a part of GreedyBear https://github.com/honeynet/GreedyBear
# See the file 'LICENSE' for copying permission.
from abc import ABCMeta
from collections import defaultdict
from datetime import datetime
from ipaddress import IPv4Address

@@ -42,6 +43,7 @@ def _add_ioc(self, ioc, attack_type: str, general=None) -> bool:
ioc_record = ioc
ioc_record.save()
else:
ioc_record.times_seen += ioc.times_seen
ioc_record.related_urls = sorted(set(ioc_record.related_urls + ioc.related_urls))
ioc_record.destination_ports = sorted(set(ioc_record.destination_ports + ioc.destination_ports))
ioc_record.ip_reputation = ioc.ip_reputation
@@ -56,11 +58,33 @@ def _add_ioc(self, ioc, attack_type: str, general=None) -> bool:
ioc_record.days_seen.append(today)
ioc_record.number_of_days_seen += 1
ioc_record.last_seen = datetime.utcnow()
ioc_record.times_seen += 1
ioc_record.scanner = attack_type == SCANNER
ioc_record.payload_request = attack_type == PAYLOAD_REQUEST
ioc_record.save()

def _get_attacker_data(self, honeypot, fields: list) -> list:
hits_by_ip = defaultdict(list)
search = self._base_search(honeypot)
search.source(fields)
for hit in search.iterate():
if "src_ip" not in hit:
continue
hits_by_ip[hit.src_ip].append(hit.to_dict())
iocs = []
for ip, hits in hits_by_ip.items():
dest_ports = [hit.get("dest_port") for hit in hits]
ioc = IOC(
name=ip,
type=self._get_ioc_type(ip),
times_seen=len(hits),
ip_reputation=hits[0].get("ip_rep"),
asn=hits[0].get("geoip", {}).get("asn"),
destination_ports=sorted(set(port for port in dest_ports if port is not None)),
login_attempts=len(hits) if honeypot.name == "Heralding" else 0,
)
iocs.append(ioc)
return iocs

def _get_ioc_type(self, ioc):
try:
IPv4Address(ioc)
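Review bot: `search.source(fields)` in the new `_get_attacker_data` discards its return value; if `_base_search` returns an elasticsearch-dsl `Search`, `source()` returns a modified clone rather than mutating in place, so the field restriction never takes effect and `search.iterate()` pulls every stored field — the fix is `search = search.source(fields)`. The line `asn=hits[0].get("geoip", {}).get("asn")` only guards a missing key: a document that carries `geoip` as null would raise `AttributeError` on the second `.get`, so `(hits[0].get("geoip") or {}).get("asn")` is safer if the index can hold null enrichment. `ip_reputation` and `asn` are taken from `hits[0]` alone while `times_seen` and `destination_ports` aggregate all hits; a one-line comment such as `# reputation/ASN taken from the first hit in iteration order` would make that choice explicit for the next reader. `_get_ioc_type`, which closes the hunk, continues outside it.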