Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How can I add extra fields into JSON output (ex: catch attack session)? #304

Open
AvEgA-ChuDoTvoreC opened this issue Nov 8, 2020 · 2 comments
Open

How can I add extra fields into JSON output (ex: catch attack session)? #304

AvEgA-ChuDoTvoreC opened this issue Nov 8, 2020 · 2 comments
Labels
Type: Question

Comments

@AvEgA-ChuDoTvoreC
Copy link

Hi Guys! This is my first comment in GitHub, I hope that you get what I mean and not be angry if I post it in wrong pace.
Look, I want to add extra fields to the JSON output (log_json.py) -> "session", "filehash"
to connect these fields with attack;

as an example I add some code in double brackets [[ ... ]] in ftp.py:

class FTPd(connection):

def __init__(self, proto='tcp'):
    connection.__init__(self, proto)
    logger.debug("ftp test")
    ....
   [[ self.session = uuid.uuid4().hex ]]

def processcmd(self, cmd, args):
    logger.debug("cmd '%s'" % cmd)
    l = [i.decode() for i in args]

    i = incident("dionaea.modules.python.ftp.command")
    i.con = self
    i.command = cmd
    i.arguments = l
    [[ i.session = self.session ]]
    i.report() 

and in log_json.py:

def handle_incident_dionaea_modules_python_ftp_command(self, icd):
    con = icd.con
    data = self.attacks.get(con)
    ....
    [[ data["session"] = icd.session ]]

This helps me to catch the session, but only in ftp.py. I didn't get how i = incident() work and how I can give arguments to it. Probably there is a better decision but I still don't find it out. I tried the same to do with smb.py but I'm stuck with this because there is no function for SMB kinda handle_incident_dionaea_modules_python_SMB_command . How can I get extra fields to JSON output? What file should I edit? Thank you!
@phibos
Copy link
Member

phibos commented Nov 12, 2020

The log_json incident handler collects all information for a connection and reports all collected values when the dionaea.connection.free incident is reported/handled. If you just need a unique id per connection generate and append the id in the handle_incident_dionaea_connection_free() function.

dionaea/modules/python/dionaea/log_json.py

Line 223 in d0e03ae

def handle_incident_dionaea_connection_free(self, icd):

@phibos phibos added the Status: Feedback needed Requires further conversation to figure out the next steps label Nov 12, 2020
@AvEgA-ChuDoTvoreC
Copy link
Author

Thank you for your response.
Could you help me with another thing? Is it possible to catch events: "start_connection" and "disconnection" in log_json.py?

For example, I add two functions in smb.py:

def start_connection(self):
    i = incident("dionaea.modules.python.start.connection")
    i.con = self
    i.session = self.session
    i.eventid = "connection"
    i.report()

def disconnection(self):
    i = incident("dionaea.modules.python.disconnection")
    i.con = self
    i.eventid = "disconnection"
    i.report()

And two functions in json_log.py:

def handle_incident_dionaea_modules_python_start_connection(self, icd):
    con = icd.con
    data = self.attacks.get(con)

    data["eventid"] = icd.eventid
    data["session"] = icd.session
    for handler in self.handlers:
        handler.submit(data)

def handle_incident_dionaea_modules_python_disconnection(self, icd):
    con = icd.con
    data = self.attacks.get(con)

    data["eventid"] = icd.eventid
    for handler in self.handlers:
        handler.submit(data)

I call them in smb.py as self.start_connection(), self.disconnection(). All seems ok but the problem is that it makes a mess in JSON:
{ ..., "eventid": "connection", ... } - 1st string
{ ..., "eventid": "disconnection", ... } - 2nd string
{"src_ip": "", "src_hostname": "", "timestamp": "2020-11-14T11:39:12.922405", "dest_port": 34097, "dest_ip": "172.19.0.2", "connection": {"type": "listen", "protocol": "ftpdatalisten", "transport": "tcp"}, "src_port": 0} - 3d string

Is it possible to divide these events? I mean order: "connection" -> "attack information" -> "disconnection"? If yes, where should I call my functions (here? -> handle_disconnect() ) or use your other functions in different files? To get this order:

{ ..., "eventid": "connection", ... } - 1st string
{"src_ip": "", "src_hostname": "", "timestamp": "2020-11-14T11:39:12.922405", "dest_port": 34097, ... } - 2d string
{ ..., "eventid": "disconnection", ... } - 3nd string

The log_json incident handler collects all information for a connection and reports all collected values when the dionaea.connection.free incident is reported/handled. If you just need a unique id per connection generate and append the id in the handle_incident_dionaea_connection_free() function.

dionaea/modules/python/dionaea/log_json.py

Line 223 in d0e03ae

def handle_incident_dionaea_connection_free(self, icd):

@phibos phibos removed the Status: Feedback needed Requires further conversation to figure out the next steps label Nov 16, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Type: Question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@phibos @AvEgA-ChuDoTvoreC