Merge pull request #344 from GovCERT-CZ/master

log destination ip and destination port - protocols that uses session_manager

conpot/core/attack_session.py

@@ -25,13 +25,15 @@
 
 # one instance per connection
 class AttackSession(object):
-    def __init__(self, protocol, source_ip, source_port, databus, log_queue):
+    def __init__(self, protocol, source_ip, source_port, destination_ip, destination_port, databus, log_queue):
         self.log_queue = log_queue
         self.id = uuid.uuid4()
         logger.info('New %s session from %s (%s)', protocol, source_ip, self.id)
         self.protocol = protocol
         self.source_ip = source_ip
         self.source_port = source_port
+        self.destination_ip = destination_ip
+        self.destination_port = destination_port
         self.timestamp = datetime.utcnow()
         self.databus = databus
         self.public_ip = None
@@ -42,6 +44,7 @@ def _dump_event(self, event_data):
         data = {
             "id": self.id,
             "remote": (self.source_ip, self.source_port),
+            "local": (self.destination_ip, self.destination_port),
             "data_type": self.protocol,
             "timestamp": self.timestamp,
             "public_ip": self.public_ip,
@@ -62,6 +65,7 @@ def dump(self):
         data = {
             "id": self.id,
             "remote": (self.source_ip, self.source_port),
+            "local": (self.destination_ip, self.destination_port),
             "data_type": self.protocol,
             "timestamp": self.timestamp,
             "public_ip": self.public_ip,

conpot/core/loggers/json_log.py

@@ -28,13 +28,19 @@ def __init__(self, filename, sensorid, public_ip):
         self.public_ip = public_ip
 
     def log(self, event):
+
+        if self.public_ip is not None:
+            dst_ip = self.public_ip
+        else:
+            dst_ip = event["local"][0]
         data = {
             'timestamp': event['timestamp'].isoformat(),
             'sensorid': self.sensorid,
             'id': event["id"],
             'src_ip': event["remote"][0],
             'src_port': event["remote"][1],
-            'dst_ip': self.public_ip,
+            'dst_ip': dst_ip,
+            'dst_port': event["local"][1],
             'data_type': event["data_type"],
             'request': event["data"].get('request'),
             'response': event["data"].get('response'),

conpot/core/session_manager.py

@@ -35,11 +35,11 @@ def _find_sessions(self, protocol, source_ip):
                     return session
         return None
 
-    def get_session(self, protocol, source_ip, source_port):
+    def get_session(self, protocol, source_ip, source_port, destination_ip=None, destination_port=None):
         # around here we would inject dependencies into the attack session
         attack_session = self._find_sessions(protocol, source_ip)
         if not attack_session:
-            attack_session = AttackSession(protocol, source_ip, source_port, self._databus, self.log_queue)
+            attack_session = AttackSession(protocol, source_ip, source_port, destination_ip, destination_port, self._databus, self.log_queue)
             self._sessions.append(attack_session)
         return attack_session
 

conpot/protocols/bacnet/bacnet_server.py

@@ -65,7 +65,7 @@ def __init__(self, template, template_directory, args):
         logger.info('Conpot Bacnet initialized using the %s template.', template)
 
     def handle(self, data, address):
-        session = conpot_core.get_session('bacnet', address[0], address[1])
+        session = conpot_core.get_session('bacnet', address[0], address[1], self.host, self.port)
         logger.info('New Bacnet connection from %s:%d. (%s)', address[0], address[1], session.id)
         session.add_event({'type': 'NEW_CONNECTION'})
         # I'm not sure if gevent DatagramServer handles issues where the
@@ -85,6 +85,8 @@ def handle(self, data, address):
         logger.info('Bacnet client disconnected %s:%d. (%s)', address[0], address[1], session.id)
 
     def start(self, host, port):
+        self.host = host
+        self.port = port
         connection = (host, port)
         self.server = DatagramServer(connection, self.handle)
         # start to init the socket

conpot/protocols/guardian_ast/guardian_ast_server.py

@@ -43,7 +43,7 @@ def __init__(self, template, template_directory, args):
         logger.info('Conpot GuardianAST initialized')
 
     def handle(self, sock, addr):
-        session = conpot_core.get_session('guardian_ast', addr[0], addr[1])
+        session = conpot_core.get_session('guardian_ast', addr[0], addr[1], self.host, self.port)
         logger.info('New GuardianAST connection from %s:%d. (%s)', addr[0], addr[1], session.id)
         session.add_event({'type': 'NEW_CONNECTION'})
         current_time = datetime.datetime.utcnow()
@@ -297,6 +297,8 @@ def I20500():
         session.add_event({'type': 'CONNECTION_LOST'})
 
     def start(self, host, port):
+        self.host = host
+        self.port = port
         connection = (host, port)
         self.server = StreamServer(connection, self.handle)
         logger.info('GuardianAST server started on: {0}'.format(connection))

conpot/protocols/kamstrup/management_protocol/kamstrup_management_server.py

@@ -35,7 +35,7 @@ def __init__(self, template, template_directory, args, timeout=0):
         self.server = None
 
     def handle(self, sock, address):
-        session = conpot_core.get_session('kamstrup_management_protocol', address[0], address[1])
+        session = conpot_core.get_session('kamstrup_management_protocol', address[0], address[1], self.host, self.port)
         logger.info('New Kamstrup connection from %s:%s. (%s)', address[0], address[1], session.id)
         session.add_event({'type': 'NEW_CONNECTION'})
 
@@ -69,6 +69,8 @@ def handle(self, sock, address):
         sock.close()
 
     def start(self, host, port):
+        self.host = host
+        self.port = port
         connection = (host, port)
         self.server = StreamServer(connection, self.handle)
         logger.info('Kamstrup management protocol server started on: %s', connection)

conpot/protocols/kamstrup/meter_protocol/kamstrup_server.py

@@ -51,7 +51,7 @@ def set_reboot_done(self):
         self.server_active = True
 
     def handle(self, sock, address):
-        session = conpot_core.get_session('kamstrup_protocol', address[0], address[1])
+        session = conpot_core.get_session('kamstrup_protocol', address[0], address[1], self.host, self.port)
         logger.info('New Kamstrup connection from %s:%s. (%s)', address[0], address[1], session.id)
         session.add_event({'type': 'NEW_CONNECTION'})
 
@@ -97,6 +97,8 @@ def handle(self, sock, address):
         sock.close()
 
     def start(self, host, port):
+        self.host = host
+        self.port = port
         connection = (host, port)
         self.server = StreamServer(connection, self.handle)
         logger.info('Kamstrup protocol server started on: %s', connection)

conpot/protocols/modbus/modbus_server.py

@@ -28,6 +28,8 @@ def __init__(self, template, template_directory, args, timeout=5):
         self.timeout = timeout
         self.delay = None
         self.mode = None
+        self.host = None
+        self.port = None
         databank = slave_db.SlaveBase(template)
 
         # Constructor: initializes the server settings
@@ -83,7 +85,7 @@ def _configure_slaves(self, template):
     def handle(self, sock, address):
         sock.settimeout(self.timeout)
 
-        session = conpot_core.get_session('modbus', address[0], address[1])
+        session = conpot_core.get_session('modbus', address[0], address[1], self.host, self.port)
 
         self.start_time = time.time()
         logger.info(
@@ -158,6 +160,8 @@ def handle(self, sock, address):
             session.add_event({'type': 'CONNECTION_LOST'})
 
     def start(self, host, port):
+        self.host = host
+        self.port = port
         connection = (host, port)
         server = StreamServer(connection, self.handle)
         logger.info('Modbus server started on: %s', connection)

conpot/protocols/s7comm/s7_server.py

@@ -60,7 +60,7 @@ def __init__(self, template, template_directory, args):
 
     def handle(self, sock, address):
         sock.settimeout(self.timeout)
-        session = conpot_core.get_session('s7comm', address[0], address[1])
+        session = conpot_core.get_session('s7comm', address[0], address[1], self.host, self.port)
 
         self.start_time = time.time()
         logger.info('New S7 connection from {0}:{1}. ({2})'.format(address[0], address[1], session.id))
@@ -188,6 +188,8 @@ def handle(self, sock, address):
             logger.info('Exception caught {0}, remote: {1}. ({2})'.format(e, address[0], session.id))
 
     def start(self, host, port):
+        self.host = host
+        self.port = port
         connection = (host, port)
         self.server = StreamServer(connection, self.handle)
         logger.info('S7Comm server started on: {0}'.format(connection))

conpot/protocols/snmp/command_responder.py

@@ -112,10 +112,10 @@ def __init__(self, host, port, mibpaths):
         snmpContext = context.SnmpContext(self.snmpEngine)
 
         # Register SNMP Applications at the SNMP engine for particular SNMP context
-        self.resp_app_get = conpot_cmdrsp.c_GetCommandResponder(self.snmpEngine, snmpContext, self.databus_mediator)
-        self.resp_app_set = conpot_cmdrsp.c_SetCommandResponder(self.snmpEngine, snmpContext, self.databus_mediator)
-        self.resp_app_next = conpot_cmdrsp.c_NextCommandResponder(self.snmpEngine, snmpContext, self.databus_mediator)
-        self.resp_app_bulk = conpot_cmdrsp.c_BulkCommandResponder(self.snmpEngine, snmpContext, self.databus_mediator)
+        self.resp_app_get = conpot_cmdrsp.c_GetCommandResponder(self.snmpEngine, snmpContext, self.databus_mediator, host, port)
+        self.resp_app_set = conpot_cmdrsp.c_SetCommandResponder(self.snmpEngine, snmpContext, self.databus_mediator, host, port)
+        self.resp_app_next = conpot_cmdrsp.c_NextCommandResponder(self.snmpEngine, snmpContext, self.databus_mediator, host, port)
+        self.resp_app_bulk = conpot_cmdrsp.c_BulkCommandResponder(self.snmpEngine, snmpContext, self.databus_mediator, host, port)
 
     def addSocketTransport(self, snmpEngine, transportDomain, transport):
         """Add transport object to socket dispatcher of snmpEngine"""

conpot/protocols/snmp/conpot_cmdrsp.py

@@ -30,8 +30,8 @@ def _getStateInfo(self, snmpEngine, stateReference):
 
         return addr, snmp_version
 
-    def log(self, version, msg_type, addr, req_varBinds, res_varBinds=None):
-        session = conpot_core.get_session('snmp', addr[0], addr[1])
+    def log(self, version, msg_type, addr, dst_host, dst_port, req_varBinds, res_varBinds=None):
+        session = conpot_core.get_session('snmp', addr[0], addr[1], dst_host, dst_port)
         req_oid = req_varBinds[0][0]
         req_val = req_varBinds[0][1]
         event_type = 'SNMPv{0} {1}'.format(version, msg_type)
@@ -90,10 +90,12 @@ def check_evasive(self, state, threshold, addr, cmd):
 
 
 class c_GetCommandResponder(cmdrsp.GetCommandResponder, conpot_extension):
-    def __init__(self, snmpEngine, snmpContext, databus_mediator):
+    def __init__(self, snmpEngine, snmpContext, databus_mediator, host, port):
         self.databus_mediator = databus_mediator
         self.tarpit = '0;0'
         self.threshold = '0;0'
+        self.host = host
+        self.port = port
 
         cmdrsp.GetCommandResponder.__init__(self, snmpEngine, snmpContext)
         conpot_extension.__init__(self)
@@ -126,7 +128,7 @@ def handleMgmtOperation(
                 rspVarBinds = rspModBinds
 
         finally:
-            self.log(snmp_version, 'Get', addr, varBinds, rspVarBinds)
+            self.log(snmp_version, 'Get', addr, self.host, self.port, varBinds, rspVarBinds)
 
         # apply tarpit delay
         if self.tarpit is not 0:
@@ -138,10 +140,12 @@ def handleMgmtOperation(
 
 
 class c_NextCommandResponder(cmdrsp.NextCommandResponder, conpot_extension):
-    def __init__(self, snmpEngine, snmpContext, databus_mediator):
+    def __init__(self, snmpEngine, snmpContext, databus_mediator, host, port):
         self.databus_mediator = databus_mediator
         self.tarpit = '0;0'
         self.threshold = '0;0'
+        self.host = host
+        self.port = port
 
         cmdrsp.NextCommandResponder.__init__(self, snmpEngine, snmpContext)
         conpot_extension.__init__(self)
@@ -187,16 +191,18 @@ def handleMgmtOperation(self, snmpEngine, stateReference, contextName, PDU, acIn
                     break
 
         finally:
-            self.log(snmp_version, 'GetNext', addr, varBinds, rspVarBinds)
+            self.log(snmp_version, 'GetNext', addr, self.host, self.port, varBinds, rspVarBinds)
 
         self.releaseStateInformation(stateReference)
 
 
 class c_BulkCommandResponder(cmdrsp.BulkCommandResponder, conpot_extension):
-    def __init__(self, snmpEngine, snmpContext, databus_mediator):
+    def __init__(self, snmpEngine, snmpContext, databus_mediator, host, port):
         self.databus_mediator = databus_mediator
         self.tarpit = '0;0'
         self.threshold = '0;0'
+        self.host = host
+        self.port = port
 
         cmdrsp.BulkCommandResponder.__init__(self, snmpEngine, snmpContext)
         conpot_extension.__init__(self)
@@ -241,7 +247,7 @@ def handleMgmtOperation(self, snmpEngine, stateReference, contextName, PDU, acIn
                 varBinds = rspVarBinds[-R:]
                 M = M - 1
         finally:
-            self.log(snmp_version, 'Bulk', addr, varBinds, rspVarBinds)
+            self.log(snmp_version, 'Bulk', addr, self.host, self.port, varBinds, rspVarBinds)
 
         # apply tarpit delay
         if self.tarpit is not 0:
@@ -255,10 +261,12 @@ def handleMgmtOperation(self, snmpEngine, stateReference, contextName, PDU, acIn
             raise pysnmp.smi.error.SmiError()
 
 class c_SetCommandResponder(cmdrsp.SetCommandResponder, conpot_extension):
-    def __init__(self, snmpEngine, snmpContext, databus_mediator):
+    def __init__(self, snmpEngine, snmpContext, databus_mediator, host, port):
         self.databus_mediator = databus_mediator
         self.tarpit = '0;0'
         self.threshold = '0;0'
+        self.host = host
+        self.port = port
 
         conpot_extension.__init__(self)
         cmdrsp.SetCommandResponder.__init__(self, snmpEngine, snmpContext)
@@ -298,4 +306,4 @@ def handleMgmtOperation(self, snmpEngine, stateReference, contextName, PDU, acIn
             e.update(sys.exc_info()[1])
             raise e
         finally:
-            self.log(snmp_version, 'Set', addr, varBinds, rspVarBinds)
+            self.log(snmp_version, 'Set', addr, self.host, self.port, varBinds, rspVarBinds)

conpot/tests/test_logger_json.py

@@ -37,6 +37,7 @@ def test_log_event(self):
         filename = path.join(self.logging_dir, 'test.json')
         sensorid = 'default'
         public_ip = '0.0.0.0'
+        dst_port = 502
         timestamp = datetime.now()
         event_id = 1337
         src_ip = '127.0.0.1'
@@ -50,6 +51,7 @@ def test_log_event(self):
             'timestamp': timestamp,
             'id': event_id,
             'remote': (src_ip, src_port),
+            'local': (public_ip, dst_port),
             'data_type': data_type,
             'data': {
                 'request': request,
@@ -65,6 +67,7 @@ def test_log_event(self):
             self.assertEqual(e['src_ip'], src_ip)
             self.assertEqual(e['src_port'], src_port)
             self.assertEqual(e['dst_ip'], public_ip)
+            self.assertEqual(e['dst_port'], dst_port)
             self.assertEqual(e['data_type'], data_type)
             self.assertEqual(e['request'], request)
             self.assertEqual(e['response'], response)