From daac04a044a72c5d1cffdfac105a1fd29e2967d7 Mon Sep 17 00:00:00 2001
From: Jason Trost
Date: Wed, 26 Nov 2014 13:40:43 -0500
Subject: [PATCH 1/3] initial support for suricata events

---
 mnemosyne.cfg.dist | 2 +-
 normalizer/modules/suricata_events.py | 54 +++++++++++++++++++++++++++
 normalizer/normalizer.py | 1 +
 3 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 normalizer/modules/suricata_events.py

diff --git a/mnemosyne.cfg.dist b/mnemosyne.cfg.dist
index 4f95974..4daf61b 100644
--- a/mnemosyne.cfg.dist
+++ b/mnemosyne.cfg.dist
@@ -11,7 +11,7 @@ ident =
 secret =
 host = hpfriends.honeycloud.net
 port = 20000
-channels = amun.events,conpot.events,thug.events,beeswarm.hive,dionaea.capture,thug.files,beeswarn.feeder,cuckoo.analysis,kippo.sessions,glastopf.events,glastopf.files,mwbinary.dionaea.sensorunique,wordpot.events,shockpot.events,p0f.events
+channels = amun.events,conpot.events,thug.events,beeswarm.hive,dionaea.capture,thug.files,beeswarn.feeder,cuckoo.analysis,kippo.sessions,glastopf.events,glastopf.files,mwbinary.dionaea.sensorunique,wordpot.events,shockpot.events,p0f.events,suricata.events
 
 [file_log]
 enabled = True
diff --git a/normalizer/modules/suricata_events.py b/normalizer/modules/suricata_events.py
new file mode 100644
index 0000000..4fab923
--- /dev/null
+++ b/normalizer/modules/suricata_events.py
@@ -0,0 +1,54 @@
+# Copyright (C) 2013 Johnny Vestergaard
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+import json
+
+from normalizer.modules.basenormalizer import BaseNormalizer
+
+class Suricata(BaseNormalizer):
+    channels = ('suricata.events',)
+
+    def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
+        o_data = json.loads(data)
+
+        if ignore_rfc1918 and self.is_RFC1918_addr(o_data['source_ip']):
+            return []
+
+        session = {
+            'timestamp': submission_timestamp,
+            'source_ip': o_data['source_ip'],
+            'destination_ip': o_data['destination_ip'],
+
+            'honeypot': 'suricata',
+            'protocol': o_data['proto'],
+
+            'suricata': {
+                'header': o_data['header'],
+                'signature': o_data['signature'],
+                'classification': o_data['classification'],
+                'priority': o_data['priority'],
+            },
+            'sensor': o_data['sensor'] # UUID
+        }
+
+        # ICMP will have no ports
+        if 'destination_port' in o_data:
+            session['destination_port'] = o_data['destination_port']
+        if 'source_port' in o_data:
+            session['source_port'] = o_data['source_port']
+
+        return [{'session': session},]
diff --git a/normalizer/normalizer.py b/normalizer/normalizer.py
index 267ca03..15a0daa 100644
--- a/normalizer/normalizer.py
+++ b/normalizer/normalizer.py
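Review bot: normalize() indexes `source_ip`, `destination_ip`, `proto`, `header`, `signature`, `classification`, `priority` and `sensor` straight out of the JSON message received from the feed, so an event missing any one of them raises KeyError (and non-JSON payloads raise ValueError from `json.loads`) out of the normalizer; whether that stops the consumer depends on the caller, which is not visible here. Unless the caller already catches per message, the dict construction should be guarded, e.g. `except (KeyError, ValueError): return []` (or whatever the sibling normalizers do for malformed input); the same applies to the rewritten field list in the second patch of this series. The method also has no docstring; I would add `"""Normalize one suricata.events JSON message into a mnemosyne session; RFC1918 sources are dropped when ignore_rfc1918 is True."""`. A comment on the `channels` line that the tuple must match the channel added to mnemosyne.cfg.dist in this same commit would help the next person adding a feed.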
@@ -33,6 +33,7 @@ from modules import wordpot_events
 from modules import shockpot_events
 from modules import p0f_events
+from modules import suricata_events
 from bson import ObjectId
 import gevent

From acb4994b365b6a5d1e973fd2863ce554d28e3963 Mon Sep 17 00:00:00 2001
From: Jason Trost
Date: Wed, 26 Nov 2014 17:03:53 -0500
Subject: [PATCH 2/3] update to suricata suppot

---
 normalizer/modules/suricata_events.py | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/normalizer/modules/suricata_events.py b/normalizer/modules/suricata_events.py
index 4fab923..6ba006a 100644
--- a/normalizer/modules/suricata_events.py
+++ b/normalizer/modules/suricata_events.py
@@ -29,18 +29,16 @@ def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
             return []
 
         session = {
+            'honeypot': 'suricata',
             'timestamp': submission_timestamp,
             'source_ip': o_data['source_ip'],
             'destination_ip': o_data['destination_ip'],
-
-            'honeypot': 'suricata',
             'protocol': o_data['proto'],
-
             'suricata': {
-                'header': o_data['header'],
+                'action': o_data['action'],
                 'signature': o_data['signature'],
-                'classification': o_data['classification'],
-                'priority': o_data['priority'],
+                'signature_id': o_data['signature_id'],
+                'signature_rev': o_data['signature_rev'],
             },
             'sensor': o_data['sensor'] # UUID
         }

From 80d3a722a6ea60ec6811119b8ef57765023b943e Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 27 Nov 2014 01:36:20 +0000
Subject: [PATCH 3/3] added script to set the permissions for mnemosyne and hpfeeds geoloc

---
 scripts/ensure_permissions.js | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 scripts/ensure_permissions.js

diff --git a/scripts/ensure_permissions.js b/scripts/ensure_permissions.js
new file mode 100644
index 0000000..9eb37cf
--- /dev/null
+++ b/scripts/ensure_permissions.js
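Review bot: `signature_id` and `signature_rev` are stored as whatever type the sender put in the JSON, with no coercion, so if one sensor emits them as strings and another as integers the stored documents end up with mixed types and queries on `suricata.signature_id` become unreliable; if the feed is expected to carry integers, `int(o_data['signature_id'])` and `int(o_data['signature_rev'])` would pin that (a non-numeric value would then raise ValueError, which the surrounding code does not catch). The enclosing normalize() starts before this hunk, and the fields dropped here (`header`, `classification`, `priority`) carried the alert severity — worth confirming the new event format really no longer provides them rather than silently losing them. The inline `# UUID` on the `sensor` line states an expectation nothing enforces; `# sensor id as sent by the feed; not validated here` would be more accurate.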
@@ -0,0 +1,8 @@
+var channels = ["amun.events", "dionaea.connections", "dionaea.capture", "glastopf.events", "beeswarm.hive", "kippo.sessions", "conpot.events", "snort.alert", "wordpot.events", "shockpot.events", "p0f.events", "suricata.events"];
+
+for(c in channels) {
+    var channel = channels[c];
+    db.auth_key.update({'identifier': 'mnemosyne', subscribe:{$nin:[channel]}}, {$push: {subscribe: channel}})
+    db.auth_key.update({'identifier': 'geoloc', subscribe:{$nin:[channel]}}, {$push: {subscribe: channel}})
+}
+
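Review bot: The channel list in this script diverges from the `channels` line added to mnemosyne.cfg.dist in the first patch of this series — here `snort.alert` and `dionaea.connections` are granted but `thug.events`, `thug.files`, `beeswarn.feeder`, `cuckoo.analysis`, `glastopf.files` and `mwbinary.dionaea.sensorunique` are not — so the `mnemosyne` key is never granted subscribe rights to several channels the default config subscribes to, and the two lists will keep drifting while each is edited separately. Since this script is what grants subscribe access, a header comment naming that dependency is warranted, e.g. `// keep in sync with the [hpfriends] channels list in mnemosyne.cfg.dist`. The loop also uses `for(c in channels)` over an array with an undeclared `c`, which leaks `c` as a global in the mongo shell and iterates any enumerable properties added to Array.prototype; `for (var i = 0; i < channels.length; i++) { var channel = channels[i];` is the safer form. Neither `update()` result is checked, so a missing `auth_key` document for either identifier goes unnoticed.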