From 1fea62fdee45d4b7427751ce1a6e449152eb9566 Mon Sep 17 00:00:00 2001 From: g0tmi1k Date: Wed, 30 Dec 2015 12:18:00 +0000 Subject: [PATCH 1/2] Add log size to MySQL database --- cowrie/core/output.py | 3 +-- cowrie/insults/insults.py | 10 ++++++++-- cowrie/output/mysql.py | 4 ++-- doc/sql/mysql.sql | 3 ++- doc/sql/update9.sql | 2 ++ 5 files changed, 15 insertions(+), 7 deletions(-) create mode 100644 doc/sql/update9.sql diff --git a/cowrie/core/output.py b/cowrie/core/output.py index 609314d..bf54ff6 100644 --- a/cowrie/core/output.py +++ b/cowrie/core/output.py @@ -37,7 +37,7 @@ import copy import socket # COW0001 : create session -# COW0002 : succesful login +# COW0002 : successful login # COW0003 : failed login # COW0004 : TTY log opened # COW0005 : handle command @@ -168,4 +168,3 @@ class Output(object): if ev['eventid'] == 'COW0011': del self.sessions[sessionno] del self.ips[sessionno] - diff --git a/cowrie/insults/insults.py b/cowrie/insults/insults.py index 8cd0870..2205a78 100644 --- a/cowrie/insults/insults.py +++ b/cowrie/insults/insults.py @@ -59,11 +59,13 @@ class LoggingServerProtocol(insults.ServerProtocol): time.strftime('%Y%m%d-%H%M%S'), transportId, channelId) self.stdinlog_open = False - insults.ServerProtocol.connectionMade(self) + self.ttylog_size = {self.ttylog_file: 0} + insults.ServerProtocol.connectionMade(self) def write(self, bytes): """ + Output sent back to user """ for i in self.interactors: i.sessionWrite(bytes) @@ -72,11 +74,14 @@ class LoggingServerProtocol(insults.ServerProtocol): ttylog.ttylog_write(self.ttylog_file, len(bytes), ttylog.TYPE_OUTPUT, time.time(), bytes) + self.ttylog_size[self.ttylog_file] += len(bytes) + insults.ServerProtocol.write(self, bytes) def dataReceived(self, data): """ + Input received from user """ self.bytesReceived += len(data) if self.bytesReceivedLimit and self.bytesReceived > self.bytesReceivedLimit: 
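Review bot: `self.ttylog_size` is a one-entry dict keyed by `self.ttylog_file`, and every reader and writer in this patch uses that same key, so a plain counter says the same thing with less indirection: `self.ttylog_size = 0` in connectionMade and `self.ttylog_size += len(bytes)` in write() (the @@ -72 hunk below and the close path in the next hunk would change the same way). The value counts only bytes passed to write() as TYPE_OUTPUT, not input from dataReceived and not the ttylog record framing, so it is not the on-disk size of the log; a comment next to the counter such as `# bytes of terminal output logged; excludes input and ttylog framing` would keep the meaning of the `size` column honest. Whether the increment sits inside the same `if self.ttylog_open:` guard as the `ttylog_write` call cannot be recovered from the collapsed indentation here; if it does not, the counter grows even when nothing is being logged. connectionMade and write both continue outside the hunk.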
@@ -154,8 +159,9 @@ class LoggingServerProtocol(insults.ServerProtocol): self.stdinlog_open = False if self.ttylog_open: + size = self.ttylog_size[self.ttylog_file] log.msg(eventid='COW0012', format='Closing TTY Log: %(ttylog)s', - ttylog=self.ttylog_file) + ttylog=self.ttylog_file, size=size) ttylog.ttylog_close(self.ttylog_file, time.time()) self.ttylog_open = False diff --git a/cowrie/output/mysql.py b/cowrie/output/mysql.py index f40509b..7e090b0 100644 --- a/cowrie/output/mysql.py +++ b/cowrie/output/mysql.py @@ -187,7 +187,7 @@ class Output(cowrie.core.output.Output): elif entry["eventid"] == 'COW0012': self.simpleQuery( - 'INSERT INTO `ttylog` (`session`, `ttylog`) VALUES (%s, %s)', - (entry["session"], entry["ttylog"])) + 'INSERT INTO `ttylog` (`session`, `ttylog`, `size`) VALUES (%s, %s, %s)', + (entry["session"], entry["ttylog"], entry["size"])) # vim: set sw=4 et: diff --git a/doc/sql/mysql.sql b/doc/sql/mysql.sql index f9c19ad..7fc64ae 100644 --- a/doc/sql/mysql.sql +++ b/doc/sql/mysql.sql @@ -46,7 +46,8 @@ CREATE TABLE `sessions` ( CREATE TABLE `ttylog` ( `id` int(11) NOT NULL auto_increment, `session` char(32) NOT NULL, - `ttylog` mediumblob NOT NULL, + `ttylog` varchar(100) NOT NULL, + `size` int(11) NOT NULL, PRIMARY KEY (`id`) ) ; diff --git a/doc/sql/update9.sql b/doc/sql/update9.sql new file mode 100644 index 0000000..d0d8160 --- /dev/null +++ b/doc/sql/update9.sql @@ -0,0 +1,2 @@ +ALTER TABLE `ttylog` CHANGE `ttylog` `ttylog` VARCHAR(100) NOT NULL; +ALTER TABLE `ttylog` ADD `size` INT(11) NOT NULL; From 8e3ab8a0a5d1ce7e6637fb10630bfc1e5fe11b49 Mon Sep 17 00:00:00 2001 From: g0tmi1k Date: Wed, 30 Dec 2015 13:00:39 +0000 Subject: [PATCH 2/2] Log SSH fingerprints --- cowrie/insults/insults.py | 6 ++++-- cowrie/output/mysql.py | 4 ++++ doc/sql/mysql.sql | 22 +++++++++++++++------- doc/sql/update10.sql | 7 +++++++ 4 files changed, 30 insertions(+), 9 deletions(-) create mode 100644 doc/sql/update10.sql 
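Review bot: `ttylog` varchar(100) now holds the path written by insults.py (`self.ttylog_file`, a log-directory prefix plus timestamp, transport and channel id), and a deployment with a long log directory can exceed 100 characters; without strict sql_mode MySQL silently truncates the value, leaving a row that no longer points at any file. A wider column, `\`ttylog\` varchar(255) NOT NULL`, or storing the path relative to the log directory avoids that. The table also has no index on `session`, unlike `input` and `downloads` in the same file, so joining TTY logs to sessions scans the table; `KEY \`session\` (\`session\`)` after the primary key would match the sibling tables.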
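Review bot: `CHANGE \`ttylog\` \`ttylog\` VARCHAR(100)` converts a mediumblob column in place, so any existing row whose value is longer than 100 bytes is truncated, or the ALTER fails under strict sql_mode; a pre-check such as `SELECT MAX(LENGTH(ttylog)) FROM ttylog;` should be documented alongside the migration. `ADD \`size\` INT(11) NOT NULL` with no DEFAULT gives every existing row 0, which is indistinguishable from a genuinely empty log; if that distinction matters the migration should say so, or operators should backfill from the files on disk. A short comment header in the file stating both caveats would help anyone applying it.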
diff --git a/cowrie/insults/insults.py b/cowrie/insults/insults.py index 2205a78..a068d43 100644 --- a/cowrie/insults/insults.py +++ b/cowrie/insults/insults.py @@ -160,8 +160,10 @@ class LoggingServerProtocol(insults.ServerProtocol): if self.ttylog_open: size = self.ttylog_size[self.ttylog_file] - log.msg(eventid='COW0012', format='Closing TTY Log: %(ttylog)s', - ttylog=self.ttylog_file, size=size) + log.msg(eventid='COW0012', + format='Closing TTY Log: %(ttylog)s', + ttylog=self.ttylog_file, + size=size) ttylog.ttylog_close(self.ttylog_file, time.time()) self.ttylog_open = False diff --git a/cowrie/output/mysql.py b/cowrie/output/mysql.py index 7e090b0..359e686 100644 --- a/cowrie/output/mysql.py +++ b/cowrie/output/mysql.py @@ -190,4 +190,8 @@ class Output(cowrie.core.output.Output): 'INSERT INTO `ttylog` (`session`, `ttylog`, `size`) VALUES (%s, %s, %s)', (entry["session"], entry["ttylog"], entry["size"])) + elif entry["eventid"] == 'COW0016': + self.simpleQuery( + 'INSERT INTO `keyfingerprints` (`session`, `username`, `fingerprint`) VALUES (%s, %s, %s)', + (entry["session"], entry["username"], entry["fingerprint"])) # vim: set sw=4 et: diff --git a/doc/sql/mysql.sql b/doc/sql/mysql.sql index 7fc64ae..94348ea 100644 --- a/doc/sql/mysql.sql +++ b/doc/sql/mysql.sql @@ -1,4 +1,4 @@ -CREATE TABLE `auth` ( +CREATE TABLE IF NOT EXISTS `auth` ( `id` int(11) NOT NULL auto_increment, `session` char(32) NOT NULL, `success` tinyint(1) NOT NULL, @@ -8,13 +8,13 @@ CREATE TABLE `auth` ( PRIMARY KEY (`id`) ) ; -CREATE TABLE `clients` ( +CREATE TABLE IF NOT EXISTS `clients` ( `id` int(4) NOT NULL auto_increment, `version` varchar(50) NOT NULL, PRIMARY KEY (`id`) ) ; -CREATE TABLE `input` ( +CREATE TABLE IF NOT EXISTS `input` ( `id` int(11) NOT NULL auto_increment, `session` char(32) NOT NULL, `timestamp` datetime NOT NULL, 
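Review bot: `entry["username"]` and `entry["fingerprint"]` are values supplied by the connecting SSH client and the matching `keyfingerprints` columns are varchar(100); the parameterised query keeps them out of SQL syntax, but an over-long username is silently truncated without strict sql_mode or makes the INSERT fail with it, so either the plugin should bound the value explicitly or the column should be sized for what the SSH layer accepts. Nothing in these two patches emits COW0016, so the event is presumably produced elsewhere; the COW000x catalogue comment at the top of cowrie/core/output.py, touched in patch 1, should carry `# COW0016 : SSH key fingerprint` if it does not already. The enclosing method begins before this hunk.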
@@ -25,13 +25,13 @@ CREATE TABLE `input` ( KEY `session` (`session`,`timestamp`,`realm`) ) ; -CREATE TABLE `sensors` ( +CREATE TABLE IF NOT EXISTS `sensors` ( `id` int(11) NOT NULL auto_increment, `ip` varchar(15) NOT NULL, PRIMARY KEY (`id`) ) ; -CREATE TABLE `sessions` ( +CREATE TABLE IF NOT EXISTS `sessions` ( `id` char(32) NOT NULL, `starttime` datetime NOT NULL, `endtime` datetime default NULL, @@ -43,7 +43,7 @@ CREATE TABLE `sessions` ( KEY `starttime` (`starttime`,`sensor`) ) ; -CREATE TABLE `ttylog` ( +CREATE TABLE IF NOT EXISTS `ttylog` ( `id` int(11) NOT NULL auto_increment, `session` char(32) NOT NULL, `ttylog` varchar(100) NOT NULL, @@ -51,7 +51,7 @@ CREATE TABLE `ttylog` ( PRIMARY KEY (`id`) ) ; -CREATE TABLE `downloads` ( +CREATE TABLE IF NOT EXISTS `downloads` ( `id` int(11) NOT NULL auto_increment, `session` CHAR( 32 ) NOT NULL, `timestamp` datetime NOT NULL, @@ -61,3 +61,11 @@ CREATE TABLE `downloads` ( PRIMARY KEY (`id`), KEY `session` (`session`,`timestamp`) ) ; + +CREATE TABLE IF NOT EXISTS `keyfingerprints` ( + `id` int(11) NOT NULL auto_increment, + `session` CHAR( 32 ) NOT NULL, + `username` varchar(100) NOT NULL, + `fingerprint` varchar(100) NOT NULL, + PRIMARY KEY (`id`) +) ; diff --git a/doc/sql/update10.sql b/doc/sql/update10.sql new file mode 100644 index 0000000..3bc4c7b --- /dev/null +++ b/doc/sql/update10.sql @@ -0,0 +1,7 @@ +CREATE TABLE `keyfingerprints` ( + `id` int(11) NOT NULL auto_increment, + `session` CHAR( 32 ) NOT NULL, + `username` varchar(100) NOT NULL, + `fingerprint` varchar(100) NOT NULL, + PRIMARY KEY (`id`), +) ;
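Review bot: the new `keyfingerprints` table has no index on `session`, unlike `input` and `downloads` in the same file, so looking up the keys offered during one session scans the table; `KEY \`session\` (\`session\`)` after the primary key would match the sibling tables. `username` is client-supplied and varchar(100) may be narrower than what the SSH layer accepts, so the width should be checked against the `auth` table's username column so both tables truncate, or not, the same way.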
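Review bot: the trailing comma on the PRIMARY KEY line of update10.sql leaves `) ;` with nothing after the comma, which MySQL rejects as a syntax error, so this migration cannot be applied as written; the copy of the same table added to mysql.sql in this patch has no comma and is the correct form. The statement also uses `CREATE TABLE` where mysql.sql now uses `CREATE TABLE IF NOT EXISTS`, so re-running the update on a database that already has the table fails instead of being a no-op. `CREATE TABLE IF NOT EXISTS \`keyfingerprints\` (` together with dropping the comma fixes both.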