
peba's People

Contributors

rverton, trixam, vorband, ziehmon


peba's Issues

retrieveAlerts - please add locationDestination

Hi,

please add the locationDestination to the retrieveAlerts JSON (and its related backend logic).

Proposal for naming:

lat -> sourceLat
lng -> sourceLng

+new:
destLat
destLng

Regards,
Aydin

add new endpoint /alert/retrieveAlertsCountByType?time=xyz&out=json

I'd like to implement a stacked-bar chart (like this one http://code.shutterstock.com/rickshaw/examples/extensions.html)

Can you create a new endpoint (business logic based on /alert/retrieveAlertsCount)
which also adds the honeypot type?

Example json response:

{
"AlertCountTotal": 24,
"AlertCountPerType": {
"ssh": 121,
"honeydingsbums": 12344,
"iskender kebab": 3434,
"kommeinergehtnoch": 543
}
}

I would call it periodically (passing the time variable in the url as known) and
display the data in a chart in near-realtime.

Error under Debian 9

root@ews02:/opt/PEBA# tail -f error.log
raise value
File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1612, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1598, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/opt/PEBA/webservice.py", line 224, in retrieveIPs
username, password = (getCreds(request.data.decode('utf-8')))
File "/opt/PEBA/webservice.py", line 36, in getCreds
username = root.find("./Authentication/username").text.decode('utf-8')
AttributeError: 'str' object has no attribute 'decode'

Temporary fix: remove the .decode('utf-8')
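
The traceback above comes from calling `.decode('utf-8')` on an ElementTree `.text` value, which is already a `str` under Python 3. The following is an added example, not PEBA's own code, of a credential parser that accepts both `bytes` and `str` and rejects malformed or incomplete bodies instead of raising; the `<Request>` root, the `password` element name and the sample values are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample request body (root and password element names are assumed).
SAMPLE_BODY = (
    "<Request><Authentication>"
    "<username>sensor01</username>"
    "<password>constructed-secret</password>"
    "</Authentication></Request>"
)


def _as_text(value):
    """Return str for bytes or str input; pass None through unchanged."""
    if isinstance(value, bytes):
        return value.decode("utf-8")
    return value


def get_creds(body):
    """Extract (username, password) from an XML request body.

    Returns (None, None) for malformed XML, undecodable bytes or missing
    fields, so the caller can answer with an authentication failure
    instead of an unhandled exception.
    """
    try:
        root = ET.fromstring(_as_text(body))
    except (ET.ParseError, UnicodeDecodeError, TypeError):
        return None, None

    user = root.find("./Authentication/username")
    secret = root.find("./Authentication/password")  # assumed element name
    if user is None or secret is None or not user.text or not secret.text:
        return None, None

    # .text is already str on Python 3; _as_text() keeps bytes input working too.
    return _as_text(user.text).strip(), _as_text(secret.text).strip()


if __name__ == "__main__":
    print(get_creds(SAMPLE_BODY))
    print(get_creds(b"<Request><Authentication/></Request>"))
```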

Create index on ES6

Hi,

I deployed PEBA on ES6 and put the test data, but I could not put data to PEBA.
I found that there are some differences between "setup-es-indices.py" and "setupES6Indices.sh".

Do I need to update the script to use ES6?

add new endpoint /LatLonAttacks (statistics for lat & long + count - as in schmalle's)

https://github.com/schmalle/ask-elastic-py

[
[
"2016-11", # month-day (with leading zero)
[
32.061707,
118.7778,
3925821, # lat, lng, count
21.033295,
105.850006,
758705,
23.1167,
113.25,
338788,
48.86,
2.350006,
112268,
12.983307,
77.58331,
82639
]
],
[
"2016-10",
[
51,
9,
72552,
59.894394,
30.264206,
68928,
39.928894,
116.388306,
49394,
38,
-97,
48338,
34.099503,
-118.4143,
18730,
47.6801,
-122.120605,
12501,
47,
29,
12254,
37.386,
-122.0838,
12219,
51.533295,
0.69999695,
9321,
-31.942795,
115.8439,
6155
]
]
]

Create statistics index

Hi,

I'd like to know how to create the statistics index in Elasticsearch.
When I accessed the public GET endpoint 'alert/getStats?' on my PEBA server, I got this error message:

[2019-08-27 07:24:15,157] ERROR in tpotstats: ElasticSearch error: TransportError(404, 'index_not_found_exception', 'no such index')

Thanks,

retrieveAlertsJson- some issues / improvements

  1. Please filter out those entries having an empty targetCountry-value because I can't display them on a map.

  2. The requestString value (which is a parameter in the tacho) is very often empty; this makes the live-ticker table look empty / ugly.

In the old JSON (http://sicherheitstacho.eu/alertsJSON) it had always a value:

,"analyzerType":"Konsole/Shell","requestString":"SSH Honeypot Kippo"}

In the new, it hasn't:

      "analyzerType": "Network Honeyport Dionaea v0.1.0",
      "requestString": "", 

The analyzer Type "Network Honeyport Dionaea v0.1.0" is quite long to display in the table. If possible, shorten it in the backend or put it into the requestString field.

Epic: Passive PEBA Transitioning

We decided to completely drop the python implementation of our honeypot data ingestion for our backend at DT and rewrite the code in Golang (thx @rverton). We'll follow up with a blog post when these changes go live in prod. We'll continue to use PEBA for our public API, mainly used for sicherheitstacho.eu, without ingestion capabilities though.

add new endpoint /topCountriesAttacks (country statistics, top X countries)

[
{
"id":1,
"date":"2016-12",
"attacksPerCountry":[
{
"country":"China",
"code":"CN",
"count":"80520605"
},
{
"country":"Viet Nam",
"code":"VN",
"count":"13787034"
},
{
"country":"United States",
"code":"US",
"count":"10273960"
},
{
"country":"Russia",
"code":"RU",
"count":"8590511"
},
{
"country":"Germany",
"code":"DE",
"count":"6254960"
},
{
"country":"Taiwan, Province of China",
"code":"TW",
"count":"3836209"
},
{
"country":"Egypt",
"code":"EG",
"count":"2853632"
},
{
"country":"Kazakhstan",
"code":"KZ",
"count":"2633969"
},
{
"country":"Korea, Republic of",
"code":"KR",
"count":"2103168"
},
{
"country":"France",
"code":"FR",
"count":"2059442"
},
{
"country":"Netherlands",
"code":"NL",
"count":"1855017"
},
{
"country":"Venezuela",
"code":"VE",
"count":"1649844"
},
{
"country":"Lithuania",
"code":"LT",
"count":"1622323"
},
{
"country":"Brazil",
"code":"BR",
"count":"1573446"
},
{
"country":"Ukraine",
"code":"UA",
"count":"1495057"
}
],
"attacksToTargetCountry":[
{
"country":"USA",
"code":"USA",
"targetCountries":[

        ]
     },
     {  
        "country":"ES",
        "code":"ES",
        "targetCountries":[  

        ]
     },
     {  
        "country":"PL",
        "code":"PL",
        "targetCountries":[  

        ]
     },
     {  
        "country":"HR",
        "code":"HR",
        "targetCountries":[  

        ]
     },
     {  
        "country":"RO",
        "code":"RO",
        "targetCountries":[  

        ]
     },
     {  
        "country":"GR",
        "code":"GR",
        "targetCountries":[  

        ]
     },
     {  
        "country":"ME",
        "code":"ME",
        "targetCountries":[  

        ]
     },
     {  
        "country":"US",
        "code":"US",
        "targetCountries":[  

        ]
     },
     {  
        "country":"CH",
        "code":"CH",
        "targetCountries":[  

        ]
     },
     {  
        "country":"MK",
        "code":"MK",
        "targetCountries":[  

        ]
     },
     {  
        "country":"HU",
        "code":"HU",
        "targetCountries":[  

        ]
     },
     {  
        "country":"AT",
        "code":"AT",
        "targetCountries":[  

        ]
     },
     {  
        "country":"VN",
        "code":"VN",
        "targetCountries":[  

        ]
     },
     {  
        "country":"FR",
        "code":"FR",
        "targetCountries":[  

        ]
     },
     {  
        "country":"SK",
        "code":"SK",
        "targetCountries":[  

        ]
     },
     {  
        "country":"IE",
        "code":"IE",
        "targetCountries":[  

        ]
     },
     {  
        "country":"GB",
        "code":"GB",
        "targetCountries":[  
           {  
              "country":"China",
              "code":"CN",
              "count":"10474"
           },
           {  
              "country":"United States",
              "code":"US",
              "count":"3242"
           },
           {  
              "country":"Chile",
              "code":"CL",
              "count":"2358"
           },
           {  
              "country":"Ukraine",
              "code":"UA",
              "count":"1369"
           },
           {  
              "country":"Netherlands",
              "code":"NL",
              "count":"937"
           },
           {  
              "country":"Germany",
              "code":"DE",
              "count":"785"
           },
           {  
              "country":"New Zealand",
              "code":"NZ",
              "count":"782"
           },
           {  
              "country":"Korea, Republic of",
              "code":"KR",
              "count":"628"
           },
           {  
              "country":"Canada",
              "code":"CA",
              "count":"598"
           },
           {  
              "country":"Viet Nam",
              "code":"VN",
              "count":"525"
           },
           {  
              "country":"United Kingdom",
              "code":"GB",
              "count":"252"
           },
           {  
              "country":"France",
              "code":"FR",
              "count":"219"
           },
           {  
              "country":"Russian Federation",
              "code":"RU",
              "count":"150"
           },
           {  
              "country":"Turkey",
              "code":"TR",
              "count":"113"
           },
           {  
              "country":"Cayman Islands",
              "code":"KY",
              "count":"101"
           }
        ]
     }
  ]

}
]

retrieveAlertsCount - special tacho version for avoiding network calls

Hi,

the current tacho makes three calls towards the new backend for displaying
the last alerts for the last minute, last hour and last 24 hours:

https://community.sicherheitstacho.eu:9443/alert/retrieveAlertsCount?time=1&out=json
https://community.sicherheitstacho.eu:9443/alert/retrieveAlertsCount?time=60&out=json
https://community.sicherheitstacho.eu:9443/alert/retrieveAlertsCount?time=1440&out=json

Is it possible to offer a special version for the tacho to reduce the unnecessary calls to a single one?

Something like:
https://community.sicherheitstacho.eu:9443/alert/retrieveAlertStats&out=json

Example response:

{
  "AlertsLastMinute": 39,
  "AlertsLastHour": 12313213,
  "AlertsLast24Hours": 13214145128496
}

Support for parameter (i.e. ci=-1) for returning clientDomain-unspecific data

As discussed today, please additionally support returning alert-docs from ES without a clientDomain-filter.

From the client/sicherheitstacho perspective, this is only needed for the endpoints:

/alert/topCountriesAttacks
/alert/retrieveAlertStats
/alert/retrieveAlertsCountWithType

optional (can be done on the client side, as there are some steps to do anyway regarding flagging the origin for things like coloring etc.):

/alert/retrieveAlertsJson
