#!/usr/bin/perl -w
use IO::Socket;
use POSIX qw(strftime);
use Sys::Hostname;
require "/usr/local/sbin/fatbee/xml_reader_v1.pl";
require "/usr/local/sbin/fatbee/write_log_v2.pl";
require "/usr/local/sbin/fatbee/send_syslog_v1.pl";
# Unbuffered STDOUT so the per-connection banner lines appear immediately
# (same effect as $| = 1 on the selected handle).
STDOUT->autoflush(1);
# Package global on purpose: the helpers pulled in by the require lines above
# may read $main::hostname at run time, so it is not made lexical here.
$hostname = hostname();
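# Run one honeypot listener forever: accept a client, replay the scripted
# session (send the "active" steps, read and log the client's bytes on the
# passive ones), then either close the connection or keep draining it until
# the client hangs up. Never returns under normal operation (the accept loop
# has no exit path); the trailing close only runs if that loop is ever broken.
#
# Arguments (positional, in the order read_xml returns them -- read_xml itself
# is not visible here):
#   $honeypot_name          label used in the startup banner only
#   $honeypot_ip_address    local address to bind
#   $honeypot_protocol      IO::Socket Proto value, e.g. 'tcp'
#   $honeypot_port          local port to bind
#   $honeypot_active_close  1 => close right after the scripted steps;
#                           anything else => keep reading until the peer closes
#   $session_biggest_number, $session_least_number
#                           inclusive range of step numbers in %honeypot_session
#   %honeypot_session       step number => { active => 0|1, content => payload }
#
# Dies only if the listening socket cannot be created; every per-client
# failure is reported through send_syslog and the listener moves on.
# The old ($$$$$$$%) prototype was dropped: callers use the &-form anyway,
# which bypasses prototypes, and a prototype does no argument validation.
sub honeypot {
    my ($honeypot_name, $honeypot_ip_address, $honeypot_protocol, $honeypot_port,
        $honeypot_active_close, $session_biggest_number, $session_least_number,
        %honeypot_session) = @_;

    print "Honeypot \"$honeypot_name\" is listening on $honeypot_ip_address:$honeypot_protocol$honeypot_port!\n";

    my $sock = IO::Socket::INET->new(
        Listen    => 10,
        LocalHost => $honeypot_ip_address,
        Proto     => $honeypot_protocol,
        LocalPort => $honeypot_port,
    ) || die "$honeypot_ip_address:$honeypot_protocol$honeypot_port cannot be created!\n";

    # Writing to a socket whose peer already hung up raises SIGPIPE, whose
    # default disposition terminates the whole process; one client dropping
    # mid-session must not take the listener down. Scoped to this sub.
    local $SIG{PIPE} = 'IGNORE';

    # NOTE: single-threaded and fully blocking -- accept(), recv() and send()
    # carry no timeout, so a client that connects and then stays silent holds
    # the listener until it leaves; nobody else is served meanwhile.
    GET_CLIENT: while (1) {
        my $client_sock = $sock->accept();
        next GET_CLIENT unless $client_sock;
        $client_sock->autoflush(1);

        my $client_ip   = $client_sock->peerhost();
        my $client_port = $client_sock->peerport();
        # Everything the client sent so far, ' | '-separated and escaped for
        # single-line logging. Grows without bound for the life of the
        # connection and is embedded whole in the session-ending syslog line.
        my $received_data_accumulated = "";

        my $now = _timestamp();
        print "$now, \$client: $client_ip:$honeypot_protocol$client_port\n";
        # & is deliberate: the helpers from the required files may carry
        # prototypes that are not visible here, and & bypasses them.
        &send_syslog(_syslog_message('Honeypot is being connected',
            $honeypot_protocol, $client_ip, $client_port,
            $honeypot_ip_address, $honeypot_port));

        # Scripted part of the session. C-style loop kept so the step numbers
        # are compared numerically exactly as the configuration supplies them.
        for (my $step = $session_least_number; $step <= $session_biggest_number; $step++) {
            my $entry = $honeypot_session{$step};
            if (defined $entry->{'active'} && $entry->{'active'} == 1) {
                # IO::Socket::send can return undef (EPIPE/ECONNRESET) or croak
                # when it can no longer determine the peer; both mean the
                # client is gone, so the session is recorded as closed.
                my $sent = eval { $client_sock->send(_unescape_newlines($entry->{'content'})) };
                if (!defined $sent) {
                    _end_session($client_sock, $received_data_accumulated, $honeypot_protocol,
                        $client_ip, $client_port, $honeypot_ip_address, $honeypot_port);
                    next GET_CLIENT;
                }
                # Outbound direction (honeypot -> client) is logged with the
                # configured content as written, i.e. still in escaped form.
                &write_log($honeypot_ip_address, $client_ip, $honeypot_protocol,
                    $honeypot_port, $client_port, $entry->{'content'});
            }
            else {
                my $chunk = _read_chunk($client_sock);
                if (!defined $chunk) {
                    _end_session($client_sock, $received_data_accumulated, $honeypot_protocol,
                        $client_ip, $client_port, $honeypot_ip_address, $honeypot_port);
                    next GET_CLIENT;
                }
                &write_log($client_ip, $honeypot_ip_address, $honeypot_protocol,
                    $client_port, $honeypot_port, $chunk);
                $received_data_accumulated .= ' | ' . $chunk;
            }
        }

        if ($honeypot_active_close == 1) {
            _end_session($client_sock, $received_data_accumulated, $honeypot_protocol,
                $client_ip, $client_port, $honeypot_ip_address, $honeypot_port);
        }
        else {
            # Passive tail: keep logging whatever the client sends until it
            # closes the connection (or the read fails).
            while (1) {
                my $chunk = _read_chunk($client_sock);
                if (!defined $chunk) {
                    _end_session($client_sock, $received_data_accumulated, $honeypot_protocol,
                        $client_ip, $client_port, $honeypot_ip_address, $honeypot_port);
                    next GET_CLIENT;
                }
                &write_log($client_ip, $honeypot_ip_address, $honeypot_protocol,
                    $client_port, $honeypot_port, $chunk);
                $received_data_accumulated .= ' | ' . $chunk;
            }
        }
    }

    print "Over!\n";
    $sock->close();
    return;
}

# Local time in the layout the former `date +"%b %d %T %Y"` call produced
# (e.g. "Dec 30 12:51:22 2023"). strftime replaces a fork per event; note that
# month names come from the C locale rather than the environment's LC_TIME.
sub _timestamp {
    return strftime('%b %d %T %Y', localtime);
}

# Build one BSD-style syslog line. PRI 38 is facility 4 (security/auth),
# severity 6 (informational). The "honeypot[11]", "[11:11:11]", classification
# and priority fields are fixed tags in this pipeline, not measured values;
# the layout is kept byte-for-byte because downstream parsers may key on it.
sub _syslog_message {
    my ($event, $proto, $src_ip, $src_port, $dst_ip, $dst_port) = @_;
    return sprintf(
        '<38>%s %s honeypot[11]: [11:11:11] %s [Classification: Known malware command and control traffic] [Priority: 1] {%s} %s:%s -> %s:%s',
        _timestamp(), $hostname, $event, $proto, $src_ip, $src_port, $dst_ip, $dst_port,
    );
}

# Close the client socket and emit the session-ending syslog line carrying
# everything the client sent. $acc starts with ' | ' before the first chunk,
# so the line reads "Content :  | chunk1 | chunk2 | [Classification ..." --
# preserved as-is for the same parser-compatibility reason as above.
sub _end_session {
    my ($client_sock, $acc, $proto, $client_ip, $client_port, $hp_ip, $hp_port) = @_;
    $client_sock->close();
    &send_syslog(_syslog_message("The connection is closed! Content : $acc |",
        $proto, $client_ip, $client_port, $hp_ip, $hp_port));
    return;
}

# Read up to 1024 bytes from the client. Returns the bytes with CR/LF escaped
# for single-line logging, or undef when the peer closed the connection or the
# read failed (recv leaves the buffer undef or empty in both cases).
sub _read_chunk {
    my ($client_sock) = @_;
    my $data;
    $client_sock->recv($data, 1024);
    return if !defined $data || length($data) == 0;
    return _escape_newlines($data);
}

# Make client bytes safe for a one-line log record by spelling CR and LF out
# as the two-character sequences \r and \n. Nothing else is touched: other
# control bytes, non-printables and even the ' | ' separator pass straight
# through, so the client decides the exact bytes that land in the log file and
# the syslog line -- consumers must treat these fields as untrusted input.
sub _escape_newlines {
    my ($text) = @_;
    $text =~ s/\r/\\r/g;
    $text =~ s/\n/\\n/g;
    return $text;
}

# Inverse of _escape_newlines for the configured payloads: the XML stores
# line endings as the literal two-character sequences \r and \n. A step with
# no content is sent as an empty string instead of warning on undef.
sub _unescape_newlines {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/\\r/\r/g;
    $text =~ s/\\n/\n/g;
    return $text;
}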
#main()
# Entry point: the single command-line argument is the XML configuration
# file describing one honeypot; its contents are handed to honeypot() as-is.
my $config_file = shift @ARGV;
die "Usage: $0 CONFIG_FILE_PATH\n" unless defined $config_file;
die "$config_file does not exist!\n" unless -e $config_file;

# The &-form bypasses any prototype on read_xml/honeypot so that the whole
# list read_xml returns is passed through unchanged.
&honeypot(&read_xml($config_file));
# Only reached if honeypot() ever returns, which its accept loop never does.
exit(1);