Merge pull request #7 from threatstream/wordpot

added wordpot support
pwnlandia · Sep 25, 2014 · 1a8825d · 1a8825d
2 parents 9108619 + 9688da1
commit 1a8825d
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 1 deletion.
diff --git a/mnemosyne.cfg.dist b/mnemosyne.cfg.dist
@@ -11,7 +11,7 @@ ident =
 secret =
 host = hpfriends.honeycloud.net
 port = 20000
-channels = amun.events,conpot.events,thug.events,beeswarm.hive,dionaea.capture,thug.files,beeswarn.feeder,cuckoo.analysis,kippo.sessions,glastopf.events,glastopf.files,mwbinary.dionaea.sensorunique
+channels = amun.events,conpot.events,thug.events,beeswarm.hive,dionaea.capture,thug.files,beeswarn.feeder,cuckoo.analysis,kippo.sessions,glastopf.events,glastopf.files,mwbinary.dionaea.sensorunique,wordpot.events
 
 [file_log]
 enabled = True

diff --git a/normalizer/modules/wordpot_events.py b/normalizer/modules/wordpot_events.py
@@ -0,0 +1,42 @@
+# Copyright (C) 2014 Jason Trost <jason.trost@threatstream.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+import json
+
+from normalizer.modules.basenormalizer import BaseNormalizer
+
+
+class WordpotEvents(BaseNormalizer):
+    channels = ('wordpot.events',)
+
+    def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
+        o_data = json.loads(data)
+
+        if ignore_rfc1918 and self.is_RFC1918_addr(o_data['source_ip']):
+            return []
+
+        session = {
+            'timestamp': submission_timestamp,
+            'source_ip': o_data['source_ip'],
+            'source_port': int(o_data['source_port']),
+            'destination_ip': o_data['dest_ip'],
+            'destination_port': int(o_data['dest_port']),
+            'honeypot': 'wordpot',
+            'protocol': 'http'
+        }
+        relations = {'session': session}
+        return [relations]
diff --git a/normalizer/normalizer.py b/normalizer/normalizer.py
@@ -30,6 +30,7 @@
 from modules import conpot_events
 from modules import snort_alerts
 from modules import amun_events
+from modules import wordpot_events
 from bson import ObjectId
 
 import gevent