Open AvEgA-ChuDoTvoreC opened 3 years ago
phibos
commented
3 years ago The log_json incident handler collects all information for a connection and reports all collected values when the dionaea.connection.free incident is reported/handled. If you just need a unique id per connection generate and append the id in the handle_incident_dionaea_connection_free() function. https://github.com/DinoTools/dionaea/blob/d0e03ae3715fccc580d253d67b3a4d3086c80ab3/modules/python/dionaea/log_json.py#L223
AvEgA-ChuDoTvoreC
commented
3 years ago Thank you for your response. Could you help me with another thing? Is it possible to catch events: "start_connection" and "disconnection" in log_json.py?
For example, I add two functions in smb.py:
def start_connection(self):
i = incident("dionaea.modules.python.start.connection")
i.con = self
i.session = self.session
i.eventid = "connection"
i.report()
def disconnection(self):
i = incident("dionaea.modules.python.disconnection")
i.con = self
i.eventid = "disconnection"
i.report()And two functions in json_log.py:
def handle_incident_dionaea_modules_python_start_connection(self, icd):
con = icd.con
data = self.attacks.get(con)
data["eventid"] = icd.eventid
data["session"] = icd.session
for handler in self.handlers:
handler.submit(data)
def handle_incident_dionaea_modules_python_disconnection(self, icd):
con = icd.con
data = self.attacks.get(con)
data["eventid"] = icd.eventid
for handler in self.handlers:
handler.submit(data)I call them in smb.py as self.start_connection(), self.disconnection(). All seems ok but the problem is that it makes a mess in JSON:
{ ..., "eventid": "connection", ... } - 1st string
{ ..., "eventid": "disconnection", ... } - 2nd string
{"src_ip": "", "src_hostname": "", "timestamp": "2020-11-14T11:39:12.922405", "dest_port": 34097, "dest_ip": "172.19.0.2", "connection": {"type": "listen", "protocol": "ftpdatalisten", "transport": "tcp"}, "src_port": 0} - 3d string
Is it possible to divide these events? I mean order: "connection" -> "attack information" -> "disconnection"? If yes, where should I call my functions (here? -> handle_disconnect() ) or use your other functions in different files? To get this order:
{ ..., "eventid": "connection", ... } - 1st string {"src_ip": "", "src_hostname": "", "timestamp": "2020-11-14T11:39:12.922405", "dest_port": 34097, ... } - 2d string { ..., "eventid": "disconnection", ... } - 3nd string
The log_json incident handler collects all information for a connection and reports all collected values when the dionaea.connection.free incident is reported/handled. If you just need a unique id per connection generate and append the id in the
handle_incident_dionaea_connection_free()function.
Hi Guys! This is my first comment in GitHub, I hope that you get what I mean and not be angry if I post it in wrong pace. Look, I want to add extra fields to the JSON output (log_json.py) -> "session", "filehash" to connect these fields with attack;
class FTPd(connection):
This helps me to catch the session, but only in ftp.py. I didn't get how
i = incident()work and how I can give arguments to it. Probably there is a better decision but I still don't find it out. I tried the same to do with smb.py but I'm stuck with this because there is no function for SMB kindahandle_incident_dionaea_modules_python_SMB_command. How can I get extra fields to JSON output? What file should I edit? Thank you!