Add support for setting the IP reported in CHN-Server Sensor list and…

… in hpfeeds data

Signed-off-by: Jesse Bowling <[email protected]>

dionaea.env

@@ -1,8 +1,8 @@
 DEBUG=false
 
-# IP Address of the honeypot
-# Leaving this blank will default to the docker container IP
-IP_ADDRESS=
+# IP address reported to the CHN sensor list and used in the dst_ip for hpfeeds logs
+# Leaving this blank will cause the honeypot to default to the Docker IP
+REPORTED_IP=
 
 CHN_SERVER=http://localhost
 DEPLOY_KEY=

dionaea.run

@@ -26,6 +26,7 @@ setup_dionaea_conf () {
     local secret=${2:-}
     local debug=${3:-false}
     local personality=${PERSONALITY:-default}
+    local ip=${REPORTED_IP:-}
 
     pushd /opt/dionaea/etc/dionaea
 
@@ -50,6 +51,7 @@ setup_dionaea_conf () {
       sed -i "s/secret:.*/secret: \"${secret}\"/g" /opt/dionaea/etc/dionaea/ihandlers-available/hpfeeds.yaml
       sed -i "s/port:.*/port: ${FEEDS_SERVER_PORT}/g" /opt/dionaea/etc/dionaea/ihandlers-available/hpfeeds.yaml
       sed -i "s|tags:.*|tags: \[\"${TAGS}\"\]|g" /opt/dionaea/etc/dionaea/ihandlers-available/hpfeeds.yaml
+      sed -i "s/reported_ip:.*/reported_ip: \"${ip}\"/g" /opt/dionaea/etc/dionaea/ihandlers-available/hpfeeds.yaml
     fi
 
     for i in {1..1024}
@@ -78,7 +80,7 @@ main() {
   local feeds_server=${FEEDS_SERVER:-localhost}
   local feeds_server_port=${FEEDS_SERVER_PORT:-10000}
   local json=${DIONAEA_JSON:-dionaea.json}
-  local ip=${IP_ADDRESS:-}
+  local ip=${REPORTED_IP:-}
 
   local debug=${DEBUG:-false}
 

outputs/hpfeeds.py

@@ -27,7 +27,7 @@
 
 from dionaea import IHandlerLoader
 from dionaea.core import ihandler, incident, g_dionaea, connection
-from dionaea.util import sha512file, sha256file
+from dionaea.util import sha512file
 
 import logging
 import json
@@ -96,6 +96,7 @@ def __init__(self, path, config=None):
         self.dynip_resolve = config.get('dynip_resolve', '')
         self.dynip_timer = None
         self.ownip = None
+
         if isinstance(self.dynip_resolve, str) and self.dynip_resolve.startswith("http"):
             if pyev is None:
                 logger.debug('You are missing the python pyev binding in your dionaea installation.')
@@ -104,6 +105,12 @@ def __init__(self, path, config=None):
                 self.loop = pyev.default_loop()
                 self.dynip_timer = pyev.Timer(2., 300, self.loop, self._dynip_resolve)
                 self.dynip_timer.start()
+        reported_ip = config.get("reported_ip")
+        if (reported_ip != None) and (reported_ip != "UNSET_REPORTED_IP"):
+            self.reported_ip = reported_ip
+            logger.debug('Set self.ownip based on reported_ip to {}'.format(self.ownip))
+        else:
+            self.reported_ip = None
 
     def stop(self):
         if self.dynip_timer:
@@ -117,7 +124,10 @@ def _ownip(self, icd):
                 return self.ownip
             else:
                 raise Exception('Own IP not yet resolved!')
-        return icd.con.local.host
+        elif self.reported_ip:
+            return self.reported_ip
+        else:
+            return icd.con.local.host
 
     def __del__(self):
         # self.client.close()
@@ -256,7 +266,7 @@ def handle_incident_dionaea_download_complete_again(self, icd):
         try:
             tstamp = timestr()
             sha512 = sha512file(icd.file)
-            sha256 = sha256file(icd.file)
+            #sha256 = sha256file(icd.file)
             meta = {"tags": self.tags,
                     "event_type": "Download with file hash",
                     "time": tstamp,
@@ -266,7 +276,7 @@ def handle_incident_dionaea_download_complete_again(self, icd):
                     "dport": str(icd.con.local.port),
                     "md5": icd.md5hash,
                     "sha512": sha512,
-                    "sha256": sha256,
+                    #"sha256": sha256,
                     "url": icd.url}
             self.client.publish(
                 CAPTURECHAN,

outputs/hpfeeds.yaml

@@ -5,3 +5,4 @@
     ident: ""
     secret: ""
     tags: []
+    reported_ip: "UNSET_REPORTED_IP"