add honeydb-agent support

Signed-off-by: Jesse Bowling <[email protected]>
CommunityHoneyNetwork · Nov 22, 2020 · 51df55f · 51df55f
1 parent fdf1c3b
commit 51df55f
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 2 deletions.
diff --git a/hpfeeds-bhr/processors.py b/hpfeeds-bhr/processors.py
@@ -764,6 +764,50 @@ def ssh_auth_logger_events(identifier, payload):
 
     return base_message
 
+def honeydb_agent_events(identifier, payload):
+    try:
+        dec = ezdict(json.loads(str(payload)))
+    except:
+        logger.warning('exception processing honeydb-agent event')
+        traceback.print_exc()
+        return
+
+    if dec.event == 'TX':
+        # Ignore server responses to attackers
+        logger.debug('Ignoring honeydb-agent response to attacker message')
+        return
+
+    tags = []
+    if dec['tags']:
+        tags = dec['tags']
+
+    base_message = create_message(
+        'honeydb-agent',
+        identifier,
+        tags=tags,
+        src_ip=dec.remote_host,
+        dst_ip=dec.local_host,
+        src_port=dec.remote_port,
+        dst_port=dec.local_port,
+        vendor_product='honeydb-agent',
+        app='honeydb-agent',
+        direction='inbound',
+        ids_type='network',
+        severity='high',
+        service=dec.service,
+        bytes=dec.bytes,
+        signature='Connection to Honeypot'
+    )
+
+    if dec.data:
+        try:
+            data = bytes.fromhex(dec.data).decode('utf8')
+            base_message['data'] = data
+        except Exception as e:
+            logger.warning('Failed to hex-decode data in honeydb-agent log: data: {} exceptiom: {}'.format(dec.data,e))
+
+    return base_message
+
 PROCESSORS = {
     'amun.events': [amun_events],
     'glastopf.events': [glastopf_event],
@@ -782,7 +826,8 @@ def ssh_auth_logger_events(identifier, payload):
     'rdphoney.sessions': [rdphoney_sessions],
     'uhp.events': [uhp_events],
     'elasticpot.events': [elasticpot_events],
-    'ssh-auth-logger.events': [ssh_auth_logger_events]
+    'ssh-auth-logger.events': [ssh_auth_logger_events],
+    'honeydb-agent.events': [honeydb_agent_events]
 }
 
 

diff --git a/scripts/build_config.py b/scripts/build_config.py
@@ -27,7 +27,7 @@ def main():
     HPFEEDS_OWNER = os.environ.get("HPFEEDS_OWNER", "chn")
     IDENT = os.environ.get("IDENT", "")
     SECRET = os.environ.get("SECRET", "")
-    CHANNELS = os.environ.get("CHANNELS","amun.events,conpot.events,thug.events,beeswarm.hive,dionaea.capture,dionaea.connections,thug.files,beeswarm.feeder,cuckoo.analysis,kippo.sessions,cowrie.sessions,glastopf.events,glastopf.files,mwbinary.dionaea.sensorunique,snort.alerts,wordpot.events,p0f.events,suricata.events,shockpot.events,elastichoney.events,rdphoney.sessions,uhp.events,elasticpot.events,spylex.events,big-hp.events,ssh-auth-logger.events")
+    CHANNELS = os.environ.get("CHANNELS","amun.events,conpot.events,thug.events,beeswarm.hive,dionaea.capture,dionaea.connections,thug.files,beeswarm.feeder,cuckoo.analysis,kippo.sessions,cowrie.sessions,glastopf.events,glastopf.files,mwbinary.dionaea.sensorunique,snort.alerts,wordpot.events,p0f.events,suricata.events,shockpot.events,elastichoney.events,rdphoney.sessions,uhp.events,elasticpot.events,spylex.events,big-hp.events,ssh-auth-logger.events,hpfeeds-cif")
     INCLUDE_HP_TAGS = os.environ.get("INCLUDE_HP_TAGS", "false")
     IGNORE_CIDR = os.environ.get("IGNORE_CIDR", "false")