Improving the integration of Dionaea with OSSIM

(Taken from rooting.es)

This is the first of a series of articles in which we will integrate new event sources into the free version of OSSIM, or improve the integration of existing ones.

In this post we extend the integration of Dionaea (a low-interaction honeypot) by increasing the number of event types beyond what the OSSIM plugin provides by default.

At first sight this plugin gives us very little information, since it only generates two event types:

  • Dionaea: Incoming Connection
  • Dionaea: Malware Detected

To change this behaviour and obtain more information, and to be able to build more advanced correlation rules, we will define new event types for this plugin and modify its configuration file. The resulting events will be:

  • Dionaea: Incoming Connection xmppclient
  • Dionaea: Incoming Connection smbd
  • Dionaea: Incoming Connection remoteshell
  • Dionaea: Incoming Connection pcap
  • Dionaea: Incoming Connection mysqld
  • Dionaea: Incoming Connection mssqld
  • Dionaea: Incoming Connection mirrord
  • Dionaea: Incoming Connection mirrorc
  • Dionaea: Incoming Connection httpd
  • Dionaea: Incoming Connection ftpdatalisten
  • Dionaea: Incoming Connection ftpdata
  • Dionaea: Incoming Connection ftpd
  • Dionaea: Incoming Connection ftpctrl
  • Dionaea: Incoming Connection epmapper
  • Dionaea: Incoming Connection emulation
  • Dionaea: Incoming Connection TftpClient
  • Dionaea: Incoming Connection SipSession
  • Dionaea: Incoming Connection SipCall
  • Dionaea: Incoming Connection RtpUdpStream
  • Dionaea: Malware Detected

The first step is to install the OSSIM agent on the Dionaea machine. To do this we add the following repositories to /etc/apt/sources.list:

We install the agent:

apt-get update && apt-get install ossim-agent

We configure the agent so that it connects to the OSSIM server, and disable every plugin we do not need:

vim /etc/ossim/agent/config.cfg

And we restart the agent:

/etc/init.d/ossim-agent restart

To check that the agent is running and has connected to the server, we run:

tail -f /var/log/ossim/agent.log

Once we have confirmed that the agent works correctly, it is time to start with the modifications.

First of all we create the script that generates the log our plugin will parse:

vim /usr/share/ossim/scripts/dionaealog.py

And add the following:

#!/usr/bin/env python
# Polls Dionaea's SQLite log for new connections and downloads and appends one
# pipe-separated line per row to the log file that the OSSIM plugin parses.
import sqlite3
import time
import os
import sys

dbfile = "/opt/dionaea/var/dionaea/logsql.sqlite"
logfile = "/var/log/ossim/dionaea.log"
pidfile = "/var/run/dionaealog.pid"

sleep = 20  # seconds between polls of the database

cid = 0  # highest connection id already written to the log
did = 0  # highest download id already written to the log

def checkIfRunning():
    # Refuse to start a second copy; the init script removes the pid file on stop.
    if os.path.exists(pidfile):
        print("Exists")
        sys.exit()
    pid = os.getpid()
    print("Pull script pid : %s" % pid)
    f = open(pidfile, "w")
    f.write(str(pid))
    f.close()
    print("dionaealog.py process did not exist before this one")

def getLastConnId():
    # Start from the newest row so that history is not replayed on every restart.
    conn = sqlite3.connect(dbfile)
    c = conn.cursor()
    c.execute("select connection from connections order by connection desc limit 1")
    last = 0
    for v in c:
        last = v[0]
    c.close()
    conn.close()
    return last

def getLastDownId():
    conn = sqlite3.connect(dbfile)
    c = conn.cursor()
    c.execute("select download from downloads order by download desc limit 1")
    last = 0
    for v in c:
        last = v[0]
    c.close()
    conn.close()
    return last

def main():
    global cid
    global did
    while True:
        f = open(logfile, "a+")
        # Connections. Rows are read in ascending order so that cid ends up as the
        # highest id seen; reading them descending would re-emit rows on the next poll.
        # Line layout:
        # connection|id|type|transport|protocol|timestamp|remote_host|remote_port|local_host|local_port
        conn = sqlite3.connect(dbfile)
        c = conn.cursor()
        sql = ("select connection,connection_type,connection_transport,connection_protocol,"
               "connection_timestamp,local_host,local_port,remote_host,remote_port "
               "from connections where connection > %d order by connection asc" % cid)
        c.execute(sql)
        for v in c:
            data = "connection|%s|%s|%s|%s|%s|%s|%s|%s|%s\n" % (v[0], v[1], v[2], v[3], v[4], v[7], v[8], v[5], v[6])
            sys.stdout.write(data)
            f.write(data)
            try:
                cid = int(v[0])
            except (TypeError, ValueError):
                pass
        c.close()
        conn.close()
        # Downloads, joined with the connection they arrived on. Line layout:
        # download|id|url|md5|remote_host|remote_port|local_host|local_port|timestamp|type|transport|protocol
        conn = sqlite3.connect(dbfile)
        c = conn.cursor()
        sql = ("select d.download,d.download_url,d.download_md5_hash,c.local_host,c.local_port,"
               "c.remote_host,c.remote_port,c.connection_timestamp,c.connection_type,"
               "c.connection_transport,c.connection_protocol from downloads as d, connections as c "
               "where d.download > %d and d.connection = c.connection order by d.download asc" % did)
        c.execute(sql)
        for v in c:
            data = "download|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s\n" % (v[0], v[1], v[2], v[5], v[6], v[3], v[4], v[7], v[8], v[9], v[10])
            sys.stdout.write(data)
            f.write(data)
            try:
                did = int(v[0])
            except (TypeError, ValueError):
                pass
        c.close()
        conn.close()
        f.close()
        time.sleep(sleep)

checkIfRunning()
cid = getLastConnId()
did = getLastDownId()
main()

We create the init script:

vim /etc/init.d/dionaealog

Paste the following lines and save:

#!/bin/bash
### BEGIN INIT INFO
# Provides:          dionaealog
# Required-Start:    $syslog
# Required-Stop:     $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start dionaealog at boot time
# Description:       Dionaea intention is to trap malware exploiting vulnerabilities exposed by services offered to a network, the ultimate goal is gaining a copy of the malware.
### END INIT INFO

PIDFILE=/var/run/dionaealog.pid
DAEMON=dionaealog.py
DESC="Dionaealog"
ROOTDIR=/usr/share/ossim/scripts/
test -d "$ROOTDIR" || exit 0

case "$1" in
start)
    echo -n "Starting $DESC: "
    if [ -e "$PIDFILE" ]; then
        echo "already running, please stop first"
        exit 1
    fi
    cd "$ROOTDIR" || exit 1
    # Detach the poller; its stdout and stderr go to separate files under /var/log/ossim.
    nohup python "$DAEMON" > /var/log/ossim/dionaea.out 2> /var/log/ossim/dionaea.err < /dev/null &
    sleep 1
    # The script writes its pid file on startup; if it is missing, the start failed.
    if [ -e "$PIDFILE" ]; then
        echo "OK"
    else
        echo "FAILED"
    fi
    ;;
stop)
    echo -n "Stopping $DESC: "
    if [ -e "$PIDFILE" ]; then
        neppid=$(cat "$PIDFILE")
        kill "$neppid"
        rm -f "$PIDFILE"
        echo "OK"
    else
        echo "failed: no pid found"
    fi
    ;;
restart)
    "$0" stop
    sleep 1
    "$0" start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac
exit 0

We set the correct permissions (the init script must be executable) and check that it works:

chmod 755 /etc/init.d/dionaealog
/etc/init.d/dionaealog start
/etc/init.d/dionaealog stop

We check that the log has been generated:

tail /var/log/ossim/dionaea.log

If everything has worked correctly, we enable it at boot:

update-rc.d dionaealog start 98 2 3 4 5 .

Now we insert our plugin's data into the database of our OSSIM server.

We create the file dionaea.sql with the following content:

INSERT INTO plugin (id, TYPE, name, description) VALUES (50001, 1, 'Dionaea', 'Dionaea Honeypot');
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 1, 19, 225, 'Dionaea: Incoming Connection xmppclient', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 2, 19, 225, 'Dionaea: Incoming Connection smbd', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 3, 19, 225, 'Dionaea: Incoming Connection remoteshell', 3, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 4, 19, 225, 'Dionaea: Incoming Connection pcap', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 5, 19, 225, 'Dionaea: Incoming Connection mysqld', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 6, 19, 225, 'Dionaea: Incoming Connection mssqld', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 7, 19, 225, 'Dionaea: Incoming Connection mirrord', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 8, 19, 225, 'Dionaea: Incoming Connection mirrorc', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 9, 19, 225, 'Dionaea: Incoming Connection httpd', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 10, 19, 225, 'Dionaea: Incoming Connection ftpdatalisten', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 11, 19, 225, 'Dionaea: Incoming Connection ftpdata', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 12, 19, 225, 'Dionaea: Incoming Connection ftpd', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 13, 19, 225, 'Dionaea: Incoming Connection ftpctrl', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 14, 19, 225, 'Dionaea: Incoming Connection epmapper', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 15, 19, 225, 'Dionaea: Incoming Connection emulation', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 16, 19, 225, 'Dionaea: Incoming Connection TftpClient', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 17, 19, 225, 'Dionaea: Incoming Connection SipSession', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 18, 19, 225, 'Dionaea: Incoming Connection SipCall', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 19, 19, 225, 'Dionaea: Incoming Connection RtpUdpStream', 1, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, subcategory_id, name, priority, reliability) VALUES (50001, 20, 4, 39, 'Dionaea: Malware Detected', 1, 3);

We run the SQL statements against the database:

mysql -p alienvault < dionaea.sql

We restart the server and we are done:

/etc/init.d/ossim-server restart

Now we go back to our honeypot (Dionaea) and edit our plugin's configuration file:

vim /etc/ossim/agent/plugins/dionaea.cfg

Copy and paste the following content:

;; dionaea
;; type: monitor
;; plugin_id: 50001
;;

[DEFAULT]
plugin_id=50001

;; connection_protocol value written by dionaealog.py -> plugin_sid
[translation]
xmppclient=1
smbd=2
remoteshell=3
pcap=4
mysqld=5
mssqld=6
mirrord=7
mirrorc=8
httpd=9
ftpdatalisten=10
ftpdata=11
ftpd=12
ftpctrl=13
epmapper=14
emulation=15
TftpClient=16
SipSession=17
SipCall=18
RtpUdpStream=19

[config]
enable=yes
type=detector
source=log
location=/var/log/ossim/dionaea.log
create_file=false
process=
start=no
stop=no
startup=
shutdown=

;; Line layout written by dionaealog.py:
;; connection|id|type|transport|protocol|timestamp|remote_host|remote_port|local_host|local_port
;; The pipes are escaped because an unescaped | is regex alternation.
[DIONAEA - connections]
event_type=event
regexp="connection\|(?P<id>\d+)\|(?P<type>\w+)\|(?P<service>\w+)\|(?P<proto>\w+)\|(?P<date>\d+)\.\d+\|(?P<sip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\|(?P<sport>\d+)\|(?P<dip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\|(?P<dport>\d+)"
date={normalize_date($date)}
plugin_sid={translate($proto)}
src_ip={$sip}
src_port={$sport}
dst_ip={$dip}
dst_port={$dport}
protocol={$proto}
userdata1={$id}
userdata2={$service}
userdata3={$type}

;; Line layout written by dionaealog.py:
;; download|id|url|md5|remote_host|remote_port|local_host|local_port|timestamp|type|transport|protocol
[DIONAEA - downloads]
event_type=event
regexp="download\|(?P<id>\d+)\|(?P<url>.*)\|(?P<hash>\w+)\|(?P<sip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\|(?P<sport>\d+)\|(?P<dip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\|(?P<dport>\d+)\|(?P<date>\d+)\.\d+\|(?P<type>\w+)\|(?P<service>\w+)\|(?P<proto>\w+)"
date={normalize_date($date)}
plugin_sid=20
src_ip={$sip}
src_port={$sport}
dst_ip={$dip}
dst_port={$dport}
protocol={$proto}
userdata1={$id}
userdata2={$service}
userdata3={$url}
userdata4={$hash}
userdata5={$type}
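As an added worked example (not code from the original post), the following Python script applies the two plugin rules above to constructed sample lines in the dionaealog.py format and performs the same protocol-to-plugin_sid lookup that the agent does with the [translation] table, so the rules can be checked offline before the agent is restarted. The sample lines and the handling of a protocol missing from the table are assumptions of this example.

```python
import re

# [translation] table from the plugin config: connection_protocol -> plugin_sid.
TRANSLATION = {
    "xmppclient": 1, "smbd": 2, "remoteshell": 3, "pcap": 4, "mysqld": 5,
    "mssqld": 6, "mirrord": 7, "mirrorc": 8, "httpd": 9, "ftpdatalisten": 10,
    "ftpdata": 11, "ftpd": 12, "ftpctrl": 13, "epmapper": 14, "emulation": 15,
    "TftpClient": 16, "SipSession": 17, "SipCall": 18, "RtpUdpStream": 19,
}
MALWARE_SID = 20  # fixed plugin_sid of the [DIONAEA - downloads] rule

IP = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
CONNECTION_RE = re.compile(
    r"connection\|(?P<id>\d+)\|(?P<type>\w+)\|(?P<service>\w+)\|(?P<proto>\w+)"
    r"\|(?P<date>\d+)\.\d+\|(?P<sip>" + IP + r")\|(?P<sport>\d+)"
    r"\|(?P<dip>" + IP + r")\|(?P<dport>\d+)$")
DOWNLOAD_RE = re.compile(
    r"download\|(?P<id>\d+)\|(?P<url>.*)\|(?P<hash>\w+)\|(?P<sip>" + IP + r")"
    r"\|(?P<sport>\d+)\|(?P<dip>" + IP + r")\|(?P<dport>\d+)\|(?P<date>\d+)\.\d+"
    r"\|(?P<type>\w+)\|(?P<service>\w+)\|(?P<proto>\w+)$")

def parse_line(line):
    """Build the normalized event for one log line, or None when no rule applies."""
    line = line.rstrip("\n")
    m = CONNECTION_RE.match(line)
    if m:
        # plugin_sid={translate($proto)}: a protocol missing from [translation]
        # has no numeric sid, so this example drops the event (assumption).
        plugin_sid = TRANSLATION.get(m.group("proto"))
        if plugin_sid is None:
            return None
    else:
        m = DOWNLOAD_RE.match(line)
        if not m:
            return None
        plugin_sid = MALWARE_SID
    event = {"plugin_id": 50001, "plugin_sid": plugin_sid}
    event.update(m.groupdict())  # sip/sport = remote side, dip/dport = honeypot
    return event

def parse_log(lines):
    return [e for e in (parse_line(l) for l in lines) if e is not None]

# Constructed sample lines in the dionaealog.py format (not real honeypot output).
SAMPLE_LOG = [
    "connection|604201|accept|tcp|smbd|1260184703.58021|10.50.251.208|6589|10.86.20.135|445",
    "download|17|http://192.0.2.10/x.exe|d41d8cd98f00b204e9800998ecf8427e|10.50.251.208|6589|10.86.20.135|445|1260184703.58021|accept|tcp|smbd",
    "connection|604202|accept|tcp|notintable|1260184710.0|10.50.251.9|1111|10.86.20.135|445",
]
```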

We enable the plugin by adding the following line to the [plugins] section of /etc/ossim/agent/config.cfg:

dionaea=/etc/ossim/agent/plugins/dionaea.cfg

And we restart the OSSIM agent:

/etc/init.d/ossim-agent restart

We start our daemon:

/etc/init.d/dionaealog start

And we check that everything is working:

tail -f /var/log/ossim/agent.log
tail -f /var/log/ossim/dionaea.log

If all has gone well, we will see the agent sending the events to the server.

Regards
Rubén Espadas Vargas
@rubenespadas

Sources:
OSSIM Wiki
Dionaea – Catches bugs
SURFcert – Installing Dionaea