honeycomb 0.0.3 → 0.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (46)
  1. checksums.yaml +7 -0
  2. data/.gitignore +22 -0
  3. data/Gemfile +3 -21
  4. data/LICENSE.txt +22 -675
  5. data/README.md +29 -0
  6. data/Rakefile +1 -51
  7. data/honeycomb.gemspec +23 -0
  8. data/lib/honeycomb.rb +4 -23
  9. data/lib/honeycomb/version.rb +3 -0
  10. metadata +54 -214
  11. data/.document +0 -5
  12. data/.rspec +0 -1
  13. data/Gemfile.lock +0 -75
  14. data/README.rdoc +0 -72
  15. data/VERSION +0 -1
  16. data/data/binaries/example_data +0 -0
  17. data/data/logsql/honeypot.sqlite +0 -0
  18. data/etc/config.yml.example +0 -11
  19. data/lib/honeycomb/database.rb +0 -20
  20. data/lib/honeycomb/database/interact.rb +0 -71
  21. data/lib/honeycomb/default_setup.rb +0 -28
  22. data/lib/honeycomb/environment.rb +0 -64
  23. data/lib/honeycomb/honeypot.rb +0 -20
  24. data/lib/honeycomb/honeypot/manage.rb +0 -204
  25. data/lib/honeycomb/interact.rb +0 -20
  26. data/lib/honeycomb/model.rb +0 -82
  27. data/lib/honeycomb/model/connections.rb +0 -77
  28. data/lib/honeycomb/model/dcerpcbinds.rb +0 -47
  29. data/lib/honeycomb/model/dcerpcrequests.rb +0 -46
  30. data/lib/honeycomb/model/dcerpcserviceops.rb +0 -48
  31. data/lib/honeycomb/model/dcerpcservices.rb +0 -44
  32. data/lib/honeycomb/model/downloads.rb +0 -47
  33. data/lib/honeycomb/model/emu_profiles.rb +0 -44
  34. data/lib/honeycomb/model/emu_services.rb +0 -44
  35. data/lib/honeycomb/model/logins.rb +0 -46
  36. data/lib/honeycomb/model/mssql_commands.rb +0 -46
  37. data/lib/honeycomb/model/mssql_fingerprints.rb +0 -48
  38. data/lib/honeycomb/model/offers.rb +0 -44
  39. data/lib/honeycomb/model/p0fs.rb +0 -58
  40. data/lib/honeycomb/model/resolves.rb +0 -48
  41. data/lib/honeycomb/model/virustotals.rb +0 -47
  42. data/lib/honeycomb/model/virustotalscans.rb +0 -46
  43. data/scripts/honeycomb_libpath.rb +0 -2
  44. data/spec/honeycomb_spec.rb +0 -7
  45. data/spec/spec_helper.rb +0 -12
  46. data/tasks/irb.rake +0 -8
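--- a/data/README.rdoc
+++ /dev/null
@@ -1,72 +0,0 @@
-= honeycomb
-Josh Grunzweig - jgrunzweig at trustwave dot com
-
-== Introduction
-
-Tool to manage and analyze data from the Dionaea Honeypot Project
-
-The Dionaea Project is a great honeypot which originated from the Google Summer
-of Code. The project aims at obtaining malware samples by emulating Microsoft
-Windows services, however, has branched out since its create to emulate other
-services as well, such as MySQL. This project was created out of the necessity
-to monitor and manage multiple instances of the Dionaea on honeypots located
-around the world.
-
-You can view more information about the Dionaea at the following address:
-http://dionaea.carnivore.it/
-
-
-== Usage
-
-# basic example... See how much disk space is located on all honeypots
-
-require 'honeycomb'
-
-all_pots = Honeycomb::Honeypot::Manage.new
-
-all_pots.check_diskspace
-
-
-# another example... See how many instances of a specific md5 there are
-
-require 'honeycomb'
-
-all_pots = Honeycomb::Database::Interact.new
-
-all_pots.all{Honeycomb::Download.all(:download_md5_hash => "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")}
-
-== Versioning
-The current version of honeycomb at the time of writing is 0.0.1. Code will be
-buggy. Features may be lacking. However, in time I hope to make this a pretty
-functional/useful tool.
-
-
-== Requirements
-There is, unfortunately, a number of gem pre-requisites. Apologies for this,
-but it's the only way I could do it.
-
-* bundler
-
-After bundler is installed, do a "bundle install" to get everything installed.
-
-
-== Copyright
-honeycomb - Tool to manage and analyze data from the Dionaea Honeypot Project
-Josh Grunzweig
-Copyright (C) 2011 Trustwave Holdings
-
-This program is free software: you can redistribute it and/or modify it
-under the terms of the GNU General Public License as published by the
-Free Software Foundation, either version 3 of the License, or (at your
-option) any later version.
-
-This program is distributed in the hope that it will be useful, but
-WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-for more details.
-
-You should have received a copy of the GNU General Public License along
-with this program. If not, see <http://www.gnu.org/licenses/>.
-
-See LICENSE.txt
-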
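--- a/data/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-0.0.3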
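--- a/data/etc/config.yml.example
+++ /dev/null
@@ -1,11 +0,0 @@
-honey_config:
-servers: ['honeypot1', 'honeypot2']
-username: 'r00t'
-key: 'path/to/key'
-password: 'sekret' # Not used at the moment, need to implement
-path: 'path/to/dionaea'
-# Uncomment to following to change default directory of
-# download_binaries - install_path/honeycomb/data/binaries
-# download_databases - install_path/honeycomb/data/logsql
-#download_binaries: '/where/to/store/binaries/'
-#download_databases: '/where/to/store/databases/'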
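--- a/data/lib/honeycomb/database.rb
+++ /dev/null
@@ -1,20 +0,0 @@
-# honeycomb - Tool to manage and analyze data from the Dionaea Honeypot
-# Project
-# Josh Grunzweig
-# Copyright (C) 2011 Trustwave Holdings
-#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation, either version 3 of the License, or (at your
-# option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-require 'honeycomb/database/interact'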
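--- a/data/lib/honeycomb/database/interact.rb
+++ /dev/null
@@ -1,71 +0,0 @@
-# honeycomb - Tool to manage and analyze data from the Dionaea Honeypot
-# Project
-# Josh Grunzweig
-# Copyright (C) 2011 Trustwave Holdings
-#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation, either version 3 of the License, or (at your
-# option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-
-module Honeycomb
-module Database
-class Interact
-
-# Used for executing a query against all databases at once.
-def all(&block)
-all_values = []
-::DataMapper::Repository.adapters.each do |repo|
-next if repo[0] == :default
-next if repo[0] == :"0"
-
-begin
-response = DataMapper.repository(repo[0]) {yield}
-if response.kind_of?(DataMapper::Collection)
-response.each do |x|
-all_values << x
-end
-else
-all_values << response if response
-end
-rescue Exception => e
-#p e.message
-end
-end
-all_values
-end
-
-# Used for executing a query against a single database.
-def individual(repo, &block)
-all_values = []
-begin
-response = DataMapper.repository(repo[0]) {yield}
-if response.kind_of?(DataMapper::Collection)
-response.each do |x|
-all_values << x
-end
-else
-all_values << response if response
-end
-rescue Exception => e
-#p e.message
-end
-all_values
-end
-
-end # class Manage
-end # module Database
-end # module Honeycomb
-
-
-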
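--- a/data/lib/honeycomb/default_setup.rb
+++ /dev/null
@@ -1,28 +0,0 @@
-# honeycomb - Tool to manage and analyze data from the Dionaea Honeypot
-# Project
-# Josh Grunzweig
-# Copyright (C) 2011 Trustwave Holdings
-#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation, either version 3 of the License, or (at your
-# option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-require 'honeycomb'
-
-if Honeycomb::Env::CONFIG["honey_config"]["download_databases"]
-Honeycomb::Model.setup!(Honeycomb::Env::CONFIG["honey_config"]["download_databases"])
-else
-Honeycomb::Model.setup!
-end
-
-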
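--- a/data/lib/honeycomb/environment.rb
+++ /dev/null
@@ -1,64 +0,0 @@
-# honeycomb - Tool to manage and analyze data from the Dionaea Honeypot
-# Project
-# Josh Grunzweig
-# Copyright (C) 2011 Trustwave Holdings
-#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation, either version 3 of the License, or (at your
-# option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-require 'pathname'
-require 'yaml'
-
-module Honeycomb
-
-module Environment
-CONFIG = {}
-CFGFILE = Pathname.new(__FILE__).dirname.dirname.dirname.expand_path.join('etc').join('config.yml')
-
-# TODO: Comment
-def self.load_config(hash)
-hash.each do |k,v|
-if v.is_a?(String)
-v = v.gsub(/\$([A-Z][A-Z0-9_]*)\$/) do |v|
-var = $1
-if const_defined?(var)
-const_get(var).to_s
-else
-raise("Invalid variable referenced in configuration: #{v}")
-end
-end
-end
-CONFIG[k.to_s] = v
-end
-end
-
-# TODO: Comment
-def self.read_config(file=CFGFILE)
-if h = YAML.load_file(file)
-if h.is_a?(Hash)
-load_config(h)
-else
-raise("invalid honeycomb config file format")
-end
-end
-end
-
-end
-
-Env = Environment
-
-end
-
-
-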
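--- a/data/lib/honeycomb/honeypot.rb
+++ /dev/null
@@ -1,20 +0,0 @@
-# honeycomb - Tool to manage and analyze data from the Dionaea Honeypot
-# Project
-# Josh Grunzweig
-# Copyright (C) 2011 Trustwave Holdings
-#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation, either version 3 of the License, or (at your
-# option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-require 'honeycomb/honeypot/manage'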
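--- a/data/lib/honeycomb/honeypot/manage.rb
+++ /dev/null
@@ -1,204 +0,0 @@
-# honeycomb - Tool to manage and analyze data from the Dionaea Honeypot
-# Project
-# Josh Grunzweig
-# Copyright (C) 2011 Trustwave Holdings
-#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation, either version 3 of the License, or (at your
-# option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-require 'net/ssh'
-require 'net/scp'
-require 'open3'
-
-module Honeycomb
-module Honeypot
-class Manage
-
-attr_accessor :db_path, :bin_path, :base_path, :username, :servers, :key
-
-# This initializes a Honeycomb::Interact object and sets all the necessary
-# variables which are used by other methods of the object.
-#
-# Variables and their purpose:
-# * db_path - Path where databases are stored/saved
-# * bin_path - Path where binaries are stored/saved
-# * username - Username to connect to remote honeypot servers
-# * key - Path to private key which is used for connections to honeypot
-# servers
-# * servers - Array of servers to connect to
-# * base_path - Base location where Dionaea is installed to (Default per
-# installation instructions: /opt/dionaea)
-def initialize(db_path = nil, bin_path = nil, username = nil, key = nil,
-servers = nil, base_path = nil)
-self.db_path = Honeycomb::Env::CONFIG["honey_config"]["download_databases"] ||
-self.db_path = Pathname.new(__FILE__).dirname.dirname.dirname.dirname.expand_path.join('data').join('logsql/').to_s ||
-db_path
-self.bin_path = Honeycomb::Env::CONFIG["honey_config"]["download_binaries"] ||
-self.bin_path = Pathname.new(__FILE__).dirname.dirname.dirname.dirname.expand_path.join('data').join('binaries/').to_s ||
-bin_path
-self.username = Honeycomb::Env::CONFIG["honey_config"]["username"] ||
-username
-self.key = Honeycomb::Env::CONFIG["honey_config"]["key"] || key
-self.servers = Honeycomb::Env::CONFIG["honey_config"]["servers"] ||
-servers
-self.base_path = Honeycomb::Env::CONFIG["honey_config"]["path"] ||
-base_path
-end
-
-# This method will attempt to download all binaries from all servers
-# specified in Honeycomb::Interact.servers.
-#
-# It will attempt to store all binaries into the folder specified in
-# Honeycomb::Interact.bin_path.
-#
-# Additionally, rsync is utilized to transfer these files. It was
-# chosen to use rsync over scp in order to limit the amount of
-# bandwidth used between the client and servers.
-#
-# Arguments:
-# * server - Array of servers to query
-def download_binaries(server = self.servers)
-server.each do |server|
-tries = 0
-puts "Downloading binaries from #{server} ..."
-begin
-Open3::popen3("rsync -v --force --ignore-errors --times -r -u -e \"ssh -i #{self.key}\" #{self.username}@#{server}:#{self.base_path}/var/dionaea/binaries/ #{self.bin_path}") { |stdin, stdout, stderr|
-puts stdout.read.strip
-puts stderr.read.strip
-}
-rescue
-tries += 1
-retry if tries <= 3
-puts "Unable to connect. Moving on ..."
-next
-end
-end
-end
-
-# This method will attempt to download all databases from all servers
-# specified in Honeycomb::Interact.servers.
-#
-# It will attempt to store all binaries into the folder specified in
-# Honeycomb::Interact.db_path.
-#
-# Additionally, scp is utilized to transfer these files. During tests,
-# it was discovered that rsync had less than ideal results when
-# downloading these files. While the transfer would appear to occur
-# without error, the databases were often found to be corrupt.
-#
-# Arguments:
-# * server - Array of servers to query
-def download_databases(server = self.servers)
-server.each do |server|
-tries = 0
-begin
-Net::SSH.start(server, self.username, :keys => self.key) do |session|
-puts "Downloading database from #{server} ..."
-session.scp.download!(base_path + "/var/dionaea/logsql.sqlite",
-self.db_path + "#{server}.sqlite")
-end
-rescue Errno::ETIMEDOUT
-tries += 1
-retry if tries <= 3
-puts "Unable to connect. Moving on ..."
-next
-rescue Exception => e
-puts "Error encountered: #{e.message}"
-next
-end
-end
-end
-
-# This method will execute a command via ssh on all servers specified in
-# the Honeycomb::Interact.servers variable. This command calls the internal
-# ssh_command method in order to properly function.
-#
-# Argument:
-# * command - Command to execute
-#
-# Returns:
-# * Nothing
-#
-# Multiple strings with the results are outputted to the screen.
-def execute_command(command)
-response = self.ssh_command(command)
-response.each do |server_hash|
-puts "Executing #{command} on #{server_hash[:server]}:"
-puts "\t#{server_hash[:result].gsub!(/\n/,"\n\t")}"
-end
-end # end execute_command
-
-# This method is used internally by the execute_command method.
-# It will take a command as an argument and execute it on ever server
-# that is stored in Honeycomb::Interact.servers. The results are
-# stored in a hash which is returned in an Array.
-#
-# Argument:
-# * command - Command to be executed
-#
-# Returns:
-# * Array of hashes -
-# [{:server => <server_name>, :result => <result_of_command>}]
-def ssh_command(command)
-results = []
-self.servers.each do |server|
-begin
-Net::SSH.start(server, self.username, :keys => self.key) do |session|
-session.exec command do |ch, stream, data|
-if stream == :stderr
-results << {:server => server, :result => "ERROR: #{data}"}
-else
-results << {:server => server, :result => data}
-end
-end
-end
-rescue
-next
-end
-end
-return results
-end
-
-
-
-# This method will query the diskspace on all remote servers by calling
-# the internal ssh_command method. It executes the command 'df -h /' and
-# parses the results. The response is then parsed to return the total
-# percentage of diskspace being used currently on each host.
-#
-# Arguments:
-# * None
-#
-# Returns:
-# * [ {:server => "Server Hostname", :result =>
-#
-# Multiple strings with the results are outputted to the screen.
-def check_diskspace
-response = self.ssh_command("df -h /")
-all_usage = []
-response.each do |server_hash|
-usage = server_hash[:result]
-if usage =~ /^(\/\w+)+.+\S+\s+\S+\s+\S+\s+(([0-9]+)%)/m
-all_usage << {:server => server_hash[:server], :result => $2}
-end
-end
-all_usage
-end # end check_diskspace
-
-end # class Manage
-end # module Honeypot
-end # module Honeycom
-
-
-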