honeycomb 0.0.3 → 0.0.4

data/README.rdoc

@@ -1,72 +0,0 @@
-= honeycomb
-Josh Grunzweig - jgrunzweig at trustwave dot com
-
-== Introduction
-
-Tool to manage and analyze data from the Dionaea Honeypot Project
-
-The Dionaea Project is a great honeypot which originated from the Google Summer
-of Code. The project aims at obtaining malware samples by emulating Microsoft
-Windows services, however, has branched out since its create to emulate other
-services as well, such as MySQL. This project was created out of the necessity
-to monitor and manage multiple instances of the Dionaea on honeypots located 
-around the world. 
-
-You can view more information about the Dionaea at the following address:
-http://dionaea.carnivore.it/
-
-
-== Usage
-
-  # basic example... See how much disk space is located on all honeypots
-  
-  require 'honeycomb'
-
-  all_pots = Honeycomb::Honeypot::Manage.new
-
-  all_pots.check_diskspace
-
- 
-  # another example... See how many instances of a specific md5 there are
-
-  require 'honeycomb'
-
-  all_pots = Honeycomb::Database::Interact.new
-
-  all_pots.all{Honeycomb::Download.all(:download_md5_hash => "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")}
-
-== Versioning
-The current version of honeycomb at the time of writing is 0.0.1. Code will be 
-buggy. Features may be lacking. However, in time I hope to make this a pretty
-functional/useful tool. 
-
-
-== Requirements
-There is, unfortunately, a number of gem pre-requisites. Apologies for this,
-but it's the only way I could do it. 
-
-* bundler
-
-After bundler is installed, do a "bundle install" to get everything installed.
-
-
-== Copyright
-honeycomb - Tool to manage and analyze data from the Dionaea Honeypot Project
-Josh Grunzweig
-Copyright (C) 2011 Trustwave Holdings
-
-This program is free software: you can redistribute it and/or modify it 
-under the terms of the GNU General Public License as published by the 
-Free Software Foundation, either version 3 of the License, or (at your
-option) any later version.
-
-This program is distributed in the hope that it will be useful, but 
-WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-for more details.
-
-You should have received a copy of the GNU General Public License along
-with this program. If not, see <http://www.gnu.org/licenses/>.
-
-See LICENSE.txt
-

data/VERSION

@@ -1 +0,0 @@
-0.0.3

data/etc/config.yml.example

@@ -1,11 +0,0 @@
-honey_config:
-   servers:  ['honeypot1', 'honeypot2']
-   username: 'r00t'
-   key:      'path/to/key'
-   password: 'sekret' # Not used at the moment, need to implement
-   path:     'path/to/dionaea'
-   # Uncomment to following to change default directory of 
-   # download_binaries - install_path/honeycomb/data/binaries
-   # download_databases - install_path/honeycomb/data/logsql
-   #download_binaries: '/where/to/store/binaries/'
-   #download_databases: '/where/to/store/databases/'

data/lib/honeycomb/database.rb

@@ -1,20 +0,0 @@
-#    honeycomb - Tool to manage and analyze data from the Dionaea Honeypot 
-#                Project
-#    Josh Grunzweig
-#    Copyright (C) 2011 Trustwave Holdings
-#
-#    This program is free software: you can redistribute it and/or modify it 
-#    under the terms of the GNU General Public License as published by the 
-#    Free Software Foundation, either version 3 of the License, or (at your
-#    option) any later version.
-#
-#    This program is distributed in the hope that it will be useful, but 
-#    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-#    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-#    for more details.
-#
-#    You should have received a copy of the GNU General Public License along
-#    with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-require 'honeycomb/database/interact'

data/lib/honeycomb/database/interact.rb

@@ -1,71 +0,0 @@
-#    honeycomb - Tool to manage and analyze data from the Dionaea Honeypot 
-#                Project
-#    Josh Grunzweig
-#    Copyright (C) 2011 Trustwave Holdings
-#
-#    This program is free software: you can redistribute it and/or modify it 
-#    under the terms of the GNU General Public License as published by the 
-#    Free Software Foundation, either version 3 of the License, or (at your
-#    option) any later version.
-#
-#    This program is distributed in the hope that it will be useful, but 
-#    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-#    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-#    for more details.
-#
-#    You should have received a copy of the GNU General Public License along
-#    with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-
-module Honeycomb
-  module Database
-    class Interact
-
-      # Used for executing a query against all databases at once. 
-      def all(&block)
-        all_values = []
-        ::DataMapper::Repository.adapters.each do |repo|
-          next if repo[0] == :default 
-          next if repo[0] == :"0"
-          
-          begin
-            response = DataMapper.repository(repo[0]) {yield}
-            if response.kind_of?(DataMapper::Collection)
-              response.each do |x|
-                all_values << x 
-              end
-            else
-              all_values << response if response
-            end
-          rescue Exception => e
-            #p e.message
-          end
-        end
-        all_values
-      end
-
-      # Used for executing a query against a single database. 
-      def individual(repo, &block)
-        all_values = []
-        begin
-          response = DataMapper.repository(repo[0]) {yield}
-          if response.kind_of?(DataMapper::Collection)
-            response.each do |x|
-            all_values << x 
-            end
-          else
-            all_values << response if response
-          end
-        rescue Exception => e
-          #p e.message
-        end
-        all_values
-      end
-
-    end # class Manage
-  end # module Database
-end # module Honeycomb
-
-
-

data/lib/honeycomb/default_setup.rb

@@ -1,28 +0,0 @@
-#    honeycomb - Tool to manage and analyze data from the Dionaea Honeypot 
-#                Project
-#    Josh Grunzweig
-#    Copyright (C) 2011 Trustwave Holdings
-#
-#    This program is free software: you can redistribute it and/or modify it 
-#    under the terms of the GNU General Public License as published by the 
-#    Free Software Foundation, either version 3 of the License, or (at your
-#    option) any later version.
-#
-#    This program is distributed in the hope that it will be useful, but 
-#    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-#    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-#    for more details.
-#
-#    You should have received a copy of the GNU General Public License along
-#    with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-require 'honeycomb'
-
-if Honeycomb::Env::CONFIG["honey_config"]["download_databases"]
-  Honeycomb::Model.setup!(Honeycomb::Env::CONFIG["honey_config"]["download_databases"])
-else
-  Honeycomb::Model.setup!
-end
-
-

data/lib/honeycomb/environment.rb

@@ -1,64 +0,0 @@
-#    honeycomb - Tool to manage and analyze data from the Dionaea Honeypot 
-#                Project
-#    Josh Grunzweig
-#    Copyright (C) 2011 Trustwave Holdings
-#
-#    This program is free software: you can redistribute it and/or modify it 
-#    under the terms of the GNU General Public License as published by the 
-#    Free Software Foundation, either version 3 of the License, or (at your
-#    option) any later version.
-#
-#    This program is distributed in the hope that it will be useful, but 
-#    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-#    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-#    for more details.
-#
-#    You should have received a copy of the GNU General Public License along
-#    with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-require 'pathname'
-require 'yaml'
-
-module Honeycomb
-
-  module Environment
-    CONFIG = {}
-    CFGFILE = Pathname.new(__FILE__).dirname.dirname.dirname.expand_path.join('etc').join('config.yml')
-    
-    # TODO: Comment
-    def self.load_config(hash)
-      hash.each do |k,v|
-        if v.is_a?(String)
-          v = v.gsub(/\$([A-Z][A-Z0-9_]*)\$/) do |v|
-            var = $1
-            if const_defined?(var)
-              const_get(var).to_s
-            else
-              raise("Invalid variable referenced in configuration: #{v}")
-            end
-          end
-        end
-        CONFIG[k.to_s] = v
-      end
-    end
-
-    # TODO: Comment
-    def self.read_config(file=CFGFILE)
-      if h = YAML.load_file(file) 
-        if h.is_a?(Hash)
-          load_config(h)
-        else
-          raise("invalid honeycomb config file format")
-        end
-      end
-    end
-
-  end
-
-  Env = Environment
-    
-end
-
-
-

data/lib/honeycomb/honeypot.rb

@@ -1,20 +0,0 @@
-#    honeycomb - Tool to manage and analyze data from the Dionaea Honeypot 
-#                Project
-#    Josh Grunzweig
-#    Copyright (C) 2011 Trustwave Holdings
-#
-#    This program is free software: you can redistribute it and/or modify it 
-#    under the terms of the GNU General Public License as published by the 
-#    Free Software Foundation, either version 3 of the License, or (at your
-#    option) any later version.
-#
-#    This program is distributed in the hope that it will be useful, but 
-#    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-#    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-#    for more details.
-#
-#    You should have received a copy of the GNU General Public License along
-#    with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-require 'honeycomb/honeypot/manage'

data/lib/honeycomb/honeypot/manage.rb

@@ -1,204 +0,0 @@
-#    honeycomb - Tool to manage and analyze data from the Dionaea Honeypot 
-#                Project
-#    Josh Grunzweig
-#    Copyright (C) 2011 Trustwave Holdings
-#
-#    This program is free software: you can redistribute it and/or modify it 
-#    under the terms of the GNU General Public License as published by the 
-#    Free Software Foundation, either version 3 of the License, or (at your
-#    option) any later version.
-#
-#    This program is distributed in the hope that it will be useful, but 
-#    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-#    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-#    for more details.
-#
-#    You should have received a copy of the GNU General Public License along
-#    with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-require 'net/ssh'
-require 'net/scp'
-require 'open3'
-
-module Honeycomb
-  module Honeypot
-    class Manage
-
-      attr_accessor :db_path, :bin_path, :base_path, :username, :servers, :key
-
-      # This initializes a Honeycomb::Interact object and sets all the necessary
-      # variables which are used by other methods of the object.
-      #
-      # Variables and their purpose:
-      # * db_path - Path where databases are stored/saved
-      # * bin_path - Path where binaries are stored/saved
-      # * username - Username to connect to remote honeypot servers
-      # * key - Path to private key which is used for connections to honeypot 
-      # servers
-      # * servers - Array of servers to connect to
-      # * base_path - Base location where Dionaea is installed to (Default per 
-      #   installation instructions: /opt/dionaea)
-      def initialize(db_path = nil, bin_path = nil, username = nil, key = nil, 
-                     servers = nil, base_path = nil)
-        self.db_path = Honeycomb::Env::CONFIG["honey_config"]["download_databases"] ||
-          self.db_path = Pathname.new(__FILE__).dirname.dirname.dirname.dirname.expand_path.join('data').join('logsql/').to_s ||
-            db_path
-        self.bin_path = Honeycomb::Env::CONFIG["honey_config"]["download_binaries"] ||
-          self.bin_path = Pathname.new(__FILE__).dirname.dirname.dirname.dirname.expand_path.join('data').join('binaries/').to_s ||
-            bin_path
-        self.username = Honeycomb::Env::CONFIG["honey_config"]["username"] || 
-          username
-        self.key = Honeycomb::Env::CONFIG["honey_config"]["key"] || key
-        self.servers = Honeycomb::Env::CONFIG["honey_config"]["servers"] || 
-          servers
-        self.base_path = Honeycomb::Env::CONFIG["honey_config"]["path"] ||
-          base_path
-      end
-
-      # This method will attempt to download all binaries from all servers 
-      # specified in Honeycomb::Interact.servers.
-      #
-      # It will attempt to store all binaries into the folder specified in
-      # Honeycomb::Interact.bin_path.
-      #
-      # Additionally, rsync is utilized to transfer these files. It was 
-      # chosen to use rsync over scp in order to limit the amount of 
-      # bandwidth used between the client and servers.
-      #
-      # Arguments:
-      # * server - Array of servers to query
-      def download_binaries(server = self.servers)
-        server.each do |server|
-          tries = 0
-          puts "Downloading binaries from #{server} ..."
-          begin
-            Open3::popen3("rsync -v --force --ignore-errors --times -r -u -e \"ssh -i #{self.key}\" #{self.username}@#{server}:#{self.base_path}/var/dionaea/binaries/ #{self.bin_path}") { |stdin, stdout, stderr|
-              puts stdout.read.strip
-              puts stderr.read.strip
-            }
-          rescue
-            tries += 1
-            retry if tries <= 3
-            puts "Unable to connect. Moving on ..."
-            next
-          end
-        end
-      end 
-
-      # This method will attempt to download all databases from all servers 
-      # specified in Honeycomb::Interact.servers.
-      #
-      # It will attempt to store all binaries into the folder specified in
-      # Honeycomb::Interact.db_path.
-      #
-      # Additionally, scp is utilized to transfer these files. During tests,
-      # it was discovered that rsync had less than ideal results when 
-      # downloading these files. While the transfer would appear to occur 
-      # without error, the databases were often found to be corrupt.
-      #
-      # Arguments:
-      # * server - Array of servers to query
-      def download_databases(server = self.servers)
-        server.each do |server|
-          tries = 0
-          begin
-            Net::SSH.start(server, self.username, :keys => self.key) do |session|
-              puts "Downloading database from #{server} ..."
-              session.scp.download!(base_path + "/var/dionaea/logsql.sqlite", 
-                                    self.db_path + "#{server}.sqlite")
-            end
-          rescue Errno::ETIMEDOUT
-            tries += 1
-            retry if tries <= 3
-            puts "Unable to connect. Moving on ..."
-            next
-          rescue Exception => e
-            puts "Error encountered: #{e.message}"
-            next
-          end
-        end
-      end
-
-      # This method will execute a command via ssh on all servers specified in
-      # the Honeycomb::Interact.servers variable. This command calls the internal
-      # ssh_command method in order to properly function.
-      #
-      # Argument:
-      # * command - Command to execute
-      #
-      # Returns:
-      # * Nothing
-      #
-      # Multiple strings with the results are outputted to the screen.
-      def execute_command(command)
-        response = self.ssh_command(command)
-        response.each do |server_hash|
-          puts "Executing #{command} on #{server_hash[:server]}:"
-          puts "\t#{server_hash[:result].gsub!(/\n/,"\n\t")}"
-        end
-      end # end execute_command
-
-      # This method is used internally by the execute_command method.
-      # It will take a command as an argument and execute it on ever server
-      # that is stored in Honeycomb::Interact.servers. The results are 
-      # stored in a hash which is returned in an Array.
-      #
-      # Argument:
-      # * command - Command to be executed
-      #
-      # Returns:
-      # * Array of hashes -
-      #   [{:server => <server_name>, :result => <result_of_command>}]
-      def ssh_command(command)
-        results = []
-        self.servers.each do |server|
-          begin
-            Net::SSH.start(server, self.username, :keys => self.key) do |session|
-              session.exec command do |ch, stream, data|
-              if stream == :stderr
-                  results << {:server => server, :result => "ERROR: #{data}"}
-                else
-                  results << {:server => server, :result => data}
-                end
-              end
-            end
-          rescue 
-            next
-          end
-        end
-        return results
-      end
-
-
-
-      # This method will query the diskspace on all remote servers by calling
-      # the internal ssh_command method. It executes the command 'df -h /' and
-      # parses the results. The response is then parsed to return the total 
-      # percentage of diskspace being used currently on each host.
-      #
-      # Arguments:
-      # * None
-      #
-      # Returns:
-      # * [ {:server => "Server Hostname", :result => 
-      #
-      # Multiple strings with the results are outputted to the screen.
-      def check_diskspace
-        response = self.ssh_command("df -h /") 
-        all_usage = []
-        response.each do |server_hash|
-          usage = server_hash[:result]
-          if usage =~ /^(\/\w+)+.+\S+\s+\S+\s+\S+\s+(([0-9]+)%)/m
-            all_usage << {:server => server_hash[:server], :result => $2}
-          end
-        end
-        all_usage
-      end # end check_diskspace
-
-    end # class Manage
-  end # module Honeypot
-end # module Honeycom
-
-
-