mempot 2.0.0__py2.py3-none-any.whl

core/config.py

@@ -0,0 +1,50 @@
+
+from configparser import ConfigParser, ExtendedInterpolation
+
+from os import environ
+
+
+def to_environ_key(key):
+    return key.upper()
+
+
+class EnvironmentConfigParser(ConfigParser):
+
+    def has_option(self, section, option):
+        if to_environ_key('_'.join((section, option))) in environ:
+            return True
+        return super(EnvironmentConfigParser, self).has_option(section, option)
+
+    def get(self, section, option, **kwargs):
+        key = to_environ_key('_'.join((section, option)))
+        if key in environ:
+            return environ[key]
+        return super(EnvironmentConfigParser, self).get(section, option, **kwargs)
+
+
+def readConfigFile(cfgfile):
+    """
+    Read config files and return ConfigParser object
+
+    @param cfgfile: filename or array of filenames
+    @return: ConfigParser object
+    """
+    parser = EnvironmentConfigParser(
+        interpolation=ExtendedInterpolation(),
+        converters={'list': lambda x: [i.strip() for i in x.split(',')]}
+    )
+    parser.read(cfgfile)
+    return parser
+
+
+def _config_files():
+    # Import here (not at module top) to avoid any circular-import risk.
+    from core.paths import workdir_path, bundled
+    return [
+        bundled('etc', 'honeypot.cfg.base'),	# bundled read-only defaults
+        workdir_path('etc', 'honeypot.cfg'),	# site-local overrides
+        workdir_path('honeypot.cfg'),		# convenience root-level override
+    ]
+
+
+CONFIG = readConfigFile(_config_files())

core/logfile.py

@@ -0,0 +1,74 @@
+
+from sys import stdout
+from datetime import datetime
+
+from pytz import timezone
+
+from twisted.python import log, util
+from twisted.python.logfile import DailyLogFile
+
+
+class HoneypotDailyLogFile(DailyLogFile):
+    """
+    Overload original Twisted with improved date formatting
+    """
+
+    def suffix(self, tupledate):
+        """
+        Return the suffix given a (year, month, day) tuple or unixtime
+        """
+        try:
+            return "{:02d}-{:02d}-{:02d}".format(tupledate[0], tupledate[1], tupledate[2])
+        except Exception:
+            # try taking a float unixtime
+            return '_'.join(map(str, self.toDate(tupledate)))
+
+
+def myFLOemit(self, eventDict):
+    """
+    Format the given log event as text and write it to the output file.
+
+    @param eventDict: a log event
+    @type eventDict: L{dict} mapping L{str} (native string) to L{object}
+    """
+
+    # Custom emit for FileLogObserver
+    text = log.textFromEventDict(eventDict)
+    if text is None:
+        return
+    timeStr = self.formatTime(eventDict['time'])
+    fmtDict = {
+        'text': text.replace('\n', '\n\t')
+    }
+    msgStr = log._safeFormat('%(text)s\n', fmtDict)
+    util.untilConcludes(self.write, timeStr + ' ' + msgStr)
+    util.untilConcludes(self.flush)
+
+
+def myFLOformatTime(self, when):
+    """
+    Log time in UTC
+
+    By default it's formatted as an ISO8601-like string (ISO8601 date and
+    ISO8601 time separated by a space). It can be customized using the
+    C{timeFormat} attribute, which will be used as input for the underlying
+    L{datetime.datetime.strftime} call.
+
+    @type when: C{int}
+    @param when: POSIX (ie, UTC) timestamp.
+
+    @rtype: C{str}
+    """
+    timeFormatString = self.timeFormat
+    if timeFormatString is None:
+        timeFormatString = '[%Y-%m-%d %H:%M:%S.%fZ]'
+    return datetime.fromtimestamp(when, tz=timezone('UTC')).strftime(timeFormatString)
+
+
+def set_logger(cfg_options):
+    log.FileLogObserver.emit = myFLOemit
+    log.FileLogObserver.formatTime = myFLOformatTime
+    if cfg_options['logfile'] is None:
+        log.startLogging(stdout)
+    else:
+        log.startLogging(HoneypotDailyLogFile.fromFullPath(cfg_options['logfile']), setStdout=False)

core/output.py

@@ -0,0 +1,39 @@
+
+from socket import gethostname
+
+from core.config import CONFIG
+
+
+class Output(object):
+    """
+    Abstract base class intended to be inherited by output plugins.
+    """
+
+    def __init__(self, general_options):
+
+        self.cfg = general_options
+
+        if 'sensor' in self.cfg:
+            self.sensor = self.cfg['sensor']
+        else:
+            self.sensor = CONFIG.get('honeypot', 'sensor_name', fallback=gethostname())
+
+        self.start()
+
+    def start(self):
+        """
+        Abstract method to initialize output plugin
+        """
+        pass
+
+    def stop(self):
+        """
+        Abstract method to shut down output plugin
+        """
+        pass
+
+    def write(self, event):
+        """
+        Handle a general event within the output plugin
+        """
+        pass

core/paths.py

@@ -0,0 +1,53 @@
+"""
+paths.py - Single source of truth for runtime path resolution.
+
+The honeypot needs a "working directory" containing:
+  data/         geolocation databases, SQLite db, etc.
+  etc/          config file (honeypot.cfg.base)
+  log/          rotating log files (created on demand)
+
+Priority for locating the working directory:
+  1. MEMPOT_WORKDIR environment variable
+  2. Current working directory
+
+The bundled read-only defaults (etc/*.cfg.base, responses/*.json)
+are installed inside the `mempot` package and located via the package's
+own __file__ attribute, which works on all Python versions without
+requiring pkg_resources or importlib.resources.
+"""
+
+from __future__ import absolute_import
+
+
+from os import getcwd, environ
+from os.path import abspath, dirname, join
+
+
+def get_workdir():
+    """Return the absolute path to the runtime working directory."""
+    env = environ.get('MEMPOT_WORKDIR', '').strip()
+    if env:
+        return abspath(env)
+    return getcwd()
+
+
+def workdir_path(*parts):
+    """Return an absolute path rooted at the working directory."""
+    return join(get_workdir(), *parts)
+
+
+def bundled(*parts):
+    """
+    Return the filesystem path to a file bundled inside the installed package.
+    Arguments are path components relative to the mempot/data/ directory,
+    passed as separate strings (like os.path.join) to avoid hardcoded separators.
+
+    Uses the package's own __file__ to locate the data directory, which works
+    on all Python versions (2.7+) without requiring pkg_resources or
+    importlib.resources.
+    """
+    # mempot/data/ lives alongside this module's package (core/ is a sibling
+    # of mempot/), so we go up one level from core/ to find mempot/data/.
+    here = dirname(abspath(__file__))
+    package_dir = join(dirname(here), 'mempot')
+    return join(package_dir, 'data', *parts)

core/protocol.py

@@ -0,0 +1,460 @@
+
+from __future__ import absolute_import
+
+from binascii import hexlify
+from collections import OrderedDict
+from hashlib import sha256
+from ipaddress import ip_address, ip_network
+from random import randint, uniform
+from sys import version_info
+from time import time
+from uuid import uuid4
+
+from core.tools import (
+    decode,
+    encode,
+    get_local_ip,
+    get_utc_time,
+    printable,
+    write_event
+)
+
+from twisted.internet.protocol import Factory, Protocol
+from twisted.python.log import msg
+
+
+if version_info[0] >= 3:
+    def unicode(x):
+        return x
+
+
+class MemcacheServer(Protocol):
+    def __init__(self, options):
+        self.cfg = options
+        self.state = None
+        self.data = {}
+
+    def get_stats(self, kind):
+        items = randint(80000000, 90000000)
+        ret = ''
+        if kind == 'settings':
+            temp = OrderedDict([
+                ('maxbytes', 67108864),
+                ('maxconns', 1024),
+                ('tcpport', self.cfg['port']),
+                ('udpport', 0),
+                ('inter', 'NULL'),
+                ('verbosity', 0),
+                ('oldest', 0),
+                ('evictions', 'on'),
+                ('domain_socket', 'NULL'),
+                ('umask', 700),
+                ('shutdown_command', 'no'),
+                ('growth_factor', 1.25),
+                ('chunk_size', 48),
+                ('num_threads', 4),
+                ('num_threads_per_udp', 4),
+                ('stat_key_prefix', ':'),
+                ('detail_enabled', 'no'),
+                ('reqs_per_event', 20),
+                ('cas_enabled', 'no'),
+                ('tcp_backlog', 1024),
+                ('binding_protocol', 'auto-negotiate'),
+                ('auth_enabled_sasl', 'no'),
+                ('auth_enabled_ascii', 'no'),
+                ('item_size_max', 1048576),
+                ('maxconns_fast', 'yes'),
+                ('hashpower_init', 0),
+                ('slab_reassign', 'yes'),
+                ('slab_automove', 1),
+                ('slab_automove_ratio', 0.80),
+                ('slab_automove_window', 30),
+                ('slab_chunk_max', 524288),
+                ('lru_crawler', 'yes'),
+                ('lru_crawler_sleep', 100),
+                ('lru_crawler_tocrawl', 0),
+                ('tail_repair_time', 0),
+                ('flush_enabled', 'yes'),
+                ('dump_enabled', 'yes'),
+                ('hash_algorithm', 'murmur3'),
+                ('lru_maintainer_thread', 'yes'),
+                ('lru_segmented', 'yes'),
+                ('hot_lru_pct', 20),
+                ('warm_lru_pct', 40),
+                ('hot_max_factor', 0.20),
+                ('warm_max_factor', 2.00),
+                ('temp_lru', 'no'),
+                ('temporary_ttl', 61),
+                ('idle_timeout', 0),
+                ('watcher_logbuf_size', 262144),
+                ('worker_logbuf_size', 65536),
+                ('read_buf_mem_limit', 0),
+                ('track_sizes', 'no'),
+                ('inline_ascii_response', 'no'),
+                ('ext_item_size', 512),
+                ('ext_item_age', 4294967295),
+                ('ext_low_ttl', 0),
+                ('ext_recache_rate', 2000),
+                ('ext_wbuf_size', 4194304),
+                ('ext_compact_under', 0),
+                ('ext_drop_under', 0),
+                ('ext_max_sleep', 1000000),
+                ('ext_max_frag', 0.80),
+                ('slab_automove_freeratio', 0.010),
+                ('ext_drop_unread', 'no'),
+                ('ssl_enabled', 'no'),
+                ('ssl_chain_cert', '(null)'),
+                ('ssl_key', '(null)'),
+                ('ssl_verify_mode', 0),
+                ('ssl_keyformat', 1),
+                ('ssl_ciphers', 'NULL'),
+                ('ssl_ca_cert', 'NULL'),
+                ('ssl_wbuf_size', 16384),
+                ('ssl_session_cache', 'no'),
+                ('ssl_kernel_tls', 'no'),
+                ('ssl_min_version', 'tlsv1.2'),
+                ('num_napi_ids', '(null)'),
+                ('memory_file', '(null)'),
+                ('client_flags_size', 4),
+            ])
+        #elif kind == 'sizes':
+        #    pass
+        #elif kind == 'slabs':
+        #    pass
+        #elif kind == 'items':
+        #    pass
+        #elif kind == 'conns':
+        #    pass
+        else:
+            # e.g., 'stats'
+            temp = OrderedDict([
+                ('pid', randint(5, 400)),
+                ('uptime', randint(1000, 2000)),
+                ('time', int(time())),
+                ('version', '1.6.29'),
+                ('libevent', '2.1.8-stable'),
+                ('pointer_size', 64),
+                ('rusage_user', round(uniform(0.1, 0.9), 4)),
+                ('rusage_system', round(uniform(0.1, 0.9), 6)),
+                ('max_connections', 1024),
+                ('curr_connections', randint(1, 1024)),
+                ('total_connections', 5),
+                ('rejected_connections', 0),
+                ('connection_structures', 2),
+                ('reserved_fds', 20),
+                ('cmd_get', 0),
+                ('cmd_set', 40),
+                ('cmd_flush', 0),
+                ('cmd_touch', 0),
+                ('get_hits', 0),
+                ('get_misses', 0),
+                ('get_expired', 0),
+                ('get_flushed', 0),
+                ('delete_misses', 0),
+                ('delete_hits', 0),
+                ('incr_misses', 0),
+                ('incr_hits', 0),
+                ('decr_misses', 0),
+                ('decr_hits', 0),
+                ('cas_misses', 0),
+                ('cas_hits', 0),
+                ('cas_badval', 0),
+                ('touch_hits', 0),
+                ('touch_misses', 0),
+                ('auth_cmds', 0),
+                ('auth_errors', 0),
+                ('bytes_read', randint(7000000, 8000000)),
+                ('bytes_written', randint(500000, 1000000)),
+                ('limit_maxbytes', 33554432),
+                ('accepting_conns', 1),
+                ('listen_disabled_num', 0),
+                ('time_in_listen_disabled_us', 0),
+                ('threads', randint(4, 9000)),
+                ('conn_yields', 0),
+                ('hash_power_level', 16),
+                ('hash_bytes', 524288),
+                ('hash_is_expanding', False),
+                ('slab_reassign_rescues', 0),
+                ('slab_reassign_chunk_rescues', 0),
+                ('slab_reassign_evictions_nomem', 0),
+                ('slab_reassign_inline_reclaim', 0),
+                ('slab_reassign_busy_items', 0),
+                ('slab_reassign_busy_deletes', 0),
+                ('slab_reassign_running', False),
+                ('slabs_moved', 0),
+                ('lru_crawler_running', 0),
+                ('lru_crawler_starts', randint(500000, 700000)),
+                ('lru_maintainer_juggles', randint(400000, 500000)),
+                ('malloc_fails', 0),
+                ('log_worker_dropped', 0),
+                ('log_worker_written', 0),
+                ('log_watcher_skipped', 0),
+                ('log_watcher_sent', 0),
+                ('bytes', randint(13554432, 33554432)),
+                ('curr_items', items),
+                ('total_items', items),
+                ('slab_global_page_pool', 0),
+                ('expired_unfetched', 0),
+                ('evicted_unfetched', 0),
+                ('evicted_active', 0),
+                ('evictions', 0),
+                ('reclaimed', 0),
+                ('crawler_reclaimed', 0),
+                ('crawler_items_checked', randint(5000, 6000)),
+                ('lrutail_reflocked', 0),
+                ('moves_to_cold', randint(5000, 6000)),
+                ('moves_to_warm', randint(5000, 6000)),
+                ('moves_within_lru', 0),
+                ('direct_reclaims', 0),
+                ('lru_bumps_dropped', 0),
+            ])
+
+        for key, value in temp.items():
+            ret += 'STAT {} {}\r\n'.format(key, value)
+        ret += 'END\r\n'
+        return ret.encode()
+
+    def check_len(self, verb, data):
+        if verb in [
+            b'set',
+            b'add',
+            b'replace',
+            b'append',
+            b'prepend',
+            b'cas',
+        ]:
+            if len(data) >= 5:
+                self.key = data[1]
+                self.state = 2
+                return True
+            else:
+                return False
+        elif verb in [
+            b'get',
+            b'gets',
+            b'delete',
+        ]:
+            if len(data) > 1:
+                self.key = data[1]
+                return True
+            else:
+                return False
+        elif verb in [
+            b'incr',
+            b'decr'
+        ]:
+            if len(data) > 2:
+                self.key = data[1]
+                return True
+            else:
+                return False
+        else:
+            return True
+
+    def process_command(self, line):
+        _data = line.split(b' ')
+        self.verb = _data[0]
+        if not self.check_len(self.verb, _data):
+            self.transport.write(b'ERROR\r\n')
+            return
+        if self.verb == b'stats':
+            if len(_data) > 1:
+                if _data[1] == b'settings':
+                    response = self.get_stats('settings')
+                elif _data[1] == b'cachedump':
+                    response = ''
+                    for key, value in self.data.items():
+                        response += 'ITEM {} [{} b; {} s]\r\n'.format(
+                            decode(key), len(value), randint(1000000, 2000000)
+                        )
+                    response += 'END\r\n'
+                    response = response.encode()
+                elif _data[1] == b'slabs':
+                    response = self.get_stats('stats')
+                elif _data[1] == b'sizes':
+                    response = self.get_stats('stats')
+                elif _data[1] == b'items':
+                    response = self.get_stats('stats')
+                else:
+                    response = self.get_stats('stats')
+            else:
+                response = self.get_stats('stats')
+            self.transport.write(response)
+        elif self.verb == b'flush_all':
+            self.data = {}
+            self.transport.write(b'OK\r\n')
+        elif hexlify(self.verb) == b'fff4fffd06' or self.verb == b'quit':
+            self.transport.loseConnection()
+        elif self.verb == b'get':
+            if self.key in self.data:
+                response = 'VALUE {} 0 {}\r\n{}\r\n'.format(
+                    decode(self.key),
+                    len(self.data[self.key]),
+                    decode(self.data[self.key])
+                )
+                self.transport.write(response.encode())
+            self.transport.write(b'END\r\n')
+        elif self.verb == b'delete':
+            if self.key in self.data:
+                self.data.pop(self.key)
+                self.transport.write(b'DELETED\r\n')
+            else:
+                self.transport.write(b'NOT_FOUND\r\n')
+        elif self.verb == b'incr':
+            if not _data[2].isdigit():
+                self.transport.write(b'ERROR\r\n')
+            else:
+                if self.key in self.data:
+                    if self.data[self.key].isdigit():
+                        result = str(int(self.data[self.key]) + int(_data[2])).encode()
+                        self.data[self.key] = result
+                        self.transport.write(result + b'\r\n')
+                    else:
+                        self.transport.write(b'CLIENT_ERROR cannot increment or decrement non-numeric value\r\n')
+                else:
+                    self.transport.write(b'NOT_FOUND\r\n')
+        elif self.verb == b'decr':
+            if not _data[2].isdigit():
+                self.transport.write(b'ERROR\r\n')
+            else:
+                if self.key in self.data:
+                    if self.data[self.key].isdigit():
+                        result = str(int(self.data[self.key]) - int(_data[2])).encode()
+                        self.data[self.key] = result
+                        self.transport.write(result + b'\r\n')
+                    else:
+                        self.transport.write(b'CLIENT_ERROR cannot increment or decrement non-numeric value\r\n')
+                else:
+                    self.transport.write(b'NOT_FOUND\r\n')
+        elif self.verb == b'touch':
+            if self.key in self.data:
+                self.transport.write(b'TOUCHED\r\n')
+            else:
+                self.transport.write(b'NOT_FOUND\r\n')
+        elif self.verb == b'version':
+            self.transport.write(b'VERSION 1.6.29\r\n')
+        elif self.verb == b'verbosity':
+            self.transport.write(b'OK\r\n')
+        elif self.verb == b'cache_memlimit':
+            self.transport.write(b'OK\r\n')
+        #elif self.verb == b'cas':
+        #    pass
+        #elif self.verb == b'gat':
+        #    pass
+        #elif self.verb == b'gats':
+        #    pass
+        #elif self.verb == b'gets':
+        #    pass
+        elif self.verb not in [b'set', b'add', b'replace', b'append', b'prepend']:
+            self.transport.write(b'ERROR\r\n')
+        if self.verb != b'':
+            peer = self.transport.getPeer()
+            self.report_event(
+                'command',
+                peer.host,
+                peer.port,
+                decode(line)
+            )
+
+    def process_data (self, line):
+        if self.verb == b'set':
+            self.data[self.key] = line
+            self.transport.write(b'STORED\r\n')
+        elif self.verb == b'replace':
+            if self.key in self.data:
+                self.data[self.key] = line
+                self.transport.write(b'STORED\r\n')
+            else:
+                self.transport.write(b'NOT_STORED\r\n')
+        elif self.verb == b'add':
+            if self.key in self.data:
+                self.transport.write(b'NOT_STORED\r\n')
+            else:
+                self.data[self.key] = line
+                self.transport.write(b'STORED\r\n')
+        elif self.verb == b'append':
+            if self.key in self.data:
+                self.data[self.key] += line
+                self.transport.write(b'STORED\r\n')
+            else:
+                self.transport.write(b'NOT_STORED\r\n')
+        elif self.verb == b'prepend':
+            if self.key in self.data:
+                self.data[self.key] = line + self.data[self.key]
+                self.transport.write(b'STORED\r\n')
+            else:
+                self.transport.write(b'NOT_STORED\r\n')
+        self.state = 1
+        if line != b'':
+            peer = self.transport.getPeer()
+            self.report_event(
+                'data',
+                peer.host,
+                peer.port,
+                decode(line)
+            )
+
+    def process_input(self, line):
+        if self.state == 1:
+            self.process_command(line)
+        elif self.state == 2:
+            self.process_data(line)
+
+    def connectionMade(self):
+        self.state = 1
+        self.session = uuid4().hex[:12]
+        peer = self.transport.getPeer()
+        self.report_event('connect', peer.host, peer.port)
+
+    def dataReceived(self, data):
+        if self.state in [1, 2]:
+            line = data.split(b'\r\n')[0].strip()
+            self.process_input(line)
+
+    def connectionLost(self, reason):
+        peer = self.transport.getPeer()
+        self.report_event('disconnect', peer.host, peer.port, reason.value)
+        self.state = None
+        self.session = None
+
+    def report_event(self, operation, ip, port, command=None):
+        for network in self.cfg['blacklist']:
+            if ip_address(unicode(ip)) in ip_network(unicode(network)):
+                return
+        unix_time = time()
+        operation = operation.lower()
+        if operation == 'connect':
+            message = 'Connection made from {}:{}.'.format(ip, port)
+        elif operation == 'disconnect':
+            message = '{}:{} disconnected. Reason: {}'.format(ip, port, command)
+        elif operation == 'command':
+            message = 'Command: "{}" from {}:{}.'.format(printable(command), ip, port)
+        elif operation == 'data':
+            message = 'Data: "{}" from {}:{}.'.format(printable(command), ip, port)
+        else:
+            message = 'Error: Unknown operation "{}" from {}:{}.'.format(operation, ip, port)
+        event = {
+            'session': self.session,
+            'eventid': 'mempot.' + operation,
+            'operation': operation,
+            'timestamp': get_utc_time(unix_time),
+            'unixtime': unix_time,
+            'src_ip': ip,
+            'src_port': port,
+            'dst_port': self.cfg['port'],
+            'sensor': self.cfg['sensor'],
+            'dst_ip': self.cfg['public_ip'] if self.cfg['report_public_ip'] else get_local_ip()
+        }
+        if command is not None and operation != 'disconnect':
+            event['command'] = printable(command)
+            event['sha256'] = sha256(encode(command)).hexdigest()
+        msg(message)
+        write_event(event, self.cfg)
+
+
+class MemcacheFactory(Factory):
+    def __init__(self, options):
+        self.cfg = options
+
+    def buildProtocol(self, addr):
+        return MemcacheServer(self.cfg)