New Version 1.32 cowrie issue fix

Author: armedpot

ews.py

@@ -6,7 +6,7 @@
 
 from modules.einit import locksocket, ecfg
 from modules.elog import ELog
-from modules.etoolbox import readonecfg
+from modules.etoolbox import readMYcfg
 from modules.ealert import EAlert
 from modules.esend import ESend
 
@@ -21,7 +21,7 @@
 if __name__ == "__main__":
 
     name = "EWS Poster"
-    version = "v1.31"
+    version = "v1.32"
 
     functions = [adbhoney, beelzebub, ciscoasa, citrix, conpot, cowrie, ddospot, dicompot, dionaea,
                  elasticpot, emobility, endlessh, fatt, galah, glastopfv3, glutton, gopot, h0neytr4p,
@@ -42,13 +42,13 @@
             honeypotname = honeypot.__name__
 
             if ECFG["a.modul"] and ECFG["a.modul"] == honeypotname:
-               if readonecfg(honeypotname.upper(), honeypotname, ECFG["cfgfile"]).lower() == "true":
+               if readMYcfg(honeypotname.upper(), honeypotname, ECFG["cfgfile"]):
                    honeypot(ECFG)
                    break
             elif ECFG["a.modul"]:
                 continue
 
-            if readonecfg(honeypotname.upper(), honeypotname, ECFG["cfgfile"]).lower() == "true":
+            if readMYcfg(honeypotname.upper(), honeypotname, ECFG["cfgfile"]):
                 honeypot(ECFG)
 
         if int(ECFG["a.loop"]) == 0:

honeypots/cowrie.py

@@ -36,40 +36,40 @@ def cowrie(ECFG):
 
         if line['eventid'] == 'cowrie.session.connect' and line['session'] not in cowrieSessions:
             cowrieSessions[sid] = {}
-            cowrieSessions[sid]['timestamp_start'] = line['timestamp']
-            cowrieSessions[sid]['source_ip'] = line['src_ip']
-            cowrieSessions[sid]['source_port'] = line['src_port']
-            cowrieSessions[sid]['target_ip'] = line['dst_ip']
-            cowrieSessions[sid]['target_port'] = line['dst_port']
-            cowrieSessions[sid]['session_id'] = line['session']
-            cowrieSessions[sid]['protocol'] = line['protocol']
+            cowrieSessions[sid]['timestamp_start'] = line.get('timestamp')
+            cowrieSessions[sid]['source_ip'] = line.get('src_ip')
+            cowrieSessions[sid]['source_port'] = line.get('src_port')
+            cowrieSessions[sid]['target_ip'] = line.get('dst_ip')
+            cowrieSessions[sid]['target_port'] = line.get('dst_port')
+            cowrieSessions[sid]['session_id'] = line.get('session')
+            cowrieSessions[sid]['protocol'] = line.get('protocol')
 
         if line['eventid'] == 'cowrie.login.success' and line['session'] in cowrieSessions:
             cowrieSessions[sid]['login'] = "Success"
-            cowrieSessions[sid]['username'] = line['username']
-            cowrieSessions[sid]['password'] = line['password']
-            cowrieSessions[sid]['timestamp_login'] = line['timestamp']
+            cowrieSessions[sid]['username'] = line.get('username')
+            cowrieSessions[sid]['password'] = line.get('password')
+            cowrieSessions[sid]['timestamp_login'] = line.get('timestamp')
 
         if line['eventid'] == 'cowrie.login.failed' and line['session'] in cowrieSessions:
             cowrieSessions[sid]['login'] = "Fail"
-            cowrieSessions[sid]['username'] = line['username']
-            cowrieSessions[sid]['password'] = line['password']
-            cowrieSessions[sid]['timestamp_login'] = line['timestamp']
+            cowrieSessions[sid]['username'] = line.get('username')
+            cowrieSessions[sid]['password'] = line.get('password')
+            cowrieSessions[sid]['timestamp_login'] = line.get('timestamp')
 
         if line['eventid'] == 'cowrie.session.closed' and line['session'] in cowrieSessions:
-            cowrieSessions[sid]['timestamp_close'] = line['timestamp']
+            cowrieSessions[sid]['timestamp_close'] = line.get('timestamp')
 
         if line['eventid'] == 'cowrie.command.input' and line['session'] in cowrieSessions:
             try:
                 cowrieSessions[sid]['input'].append(line['input'])
             except:
-                cowrieSessions[sid]['input'] = [line['input']]
+                cowrieSessions[sid]['input'] = [line.get('input')]
 
         if line['eventid'] == 'cowrie.client.version' and line['session'] in cowrieSessions:
             if "b'" in line["version"]:
-                cowrieSessions[sid]['version'] = re.search(r"b'(.*)'", line["version"], re.M).group(1)
+                cowrieSessions[sid]['version'] = re.search(r"b'(.*)'", line.get("version"), re.M).group(1)
             else:
-                cowrieSessions[sid]['version'] = line["version"]
+                cowrieSessions[sid]['version'] = line.get("version")
 
     """ second loop """
 
@@ -111,4 +111,4 @@ def cowrie(ECFG):
             break
 
     cowrie.finAlert()
-    return()
+    return()

modules/einit.py

@@ -7,7 +7,7 @@
 import ipaddress
 import uuid
 from modules.elog import ELog
-from modules.etoolbox import readcfg, getHostname, getIP, readcfg2
+from modules.etoolbox import getHostname, getIP, readMYcfg
 
 logger = ELog('EInit')
 
@@ -82,8 +82,8 @@ def ecfg(name, version, functions):
     ITEMS = ("homedir", "spooldir", "logdir", "del_malware_after_send", "send_malware",
              "sendlimit", "contact", "proxy", "ip_int", "ip_ext")
 
-    MCFG = readcfg('MAIN', ITEMS, ECFG['cfgfile'])
-
+    MCFG = readMYcfg('MAIN', ITEMS, ECFG['cfgfile'])
+   
     # home dir available?
     if not os.path.isdir(MCFG["homedir"]):
         logger.error(f"Missing homedir {MCFG['homedir']}. Abort!", '1E')
@@ -142,7 +142,7 @@ def ecfg(name, version, functions):
     # Read EWS Config Parameter
 
     ITEMS = ("ews", "username", "token", "rhost_first", "rhost_second", "ignorecert")
-    EWSCFG = readcfg("EWS", ITEMS, ECFG["cfgfile"])
+    EWSCFG = readMYcfg("EWS", ITEMS, ECFG["cfgfile"])
 
     if EWSCFG["ews"].lower() == "true":
         EWSCFG["ews"] = True
@@ -165,7 +165,7 @@ def ecfg(name, version, functions):
     ITEMS = ("hpfeed", "host", "port", "channels", "ident", "secret", "hpfformat",
              "tlscert")
 
-    HCFG = readcfg("HPFEED", ITEMS, ECFG["cfgfile"])
+    HCFG = readMYcfg("HPFEED", ITEMS, ECFG["cfgfile"])
 
     if HCFG["hpfeed"].lower() == "true":
         HCFG["hpfeed"] = True
@@ -191,7 +191,7 @@ def ecfg(name, version, functions):
     # Read EWSJSON Config Parameter
 
     ITEMS = ("json", "jsondir")
-    EWSJSON = readcfg("EWSJSON", ITEMS, ECFG["cfgfile"])
+    EWSJSON = readMYcfg("EWSJSON", ITEMS, ECFG["cfgfile"])
 
     if ECFG["a.jsondir"] != "":
         EWSJSON["json"] = True
@@ -211,7 +211,7 @@ def ecfg(name, version, functions):
     # Read INFLUX Config Parameter
 
     ITEMS = ('influxdb', 'host', 'port', 'username', 'password', 'token', 'bucket', 'org')
-    ICFG = readcfg2("INFLUXDB", ITEMS, ECFG["cfgfile"])
+    ICFG = readMYcfg("INFLUXDB", ITEMS, ECFG["cfgfile"], loghandler='')
 
     if 'influxdb' not in ICFG:
         ICFG['influxdb'] = False

modules/etoolbox.py

@@ -12,33 +12,27 @@
 
 logger = ELog('Etoolbox')
 
-
-def readcfg(MODUL, ITEMS, FILE):
+def readMYcfg(MODUL, ITEMS, FILE, loghandler='1E'):
     result = {}
 
     config = configparser.ConfigParser(os.environ)
     config.read(FILE)
-
-    for item in ITEMS:
-        if config.has_option(MODUL, item) is True and len(config.get(MODUL, item)) > 0:
-            result[item] = config.get(MODUL, item)
+ 
+    if isinstance(ITEMS, str):
+        if config.has_option(MODUL, ITEMS) and len(config.get(MODUL, ITEMS)) > 0:
+            return(True)
+        elif config.has_option(MODUL, ITEMS) and len(config.get(MODUL, ITEMS)) == 0:
+            return(None)
         else:
-            logger.error(f"Config MODUL [{MODUL}] parameter '{item}' didn't find or empty or not 'none' in {FILE} config file. Abort!", '1E')
-
-    return(result)
-
-
-def readcfg2(MODUL, ITEMS, FILE):
-    result = {}
-
-    config = configparser.ConfigParser(os.environ)
-    config.read(FILE)
-
-    for item in ITEMS:
-        if config.has_option(MODUL, item) is True and len(config.get(MODUL, item)) > 0:
-            result[item] = config.get(MODUL, item)
-    return(result)
-
+            return(False)
+        
+    if isinstance(ITEMS, tuple):    
+        for item in ITEMS:
+            if config.has_option(MODUL, item) and len(config.get(MODUL, item)) > 0:
+                result[item] = config.get(MODUL, item)
+            elif loghandler == '1E':
+                logger.error(f"Config MODUL [{MODUL}] parameter '{item}' didn't find or empty or not 'none' in {FILE} config file. Abort!", '1E')
+        return(result)
 
 def checkSECTIONcfg(MODUL, FILE):
     config = configparser.ConfigParser(os.environ)
@@ -49,21 +43,6 @@ def checkSECTIONcfg(MODUL, FILE):
     else:
         return(False)
 
-
-def readonecfg(MODUL, item, FILE):
-    config = configparser.ConfigParser(os.environ)
-    config.read(FILE)
-
-    if config.has_option(MODUL, item) is True and len(config.get(MODUL, item)) > 0:
-        return config.get(MODUL, item)
-    elif config.has_option(MODUL, item) is True and len(config.get(MODUL, item)) == 0:
-        return('NULL')
-    elif config.has_option(MODUL, item) is False:
-        return('FALSE')
-    else:
-        return ('UNKNOW')
-
-
 def getIP(MODUL, ECFG):
     myIP = {}
 
@@ -128,16 +107,12 @@ def getIP(MODUL, ECFG):
 
     return(myIP)
 
-
 def getHostname(MODUL, ECFG):
-    """ get Hostname from ENV/SOCKET/RANDOM """
-    if os.environ.get('MY_HOSTNAME') is not None:
-        return(os.environ.get('MY_HOSTNAME'))
-    elif socket.gethostname() is not None:
-        return(socket.gethostname())
-    else:
-        return("host-".join(random.choice(string.ascii_lowercase) for i in range(16)))
-
+    # get Hostname from ENV/SOCKET/RANDOM
+    hostname = os.environ.get('MY_HOSTNAME')
+    if hostname:
+        return hostname
+    return socket.gethostname() or f"host-{''.join(random.choices(string.ascii_lowercase, k=16))}"
 
 if __name__ == "__main__":
     pass