Dionaea: Malwr Module
from dionaea.core import ihandler, incident, g_dionaea | |
import logging | |
import json | |
import uuid | |
import time | |
import sqlite3 | |
# Module-wide logger for the malwr submission handler; DEBUG so that every
# submission and reply shows up in the dionaea log.
logger = logging.getLogger('malwr')
logger.setLevel(level=logging.DEBUG)
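class malwrreport:
    """What the handler remembers about a sample while its upload is in flight.

    Attributes:
        md5: md5 hex digest of the sample as given by the download incident.
        path: local path of the downloaded sample file.
        ts: timestamp string taken when the upload was requested.
    """

    def __init__(self, md5, path, timestamp):
        self.md5 = md5
        self.path = path
        self.ts = timestamp

    def __repr__(self):
        # Makes the pending-submission table readable when it is logged.
        return "%s(md5=%r, path=%r, ts=%r)" % (
            type(self).__name__, self.md5, self.path, self.ts)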
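class handler(ihandler):
    """Dionaea incident handler that submits unique downloads to a malwr instance.

    Every ``dionaea.download.complete.unique`` incident is turned into a
    ``dionaea.upload.request``.  The upload result arrives later as a
    ``dionaea.modules.python.malwr.file_submitted`` incident whose file holds
    the service's JSON reply; that reply is stored in the ``submit`` table and
    re-emitted as a ``dionaea.modules.python.malwr.uuid`` incident.  The two
    halves are tied together by a random cookie carried in ``_userdata``.
    """

    def __init__(self, path):
        """Read the module configuration and open (creating if needed) the submit table.

        Args:
            path: handler path, passed through to ``ihandler.__init__``.
        """
        logger.info("%s ready!", self.__class__.__name__)
        ihandler.__init__(self, path)
        self.vconfig = g_dionaea.config()['modules']['python']['malwr']
        self.submit_url = self.vconfig['submit_url']
        self.api_key = self.vconfig['apikey']
        self.share = self.vconfig['shared']
        # In-flight submissions keyed by the cookie handed to the upload
        # incident as ``_userdata``; an entry is removed once its reply arrives.
        self.cookies = {}
        dbpath = self.vconfig['dbfile']
        self.dbh = sqlite3.connect(dbpath)
        self.cursor = self.dbh.cursor()
        self.cursor.execute("""
CREATE TABLE IF NOT EXISTS submit (
    id INTEGER PRIMARY KEY,
    uuid TEXT NOT NULL,
    path TEXT NOT NULL,
    md5 TEXT NOT NULL,
    sha256 TEXT NOT NULL,
    submit_time TEXT NOT NULL
);""")

    def handle_incident(self, icd):
        """Catch-all for incidents this handler does not care about."""
        pass

    def handle_incident_dionaea_download_complete_unique(self, icd):
        """Request an upload of a freshly downloaded, not-yet-seen sample.

        Args:
            icd: incident carrying ``md5hash`` and ``path`` of the sample.
        """
        # A uuid4 cookie is unguessable, so a reply can only be matched to
        # the pending entry it was issued for.
        cookie = str(uuid.uuid4())
        # NOTE(review): the " :" between date and time looks like a typo but
        # is the format already stored in existing databases, so it is kept.
        requested_at = time.strftime("%Y-%m-%d :%H:%M:%S", time.localtime())
        self.cookies[cookie] = malwrreport(icd.md5hash, icd.path, requested_at)
        i = incident('dionaea.upload.request')
        i._url = self.submit_url
        i.shared = self.share
        i.api_key = self.api_key
        i.set('file://file', icd.path)
        i._callback = "dionaea.modules.python.malwr.file_submitted"
        i._userdata = cookie
        i.report()

    def handle_incident_dionaea_modules_python_malwr_file_submitted(self, icd):
        """Record the service's reply for a pending submission and announce its uuid.

        Args:
            icd: incident whose ``path`` names the file holding the JSON reply
                and whose ``_userdata`` is the cookie issued at upload time.
        """
        cookie = icd._userdata
        # pop() up front rather than del at the end, so a malformed reply can
        # not leave the entry pending forever; an unknown cookie is logged
        # instead of raising KeyError out of the handler.
        mreport = self.cookies.pop(cookie, None)
        if mreport is None:
            logger.warning("file_submitted for unknown cookie %s", cookie)
            return
        try:
            # 'with' closes the reply file even when json.load fails.
            with open(icd.path, mode='r') as f:
                j = json.load(f)
            remote_uuid = j['uuid']
            remote_sha256 = j['sha256']
        except (OSError, ValueError, KeyError, TypeError) as e:
            # The reply body is produced by the remote service; an error page
            # or a changed schema must not take the handler down.
            logger.warning("malwr reply for %s (%s) is unusable: %s",
                           mreport.md5, icd.path, e)
            return
        # sha256 is the value the service reported, not a locally computed
        # digest; the md5 and path come from our own download incident.
        self.cursor.execute(
            """INSERT INTO submit (uuid, path, md5, sha256, submit_time) VALUES (?, ?, ?, ?, ?);""",
            (remote_uuid, mreport.path, mreport.md5, remote_sha256, mreport.ts))
        self.dbh.commit()
        i = incident("dionaea.modules.python.malwr.uuid")
        i.md5hash = mreport.md5
        i.uuid = remote_uuid
        i.report()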