#!/usr/bin/env python
"""
# HoneyDB helper script:
# honeydb-search-payloads.py
# For a given array of strings, this script will search payloads for a match.
# https://riskdiscovery.com/honeydb/threats#sensor_data_filtered
# Edit the SEARCH_STRINGS variable to specify what you want to search for.
# DATE is a required field for the API, and the default is today's date.
# Edit the DATE variable to search on a specific date.
# Requires:
# - honeydb (https://pypi.org/project/honeydb/)
#
# Usage:
# $ export HONEYDB_API_ID=<your API ID>
# $ export HONEYDB_API_KEY=<your API Key>
# $ python honeydb-search-payloads.py
#
# On subsequent runs, provide an id to continue where you left off.
# $ python honeydb-search-payloads.py [from_id]
"""
import binascii
import datetime
import os
import sys

from honeydb import api
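# Strings to look for inside RX payloads. Edit this list to change the search.
SEARCH_STRINGS = ['wget ', 'curl ']
# DATE is required by the API; defaults to today. Edit to search a specific day.
DATE = datetime.datetime.today().strftime('%Y-%m-%d')
# Default starting record id when none is given on the command line.
FROM_ID = 1


def printable_payload(raw):
    """Render raw payload bytes so they are safe to write to a terminal.

    RX payloads are whatever a remote peer sent to the sensor, i.e.
    attacker-controlled bytes. Writing them to the terminal unescaped would
    let embedded control sequences (e.g. ESC) drive the terminal, so every
    non-printable character except newline and tab is shown in ``\\xNN``
    form. Undecodable bytes become U+FFFD.

    Args:
        raw: payload as ``bytes``.

    Returns:
        A ``str`` containing only printable characters plus ``\\n``/``\\t``.
    """
    text = raw.decode('utf-8', errors='replace')
    return ''.join(
        ch if ch.isprintable() or ch in '\t\n' else repr(ch)[1:-1]
        for ch in text
    )


def matching_payloads(payloads, search_strings):
    """Yield the decoded bytes of each RX payload containing any search string.

    Matching is done on the decoded bytes rather than on the hex string the
    API returns, so a needle cannot falsely match across a byte boundary
    (a hex-substring search could start on the low nibble of one byte).
    A payload that matches several search strings is yielded once.

    Args:
        payloads: iterable of dicts with at least ``event`` and ``data``
            keys; ``data`` is a hex string.
        search_strings: iterable of ``str`` (UTF-8 encoded before matching)
            or ``bytes`` needles.

    Yields:
        ``bytes`` for each matching RX payload, in input order.
    """
    needles = [
        needle.encode('utf-8') if isinstance(needle, str) else needle
        for needle in search_strings
    ]
    for payload in payloads:
        # We only care about RX events
        if payload.get('event') != 'RX':
            continue
        try:
            raw = binascii.unhexlify(payload['data'])
        except (KeyError, ValueError) as exc:
            # Don't abort the whole paging run on one malformed record.
            print('Skipping malformed payload record: {}'.format(exc), file=sys.stderr)
            continue
        if any(needle in raw for needle in needles):
            yield raw


def main(argv=None):
    """Page through HoneyDB sensor data for DATE and print matching payloads.

    Args:
        argv: command-line arguments without the program name; defaults to
            ``sys.argv[1:]``. An optional first argument is the ``from_id``
            to resume from.

    Exits with status 1 when an API credential is missing and 2 when the
    ``from_id`` argument is not an integer.
    """
    argv = sys.argv[1:] if argv is None else argv

    if 'HONEYDB_API_ID' not in os.environ:
        print('HONEYDB API ID is required, run: export HONEYDB_API_ID=<Your ID Key>', file=sys.stderr)
        sys.exit(1)
    if 'HONEYDB_API_KEY' not in os.environ:
        print('HONEYDB API KEY is required, run: export HONEYDB_API_KEY=<Your API Key>', file=sys.stderr)
        sys.exit(1)

    from_id = FROM_ID
    if argv:
        try:
            from_id = int(argv[0])
        except ValueError:
            # repr() keeps any control characters in the argument escaped.
            print('from_id must be an integer, got: {!r}'.format(argv[0]), file=sys.stderr)
            sys.exit(2)

    client = api.Client(os.environ['HONEYDB_API_ID'], os.environ['HONEYDB_API_KEY'])
    last_id = 0
    while True:
        response = client.sensor_data(DATE, from_id=from_id)
        # Payload data is first element in response array
        payloads = response[0]['data']
        # From ID is second element in response array; 0 means no more pages
        from_id = response[1]['from_id']
        for raw in matching_payloads(payloads, SEARCH_STRINGS):
            print(printable_payload(raw))
        if from_id == 0:
            break
        last_id = from_id

    if last_id != 0:
        print('Next run: python honeydb-search-payloads.py {}'.format(last_id))
    else:
        print('No data. Try again later.')


if __name__ == '__main__':
    main()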