
Model extensions. Closes #405 . #407

Merged: 23 commits merged into intelowlproject:develop from advanced_feeds on Dec 17, 2024

Conversation

regulartim (Collaborator) commented Dec 13, 2024

Description

Several changes to the IOC model are introduced:

  • days_seen now has the list function as a default value (for convenience)
  • rename times_seen and add interaction count
  • add IP reputation, the attacker's ASN, a list of ports the IP has requested and a counter of attempted logins (currently only based on data from Heralding)

To populate these new fields, the attack data extraction process had to be rewritten. I did not touch the extraction process of log4pot yet, as I don't have one running. However, this should definitely be done at some point. I'll open an issue after this is merged.

I also added a model for CowrieSessions to eventually create a specialised feed for Cowrie.

Related issues

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue).
  • New feature (non-breaking change which adds functionality).

Checklist

  • I have read and understood the rules about how to Contribute to this project.
  • The pull request is for the branch develop.
  • I have added documentation of the new features.
  • Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
  • I have added tests for the feature/bug I solved. All the tests (new and old ones) gave 0 errors.
  • If changes were made to an existing model/serializer/view, the docs were updated and regenerated (check CONTRIBUTE.md).
  • If the GUI has been modified:
    • I have provided a screenshot of the result in the PR.
    • I have created new frontend tests for the new component or updated existing ones.

Important Rules

  • If you fail to complete the Checklist properly, your PR won't be reviewed by the maintainers.
  • If your changes decrease the overall test coverage (you will know after the Codecov CI job is done), you should add the required tests to fix the problem.
  • Every time you make changes to the PR and you think the work is done, you should explicitly ask for a review. After being reviewed and receiving a "change request", you should explicitly ask for a review again once you have made the requested changes.
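The rewritten attack-data extraction that the description mentions is not shown on this page. As an added example (not the project's code), here is a stand-alone Python aggregator that folds Cowrie JSON log events into records shaped like the CowrieSession and IOC fields listed above. The Cowrie event names and keys, the "one interaction per logged event" counting rule, and the sample events are assumptions.

```python
import json
from dataclasses import dataclass, field

@dataclass
class CowrieSession:          # mirrors the CowrieSession model fields
    session_id: str
    source_ip: str            # stands in for the ForeignKey to IOC
    start_time: "str | None" = None
    duration: "float | None" = None
    login_attempt: bool = False
    credentials: list = field(default_factory=list)
    command_execution: bool = False
    interaction_count: int = 0

@dataclass
class IOCSummary:             # the new per-IP counters added to the IOC model
    name: str
    interaction_count: int = 0
    login_attempts: int = 0
    destination_ports: list = field(default_factory=list)

def extract(lines):
    sessions, iocs = {}, {}
    for line in lines:
        ev = json.loads(line)
        s = sessions.setdefault(ev["session"], CowrieSession(ev["session"], ev["src_ip"]))
        i = iocs.setdefault(ev["src_ip"], IOCSummary(ev["src_ip"]))
        s.interaction_count += 1      # assumption: one interaction per logged event
        i.interaction_count += 1
        if ev["eventid"] == "cowrie.session.connect":
            s.start_time = ev["timestamp"]
            if ev["dst_port"] not in i.destination_ports:
                i.destination_ports.append(ev["dst_port"])
        elif ev["eventid"] in ("cowrie.login.failed", "cowrie.login.success"):
            s.login_attempt = True
            s.credentials.append(f"{ev['username']}:{ev['password']}")
            i.login_attempts += 1
        elif ev["eventid"] == "cowrie.command.input":
            s.command_execution = True
        elif ev["eventid"] == "cowrie.session.closed":
            s.duration = float(ev["duration"])
    return sessions, iocs

SAMPLE_LOG = [  # constructed sample events, not real honeypot output
    '{"eventid":"cowrie.session.connect","session":"a1b2c3","src_ip":"198.51.100.7","dst_port":2222,"timestamp":"2024-12-13T10:00:00Z"}',
    '{"eventid":"cowrie.login.failed","session":"a1b2c3","src_ip":"198.51.100.7","username":"root","password":"123456"}',
    '{"eventid":"cowrie.login.success","session":"a1b2c3","src_ip":"198.51.100.7","username":"root","password":"toor"}',
    '{"eventid":"cowrie.command.input","session":"a1b2c3","src_ip":"198.51.100.7","input":"uname -a"}',
    '{"eventid":"cowrie.session.closed","session":"a1b2c3","src_ip":"198.51.100.7","duration":12.5}',
]
```

Calling `extract(SAMPLE_LOG)` yields one session with both login attempts recorded as credentials and one IOC summary with `login_attempts == 2` and `destination_ports == [2222]`.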

regulartim (Collaborator, Author) commented:

GUI change: "Times Seen" renamed
(screenshot)

@regulartim regulartim marked this pull request as ready for review December 16, 2024 13:33
@regulartim regulartim requested a review from mlodic December 16, 2024 13:33
mlodic (Member) left a comment:

great work!

Comment on lines +57 to +67
```python
class CowrieSession(models.Model):
    session_id = models.BigIntegerField(primary_key=True)
    start_time = models.DateTimeField(blank=True, null=True)
    duration = models.FloatField(blank=True, null=True)
    login_attempt = models.BooleanField(blank=False, null=False, default=False)
    credentials = pg_fields.ArrayField(models.CharField(max_length=256, blank=True), blank=False, null=False, default=list)
    command_execution = models.BooleanField(blank=False, null=False, default=False)
    interaction_count = models.IntegerField(blank=False, null=False, default=0)
    source = models.ForeignKey(IOC, on_delete=models.CASCADE, blank=False, null=False)
```
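Review bot: the `blank=False, null=False` pairs on `login_attempt`, `credentials`, `command_execution`, `interaction_count` and `source` restate Django's defaults and can be dropped to keep the model readable. `session_id = models.BigIntegerField(primary_key=True)` accepts whatever integer the extraction produces, so a repeated id would silently overwrite another session's row on save; worth a comment on where the id comes from and how uniqueness is guaranteed. `credentials` stores the captured username/password strings verbatim, so if the Django Admin view proposed in this thread is added, that column decides who gets to read raw captured secrets and should be restricted or excluded there.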


mlodic (Member):

it could be useful to create a visualization with search options in the Django Admin interface. It should be pretty straightforward and would allow to analyze data without having to create a complex interface in the frontend

mlodic (Member):

in that case, some indexes for the search fields could also be a useful addition

regulartim (Collaborator, Author):

Ok, I'll have to read into that and would like to implement it in a different branch, if that's fine for you?
You mean DB indexes, right?

mlodic (Member):

yep to both

```python
    ip_reputation = models.CharField(max_length=32, blank=True)
    asn = models.IntegerField(blank=True, null=True)
    destination_ports = pg_fields.ArrayField(models.IntegerField(), blank=False, null=False, default=list)
    login_attempts = models.IntegerField(blank=False, null=False, default=0)
```
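Review bot: `asn = models.IntegerField(...)` maps to a signed 32-bit column on PostgreSQL (maximum 2147483647), but 4-byte ASNs range up to 4294967295, so an IOC from a high-numbered AS would fail to save; `models.PositiveBigIntegerField(blank=True, null=True)` avoids that. The element field of `destination_ports` is an unbounded `IntegerField`; adding `validators=[MinValueValidator(0), MaxValueValidator(65535)]` to it documents the port range and rejects garbage from a malformed log line. `ip_reputation` is free text without `choices`, which will make the search and filter options discussed above less reliable; if the set of reputation labels is known, declaring it as `choices` keeps the column consistent.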

mlodic (Member):

I also just noticed that there is no index here either. This could be helpful for the Django visualization too.

Plus, the already existing Enrichment API would be affected incredibly positively :) If you don't have time, I'll try to add this later myself

@regulartim regulartim merged commit 08e251a into intelowlproject:develop Dec 17, 2024
6 checks passed
@regulartim regulartim deleted the advanced_feeds branch December 17, 2024 12:08