Merge pull request #22 from amerck/master

Added normalizer for UHP

mnemosyne.cfg.template

@@ -13,7 +13,7 @@ ident =
 secret =
 hp_host = hpfriends.honeycloud.net
 hp_port = 20000
-channels = amun.events,conpot.events,thug.events,beeswarm.hive,dionaea.capture,thug.files,beeswarn.feeder,cuckoo.analysis,kippo.sessions,cowrie.sessions,glastopf.events,glastopf.files,mwbinary.dionaea.sensorunique,wordpot.events,shockpot.events,p0f.events,suricata.events,elastichoney.events,rdphoney.sessions
+channels = amun.events,conpot.events,thug.events,beeswarm.hive,dionaea.capture,thug.files,beeswarn.feeder,cuckoo.analysis,kippo.sessions,cowrie.sessions,glastopf.events,glastopf.files,mwbinary.dionaea.sensorunique,wordpot.events,shockpot.events,p0f.events,suricata.events,elastichoney.events,rdphoney.sessions,uhp.events
 
 [file_log]
 enabled = True

mnemosyne.run.j2

@@ -14,7 +14,7 @@ if [[ ! -f ./mnemosyne.cfg ]]
 then
     IDENT='mnemosyne'
     SECRET=`python -c 'import uuid;print str(uuid.uuid4()).replace("-","")'`
-    CHANNELS='amun.events,conpot.events,thug.events,beeswarm.hive,dionaea.capture,dionaea.connections,thug.files,beeswarn.feeder,cuckoo.analysis,kippo.sessions,cowrie.sessions,glastopf.events,glastopf.files,mwbinary.dionaea.sensorunique,snort.alerts,wordpot.events,p0f.events,suricata.events,shockpot.events,elastichoney.events,rdphoney.sessions'
+    CHANNELS='amun.events,conpot.events,thug.events,beeswarm.hive,dionaea.capture,dionaea.connections,thug.files,beeswarn.feeder,cuckoo.analysis,kippo.sessions,cowrie.sessions,glastopf.events,glastopf.files,mwbinary.dionaea.sensorunique,snort.alerts,wordpot.events,p0f.events,suricata.events,shockpot.events,elastichoney.events,rdphoney.sessions,uhp.events'
 
     # Change into the HPFeeds dir, it's needed for hpfeeds scripts
     pushd {{ hpfeeds_dir }}/hpfeeds/broker/

mnemosyne/normalizer/modules/uhp_events.py

@@ -0,0 +1,29 @@
+
+import json
+from normalizer.modules.basenormalizer import BaseNormalizer
+
+import sys
+
+
+class RdphoneyEvents(BaseNormalizer):
+    channels = ('uhp.events',)
+
+    def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
+        o_data = self.parse_record_data(data)
+        sys.stdout.write("o_data: %s" % o_data + "\n")
+
+        if ignore_rfc1918 and self.is_RFC1918_addr(o_data['peerIP']):
+            return []
+
+        session = {
+            'timestamp': submission_timestamp,
+            'source_ip': o_data['src_ip'],
+            'source_port': o_data['src_port'],
+            'destination_port': o_data['dest_port'],
+            'honeypot': 'uhp',
+            'protocol': o_data['tags'][0],
+        }
+
+        relations = [{'session': session}, ]
+
+        return relations

mnemosyne/normalizer/normalizer.py

@@ -37,6 +37,7 @@
 from modules import suricata_events
 from modules import elastichoney_events
 from modules import rdphoney_events
+from modules import uhp_events
 from bson import ObjectId
 
 import gevent