Merge pull request GreedyBear-Project#603 from intelowlproject/develop

2.1.0

Author: regulartim

.env_template

@@ -13,4 +13,4 @@ COMPOSE_FILE=docker/default.yml:docker/local.override.yml
 #COMPOSE_FILE=docker/default.yml:docker/local.override.yml:docker/elasticsearch.yml
 
 # If you want to run a specific version, populate this
-# REACT_APP_INTELOWL_VERSION="2.0.1"
+# REACT_APP_INTELOWL_VERSION="2.1.0"

.github/workflows/pull_request_automation.yml

@@ -100,6 +100,6 @@ jobs:
         "BROKER_URL": "amqp://guest:guest@rabbitmq:5672",
         }
       python_versions: >-
-        ["3.10"]
+        ["3.13"]
       max_timeout: 15
-      ubuntu_version: 22.04
+      ubuntu_version: 24.04

api/urls.py

@@ -1,6 +1,15 @@
 # This file is a part of GreedyBear https://github.com/honeynet/GreedyBear
 # See the file 'LICENSE' for copying permission.
-from api.views import StatisticsViewSet, command_sequence_view, enrichment_view, feeds, feeds_advanced, feeds_pagination, general_honeypot_list
+from api.views import (
+    StatisticsViewSet,
+    command_sequence_view,
+    cowrie_session_view,
+    enrichment_view,
+    feeds,
+    feeds_advanced,
+    feeds_pagination,
+    general_honeypot_list,
+)
 from django.urls import include, path
 from rest_framework import routers
 
@@ -14,6 +23,7 @@
     path("feeds/advanced/", feeds_advanced),
     path("feeds/<str:feed_type>/<str:attack_type>/<str:prioritize>.<str:format_>", feeds),
     path("enrichment", enrichment_view),
+    path("cowrie_session", cowrie_session_view),
     path("command_sequence", command_sequence_view),
     path("general_honeypot", general_honeypot_list),
     # router viewsets

api/views/__init__.py

@@ -1,4 +1,5 @@
 from api.views.command_sequence import *
+from api.views.cowrie_session import *
 from api.views.enrichment import *
 from api.views.feeds import *
 from api.views.general_honeypot import *

api/views/cowrie_session.py

@@ -0,0 +1,119 @@
+# This file is a part of GreedyBear https://github.com/honeynet/GreedyBear
+# See the file 'LICENSE' for copying permission.
+import itertools
+import logging
+import socket
+
+from api.views.utils import is_ip_address, is_sha256hash
+from certego_saas.apps.auth.backend import CookieTokenAuthentication
+from django.http import Http404, HttpResponseBadRequest
+from greedybear.consts import FEEDS_LICENSE, GET
+from greedybear.models import IOC, CommandSequence, CowrieSession, Statistics, viewType
+from rest_framework import status
+from rest_framework.decorators import api_view, authentication_classes, permission_classes
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.response import Response
+
+logger = logging.getLogger(__name__)
+
+
+@api_view([GET])
+@authentication_classes([CookieTokenAuthentication])
+@permission_classes([IsAuthenticated])
+def cowrie_session_view(request):
+    """
+    Retrieve Cowrie honeypot session data including command sequences, credentials, and session details.
+    Queries can be performed using either an IP address to find all sessions from that source,
+    or a SHA-256 hash to find sessions containing a specific command sequence.
+
+    Args:
+        request: The HTTP request object containing query parameters
+        query (str, required): The search term, can be either an IP address or the SHA-256 hash of a command sequence.
+            SHA-256 hashes should match command sequences generated using Python's "\\n".join(sequence) format.
+        include_similar (bool, optional): When "true", expands the result to include all sessions that executed
+            command sequences belonging to the same cluster(s) as command sequences found in the initial query result.
+            Requires CLUSTER_COWRIE_COMMAND_SEQUENCES enabled in configuration. Default: false
+        include_credentials (bool, optional): When "true", includes all credentials used across matching Cowrie sessions.
+            Default: false
+        include_session_data (bool, optional): When "true", includes detailed information about matching Cowrie sessions.
+            Default: false
+
+    Returns:
+        Response (200): JSON object containing:
+            - query (str): The original query parameter
+            - commands (list[str]): Unique command sequences (newline-delimited strings)
+            - sources (list[str]): Unique source IP addresses
+            - credentials (list[str], optional): Unique credentials if include_credentials=true
+            - sessions (list[dict], optional): Session details if include_session_data=true
+                - time (datetime): Session start time
+                - duration (float): Session duration in seconds
+                - source (str): Source IP address
+                - interactions (int): Number of interactions in session
+                - credentials (list[str]): Credentials used in this session
+                - commands (str): Command sequence executed (newline-delimited)
+        Response (400): Bad Request - Missing or invalid query parameter
+        Response (404): Not Found - No matching sessions found
+        Response (500): Internal Server Error - Unexpected error occurred
+
+    Example Queries:
+        /api/cowrie_session?query=1.2.3.4
+        /api/cowrie_session?query=5120e94e366ec83a79ee80454e4d1c76c06499ab19032bcdc7f0b4523bdb37a6
+        /api/cowrie_session?query=1.2.3.4&include_credentials=true&include_session_data=true&include_similar=true
+    """
+    observable = request.query_params.get("query")
+    include_similar = request.query_params.get("include_similar", "false").lower() == "true"
+    include_credentials = request.query_params.get("include_credentials", "false").lower() == "true"
+    include_session_data = request.query_params.get("include_session_data", "false").lower() == "true"
+
+    logger.info(f"Cowrie view requested by {request.user} for {observable}")
+    source_ip = str(request.META["REMOTE_ADDR"])
+    request_source = Statistics(source=source_ip, view=viewType.COWRIE_SESSION_VIEW.value)
+    request_source.save()
+
+    if not observable:
+        return HttpResponseBadRequest("Missing required 'query' parameter")
+
+    if is_ip_address(observable):
+        sessions = CowrieSession.objects.filter(source__name=observable, duration__gt=0).prefetch_related("source", "commands")
+        if not sessions.exists():
+            raise Http404(f"No information found for IP: {observable}")
+
+    elif is_sha256hash(observable):
+        try:
+            commands = CommandSequence.objects.get(commands_hash=observable.lower())
+        except CommandSequence.DoesNotExist as exc:
+            raise Http404(f"No command sequences found with hash: {observable}") from exc
+        sessions = CowrieSession.objects.filter(commands=commands, duration__gt=0).prefetch_related("source", "commands")
+    else:
+        return HttpResponseBadRequest("Query must be a valid IP address or SHA-256 hash")
+
+    if include_similar:
+        commands = set(s.commands for s in sessions if s.commands)
+        clusters = set(cmd.cluster for cmd in commands if cmd.cluster is not None)
+        related_sessions = CowrieSession.objects.filter(commands__cluster__in=clusters).prefetch_related("source", "commands")
+        sessions = sessions.union(related_sessions)
+
+    response_data = {
+        "license": FEEDS_LICENSE,
+        "query": observable,
+    }
+
+    unique_commands = set(s.commands for s in sessions if s.commands)
+    response_data["commands"] = sorted("\n".join(cmd.commands) for cmd in unique_commands)
+    response_data["sources"] = sorted(set(s.source.name for s in sessions), key=socket.inet_aton)
+    if include_credentials:
+        response_data["credentials"] = sorted(set(itertools.chain(*[s.credentials for s in sessions])))
+    if include_session_data:
+        response_data["sessions"] = [
+            {
+                "time": s.start_time,
+                "duration": s.duration,
+                "source": s.source.name,
+                "interactions": s.interaction_count,
+                "credentials": s.credentials if s.credentials else [],
+                "commands": "\n".join(s.commands.commands) if s.commands else "",
+            }
+            for s in sessions
+        ]
+
+    return Response(response_data, status=status.HTTP_200_OK)

docker/.version

@@ -1 +1 @@
-REACT_APP_GREEDYBEAR_VERSION="2.0.1"
+REACT_APP_GREEDYBEAR_VERSION="2.1.0"

docker/Dockerfile_nginx

@@ -1,4 +1,4 @@
-FROM library/nginx:1.29.1-alpine
+FROM library/nginx:1.29.3-alpine
 RUN mkdir -p /var/cache/nginx /var/cache/nginx/feeds
 RUN apk update && apk upgrade && apk add bash
 ENV NGINX_LOG_DIR=/var/log/nginx

greedybear/cronjobs/base.py

@@ -5,7 +5,7 @@
 from datetime import datetime, timedelta
 
 from django.conf import settings
-from elasticsearch_dsl import Q, Search
+from elasticsearch8.dsl import Q, Search
 from greedybear.settings import EXTRACTION_INTERVAL, LEGACY_EXTRACTION
 
 

greedybear/models.py

@@ -10,6 +10,7 @@ class viewType(models.TextChoices):
     FEEDS_VIEW = "feeds"
     ENRICHMENT_VIEW = "enrichment"
     COMMAND_SEQUENCE_VIEW = "command sequence"
+    COWRIE_SESSION_VIEW = "cowrie session"
 
 
 class iocType(models.TextChoices):

greedybear/settings.py

@@ -6,7 +6,7 @@
 from datetime import timedelta
 
 from django.core.management.utils import get_random_secret_key
-from elasticsearch import Elasticsearch
+from elasticsearch8 import Elasticsearch
 
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 BASE_STATIC_PATH = os.path.join(BASE_DIR, "static/")