From 235f648ffe7939256fa33e5726455dfbac717a1f Mon Sep 17 00:00:00 2001
From: pixel5919
Date: Tue, 7 Jun 2016 22:10:30 -0400
Subject: [PATCH] Added support for beeswax

---
 mnemosyne.cfg.dist | 2 +-
 normalizer/modules/beeswax_events.py | 42 ++++++++++++++++++++++++++++
 normalizer/normalizer.py | 1 +
 3 files changed, 44 insertions(+), 1 deletion(-)
 mode change 100644 => 100755 mnemosyne.cfg.dist
 create mode 100644 normalizer/modules/beeswax_events.py
 mode change 100644 => 100755 normalizer/normalizer.py

diff --git a/mnemosyne.cfg.dist b/mnemosyne.cfg.dist
old mode 100644
new mode 100755
index 5109e85..16eca83
--- a/mnemosyne.cfg.dist
+++ b/mnemosyne.cfg.dist
@@ -11,7 +11,7 @@ ident =
 secret =
 host = hpfriends.honeycloud.net
 port = 20000
-channels = amun.events,conpot.events,thug.events,beeswarm.hive,dionaea.capture,thug.files,beeswarn.feeder,cuckoo.analysis,kippo.sessions,cowrie.sessions,glastopf.events,glastopf.files,mwbinary.dionaea.sensorunique,wordpot.events,shockpot.events,p0f.events,suricata.events,elastichoney.events
+channels = amun.events,conpot.events,thug.events,beeswarm.hive,dionaea.capture,thug.files,beeswarn.feeder,cuckoo.analysis,kippo.sessions,cowrie.sessions,glastopf.events,glastopf.files,mwbinary.dionaea.sensorunique,wordpot.events,shockpot.events,p0f.events,suricata.events,elastichoney.events,beeswax.events
 [file_log]
 enabled = True
diff --git a/normalizer/modules/beeswax_events.py b/normalizer/modules/beeswax_events.py
new file mode 100644
index 0000000..daeedeb
--- /dev/null
+++ b/normalizer/modules/beeswax_events.py
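Review bot: The mode change 100644 => 100755 on mnemosyne.cfg.dist (and the same change on normalizer/normalizer.py) is unrelated to adding the beeswax.events channel and gives a configuration template the executable bit; unless this is intentional, drop the two mode changes from the commit so both files stay non-executable. The channel entry itself is consistent with the neighbouring entries, but the new module hard-codes the same name in its `channels = ('beeswax.events',)` tuple, so the two must be kept in sync if the channel is ever renamed.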
@@ -0,0 +1,42 @@ +opyright (C) 2014 Jason Trost + +# + +# This program is free software; you can redistribute it and/or + +# modify it under the terms of the GNU General Public License + +# as published by the Free Software Foundation; either version 2 + +# of the License, or (at your option) any later version. + +# + +# This program is distributed in the hope that it will be useful, + +# but WITHOUT ANY WARRANTY; without even the implied warranty of + +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + +# GNU General Public License for more details. + +# + +# You should have received a copy of the GNU General Public License + +# along with this program; if not, write to the Free Software + +# Foundation, Inc., + +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + + + +import json + + + +from normalizer.modules.basenormalizer import BaseNormalizer + + + + + +class BeesWax(BaseNormalizer): + + channels = ('beeswax.events',) + + + + def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True): + + o_data = json.loads(data) + + + + if ignore_rfc1918 and self.is_RFC1918_addr(o_data['source_ip']): + + return [] + + + + session = { + + 'timestamp': submission_timestamp, + + 'source_ip': o_data['source_ip'], + + 'source_port': int(o_data['source_port']), + + 'destination_ip': o_data['dest_ip'], + + 'destination_port': int(o_data['dest_port']), + + 'honeypot': 'beeswax', + + 'protocol': 'http' + + } + + relations = {'session': session} + + return [relations] diff --git a/normalizer/normalizer.py b/normalizer/normalizer.py old mode 100644 new mode 100755 index 1d05b5b..03c9fd8 --- a/normalizer/normalizer.py +++ b/normalizer/normalizer.py @@ -36,6 +36,7 @@ from modules import p0f_events from modules import suricata_events from modules import elastichoney_events +from modules import beeswax_events from bson import ObjectId import gevent
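Review bot: normalize() indexes o_data['source_ip'], ['source_port'], ['dest_ip'] and ['dest_port'] and casts both ports with int() without checking that the keys exist or that the values are numeric, so a single incomplete or malformed message on beeswax.events raises KeyError or ValueError out of the normalizer (json.loads(data) can raise on a non-JSON payload as well); whether the caller in normalizer.py catches that is outside this hunk. The RFC1918 check on o_data['source_ip'] has the same exposure when the key is absent, since it runs before anything is validated. I would validate the required keys and the port range explicitly and treat a malformed event like an ignored one (return []), as in the rewrite below, and state that contract in a docstring since the method currently has none. As rendered here the first line of the new file reads `opyright (C) 2014 Jason Trost` with no leading `# C`; if the committed file really starts that way the module fails to import with a SyntaxError, so please confirm the header. The hard-coded `'protocol': 'http'` is not derived from the event, so a one-line comment explaining why it is fixed would help the next reader.

```python
class BeesWax(BaseNormalizer):
    channels = ('beeswax.events',)

    # Keys every beeswax event must carry; an event without them is dropped.
    _REQUIRED = ('source_ip', 'source_port', 'dest_ip', 'dest_port')

    def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
        """Turn one beeswax.events JSON message into a session relation.

        Returns an empty list for events from RFC1918 sources (when
        ignore_rfc1918 is set) and for events that lack a required key or
        carry a non-numeric or out-of-range port, so one bad message does
        not abort processing of the feed.
        """
        o_data = json.loads(data)

        if not isinstance(o_data, dict) or any(key not in o_data for key in self._REQUIRED):
            return []
        try:
            source_port = int(o_data['source_port'])
            dest_port = int(o_data['dest_port'])
        except (TypeError, ValueError):
            return []
        if not (0 <= source_port <= 65535 and 0 <= dest_port <= 65535):
            return []

        if ignore_rfc1918 and self.is_RFC1918_addr(o_data['source_ip']):
            return []

        session = {
            'timestamp': submission_timestamp,
            'source_ip': o_data['source_ip'],
            'source_port': source_port,
            'destination_ip': o_data['dest_ip'],
            'destination_port': dest_port,
            'honeypot': 'beeswax',
            # Fixed rather than read from the event; the beeswax feed does not carry a protocol field (TODO confirm).
            'protocol': 'http'
        }
        return [{'session': session}]
```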