foospidy · February 25, 2019 13:37
diff --git a/honeydb-search-payloads.py b/honeydb-search-payloads.py
 #!/usr/bin/env python
 """
 # HoneyDB helper script:
 # honeydb-search-payloads.py
 # For a given array of strings, this script will search payloads for a match.
 # https://riskdiscovery.com/honeydb/threats#sensor_data_filtered
 # Edit the SEARCH_STRINGS variable to specify what you want to search for.
 # DATE is a required field for the API, and the default is today's date.
 # Edit the DATE variable to search on a specific date.
 # Requires:
 # - honeydb (https://pypi.org/project/honeydb/)
 #
 # Usage:
 #    $ export HONEYDB_API_ID=<your API ID>
 #    $ export HONEYDB_API_KEY=<your API Key>
 #    $ python honeydb-search-payloads.py
 #
 # On subsequent runs, provide an id to continue where you left off.
 #    $ python honeydb-search-payloads.py [from_id]
 """

 import os
 import sys
 import datetime
 from honeydb import api

 SEARCH_STRINGS = ['wget ', 'curl ']
 DATE = datetime.datetime.today().strftime('%Y-%m-%d')
 LOOP = True
 FROM_ID = 1
 LAST_ID = 0

 if 'HONEYDB_API_ID' not in os.environ:
    print 'HONEYDB API ID is required, run: export HONEYDB_API_ID=<Your ID Key>'
    sys.exit()

 if 'HONEYDB_API_KEY' not in os.environ:
    print 'HONEYDB API KEY is required, run: export HONEYDB_API_KEY=<Your API Key>'
    sys.exit()

 if len(sys.argv) > 1:
    FROM_ID = sys.argv[1]

 honeydb = api.Client(os.environ['HONEYDB_API_ID'], os.environ['HONEYDB_API_KEY'])

 while LOOP:
    response = honeydb.sensor_data(DATE, from_id=FROM_ID)
    # Payload data is first element in response array
    payloads = response[0]['data']
    # From ID is second element in response array
    FROM_ID = response[1]['from_id']

    for payload in payloads:
        # We only care about RX events
        if payload['event'] == 'RX':
            # Look for strings in the payload,
            # output decoded payload if there is a match
            for string in SEARCH_STRINGS:
                if string.encode('hex') in payload['data']:
                    print '{}'.format(payload['data'].decode('hex'))

    if FROM_ID == 0:
        LOOP = False
    else:
        LAST_ID = FROM_ID

 if LAST_ID != 0:
    print 'Next run: python honeydb-search-payloads.py {}'.format(LAST_ID)
 else:
    print 'No data. Try again later.'
	#!/usr/bin/env python
	"""
	# HoneyDB helper script:
	# honeydb-search-payloads.py
	# For a given array of strings, this script will search payloads for a match.
	# https://riskdiscovery.com/honeydb/threats#sensor_data_filtered
	# Edit the SEARCH_STRINGS variable to specify what you want to search for.
	# DATE is a required field for the API, and the default is today's date.
	# Edit the DATE variable to search on a specific date.
	# Requires:
	# - honeydb (https://pypi.org/project/honeydb/)
	#
	# Usage:
	# $ export HONEYDB_API_ID=<your API ID>
	# $ export HONEYDB_API_KEY=<your API Key>
	# $ python honeydb-search-payloads.py
	#
	# On subsequent runs, provide an id to continue where you left off.
	# $ python honeydb-search-payloads.py [from_id]
	"""

	import os
	import sys
	import datetime
	from honeydb import api

	SEARCH_STRINGS = ['wget ', 'curl ']
	DATE = datetime.datetime.today().strftime('%Y-%m-%d')
	LOOP = True
	FROM_ID = 1
	LAST_ID = 0

	if 'HONEYDB_API_ID' not in os.environ:
	print 'HONEYDB API ID is required, run: export HONEYDB_API_ID=<Your ID Key>'
	sys.exit()

	if 'HONEYDB_API_KEY' not in os.environ:
	print 'HONEYDB API KEY is required, run: export HONEYDB_API_KEY=<Your API Key>'
	sys.exit()

	if len(sys.argv) > 1:
	FROM_ID = sys.argv[1]

	honeydb = api.Client(os.environ['HONEYDB_API_ID'], os.environ['HONEYDB_API_KEY'])

	while LOOP:
	response = honeydb.sensor_data(DATE, from_id=FROM_ID)
	# Payload data is first element in response array
	payloads = response[0]['data']
	# From ID is second element in response array
	FROM_ID = response[1]['from_id']

	for payload in payloads:
	# We only care about RX events
	if payload['event'] == 'RX':
	# Look for strings in the payload,
	# output decoded payload if there is a match
	for string in SEARCH_STRINGS:
	if string.encode('hex') in payload['data']:
	print '{}'.format(payload['data'].decode('hex'))

	if FROM_ID == 0:
	LOOP = False
	else:
	LAST_ID = FROM_ID

	if LAST_ID != 0:
	print 'Next run: python honeydb-search-payloads.py {}'.format(LAST_ID)
	else:
	print 'No data. Try again later.'