Sunday, 11 October 2015

Modern Honey Network ArcSight content

Continuing from the previous post about installing our own Modern Honey Network... all that is needed now would be the content to make some use of the intelligence we get from it. The most simple scenario we can cover, is using the IP addresses caught on our honeypot to generate alerts when identified in other sensors of our network.

First things first, we need an Active List to store our data. This will be a Fields-based Active List with the following fields:
Malicious IP: type Address, sub-type IP Address
Comments: type String

Our active list should be set with a TTL of a week or so (again, up to you) so that it stays efficient and does not keep an IP flagged dirty forever. The Comments field, as you will see below, will be populated with the honeypot sensor that triggered the entry (Dionaea, Conpot, Snort or whatever).

The Alerting rule needs to follow the following conditions:
( Type != Correlation AND Device Product !=  MHN AND InActiveList("IP-Address-WatchList"))

Actions are up to you, but for simplicity's sake:
On First Event:
Set Event Field Actions 
name = Detected communication to IP address on WatchList
priority = 7

The Processing rule on the other hand would look something like this:
( Type != Correlation AND Device Product =  MHN AND Not InActiveList("IP-Address-WatchList"))

Actions would have to be:
On First Event:
Add To Active List
Field: Attacker Address
Field: Device Custom String1
Resource: IP-Address-WatchList
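
As an added illustration (not ArcSight content or code from the post), here is a small Python simulation of the two rules above and the TTL-bound active list they share: the processing rule populates the list from MHN events and the alerting rule fires on any other product's event that matches a listed address. Event field names mirror the ArcSight fields used above; the sample events, their timestamps and the "Firewall" product name are constructed.

```python
from datetime import datetime, timedelta
WATCHLIST_TTL = timedelta(days=7)   # "a week or so", as the post suggests

class ActiveList:
    """Fields-based list: Malicious IP -> (Comments, expiry time)."""
    def __init__(self, ttl):
        self.ttl, self.entries = ttl, {}
    def add(self, ip, comment, now):
        self.entries[ip] = (comment, now + self.ttl)
    def contains(self, ip, now):
        # An entry whose TTL has elapsed counts as absent, as it would in ArcSight.
        return ip in self.entries and now < self.entries[ip][1]

def processing_rule(event, wl, now):
    """Type != Correlation AND Device Product = MHN AND Not InActiveList"""
    ip = event["attackerAddress"]
    if (event["type"] != "Correlation" and event["deviceProduct"] == "MHN"
            and not wl.contains(ip, now)):
        # Add To Active List: Attacker Address + Device Custom String1 (the sensor).
        # Because of the Not InActiveList term a repeat hit does not refresh the TTL.
        wl.add(ip, event["deviceCustomString1"], now)

def alerting_rule(event, wl, now):
    """Type != Correlation AND Device Product != MHN AND InActiveList"""
    ip = event["attackerAddress"]
    if (event["type"] != "Correlation" and event["deviceProduct"] != "MHN"
            and wl.contains(ip, now)):
        return {"name": "Detected communication to IP address on WatchList",
                "priority": 7, "attackerAddress": ip, "sensor": wl.entries[ip][0]}
    return None

def run(events):
    # Replay events in time order through both rules; return the alerts raised.
    wl, alerts = ActiveList(WATCHLIST_TTL), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        now = datetime.fromisoformat(ev["ts"])
        processing_rule(ev, wl, now)
        if alert := alerting_rule(ev, wl, now):
            alerts.append(alert)
    return alerts

def _ev(ts, product, ip, sensor=""):   # builds one constructed sample event
    return {"ts": ts, "type": "Base", "deviceProduct": product,
            "attackerAddress": ip, "deviceCustomString1": sensor}
SAMPLE_EVENTS = [   # constructed samples, not real MHN or firewall output
    _ev("2015-10-11T10:00:00", "MHN", "198.51.100.7", "dionaea"),  # feeds the list
    _ev("2015-10-11T10:05:00", "Firewall", "198.51.100.7"),        # alert
    _ev("2015-10-11T10:06:00", "Firewall", "203.0.113.9"),         # never listed
    _ev("2015-10-19T10:00:00", "Firewall", "198.51.100.7"),        # TTL expired
]
```

Running run(SAMPLE_EVENTS) yields exactly one alert, for the firewall sighting inside the TTL; the sighting eight days after the honeypot hit is silent because the entry has expired and nothing refreshed it.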

And that's it, enjoy your fresh intel :) 

Modern Honey Network and ArcSight combo

The Modern Honey Network is a brilliant project that allows you to easily deploy honeypot sensors on your network. Since in my case we are working with a small lab behind NAT, we will end up with a large forwarding table and some restrictions on port options. The system I have built this on is an Ubuntu 14.04.3 server (64-bit).

System install:
I selected only a mail server and SSH during installation. One small detail: since the honeypot will take port 22, we need to change Port in /etc/ssh/sshd_config to 2222 or whatever you want (don't forget to service ssh restart afterwards).

Deploying is quite straightforward:
apt-get install git -y
cd /opt/ 
git clone 
cd mhn/scripts/ 

Everything should be fine at this point, and Nginx should be up and running:
/etc/init.d/nginx status

Check the rest of the services with:
/etc/init.d/supervisor status

And more detail:
supervisorctl status

Install the ArcSight connector script, which writes the data to /var/log/mhn/mhn-arcsight.log:
cd /opt/mhn/scripts/ 

Install some needed libraries to install the SmartConnector on the box:
apt-get install lib32z1 lib32ncurses5 lib32bz2-1.0 lib32stdc++6 

Configure the SmartConnector to read a CEF file and push the events to the Manager:
cd /opt/ArcSightSmartConnectors/current/bin/./

Log in with the credentials you created at http://<ip>:80 and deploy the following sensors (the ones that I managed to make work on the same box):

You might have noticed that there are some errors when you run supervisorctl now. Off to fix celery-worker:
supervisorctl status mhn-celery-worker 
mhn-celery-worker                FATAL      Exited too quickly (process log may have details) 
wordpot                          STOPPED    Oct 11 11:50 AM 

Let's see the errors:
cat /var/log/mhn/mhn-celery-worker.err 
IOError: [Errno 13] Permission denied: '/var/log/mhn/mhn.log'

This might not be best practice.. but it worked, and since this is a test VM.. I will accept the risk.
ls -all /var/log/mhn/mhn.log 
chmod 666 /var/log/mhn/mhn.log 
supervisorctl start mhn-celery-worker  
supervisorctl status mhn-celery-worker 
mhn-celery-worker                RUNNING    pid 25876, uptime 0:02:05

Change ports on wordpot:
sed -i '/PORT/s/80/81/g' /opt/wordpot/wordpot.conf 
supervisorctl start wordpot 
supervisorctl status wordpot 
wordpot                          RUNNING    pid 26029, uptime 0:00:07

Change ports on conpot:
sed -i '/port/s/80/82/g' /opt/conpot/env/src/conpot/conpot/templates/default/http/http.xml 
supervisorctl restart conpot 

Now things should be looking better:
root@mhn:~# supervisorctl status 
conpot                           RUNNING    pid 4208, uptime 0:00:06 
dionaea                          RUNNING    pid 1174, uptime 0:38:54 
geoloc                           RUNNING    pid 1180, uptime 0:38:53 
honeymap                         RUNNING    pid 1199, uptime 0:38:53 
hpfeeds-broker                   RUNNING    pid 1177, uptime 0:38:54 
hpfeeds-logger-arcsight          RUNNING    pid 1173, uptime 0:38:54 
kippo                            RUNNING    pid 1185, uptime 0:38:53 
mhn-celery-beat                  RUNNING    pid 1172, uptime 0:38:54 
mhn-celery-worker                RUNNING    pid 1190, uptime 0:38:53 
mhn-collector                    RUNNING    pid 1192, uptime 0:38:53 
mhn-uwsgi                        RUNNING    pid 1187, uptime 0:38:53 
mnemosyne                        RUNNING    pid 1179, uptime 0:38:53 
snort                            RUNNING    pid 1186, uptime 0:38:53 
wordpot                          RUNNING    pid 2076, uptime 0:34:00 

Very simple and easy to hook up to ArcSight. All we need now is some content for the feed.. probably feeding the output into an active list for later consumption by other content, or something like that... enough for now.