Sunday, 11 October 2015

Modern Honey Network and ArcSight combo

The Modern Honey Network is a brilliant project that allows you to easily deploy honeypot sensors on your network. Since in my case we are working with a small lab behind NAT, we will end up with a large port-forwarding table and some restrictions on port choices. The system I have built this on is an Ubuntu 14.04.3 server (64bit).

System install:
I have selected a mail server and SSH only in the installation. Small detail: since we will be adding port 22 for the honeypot, we need to change the Port setting in /etc/ssh/sshd_config to 2222 or whatever you want (don't forget to service ssh restart afterwards).

Deploying is quite straightforward:
apt-get install git -y
cd /opt/ 
git clone https://github.com/threatstream/mhn.git 
cd mhn/scripts/ 
./install_hpfeeds.sh 
./install_mnemosyne.sh 
./install_honeymap.sh 
./install_mhnserver.sh 

Everything should be fine at this point and Nginx should be up and running:
/etc/init.d/nginx status

Check the rest of the services with:
/etc/init.d/supervisor status

And more detail:
supervisorctl status

Install the ArcSight connector script, which writes the sensor data as CEF to /var/log/mhn/mhn-arcsight.log:
cd /opt/mhn/scripts/ 
./install_hpfeeds-logger-arcsight.sh

Install some libraries needed to run the SmartConnector installer on the box:
apt-get install lib32z1 lib32ncurses5 lib32bz2-1.0 lib32stdc++6 
./ArcSight-7.1.1.7348.0-Connector-Linux.bin

Configure the SmartConnector to read a CEF file and push the events to the Manager:
cd /opt/ArcSightSmartConnectors/current/bin/
./runagentsetup.sh
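Before pointing the SmartConnector at the file, it is worth checking what the logger actually writes. The parser below is an added example, not code from MHN or from the post: it splits CEF lines into their seven header fields and the key=value extension (handling the escaped pipe, backslash and equals signs the CEF format defines) and counts events per sensor and per source address. The sample lines, their vendor/product/signature values and the extension keys are constructed for the example; the real mhn-arcsight.log will use the logger's own values.

```python
"""Parse CEF lines like the ones hpfeeds-logger-arcsight writes and summarise them."""
import re
import sys
from collections import Counter
from typing import Dict, List, Optional

# The seven CEF header fields that precede the extension.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# An extension key: starts at a whitespace boundary and is followed by '='.
EXT_KEY = re.compile(r"(?<!\S)([A-Za-z0-9_.]+)=")

# Constructed sample feed (NOT real MHN output): vendor, product, signature ids,
# extension keys and addresses are made up for this example.
SAMPLE_LOG = """\
CEF:0|MHN|kippo|1.0|ssh.session|SSH login attempt|5|src=198.51.100.23 spt=51522 dst=10.0.0.5 dpt=22 suser=root msg=Password\\=hunter2
CEF:0|MHN|dionaea|1.0|dionaea.connections|Connection seen|3|src=203.0.113.7 spt=40001 dst=10.0.0.5 dpt=445 proto=tcp
CEF:0|MHN|conpot|1.0|conpot.events|Modbus\\|HTTP request|4|src=198.51.100.23 spt=43210 dst=10.0.0.5 dpt=82 request=GET /
this line is not CEF at all and must be skipped
"""


def _split_header(text: str, max_fields: int = 7) -> List[str]:
    # Split the first max_fields header fields on unescaped pipes; a backslash
    # before a pipe or another backslash is an escape. The remainder (the
    # extension, where pipes are not special) is returned as the last element.
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text) and len(fields) < max_fields:
        c = text[i]
        if c == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            cur.append(text[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    fields.append("".join(cur) + text[i:])
    return fields


def _unescape_ext(value: str) -> str:
    # Extension escapes: backslash before '=', backslash, 'r' or 'n'.
    return re.sub(r"\\([=\\rn])",
                  lambda m: {"r": "\r", "n": "\n"}.get(m.group(1), m.group(1)),
                  value)


def _parse_extension(ext: str) -> Dict[str, str]:
    # 'k1=v1 k2=v2 ...' -> dict; a value runs until the next key boundary,
    # so values containing spaces (e.g. request=GET /) survive.
    out: Dict[str, str] = {}
    keys = list(EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> Optional[Dict]:
    """Parse one CEF line (any syslog prefix before 'CEF:' is ignored).
    Returns None for non-CEF lines or lines missing header fields."""
    start = line.find("CEF:")
    if start < 0:
        return None
    parts = _split_header(line.rstrip("\r\n")[start + 4:])
    if len(parts) < 8:
        return None
    record: Dict = dict(zip(HEADER_FIELDS, parts[:7]))
    record["extension"] = _parse_extension(parts[7])
    return record


def summarize(lines) -> Dict[str, Dict[str, int]]:
    """Count events per sensor (device_product) and per source address."""
    by_product, by_src = Counter(), Counter()
    for line in lines:
        rec = parse_cef(line)
        if rec is None:
            continue
        by_product[rec["device_product"]] += 1
        src = rec["extension"].get("src")
        if src:
            by_src[src] += 1
    return {"by_product": dict(by_product), "by_src": dict(by_src)}


if __name__ == "__main__":
    # Pass the real file (/var/log/mhn/mhn-arcsight.log) as argv[1]; without
    # an argument the constructed sample above is summarised.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(summarize(fh))
    else:
        print(summarize(SAMPLE_LOG.splitlines()))
```

The same split is what the SmartConnector's CEF file reader has to do, so if this script returns None for most lines of the real log, the connector will struggle with them too; that is the moment to look at the logger output rather than the connector configuration.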

Log in with the credentials you created at http://<ip>:80 and deploy the following sensors (the ones that I managed to get working on the same box):
Conpot
Dionaea
Wordpot
Snort
Kippo

You might have noticed that there are some errors when you run supervisorctl now. Off to fix the celery worker:
supervisorctl status mhn-celery-worker 
mhn-celery-worker                FATAL      Exited too quickly (process log may have details) 
wordpot                          STOPPED    Oct 11 11:50 AM 

Let's see the errors:
cat /var/log/mhn/mhn-celery-worker.err 
IOError: [Errno 13] Permission denied: '/var/log/mhn/mhn.log'

This might not be best practice, but it worked, and since this is a test VM I will accept the risk.
ls -all /var/log/mhn/mhn.log 
chmod 666 /var/log/mhn/mhn.log 
supervisorctl start mhn-celery-worker  
supervisorctl status mhn-celery-worker 
mhn-celery-worker                RUNNING    pid 25876, uptime 0:02:05

Change the port on wordpot from 80 to 81:
sed -i '/PORT/s/80/81/g' /opt/wordpot/wordpot.conf 
supervisorctl start wordpot 
supervisorctl status wordpot 
wordpot                          RUNNING    pid 26029, uptime 0:00:07

Change the HTTP port on conpot from 80 to 82:
sed -i '/port/s/80/82/g' /opt/conpot/env/src/conpot/conpot/templates/default/http/http.xml 
supervisorctl restart conpot 

Now things should be looking better:
root@mhn:~# supervisorctl status 
conpot                           RUNNING    pid 4208, uptime 0:00:06 
dionaea                          RUNNING    pid 1174, uptime 0:38:54 
geoloc                           RUNNING    pid 1180, uptime 0:38:53 
honeymap                         RUNNING    pid 1199, uptime 0:38:53 
hpfeeds-broker                   RUNNING    pid 1177, uptime 0:38:54 
hpfeeds-logger-arcsight          RUNNING    pid 1173, uptime 0:38:54 
kippo                            RUNNING    pid 1185, uptime 0:38:53 
mhn-celery-beat                  RUNNING    pid 1172, uptime 0:38:54 
mhn-celery-worker                RUNNING    pid 1190, uptime 0:38:53 
mhn-collector                    RUNNING    pid 1192, uptime 0:38:53 
mhn-uwsgi                        RUNNING    pid 1187, uptime 0:38:53 
mnemosyne                        RUNNING    pid 1179, uptime 0:38:53 
snort                            RUNNING    pid 1186, uptime 0:38:53 
wordpot                          RUNNING    pid 2076, uptime 0:34:00 
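Since every sensor on this box is a supervisord program, a quick check that reads supervisorctl status and reports anything not RUNNING saves scrolling through the listing after each change. This is an added example, not part of the post or of MHN; the sample output is constructed from the states shown above, and the script only calls supervisorctl when run on the MHN server itself.

```python
"""Flag supervisor-managed MHN services that are not in the RUNNING state."""
import subprocess
import sys
from typing import List, Tuple

# Constructed sample, modelled on the 'supervisorctl status' listing in the
# post: name, state, then free-form detail.
SAMPLE_STATUS = """\
conpot                           RUNNING    pid 4208, uptime 0:00:06
mhn-celery-worker                FATAL      Exited too quickly (process log may have details)
wordpot                          STOPPED    Oct 11 11:50 AM
hpfeeds-logger-arcsight          RUNNING    pid 1173, uptime 0:38:54
"""

Row = Tuple[str, str, str]  # (program name, state, detail)


def parse_status(text: str) -> List[Row]:
    """Split each status line into (name, state, detail); skip malformed lines."""
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        detail = parts[2] if len(parts) == 3 else ""
        rows.append((parts[0], parts[1], detail))
    return rows


def unhealthy(text: str) -> List[Row]:
    """Every program whose supervisord state is anything other than RUNNING
    (STOPPED, FATAL, EXITED, BACKOFF, STARTING, STOPPING, UNKNOWN)."""
    return [row for row in parse_status(text) if row[1] != "RUNNING"]


def live_status() -> str:
    """Ask supervisorctl on the box (run as root, as in the post)."""
    proc = subprocess.run(["supervisorctl", "status"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    # With --sample the constructed listing is checked; otherwise the live one.
    text = SAMPLE_STATUS if "--sample" in sys.argv else live_status()
    problems = unhealthy(text)
    for name, state, detail in problems:
        print(f"{name}: {state} ({detail})")
    # Non-zero exit so a cron job or a wrapper script notices.
    sys.exit(1 if problems else 0)
```

The FATAL row is the celery worker case from earlier in the post; when the script reports one, the next stop is that program's .err file under /var/log/mhn/, as above.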

Very simple and easy to hook up to ArcSight. All we need now is some content for the feed, probably feeding the output into an active list for later consumption by other content, or something like that. Enough for now.

:)
