mhn's People

Contributors

aabed, andrewsmhay, antelox, bafbomb, birkan-d, bjh7242, ch40s, cloughrm, d1str0, dependabot-support, ducky1987, erwanlr, gregcmartin, h0ffayyy, hiperesfera, jatrost, joeneldeasis, karlnewell, maf23, mattcarothers, miqueet, mwollenweber, notmike, orhiee, s-maloney, sbilly, serpulga, ttarnowski, wrharding, zeroq


mhn's Issues

Changing mhnserver config?

I've deployed the server using the Vagrant method, but the private network IP 10.254.254.100 isn't accessible from other machines for deployment.
I've changed the Vagrant config so that the server and honeypot get their IPs from the LAN DHCP, but I can't find a way to update the mhnserver config.
Re-running the install_mhnserver.sh script produces an error.

Is there a simple way to update the server config? Or just to replace the old IP with a new one?

Change dionaea deploy to use GH

It might be better to deploy dionaea from a fork on GH with all the patches and config pre-applied. This one looks like a good start: https://github.com/rep/dionaea, since it has the hpfeeds patch applied. I will make a GH issue for this. It seems like a better way to install across Ubuntu versions.

Attacks Report only shows the first 10

My "Sensors" screen shows 14 attacks for a 'snort' sensor, but drilling into that '14' number gets me to the Attacks Report, where I see just 10 entries with no "Next" link or scrollbar to see more. (Tested on both Chrome 35.0.1916.153 m and Firefox 30.0)

Add support for Project Nova

https://github.com/DataSoft/Nova

I have the deploy script all set up and everything installs/runs properly; I just have no idea how to integrate hpfeeds into the whole thing. The actual honeypot in use for Project Nova is honeyd, however the information compiled together by Nova is more useful than the raw honeyd logs.

Anyway, this is just an idea. If anyone wants to help out, I can give you the deploy code I have already written.

Sensor IP address change is not reflected on the server.

My end goal with your software is to be able to deploy a honeypot onto a raspberry pi, then ship those devices to our branch locations and have local IT plug the sensors into the network there for monitoring.

The issue appears after the initial setup phase. After running the deploy script on my sensor, the IP address of the sensor is recorded in MHN. If I then power down the sensor and take it to a different subnet the IP address of that sensor changes, however the MHN server has no idea this change has taken place. I can simulate alerts on the sensor and I will receive no updates on the server side. Is there any way to update this manually or preferably automatically?

Cuckoo support

It would be a major plus if the malware captured by a honeypot like Dionaea could be sent to a Cuckoo sandbox running behind it.

MHN Server Website interface only map

Hi,
I was trying to install mhn on Xubuntu 14.04 64-bit. I ran all the scripts and everything was installed correctly.

But when I access the website I can only see the map. The top banner with settings and login does not appear. Any idea about that? I tried accessing it from different browsers and it's the same.

All the services are running:
geoloc RUNNING pid 35687, uptime 0:43:18
honeymap RUNNING pid 35688, uptime 0:43:18
hpfeeds-broker RUNNING pid 15643, uptime 0:51:13
mhn-celery-beat RUNNING pid 38140, uptime 0:03:08
mhn-celery-worker RUNNING pid 38141, uptime 0:03:07
mhn-collector RUNNING pid 38142, uptime 0:03:07
mhn-uwsgi RUNNING pid 38147, uptime 0:03:07
mnemosyne RUNNING pid 33769, uptime 0:46:49

Thanks for everything, and for the incredible project.

Glastopf not reporting back to mhn?

Hi again,
I just deployed the mhn server on Xubuntu 14.04, and everything was OK. After that I deployed a glastopf honeypot with the script on Xubuntu 12.04.

If I access it from the Xubuntu 12.04 machine I can see the website served by glastopf, and attacks from localhost (127.0.0.1) appear in the mhn server, but if I access this website from a different machine nothing appears in the mhn server.

I can see the access from the third machine in the glastopf log, but this attack is not sent to the mhn server.

Any ideas?

Thanks for all,
Carlos

Conpot not reporting back to mhn?

Executed this command on the conpot host: snmpwalk -Os -c public -v 1 localhost system, and I saw activity in /opt/conpot/conpot.log... Netstat shows that conpot has a connection back to mhn on port 10000... Should the snmp walk be enough to trigger an event? Is there a better way to test conpot?

CSRF vulnerability in change admin password form

POST /auth/changepass/?user_id=1 HTTP/1.1
...
Accept: */*
Content-Type: application/json
{"password":"NewPassFromHacker","password_repeat":"NewPassFromHacker"}

Vulnerability discovered by:
Laurent Oudot from TEHTRI-Security
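The report above shows the change-password endpoint accepting a JSON POST on the strength of the session cookie alone, which a browser attaches to any request a third-party page triggers. The following is an added example, not MHN's own code: the endpoint modelled once as reported and once with two independent CSRF checks (an exact Origin/Referer comparison and a per-session synchroniser token), run against a constructed replica of the quoted request. Request dicts, the `X-CSRF-Token` header name, `SESSION_TOKENS` and the function names are assumptions; the Vagrant address comes from the page's own documentation.

```python
"""Added example (not MHN's own code): the change-password endpoint from the
report modelled as reported (session cookie only) and with CSRF defences,
run against a constructed replica of the quoted cross-site POST.
Requests are plain dicts; function and constant names are assumptions."""
import hmac
import secrets
from typing import Dict
from urllib.parse import urlsplit

# Constructed: one logged-in admin session and its per-session CSRF token.
# A real app keeps these server-side and mints them with secrets.token_urlsafe.
SESSION_TOKENS: Dict[str, str] = {"sess-admin": secrets.token_urlsafe(32)}

# Assumed site origin; 10.254.254.100 is the Vagrant address the page's docs use.
ALLOWED_ORIGIN = "http://10.254.254.100"


def issue_csrf_token(session_id: str) -> str:
    """Token the legitimate form or XHR must echo back with the request."""
    return SESSION_TOKENS[session_id]


def _change_password(body: dict) -> str:
    if body.get("password") != body.get("password_repeat"):
        return "400 passwords differ"
    return "200 password changed"


def vulnerable_changepass(request: dict) -> str:
    """As reported: only the session cookie is checked, and the browser attaches
    that cookie to a POST regardless of which page issued it."""
    if request["cookies"].get("session") not in SESSION_TOKENS:
        return "401 not logged in"
    return _change_password(request["json"])


def same_origin(url: str, allowed: str) -> bool:
    """Exact scheme+host comparison; a prefix check would accept look-alike hosts."""
    u, a = urlsplit(url), urlsplit(allowed)
    return bool(u.netloc) and (u.scheme, u.netloc) == (a.scheme, a.netloc)


def hardened_changepass(request: dict) -> str:
    """Same endpoint with two independent CSRF checks in front of the change."""
    session_id = request["cookies"].get("session")
    if session_id not in SESSION_TOKENS:
        return "401 not logged in"
    headers = request["headers"]
    # 1. Origin (falling back to Referer) must be this site. Browsers set Origin
    #    on cross-site POSTs and page scripts cannot override it; absent is rejected.
    if not same_origin(headers.get("Origin") or headers.get("Referer", ""), ALLOWED_ORIGIN):
        return "403 bad origin"
    # 2. Synchroniser token: a cross-site page cannot read the victim's token,
    #    so it cannot send it. Constant-time compare avoids a timing side channel.
    presented = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(presented, SESSION_TOKENS[session_id]):
        return "403 missing or wrong CSRF token"
    return _change_password(request["json"])


def forged_request() -> dict:
    """Constructed replica of the POST quoted in the report as a victim's browser
    would emit it from a third-party page: cookie attached, foreign Origin, no token."""
    return {
        "cookies": {"session": "sess-admin"},
        "headers": {"Origin": "http://third-party.example", "Content-Type": "application/json"},
        "json": {"password": "NewPassFromHacker", "password_repeat": "NewPassFromHacker"},
    }


def legitimate_request() -> dict:
    """Constructed request from the site's own settings page."""
    return {
        "cookies": {"session": "sess-admin"},
        "headers": {"Origin": ALLOWED_ORIGIN, "Content-Type": "application/json",
                    "X-CSRF-Token": issue_csrf_token("sess-admin")},
        "json": {"password": "correct horse", "password_repeat": "correct horse"},
    }


if __name__ == "__main__":
    print("vulnerable, forged :", vulnerable_changepass(forged_request()))
    print("hardened,   forged :", hardened_changepass(forged_request()))
    print("hardened,   genuine:", hardened_changepass(legitimate_request()))
```

The two checks are deliberately independent: the Origin comparison catches the forged request even when the token layer is misconfigured, and the token catches requests whose Origin header a proxy has stripped. Either check alone would have rejected the request in the report.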

CRC check failed after sudo ./install_mhnserver.sh

Exact error:
IOError: CRC check failed 0x808f37b != 0x9423e077L

I get the above error while running the install_mhnserver.sh, after filling in the MHN configuration info. This happens on both the Vagrant Install, and a fresh Ubuntu 14.04.1 Server VBox Install.

HoneyMap Javascript Uncaught TypeError: Cannot read property 'name' of undefined

Console Error Dump from Chrome:

Uncaught TypeError: Cannot read property 'name' of undefined (jquery-jvectormap-1.0.min.js:7)
jvm.WorldMap.getRegionName (jquery-jvectormap-1.0.min.js:7)
Honeymap.regionName (VM158 honeymap.js:100)
Marker.regionName (VM158 honeymap.js:268)
Feed.addLog (VM158 honeymap.js:349)
Feed.handler (VM158 honeymap.js:338)
(anonymous function) (VM158 honeymap.js:12)
socket.onmessage (VM158 honeymap.js:302)
REventTarget.dispatchEvent (sockjs-0.3.js:84)
SockJS._dispatchMessage (sockjs-0.3.js:1025)
SockJS._didMessage (sockjs-0.3.js:1083)
that.ws.onmessage (sockjs-0.3.js:1215)

I'm not sure why this exception is being thrown but I'm almost positive that the feeds are being created properly. This exception is also thrown every time an event comes into the geoloc.events feed.

Incomplete doc "Deploying Dionaea on a Raspberry Pi"

Hi

I tried to follow your guide to install MHN/Dionaea on my Raspberry Pi.

But I can't find how to install MHN.

"Go to the MHN web interface. For example, if I followed this guide, I would type in http://10.254.254.100 into my web browser. Click on the "Deploy" tab and select "Raspberry Pi Dionaea" from the drop down menu."

This part isn't clear for me. Should I install Vagrant ?

Add support for Ansible playbook deployment of "sensors"

"Ansible is an open-source software platform for configuring and managing computers. It combines multi-node software deployment, ad hoc task execution, and configuration management. It manages nodes over SSH and does not require any additional remote software (except Python 2.4 or later) to be installed on them"
-- http://en.wikipedia.org/wiki/Ansible_(software)

It would be great to have the ability to add sensors with Ansible instead of the actual script.

I can help if needed.

Need to disable a rule, impossible to find it

This is a DHCP broadcast from nodes on the same subnet... Snort is interpreting it as an attack. We'd like to disable this rule, but we can't find it in the interface. Is there an easy way to find this rule?

2014-09-09T08:08:48.726006  fc0446ee-1c0e-11e4-aa64-00163eec95e2    0.0.0.0 67  2   Potentially Bad Traffic BAD-TRAFFIC same SRC/DST

No attacks shown in MHN dashboard from Snort sensor

  • Snort sensor has been deployed and is listed under sensors (/ui/sensors/)
  • Sensor is an internal honeypot, so following the troubleshooting guide I configured mnemosyne appropriately (ignore_rfc1918 = False)
  • Server and sensor are behind a web proxy which is bypassed for local addresses
  • I generated traffic and alerts are logged locally on the sensor under /var/log/snort
  • services on MHN server are up and running
  • no problem with IPTables
  • tcpdump showed me the traffic to/from port 10000 between the sensor and the server
  • db.session.find() of mnemosyne DB is empty
  • hpfeeds DB contains the correct identifier and secret
  • mnemosyne.err log continuously writes this:

2014-07-17 14:05:26,857 (feedpuller.feedpuller) No activity for 15 seconds, forcing reconnect
2014-07-17 14:05:41,858 (feedpuller.feedpuller) No activity for 15 seconds, forcing reconnect
2014-07-17 14:05:56,859 (feedpuller.feedpuller) No activity for 15 seconds, forcing reconnect

  • No other suspicious entries in the other logs

Do you have any idea why /ui/attacks/ is empty and I do not see any attacks in the MHN dashboard?

Port 8080 not open on mhn server

I've been wrestling with an issue where port 8080 doesn't appear to be listening on the mhn server, which blocks me from installing remote sensors.

My test server and test sensor are Ubuntu 12.0.4 (Precise) VM guests running on the same virtual host. I created a bridged connection for the mhn server, and I can access the management page (port 80) and honeynet page (port 3000) from the local network. The status checks (described under "Running" in the readme) match the known good configuration. In every case, the output of netstat --listen shows that port 8080 is not listening, and nmap run from another system shows the same result.

Also, the log files I found don't contain any data obviously relevant to this issue.

Any ideas?

dionaea honeypot isn't listening?

Ubuntu 12.04 LXC container running on top of Ubuntu 14.04. Deployed a dionaea honeypot and was expecting it to listen on multiple ports, like 3306. Is there a config problem or is it supposed to do this?

root@dionaea:/usr/local/bin# netstat -lp | grep dionaea
udp        0      0 *:47582                 *:*                                 318/dionaea   

Attacks Report, More Details

The Attacks Report page contains 7 fields: number, date, country, IP, port, protocol, honeypot.
On the Map page, when an event happens I get slightly more detail (at least from dionaea), including the event type (connection vs capture), and if it's a capture, I get a hash and a link to VT.

This event type (connection vs capture) and hash of uploaded file are not available on any page except the Map. The data on the map is volatile, therefore a refresh or lot of activity would make this data disappear from the GUI.

In the Attacks Report, I'd like to have this information. I realize it may vary for each type of sensor, so maybe an Attack Type field (this could be connection vs capture; for snort maybe the category of the hit?), and a Details field (this could have the file hash link, and maybe different info for each sensor type).

I don't necessarily require the ability to search/filter on these fields. I think that gets more into the Splunk realm, but just showing the data would be useful.

conpot Dst port

Really appreciate this project. I want to verify whether others' conpot sensors report back to the dashboard with 'Dst port' = 502 regardless of which actual port was used. Tested with wget (Dst port = 502, Protocol = http); tested with NMAP/modbus-discover.nse (Dst port = 502, Protocol = modbus). Thanks.

Honeymap: render events from private IP space if Geo is known

Users want to see events from private IP rendered on honeymap and they often know the GEO info for their private IPs.

Enable users to create a private IP space IP geo source.

Enrich events with this IP geo source so they can be rendered on honeymap.
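The request above is for an operator-supplied geo source covering private address space, consulted when the normal GeoIP step has nothing for an RFC 1918 source. The block below is an added example, not Honeymap's or MHN's code: it validates a small CIDR-to-location table, resolves a source address to its most specific entry (longest prefix first), and enriches geoloc-style events so only those with a location are handed to the map, leaving unmapped private ranges skipped as they are today. The event field names (`src_ip`, `src_geo`, `geo_source`), the table contents and the sample events are constructed assumptions.

```python
"""Added example, not Honeymap's or MHN's code: a user-supplied geo source for
private address space and the enrichment step that would feed the map.
Event field names (src_ip, src_geo) and the CIDR table are assumptions."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed geo source an operator would keep in a config file: one entry per
# site, where a more specific prefix overrides a broader one.
PRIVATE_GEO_SOURCE = [
    ("10.1.0.0/16",    {"city": "Head office",    "latitude": 51.5074, "longitude": -0.1278}),
    ("10.1.42.0/24",   {"city": "HO server room", "latitude": 51.5080, "longitude": -0.1270}),
    ("192.168.7.0/24", {"city": "Branch 7",       "latitude": 53.4808, "longitude": -2.2426}),
]

# The RFC 1918 blocks that mnemosyne's ignore_rfc1918 option refers to.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def build_table(source) -> List[Tuple[ipaddress.IPv4Network, dict]]:
    """Validate the CIDRs (strict=True rejects host bits set) and order them
    longest prefix first so a linear scan returns the most specific match."""
    table = [(ipaddress.ip_network(cidr, strict=True), geo) for cidr, geo in source]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_private_geo(ip: str, table) -> Optional[dict]:
    """Geo record for a private source address, or None if the operator has not
    mapped that range (those events keep being skipped, as today)."""
    if not is_rfc1918(ip):
        return None                     # public addresses use the normal GeoIP path
    addr = ipaddress.ip_address(ip)
    for net, geo in table:
        if addr in net:
            return dict(geo)
    return None


def enrich(event: dict, table) -> dict:
    """Copy of the event with src_geo filled from the private source when the
    public GeoIP step left it empty."""
    out = dict(event)
    if out.get("src_geo"):
        return out                      # already geolocated, nothing to add
    geo = lookup_private_geo(out["src_ip"], table)
    if geo is not None:
        out["src_geo"] = geo
        out["geo_source"] = "private"   # lets the UI label operator-supplied locations
    return out


def renderable(events, table) -> List[dict]:
    """Events the map can plot after enrichment, i.e. those with a geo record."""
    return [e for e in (enrich(ev, table) for ev in events) if e.get("src_geo")]


# Constructed events in the shape of the geoloc feed (field names are assumptions).
SAMPLE_EVENTS = [
    {"src_ip": "10.1.42.9",    "dst_port": 445, "honeypot": "dionaea"},
    {"src_ip": "10.1.3.77",    "dst_port": 80,  "honeypot": "glastopf"},
    {"src_ip": "192.168.99.5", "dst_port": 22,  "honeypot": "kippo"},   # unmapped private range
    {"src_ip": "203.0.113.8",  "dst_port": 502, "honeypot": "conpot",
     "src_geo": {"city": "Somewhere", "latitude": 0.0, "longitude": 0.0}},
]

if __name__ == "__main__":
    for ev in renderable(SAMPLE_EVENTS, build_table(PRIVATE_GEO_SOURCE)):
        print(ev["src_ip"], ev["honeypot"], ev["src_geo"]["city"], ev.get("geo_source", "geoip"))
```

The `geo_source` marker matters for honest reporting: a point plotted from an operator's table is where the operator says that subnet lives, not where a GeoIP database resolved it, and the dashboard should be able to tell the two apart.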

CEF support

You have mentioned CEF will be supported.
Is somebody actively working on it? Is there any estimated date maybe?

No attack reported after nmap on dionaea honeypot

I don't get any attack report after following the basic vagrant install and launching nmap on both the raspberrypi-dionaea and mhn-honeypot-dionaea connected sensors.

Am I missing something?

I guess there's no problem in installing other sensor types on the same devices on which Dionaea has been deployed, right?

Shockpot Socket Error

The default shockpot.conf file starts it up on port 80, but port 80 will already be in use by the mhn interface. This causes shockpot to throw a "socket.error: [Errno 98] Address already in use". Is this a bug in the installation or somehow the way I have installed mhn+shockpot? I will test on a fresh system when I have time.

ERROR (abnormal termination) - mnemosyne & hpfeeds-broker

Hi guys !

Just did a fresh install on Ubuntu Server 14.04 and get this error:
"FATAL - ERROR (abnormal termination)"
on mnemosyne & hpfeeds-broker (the others are good).

Tried to stop/start but still the same problem.

Thanks for your help !

Blank superuser email and password fails

If the superuser email and password are left blank when configuration takes place in install_mhnserver.sh, you cannot login with blank email and password and cannot change them by rerunning the install script.

The fields should be marked required and sanity checked for input.

Thank you.

Check Repositories in scripts

Make sure multiverse is enabled in /etc/apt/sources.list for at least the Conpot script. Perhaps also add some 'sudo's where necessary in the scripts.

Can't get Attacks to display

I can't seem to get the dionaea sensor to show up under attacks in the web console. I've followed all of the troubleshooting steps. Port 10000 seems to be open, displays banner in netcat, and I can see the traffic in tcpdump on both the server and sensor. hpfeeds-broker.err last entries are:

INFO:root:Database ready.
INFO:root:Auth success by .
INFO:root:Auth success by honeymap.
INFO:root:Auth success by .
INFO:root:Auth success by collector.
INFO:root:Auth success by geoloc.
INFO:root:Auth success by mnemosyne.

I turned DEBUG on in the /opt/mhn/server/config.py and restarted but still just that.

I have 80/tcp, 8181/tcp, 3000/tcp, 10000/tcp open from sensor to server, and all tcp and udp the other way. I tried opening everything from sensor to server also, just in case, but no effect.

What else can I do?

nginx "504 Gateway Time-out" error for dashboard/attacks pages

When I open the "ui/dashboard/" or "/ui/attacks/" pages I get "504 - Gateway time-out" errors, while navigating through the rest of the site I don't have any problems.
I have 1 sensor connected with 356 attacks logged.

The error.log of nginx contains the following lines:

2014/07/18 13:48:30 [error] 3068#0: *1 upstream timed out (110: Connection timed out) while reading response header from upstream, client: A.B.C.D, server: _, request: "GET /ui/dashboard/ HTTP/1.1", upstream: "uwsgi://unix:/tmp/uwsgi.sock:", host: "127.0.0.1:X"
2014/07/18 13:55:48 [error] 3107#0: *1 upstream timed out (110: Connection timed out) while reading response header from upstream, client: A.B.C.D, server: _, request: "GET /ui/attacks/ HTTP/1.1", upstream: "uwsgi://unix:/tmp/uwsgi.sock:", host: "127.0.0.1:X"

I tried restarting the nginx and other services, I increased some thresholds in nginx.conf, I rebooted the server, I added "proxy_read_timeout 150;" in "/etc/nginx/sites-available/default" under "location @mhnserver" but none of the above resolved the problem.
