Modern Honey Network and ArcSight combo
The Modern Honey Network is a brilliant project that allows you to easily deploy honeypot sensors on your network. Since in my case we are working with a small lab behind NAT, we will end up with a large forwarding table and some restrictions on port options. The system I have built this on is an Ubuntu 14.04.3 server (64-bit).
System install:
I selected only a mail server and SSH during installation. One small detail: since we will be adding port 22 for the honeypot, we need to change Port in /etc/ssh/sshd_config to 2222 (or whatever you want); don't forget to run service ssh restart afterwards.
Deploying is quite straightforward:
apt-get install git -y
cd /opt/
git clone https://github.com/threatstream/mhn.git
cd mhn/scripts/
./install_hpfeeds.sh
./install_mnemosyne.sh
./install_honeymap.sh
./install_mhnserver.sh
Everything should be fine at this point and Nginx should be up and running:
/etc/init.d/nginx status
Check the rest of the services with:
/etc/init.d/supervisor status
And more detail:
supervisorctl status
Install the ArcSight connector script, which writes the data to /var/log/mhn/mhn-arcsight.log:
cd /opt/mhn/scripts/
./install_hpfeeds-logger-arcsight.sh
Install some needed libraries to install the SmartConnector on the box:
apt-get install lib32z1 lib32ncurses5 lib32bz2-1.0 lib32stdc++6
./ArcSight-7.1.1.7348.0-Connector-Linux.bin
Configure the Smart Connector to read a CEF File and push to the Manager:
cd /opt/ArcSightSmartConnectors/current/bin/
./runagentsetup.sh
Log in with the credentials you created at http://<ip>:80 and deploy the following sensors (the ones that I managed to make work on the same box):
Conpot
Dionaea
Wordpot
Snort
Kippo
You might have noticed that there are some errors when you run supervisorctl now. Off to fix celery-worker:
supervisorctl status mhn-celery-worker
mhn-celery-worker FATAL Exited too quickly (process log may have details)
wordpot STOPPED Oct 11 11:50 AM
Let's see the errors:
cat /var/log/mhn/mhn-celery-worker.err
IOError: [Errno 13] Permission denied: '/var/log/mhn/mhn.log'
This might not be best practice (the log file ends up world-writable), but it worked, and since this is a test VM I will accept the risk.
ls -al /var/log/mhn/mhn.log
chmod 666 /var/log/mhn/mhn.log
supervisorctl start mhn-celery-worker
supervisorctl status mhn-celery-worker
mhn-celery-worker RUNNING pid 25876, uptime 0:02:05
Change ports on wordpot:
sed -i '/PORT/s/80/81/g' /opt/wordpot/wordpot.conf
supervisorctl start wordpot
supervisorctl status wordpot
wordpot RUNNING pid 26029, uptime 0:00:07
Change ports on conpot:
sed -i '/port/s/80/82/g' /opt/conpot/env/src/conpot/conpot/templates/default/http/http.xml
supervisorctl restart conpot
Now things should be looking better:
root@mhn:~# supervisorctl status
conpot RUNNING pid 4208, uptime 0:00:06
dionaea RUNNING pid 1174, uptime 0:38:54
geoloc RUNNING pid 1180, uptime 0:38:53
honeymap RUNNING pid 1199, uptime 0:38:53
hpfeeds-broker RUNNING pid 1177, uptime 0:38:54
hpfeeds-logger-arcsight RUNNING pid 1173, uptime 0:38:54
kippo RUNNING pid 1185, uptime 0:38:53
mhn-celery-beat RUNNING pid 1172, uptime 0:38:54
mhn-celery-worker RUNNING pid 1190, uptime 0:38:53
mhn-collector RUNNING pid 1192, uptime 0:38:53
mhn-uwsgi RUNNING pid 1187, uptime 0:38:53
mnemosyne RUNNING pid 1179, uptime 0:38:53
snort RUNNING pid 1186, uptime 0:38:53
wordpot RUNNING pid 2076, uptime 0:34:00
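Most of the trouble above came from running several sensors on one box: wordpot and conpot both want port 80 (already taken by Nginx for the MHN web UI), kippo wants 22 (taken by sshd until it is moved), and celery died silently behind a supervisor status line. The script below is an added example, not part of the original post or of the MHN project: port_conflicts compares the ports a list of sensors wants with what already listens according to ss -ltn, and not_running pulls every non-RUNNING program out of supervisorctl status (report_failed does the same live and tails each program's .err log). The "sensor:port" wants list, the ss snapshot and the log directory layout /var/log/mhn/<program>.err are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not part of the original post or the MHN project): two
# checks for a single box that runs MHN plus several sensors.
#   port_conflicts - before deploying, compare the ports sensors want with
#                    what already listens (ss -ltn), so clashes like
#                    wordpot/nginx on 80 or kippo/sshd on 22 show up early.
#   not_running    - after deploying, print every non-RUNNING program from
#                    `supervisorctl status`; report_failed adds its .err log.
# Assumed: error logs live at /var/log/mhn/<program>.err (override with
# MHN_LOG_DIR); the wants list and the ss snapshot are constructed samples.

MHN_LOG_DIR="${MHN_LOG_DIR:-/var/log/mhn}"

# port_conflicts WANTS
#   WANTS: space-separated "sensor:port" pairs.
#   stdin: output of `ss -ltn` (header tolerated; *, 0.0.0.0 and :: forms ok).
#   Prints one "sensor wants PORT (in use)" line per clash.
port_conflicts() {
    wants=$1
    # column 4 is Local Address:Port; keep whatever follows the last colon
    listening=$(awk '{ n = split($4, a, ":"); print a[n] }' | sort -u)
    for w in $wants; do
        sensor=${w%%:*}
        port=${w##*:}
        if printf '%s\n' "$listening" | grep -qx "$port"; then
            echo "$sensor wants $port (in use)"
        fi
    done
}

# not_running
#   stdin: output of `supervisorctl status`.
#   Prints "program STATE" for every program whose state is not RUNNING.
not_running() {
    awk '$2 != "RUNNING" { print $1, $2 }'
}

# report_failed: live version of not_running, with the tail of each .err log.
report_failed() {
    supervisorctl status | not_running | while read -r program state; do
        echo "== $program ($state)"
        errlog="$MHN_LOG_DIR/$program.err"
        [ -r "$errlog" ] && tail -n 5 "$errlog"
    done
}

# --- constructed samples so the functions can be exercised offline ---------
# What `ss -ltn` might show on a fresh MHN server before any sensor is added:
# nginx (MHN web UI) on 80, sshd still on 22, mongod, hpfeeds broker.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:80                *:*
LISTEN 0      128    :::22               :::*
LISTEN 0      50     127.0.0.1:27017     *:*
LISTEN 0      128    *:10000             *:*'

# Sensors and the default ports they would bind (constructed for the demo).
WANTS='kippo:22 wordpot:80 conpot:80 dionaea:445'

# Shape of the supervisorctl output shown earlier in the post.
SAMPLE_STATUS='mhn-celery-worker FATAL Exited too quickly (process log may have details)
wordpot STOPPED Oct 11 11:50 AM
conpot RUNNING pid 4208, uptime 0:00:06'

# Demo on the samples; on the real box use:
#   ss -ltn | port_conflicts "$WANTS"      and      report_failed
printf '%s\n' "$SAMPLE_SS" | port_conflicts "$WANTS"
printf '%s\n' "$SAMPLE_STATUS" | not_running
```

On the sample snapshot the first check flags kippo (22), wordpot (80) and conpot (80) and stays quiet about dionaea, which is exactly the set of sensors that needed a port move or an sshd change in this build; the second check turns the long status listing into the two lines that actually need attention.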
Very simple and easy to hook up to ArcSight. All we need now is some content for the feed, probably feeding the output into an active list for later consumption by other content or something like that. Enough for now.
:)