MHN and Splunk - Only attacks populating


jonatha...@gmail.com

May 28, 2016, 1:46:41 AM
to Modern Honey Network

I'm currently trying to use the Splunk application with MHN. My Splunk install is on a separate server from the MHN server. In order to forward the data, instead of using localhost, I used the Splunk forwarder script and had it point toward the IP of my Splunk server. From what I can tell, there doesn't seem to be any issue with the MHN server communicating with my Splunk install. I made sure to allow the appropriate ports to be forwarded.

However, I'm only getting Attacks and Unique Attacks. No other data is being populated. I attached a screenshot of what I'm seeing.



First of all, is there a stipulation that the Splunk install and the MHN server have to be on the same machine? Secondly, from what I've read, the mhn-splunk script converts logs into a Splunk-readable format. Is there something I should look for to see why things are not appropriately appearing in Splunk? Lastly, I'm mostly self-taught when it comes to these things, so if I'm missing something obvious, I'm more than welcome to prudent advice!



Jason Trost

May 30, 2016, 9:24:08 AM
to jonatha...@gmail.com, Modern Honey Network
> First of all, is there a stipulation that the Splunk install and the MHN server have to be on the same machine?

No, the way you have it configured sounds correct. This is how we do it.

> Secondly, from what I've read, the mhn-splunk script converts logs into a Splunk-readable format. Is there something I should look for to see why things are not appropriately appearing in Splunk?

You need to have hpfeeds-logger running and configured to output in the correct format. I assume you ran this script (https://github.com/threatstream/mhn/blob/master/scripts/install_hpfeeds-logger-splunk.sh) to install this, but if not, you need to. If you run it successfully you should see a file /var/log/mhn/mhn-splunk.log that has lines that look like this (you will likely have different field names depending on which honeypot types you're running). This file is populated in real time from events coming from hpfeeds, so if you install today you will just have events from now forward in Splunk.

2016-05-30 07:31:39,875 src="XXX.XXX.216.187", direction="inbound", protocol="ip", ids_type="network", vendor_product="Dionaea", type="dionaea.connections", app="dionaea", dest="XXX.XXX.XXX.XXX", dest_port="445", signature="Connection to Honeypot", src_port="2527", sensor="XXXXXXX-XXXX-XXXXX-XXXXX-XXXXXXXXX", transport="tcp", severity="high"

If you already did this and you're still encountering issues, can you send me a sample of your /var/log/mhn/mhn-splunk.log? Ex:

tail -n 50 /var/log/mhn/mhn-splunk.log





--
Jason Trost | VP of Threat Research | www.anomali.com 
2317 Broadway, 3rd Floor| Redwood City, CA 94063
Phone:  386.235.0078 | Twitter:  @jason_trost 
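A small checker for the log layout Jason describes above (a timestamp followed by comma-separated key="value" pairs), added here as an illustration; it is not part of MHN or hpfeeds-logger. It tallies which (vendor_product, type) events are present and flags lines that do not match the layout, which is the first thing to look at when a Splunk app shows only the connection-based panels. The sample lines are constructed, with placeholder addresses and a zeroed sensor id.

```python
import re
from collections import Counter

# Constructed sample in the mhn-splunk.log layout quoted in the thread;
# addresses and the sensor id are placeholders, not real data.
SAMPLE_LOG = """\
2016-05-30 07:31:39,875 src="203.0.113.7", direction="inbound", protocol="ip", ids_type="network", vendor_product="Dionaea", type="dionaea.connections", app="dionaea", dest="192.0.2.10", dest_port="445", signature="Connection to Honeypot", src_port="2527", sensor="00000000-0000-0000-0000-000000000000", transport="tcp", severity="high"
2016-05-30 07:32:01,002 src="203.0.113.9", direction="inbound", protocol="ip", ids_type="network", vendor_product="Dionaea", type="dionaea.connections", app="dionaea", dest="192.0.2.10", dest_port="21", signature="Connection to Honeypot", src_port="40112", sensor="00000000-0000-0000-0000-000000000000", transport="tcp", severity="high"
this line is not in the expected layout and should be reported
"""

# "YYYY-MM-DD HH:MM:SS,mmm " then the rest of the line
LINE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (.*)$')
# key="value" pairs; values are double-quoted so embedded spaces are safe
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return (timestamp, fields) for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    timestamp, rest = m.groups()
    fields = dict(PAIR_RE.findall(rest))
    # A line with a timestamp but no pairs is not usable by Splunk either.
    return (timestamp, fields) if fields else None


def summarize(text):
    """Count parsed/unparsed lines, events per (vendor_product, type), and field names seen."""
    summary = {"parsed": 0, "unparsed": 0, "events": Counter(), "fields": set()}
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            summary["unparsed"] += 1
            continue
        _, fields = parsed
        summary["parsed"] += 1
        summary["events"][(fields.get("vendor_product"), fields.get("type"))] += 1
        summary["fields"].update(fields)
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"parsed={s['parsed']} unparsed={s['unparsed']}")
    for (product, event_type), n in sorted(s["events"].items()):
        print(f"{n:6d}  {product}  {event_type}")
    print("fields:", ", ".join(sorted(s["fields"])))
```

Point it at the real file with `summarize(open("/var/log/mhn/mhn-splunk.log").read())`; if every event type is a `*.connections` variant, the dashboards that depend on other event types will stay empty regardless of the forwarder.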

jonatha...@gmail.com

May 31, 2016, 1:19:43 AM
to Modern Honey Network
Well, I wish I had step-by-step instructions for how I got things to work. The truth is I installed Splunk on a different machine, forwarded the MHN data to that new server, and things are appearing appropriately. Thanks for taking a look at my post though. I really appreciate it!
