Integration with Splunk Problem


曾皓辰

Nov 5, 2015, 5:23:42 AM
to Modern Honey Network
Hi Jason,

I followed the tutorial at http://mhn-training.s3.amazonaws.com/labs.pdf. There are no errors in the installation log.
However, when I logged in to Splunk and searched for "*", nothing happened. I looked at the log file at /var/log/mhn/hpfeeds-logger-splunk.log; it's an empty file. Here is what the .err file says (I tried to restart hpfeeds-logger several times):

root@honeynetMaster:/opt/mhn/scripts# cat /var/log/mhn/hpfeeds-logger-splunk.err

2015-11-05 11:59:01,039 - logger - INFO - Parsing config file: splunk.json
2015-11-05 11:59:01,039 - logger - INFO - Writing events to /var/log/mhn/mhn-splunk.log
2015-11-05 11:59:01,049 - logger - INFO - connected to @hp2
2015-11-05 16:32:56,117 - logger - INFO - Parsing config file: splunk.json
2015-11-05 16:32:56,118 - logger - INFO - Writing events to /var/log/mhn/mhn-splunk.log
2015-11-05 16:32:56,127 - logger - INFO - connected to @hp2
2015-11-05 16:35:44,106 - logger - INFO - Parsing config file: splunk.json
2015-11-05 16:35:44,107 - logger - INFO - Writing events to /var/log/mhn/mhn-splunk.log
2015-11-05 16:35:44,112 - logger - INFO - connected to @hp2

root@honeynetMaster:/opt/mhn/scripts# supervisorctl status
geoloc                           RUNNING    pid 953, uptime 4 days, 19:37:15
honeymap                         RUNNING    pid 948, uptime 4 days, 19:37:15
hpfeeds-broker                   RUNNING    pid 957, uptime 4 days, 19:37:15
hpfeeds-logger-arcsight          RUNNING    pid 947, uptime 4 days, 19:37:15
hpfeeds-logger-splunk            RUNNING    pid 17603, uptime 1:36:13
mhn-celery-beat                  RUNNING    pid 939, uptime 4 days, 19:37:15
mhn-celery-worker                RUNNING    pid 1407, uptime 1 day, 0:47:15
mhn-collector                    RUNNING    pid 956, uptime 4 days, 19:37:15
mhn-uwsgi                        RUNNING    pid 954, uptime 4 days, 19:37:15
mnemosyne                        RUNNING    pid 951, uptime 4 days, 19:37:15


root@honeynetMaster:/opt/mhn/scripts# $SPLUNK list forward-server
Active forwards:
        None
Configured but inactive forwards:
        127.0.0.1:9997


System: Ubuntu 12.04.5 LTS
Splunk: Splunk Enterprise 6.3
MHN: newest version


Please help T.T
Thanks in advance!

Regards,
Haochen

Jason Trost

Nov 5, 2015, 10:03:51 AM
to 曾皓辰, Modern Honey Network
Is there any data in /var/log/mhn/mhn-splunk.log? This is where the hpfeeds-logger should be writing events. If not, then there wouldn't be any data in Splunk. If so, there may be another issue.

--
You received this message because you are subscribed to the Google Groups "Modern Honey Network" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-net...@googlegroups.com.
To post to this group, send email to modern-hon...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/b6d55239-00e7-4972-96c8-e4d9d386c284%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Jason Trost | VP of Threat Research | www.threatstream.com
2317 Broadway, 3rd Floor| Redwood City, CA 94063
Phone:  386.235.0078 | Twitter:  @jason_trost

曾皓辰

Nov 7, 2015, 11:19:56 AM
to Modern Honey Network, haochen...@gmail.com
No data in /var/log/mhn/mhn-splunk.log and I can't figure out why. hpfeeds-logger is running normally. Please give me some hint......

曾皓辰

Nov 9, 2015, 1:51:32 AM
to Modern Honey Network, haochen...@gmail.com
I can see number of attacks from kippo in my MHN attack page.

I re-installed hpfeeds-logger-splunk and restarted everything; then I could see some data coming into /var/log/mhn/mhn-splunk.log, which means hpfeeds-logger is writing some events!
However, there is still nothing in the MHN Splunk app. I reinstalled the splunk_universalforwarder but it doesn't help. splunk_universalforwarder does not send any data to the Splunk server.

The Splunk server and MHN server are sharing the same host.

Jason Trost

Nov 9, 2015, 8:45:15 AM
to 曾皓辰, Modern Honey Network
Does your local Splunk instance have receiving configured?

Log in to your Splunk instance.
Click "Settings" --> "Forwarding and Receiving"
Under "Receive Data", click "Configure Receiving"

There should be one entry for port 9997 in the table on this page. If not, click "New"
On the following page, enter 9997 under "Listen on this port" and then click "Save"

This

曾皓辰

Nov 9, 2015, 9:12:50 PM
to Modern Honey Network, haochen...@gmail.com
A big thanks to you Jason!
Splunk is kind of new stuff for me; anyway, I'm good now :)

ambient...@gmail.com

Nov 16, 2016, 11:33:51 PM
to Modern Honey Network
I have this same issue, but my MHN server and Splunk are on two separate boxes. Events are in mhn-splunk.log. 9997 is set to receive in Splunk, but nothing is showing up in the MHN Splunk app.

I have tried everything I know possible and really want to find a solution as I love MHN and all the intelligence I am gathering.

Please help.

Thanks.

Jason Trost

Nov 17, 2016, 1:30:59 PM
to ambient...@gmail.com, Modern Honey Network
Is your Splunk box listening on 9997?  Is there a firewall or web proxy blocking traffic to this port?  

I recommend looking at the logs in /opt/splunk/var/logs to see if you can identify what is going wrong.




--
Jason Trost | VP of Threat Research | www.anomali.com 
2317 Broadway, 3rd Floor| Redwood City, CA 94063
Phone:  386.235.0078 | Twitter:  @jason_trost 

ambient...@gmail.com

Nov 17, 2016, 2:24:19 PM
to Modern Honey Network
Splunk is set to listen on 9997 under the receive data settings. Firewall is off.

The MHN server is a Linux box and Splunk Enterprise is on a Windows box.

The MHN server is a droplet; I am able to SFTP the MHN-Splunk log and upload it to Splunk, but I would like it in real time and automated.

I have no Splunk log in the location you mentioned; just the Splunkforwarder is in /opt.

Thanks for the quick reply.

ambient...@gmail.com

Nov 17, 2016, 4:32:41 PM
to Modern Honey Network, ambient...@gmail.com
Ok, so I did find this location and info on the MHN server box:

/opt/splunkforwarder/var/log/splunk. I am seeing a lot of this in the splunkd.log (on the MHN server):


Connection to host=127.0.0.1:9997 failed
11-17-2016 18:39:11.612 +0000 WARN  TcpOutputProc - Cooked connection to ip=MYIPHERE:9997 timed out
11-17-2016 18:39:21.611 +0000 WARN  TcpOutputFd - Connect to 0.0.0.0:9997 failed. Connection refused
11-17-2016 18:39:21.611 +0000 ERROR TcpOutputFd - Connection to host=0.0.0.0:9997 failed
11-17-2016 18:39:21.612 +0000 WARN  TcpOutputFd - Connect to 127.0.0.1:9997 failed. Connection refused
11-17-2016 18:39:21.612 +0000 ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed
11-17-2016 18:39:33.682 +0000 WARN  TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 400 seconds.
11-17-2016 18:39:41.613 +0000 WARN  TcpOutputProc - Cooked connection to ip=MYIPHERE:9997 timed out
11-17-2016 18:39:51.613 +0000 WARN  TcpOutputFd - Connect to 0.0.0.0:9997 failed. Connection refused

 Forwarding to indexer group default-autolb-group blocked for 1600 seconds.
11-17-2016 18:59:41.687 +0000 WARN  TcpOutputProc - Cooked connection to ip=MYIPHERE:9997 timed out


On the Windows box (Splunk Enterprise), 0.0.0.0:9997 is LISTENING.


And the log shows more of the same, with the block increasing in seconds:

Forwarding to indexer group default-autolb-group blocked for 5400 seconds.
11-17-2016 21:16:42.533 +0000 WARN  TcpOutputProc - Cooked connection to ip=MYIPHERE:9997 timed out
11-17-2016 21:16:42.534 +0000 WARN  TcpOutputFd - Connect to 0.0.0.0:9997 failed. Connection refused
11-17-2016 21:16:42.534 +0000 ERROR TcpOutputFd - Connection to host=0.0.0.0:9997 failed
11-17-2016 21:16:52.532 +0000 WARN  TcpOutputFd - Connect to 0.0.0.0:9997 failed. Connection refused
11-17-2016 21:16:52.532 +0000 ERROR TcpOutputFd - Connection to host=0.0.0.0:9997 failed
11-17-2016 21:16:52.533 +0000 WARN  TcpOutputFd - Connect to 127.0.0.1:9997 failed. Connection refused
11-17-2016 21:16:52.533 +0000 ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed
11-17-2016 21:17:12.534 +0000 WARN  TcpOutputProc - Cooked connection to ip=MYIPHERE:9997 timed out
11-17-2016 21:17:22.534 +0000 WARN  TcpOutputFd - Connect to 0.0.0.0:9997 failed. Connection refused
11-17-2016 21:17:22.534 +0000 ERROR TcpOutputFd - Connection to host=0.0.0.0:9997 failed
11-17-2016 21:17:42.536 +0000 WARN  TcpOutputProc - Cooked connection to ip=MYIPHERE:9997 timed out
11-17-2016 21:17:42.537 +0000 WARN  TcpOutputFd - Connect to 127.0.0.1:9997 failed. Connection refused
11-17-2016 21:17:42.537 +0000 ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed
11-17-2016 21:17:52.535 +0000 WARN  TcpOutputFd - Connect to 127.0.0.1:9997 failed. Connection refused
11-17-2016 21:17:52.536 +0000 ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed
11-17-2016 21:18:05.033 +0000 WARN  TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 5500 seconds.
11-17-2016 21:18:12.537 +0000 WARN  TcpOutputProc - Cooked connection to ip=MY IP HERE.80:9997 timed out
11-17-2016 21:18:12.537 +0000 WARN  TcpOutputFd - Connect to 0.0.0.0:9997 failed. Connection refused
11-17-2016 21:18:12.537 +0000 ERROR TcpOutputFd - Connection to host=0.0.0.0:9997 failed

To me it appears my Windows box is blocking the connection, but the Firewall is off and I added an exception to allow this port connection in the Firewall settings.

Hope these details help and I really appreciate any help you can provide!

Thanks!

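Reading those TcpOutputFd/TcpOutputProc lines by hand is error-prone, so here is an added Python example (not from the thread, MHN or Splunk) that sorts them by target and failure type: "Connection refused" on 127.0.0.1 or 0.0.0.0 means the forwarder is still pointed at the MHN box itself (the default 127.0.0.1:9997 entry seen earlier in the thread), while "timed out" on the real indexer address means the SYN is being dropped somewhere on the path. The sample log is a constructed subset of the excerpt above, with the poster's MYIPHERE placeholder kept.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the splunkd.log excerpt quoted above, with the
# poster's "MYIPHERE" placeholder kept in place of the real indexer address.
SAMPLE_LOG = """\
11-17-2016 18:39:11.612 +0000 WARN  TcpOutputProc - Cooked connection to ip=MYIPHERE:9997 timed out
11-17-2016 18:39:21.611 +0000 WARN  TcpOutputFd - Connect to 0.0.0.0:9997 failed. Connection refused
11-17-2016 18:39:21.611 +0000 ERROR TcpOutputFd - Connection to host=0.0.0.0:9997 failed
11-17-2016 18:39:21.612 +0000 WARN  TcpOutputFd - Connect to 127.0.0.1:9997 failed. Connection refused
11-17-2016 18:39:21.612 +0000 ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed
11-17-2016 18:39:33.682 +0000 WARN  TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 400 seconds.
11-17-2016 18:39:41.613 +0000 WARN  TcpOutputProc - Cooked connection to ip=MYIPHERE:9997 timed out
11-17-2016 18:59:41.687 +0000 WARN  TcpOutputProc - Cooked connection to ip=MYIPHERE:9997 timed out
11-17-2016 21:18:05.033 +0000 WARN  TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 5500 seconds.
"""

REFUSED_RE = re.compile(r"Connect to (?P<target>\S+) failed\. Connection refused")
TIMEOUT_RE = re.compile(r"Cooked connection to ip=(?P<target>\S+) timed out")
BLOCKED_RE = re.compile(r"blocked for (?P<secs>\d+) seconds")

# Targets that can only ever mean "this same box", never a remote indexer.
LOCAL_ONLY_HOSTS = {"0.0.0.0", "127.0.0.1", "localhost", "[::]", "[::1]"}


def triage(log_text):
    """Count refused/timed-out attempts per target and the longest block."""
    outcomes = defaultdict(lambda: {"refused": 0, "timed_out": 0})
    max_blocked = 0
    for line in log_text.splitlines():
        m = REFUSED_RE.search(line)
        if m:
            outcomes[m.group("target")]["refused"] += 1
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            outcomes[m.group("target")]["timed_out"] += 1
            continue
        m = BLOCKED_RE.search(line)
        if m:
            max_blocked = max(max_blocked, int(m.group("secs")))
    return dict(outcomes), max_blocked


def diagnose(outcomes, max_blocked):
    """Turn the counts into one finding per target, plus the queue state."""
    findings = []
    for target, counts in sorted(outcomes.items()):
        host = target.rsplit(":", 1)[0]
        if host in LOCAL_ONLY_HOSTS:
            findings.append(
                f"{target}: forward target is the forwarder's own host; on a "
                "two-box setup remove it from outputs.conf (splunk remove "
                "forward-server) and keep only the indexer's address")
        elif counts["refused"]:
            findings.append(
                f"{target}: connection refused, the host answered but nothing "
                "is accepting on that port (check Splunk receiving on 9997)")
        elif counts["timed_out"]:
            findings.append(
                f"{target}: no answer at all, the SYN is dropped on the path "
                "(host firewall, NAT/router, or cloud security group)")
    if max_blocked:
        findings.append(
            f"output queue blocked for {max_blocked}s and growing; events are "
            "still queued on the forwarder, not lost yet")
    return findings


if __name__ == "__main__":
    for finding in diagnose(*triage(SAMPLE_LOG)):
        print("-", finding)
```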

ambient...@gmail.com

Nov 17, 2016, 5:36:40 PM
to Modern Honey Network, ambient...@gmail.com
Could it be an SSL or certificate issue between forwarder and receiver? 

ambient...@gmail.com

Nov 17, 2016, 6:19:52 PM
to Modern Honey Network, ambient...@gmail.com
Sorry for so many replies but I am very determined.

I tried the following from MHN server to Windows (Splunk):

telnet <indexer_ip> <indexer port>

Unable to connect to remote host: Connection timed out. Not sure at this point because.

Jason Trost

Nov 17, 2016, 6:33:02 PM
to ambient...@gmail.com, Modern Honey Network
Check to see if splunk is listening on that port on all interfaces (or just the local interface):

What is the output of this command on your splunk box?

sudo netstat -luntp | grep splunk


ambient...@gmail.com

Nov 17, 2016, 8:19:40 PM
to Modern Honey Network, ambient...@gmail.com
My Splunk box is a Windows OS. 


I ran netstat -b and these are the entries related to Splunk; I did not paste non-pertinent entries below:



Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:8191         Kilo:61408             ESTABLISHED
 [mongod.exe]
  TCP    127.0.0.1:8191         Kilo:61409             ESTABLISHED
 [mongod.exe]
  TCP    127.0.0.1:8191         Kilo:61411             ESTABLISHED
 [mongod.exe]
  TCP    127.0.0.1:8191         Kilo:61412             ESTABLISHED
 [mongod.exe]
  TCP    127.0.0.1:8191         Kilo:61421             ESTABLISHED
 [mongod.exe]
  TCP    127.0.0.1:8191         Kilo:61422             ESTABLISHED
 [mongod.exe]
  TCP    127.0.0.1:8191         Kilo:61423             ESTABLISHED
 [mongod.exe]
  TCP    127.0.0.1:8191         Kilo:61424             ESTABLISHED
 [mongod.exe]
  TCP    127.0.0.1:8191         Kilo:61425             ESTABLISHED
 [mongod.exe]
  TCP    127.0.0.1:49237        Kilo:65001             ESTABLISHED
 [NvStreamNetworkService.exe]
  TCP    127.0.0.1:61408        Kilo:8191              ESTABLISHED
 [splunkd.exe]
  TCP    127.0.0.1:61409        Kilo:8191              ESTABLISHED
 [splunkd.exe]
  TCP    127.0.0.1:61411        Kilo:8191              ESTABLISHED
 [splunkd.exe]
  TCP    127.0.0.1:61412        Kilo:8191              ESTABLISHED
 [splunkd.exe]
  TCP    127.0.0.1:61421        Kilo:8191              ESTABLISHED
 [splunkd.exe]
  TCP    127.0.0.1:61422        Kilo:8191              ESTABLISHED
 [splunkd.exe]
  TCP    127.0.0.1:61423        Kilo:8191              ESTABLISHED
 [splunkd.exe]
  TCP    127.0.0.1:61424        Kilo:8191              ESTABLISHED
 [splunkd.exe]
  TCP    127.0.0.1:61425        Kilo:8191              ESTABLISHED
 [splunkd.exe]
  TCP    127.0.0.1:65001        Kilo:49237             ESTABLISHED


Jason Trost

Nov 17, 2016, 8:28:31 PM
to ambient...@gmail.com, Modern Honey Network
This doesn't appear to list the listening ports.

Can you try:

netstat -a -b

ambient...@gmail.com

Nov 17, 2016, 8:48:34 PM
to Modern Honey Network, ambient...@gmail.com

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            Kilo:0                 LISTENING
  TCP    0.0.0.0:443            Kilo:0                 LISTENING
  TCP    0.0.0.0:445            Kilo:0                 LISTENING
  TCP    0.0.0.0:554            Kilo:0                 LISTENING
  TCP    0.0.0.0:902            Kilo:0                 LISTENING
  TCP    0.0.0.0:912            Kilo:0                 LISTENING
  TCP    0.0.0.0:2869           Kilo:0                 LISTENING
  TCP    0.0.0.0:5060           Kilo:0                 LISTENING
  TCP    0.0.0.0:5357           Kilo:0                 LISTENING
  TCP    0.0.0.0:8000           Kilo:0                 LISTENING
  TCP    0.0.0.0:8089           Kilo:0                 LISTENING
  TCP    0.0.0.0:8191           Kilo:0                 LISTENING
  TCP    0.0.0.0:9997           Kilo:0                 LISTENING
  TCP    0.0.0.0:10243          Kilo:0                 LISTENING
  TCP    0.0.0.0:47984          Kilo:0                 LISTENING
  TCP    0.0.0.0:47989          Kilo:0                 LISTENING
  TCP    0.0.0.0:49152          Kilo:0                 LISTENING
  TCP    0.0.0.0:49153          Kilo:0                 LISTENING
  TCP    0.0.0.0:49154          Kilo:0                 LISTENING
  TCP    0.0.0.0:49158          Kilo:0                 LISTENING
  TCP    0.0.0.0:49163          Kilo:0                 LISTENING
  TCP    0.0.0.0:57551          Kilo:0                 LISTENING
  TCP    127.0.0.1:5939         Kilo:0                 LISTENING
  TCP    127.0.0.1:8065         Kilo:0                 LISTENING
  TCP    127.0.0.1:8191         Kilo:61408             ESTABLISHED
  TCP    127.0.0.1:8191         Kilo:61409             ESTABLISHED
  TCP    127.0.0.1:8191         Kilo:61411             ESTABLISHED
  TCP    127.0.0.1:8191         Kilo:61412             ESTABLISHED
  TCP    127.0.0.1:8191         Kilo:61421             ESTABLISHED
  TCP    127.0.0.1:8191         Kilo:61422             ESTABLISHED
  TCP    127.0.0.1:8191         Kilo:61423             ESTABLISHED
  TCP    127.0.0.1:8191         Kilo:61424             ESTABLISHED
  TCP    127.0.0.1:8191         Kilo:61425             ESTABLISHED
  TCP    127.0.0.1:8307         Kilo:0                 LISTENING
  TCP    127.0.0.1:9990         Kilo:0                 LISTENING
  TCP    127.0.0.1:23401        Kilo:0                 LISTENING
  TCP    127.0.0.1:49237        Kilo:65001             ESTABLISHED
  TCP    127.0.0.1:56070        Kilo:0                 LISTENING
  TCP    127.0.0.1:61408        Kilo:8191              ESTABLISHED
  TCP    127.0.0.1:61409        Kilo:8191              ESTABLISHED
  TCP    127.0.0.1:61411        Kilo:8191              ESTABLISHED
  TCP    127.0.0.1:61412        Kilo:8191              ESTABLISHED
  TCP    127.0.0.1:61421        Kilo:8191              ESTABLISHED
  TCP    127.0.0.1:61422        Kilo:8191              ESTABLISHED
  TCP    127.0.0.1:61423        Kilo:8191              ESTABLISHED
  TCP    127.0.0.1:61424        Kilo:8191              ESTABLISHED
  TCP    127.0.0.1:61425        Kilo:8191              ESTABLISHED
  TCP    127.0.0.1:65000        Kilo:0                 LISTENING
  TCP    127.0.0.1:65001        Kilo:0                 LISTENING
  TCP    127.0.0.1:65001        Kilo:49237             ESTABLISHED
  TCP    192.168.0.32:139       Kilo:0                 LISTENING
  TCP    192.168.0.32:2869      192.168.0.22:55740     TIME_WAIT
  TCP    192.168.0.32:52982     server-52-84-24-129:https  CLOSE_WAIT
  TCP    192.168.0.32:52983     server-52-84-24-233:https  CLOSE_WAIT
  TCP    192.168.0.32:56146     sip122:5091            ESTABLISHED
  TCP    192.168.0.32:56147     ec2-54-241-191-235:http  ESTABLISHED
  TCP    192.168.0.32:57804     192.30.253.125:https   ESTABLISHED
  TCP    192.168.0.32:58201     ec2-54-221-219-218:https  CLOSE_WAIT
  TCP    192.168.0.32:58700     162.243.142.138:ssh    ESTABLISHED
  TCP    192.168.0.32:60317     stackoverflow:http     ESTABLISHED
  TCP    192.168.0.32:63045     ec2-52-7-232-221:https  CLOSE_WAIT
  TCP    192.168.0.32:63046     api:https              CLOSE_WAIT
  TCP    192.168.0.32:63047     api:https              CLOSE_WAIT
  TCP    192.168.0.32:63048     ec2-52-7-232-221:https  CLOSE_WAIT
  TCP    192.168.0.32:63541     6:http                 ESTABLISHED
  TCP    192.168.0.32:64068     ec2-52-70-108-85:https  ESTABLISHED
  TCP    192.168.0.32:64069     192.168.0.1:5000       TIME_WAIT
  TCP    192.168.0.32:65034     ec2-23-20-149-146:10000  ESTABLISHED
  TCP    192.168.56.1:139       Kilo:0                 LISTENING
  TCP    192.168.127.1:139      Kilo:0                 LISTENING
  TCP    192.168.204.1:139      Kilo:0                 LISTENING
  TCP    [::]:135               Kilo:0                 LISTENING
  TCP    [::]:443               Kilo:0                 LISTENING
  TCP    [::]:445               Kilo:0                 LISTENING
  TCP    [::]:554               Kilo:0                 LISTENING
  TCP    [::]:2869              Kilo:0                 LISTENING
  TCP    [::]:3587              Kilo:0                 LISTENING
  TCP    [::]:5357              Kilo:0                 LISTENING
  TCP    [::]:10243             Kilo:0                 LISTENING
  TCP    [::]:49152             Kilo:0                 LISTENING
  TCP    [::]:49153             Kilo:0                 LISTENING
  TCP    [::]:49154             Kilo:0                 LISTENING
  TCP    [::]:49158             Kilo:0                 LISTENING
  TCP    [::]:49163             Kilo:0                 LISTENING
  TCP    [::]:57551             Kilo:0                 LISTENING
  TCP    [::1]:8307             Kilo:0                 LISTENING
  TCP    [2601:602:9501:cd6f:58a8:2d7:f138:a18f]:64038  pa-in-x8a:https        TIME_WAIT
  TCP    [2601:602:9501:cd6f:58a8:2d7:f138:a18f]:64044  pc-in-x64:https        TIME_WAIT
  TCP    [2601:602:9501:cd6f:58a8:2d7:f138:a18f]:64045  ams15s21-in-x03:https  TIME_WAIT
  TCP    [2601:602:9501:cd6f:58a8:2d7:f138:a18f]:64061  sea15s12-in-x0e:https  ESTABLISHED
  TCP    [2601:602:9501:cd6f:58a8:2d7:f138:a18f]:64062  sea15s12-in-x0e:https  ESTABLISHED
  TCP    [2601:602:9501:cd6f:58a8:2d7:f138:a18f]:64064  sea15s07-in-x0e:https  ESTABLISHED
  TCP    [2601:602:9501:cd6f:58a8:2d7:f138:a18f]:64065  sea15s07-in-x0e:https  ESTABLISHED
  TCP    [2601:602:9501:cd6f:58a8:2d7:f138:a18f]:64066  sea15s12-in-x0e:https  ESTABLISHED
  UDP    0.0.0.0:500            *:*                    
  UDP    0.0.0.0:3702           *:*                    
  UDP    0.0.0.0:3702           *:*                    
  UDP    0.0.0.0:3702           *:*                    
  UDP    0.0.0.0:3702           *:*                    
  UDP    0.0.0.0:4500           *:*                    
  UDP    0.0.0.0:5004           *:*                    
  UDP    0.0.0.0:5005           *:*                    
  UDP    0.0.0.0:5353           *:*                    
  UDP    0.0.0.0:5353           *:*                    
  UDP    0.0.0.0:5353           *:*                    
  UDP    0.0.0.0:5353           *:*                    
  UDP    0.0.0.0:5353           *:*                    
  UDP    0.0.0.0:5353           *:*                    
  UDP    0.0.0.0:5353           *:*                    
  UDP    0.0.0.0:5353           *:*                    
  UDP    0.0.0.0:5355           *:*                    
  UDP    0.0.0.0:50351          *:*                    
  UDP    0.0.0.0:50352          *:*                    
  UDP    0.0.0.0:50353          *:*                    
  UDP    0.0.0.0:50354          *:*                    
  UDP    0.0.0.0:52616          *:*                    
  UDP    0.0.0.0:52617          *:*                    
  UDP    0.0.0.0:52618          *:*                    
  UDP    0.0.0.0:52619          *:*                    
  UDP    0.0.0.0:53957          *:*                    
  UDP    0.0.0.0:53958          *:*                    
  UDP    0.0.0.0:53959          *:*                    
  UDP    0.0.0.0:53960          *:*                    
  UDP    0.0.0.0:53961          *:*                    
  UDP    0.0.0.0:53963          *:*                    
  UDP    0.0.0.0:53973          *:*                    
  UDP    0.0.0.0:53974          *:*                    
  UDP    0.0.0.0:53975          *:*                    
  UDP    0.0.0.0:54702          *:*                    
  UDP    0.0.0.0:58924          *:*                    
  UDP    0.0.0.0:60065          *:*                    
  UDP    0.0.0.0:61475          *:*                    
  UDP    0.0.0.0:63302          *:*                    
  UDP    0.0.0.0:65297          *:*                    
  UDP    127.0.0.1:1900         *:*                    
  UDP    127.0.0.1:48200        *:*                    
  UDP    127.0.0.1:48201        *:*                    
  UDP    127.0.0.1:48202        *:*                    
  UDP    127.0.0.1:54015        *:*                    
  UDP    127.0.0.1:59362        *:*                    
  UDP    127.0.0.1:59455        *:*                    
  UDP    127.0.0.1:60407        *:*                    
  UDP    127.0.0.1:60408        *:*                    
  UDP    127.0.0.1:60409        *:*                    
  UDP    127.0.0.1:63571        *:*                    
  UDP    127.0.0.1:63572        *:*                    
  UDP    127.0.0.1:65000        *:*                    
  UDP    192.168.0.32:137       *:*                    
  UDP    192.168.0.32:138       *:*                    
  UDP    192.168.0.32:1900      *:*                    
  UDP    192.168.0.32:2177      *:*                    
  UDP    192.168.0.32:5353      *:*                    
  UDP    192.168.0.32:59361     *:*                    
  UDP    192.168.56.1:137       *:*                    
  UDP    192.168.56.1:138       *:*                    
  UDP    192.168.56.1:1900      *:*                    
  UDP    192.168.56.1:2177      *:*                    
  UDP    192.168.56.1:5353      *:*                    
  UDP    192.168.56.1:5353      *:*                    
  UDP    192.168.127.1:137      *:*                    
  UDP    192.168.127.1:138      *:*                    
  UDP    192.168.127.1:1900     *:*                    
  UDP    192.168.127.1:2177     *:*                    
  UDP    192.168.127.1:5353     *:*                    
  UDP    192.168.127.1:5353     *:*                    
  UDP    192.168.204.1:137      *:*                    
  UDP    192.168.204.1:138      *:*                    
  UDP    192.168.204.1:1900     *:*                    
  UDP    192.168.204.1:2177     *:*                    
  UDP    192.168.204.1:5353     *:*                    
  UDP    192.168.204.1:5353     *:*                    
  UDP    [::]:500               *:*                    
  UDP    [::]:3540              *:*                    
  UDP    [::]:3702              *:*                    
  UDP    [::]:3702              *:*                    
  UDP    [::]:3702              *:*                    
  UDP    [::]:3702              *:*                    
  UDP    [::]:4500              *:*                    
  UDP    [::]:5004              *:*                    
  UDP    [::]:5005              *:*                    
  UDP    [::]:5353              *:*                    
  UDP    [::]:5353              *:*                    
  UDP    [::]:5353              *:*                    
  UDP    [::]:5353              *:*                    
  UDP    [::]:5355              *:*                    
  UDP    [::]:50352             *:*                    
  UDP    [::]:50354             *:*                    
  UDP    [::]:52617             *:*                    
  UDP    [::]:52619             *:*                    
  UDP    [::]:53963             *:*                    
  UDP    [::]:54703             *:*                    
  UDP    [::]:58925             *:*                    
  UDP    [::]:60066             *:*                    
  UDP    [::]:63303             *:*                    
  UDP    [::]:65298             *:*                    
  UDP    [::1]:1900             *:*                    
  UDP    [::1]:5353             *:*                    
  UDP    [::1]:59360            *:*                    
  UDP    [2601:602:9500:8715::8af1]:5353  *:*                    
  UDP    [2601:602:9500:8715:83a:f98b:26e9:833e]:5353  *:*                    
  UDP    [2601:602:9500:8715:d97e:a8dc:5ca3:bd44]:5353  *:*                    
  UDP    [2601:602:9501:cd6f:58a8:2d7:f138:a18f]:2177  *:*                    
  UDP    [2601:602:9501:cd6f:d97e:a8dc:5ca3:bd44]:2177  *:*                    
  UDP    [fe80::197d:c029:45ab:9bd6%21]:546  *:*                    
  UDP    [fe80::197d:c029:45ab:9bd6%21]:1900  *:*                    
  UDP    [fe80::197d:c029:45ab:9bd6%21]:2177  *:*                    
  UDP    [fe80::2508:7806:ac3b:7a5a%19]:546  *:*                    
  UDP    [fe80::2508:7806:ac3b:7a5a%19]:1900  *:*                    
  UDP    [fe80::2508:7806:ac3b:7a5a%19]:2177  *:*                    
  UDP    [fe80::d97e:a8dc:5ca3:bd44%11]:1900  *:*                    
  UDP    [fe80::d97e:a8dc:5ca3:bd44%11]:2177  *:*                    
  UDP    [fe80::d97e:a8dc:5ca3:bd44%11]:5353  *:*                    
  UDP    [fe80::d97e:a8dc:5ca3:bd44%11]:59359  *:*                    
  UDP    [fe80::e9bb:ca69:736b:d12%13]:546  *:*                    
  UDP    [fe80::e9bb:ca69:736b:d12%13]:546  *:*                    
  UDP    [fe80::e9bb:ca69:736b:d12%13]:1900  *:*                    
  UDP    [fe80::e9bb:ca69:736b:d12%13]:2177  *:*                    
To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-network+unsub...@googlegroups.com.
To post to this group, send email to modern-hon...@googlegroups.com.



--
Jason Trost | VP of Threat Research | www.anomali.com 
2317 Broadway, 3rd Floor| Redwood City, CA 94063
Phone:  386.235.0078 | Twitter:  @jason_trost 
--
You received this message because you are subscribed to the Google Groups "Modern Honey Network" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-network+unsub...@googlegroups.com.
To post to this group, send email to modern-honey-network@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/69a1601e-8a42-444c-a2fe-22e3d6f4763e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jason Trost

Nov 17, 2016, 9:01:43 PM
to ambient...@gmail.com, Modern Honey Network
This looks right. Are you sure the windows firewall is not blocking inbound connections to 9997?
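The check suggested in the reply above, written out as an added PowerShell example for the Splunk host (this is not code from the thread or from the MHN project). TCP 9997 is Splunk's default receiving port and is the port named in the reply; the firewall rule display name and the `<MHN_SERVER_IP>` placeholder are assumptions of this example. Run it in an elevated PowerShell session on the Windows machine that runs Splunk:

```powershell
# Added example: confirm that the Splunk receiver on TCP 9997 is (a) actually
# listening and (b) allowed through Windows Firewall on the active profile.
# Port 9997 comes from the thread; the rule name and the MHN address placeholder
# below are assumptions of this example, not Splunk or MHN defaults.
$Port     = 9997
$RuleName = 'Splunk TCP receiver 9997'   # assumed display name for the rule we may create

# 1. Is anything listening on the port? If not, the firewall is not the problem;
#    the receiving port must first be enabled in Splunk (Settings > Forwarding and receiving).
$listener = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
if (-not $listener) {
    Write-Warning "Nothing is listening on TCP $Port. Enable the receiving port in Splunk first."
} else {
    $proc = Get-Process -Id $listener[0].OwningProcess
    Write-Host ("TCP {0} is owned by {1} (PID {2}), bound to {3}" -f `
        $Port, $proc.ProcessName, $proc.Id, $listener[0].LocalAddress)
}

# 2. Is there an enabled inbound Allow rule for that port? Port filters are looked up
#    first, then resolved to their parent rules so Direction/Action/Enabled can be checked.
$rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq $Port } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

if ($rules) {
    Write-Host "Enabled inbound Allow rule(s) for TCP ${Port}:"
    $rules | Select-Object DisplayName, Profile, Enabled | Format-Table -AutoSize
} else {
    $active = (Get-NetConnectionProfile).NetworkCategory -join ', '
    Write-Warning "No enabled inbound Allow rule for TCP $Port (active profile(s): $active)."
    # Create a narrow rule: this port only, and only from the MHN server that runs
    # hpfeeds-logger-splunk. Replace the placeholder with the MHN server's real address.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress '<MHN_SERVER_IP>' -Action Allow -Profile Any
}
```

Scoping the rule to the MHN server's address rather than opening 9997 to everything keeps the Splunk receiver from becoming a generally reachable listener. Once the rule is in place, the same check from the MHN side is a plain TCP connect to the Splunk host on 9997 (for example `nc -zv <splunk-host> 9997`); if that succeeds but events still do not appear, the problem is upstream of the firewall, in the logger configuration or the Splunk input.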
--
You received this message because you are subscribed to the Google Groups "Modern Honey Network" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-network+unsub...@googlegroups.com.
To post to this group, send email to modern-honey-network@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/84453c41-9c47-472b-ad0b-999b78437281%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.