MHN with Dionaea doesn't forward logs to broker


boris....@gmail.com

Jun 6, 2018, 4:40:25 AM
to Modern Honey Network
Hey guys,

I've been trying to set up an MHN Server with a Dionaea sensor in my local network these past couple of days, but I can't get the server to parse the logs and forward them to the broker.

Both the MHN Server and the Dionaea sensor are Virtual Machines hosted on the same PC. They are in a NAT Network and have connectivity with each other.

The IP of the Server is 10.0.2.5. The IP of the Sensor is 10.0.2.6.

I start Dionaea by running service dionaea start.

Output from troubleshooting as described by the wiki:


--------------------------------------------------------------------------------
Netstat
-------------------------------------------------------------------------------
# netstat -luntp | grep 10000
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      1279/python
-------------------------------------------------------------------------------

Iptables
-------------------------------------------------------------------------------
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 
-------------------------------------------------------------------------------

hpfeeds-broker
-------------------------------------------------------------------------------
# tail /var/log/mhn/hpfeeds-broker.err
INFO:root:Auth success by honeymap.
INFO:root:Auth success by mnemosyne.
INFO:root:Auth success by geoloc.
INFO:root:Auth success by collector.
INFO:root:Auth success by e83a79e2-68bf-11e8-b866-0800275d59d5.
INFO:root:Auth success by mnemosyne.
INFO:root:Auth success by e83a79e2-68bf-11e8-b866-0800275d59d5.
INFO:root:Auth success by e83a79e2-68bf-11e8-b866-0800275d59d5.
INFO:root:Auth success by d9bdb08a-6957-11e8-b3e8-0800275d59d5.
INFO:root:Auth success by mnemosyne.
-------------------------------------------------------------------------------
  • I played around with the sensors, so, as far as I remember, e83a79e2-68bf-11e8-b866-0800275d59d5 is the previous Sensor's ID.
-------------------------------------------------------------------------------

mongodb hpfeeds
-------------------------------------------------------------------------------
# mongo hpfeeds
/*omitted*/
{ "_id" : ObjectId("5b17877bf2aed40506a57884"), "subscribe" : [ ], "secret"
: "mhntest", "identifier" :
"d9bdb08a-6957-11e8-b3e8-0800275d59d5", "publish" : [ "dionaea.connections", "dionaea.capture", "mwbinary.dionaea.sensorunique", "dionaea.caputres", "dionaea.capture.anon"  ] }


-------------------------------------------------------------------------------
  • The publish channels are the same as in the wiki. The "dionaea caputres" one seems like a typo to me. I tried a sensor with the "typo" and without it. There wasn't any difference.
-------------------------------------------------------------------------------

Dionaea conf on the Sensor
-------------------------------------------------------------------------------
# cat /opt/dionaea/etc/dionaea/dionaea.conf
- name: hpfeeds
  config:
    server: "10.0.2.5"
    port: "10000"
    ident: "d9bdb08a-6957-11e8-b3e8-0800275d59d5"
    secret: "mhntest"
    # dynip_resolve: enable to lookup the sensor ip through a webservice
    # dynip_resolve: "http://hpfriends.honeycloud.net/ip"
--------------------------------------------------------------------------------
  • To test the logging capability, I attacked the Dionaea sensor from the MHN Server with the ms10_061_spoolss payload from Metasploit.
--------------------------------------------------------------------------------

tcpdump on the Server
--------------------------------------------------------------------------------
# tcpdump -nnNN tcp port 10000
11:23:30.273285 IP 10.0.2.6.52310 > 10.0.2.5.10000: Flags [P.], seq 810:1080, ack 49, win 229, options [nop,nop,TS val 1375647 ecr 1176401], length 270
11:23:30.275514 IP 10.0.5.5.10000 > 10.0.2.6.52310: Flags [P.], seq 49:65, ack 1080, win 285, options [nop,nop,TS val 1375652 ecr 1375647], length 16
11:23:30.276113 IP 10.0.2.6.52310 > 10.0.2.5.10000: Flags [.], ack 65, win 229, options [nop,nop,TS val 1375648 ecr 1375652], length 0
-------------------------------------------------------------------------------

In the links below you can find the logs and the error logs of the Dionaea Sensor from the previously mentioned Metasploit attack.

>> Dionaea logs <<
>> Dionaea error dump <<



Regards,

Boris
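Two checks a defender can script over the artifacts in this post, as an added example (not MHN's or Dionaea's own code): which identifiers the broker log shows authenticating compared with the ones that are expected, and whether the publish list in the auth_key record contains near-duplicate channel names such as the "caputres" entry. The broker log and the sensor record below are constructed to mirror the post.

```python
import re
from difflib import SequenceMatcher

# Constructed sample of /var/log/mhn/hpfeeds-broker.err, modelled on the post.
BROKER_LOG = """\
INFO:root:Auth success by mnemosyne.
INFO:root:Auth success by e83a79e2-68bf-11e8-b866-0800275d59d5.
INFO:root:Auth success by d9bdb08a-6957-11e8-b3e8-0800275d59d5.
INFO:root:Auth success by mnemosyne.
"""

# Constructed copy of the sensor's auth_key record as shown in mongo hpfeeds.
SENSOR_RECORD = {
    "identifier": "d9bdb08a-6957-11e8-b3e8-0800275d59d5",
    "publish": ["dionaea.connections", "dionaea.capture",
                "mwbinary.dionaea.sensorunique", "dionaea.caputres",
                "dionaea.capture.anon"],
}

AUTH_RE = re.compile(r"Auth success by (\S+)\.$")


def auth_counts(log_text):
    """Count 'Auth success' lines per hpfeeds identifier."""
    counts = {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def unknown_idents(counts, known_idents):
    """Identifiers that authenticated but are not in the expected set
    (MHN service accounts plus the sensor ids you intend to run)."""
    return sorted(i for i in counts if i not in known_idents)


def suspicious_channels(channels, threshold=0.9):
    """Pairs of channel names that are near-identical; in practice this
    means a typo like 'dionaea.caputres' sitting beside 'dionaea.capture'."""
    pairs = []
    for i, a in enumerate(channels):
        for b in channels[i + 1:]:
            if a != b and SequenceMatcher(None, a, b).ratio() >= threshold:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    counts = auth_counts(BROKER_LOG)
    expected = {"mnemosyne", SENSOR_RECORD["identifier"]}
    print("auth counts:", counts)
    print("stale or unexpected identifiers:", unknown_idents(counts, expected))
    print("near-duplicate channels:", suspicious_channels(SENSOR_RECORD["publish"]))
```

A stale identifier in the broker log (the earlier sensor id here) is harmless by itself, but a sensor whose identifier never appears at all has an auth problem, whereas one that authenticates and still produces no sessions points at the channel list or the normalizer.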


boris....@gmail.com

Jun 6, 2018, 5:51:01 AM
to Modern Honey Network
It's important to note I used this >>guide<< to configure the MHN server and the Dionaea sensor.

I also checked mongo mnemosyne as per the wiki:

# mongo mnemosyne
>db.getCollectionNames()
[
"counts",
"daily_stats",
"dork",
"file",
"hpfeed",
"metadata",
"session",
"url"
]

db.session.find() returns blank.

I also checked /opt/mnemosyne/mnemosyne.cfg, where as per the wiki I should add a couple of lines so that logs with attacks involving private IPs can be parsed.
Interestingly, the line was already there.

# cat /opt/mnemosyne/mnemosyne.cfg
/*omitted*/
[normalizer]
ignore_rfc1918 = False

Regards,
Boris



boris....@gmail.com

Jun 6, 2018, 9:52:37 AM
to Modern Honey Network
I deployed another Dionaea VM by using the automated deploy script and it works.

Guess I must've missed something while manually configuring.