adding new sensor or data into mhn

Christian Fernandez

Jan 15, 2016, 5:23:51 PM
to Modern Honey Network
OK, so I have a custom Ruby script and another Golang script that pull some data from my networks, like nmap scans and other interesting results with IP.
I am researching how to pipe this info into MHN so it shows up with the results of the other honeypots.
But for someone totally new to hpfeeds it is a bit confusing, since what I'm trying to do is not exactly the same. So I figured I would do this:
I created a new sensor from the UI and got the UUID.
I logged into the MHN admin server and used add_user:
python add_user.py "$IDENT" "$SECRET" "$PUBLISH_CHANNELS" "$SUBSCRIBE_CHANNELS"

The part that already starts confusing me is the "channels". I can figure out by the name what it could be, but I have researched around and can't find a real definition for hpfeeds.
For example, I created two channels, let's say one for IP and the other for count:
channel.ip and channel.count, because I have two rows of data. So I may already be doing it wrong here.
So in my Ruby script I parse a file and get two parameters, and I am trying to send them to the hpfeeds broker on port 10000 on the MHN server.
I can connect using the UUID and the password I gave add_user.py,
but when I connect I get:
ERROR: "accessfail."
ERROR: "accessfail."
I'm guessing one for each channel.
I contacted the guy that created the Ruby gem.
He said:
"You got an accessfail if you try to publish on a channel that does not exist"
OK, so now this is where I am puzzled/stuck, because I did create those two channels with add_user.py.

So my sincere questions are:
What steps am I missing to be able to push my data, or for anyone else for that matter? (Maybe we can put this in the wiki.)
If I send my raw data, for example the IP, will MHN automatically do the geolocation and show it on the map? I'm confused about this part as well.

Sorry if this sounds ridiculous to experienced hpfeeds developers. Bear with me :)

Thanks!

Jason Trost

Jan 17, 2016, 9:08:13 AM
to Christian Fernandez, Modern Honey Network
Chris,

You will want to make sure that your sensors are configured with a publish channel. The add_user script will do this. Look at the examples of this script's use in the various MHN install and deploy scripts.

You can verify by looking at the users configured in mongo.

mongo hpfeeds
> db.auth_keys.find()

You need to make sure that there is only one entry for the user/ident you created. If there are multiple, the hpfeeds broker may get confused and you could get accessfail messages.

I hope this helps.
--
You received this message because you are subscribed to the Google Groups "Modern Honey Network" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-net...@googlegroups.com.
To post to this group, send email to modern-hon...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/b0b9bbea-713a-4ba3-bd09-89b80f961646%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--
Jason Trost | VP of Threat Research | www.threatstream.com
2317 Broadway, 3rd Floor| Redwood City, CA 94063
Phone:  386.235.0078 | Twitter:  @jason_trost


Christian Fernandez

Jan 20, 2016, 11:06:15 PM
to Modern Honey Network, cfernan...@gmail.com
Thanks for your response, sorry I was busy with work-related stuff until now.
Well, I'm sure I did run that command, the add_user script. Now, I may have done it wrong, but I did get the stdout saying that the channels were created.
But I have run your mongo commands and they return nothing, like literally nothing at all.

Any idea why?

Thanks.

Christian Fernandez

Jan 21, 2016, 12:31:56 AM
to Modern Honey Network
Ohhh wait!! I just tried without the "s", so auth_key instead of auth_keys, and that worked.
So I see the entry there:

"_id" : ObjectId("xxxxxxxxx"), "subscribe" : [ ], "secret" : "xxxxXxxXXxXxxxxx...", "identifier" : "xxxxx-xxx-xxx...", "publish" : [ "attack.ip", "attack.count" ] }

Obviously I have removed the information. So as you can see it is listed, so why am I getting those errors?

Thanks.
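
Added example (not part of the thread, and not MHN or hpfeeds project code): a small checker for the two conditions discussed above, more than one auth_key entry for an ident and a channel missing from its "publish" list. The function name, the sample idents and the constructed records are hypothetical; the records follow the shape of the entry shown above, and the near-miss check assumes the broker compares channel names exactly.

```python
# Added example: explain a likely "accessfail" from hpfeeds auth_key records.
# Assumption: a publish is authorised only when the channel name exactly
# matches an entry in the ident's "publish" list.


def diagnose(auth_docs, ident, channels):
    """Return findings for one ident publishing to the given channels."""
    entries = [d for d in auth_docs if d.get("identifier") == ident]
    if not entries:
        return [f"no auth_key entry for ident {ident!r}"]

    findings = []
    if len(entries) > 1:
        findings.append(f"{len(entries)} entries for ident {ident!r}; keep exactly one")

    for chan in channels:
        for n, doc in enumerate(entries, 1):
            allowed = doc.get("publish", [])
            if chan in allowed:
                continue
            # Near miss: same name apart from case or surrounding whitespace.
            near = [a for a in allowed if a.strip().lower() == chan.strip().lower()]
            if near:
                findings.append(f"entry {n}: {chan!r} is stored as {near[0]!r}")
            else:
                findings.append(f"entry {n}: {chan!r} not in publish list {allowed!r}")
    return findings


# Constructed sample records (not real sensors or secrets).
SAMPLE_DOCS = [
    {"identifier": "sensor-a", "secret": "s1", "subscribe": [],
     "publish": ["attack.ip", "attack.count"]},
    {"identifier": "sensor-b", "secret": "s2", "subscribe": [],
     "publish": ["attack.ip", " attack.count"]},
    {"identifier": "sensor-c", "secret": "s3", "subscribe": [],
     "publish": ["attack.ip"]},
    {"identifier": "sensor-c", "secret": "s4", "subscribe": [], "publish": []},
]

if __name__ == "__main__":
    for ident in ("sensor-a", "sensor-b", "sensor-c", "sensor-x"):
        for chans in (["attack.ip", "attack.count"], ["channel.ip"]):
            print(ident, chans, diagnose(SAMPLE_DOCS, ident, chans) or "ok")
```

To run it against a live broker database, pass in the documents returned by the auth_key query instead of the constructed list.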

Justin Shattuck

Apr 17, 2016, 2:49:03 AM
to Modern Honey Network
Are you performing some enrichment to the hpfeed data via nmap and pumping back in?  Curious if you're willing to share more.