Kippo Logs/ Honeypots sharing same IP address


eyed...@gmail.com

Sep 8, 2016, 4:42:21 AM
to Modern Honey Network
Hello.
Awesome project you guys have. The framework has been amazing. Here is the problem.

On the first day of deploying the honeypot on the MHN server, I recorded quite a number of attacks, on Dionaea to be precise. There have been no attacks on the honeypot ever since then (since 4th of August). What might have caused it?
I am confused here.
1. Is it effective for two or more honeypots to share the same IP address? I ask because I deployed two honeypots on the same IP address (Kippo and Dionaea). Dionaea stopped recording attacks from 4th of August, and the Kippo honeypot is still recording attacks. Could that have caused a conflict, which is why the Dionaea honeypot is no longer recording attacks?

3. How can I extract logs from the honeypots to a database or spreadsheet? Or does the MongoDB have an interface? I need to carry out an analysis of attacks on the logs.
4. How do the rules work?

Jason Trost

Sep 8, 2016, 8:46:57 AM
to Idayat Opeyemi, Modern Honey Network
Thanks Idayat. Answers inline.

> On the first day of deploying the honeypot on the MHN server, I recorded quite a number of attacks, on Dionaea to be precise. There have been no attacks on the honeypot ever since then (since 4th of August). What might have caused it?

* Any chance you reinstalled your MHN server? Or its IP address changed? Or you have a firewall running on the MHN server that needs an ACL rule updated?
* Or any chance dionaea has crashed?

For both of these issues, I recommend following this: https://github.com/threatstream/mhn/wiki/MHN-Troubleshooting-Guide. It should help you narrow down what might be the problem. I recommend starting by making sure dionaea is still running (sudo supervisorctl status). If it is not, then check the logs here: /var/log/dionaea.*. If it is running, I recommend troubleshooting the data flow by following the MHN-Troubleshooting-Guide.

> I am confused here.
> 1. Is it effective for two or more honeypots to share the same IP address? I ask because I deployed two honeypots on the same IP address (Kippo and Dionaea). Dionaea stopped recording attacks from 4th of August, and the Kippo honeypot is still recording attacks. Could that have caused a conflict, which is why the Dionaea honeypot is no longer recording attacks?

Running Dionaea and Kippo together should be fine. We do this with most of the honeypots we deploy. We have a little guide here: https://github.com/threatstream/mhn/wiki/Running-Multiple-Honeypots-on-the-same-server

> 3. How can I extract logs from the honeypots to a database or spreadsheet? Or does the MongoDB have an interface? I need to carry out an analysis of attacks on the logs.

See this for the types of data stored in mongo: https://github.com/threatstream/mhn/wiki/MHN's-MongoDB-Collections

See this for some ways to extract this data to CSV: https://github.com/threatstream/mhn/wiki/Exporting-Honeypot-Data-from-MHN, mainly:

mongoexport --db mnemosyne --collection session --fields=source_ip,destination_ip --csv

> 4. How do the rules work?

Rules are for Snort and Suricata deployments. The rules UI is mainly used to deactivate rules. Once you deactivate one, the next time the sensor checks in for a rules update (which should be daily) the sensor will get the new rule set. To be honest, this feature is a little broken right now since the rules export doesn't work properly. We don't really use this feature anymore, so we haven't spent time to fix it.


--
Jason Trost | VP of Threat Research | www.anomali.com 
2317 Broadway, 3rd Floor| Redwood City, CA 94063
Phone:  386.235.0078 | Twitter:  @jason_trost 

forensi...@gmail.com

Sep 8, 2016, 9:07:26 AM
to Modern Honey Network, eyed...@gmail.com
There are a few combinations of honeypots that will not work together, but Kippo and Dionaea together on the same system work fine.

There are a couple of ways to export data from the MongoDB. You can use the mongoexport command to extract the data into JSON or CSV files:

# Dump all the records from the session collection
mongoexport --db mnemosyne --collection session > session.json

# Dump the source_ip and destination_ip fields from the session collection as JSON
mongoexport --db mnemosyne --collection session --fields=source_ip,destination_ip

# Dump the source_ip and destination_ip fields from the session collection as CSV
mongoexport --db mnemosyne --collection session --fields=source_ip,destination_ip --csv

# Dump the summary counts
mongoexport --db mnemosyne --collection counts --query '{}'

# Dump the metadata collection (only populated if you run p0f sensors).
mongoexport --db mnemosyne --collection metadata --query '{}'


You can use RStudio to extract data from the MongoDB and produce your stats/graphs without needing additional software.

Another option is to write a Python script to extract the data from the MongoDB or from the mongoexport files. This I think is the best method because of the fact that different honeypots store the same data but under different names. You can also pick and choose the timeframe, honeypot(s) or sensor(s) to use in your analysis.

I am not clear on what you mean by "How do the rules work". Please explain.
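The Python approach recommended above, as an added example that is not MHN or mnemosyne project code: it reads the JSON-lines output of `mongoexport --db mnemosyne --collection session`, maps per-honeypot field variants onto one schema, filters by time window, honeypot and sensor, and writes CSV for a spreadsheet. Only `source_ip`, `destination_ip` and the `session` collection come from the thread; the other field names (`honeypot`, `identifier`, `timestamp`, `destination_port`, `protocol`, `auth_attempts`) and the aliases `remote_host`/`local_host`/`local_port` are assumptions about the mnemosyne schema, and the three sample export lines are constructed.

```python
"""Normalise mongoexport dumps of MHN's mnemosyne 'session' collection.

Added example, not MHN/mnemosyne project code. Field names beyond
source_ip/destination_ip are assumptions about the mnemosyne schema; the
sample export below is constructed, not captured data.
"""
import csv
import io
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the shape mongoexport emits: one JSON document per
# line, with extended-JSON wrappers for ObjectId and (in some versions) dates.
SAMPLE_EXPORT = """\
{"_id":{"$oid":"57a3a2d9a4b7c80001000001"},"honeypot":"dionaea","identifier":"sensor-a","timestamp":{"$date":"2016-08-03T21:15:02.000Z"},"source_ip":"198.51.100.7","destination_ip":"203.0.113.10","destination_port":445,"protocol":"smbd"}
{"_id":{"$oid":"57a3a2d9a4b7c80001000002"},"honeypot":"kippo","identifier":"sensor-a","timestamp":{"$date":1470305700000},"source_ip":"198.51.100.7","destination_ip":"203.0.113.10","destination_port":2222,"protocol":"ssh","auth_attempts":[{"login":"root","password":"123456"}]}
{"_id":{"$oid":"57a3a2d9a4b7c80001000003"},"honeypot":"kippo","identifier":"sensor-b","timestamp":"2016-09-07T04:00:00Z","source_ip":"192.0.2.44","destination_ip":"203.0.113.11","destination_port":2222,"protocol":"ssh"}
"""

COLUMNS = ["timestamp", "honeypot", "sensor", "source_ip",
           "destination_ip", "destination_port", "protocol", "auth_attempts"]


def parse_timestamp(value):
    """Accept the date encodings mongoexport has used across versions."""
    if isinstance(value, dict):
        value = value.get("$date")
    if isinstance(value, (int, float)):           # epoch milliseconds
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    if isinstance(value, str):                    # ISO-8601 with Z suffix
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    return None


def normalize(doc):
    """Map one raw session document onto the common schema.

    Honeypots name the same thing differently; the aliases are assumptions
    and should be extended as your own data shows new variants.
    """
    ts = parse_timestamp(doc.get("timestamp"))
    attempts = doc.get("auth_attempts") or []      # Kippo-only field (assumed)
    return {
        "timestamp": ts.isoformat() if ts else "",
        "honeypot": doc.get("honeypot", ""),
        "sensor": doc.get("identifier") or doc.get("sensor", ""),
        "source_ip": doc.get("source_ip") or doc.get("remote_host", ""),
        "destination_ip": doc.get("destination_ip") or doc.get("local_host", ""),
        "destination_port": doc.get("destination_port") or doc.get("local_port", ""),
        "protocol": doc.get("protocol", ""),
        "auth_attempts": len(attempts),
        "_ts": ts,                                # kept for filtering, not exported
    }


def parse_export(text):
    """Parse JSON-lines mongoexport output, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(normalize(json.loads(line)))
        except json.JSONDecodeError:
            continue
    return records


def filter_sessions(records, start=None, end=None, honeypots=None, sensors=None):
    """Keep records inside [start, end) from the chosen honeypots/sensors."""
    out = []
    for r in records:
        ts = r["_ts"]
        if start and (ts is None or ts < start):
            continue
        if end and (ts is None or ts >= end):
            continue
        if honeypots and r["honeypot"] not in honeypots:
            continue
        if sensors and r["sensor"] not in sensors:
            continue
        out.append(r)
    return out


def to_csv(records):
    """Render the normalised records as CSV text for a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def top_sources(records, n=5):
    """Most frequent attacking source addresses across the selected sessions."""
    return Counter(r["source_ip"] for r in records).most_common(n)


if __name__ == "__main__":
    sessions = parse_export(SAMPLE_EXPORT)
    august = filter_sessions(sessions,
                             start=datetime(2016, 8, 1, tzinfo=timezone.utc),
                             end=datetime(2016, 9, 1, tzinfo=timezone.utc))
    print(to_csv(august))
    print(top_sources(sessions))
```

To use it on a real dump, replace `SAMPLE_EXPORT` with the contents of `session.json` produced by the first mongoexport command above; the timestamp parser covers both the numeric-millisecond and ISO string forms of `$date`, so the same script works on exports from different MongoDB versions.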