Can MHN output alert to other server ?


Thomas Vidal

Sep 9, 2014, 4:11:37 AM9/9/14
to modern-hon...@googlegroups.com
Dear all,

MHN looks really great and I would like to go more in depth with this product.
One thing that I'm looking for is a way to inform other servers about real-time attacks. Example:
A honeypot is great for receiving attacks like an SSH login, for example. Then, because all my other servers are not available for SSH connections from outside, I am wondering if in real time I can inform all my servers about SSH attacks on MHN, and then drop all from the IP to my servers?
If not, is it possible to at least get alerts (from hpfeeds, I think) in a text file?

Many thanks and all the best

Thomas

 
 

Jason Trost

Sep 9, 2014, 6:54:17 AM9/9/14
to Thomas Vidal, modern-hon...@googlegroups.com
Thomas,

This capability does not exist today, but something like this should definitely be possible.  All honeypot events are published to "channels" on the hpfeeds broker.  This broker allows processes to subscribe to these channels and process the events in realtime.  I think you could easily augment this script: https://github.com/threatstream/hpfeeds/blob/master/examples/to_stdout.py to do what you're looking for.

I hope this helps.

--Jason


--
You received this message because you are subscribed to the Google Groups "Modern Honey Network" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-net...@googlegroups.com.
To post to this group, send email to modern-hon...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/69185311-81df-4ca6-b766-a5f3710869b1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Jason Trost | Director of ThreatStream Labs | www.threatstream.com 
Phone:  386.235.0078 | Twitter:  @jason_trost 

Thomas Vidal

Sep 16, 2014, 4:57:43 AM9/16/14
to modern-hon...@googlegroups.com
Dear all,

Here is the code to generate a log file that can then be easily read by other servers/services.

#!/opt/hpfeeds/env/bin/python
from __future__ import print_function

import sys
import logging
logging.basicConfig(level=logging.WARNING)
import hpfeeds
import datetime
import json

# One line per event, line-buffered so OSSEC picks it up as soon as it is written
outstream = open("/var/log/attacks.log", "a", 1)

HOST = 'localhost'
PORT = 10000
CHANNELS = ['dionaea.connections', 'kippo.sessions', ]
IDENT = 'mnemosyne'
SECRET = 'mysecret'


def main():

    hpc = hpfeeds.new(HOST, PORT, IDENT, SECRET)
    print('connected to', hpc.brokername, file=sys.stderr)

    def on_message(identifier, channel, payload):
        # Timestamp in syslog style so OSSEC's syslog log_format accepts the line
        dt2 = datetime.datetime.now().strftime('%b %d %H:%M:%S')
        if channel == 'dionaea.connections':
            try:
                payload = json.loads(str(payload).strip())
                print("%s %s MHN: New attack from SRC=%s port %s (generated by dionaea)" % (dt2, payload['local_host'], payload['remote_host'], payload['local_port']), file=outstream)
            except Exception as e:
                print("Error", e, file=sys.stderr)

        elif channel == 'kippo.sessions':
            try:
                payload = json.loads(str(payload).strip())
                print("%s %s MHN: New attack from SRC=%s port %s (generated by kippo)" % (dt2, payload['hostIP'], payload['peerIP'], payload['hostPort']), file=outstream)
            except Exception as e:
                print("Error", e, file=sys.stderr)

    def on_error(payload):
        print(' -> errormessage from server: {0}'.format(payload), file=sys.stderr)
        hpc.stop()
        outstream.close()

    hpc.subscribe(CHANNELS)
    hpc.run(on_message, on_error)
    hpc.close()
    outstream.close()
    return 0

if __name__ == '__main__':
    try:
        sys.exit(main())
    except KeyboardInterrupt:
        outstream.close()
        sys.exit(0)


This code generates log lines like this:
Sep 16 10:41:16 IP.OF.MY.SERVER MHN: New attack from SRC=122.225.109.211 port 22 (generated by kippo)

Next step, on my side, is to create a decoder and rules for OSSEC to automatically ban IPs on all my servers! So I will be back in the next few days or weeks with these codes as well.

All the best

Thomas
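An added example (not the script from the post above): because every line written to attacks.log can end in an automatic firewall drop, a defender wants a producer-side check that the source is a well-formed public address and not one of their own hosts before the line is written. It builds the same log line from the two channels' field names; the NEVER_BAN allowlist is hypothetical and Python 3 is assumed.

```python
import ipaddress
import json
from datetime import datetime

# Per-channel field names, taken from the script above:
# (sensor address key, source address key, port key, tool name)
FIELDS = {
    "dionaea.connections": ("local_host", "remote_host", "local_port", "dionaea"),
    "kippo.sessions": ("hostIP", "peerIP", "hostPort", "kippo"),
}

# Constructed allowlist (hypothetical): ranges that must never reach the
# OSSEC active response, e.g. your own scanners or monitoring hosts.
NEVER_BAN = [ipaddress.ip_network("203.0.113.0/24")]


def format_event(channel, payload, now=None):
    """Build the syslog-style line for one hpfeeds event.

    Returns None when the event must not be written: unknown channel,
    malformed JSON, missing field, a source that is not a public address
    (private, loopback, documentation ranges) or an allowlisted source.
    """
    spec = FIELDS.get(channel)
    if spec is None:
        return None
    sensor_key, src_key, port_key, tool = spec
    if isinstance(payload, bytes):          # hpfeeds hands over raw bytes
        payload = payload.decode("utf-8", "replace")
    try:
        data = json.loads(payload)
        src = ipaddress.ip_address(data[src_key])
        port = int(data[port_key])
        sensor = str(data[sensor_key])
    except (ValueError, KeyError, TypeError):
        return None
    if not src.is_global or any(src in net for net in NEVER_BAN):
        return None
    if any(ch.isspace() for ch in sensor):
        return None  # keep the line single-line and space-delimited for the decoder
    stamp = (now or datetime.now()).strftime("%b %d %H:%M:%S")
    return "%s %s MHN: New attack from SRC=%s port %d (generated by %s)" % (
        stamp, sensor, src, port, tool)
```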

 

Jason Trost

Sep 16, 2014, 11:34:01 AM9/16/14
to Thomas Vidal, modern-hon...@googlegroups.com
This is great.  Thanks for sharing Thomas!


Thomas Vidal

Sep 23, 2014, 6:10:10 AM9/23/14
to modern-hon...@googlegroups.com
Dear all,

So yes, it is now possible to alert other servers about attacks on the MHN server. For that I am using an OSSEC server and agents (www.ossec.net).
First you should format the MHN output using the script in this thread to get, in a specific log file, something like:
Sep 16 10:41:16 IP.OF.MY.SERVER MHN: New attack from SRC=122.225.109.211 port 22 (generated by kippo)  

Then install and configure OSSEC server and agents.

On the SERVER you need to add a decoder in /var/ossec/etc/decoder.xml
<decoder name="mhn">
    <program_name>MHN</program_name>
    <!-- <prematch>^MHN: New attack from </prematch>
    <regex offset="after_prematch">SRC=(\S+) </regex>
    <order>srcip</order>-->
    <regex>from SRC=(\d+.\d+.\d+.\d+)</regex>
    <order>srcip</order>
</decoder>

On the SERVER, you then have to add specific rules in /var/ossec/rules/local_rules
  <!-- Rules for and from MHN server -->
  <rule id="100010" level="3">
    <decoded_as>mhn</decoded_as>
    <description>This IP has been banned for some time on all servers</description><!-- servers defined in ossec.conf for active responses -->
  </rule>
  <rule id="100011" level="3" frequency="3" timeframe="3600" ignore="3600">
    <if_matched_sid>100010</if_matched_sid>
    <description>This IP has been banned for some time on the Honeypot...</description>
  </rule>

On the SERVER, you also need to configure active responses in /var/ossec/etc/ossec.conf
<!-- This is the active response for agent, but not the Honeypot itself -->
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <rules_id>100010</rules_id>
    <timeout>3600</timeout><!-- Drop during 1 hour -->
    <repeated_offenders>1440,10080</repeated_offenders><!-- if same IP then drop for 1 day, and again then drop for one week ! -->
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>002</agent_id>
    <rules_id>100010</rules_id>
    <timeout>3600</timeout>
    <repeated_offenders>1440,10080</repeated_offenders>
  </active-response>
<!-- this is the active response for the honeypot itself. We want it to answer attacks more than other agents -->
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>011</agent_id>
    <rules_id>100011</rules_id>
    <timeout>3600</timeout>
    <repeated_offenders>1440,10080</repeated_offenders>
  </active-response>

Still on the server, we need to ask it to read the log on the honeypot. So in /var/ossec/etc/shared/agent.conf
<agent_config name="MHNSERVER"><!-- the name of the agent on the MHN server -->
    <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/attacks.log</location><!-- The log file on the MHN server -->
  </localfile>
</agent_config>

Of course, restart all agents and servers....

Now all my public servers drop attack IPs in 2 or 3 seconds.... That's not a complete solution of course, but this can help to prevent basic attacks!

All the best

Thomas
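An added replay of the decoder and rule logic above (example code, not OSSEC's own engine): it decodes constructed attacks.log lines with a Python equivalent of the decoder regex (dots made literal) and fires 100010 for every event and 100011 once a source reaches `frequency` events within `timeframe`, then mutes that source for `ignore` seconds. The threshold semantics are a simplification of OSSEC's (assumption), and the year is assumed since syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Python equivalent of the decoder above: program_name MHN, then
# <regex>from SRC=(\d+.\d+.\d+.\d+)</regex> (dots made literal here).
LINE_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) MHN: New attack from "
    r"SRC=(\d+\.\d+\.\d+\.\d+) port (\d+) \(generated by (\w+)\)\s*$")

# Constructed sample of /var/log/attacks.log; the last line is not MHN output.
SAMPLE = [
    "Sep 16 10:41:16 IP.OF.MY.SERVER MHN: New attack from SRC=122.225.109.211 port 22 (generated by kippo)",
    "Sep 16 10:42:01 IP.OF.MY.SERVER MHN: New attack from SRC=122.225.109.211 port 22 (generated by kippo)",
    "Sep 16 10:43:30 IP.OF.MY.SERVER MHN: New attack from SRC=122.225.109.211 port 445 (generated by dionaea)",
    "Sep 16 10:44:00 IP.OF.MY.SERVER MHN: New attack from SRC=122.225.109.211 port 22 (generated by kippo)",
    "Sep 16 10:45:00 IP.OF.MY.SERVER MHN: New attack from SRC=198.51.100.9 port 22 (generated by kippo)",
    "Sep 16 10:45:05 IP.OF.MY.SERVER sshd[123]: Failed password for root from 198.51.100.9",
]


def decode(line, year=2014):
    """Fields the decoder extracts from one line, or None if it is not an MHN event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group(2), "srcip": m.group(3),
            "port": int(m.group(4)), "tool": m.group(5)}


def evaluate(lines, frequency=3, timeframe=3600, ignore=3600):
    """Replay lines through rule 100010 (every decoded event) and rule 100011
    (frequency events from one srcip within timeframe seconds, then muted for
    ignore seconds). Returns [(srcip, rule_id, timestamp), ...] in order."""
    alerts, window, muted = [], {}, {}
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        ip, ts = ev["srcip"], ev["ts"]
        alerts.append((ip, 100010, ts))          # every event: firewall-drop on agents
        if ip in muted and ts < muted[ip]:
            continue                             # 100011 already fired recently for this ip
        recent = [t for t in window.get(ip, []) if ts - t <= timedelta(seconds=timeframe)]
        recent.append(ts)
        window[ip] = recent
        if len(recent) >= frequency:
            alerts.append((ip, 100011, ts))      # honeypot-side drop, rule 100011
            muted[ip] = ts + timedelta(seconds=ignore)
            window[ip] = []
    return alerts
```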




Jason Trost

Sep 23, 2014, 11:54:03 AM9/23/14
to Thomas Vidal, modern-hon...@googlegroups.com
Thanks for sharing.  This is great.  If you have time, this seems like it would make a great blog post.


Noël Nachtegael

Dec 15, 2014, 3:35:35 AM12/15/14
to modern-hon...@googlegroups.com
Hi Thomas

Could you give us the steps of how to implement this script on an MHN server?
How do we get this script running and producing the attacks.log file?

thx and regards,
noël

Noël Nachtegael

Dec 18, 2014, 7:55:25 AM12/18/14
to modern-hon...@googlegroups.com
OK, got it to work with supervisor.

fpea...@gmail.com

Jan 14, 2015, 10:55:16 AM1/14/15
to modern-hon...@googlegroups.com
Much love to Jason for this excellent platform and Thomas for the incredibly useful information in this thread!

I now have Dionaea on Pis on all external ranges feeding back IPs through MHN to OSSEC, which bans them on our external firewalls. I also have MHN covering all internal subnets, with OSSEC generating email alerts off the back of it.

Total capex (excluding time) <£100.

Greg Martin

Jan 14, 2015, 10:56:33 AM1/14/15
to fpea...@gmail.com, modern-hon...@googlegroups.com
Awesome!




--
Greg Martin | Chief Technical Officer | www.threatstream.com 
401 Warren Street, Ste 200 | Redwood City, CA 94063 
Phone:  408-800-4050 |  Twitter:  @threatstream 

Operationalize / Detect / Disrupt

Jason Trost

Jan 14, 2015, 12:01:53 PM1/14/15
to fpea...@gmail.com, modern-hon...@googlegroups.com
Very cool!  

On Wed, Jan 14, 2015 at 7:55 AM, <fpea...@gmail.com> wrote:


Jordan Anderson

Feb 9, 2015, 10:28:23 AM2/9/15
to modern-hon...@googlegroups.com
Thomas,

Thanks for this code. When I run it on my MHN server, I get the following output:
$ sudo ./mhn_to_stdout.py
connected to
@hp2
 
->errormessage from server: authfail.

I assume that's because I don't know the value of the 'SECRET' variable - I've attempted to replace this value with my account's API key (as listed in the web interface's "Settings" page), but that still fails with the same error. What is my secret and where can I find it?

Thank you,

Jordan

Jason Trost

Feb 9, 2015, 11:14:04 AM2/9/15
to Jordan Anderson, modern-hon...@googlegroups.com
Jordan,

We just pushed a new project and install script to get MHN to log events to a file for Splunk (and soon ArcSight). Pull the latest MHN code and run the script.



Jordan Anderson

Feb 9, 2015, 12:50:54 PM2/9/15
to modern-hon...@googlegroups.com, jordana...@gmail.com
Jason,

Awesome, this is exactly what I was looking for. Thank you!

Jordan