Addition of new honeypots to the MHN

[David Greenwood]

Hi all -

It has been a while since any new honeypots were added into the core code base of MHN. Does anyone have any recommendations for new honeypots that could be added in 2017?

Thanks,

[mrco...@gmail.com]

as far as i know the project is discontinued. No more honeypots will be included.

BR,

Fabrizio

[David Greenwood]

Hey Fabrizio,

I work for Anomali (who manage the MHN repo). In all honesty, we have not been looking after this project too well since Jason T, who spearheaded this project, left the company last year.

Whilst I cannot promise anything, I'm very interested to hear how it could be improved both with the addition of honeypots and functionality.

-dave

[mrco...@gmail.com]

Hi David,

There are a lot of interesting honeypots out there. I personally use just some of them because i am interested in having specific feedbacks about some threats.

I use hontel which is a simple python telnet honeypot which is veru useful to catch telnet bruteforce attacks and it also collects samples (i've got many mirai samples). I am going also to use VNC-Pot, a python honeypot simulating VNC server.

There are some other interesting features i would add to MHN:

- PDF reports with filtering capabilities

- Administrator profiles

- Syslog exportation

- Email alerts

i also noticed some small bugs:

- Dionaea captures are only visible if the attacker has IPv6 Ip address

- Feeds from honeypots sometimes are not visible if the honeypot has just been installed

- Sometimes honeymap does not displays anything in realtime even if attacks are coming in and properly stored in the database

I am currently trying to expand my honeypot distribution so i can have more data to analyze.

Have a nice day!

Fabrizio

[johnpat...@gmail.com]

Hi! 

Since the MHN is not that stable is there any way the project continue it's support?

[Mila Parkour]

Hello David Greenwood,

i hope you support this project we really need it. so i have lot's on request you may add in future.
1- change the map and make it more interactive and show threat in log not just connection
PLEASE make map like

https://threatmap.checkpoint.com/ThreatPortal/livemap.html
http://threatmap.fortiguard.com/
2- add new honeypot for example
honeytrap
emobility
and etc.
3- fetch rule  in every day is not worked very well please correct the bug.
4- snort is too old please add snort 3 please update all sensor as you can
5- please update splunk app to show more information and change the interface

thanks indeed

i am very happy to hear from you hear and give me your feedback about my request.

[adedo...@tuxz.net]

Hello,

Thanks for your transparency

As we are talking about an OSS project backed at some point by your company, what is the "official" decision on your side ? Will you continue to keep an eye on the github repo, merge PR & so on or should we think about forking that into a new dedicated project with new maintainers ?

I'd be glad to help on that topic if needed ...

Waiting for your feedback,

Bests,

Alex

[john patrick lita]

Hello

Agree with Alex we also use the MHN and we did some tweks on the repo and like snort is not compatible in centos and we successfully port it for centos 6

Also waiting for the feedback

Jaypee

--
You received this message because you are subscribed to a topic in the Google Groups "Modern Honey Network" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/modern-honey-network/zG3eSt0SmHc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to modern-honey-net...@googlegroups.com.
To post to this group, send email to modern-hon...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/8b98ff3f-e992-4597-aabb-1e1bcba0e634%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

-----------------------------------------------------------------------------------------------------------

The information contained in this message and any attachments may be privileged, confidential, proprietary or otherwise protected from disclosure. If you, the reader of this message, are not the intended recipient, you are hereby notified that any dissemination, distribution, copying or use of this message and any attachment is strictly prohibited. If you have received this message in error, please notify the sender immediately by replying to the message, permanently delete it from your computer and destroy any printout.
----------------------------------------------------------------------------------------------------------

[Travis Farral]

This is a good thread - thanks for starting it, David Greenwood.

Good suggestions here.  I also work for Anomali and while we move to pour some energy back into this project, I want to make sure that we are putting effort into the right places.

Let me try and summarize the suggestions so far:

• Bring the codebase up-to-date and fix any outstanding bugs
  
• Update support for the latest Snort and latest versions of supported honeypots
• Include support for additional honeypots - we will need some help here so we are focusing on the ones that will bring the most value.  Each addition will require some effort and the support will need to be maintained going forward.  https://github.com/paralax/awesome-honeypots is a great list of potential additions.  Appreciate the suggestions here so far.
  
• Update Splunk integration to include more information and update the interface (@Mila, can we reach out to you directly for more information by what you mean here?)
• Other good suggestions to be considered:  PDF reports, email alerts, admin profiles, syslog export

Additional feedback is appreciated and we definitely appreciate these comments and the support for this project.

-Travis Farral

Jaypee

To unsubscribe from this group and all its topics, send an email to modern-honey-network+unsub...@googlegroups.com.

To post to this group, send email to modern-hon...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/8b98ff3f-e992-4597-aabb-1e1bcba0e634%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[john patrick lita]

Hi

This is great! And another suggestion is if we can create an data filter. 

Example:

If a create another user on the admin side it will automatically create an api for that specific user on the user side the data available to his end is the sensor deployed to his machine/honeypots.

This can help control the data, this options is for multi diployment of sensors/honeypots to maintain the privacy of other user or agency that would require privacy.

Thanks

To unsubscribe from this group and all its topics, send an email to modern-honey-net...@googlegroups.com.

To post to this group, send email to modern-hon...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/8b98ff3f-e992-4597-aabb-1e1bcba0e634%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

-----------------------------------------------------------------------------------------------------------

The information contained in this message and any attachments may be privileged, confidential, proprietary or otherwise protected from disclosure. If you, the reader of this message, are not the intended recipient, you are hereby notified that any dissemination, distribution, copying or use of this message and any attachment is strictly prohibited. If you have received this message in error, please notify the sender immediately by replying to the message, permanently delete it from your computer and destroy any printout.
----------------------------------------------------------------------------------------------------------

--

You received this message because you are subscribed to a topic in the Google Groups "Modern Honey Network" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/modern-honey-network/zG3eSt0SmHc/unsubscribe.

To unsubscribe from this group and all its topics, send an email to modern-honey-net...@googlegroups.com.

To post to this group, send email to modern-hon...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/8e1c5f48-8ba7-4f61-afd9-148f5117fad9%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Roland Urbano]

Hi,

Thanks for reviving the Project ;)  I was afraid witout Jason the MHN will slowley die.... :(
Nice to hear that you guys will continue adding new features. I would be very happy to help with providing PR for new sensors.

I would suggest to keep an eye on MushMush.org since their Head, Lukas Rist (CRO @ The Honeynet Project) is working on multiple cool project such as SNARE/TANNER, Glutton which would be nice to have in MHN.

As a start I could add a deployment for SNARE/TANNER to MHN with a PR. At least if you want me to ;)

Cheers

[smur...@gmail.com]

This is great news! I just stumbled on this honeypot solution a few days ago and already have a network of sensors up and running.

• I would love to collect mirai samples
• I would also love to see an updated map. One that has more information on the attackers. Whois info maybe
• Maybe a way to sort the map base on honeypot type or port address
  

[smur...@gmail.com]

Maybe something like this?

https://intel.malwaretech.com/pewpew.html

[Roland Urbano]

Hey,

I would like to see Beeswarm(http://www.beeswarm-ids.org/) added to the MHN.

Cheers

[Matthias Merkel]

It may be interesting to have Spamtraps/SMTP honeypots included as well. In that case one would need some kind of emails tab, too though. Also it would be interesting to automatically upload to https://github.com/Tigzy/malware-repo

Am Samstag, 6. Mai 2017 18:39:20 UTC+2 schrieb David Greenwood:

[ozzysch...@gmail.com]

Here are some ideas that are really a stretch for the project:

- I'm not sure how difficult it would be, but stix/taxii output would be awesome for IOC's. Then we could plug it in to STAXX ;-)

- Some way of easily auto-generating suricata/snort rules would be awesome. So the output could be pulled into a nids/nips.

(I'm not a smart coding person, but I wonder if the above two could be accomplished by manipulating data about the attacks in a local db? That would make it easier to add other output features by the community. Some additional things in the optional ELK back end might also be handy here.)

- Being able to easily add custom locations for IP networks like 10.0.0.0/24 = Server Subnet, 172.21.7.0/26 = VPN Subnet. For those who might be using MHN internally to monitor lateral movement throughout their network this would be handy. An example of what we can do with more actionable information - if 172.21.7.5 triggered alerts on 5 different honeypot nodes, we would know that it was probably a compromised VPN account or computer connected over VPN. If something internally to MHN could recognize that it triggered 5 times and execute "actions" off of that alert, we could have a python script to send an email (takes care of the requested email alerting) or a different custom python script written by us (the community) to automatically pull that information, create a rule and "inject" that rule into the VPN server to drop traffic from that user account based off of the offending IP. That way a company or individual could get email alerts, but also write custom scripted actions to help turn this from a monitoring product into something more actionable. And then if we could get the community to share their custom scripts, it might really take this project to the next level. Basically just asking for alerting to be more "pluggable?", if that's a word?

These are things that would be epic, but being not a paid product it's definitely a stretch. Thanks for being awesome and reaching out to the community. In a lot of cases smaller companies don't have much of an infosec budget and this has the ability to make the small business sector a lot more secure. Having an easy to use OSS honeypot really helps those interested in infosec (like me) progress their skills in a lab network so they can go out and apply their new skills to the ever growing demand in the field. I'm not the best in python yet but if we had the ability to plug in scripts for alert actions, I would gladly share what ever I come up with to the community to help keep this project alive. Hopefully that's all somewhat coherent, I just woke up :-)

[prof...@hotmail.com]

I would like to see MHN send its feed to QRadar. As for new honeypots, I would like to see an email spam/phishing honeypot added. Maybe something like SHIVA.

[dpico...@gmail.com]

ADD bro ids

On Saturday, May 6, 2017 at 9:09:20 PM UTC+4:30, David Greenwood wrote:

[Chris Wilson]

Would love to see the ability to make a sensor geared towards detecting threats on various cms systems like wordpress, opencart, etc.

[mg....@campus.fct.unl.pt]

Do you really developed a way of SNARE/TUNNER working with our MHN?

I want to include it in my project as it is a huge improve regarding Glastopf but I am having difficulties implementing it.

[Brady Sullivan]

We have not officially released an install script for SNARE/TANNER.
However, if it supports hpfeeds, it should be relatively easy to
integrate. The wiki on GitHub has some documentation on incorporating
new sensors.

> --
> You received this message because you are subscribed to the Google Groups
> "Modern Honey Network" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to modern-honey-net...@googlegroups.com.

> To post to this group, send email to modern-hon...@googlegroups.com.
> To view this discussion on the web visit

> https://groups.google.com/d/msgid/modern-honey-network/99b08ddd-37ed-4a33-8d7f-703739bce196%40googlegroups.com.