MHN Dionaea ThreatMap
Wednesday, 29 October 2014
Set MHN for local rfc1918 addresses
#!/bin/bash
# LocalMHN to set MHN for rfc1918 private / local networks CEM 29/Oct/2014
cd /opt/mnemosyne/
# Pull the latest mnemosyne from upstream, carrying any local edits across the merge
git fetch origin
git stash
git merge origin/master
git stash pop
# mnemosyne drops events from private (RFC 1918) sources by default; keep them for a lab network
sed -i 's/ignore_rfc1918 = True/ignore_rfc1918 = False/g' mnemosyne.cfg
supervisorctl restart mnemosyne
supervisorctl status
====take two ===
#!/bin/bash
# LocalMHN to set MHN for rfc1918 private / local networks CEM 22/Sept/2014
# Also trap mac addresses in Dionaea for analysis
cd /opt/mnemosyne/
# Pull the latest mnemosyne from upstream, carrying any local edits across the merge
git fetch origin
git stash
git merge origin/master
git stash pop
# Keep events from private (RFC 1918) sources instead of ignoring them
sed -i 's/ignore_rfc1918 = True/ignore_rfc1918 = False/g' mnemosyne.cfg
# Have Dionaea record the attacker's MAC address (only meaningful on the local segment)
sed -i 's/lookup_ethernet_addr = "no"/lookup_ethernet_addr = "yes"/g' /etc/dionaea/dionaea.conf
supervisorctl restart mnemosyne
sudo supervisorctl restart dionaea
supervisorctl status
Friday, 24 October 2014
Enable MHN Dionaea Sandbox submission
Regarding the sandbox submission, we don't have this enabled now. To do so, you need to do a couple of things.
sudo gedit /etc/dionaea/dionaea.conf
.
1. find the line that looks like this (in the ihandlers section):
// "virustotal",
and uncomment it.
2. Find the section that looks like this:
virustotal = {
apikey = "........." // grab it from your virustotal account at My account -> Inbox -> Public API
file = "var/dionaea/vtcache.sqlite"
}
and fill in your API key.
2f226f10dfe3a6b2d==
f0102876b42070cd2==
7f86543ae28d79443==
bdd98eb539708
3. Save dionaea.conf and restart
sudo supervisorctl restart dionaea
--
Thanks
Jason @ Threatstream
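The three steps above can be done by script instead of by hand in gedit. The following is an added example, not part of Jason's reply and not Dionaea's own tooling; it assumes GNU sed and the pre-1.0 dionaea.conf layout quoted above (a commented-out `// "virustotal",` line under ihandlers and a `virustotal = { ... }` block). The sample config it writes is constructed for testing.

```shell
#!/bin/bash
# Added example, not from the original post or the Dionaea project: enable the
# VirusTotal submission handler by script. Assumes GNU sed and the pre-1.0
# dionaea.conf layout shown in the post.

# Write a small constructed dionaea.conf fragment (sample input for testing only)
write_sample_conf() {
    cat > "$1" <<'EOF'
ihandlers = {
    handlers = ["store", "logsql",
//      "virustotal",
    ]
}
virustotal = {
    apikey = "........."   // placeholder, as shipped
    file = "var/dionaea/vtcache.sqlite"
}
EOF
}

# enable_virustotal CONF APIKEY
# Uncomments the "virustotal" ihandler and sets apikey inside the virustotal block only.
enable_virustotal() {
    local conf="$1" key="$2"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # Accept only the characters a VirusTotal key uses; anything else is a paste
    # error and would also be unsafe to splice into the sed expression.
    case "$key" in
        ""|*[!A-Za-z0-9]*) echo "refusing empty key or key with unexpected characters" >&2; return 1 ;;
    esac
    # Step 1 from the post: drop the leading "//" in front of "virustotal",
    sed -i 's#^\([[:space:]]*\)//[[:space:]]*"virustotal",#\1"virustotal",#' "$conf"
    # Step 2: replace the apikey value, but only between "virustotal = {" and its "}"
    sed -i '/^[[:space:]]*virustotal = {/,/^[[:space:]]*}/ s#apikey = "[^"]*"#apikey = "'"$key"'"#' "$conf"
}

# virustotal_enabled CONF
# Returns 0 when the handler is uncommented and a non-placeholder key is set.
virustotal_enabled() {
    local conf="$1"
    grep -q '^[[:space:]]*"virustotal",' "$conf" &&
    sed -n '/^[[:space:]]*virustotal = {/,/^[[:space:]]*}/p' "$conf" |
        grep -q 'apikey = "[A-Za-z0-9]\{1,\}"'
}

# Usage on a sensor (then step 3 from the post: sudo supervisorctl restart dionaea):
#   enable_virustotal /etc/dionaea/dionaea.conf "$VT_API_KEY" && virustotal_enabled /etc/dionaea/dionaea.conf
```

The apikey edit is restricted to the `virustotal = { ... }` block so that no other `apikey` line elsewhere in the file is touched, and `virustotal_enabled` gives a check to run before the restart rather than discovering a missed edit in the Dionaea log later.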
Wednesday, 22 October 2014
cd /opt/mhn
source env/bin/activate
sudo pip install --upgrade -r server/requirements.txt
sudo supervisorctl status
Friday, 17 October 2014
MHN - Delete Old Records
You can delete the fake attacks from MHN by using the mongo DB command. Here is how you would do it for IP 1.2.3.4:
mongo mnemosyne
> db.session.count({ source_ip:"1.2.3.4" })
> db.session.remove({ source_ip:"1.2.3.4" })
The first command will show you how many entries will be deleted. The 2nd command will delete them.
Depending on the setup, mongo may store the results with "::ffff:" prepended to the IP. So you may need to do this too:
> db.session.count({ source_ip:"::ffff:1.2.3.4" })
> db.session.remove({ source_ip:"::ffff:1.2.3.4" })
To explore the "logs" you can also use mongo. Here is an example:
> db.session.find({source_ip: "4.5.5.6"})
---
I had issues connecting mongo to mnemosyne
gedit /etc/mongod.conf
change to
bind_ip = 0.0.0.0
Then
sudo rm /var/lib/mongodb/mongod.lock
sudo service mongodb restart
--
Thanks
Jason Trost from ThreatStream
http://stackoverflow.com/questions/24899849/connection-refused-to-mongodb-errno-111
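The count-then-remove sequence from Jason's notes, covering both the plain and the `::ffff:` form of the address in one filter, as an added example (not from the post or the MHN project). It assumes the legacy `mongo` shell and the `mnemosyne` database named above; the address validation and the dry-run default are additions.

```shell
#!/bin/bash
# Added example, not from the original post or the MHN project: purge mnemosyne
# session records for one attacker address, matching both storage forms of the
# address and always counting before removing. Assumes the legacy "mongo" shell.

# valid_ipv4 ADDR: succeed only for a dotted quad, so a typo cannot turn into
# an unexpected filter against the live database
valid_ipv4() {
    local ip="$1" rest octet count
    case "$ip" in
        ""|*[!0-9.]*|.*|*.) return 1 ;;
    esac
    rest="$ip"; count=0
    while [ -n "$rest" ]; do
        octet="${rest%%.*}"
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
        case "$rest" in *.*) rest="${rest#*.}" ;; *) rest="" ;; esac
    done
    [ "$count" -eq 4 ]
}

# session_filter ADDR: the mongo filter covering both ways the address may be stored
session_filter() {
    printf '{ source_ip: { $in: ["%s", "::ffff:%s"] } }' "$1" "$1"
}

# purge_source_ip ADDR [yes]
# Prints how many session documents match; removes them only when the second
# argument is literally "yes", keeping the count-then-remove order from the post.
purge_source_ip() {
    local ip="$1" confirm="${2:-no}" filter
    valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    filter=$(session_filter "$ip")
    echo "sessions matching $ip: $(mongo --quiet mnemosyne --eval "print(db.session.count($filter))")"
    if [ "$confirm" = "yes" ]; then
        mongo --quiet mnemosyne --eval "db.session.remove($filter)"
    else
        echo "dry run only; pass 'yes' as the second argument to remove them" >&2
    fi
}

# Usage:
#   purge_source_ip 1.2.3.4        # count only
#   purge_source_ip 1.2.3.4 yes    # count, then remove
```

These functions only ever talk to mongo on the local host, which is all the commands in the post need. The `bind_ip = 0.0.0.0` change above makes the mnemosyne database reachable on every interface, so if that setting is kept, restrict access to the MongoDB port at the firewall unless authentication has been enabled.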
Wednesday, 15 October 2014
Tweaking MHN
Edit
/opt/mhn/server/config.py
SERVER_BASE_URL = 'http://192.168.1.101'
HONEYMAP_URL = 'http://192.168.1.101:3000'
Restart
sudo supervisorctl restart mhn-uwsgi
--
Thanks
https://groups.google.com/forum/#!topic/modern-honey-network/8iFsMdHSHqE
Sunday, 21 September 2014
Modern Honeypot Network
Lots of work to set up
http://threatstream.com/blog/mhn-modern-honey-network
Try to pop it into a script to automate it
#!/bin/bash
# MHN Getting started CEM 22/Sept/2014
cd /opt/
sudo apt-get install git -y
sudo git clone https://github.com/threatstream/mhn.git
cd mhn/scripts/
sudo ./install_hpfeeds.sh
sudo ./install_mnemosyne.sh
sudo ./install_honeymap.sh
sudo ./install_mhnserver.sh
Deploy
Then on Terminal Command Line
but then
to do
Submit Norman
https://github.com/threatstream/mhn/issues/46
Wednesday, 17 September 2014
Security Onion
sudo vi /etc/nsm/pulledpork/disablesid.conf
# Disable the GPL SNMP public access udp signature
1:2101411
sudo /usr/bin/rule-update
sudo vi /etc/nsm/securityonion.conf
DAYSTOKEEP = 1
sudo sguil-db-purge
sudo /usr/bin/rule-update
----Thanks---
https://code.google.com/p/security-onion/wiki/ManagingAlerts
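The two edits above, done idempotently so the script can be re-run without duplicating the disablesid entry. This is an added example, not from the post or from Security Onion; it assumes one `gid:sid` per line in disablesid.conf and a single `DAYSTOKEEP` line in securityonion.conf, and the sample files it writes are constructed for testing.

```shell
#!/bin/bash
# Added example, not from the original post or Security Onion: apply the two
# edits from the post by script. Assumes one gid:sid per line in disablesid.conf
# and a DAYSTOKEEP line in securityonion.conf.

# Write constructed sample files (testing only): DISABLESID SOCONF
write_samples() {
    printf '# constructed sample disablesid.conf\n1:2000000\n' > "$1"
    printf 'DAYSTOKEEP=365\nOTHER=x\n' > "$2"
}

# disable_sid FILE GID:SID [COMMENT]
# Appends a rule id once, with an optional comment line above it.
disable_sid() {
    local file="$1" id="$2" comment="$3"
    case "$id" in
        ""|*[!0-9:]*|*:*:*|:*|*:) echo "expected GID:SID, got: $id" >&2; return 1 ;;
        *:*) ;;
        *) echo "expected GID:SID, got: $id" >&2; return 1 ;;
    esac
    if grep -qx "$id" "$file" 2>/dev/null; then
        return 0   # already disabled; nothing to do
    fi
    if [ -n "$comment" ]; then
        printf '# %s\n' "$comment" >> "$file"
    fi
    printf '%s\n' "$id" >> "$file"
}

# set_days_to_keep FILE N
# Rewrites the DAYSTOKEEP value, preserving the file's own spacing around "=",
# and fails if the line is missing rather than silently changing nothing.
set_days_to_keep() {
    local file="$1" days="$2"
    case "$days" in ""|*[!0-9]*) echo "DAYSTOKEEP must be a number" >&2; return 1 ;; esac
    grep -q '^DAYSTOKEEP *= *' "$file" || { echo "no DAYSTOKEEP line in $file" >&2; return 1; }
    sed -i "s/^\(DAYSTOKEEP *= *\)[0-9]*.*/\1$days/" "$file"
}

# Usage on a sensor, as root, followed by the commands from the post:
#   disable_sid /etc/nsm/pulledpork/disablesid.conf 1:2101411 "Disable the GPL SNMP public access udp signature"
#   /usr/bin/rule-update
#   set_days_to_keep /etc/nsm/securityonion.conf 1
#   sguil-db-purge
```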
Thursday, 11 September 2014
Amun
http://diatel.wordpress.com/2010/05/05/amun-honeypots-installation/