    Jesse Bowling
    @JesseBowling

    Routing 10.0.10.0/24 to an anyip host with a “real/management” interface on 10.0.20.5 is just dandy.

    But if you tried to send a default route of 10.0.0.0/16 at the anyip interface, your management interface traffic will end up sucked into the honeypot as well, which is of course not ideal. :-/

    I think the answer there is multiple routing tables with priority based on interface, but I’ve yet to actually work out exactly how to make that work.
    Chris O'Donnell
    @chodonne_twitter
    ok…we’re working on routing subnets that aren’t on the same one in the main interface.
    Jesse Bowling
    @JesseBowling
    ah, ok
    Chris O'Donnell
    @chodonne_twitter
    Like I said, I’ll play around w/ it, just wanted to verify I wasn’t missing something easy before I went down the rabbit hole
    zapsoda
    @zapsoda
    Can anyone tell me how CHN compares to the MHN? I realize that MHN is developed by a commercial company, but what additions/features does CHN have that MHN does not? Aka why would I use one over the other?
    Jesse Bowling
    @JesseBowling

    Hi @zapsoda ! Great question!

    MHN is where CHN came from; we forked that project about 1.5 years ago and have been working to maintain it since then. In terms of project comparisons, I think the biggest difference is that CHN is based on Docker images for the server and individual honeypots, while MHN used custom scripts to install the software onto the local OS in a traditional manner.

    CHN is being developed towards furthering the STINGAR project (https://stingar.security.duke.edu), but could be used by others who are interested in running honeypot networks and sharing those results via CIF (Collective Intelligence Framework, particularly https://github.com/csirtgadgets/bearded-avenger)
    zapsoda
    @zapsoda
    Awesome! Thank you!
    Jesse Bowling
    @JesseBowling
    At least 1.5 years ago, Threatstream had declared MHN to be a “community supported project” after the primary author, Jason Trost, left Anomali. Perhaps they picked support back up….
    but it’s been a bit since I looked :)
    zapsoda
    @zapsoda
    Hmm, it does seem to be updated but I'm interested in the Docker capabilities of CHN, I'll be playing around with it shortly..
    Jesse Bowling
    @JesseBowling
    Well, looks like someone pushed something to master 27 days ago, so...
    Someone is doing something :)
    Please do! and lodge all your complaints either in https://github.com/CommunityHoneyNetwork/CHN-Server/issues or here. We can’t get better without feedback. :)
    I’ll note that we’ve been targeting Docker as the primary use case, and the way we worked the old MHN stuff into the current model forced some choices that make it not so great for k8s, but should be fine in a Docker-based container environment :)
    zapsoda
    @zapsoda
    Hmm, good to know, thanks!
    Jesse Bowling
    @JesseBowling
    We’ve got a big push for 2.0 version that should be in minimum viable product state by end of year that will address that. However, that’s a long way away (though less so than when we started in March) :D
    zapsoda
    @zapsoda
    For the base URL can it be an IP, or does it need to be a domain? @JesseBowling
    Jesse Bowling
    @JesseBowling
    It can be an IP, but know that it will default to using a self-signed cert for the server (so you’ll have to accept warnings in the browser). Also you’ll need to add a --no-check-certificate to the wget portion of the deployment command
    Do specify the “http” or “https” in the SERVER_BASE_URL though, even if you use an IP
    zapsoda
    @zapsoda
    Cool, I assume I should define the SUPERUSER_EMAIL and PASSWORD variables? What about SECRET_KEY/DEPLOY_KEY? Or should I just not mess with the chnserver.sysconfig much yet? Besides defining the base_url? (I'm just spinning up a PoC deployment to play around with for now)
    zapsoda
    @zapsoda
    I'm getting a refused connection when I try to connect to the management URL (after resetting the admin password and deploying with docker-compose), any suggestions @JesseBowling ?
    zapsoda
    @zapsoda
    I could tell from the log output CERTBOT was failing because I was using an IP rather than a domain; switched to SELFSIGNED and was still getting an error around generating the cert. When run with sudo the error seems to change/go away, but I'm still unable to browse to it.
    zapsoda
    @zapsoda
    Everything seems to be working now!
    Mark Gardner
    @mkgvt_gitlab
    How do I verify that data from our new honeypot is showing up in the CHN? (Someone I talked to off-line said something about figuring out our participant ID so we could distinguish our data.)
    (I asked a similar question earlier.)
    We have verified the data by looking at the web interface using admin@localhost. I would now like to verify the data is reaching the CHN.
    Jesse Bowling
    @JesseBowling
    @zapsoda Great! Was it an error with Certbot hitting API limits?
    zapsoda
    @zapsoda
    @JesseBowling I'm not entirely sure, I think it was most likely a user error (documentation does mention having the certs folder populated before starting up the VM the first time..), I've now moved onto collecting/viewing the data (via CIFs?)
    Which is mostly researching and reading right now, lol
    Jesse Bowling
    @JesseBowling

    So the CIF bit only works if you’re contributing to the STINGAR project, which is restricted to education institutions only at the moment. :-/

    OR if you run your own CIF instance for collecting data, but that would likely be overkill for a single instance. If it’s just a single CHN server, I would configure the logging and then pull the logs off somewhere convenient

    You can also use the API, but I prefer logging and using an agent/syslog to get the data off-box somewhere useful
    Hi @mkgvt_gitlab ! Actually working with a student in your project now to get the API key needed. That’s actually my next task. :)
    Mark Gardner
    @mkgvt_gitlab
    Thanks @JesseBowling . As we are building our research on the data we get out, we want to make sure we are providing accurate data.
    zapsoda
    @zapsoda
    Thanks for the tips @JesseBowling I'd be interested in potentially deploying a larger network at some point, I setup a CIF instance on a DO droplet to play around with
    Am I right in assuming I could have one CHN server instance feed to CIF from many distributed honeypot agents? But only having one CHN server (with agents spread across networks/providers) wouldn't provide anywhere near the intended amount of data for a CIF server? (Aka, I would want to combine more data feeds? Potentially from csirtg.io or other sources?)
    Trying to find a good way to visualize/utilize the data beyond the CHN web ui
    Jesse Bowling
    @JesseBowling

    So our concept when we architected this was basically:

    • each school deploys a single CHN instance, with multiple honeypots deployed off that CHN instance
    • each school contributes their own data back to a CIF instance we run for the STINGAR project
    • now each school can pull back summary data on what ALL the schools are seeing from the CIF instance

    The biggest difference is the granularity of data: with the CHN logs, you can see username/password attempts, commands run, etc, while with the CIF data it’s basically a summary: this IP/URL/hash, this time, this honeypot type

    Yeah, the CHN web ui is garbage for that. That’s where most of the work for version2 will go; a UI that does useful things. :)
    If it’s something you’re comfortable with
    change the logging format to JSON, get those logs into an ELK instance, and visualize/explore with Kibana
    Probably the easiest path forward
    zapsoda
    @zapsoda
    Sweet! Thanks for the info!
    zapsoda
    @zapsoda
    Would I start with using the "hpfeeds-logger" to create the local JSON log then work on exporting those to ELK or does the base CHN deployment already have the logging sufficient to export to Elastic?
    Sounds like hpfeeds-logger is what I need
    zapsoda
    @zapsoda
    Considering hpfeeds-logger exports to json, with what appears to be a somewhat defined output fields, I don't need to use logstash to export to ES, right? @JesseBowling
    Jesse Bowling
    @JesseBowling
    Hi @zapsoda ! I haven’t used ES/ELK enough to really answer your questions, but…I think the JSON can be consumed directly. That said, if I could convince you to log a feature request at https://github.com/CommunityHoneyNetwork/CHN-Server/issues (something along the lines of “code or documentation to support direct export to ELK stack”) so we can look at what it would take to do that…While you’re there, add a request for Kafka support, because I know some others are interested in that :)...
    Jay Brewer
    @mycroft9x
    Is this a good place to ask for install help or is there a more preferred forum or other site?
    Chris O'Donnell
    @chodonne_twitter
    is there a supported way to keep only the last X days of logs in MongoDB? we’re running into space issues on the mgmt container