    Jesse Bowling
    @JesseBowling
    Do specify the “http” or “https” in the SERVER_BASE_URL though, even if you use an IP
    zapsoda
    @zapsoda
    Cool, I assume I should define the SUPERUSER_EMAIL and PASSWORD variables? What about SECRET_KEY/DEPLOY_KEY? Or should I just not mess with the chnserver.sysconfig much yet? Besides defining the base_url? (I'm just spinning up a PoC deployment to play around with for now)
    zapsoda
    @zapsoda
    I'm getting a refused connection when I try to connect to the management URL (after resetting the admin password and deploying with docker-compose). Any suggestions, @JesseBowling?
    zapsoda
    @zapsoda
    I could tell from the log output that CERTBOT was failing because I was using an IP rather than a domain. I switched to SELFSIGNED and was still getting an error around generating the cert; when run with sudo the error seems to change/go away, but I'm still unable to browse to it.
    zapsoda
    @zapsoda
    Everything seems to be working now!
    Mark Gardner
    @mkgvt_gitlab
    How do I verify that data from our new honeypot is showing up in the CHN? (Someone I talked to off-line said something about figuring out our participant ID so we could distinguish our data.)
    (I asked a similar question earlier.)
    We have verified the data by looking at the web interface using admin@localhost. I would now like to verify the data is reaching the CHN.
    Jesse Bowling
    @JesseBowling
    @zapsoda Great! Was it an error with Certbot hitting API limits?
    zapsoda
    @zapsoda
    @JesseBowling I'm not entirely sure, I think it was most likely a user error (the documentation does mention having the certs folder populated before starting up the VM the first time..). I've now moved on to collecting/viewing the data (via CIFs?)
    Which is mostly researching and reading right now, lol
    Jesse Bowling
    @JesseBowling

    So the CIF bit only works if you’re contributing to the STINGAR project, which is restricted to education institutions only at the moment. :-/

    OR if you run your own CIF instance for collecting data, but that would likely be overkill for a single instance. If it’s just a single CHN server, I would configure the logging and then pull the logs off somewhere convenient

    You can also use the API, but I prefer logging and using an agent/syslog to get the data off-box somewhere useful
    Hi @mkgvt_gitlab ! Actually working with a student in your project now to get the API key needed. That’s actually my next task. :)
    Mark Gardner
    @mkgvt_gitlab
    Thanks @JesseBowling . As we are building our research on the data we get out, we want to make sure we are providing accurate data.
    zapsoda
    @zapsoda
    Thanks for the tips @JesseBowling I'd be interested in potentially deploying a larger network at some point, I setup a CIF instance on a DO droplet to play around with
    Am I right in assuming I could have one CHN server instance feed CIF from many distributed honeypot agents? But only having one CHN server (with agents spread across networks/providers) wouldn't provide anywhere near the intended amount of data for a CIF server? (Aka, I would want to combine more data feeds? Potentially from csirtg.io or other sources?)
    Trying to find a good way to visualize/utilize the data beyond the CHN web ui
    Jesse Bowling
    @JesseBowling

    So our concept when we architected this was basically:

    • each school deploys a single CHN instance, with multiple honeypots deployed off that CHN instance
    • each school contributes their own data back to a CIF instance we run for the STINGAR project
    • now each school can pull back summary data on what ALL the schools are seeing from the CIF instance

    The biggest difference is the granularity of data: with the CHN logs, you can see username/password attempts, commands run, etc, while with the CIF data it’s basically a summary: this IP/URL/hash, this time, this honeypot type

    Yeah, the CHN web UI is garbage for that. That's where most of the work for version 2 will go; a UI that does useful things. :)
    If it's something you're comfortable with:
    change the logging format to JSON, get those logs into an ELK instance, and visualize/explore with Kibana.
    Probably the easiest path forward.
    zapsoda
    @zapsoda
    Sweet! Thanks for the info!
    zapsoda
    @zapsoda
    Would I start with using the "hpfeeds-logger" to create the local JSON log then work on exporting those to ELK or does the base CHN deployment already have the logging sufficient to export to Elastic?
    Sounds like hpfeeds-logger is what I need
    zapsoda
    @zapsoda
    Considering hpfeeds-logger exports to json, with what appears to be a somewhat defined output fields, I don't need to use logstash to export to ES, right? @JesseBowling
    Jesse Bowling
    @JesseBowling
    Hi @zapsoda ! I haven't used ES/ELK enough to really answer your questions, but…I think the JSON can be consumed directly. That said, if I could convince you to log a feature request at https://github.com/CommunityHoneyNetwork/CHN-Server/issues (something along the lines of "code or documentation to support direct export to ELK stack") so we can get a look at what it would take to do that…While you're there, add a request for Kafka support, because I know some others are interested in that :)...
    Jay Brewer
    @mycroft9x
    Is this a good place to ask for install help or is there a more preferred forum or other site?
    Chris O'Donnell
    @chodonne_twitter
    is there a supported way to keep only the last X days of logs in mongoDB? we’re running into space issues on the mgmt container
    Jesse Bowling
    @JesseBowling
    Hi @mycroft9x ! As you can see from the lag, this is not necessarily the best place to ask for help. :)
    Jesse Bowling
    @JesseBowling
    mic check
    Is there anyone who can solve this?
    mce-reggie
    @mce-reggie
    I am new to CHN and I really like what I have seen so far. Thank you for putting in so much effort! I would like to get e-mail notification of attacks. I have configured the MAIL_* variables in config/sysconfig/chnserver.env but I am not receiving notifications. How do I go about troubleshooting this?
    Jesse Bowling
    @JesseBowling

    @mce-reggie Hi! We appreciate the feedback!

    Honestly the email alerts aspect is something that was in the original MHN (ModernHoneyNetwork) code that we forked, and as we don't use that option we likely broke it at some point. I'm not even sure what would trigger an email, but I'll take a look at the code and see what might pop up.

    Jesse Bowling
    @JesseBowling
    Hi @mce-reggie : Just took a look and from my scanning of the code, it looks like email addresses are only used as 1) the login username and 2) for password resets. There are no methods for doing alerting via email.
    If you’re interested in looking at the data being gathered, you may want to use the hpfeeds-logger module to generate logs, then write your own custom alerting based on that data (script, export to SIEM, etc.)
    jgru
    @jgru
    Hey guys, what do you think, what will be beneficial improvements for Mnemosyne?
    kakahoho30
    @kakahoho30
    Hi, how can I config email alert when CHN-server got events?
    Jesse Bowling
    @JesseBowling
    @kakahoho30 I’m afraid emailing on alerts is not functionality we have in today, or if it’s something that was present in MHN, it’s not one we’ve explored/tested/updated. You could use the hpfeeds-logger container to generate event logs and trigger off those (export to SIEM, logrotate script + bash, etc.) https://communityhoneynetwork.readthedocs.io/en/stable/hpfeeds-logger/
    @jgru Hey, thanks for asking! I'm not sure if we have a list of functionality we'd like to see in mnemosyne. We honestly don't emphasize the use of the local database and push people to exporting data via hpfeeds-logger (which skips mnemosyne).
    Jesse Bowling
    @JesseBowling

    @lyx132114 : https://communityhoneynetwork.readthedocs.io/en/stable/

    Unfortunately only in English. :(

    Emilio Aburto L.
    @emilio-aburto
    Hello people :), I have CHN running and a Dionaea instance running on another machine as an HTTP honeypot. Is there a way to log more info about the requests I'm receiving? Currently only ports and IPs are logged, but I'd like to add the PATH the request is looking for. Is there any way to do it? Thanks!
    If someone could guide me, please.