    Jesse Bowling

    So the CIF bit only works if you’re contributing to the STINGAR project, which is restricted to educational institutions only at the moment. :-/

    OR if you run your own CIF instance for collecting data, but that would likely be overkill for a single instance. If it’s just a single CHN server, I would configure the logging and then pull the logs off somewhere convenient

    You can also use the API, but I prefer logging and using an agent/syslog to get the data off-box somewhere useful
    Hi @mkgvt_gitlab ! Actually working with a student in your project now to get the API key needed. That’s actually my next task. :)
    Mark Gardner
    Thanks @JesseBowling . As we are building our research on the data we get out, we want to make sure we are providing accurate data.
    Thanks for the tips @JesseBowling. I'd be interested in potentially deploying a larger network at some point; I set up a CIF instance on a DO droplet to play around with.
    Am I right in assuming I could have one CHN server instance feed to CIF from many distributed honeypot agents? But only having one CHN server (with agents spread across networks/providers) wouldn't provide anywhere near the intended amount of data for a CIF server? (Aka, I would want to combine more data feeds? Potentially from csirtg.io or other sources?)
    Trying to find a good way to visualize/utilize the data beyond the CHN web ui
    Jesse Bowling

    So our concept when we architected this was basically:

    • each school deploys a single CHN instance, with multiple honeypots deployed off that CHN instance
    • each school contributes their own data back to a CIF instance we run for the STINGAR project
    • now each school can pull back summary data on what ALL the schools are seeing from the CIF instance

    The biggest difference is the granularity of data: with the CHN logs, you can see username/password attempts, commands run, etc, while with the CIF data it’s basically a summary: this IP/URL/hash, this time, this honeypot type

    Yeah, the CHN web UI is garbage for that. That’s where most of the work for version 2 will go; a UI that does useful things. :)
    If it’s something you’re comfortable with
    change the logging format to JSON, get those logs into an ELK instance, and visualize/explore with Kibana
    Probably the easiest path forward
    Sweet! Thanks for the info!
    Would I start with using the "hpfeeds-logger" to create the local JSON log then work on exporting those to ELK or does the base CHN deployment already have the logging sufficient to export to Elastic?
    Sounds like hpfeeds-logger is what I need
    Considering hpfeeds-logger exports to json, with what appears to be a somewhat defined output fields, I don't need to use logstash to export to ES, right? @JesseBowling
    Jesse Bowling
    Hi @zapsoda ! I haven’t used ES/ELK enough to really answer your questions, but…I think the JSON can be consumed directly. That said, if I could convince you to log a feature request at https://github.com/CommunityHoneyNetwork/CHN-Server/issues (something along the lines of “code or documentation to support direct export to ELK stack”) so we can get a look at what it would take to do that…While you’re there, add a request for Kafka support, because I know some others are interested in that :)...
    Jay Brewer
    Is this a good place to ask for install help or is there a more preferred forum or other site?
    Chris O'Donnell
    Is there a supported way to keep only the last X days of logs in MongoDB? We’re running into space issues on the mgmt container.
    Jesse Bowling
    Hi @mycroft9x ! As you can see from the lag, this is not necessarily the best place to ask for help. :)
    Jesse Bowling
    mic check
    I am new to CHN and I really like what I have seen so far. Thank you for putting in so much effort! I would like to get e-mail notification of attacks. I have configured the MAIL_* variables in config/sysconfig/chnserver.env but I am not receiving notifications. How do I go about troubleshooting this?
    Jesse Bowling

    @mce-reggie Hi! We appreciate the feedback!

    Honestly, the email alerts aspect is something that was in the original MHN (Modern Honey Network) code that we forked, and as we don’t use that option we likely broke it at some point. I’m not even sure what would trigger an email, but I’ll take a look at the code and see what might pop up.

    Jesse Bowling
    Hi @mce-reggie : Just took a look and from my scanning of the code, it looks like email addresses are only used as 1) the login username and 2) for password resets. There are no methods for doing alerting via email.
    If you’re interested in looking at the data being gathered, you may want to use the hpfeeds-logger module to generate logs, then write your own custom alerting based on that data (script, export to SIEM, etc.)
    Hey guys, what do you think would be beneficial improvements for Mnemosyne?
    Hi, how can I configure email alerts when CHN-server gets events?
    Jesse Bowling
    @kakahoho30 I’m afraid emailing on alerts is not functionality we have in today, or if it’s something that was present in MHN, it’s not one we’ve explored/tested/updated. You could use the hpfeeds-logger container to generate event logs and trigger off those (export to SIEM, logrotate script + bash, etc.) https://communityhoneynetwork.readthedocs.io/en/stable/hpfeeds-logger/
    @jgru Hey, thanks for asking! I’m not sure if we have a list of functionality we’d like to see in Mnemosyne. We honestly don’t emphasize the use of the local database and push people to exporting data via hpfeeds-logger (which skips Mnemosyne).
    Jesse Bowling

    @lyx132114 : https://communityhoneynetwork.readthedocs.io/en/stable/

    Unfortunately only in English. :(

    Emilio Aburto L.
    Hello people :), I have CHN running and a Dionaea instance running on another machine as an HTTP honeypot. Is there a way to log more info about the requests I'm receiving? Currently only ports and IPs are logged, but I'd like to add the PATH the request is looking for. Is there any way to do it? Thanks!
    If someone could guide me, please.