Awesome
The Intelligent HoneyNet
- Dashboard: (http://imgur.com/Sfk9Az4)
- Intel page: (http://imgur.com/13V78fz)
Purpose
This repository includes a shell script that will install both a honeypot server and any number of honeypots that will communicate with the server. In addition, there are several python scripts that will automatically process log files generated by various honeypots, adding the information to an Elasticsearch instance and to a Flask page.
Kibana can be configured to show dashboards for all the attack attempts, including a 'threat map', which management loves.
The Flask site, which I'm calling 'Intel' displays useful information, such as:
- Successful SSH connections
- Unsuccessful SSH connections
- Callouts performed by attackers when connected to the SSH honeypot
- Connections to the GasPot honeypot
- Connections to ConPot
The honeynet server scripts use OpenDNS Investigate and Virustotal at the moment to grab information about the IP's connecting in and the domains and IP's contacted by attackers who think they're exploiting a system.
Current Honeypots
- Cowrie: SSH Honeypot (it's a fork of Kippo)
- GasPot: Attackers think they're connecting to gas station sensors
- ConPot: SCADA honeypot
- Dionaea: Collects malware (note: Writes to a database and I haven't written anything to log it to text yet")
- Glastopf: Web honeypot (note: Writes to a database and I haven't written anything to log it to text yet")
Requirements:
*The server should work on any version of Linux. *The client should be installed on Ubuntu Server 12.04 (Dionaea only seems to work on this version) Once installed, you need to add a virustotal API key to /opt/analysis/virustotal_api_key.txt and an investigate API key to /opt/analysis/investigate_api_key.txt
How to run
Clone this on a (preferably) ubuntu 12.04 server (but I've found it doesn't matter for the server portion), then cd to the IntelligentHoneyNet directory. Run 'sudo sh honeynet_setup.sh'. Answer a question or two in the beginning and do something for about 5 minutes. When it's done, follow the brief instructions that will be displayed on your screen for details on installing the honeypot clients.
There are a few hiccups that I'm working on at the moment:
- I need to write Conpot and Dionaea filters for logstash so Kibana can classify them correctly
- I need to create a python script to get the Dionaea logs out of its sqlite db and into text
- In the client install script that you run on honepot clients to configure them, I set it up so the public IP address (which you enter at the beginning of the process) is entered into the stunnel.conf file for secure communication of logstash -> Redis data and various log files between the honepot clients and the server. However, in testing, I've noticed that it hasn't been fixing that. I ended up adding a sed command to replace some text, but won't be testing that at the time of this writing (it'll be tested in about 10 hours). Hopefully the sed commands work. If not, here's what you need to do to fix it. ** sudo vim (or whatever editor you like) /etc/stunnel/stunnel.conf. ** Replace the REPLACEME part with the IP address or domain of the server. ** Save and restart stunnel: sudo service stunnel4 restart
Upcoming and in progress:
- Updating logstash to properly filter conpot and dionaea
- Display replayed SSH sessions from the ssh informational pages
- Grab indicators from replayed SSH sessions
- Make the web portion better: **Pagination **User logins **Adding basic statistics **Uniquing malware findings **Ability to sort **Ability to search **Ability to download malware associated with an event **Add additional information from OpenDNS Investigate and/or other sources
- Check malware against malwr.com (not just virustotal)
- The ability to download csv files of all the IP's, domains and other indicators
- Switch to installation via docker and puppet for better deployment