shockpot doesn't transmit anything to mhn #4

Open
plnox06vv opened this issue Sep 28, 2014 · 13 comments

Comments

@plnox06vv

I'm 100% sure I've done the installations right.
Even though shockpot logs the attacks, they're not transmitted to the mhn server.

@jatrost
Contributor

jatrost commented Sep 28, 2014

We have had a couple others say this too. It is probably because your MHN
config did not have shockpot's channel mapping set before you deployed your
1st shockpot honeypot. If this is the case, update your MHN config, restart
the MHN-wsgi server and redeploy the honeypot.

The other items that are important are adding shockpot.events
to Mnemosyne's config and giving mnemosyne subscribe access on
shockpot.events in mongodb. Check out this wiki page for most of the steps
needed. It is written for wordpot but the steps are nearly identical.

https://github.com/threatstream/mhn/wiki/Howto:-Add-Support-for-New-Sensors-to-the-MHN

Did this work?


Jason Trost | Director of ThreatStream Labs | www.threatstream.com
http://www.threatstream.com/
Phone: 386.235.0078 | Twitter: @jason_trost

@plnox06vv
Author

But in the mhn presentation video it says that you just run the deployment script and that's it :(
Anyway, I'm gonna try what you said now and report back.

@jatrost
Contributor

jatrost commented Sep 29, 2014

When adding support for brand new honeypots it requires a little more
effort. If you start with a brand new MHN, all you need to do is run the
deployment script. I'm sorry about that. This is something we are working
to improve.


@mrJingl3s

I have issues with shockpot... when I am adding shockpot.events to Mnemosyne's config, nothing is working...

@jatrost
Contributor

jatrost commented Feb 19, 2015

Can you double check that mnemosyne is allowed to subscribe to the shockpot.events? If you had to add it then it wasn't there when you installed mnemosyne.

Notice "shockpot.events", is in the "subscribe" list:

$ mongo hpfeeds
MongoDB shell version: 2.6.7
connecting to: hpfeeds
> db.auth_key.find({'identifier': 'mnemosyne'})
{ "_id" : ObjectId("XXXXXXXXXXXXXXXX"), "identifier" : "mnemosyne", "subscribe" : [ "conpot.events", "thug.events", "beeswarm.hive", "dionaea.capture", "dionaea.connections", "thug.files", "beeswarn.feeder", "cuckoo.analysis", "kippo.sessions", "glastopf.events", "glastopf.files", "mwbinary.dionaea.sensorunique", "snort.alerts", "wordpot.events", "shockpot.events", "wordpot.events", "p0f.events", "amun.events" ], "secret" : "XXXXXXXXXXXXXXXX", "publish" : [] }
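
The checks discussed in this thread, as an added example that is not part of the original comments or of the MHN code: a small audit that reports every hop where a channel is missing between a sensor and Mnemosyne. The sample documents, the sensor identifier `sensor-0001`, the function name `auditChannel`, and the comma-separated form of Mnemosyne's channel list are assumptions; the `auth_key` document shape follows the mongo output quoted above.

```javascript
// Added example. Documents below are constructed sample data shaped like the
// db.auth_key.find(...) output quoted above; secrets and _id are omitted.
const sampleAuthKeys = [
  { identifier: 'mnemosyne', subscribe: ['wordpot.events', 'p0f.events'], publish: [] },
  // Hypothetical sensor identifier; use the one assigned to your honeypot.
  { identifier: 'sensor-0001', subscribe: [], publish: ['wordpot.events'] },
];
// Assumed: the channel list from Mnemosyne's config as a comma-separated string.
const sampleMnemosyneChannels = 'wordpot.events, p0f.events';

// Return one finding per hop where `channel` is missing between sensor and Mnemosyne.
function auditChannel(channel, authKeys, mnemosyneChannels, sensorIdent) {
  const byIdent = new Map(authKeys.map((doc) => [doc.identifier, doc]));
  const findings = [];
  const check = (ident, field) => {
    const doc = byIdent.get(ident);
    if (!doc) {
      findings.push({ hop: `${ident}.${field}`, problem: 'no auth_key document' });
    } else if (!(doc[field] || []).includes(channel)) {
      findings.push({
        hop: `${ident}.${field}`,
        problem: `${channel} not in ${field} list`,
        // mongo shell statement that adds the channel without creating duplicates
        fix: `db.auth_key.update({identifier: '${ident}'}, {$addToSet: {${field}: '${channel}'}})`,
      });
    }
  };
  check(sensorIdent, 'publish');   // sensor must be allowed to publish the channel
  check('mnemosyne', 'subscribe'); // Mnemosyne must be allowed to receive it
  const configured = mnemosyneChannels.split(',').map((c) => c.trim());
  if (!configured.includes(channel)) {
    findings.push({ hop: 'mnemosyne.config', problem: `${channel} not in configured channels` });
  }
  return findings;
}

const report = auditChannel('shockpot.events', sampleAuthKeys, sampleMnemosyneChannels, 'sensor-0001');
for (const f of report) {
  console.log(`${f.hop}: ${f.problem}${f.fix ? `\n  fix: ${f.fix}` : ''}`);
}
```

An empty result for a channel means all three places agree; a finding on the sensor's `publish` list is the case where Mnemosyne is configured correctly but events still never arrive.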

@mrJingl3s

That was the problem. Thank you. So adding shockpot.events to Mnemosyne's config and adding it to the hpfeeds in mongo, right? It is working now. Just deployed the system yesterday, so why is it now fixit in the repo?

@jatrost
Contributor

jatrost commented Feb 19, 2015 via email

@mrJingl3s

I deployed all yesterday... So I think there is a bug in the install process.


On 19/02/2015, at 20.48, Jason Trost wrote:

Did you deploy mnemosyne/MHN yesterday? Or just shockpot? Or all?
If mnemosyne/MHN, then we may have a bug in the install.


@mrJingl3s

I git cloned MHN yesterday and started deploying different honeypots... Tried some of them and they worked fine, but not the shockpot. The subscribe in mnemosyne config was not there and the subscribe in mongo was apparently also missing.


@jatrost
Contributor

jatrost commented Feb 20, 2015

Sorry about that. I found and fixed the bug

https://github.com/threatstream/mhn/commit/fc9f3997d46fe852e195e7a6ac0466f19192a58c

Thanks for bringing this to our attention.


@mrJingl3s

No problem. Thank you for the fix. Have you considered using this modded Kippo version: https://github.com/micheloosterhof/kippo-mo


@jatrost
Contributor

jatrost commented Feb 20, 2015

I was not aware of that fork, but we have started to pull in some of the SFTP and related changes that might be from the same patch (https://github.com/threatstream/kippo/pull/4).

@Libabble

Shockpot doesn't seem to be transmitting to MHN for me either. I followed a guide that said to add the following to the deployment script:
[fetch_public_ip]
enabled = false
urls = ["http://api.ipify.org","http://bot.whatismyipaddress.com/"
Would this have anything to do with it?
The MHN config and mnemosyne config have shockpot.events in them already, and mnemosyne already has access to shockpot.events in mongodb. Is there anything else that may be causing this issue?
