
Jason Trost jatrost

jatrost / sysmon.py
Created Nov 12, 2017
Using nxlog to collect sysmon log in Cuckoo
View sysmon.py
import logging
import os
import sys

from lib.common.abstracts import Auxiliary
from lib.api.process import Process
from lib.common.results import upload_to_host

log = logging.getLogger(__name__)
View base64_regex.py
import re
import base64
import sys


def remove_padding(b):
    """Strip a trailing newline, then drop the '=' padding and the
    (ambiguous) character immediately before it, so only the stable
    prefix of the base64 string is kept. Unpadded input is returned
    unchanged."""
    b = b.rstrip('\n')
    m = re.search(r'(=+)', b)
    if m:
        # padding characters plus the one partial character before them
        padding_amt = len(m.group(1)) + 1
        return b[:len(b) - padding_amt]
    return b
View mhn-install-behind-proxy.md

For each of the files below, make sure the proxy settings are added (and, obviously, change the user/pass/domain/port to match your environment).

These need to be set on both the MHN server and the honeypot systems you intend to deploy (assuming the honeypots are behind the same firewall).

/etc/environment

ALL_PROXY=http://user:password@your.corporate.proxy.hostname.com:8080
HTTP_PROXY=http://user:password@your.corporate.proxy.hostname.com:8080
HTTPS_PROXY=http://user:password@your.corporate.proxy.hostname.com:8080
View mongo2log.json
{
    "channels": [
        "amun.events",
        "dionaea.connections",
        "dionaea.capture",
        "glastopf.events",
        "beeswarm.hive",
        "kippo.sessions",
        "conpot.events",
        "snort.alerts",
View mhn-template.json
{
    "template": "mhn-*",
    "settings": {
        "number_of_shards": 5,
        "number_of_replicas": 0,
        "refresh_interval": "30s"
    },
    "mappings": {
        "_default_": {
            "_source": {
View mhn-email-alert.sh
#!/bin/bash
# Epoch milliseconds for "5 minutes ago" (mongo stores timestamps in ms)
PAST_TIMESTAMP="$(date +%s -d '5 min ago')000"

mongoexport \
    --csv --quiet \
    --fields timestamp,source_ip,source_port,destination_port,honeypot \
    --db mnemosyne \
    --collection session \
    --query "{ timestamp: {\$gt: new Date($PAST_TIMESTAMP)}}" > /tmp/mhn-report.txt
View kipp-fixes.md

I believe here is the fix. This just needs to be integrated into the kippo deploy.

Ensure this is in the kippo.cfg:

[honeypot]
ssh_addr = 127.0.0.1
ssh_port = 64222
View mnemonic-api-example.json
{
    "ok": true,
    "message": "ok",
    "result": [
        {
            "class": "in",
            "type": "a",
            "query": "www.google.com.",
            "answer": "213.155.151.152",
            "ttl": 300,
View honeymap-ssl-ngninx.conf
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 8443 ssl;
    ssl_certificate     /etc/ssl/private/mhn.yourcompany.com.pem;
    ssl_certificate_key /etc/ssl/private/mhn.yourcompany.com.pem;