Jason Trost (jatrost)
jatrost /
Created Nov 12, 2017
Using nxlog to collect sysmon log in Cuckoo
import logging
import os
import sys
from lib.common.abstracts import Auxiliary
from lib.api.process import Process
from lib.common.results import upload_to_host
log = logging.getLogger(__name__)
import re
import base64
import sys

def remove_padding(b):
    """Strip the trailing base64 '=' padding (plus one extra byte, as in the original) from b."""
    b = b.rstrip('\n')
    m = re.search('(=+)', b)
    if m:
        padding_amt = len(m.group(1)) + 1
        return b[:len(b) - padding_amt]
    return b

For each of the files below, make sure the proxy settings are added (and obviously change the user/pass/domain/port)

These need to be set for both the MHN server and the honey systems you intend to deploy on (assuming the honeypots are behind the firewall).

View mongo2log.json
"channels": [
View mhn-template.json
  "template": "mhn-*",
  "settings": {
    "number_of_shards": 5,
    "number_of_replicas": 0,
    "refresh_interval": "30s"
  },
  "mappings": {
    "_default_": {
      "_source": {
PAST_TIMESTAMP="$(date +%s -d '5 min ago')000"
mongoexport \
--csv --quiet \
--fields timestamp,source_ip,source_port,destination_port,honeypot \
--db mnemosyne \
--collection session \
--query "{ timestamp: {\$gt: new Date($PAST_TIMESTAMP)}}" > /tmp/mhn-report.txt

I believe here is the fix. This just needs to be integrated into the kippo deploy.

Ensure this is in kippo.cfg:

ssh_addr =
ssh_port = 64222
View mnemonic-api-example.json
  "ok": true,
  "message": "ok",
  "result": [
    {
      "class": "in",
      "type": "a",
      "query": "",
      "answer": "",
      "ttl": 300,
View honeymap-ssl-ngninx.conf
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 8443 ssl;
    ssl_certificate /etc/ssl/private/;
    ssl_certificate_key /etc/ssl/private/;