Honeypot, Malware and Splunk


Many articles in my blog are dedicated to malware analysis. All of them involve downloading the malware from collections such as any.run or hybrid-analysis.com, or a friend providing me with a sample. In this article, I describe my procedure to set up a honeypot using the Modern Honeypot Network (MHN) framework and the Dionaea honeypot on Amazon AWS. I will also show how Dionaea logs can be integrated with Splunk.

Prerequisites: At least a free-tier account on AWS.

Setting Up MHN Server

The MHN server will be an EC2 instance on Amazon AWS. After it is fully operational, it will have the following ports open:

  • 80: MHN dashboard (My IP only)
  • 22: SSH for administration (My IP only)
  • 3000: MHN attack map (My IP only)
  • 10000: Dionaea honeypot traffic (Dionaea honeypot IP only)
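The four rules above are easy to get wrong by hand (a 0.0.0.0/0 source on port 22 or 3000 exposes the admin surface to everyone). The script below is an added example, not part of the original post: it turns the port table into AWS CLI `authorize-security-group-ingress` commands and refuses any source that is not a single /32 host. The security group id and the two IPs are placeholders; the commands are only printed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post): build the MHN server's inbound
# rules from the port table as AWS CLI commands. Group id, admin IP and
# honeypot IP below are placeholders; set DRY_RUN=0 to actually run them.

# Return 0 if $1 looks like a /32 host CIDR (a.b.c.d/32).
is_host_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/32$'
}

# mhn_ingress_rules SG_ID ADMIN_CIDR HONEYPOT_CIDR
# Prints one `aws ec2 authorize-security-group-ingress` command per port and
# refuses any source that is not a single host (no accidental 0.0.0.0/0).
mhn_ingress_rules() {
    sg="$1"; admin="$2"; honeypot="$3"
    is_host_cidr "$admin" || { echo "admin source must be a /32: $admin" >&2; return 1; }
    is_host_cidr "$honeypot" || { echo "honeypot source must be a /32: $honeypot" >&2; return 1; }
    # port:source pairs, mirroring the list in the post
    for rule in "80:$admin" "22:$admin" "3000:$admin" "10000:$honeypot"; do
        port=${rule%%:*}
        src=${rule#*:}
        echo "aws ec2 authorize-security-group-ingress --group-id $sg --protocol tcp --port $port --cidr $src"
    done
}

# run_rules SG_ID ADMIN_CIDR HONEYPOT_CIDR: print the commands, or execute
# them when DRY_RUN=0.
run_rules() {
    mhn_ingress_rules "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "0" ]; then
            sh -c "$cmd"
        else
            echo "$cmd"
        fi
    done
}

# Placeholder values (constructed, not real):
run_rules sg-0123456789abcdef0 203.0.113.10/32 198.51.100.20/32
```

Keeping the rule set in a script also makes the later steps of the post mechanical: when the Dionaea instance's IP changes, rerun it with the new honeypot address instead of editing the console by hand.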

EC2 Instance

At this point of the setup process, I'll open SSH port 22, accessible from my IP only. This will allow me to log in and execute the scripts that install MHN on this instance.

In order to SSH into the server, I’ll create a public/private key pair and download the private key.

SSH into EC2 Instance

The downloaded private key is in .pem format, which PuTTY cannot use directly since it expects a .ppk file. So, I used PuTTYgen to convert the .pem private key into an RSA .ppk key and saved it without any passphrase.

In PuTTY, I set the above private key to be used for authentication and entered the IPv4 address of the MHN server (refer to the instance dashboard in AWS). By default, the login username is ubuntu.

Installing MHN on EC2 Instance

After SSHing into the server, I ran the following command to ensure all packages on the server are up to date:

sudo apt update && sudo apt upgrade -y

The following commands start the installation of MHN on the server:

cd /opt
sudo git clone https://github.com/pwnlandia/mhn.git
cd mhn
sudo ./install.sh

The installation will ask for specific administrative parameters. Fill them in according to your needs.

Since I sit behind my university's proxy, I was unable to set up a forwarder on the MHN server to transmit logs to the Splunk instance running on my laptop. So, I will not be integrating MHN with Splunk or ELK here. Adding rules to UFW is not needed at this point.

I executed the following commands to ensure all MHN related services were up and running:

sudo /etc/init.d/nginx status
sudo /etc/init.d/supervisor status
sudo supervisorctl status

Setting Up Dionaea Honeypot

The command to deploy the Dionaea honeypot is available on the MHN server's dashboard. To log in to the dashboard, I had to add a rule to the MHN server's network configuration to allow HTTP port 80 traffic from my IP.

On the dashboard login portal, I logged in with the same credentials that I used during the MHN server’s installation.

Dionaea Deploy Command

On the MHN server’s dashboard, click on the Deploy tab and select Ubuntu/Raspberry Pi - Dionaea on the resulting page. Also, notice that there are many honeypot types to choose from besides Dionaea.

The above deploy command installs the Dionaea honeypot, so it must be run on a new EC2 instance (created the same way as before). Before executing it, an HTTP rule needs to be added to the MHN server's network configuration that allows the Dionaea honeypot's IP to connect to it.

If the IP address of the Dionaea honeypot changes for whatever reason, Dionaea must be uninstalled from the server and the deploy command must be executed again. Also, the network configuration rule for port 10000 on the MHN server needs to be modified accordingly to allow traffic from Dionaea.

Logging Control

To decrease the amount of logging, I implemented the following measures:

  • only error level logs.
  • log rotation and time-based log compression/deletion for bistreams.

Error Level Logging

This modification is made in the file, /opt/dionaea/etc/dionaea/dionaea.cfg.

Bistreams Log Rotation

I created the file /etc/logrotate.d/dionaea and copied the following configuration into it. The configuration is also available in the Dionaea documentation. Logs are rotated every 7 days.

/opt/dionaea/var/dionaea/dionaea*.log {
    notifempty
    missingok
    rotate 7
    daily
    delaycompress
    compress
    create 660 root root
    dateext
    postrotate
        service dionaea restart
    endscript
}

Time-based Bistreams Log Compression/Deletion

I installed the following code as a script, bistreamZipDel, in a cron job that runs every hour. It compresses bistream files that are more than one hour old and deletes those that are more than six hours old. Note that the cron job is installed for the root user to avoid permission issues.

#!/bin/bash
# bistreamZipDel: run hourly from root's crontab.
# Dionaea writes bistreams into a directory named after the current date.

bistreamsDir=$(date +%Y-%m-%d)
srcDir="/opt/dionaea/var/lib/dionaea/bistreams/$bistreamsDir"
zipDir="/home/ubuntu/bistreamsZip"
# One archive per run; `zip -u` adds or updates entries in it.
zipFile="$zipDir/$bistreamsDir-$(date +%H-%M).zip"

mkdir -p "$zipDir"

function zipFiles() {
    # Read NUL-separated paths so file names with spaces are handled.
    while IFS= read -r -d '' line1; do
        zip -u "$zipFile" "$line1"
    done
}

# Compress bistream files older than 1 hour
find "$srcDir" -type f -mmin +60 -print0 | zipFiles

# Clear bistream logs from dionaea that are older than 6 hours
find "$srcDir" -type f -mmin +360 -exec rm -f {} \;

Open Dionaea to the World

Dionaea sends its TCP data to port 10000 on the MHN server, so that port needs to be accessible from the Dionaea honeypot's IP. The attack map is available on port 3000, but that is for admin use only, so I'll open it to my IP only.

Now that Dionaea is fully set up, the last step is to open all ports so that attackers can discover and attack it. If you want to monitor only specific ports, open only those.

Almost instantly, Dionaea is discovered and poked at.

Malware Collection

My primary motivation to set up a honeypot was to collect fresh malware binaries. The Dionaea honeypot stores any dropped malware binaries in the directory /opt/dionaea/var/lib/dionaea/binaries. This path can be configured in /opt/dionaea/etc/dionaea/dionaea.cfg.
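Once samples start landing in that directory, the first thing I want is an inventory that identifies each one by hash without ever executing it. The script below is an added example, not code from the original post or from Dionaea: it records every new file under the binaries directory in a manifest (SHA-256, size, path), skips files whose hash is already known, and clears the execute bit on each sample. The default paths follow the post; the manifest location is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original post): keep a hash manifest of the
# binaries Dionaea drops, so each new sample is recorded once and identified
# by hash rather than by running it. The manifest path is an assumption.

# record_new_samples BIN_DIR MANIFEST
# Appends "sha256  size  path" for every regular file under BIN_DIR whose
# hash is not already listed in MANIFEST. Prints the number of new entries.
record_new_samples() {
    bin_dir="${1:-/opt/dionaea/var/lib/dionaea/binaries}"
    manifest="${2:-/var/log/dionaea-samples.txt}"
    [ -f "$manifest" ] || : > "$manifest"
    added=0
    for f in "$bin_dir"/*; do
        [ -f "$f" ] || continue
        # Samples must never be executable, even by accident.
        chmod 0640 "$f"
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        if ! grep -q "^$sum " "$manifest"; then
            size=$(wc -c < "$f" | tr -d ' ')
            printf '%s  %s  %s\n' "$sum" "$size" "$f" >> "$manifest"
            added=$((added + 1))
        fi
    done
    echo "$added"
}
```

Running it from the same hourly cron job as bistreamZipDel gives a running log of what the honeypot has caught; the manifest is also what I diff against public hash databases before spending time on a sample.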

Splunk and MHN

Since I wasn't able to set up a forwarder on the MHN server, I decided to load data into Splunk manually. The MHN server is capable of generating logs that Splunk can read directly. These are stored in the file /var/log/mhn/mhn-splunk.log. This feature can be enabled by executing the following commands:

cd /opt/mhn/scripts
sudo ./install_hpfeeds-logger-splunk.sh

As with the Dionaea bistreams, the Splunk log will be deleted once it is more than 2 days old, using the following command in a script run as a cron job.

# Clear splunk logs every 48 hours
find /var/log/mhn/mhn-splunk.log -type f -mmin +2880 -exec rm {} \;
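Before importing the file into Splunk, a quick triage on the MHN server itself tells me whether the log is worth the manual copy. The script below is an added example, not part of the original post or of MHN: it pulls key=value fields out of log lines and summarises the busiest source IPs and most contacted ports. The sample lines are constructed, and the field names (src_ip, dest_port, protocol) and the quoted key="value" layout are assumptions; check them against your own /var/log/mhn/mhn-splunk.log.

```shell
#!/bin/sh
# Added example (not from the original post): triage MHN's key=value Splunk
# log before importing it. The sample lines are constructed and the field
# names and quoting are assumed; verify them against your own log.

SAMPLE_LOG=$(cat <<'EOF'
2020-01-01T10:00:01 app="dionaea" direction="inbound" src_ip="198.51.100.7" dest_port="445" protocol="smbd"
2020-01-01T10:00:05 app="dionaea" direction="inbound" src_ip="198.51.100.7" dest_port="445" protocol="smbd"
2020-01-01T10:01:13 app="dionaea" direction="inbound" src_ip="203.0.113.9" dest_port="1433" protocol="mssqld"
2020-01-01T10:02:40 app="dionaea" direction="inbound" src_ip="198.51.100.7" dest_port="21" protocol="ftpd"
EOF
)

# field_value FIELD: reads log lines on stdin, prints FIELD's value per line
field_value() {
    sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# top_sources LOGFILE [N]: the N most active source IPs, "count ip" per line
top_sources() {
    field_value src_ip < "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}" | awk '{print $1, $2}'
}

# top_ports LOGFILE [N]: the N most contacted destination ports
top_ports() {
    field_value dest_port < "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}" | awk '{print $1, $2}'
}

# Run against the constructed sample (a real run would point at mhn-splunk.log)
printf '%s\n' "$SAMPLE_LOG" > /tmp/mhn-sample.log
echo "Top sources:"; top_sources /tmp/mhn-sample.log
echo "Top ports:";   top_ports /tmp/mhn-sample.log
```

The same two summaries are what the Splunk app's dashboard shows first; having them on the command line is handy for deciding whether a day's log is worth importing at all.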

MHN Splunk App

Splunk has an app that comes with analytics built for MHN data. It can be downloaded here. After installing the app, I manually copied the contents of /var/log/mhn/mhn-server.log on the MHN server into a file, mhn-server.log, on my local machine. I then imported the file into the Splunk Modern Honey Network app.

Once the file was imported into the Modern Honey Network app, I navigated to the app’s dashboard. I modified the time filters of all searches to All time and a wealth of analytics presented itself.

Thanks for reading!

In this article, I described my procedure to set up a honeypot using the MHN framework and the Dionaea honeypot on AWS. On being attacked, Dionaea collected information about the attacker and stored any dropped malware binaries, which was my primary motivation to set up a honeypot. I also used the Modern Honey Network Splunk app to ingest honeypot data for future analysis.

Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!
