Monday, September 6, 2010

Amun Honeypot with ArcSight CEF support

Playing around this weekend, I created a CEF syslog output plugin for the Amun honeypot. Here is the sample output (dst IP scrubbed):

Sep 6 19:44:30 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=222.186.27.82,dst=76.78.17.74,msg=DCOM Vulnerability,dpt=135,cs1=None
Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=66.127.110.254,dst=76.78.17.74,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None
Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=66.127.110.254,dst=76.78.17.74,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None
Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=66.127.110.254,dst=76.78.17.74,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None
Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=66.127.110.254,dst=76.78.17.74,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None

Now I need to feed these into an ESM active list...
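As an added example (not the author's plugin and not Amun's own code), the following Python parses the syslog lines above into the fields an ESM active list would want (attacker IP, hit count, ports, signatures, first/last seen) and also builds CEF lines in the other direction. Two things worth checking before pointing an ArcSight connector at this output: the CEF spec separates extension key=value pairs with spaces, while the plugin output above uses commas, so the parser accepts either; and the spec defines seven header fields (Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity) ahead of the extension, while the sample lines above carry six with no Severity, so the parser tolerates that and reports severity as None rather than mis-assigning the extension. The sample input is copied from the post; the values used in the format_cef round trip are constructed.

```python
import re

# Three syslog lines copied from the blog post above (the author already scrubbed the dst IP).
SAMPLE_LINES = [
    "Sep 6 19:44:30 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=222.186.27.82,dst=76.78.17.74,msg=DCOM Vulnerability,dpt=135,cs1=None",
    "Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=66.127.110.254,dst=76.78.17.74,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None",
    "Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=66.127.110.254,dst=76.78.17.74,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<cef>CEF:.*)$"
)
HEADER_KEYS = ("cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# One extension key=value pair. The CEF spec separates pairs with spaces; the plugin output
# above separates them with commas, so the lookahead accepts either before the next key.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=[ ,]\w+=|$)")


def parse_cef(cef):
    """Split 'CEF:0|Vendor|Product|Version|SigID|Name|Severity|ext' into a dict.

    Header fields are unescaped (backslash-pipe and backslash-backslash). A line with only
    six header fields, as in the plugin output above, is accepted with severity=None.
    """
    if not cef.startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % cef)
    body = cef[len("CEF:"):]
    fields, cur, i, start = [], [], 0, 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1])      # escaped pipe or backslash inside a header field
            i += 2
        elif c == "|":
            fields.append("".join(cur))  # an unescaped pipe terminates a header field
            cur, i = [], i + 1
            start = i                    # raw extension text begins after the last header pipe
        else:
            cur.append(c)
            i += 1
    if len(fields) == 7:
        header = dict(zip(HEADER_KEYS, fields))
    elif len(fields) == 6 and re.match(r"\w+=", body[start:]):
        header = dict(zip(HEADER_KEYS, fields))  # Severity omitted: the 7th slot is the extension
        header["severity"] = None
    else:
        raise ValueError("malformed CEF header: %r" % cef)
    # Extension values escape '=' and '\' with a backslash; undo that here.
    header["extension"] = {k: re.sub(r"\\([=\\])", r"\1", v) for k, v in EXT_RE.findall(body[start:])}
    return header


def parse_line(line):
    """Parse one syslog line from the plugin into its syslog fields plus the CEF event."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised syslog line: %r" % line)
    rec = m.groupdict()
    rec.update(parse_cef(rec.pop("cef")))
    return rec


def summarize(lines):
    """Aggregate hits per attacker IP: the shape you would push into an ESM active list."""
    per_src = {}
    for line in lines:
        rec = parse_line(line)
        ext = rec["extension"]
        entry = per_src.setdefault(ext.get("src", "unknown"), {
            "hits": 0, "ports": set(), "signatures": set(),
            "first_seen": rec["ts"], "last_seen": rec["ts"],
        })
        entry["hits"] += 1
        entry["ports"].add(ext.get("dpt"))
        entry["signatures"].add(ext.get("msg"))
        entry["last_seen"] = rec["ts"]
    return per_src


def format_cef(vendor, product, device_version, signature_id, name, severity, **ext):
    """Build a spec-conformant CEF:0 line: all seven header fields, space-separated extension.

    Header fields escape '|' and '\\'; extension values escape '=' and '\\' and encode newlines.
    """
    def h(s):
        return re.sub(r"([|\\])", r"\\\1", str(s))

    def e(s):
        return re.sub(r"([=\\])", r"\\\1", str(s)).replace("\n", "\\n").replace("\r", "\\r")

    header = "|".join(h(x) for x in (vendor, product, device_version, signature_id, name, severity))
    return "CEF:0|%s|%s" % (header, " ".join("%s=%s" % (k, e(v)) for k, v in ext.items()))


if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LINES).items()):
        print(src, info["hits"], sorted(info["ports"]), sorted(info["signatures"]))
```

Running the script prints one row per attacker IP with its hit count, target ports and triggered signatures; that per-source record is what you would load into the active list, and the severity=None flag on every row is the signal that the plugin's header should gain a Severity field before the SmartConnector sees it.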

To be nice, I packaged up the CEF-enabled Amun honeypot into a 200MB Ubuntu VM so you can try this out in your ArcSight lab or production. Follow the easy directions to re-IP and set up syslog output. You will be nabbing attackers and the latest malware in no time!

***update: I Googled the attacker IPs in the post above and found no mention of them in any open malicious IP lists. This highlights the effectiveness of using honeypots to gather the absolute latest intelligence on hosts attacking your perimeter (and others).

***update 2: VM boot issue fixed, sorry about that!