Monday, September 6, 2010

Amun Honeypot with ArcSight CEF support

I spent the weekend playing around and wrote a CEF syslog output plugin for the Amun honeypot. Here is sample output (the dst IP has been scrubbed):

Sep 6 19:44:30 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=222.186.27.82,dst=76.78.17.74,msg=DCOM Vulnerability,dpt=135,cs1=None
Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=66.127.110.254,dst=76.78.17.74,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None
Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=66.127.110.254,dst=76.78.17.74,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None
Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=66.127.110.254,dst=76.78.17.74,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None
Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=66.127.110.254,dst=76.78.17.74,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None

Next step: feed these into an ArcSight ESM active list...
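The sample lines above are missing the CEF Severity header field and separate the extension key=value pairs with commas rather than spaces, so a stock ArcSight connector will not map them cleanly. The following is an added example (my own illustration, not the plugin from this post and not Amun's code): it emits a CEF line with all seven header fields and a space-separated, properly escaped extension, wraps it in the BSD syslog framing shown above, parses both the strict form and the looser lines from the post while flagging the deviations, and reduces a batch of lines to the distinct (src, dst, dpt, vulnerability) tuples one would push into an ESM active list. The event dict keys (src, dst, dpt, vuln, download_url) are assumptions about what an Amun log hook would hand over, not Amun's real API; the sample records are copied from the post's output.

```python
"""Added example: build and parse ArcSight CEF lines for Amun-style honeypot events.

Not the blog's plugin and not Amun code. Event dict keys are assumed (src, dst,
dpt, vuln, optional download_url); sample lines are copied from the post.
"""
import re
from datetime import datetime

# Header constants taken from the post's sample output.
VENDOR, PRODUCT, DEV_VERSION = "Alchemy Security", "Amun", "8.0"
SIGNATURE_ID, NAME = "100", "Honeypot Intercepted Malware"
CEF_VERSION = "0"


def _esc_header(value):
    # Pipe-delimited header: only backslash and pipe need escaping.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    # Extension values: escape backslash, '=' and line breaks; pipes are allowed here.
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")


def format_cef(event, severity=7):
    """Return a well-formed CEF line (7 header fields, space-separated extension)."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF Severity must be 0-10")
    header = "|".join(_esc_header(v) for v in
                      (VENDOR, PRODUCT, DEV_VERSION, SIGNATURE_ID, NAME, severity))
    ext = [("src", event["src"]), ("dst", event["dst"]), ("dpt", event["dpt"]),
           ("proto", "TCP"), ("msg", event["vuln"]),
           ("cs1Label", "downloadURL"), ("cs1", event.get("download_url") or "None")]
    return "CEF:%s|%s|%s" % (CEF_VERSION, header,
                             " ".join("%s=%s" % (k, _esc_ext(v)) for k, v in ext))


def syslog_line(cef, host="honeypot1", pid=32438, when=None):
    """Wrap a CEF line in the BSD syslog framing seen in the post ('Amun[pid]: ...')."""
    when = when or datetime.now()
    stamp = "%s %d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "%s %s Amun[%d]: %s" % (stamp, host, pid, cef)


def _split_pipes(s, maxsplit):
    """Split on unescaped '|' at most maxsplit times, unescaping the header parts only."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if len(parts) < maxsplit and c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])          # '\|' -> '|', '\\' -> '\'
            i += 2
            continue
        if len(parts) < maxsplit and c == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def _unesc_ext(value):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Parse a (syslog-wrapped) CEF line into a dict; format deviations go in 'warnings'."""
    m = re.search(r"CEF:\d+\|", line)
    if not m:
        raise ValueError("no CEF header in line")
    parts = _split_pipes(line[m.start():], 7)
    warnings = []
    if len(parts) == 8:
        hdr, ext = parts[:7], parts[7]
    elif len(parts) == 7:                 # the post's sample: Severity field absent
        hdr, ext = parts[:6] + [None], parts[6]
        warnings.append("missing Severity field")
    else:
        raise ValueError("malformed CEF header: %d fields" % len(parts))
    if "," in ext and not re.search(r" \w+=", ext):
        warnings.append("extension pairs separated by commas, not spaces")
    extension = {}
    # Split only where a separator is followed by 'key=', so values may contain spaces.
    for pair in re.split(r"[ ,]+(?=\w+=)", ext.strip()):
        key, _, value = pair.partition("=")
        extension[key] = _unesc_ext(value)
    return {"version": hdr[0].split(":", 1)[1], "vendor": hdr[1], "product": hdr[2],
            "device_version": hdr[3], "signature_id": hdr[4], "name": hdr[5],
            "severity": hdr[6], "extension": extension, "warnings": warnings}


def active_list_rows(lines):
    """Distinct (src, dst, dpt, vuln) tuples: the rows to push into an ESM active list."""
    rows = set()
    for line in lines:
        ext = parse_cef(line)["extension"]
        rows.add((ext.get("src"), ext.get("dst"), ext.get("dpt"), ext.get("msg")))
    return sorted(rows)


# Sample lines copied from the post (dst IP is the post's scrubbed placeholder).
SAMPLE_LINES = [
    "Sep 6 19:44:30 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=222.186.27.82,dst=76.78.17.74,msg=DCOM Vulnerability,dpt=135,cs1=None",
    "Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=66.127.110.254,dst=76.78.17.74,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None",
    "Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=66.127.110.254,dst=76.78.17.74,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None",
]

if __name__ == "__main__":
    event = {"src": "222.186.27.82", "dst": "76.78.17.74", "dpt": 135, "vuln": "DCOM Vulnerability"}
    print(syslog_line(format_cef(event)))
    for row in active_list_rows(SAMPLE_LINES):
        print(row)
```

The parser deliberately accepts the comma-separated form so the lines already collected from the plugin can still be loaded, but it reports the deviation; the emitter is what the plugin should produce going forward.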

To be nice, I packaged the CEF-enabled Amun honeypot into a 200MB Ubuntu VM so you can try it out in your ArcSight lab or production. Follow the easy directions to re-IP it and set up syslog output. You will be nabbing attackers and the latest malware in no time!

***update: I Googled the attacker IPs in the post above and found no mention of them in any open malicious IP lists. This highlights the effectiveness of honeypots for gathering the absolute latest intelligence on hosts attacking your perimeter (and others).

***update 2: VM boot issue fixed, sorry about that!

8 comments:

Anonymous said...

Your VM doesn't start. It's missing a file.

Greg Martin said...

This is fixed now, please re-download the file and delete the old VM.

Unknown said...

Random comment: I recently learned more about botnets and am now paranoid about how they spread and how my avast antivirus may or may not be enough to stop them. Specifically I'm now under the impression that just visiting a hacked facebook page could invisibly install a bot on my machine without my knowledge and with no obvious popups saying "are you sure you want to install evil_sugar.exe?" and that explorer.exe could suddenly have malicious code "injected" into it, leaving no signature behind for avast to detect. Is that true, and what can I do to protect our family machines at home? Thank you for any response, even just a "go read this...".

Greg Martin said...

Well, you have a couple of options:

1. Ditch Windows for a Mac or Linux OS. You will not have these worries for some time, I am sure, as they are less of a target and more inherently secure.

2. If you have to use Windows, I recommend Firefox with the NoScript plugin enabled and using OpenDNS as your DNS server on your computer or router. Lastly, just be careful what you click on and always keep your software and OS updated.

Unknown said...

Okay, thanks for the response!

diami03 said...

It's @diami03 and I've been trying to contact you regarding BSidesDFW. Couldn't send you a DM (you aren't following me). I did send you a message on LinkedIn. Please get in touch w/me.

th3g33k said...

The log format doesn't have a "Severity" field and the extension Key/Val pair should be separated by Spaces instead of Commas.

Anyway, thank you for making this hack to the code.
