Reports/Alerts from Honeyd

Answered Question
Feb 22nd, 2011

I have my Honeyd servers piping to our MARS box and I am trying to get the reports to show something useful.  Currently all I get are a bunch of "Unknown Device Event Types".  What must I do in order for MARS to see this as readable data that I can produce Reports and Alerts on?

I have this problem too.
0 votes
Correct Answer by clausonna about 3 years 1 month ago

You will need to create a custom parser in MARS that recognizes the honeyd-specific syslogs.  That's why you're events are being classified as Unknown Event Type.  Best bet is to see if someone has already done this for other SIEMs, and then just steal their regex (regular expressions).  Otherwise, you will need to get a list of all (or the most important) honeyd syslogs, and map each one to a MARS rule.

There are good examples in the Netpro MARS Packages sub-forum.  That's a good place to start.

  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (1 ratings)
Siddharth Chand... Wed, 02/23/2011 - 09:54

Hi Jeremy,

You need to make sure that:

Servers are correctly added to MARS & Servers are correctly configured to send events to MARS.

The ip address from which the syslog events are sourced from the server, must be present as 'reporting ip' when the device is added to MARS.

Apart from that I understand HoneyD emulates virtual hosts on a network.

Does all the virtual hosts have unique ip address ?

Does MARS have those hosts with correct reporting ip's added ?

Mars need to understand the ip addresses from which the syslog messages are being sourced.

The way to add a normal server to MARS:

http://tools.cisco.com/squish/f84a5

- Sid

jnlawrence76 Wed, 02/23/2011 - 10:53

Siddharth,

The servers are added correctly and the Source IP is the IP of the physical server hosting the virtual honeypots.  The virtual honeypots do not send the events rather the physical server itself forwards them to MARS.

mwinnett Thu, 02/24/2011 - 12:03

Might be worth running up tcpdump and see what (if anything) is coming to the MARS. SSH to the mars and execute

tcpdump -i eth0 -v -x -s 1500 ip host and udp port 514

Matthew

jnlawrence76 Fri, 02/25/2011 - 07:19

Looks like the data is coming over (I have X'ed out my IPs in the data below).  I am getting a bunch of data like what is shown below:

10:16:42.087672 IP (tos 0x0, ttl  58, id 0, offset 0, flags [DF], proto 17, length: 171) X.X.X.58.51814 > hqMARSapp.syslog: UDP, length 143
        0x0000:  4500 00ab 0000 4000 3a11 45fd 0a8c eb3a  E.....@.:.E....:
        0x0010:  0a14 fa6a ca66 0202 0097 b57e 3c33 313e  ...j.f.....~<31>
        0x0020:  4665 6220 3235 2030 393a 3135 3a30 3920  Feb.25.09:15:09.
        0x0030:  4331 4850 4644 3031 2068 6f6e 6579 645b  C1HPFD01.honeyd[
        0x0040:  3133 3831 5d3a 2043 6f6e 6e65 6374 696f  1381]:.Connectio
        0x0050:  6e20 6573 7461 626c 6973 6865 643a 2074  n.established:.t
        0x0060:  6370 2028 3130 2e39 302e 3734 2e31 313a  cp.(X.X.X.11:
        0x0070:  3433 3633 3920 2d20 3130 2e31 3430 2e32  43639.-.X.X.X
        0x0080:  3335 2e39 303a 3233 2920 3c2d 3e20 7065  X.X:23).<->.pe
        0x0090:  726c 2073 6372 6970 7473 2f72 6f75 7465  rl.scripts/route
        0x00a0:  722d 7465 6c6e 6574 2e70 6c              r-telnet.pl

Correct Answer
clausonna Fri, 03/04/2011 - 12:42

You will need to create a custom parser in MARS that recognizes the honeyd-specific syslogs.  That's why you're events are being classified as Unknown Event Type.  Best bet is to see if someone has already done this for other SIEMs, and then just steal their regex (regular expressions).  Otherwise, you will need to get a list of all (or the most important) honeyd syslogs, and map each one to a MARS rule.

There are good examples in the Netpro MARS Packages sub-forum.  That's a good place to start.

Actions

Login or Register to take actions

This Discussion

Posted February 22, 2011 at 6:50 AM
Stats:
Replies:5 Avg. Rating:5
Views:559 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard