02-22-2011 06:50 AM
I have my Honeyd servers piping to our MARS box and I am trying to get the reports to show something useful. Currently all I get are a bunch of "Unknown Device Event Types". What must I do in order for MARS to see this as readable data that I can produce Reports and Alerts on?
03-04-2011 12:42 PM
You will need to create a custom parser in MARS that recognizes the honeyd-specific syslogs. That's why your events are being classified as Unknown Event Type. Best bet is to see if someone has already done this for other SIEMs, and then just steal their regex (regular expressions). Otherwise, you will need to get a list of all (or the most important) honeyd syslogs, and map each one to a MARS rule.
There are good examples in the Netpro MARS Packages sub-forum. That's a good place to start.
02-23-2011 09:54 AM
Hi Jeremy,
You need to make sure that:
Servers are correctly added to MARS, and servers are correctly configured to send events to MARS.
The IP address from which the server sources the syslog events must be present as the 'reporting IP' when the device is added to MARS.
Apart from that, I understand HoneyD emulates virtual hosts on a network.
Do all the virtual hosts have unique IP addresses?
Does MARS have those hosts added with the correct reporting IPs?
MARS needs to understand the IP addresses from which the syslog messages are being sourced.
The way to add a normal server to MARS:
http://tools.cisco.com/squish/f84a5
- Sid
02-23-2011 10:53 AM
Siddharth,
The servers are added correctly and the Source IP is the IP of the physical server hosting the virtual honeypots. The virtual honeypots do not send the events rather the physical server itself forwards them to MARS.
02-24-2011 12:03 PM
Might be worth running tcpdump and seeing what (if anything) is coming to the MARS. SSH to the MARS and execute
tcpdump -i eth0 -v -x -s 1500 ip host
Matthew
02-25-2011 07:19 AM
Looks like the data is coming over (I have X'ed out my IPs in the data below). I am getting a bunch of data like what is shown below:
10:16:42.087672 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto 17, length: 171) X.X.X.58.51814 > hqMARSapp.syslog: UDP, length 143
0x0000: 4500 00ab 0000 4000 3a11 45fd 0a8c eb3a E.....@.:.E....:
0x0010: 0a14 fa6a ca66 0202 0097 b57e 3c33 313e ...j.f.....~<31>
0x0020: 4665 6220 3235 2030 393a 3135 3a30 3920 Feb.25.09:15:09.
0x0030: 4331 4850 4644 3031 2068 6f6e 6579 645b C1HPFD01.honeyd[
0x0040: 3133 3831 5d3a 2043 6f6e 6e65 6374 696f 1381]:.Connectio
0x0050: 6e20 6573 7461 626c 6973 6865 643a 2074 n.established:.t
0x0060: 6370 2028 3130 2e39 302e 3734 2e31 313a cp.(X.X.X.11:
0x0070: 3433 3633 3920 2d20 3130 2e31 3430 2e32 43639.-.X.X.X
0x0080: 3335 2e39 303a 3233 2920 3c2d 3e20 7065 X.X:23).<->.pe
0x0090: 726c 2073 6372 6970 7473 2f72 6f75 7465 rl.scripts/route
0x00a0: 722d 7465 6c6e 6574 2e70 6c r-telnet.pl
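As an added illustration of the two steps the accepted answer describes (recover the honeyd syslog text from the tcpdump capture, then write a parser that turns each honeyd message into fields an event type can be mapped to), here is a small Python script. It is not code from the thread, from honeyd or from MARS. The tcpdump dump it contains is constructed: it mirrors the capture posted above but uses RFC 5737 test addresses instead of the poster's redacted ones, and its IP/UDP checksums are not recomputed. Only the "Connection established" wording appears in the thread; the "Connection dropped by reset" sample line and the event-type labels in EVENT_TYPES are assumptions standing in for whatever a real custom parser would define.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a tcpdump -X style dump of one honeyd syslog datagram,
# modelled on the capture in the thread with RFC 5737 test addresses.
SAMPLE_DUMP = """\
10:16:42.087672 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto 17, length: 171) 192.0.2.58.51814 > hqMARSapp.syslog: UDP, length 143
    0x0000:  4500 00ab 0000 4000 3a11 45fd c000 023a  E.....@.:.E....:
    0x0010:  c633 646a ca66 0202 0097 b57e 3c33 313e  .3dj.f.....~<31>
    0x0020:  4665 6220 3235 2030 393a 3135 3a30 3920  Feb.25.09:15:09.
    0x0030:  4331 4850 4644 3031 2068 6f6e 6579 645b  C1HPFD01.honeyd[
    0x0040:  3133 3831 5d3a 2043 6f6e 6e65 6374 696f  1381]:.Connectio
    0x0050:  6e20 6573 7461 626c 6973 6865 643a 2074  n.established:.t
    0x0060:  6370 2028 3139 322e 302e 322e 3131 313a  cp.(192.0.2.111:
    0x0070:  3433 3633 3920 2d20 3139 382e 3531 2e31  43639.-.198.51.1
    0x0080:  3030 2e39 303a 3233 2920 3c2d 3e20 7065  00.90:23).<->.pe
    0x0090:  726c 2073 6372 6970 7473 2f72 6f75 7465  rl.scripts/route
    0x00a0:  722d 7465 6c6e 6574 2e70 6c              r-telnet.pl
"""

# Constructed syslog lines: the first is the message carried by SAMPLE_DUMP,
# the second assumes honeyd's "dropped by reset" wording, the third is a
# non-honeyd line that a honeyd parser must leave alone.
SAMPLE_LINES = [
    "<31>Feb 25 09:15:09 C1HPFD01 honeyd[1381]: Connection established: tcp (192.0.2.111:43639 - 198.51.100.90:23) <-> perl scripts/router-telnet.pl",
    "<31>Feb 25 09:15:31 C1HPFD01 honeyd[1381]: Connection dropped by reset: tcp (192.0.2.111:43639 - 198.51.100.90:23)",
    "<30>Feb 25 09:16:02 C1HPFD01 sshd[2210]: Accepted publickey for ops from 192.0.2.7 port 50122 ssh2",
]

HEX_LINE = re.compile(r"^\s*0x[0-9a-f]+:\s+(.*)$")


def payload_from_tcpdump_hex(dump: str) -> bytes:
    """Rebuild the UDP payload (the raw syslog message) from a tcpdump -x/-X dump of
    one IPv4/UDP datagram. Hex groups are read until the first token that is not
    2 or 4 hex digits, which skips the optional ASCII column."""
    raw = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        for tok in m.group(1).split():
            if not re.fullmatch(r"[0-9a-f]{2}(?:[0-9a-f]{2})?", tok):
                break
            raw += bytes.fromhex(tok)
    if len(raw) < 28 or (raw[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4          # IP header length from the IHL nibble
    if raw[9] != 17:
        raise ValueError("not UDP")
    udp_len = int.from_bytes(raw[ihl + 4:ihl + 6], "big")
    payload = bytes(raw[ihl + 8:ihl + udp_len])
    if len(payload) != udp_len - 8:
        raise ValueError("truncated capture: increase tcpdump -s")
    return payload


# BSD syslog header: <PRI>Mmm dd hh:mm:ss host program[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# honeyd connection messages: "<event>: <proto> (src:sport - dst:dport) [<-> handler]"
HONEYD_RE = re.compile(
    r"^(?P<event>[A-Za-z][^:(]*): (?P<proto>tcp|udp|icmp) "
    r"\((?P<src>[\d.]+):(?P<sport>\d+) - (?P<dst>[\d.]+):(?P<dport>\d+)\)"
    r"(?: <-> (?P<handler>.+))?$"
)


@dataclass
class HoneydEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    pid: Optional[int]
    event: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    handler: Optional[str]


def parse_honeyd_syslog(line: str) -> Optional[HoneydEvent]:
    """Return a structured event for a honeyd connection log line, or None for
    anything the parser does not recognise (the lines a SIEM reports as an
    unknown device event type)."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "honeyd":
        return None
    h = HONEYD_RE.match(m.group("msg"))
    if not h:
        return None
    pri = int(m.group("pri"))           # PRI = facility * 8 + severity
    return HoneydEvent(
        facility=pri >> 3, severity=pri & 7,
        timestamp=m.group("ts"), host=m.group("host"),
        pid=int(m.group("pid")) if m.group("pid") else None,
        event=h.group("event"), proto=h.group("proto"),
        src_ip=h.group("src"), src_port=int(h.group("sport")),
        dst_ip=h.group("dst"), dst_port=int(h.group("dport")),
        handler=h.group("handler"),
    )


# Assumed mapping from honeyd event wording to an event-type label; the labels
# are placeholders for the event types a real custom parser would define.
EVENT_TYPES = {
    "Connection established": "Honeyd/Connection Established",
    "Connection request": "Honeyd/Connection Request",
    "Connection dropped by reset": "Honeyd/Connection Reset",
}


def classify(line: str) -> str:
    """Map one syslog line to an event-type label, or the unknown bucket."""
    ev = parse_honeyd_syslog(line)
    if ev is None:
        return "Unknown Device Event Type"
    return EVENT_TYPES.get(ev.event, "Unknown Device Event Type")


if __name__ == "__main__":
    msg = payload_from_tcpdump_hex(SAMPLE_DUMP).decode("ascii")
    print("recovered from capture:", msg)
    for line in [msg] + SAMPLE_LINES[1:]:
        print(classify(line), parse_honeyd_syslog(line))
```

Running the script decodes the datagram (which also checks that the -s snaplen captured the whole message), then classifies each sample line; the sshd line deliberately falls through to the unknown bucket, which is the behaviour the original post describes for every honeyd line before a parser exists.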