I believe here is the fix. This just needs to be integrated into the kippo deploy.
ensure this is in the kippo.cfg
[honeypot]
ssh_addr = 127.0.0.1
ssh_port = 64222
Jason Trost jatrost
jatrost
/ gist:68464a4d8c66db1807fa
Created
October 8, 2014 18:12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| vagrant@mhn-server:~$ mongo | |
| MongoDB shell version: 2.6.4 | |
| connecting to: test | |
| Welcome to the MongoDB shell. | |
| For interactive help, type "help". | |
| For more comprehensive documentation, see | |
| http://docs.mongodb.org/ | |
| Questions? Try the support group | |
| http://groups.google.com/group/mongodb-user | |
| > use hpfeeds |
jatrost
/ disposable-email-domains.txt
Last active
August 29, 2015 14:08
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sharklasers.com | |
| grr.la | |
| guerrillamail.biz | |
| guerrillamail.com | |
| guerrillamail.de | |
| guerrillamail.net | |
| guerrillamail.org | |
| guerrillamailblock.com | |
| spam4.me | |
| maildrop.cc |
jatrost
/ honeymap-ssl-ngninx.conf
Last active
October 22, 2018 12:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| map $http_upgrade $connection_upgrade { | |
| default upgrade; | |
| '' close; | |
| } | |
| server { | |
| listen 8443 ssl; | |
| ssl_certificate /etc/ssl/private/mhn.yourcompany.com.pem; | |
| ssl_certificate_key /etc/ssl/private/mhn.yourcompany.com.pem; |
jatrost
/ mnemonic-api-example.json
Created
January 9, 2015 14:17
Example Query for https://passivedns.mnemonic.no/api1/?apikey=XXXXXXXXXXXXXXXXXXXXX&method=exact&query=www.google.com
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "ok": true, | |
| "message": "ok", | |
| "result": [ | |
| { | |
| "class": "in", | |
| "type": "a", | |
| "query": "www.google.com.", | |
| "answer": "213.155.151.152", | |
| "ttl": 300, |
jatrost
/ kipp-fixes.md
Created
May 11, 2015 01:26
jatrost
/ mhn-email-alert.sh
Created
January 12, 2016 00:39
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| PAST_TIMESTAMP="$(date +%s -d '5 min ago')000" | |
| mongoexport \ | |
| --csv --quiet \ | |
| --fields timestamp,source_ip,source_port,destination_port,honeypot \ | |
| --db mnemosyne \ | |
| --collection session \ | |
| --query "{ timestamp: {\$gt: new Date($PAST_TIMESTAMP)}}" > /tmp/mhn-report.txt |
jatrost
/ mhn-template.json
Last active
January 19, 2016 14:30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "template": "mhn-*", | |
| "settings": { | |
| "number_of_shards": 5, | |
| "number_of_replicas": 0, | |
| "refresh_interval": "30s" | |
| }, | |
| "mappings": { | |
| "_default_": { | |
| "_source": { |
jatrost
/ mongo2log.json
Last active
July 26, 2016 09:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "channels": [ | |
| "amun.events", | |
| "dionaea.connections", | |
| "dionaea.capture", | |
| "glastopf.events", | |
| "beeswarm.hive", | |
| "kippo.sessions", | |
| "conpot.events", | |
| "snort.alerts", |
jatrost
/ mhn-install-behind-proxy.md
Last active
February 13, 2017 19:10
For each of the files below, make sure the proxy settings are added (and obviously change the user/pass/domain/port)
These need to be set for both the MHN server and the honey systems you intend to deploy on (assuming the honeypots are behind the firewall).
ALL_PROXY=http://user:[email protected]:8080
HTTP_PROXY=http://user:[email protected]:8080
HTTPS_PROXY=http://user:[email protected]:8080
jatrost
/ base64_regex.py
Created
September 22, 2017 14:45
Python implementation of http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re | |
| import base64 | |
| import sys | |
| def remove_padding(b): | |
| b = b.rstrip('\n') | |
| m = re.search(r'(=+)', b) | |
| if m: | |
| padding_amt = len(m.group(1)) + 1 | |
| return b[:len(b)-padding_amt] |