Tuesday, May 12, 2015

Post #2 (Or "MHN, Maltrieve, And A Malicious Internet.")

So, finally got the analysis lab set up to the point where I can actually use it without building it as I go. Last thing I did last night was get the Modern Honey Network (https://github.com/threatstream/mhn) and maltrieve (https://github.com/krmaxwell/maltrieve) running on an Ubuntu box I have completely segregated from the rest of the lab.

I have read a multitude of reports in the past detailing just how quickly a box placed on the public Internet without any protections will suffer attacks, and I have reviewed my own firewall logs every morning long enough to know that port scanning and general poking around is ubiquitous on the public Internet, but to see it broken down and in such a nice format really adds some gravity to the notion. Hoping that dionaea (http://dionaea.carnivore.it/, but I set it up with the MHN deployment script) picks up some decent payloads to analyze soon.

These attacks were logged less than 10 minutes after I opened up the machine to the public Internet.

Maltrieve ran for the first time last night, and in one run it pulled over 1k malicious samples to be reviewed. Probably going to cron it to run every night at the same time so I can keep a fresh stock of samples for analysis.
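One way to turn that nightly run into a deduplicated sample store, as an added example that is not part of the original post or of maltrieve itself: hash everything in the dump directory, archive only files not seen before, and record them in a manifest. The directory layout and manifest format are assumptions; nothing here depends on maltrieve's own command-line flags.

```shell
#!/bin/sh
# Added example (not from the original post): archive samples pulled by a
# nightly maltrieve run, keyed by SHA-256, skipping ones already seen.
# Assumed layout: maltrieve writes into DUMP_DIR; ARCHIVE_DIR and MANIFEST
# are hypothetical paths chosen for this example.

# ingest_samples DUMP_DIR ARCHIVE_DIR MANIFEST
# Hashes every regular file in DUMP_DIR, copies unseen ones to
# ARCHIVE_DIR/<sha256>, appends "<sha256> <utc-time> <original-name>" to
# MANIFEST, and prints the number of newly archived samples.
ingest_samples() {
    dump_dir=$1; archive_dir=$2; manifest=$3
    mkdir -p "$archive_dir"
    touch "$manifest"
    new=0
    for f in "$dump_dir"/*; do
        [ -f "$f" ] || continue
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        # Repeat pulls across nights are common; skip anything already logged.
        if grep -q "^$sum " "$manifest"; then
            continue
        fi
        cp "$f" "$archive_dir/$sum"
        # Stored samples are read-only and never executable.
        chmod 0444 "$archive_dir/$sum"
        printf '%s %s %s\n' "$sum" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            "$(basename "$f")" >> "$manifest"
        new=$((new + 1))
    done
    echo "$new"
}

# Hypothetical crontab entry to run the ingest step right after the nightly
# maltrieve job (paths are placeholders):
#   30 2 * * *  /opt/lab/ingest.sh /var/maltrieve/dump /srv/samples /srv/samples/manifest.txt
```

Because the archive is keyed by content hash, the manifest doubles as a quick lookup when a hash from a later incident needs matching against what the honeypot side has already collected.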

On the other side of the network pond, finally got enough guest VMs set up to perform both static and dynamic analysis of malware samples that I gather, either automatically via the honeypot or manually as I clean up machines in day-to-day work.

Anyway, just wanted to drop a post and let everyone know that, if you have ever had the pleasure (and I say that with sarcasm) of setting up a honeypot/honeynet manually piece-by-piece, you should definitely try the MHN by ThreatStream. It is amazingly simple to use and they are adding more and more to it all the time.

Cheers, and stay safe out there!

***EDIT (05/14/2015, 17:48 Eastern): I had originally stated that Suricata is an upcoming addition to the MHN, but as it turns out it is already present!
