Incorporate an already deployed Honeypot into MHN
Jason Trost edited this page Apr 20, 2015 · 7 revisions
This page explains how you can take a honeypot that is already deployed and bring it under MHN's management.
Note: it is often easier to just redeploy the honeypot using MHN than it is to manually integrate an existing sensor since some sensors don't come with hpfeeds support.
General Steps:

- Go to the MHN add sensor page and add your sensor: http://<YOUR_MHN_SERVER>/ui/add-sensor/. This will provide you with a UUID you will need for the next step.
- Add an identifier and secret (and channels) to the hpfeeds auth_key database. Here's how:

  ```
  # Replace each <...> placeholder; the quotes keep the shell from treating "<" as a redirect.
  IDENT="<UUID FROM MHN>"
  SECRET="<CHOOSE A RANDOM STRING OF LETTERS AND NUMBERS, THE LONGER THE BETTER>"
  PUBLISH_CHANNELS="<COMMA SEPARATED LIST OF CHANNELS>"
  SUBSCRIBE_CHANNELS=""

  # Register the sensor with the hpfeeds broker, using the broker's virtualenv.
  cd /opt/hpfeeds/broker
  source env/bin/activate
  python add_user.py "$IDENT" "$SECRET" "$PUBLISH_CHANNELS" "$SUBSCRIBE_CHANNELS"
  ```

- Configure the honeypot's hpfeeds section to use your MHN server's IP, identifier, secret, and channels. The deploy_*.sh scripts in https://github.com/threatstream/mhn/tree/master/scripts/ contain the specific steps for each sensor. Please look at these scripts to see which configs need to be modified.
- Restart the honeypot and make sure data is flowing. If your sensor was pre-deployed, then the steps for restarting are up to you. MHN uses supervisord for managing honeypots, and this is how we do it:

  ```
  supervisorctl restart <HONEYPOT>
  ```
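For the step that adds the identifier and secret to the hpfeeds database, the following added example (not part of the MHN project's own scripts) generates the secret from the kernel CSPRNG and rejects malformed input before `add_user.py` is called. The function names, the UUID format check, the allowed channel characters and the sample channel names are assumptions made for this example.

```bash
#!/bin/sh
# Added example, not MHN code: prepare and check the values for add_user.py.

# 64 hex characters (256 bits) from /dev/urandom: letters and numbers only.
gen_secret() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Assumption: the identifier MHN issues is a canonical 8-4-4-4-12 hex UUID.
valid_ident() {
    case "$1" in *[!0-9A-Fa-f-]*) return 1 ;; esac   # also rejects newlines
    printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Comma-separated channel names with no spaces and no empty entries.
# Assumption: names use only letters, digits, '.', '_' and '-'.
valid_channels() {
    case "$1" in
        ''|,*|*,|*,,*|*[!A-Za-z0-9._,-]*) return 1 ;;
    esac
    return 0
}

# Hypothetical wrapper around the page's add_user.py call. Broker output goes
# to stderr; only the new secret is printed on stdout, ready to be copied
# into the honeypot's hpfeeds configuration.
register_sensor() {
    local ident="$1" channels="$2" secret
    valid_ident "$ident"       || { echo "bad ident: $ident" >&2; return 1; }
    valid_channels "$channels" || { echo "bad channels: $channels" >&2; return 1; }
    secret="$(gen_secret)"
    (
        cd /opt/hpfeeds/broker &&
        . env/bin/activate &&
        python add_user.py "$ident" "$secret" "$channels" ""
    ) >&2 || return 1
    printf '%s\n' "$secret"
}

# On the MHN server (channel names here are constructed samples):
#   register_sensor "<UUID FROM MHN>" "dionaea.capture,dionaea.connections"
```

The secret is only shown once on stdout, so capture it (for example with `SECRET="$(register_sensor ...)"`) rather than relying on terminal scrollback.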