I successfully installed MHN from GitHub. After deploying several sensors I observed that the honeymap and the attack page of MHN register attacks (nmap or logins to wordpot or cowrie) correctly. However, the ELK stack is only picking up the wordpot and cowrie events.
The channels in /opt/hpfeeds-logger/json.json include suricata.events.
{
    "host": "0.0.0.0",
    "port": 10000,
    "ident": "hpfeeds-logger-json",
    "secret": "f4e860162e2644488d950023df055a66",
    "channels": [
        "amun.events",
        "dionaea.connections",
        "dionaea.capture",
        "glastopf.events",
        "beeswarm.hive",
        "kippo.sessions",
        "cowrie.sessions",
        "conpot.events",
        "snort.alerts",
        "suricata.events",
        "wordpot.events",
        "shockpot.events",
        "p0f.events",
        "elastichoney.events"
    ],
    "log_file": "/var/log/mhn/mhn-json.log",
    "formatter_name": "json"
}
The /opt/suricata/etc/suricata/suricata.yml contains the following hpfeeds output:
  # hpfeeds output
  - alert-hpfeeds:
      enabled: yes
      host: xxx.xxx.xxx.xxx # Server IP
      port: 10000
      ident: xxx
      secret: xxx
      channel: suricata.events
      reconnect: yes # do we reconnect if publish fails ?!
The /opt/wordpot/wordpot.conf for example contains the following:
HPFEEDS_ENABLED = True
HPFEEDS_HOST = 'xxx.xxx.xxx.xxx' # Server IP
HPFEEDS_PORT = 10000
HPFEEDS_IDENT = 'xxx'
HPFEEDS_SECRET = 'xxx'
HPFEEDS_TOPIC = 'wordpot.events'
As far as I understand the MHN ELK idea, all the outputs should go to the file on the server:
/var/log/mhn/mhn-json.log
Unfortunately only the wordpot/cowrie events make it there. Is there a way to check where the suricata.events get lost on their way to logstash?
The whole thing is behind a parent proxy, while the MHN server itself is running a squid instance to provide a proxy to the parent proxy for the sensors to be installed (avoiding direct internet access of the sensors).
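One way to see where the suricata.events messages stop is to look at the hpfeeds traffic itself rather than only at the log file: capture the TCP payload between the sensor and the broker on port 10000 and decode the frames, then check whether the sensor ever sends a PUBLISH on the channel, whether the broker answers with an ERROR frame (which it does on a failed AUTH or on a publish the ident is not allowed to make), and whether that channel is in the logger's subscription list. The decoder below is my own added example, not code from the original post or from the MHN/hpfeeds projects. It assumes the hpfeeds v1 framing used by the reference Python client (4-byte big-endian total length including the header, 1-byte opcode, strings prefixed with a 1-byte length, AUTH digest = sha1(rand + secret)); the sensor ident, the captured byte stream and the JSON alert are constructed sample data.

```python
"""Decode hpfeeds frames from a captured byte stream and cross-check channels.

Added example, not from the original post or the MHN project. Framing follows
the hpfeeds v1 reference client: 4-byte big-endian length (header included),
1-byte opcode, 1-byte length-prefixed strings.
"""
import hashlib
import json
import struct

OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = 0, 1, 2, 3, 4


def _strpack8(s: bytes) -> bytes:
    """1-byte length prefix followed by the string, as the reference client does."""
    return struct.pack("!B", len(s)) + s


def _strunpack8(buf: bytes, off: int):
    """Read one length-prefixed string at offset off; return (string, new offset)."""
    n = buf[off]
    return buf[off + 1:off + 1 + n], off + 1 + n


def frame(op: int, payload: bytes) -> bytes:
    """Wrap a payload in the hpfeeds header; the length counts the 5 header bytes."""
    return struct.pack("!IB", 5 + len(payload), op) + payload


def auth_digest(rand: bytes, secret: bytes) -> bytes:
    """Digest a client sends in AUTH in reply to the broker's INFO rand."""
    return hashlib.sha1(rand + secret).digest()


def auth(rand: bytes, ident: bytes, secret: bytes) -> bytes:
    return frame(OP_AUTH, _strpack8(ident) + auth_digest(rand, secret))


def publish(ident: bytes, channel: bytes, data: bytes) -> bytes:
    return frame(OP_PUBLISH, _strpack8(ident) + _strpack8(channel) + data)


def decode_frames(stream: bytes):
    """Split a captured TCP payload into decoded hpfeeds frames.

    Stops at the first truncated or malformed frame instead of misparsing
    the remainder, so a partial capture yields only the complete frames.
    """
    out, off = [], 0
    while off + 5 <= len(stream):
        length, op = struct.unpack("!IB", stream[off:off + 5])
        if length < 5 or off + length > len(stream):
            break
        body = stream[off + 5:off + length]
        off += length
        if op == OP_PUBLISH:
            ident, p = _strunpack8(body, 0)
            chan, p = _strunpack8(body, p)
            out.append({"op": "PUBLISH", "ident": ident.decode(),
                        "channel": chan.decode(), "data": body[p:]})
        elif op == OP_AUTH:
            ident, p = _strunpack8(body, 0)
            out.append({"op": "AUTH", "ident": ident.decode(), "digest": body[p:]})
        elif op == OP_INFO:
            name, p = _strunpack8(body, 0)
            out.append({"op": "INFO", "name": name.decode(), "rand": body[p:]})
        elif op == OP_ERROR:
            # The broker's refusal (bad secret, ident not allowed on the channel)
            # arrives as an ERROR frame; its presence is the first thing to look for.
            out.append({"op": "ERROR", "message": body.decode(errors="replace")})
        else:
            out.append({"op": op, "raw": body})
    return out


def unsubscribed_channels(frames, logger_channels):
    """Channels that sensors PUBLISH on but the hpfeeds-logger never subscribes to."""
    published = {f["channel"] for f in frames if f["op"] == "PUBLISH"}
    return sorted(published - set(logger_channels))


if __name__ == "__main__":
    # Constructed sample: one suricata alert published by a hypothetical sensor ident.
    alert = json.dumps({"event_type": "alert", "src_ip": "192.0.2.10"}).encode()
    capture = auth(b"rand", b"sensor-1", b"secret") \
        + publish(b"sensor-1", b"suricata.events", alert)
    frames = decode_frames(capture)
    for f in frames:
        print(f["op"], {k: v for k, v in f.items() if k != "op"})
    # Channel list from the json.json in the post; suricata.events is present,
    # so nothing should be reported here.
    logger_channels = ["cowrie.sessions", "suricata.events", "wordpot.events"]
    print("published but not subscribed:", unsubscribed_channels(frames, logger_channels))
```

Run it against a real capture by reading the reassembled TCP payload of the sensor's port-10000 connection into `decode_frames`; no PUBLISH frames means the sensor never sends (check that `enabled: yes` is active and that suricata actually reloaded the config), an ERROR frame right after AUTH means the broker rejected the ident or secret, and a PUBLISH that arrives while the logger still does not write the event points at the logger side (its own subscription or ACL on suricata.events).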