Honeypot generating blacklists for Cisco Firepower
Dennis Perto
Leading engineering in the OT SOC | Public speaker | OSCP | CCNP Security | Bitcoin maximalist | OWASP Chapter Leader
I will iterate through the steps of grabbing data from the log files generated by Heralding to make blacklists on the fly.
I quickly spun up an Ubuntu 16.04 LXC container on my QNAP NAS to begin some testing. The container is initialized with the user ubuntu and the password ubuntu; change that before the box is reachable from anything you care about.
The most important prerequisite for installing Heralding is Python 3.5 or newer.
After following this guide for installing Heralding (do this first!) I found the log in the same folder Heralding runs from.
The log file is named heralding_activity.log
Now I needed to make a few things work. I can not use port 80 for the web server that serves the blacklists to Firepower, because Heralding's own HTTP honeypot listens there, so I made my own on another port. Luckily there is a built-in one in Python, the http.server module.
I made a folder called "http" in the Heralding install directory, and after that a systemd service that starts the web server on port 8181 with that folder as its working directory, just as the service in the Heralding install guide was configured. The working directory must be the "http" folder and not the Heralding directory itself, otherwise heralding_activity.log, with every captured username and password in it, is served to anyone who can reach the port.
After this I of course reloaded systemd, enabled the service at boot and started it.
sudo systemctl daemon-reload
sudo systemctl enable blacklist.webserver
sudo service blacklist.webserver start
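The article does not show the unit file itself, so here is one as an added example (my own, not the article's or Heralding's). It assumes the article's layout (Heralding under /home/ubuntu/heralding, lists in its "http" subfolder, port 8181, the service running as the ubuntu user) and pins down the two things that matter: the working directory is the "http" folder only, and the listener is bound to one address instead of 0.0.0.0. The --bind option of http.server exists since Python 3.4; --directory only arrived in 3.7, which is why WorkingDirectory does that job here.

```shell
#!/bin/sh
# Added example: print a systemd unit for the blacklist web server.
# Assumptions (not from the article): service user "ubuntu", python3 at
# /usr/bin/python3, and that the FMC reaches the honeypot on BIND_IP.
# usage: blacklist_webserver_unit DIR BIND_IP PORT

blacklist_webserver_unit() {
  cat <<EOF
[Unit]
Description=Serve Heralding blacklists to Firepower
After=network.target

[Service]
User=ubuntu
# Only the list folder is served: heralding_activity.log stays private.
WorkingDirectory=$1
# --bind keeps the listener off 0.0.0.0; use the management-side address.
ExecStart=/usr/bin/python3 -m http.server --bind $2 $3
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Print the unit to stdout; defaults are the article's path and port with a
# loopback bind (assumed safe default, override with the real management IP).
blacklist_webserver_unit "${1:-/home/ubuntu/heralding/http}" "${2:-127.0.0.1}" "${3:-8181}"
```

Write it into place with something like `sh make-unit.sh /home/ubuntu/heralding/http 192.0.2.10 8181 | sudo tee /etc/systemd/system/blacklist.webserver.service` (the address is a placeholder for your management interface), then run the daemon-reload, enable and start commands from the article.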
Almost done!
Now we just need to extract the IPs and put them in the "http" folder, so they are served on port 8181. I did it with a file called "update.sh" which is run automatically by cron. Every 30 minutes should be fine, but for testing purposes I run it every 5 minutes.
Make note of the log file.
If you want to copy my script, go to the bottom of this article.
After a successful run we should have these files in our http folder: one list per protocol (ftp.txt, telnet.txt, ssh.txt and so on) plus global.txt.
global.txt contains all the unique IPs across every protocol list.
Add a custom Security Intelligence feed to your Firepower Management Center by giving it the path:
http://[IP Address]:8181/global.txt
Set the feed's update frequency no shorter than the cron interval, and keep in mind that the feed comes from a host that is deliberately exposed to attackers: restrict who can reach port 8181, and check the list for your own addresses before you let it block anything.
Have fun!
About: Dennis Perto is an enthusiastic security consultant who places great honour in genuinely humble consulting. He believes in serving the client with expert knowledge, and in not being afraid to admit when he is not the right expert anymore. He enjoys configuring Cisco Firepower for every special need.
Feel free to connect with me here on LinkedIn, and follow me on Twitter: @PertoDK
#!/bin/sh
# update.sh: run from cron; rebuilds the per-protocol lists and global.txt
# served on port 8181. Heralding's CSV columns are
# timestamp,auth_id,session_id,source_ip,source_port,destination_ip,destination_port,protocol,username,password
# so $4 is the source IP and $8 the protocol. Match on the protocol field
# rather than grepping the whole line: a plain `grep pop3` also pulls in
# pop3s lines, and any username or password containing "ssh" or "ftp"
# would land that attempt in the wrong list.
cd /home/ubuntu/heralding/http || exit 1
LOG=../heralding_activity.log
TEMP=$(mktemp) || exit 1
echo "$(date): Updating blacklists"
echo "$(wc -l < global.txt 2>/dev/null || echo 0) lines in honeypot global blacklist before update"
for blacklist in ftp telnet ssh http https pop3 pop3s imap imaps smtp; do
  # The IPv4 pattern on $4 also skips the header line and any IPv6 source.
  awk -F',' -v proto="$blacklist" '$8 == proto && $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $4}' "$LOG" \
    | sort -u | tee "$blacklist.txt" >> "$TEMP"
  echo "$(wc -l < "$blacklist.txt") lines in honeypot $blacklist blacklist"
done
sort -u "$TEMP" > global.txt
echo "$(wc -l < global.txt) lines in honeypot global blacklist after update"
rm -f "$TEMP"
echo "$(date): Blacklist update done"
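To show what the extraction step in update.sh actually has to get right, here is an added example (my own code, not the article's script) run over a constructed Heralding log. It matches the protocol column instead of grepping the whole line, side by side with the substring version, and it drops allow-listed addresses before the global list is published so your own scanners and management hosts never end up in the Firepower block list. The column layout is the one from Heralding's CSV header line; the sample log lines, session ids and addresses are made up for the demo.

```shell
#!/bin/sh
# Added example, not the article's update.sh. Assumed column layout
# (Heralding's CSV header): timestamp,auth_id,session_id,source_ip,
# source_port,destination_ip,destination_port,protocol,username,password
# -> $4 is the source IP, $8 the protocol.

# Unique source IPs for one protocol, matched on the protocol field.
# The IPv4 pattern on $4 also skips the header line and any IPv6 source.
extract_ips() {
  awk -F',' -v proto="$2" \
    '$8 == proto && $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $4 }' "$1" \
    | sort -u
}

# The substring approach: `grep pop3` also matches pop3s lines, and any
# username or password containing the string lands in the wrong list.
extract_ips_grep() {
  grep "$2" "$1" \
    | awk -F',' '/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]/ { print $4 }' \
    | sort -u
}

# Merge the per-protocol lists and remove exact matches from the allow
# list (own scanners, management hosts) so they are never blocked.
# usage: build_global LOG ALLOWLIST PROTO...
build_global() {
  log=$1; allow=$2; shift 2
  for p in "$@"; do extract_ips "$log" "$p"; done \
    | sort -u | grep -v -x -F -f "$allow"
}

# Constructed sample log: documentation addresses, made-up ids.
# 192.0.2.9 tried FTP with the password "ssh-scanner"; 10.0.0.50 is an
# internal host we do not want blocked.
write_sample_log() {
  cat > "$1" <<'EOF'
timestamp,auth_id,session_id,source_ip,source_port,destination_ip,destination_port,protocol,username,password
2017-05-01 10:00:00.000001,a1,s1,203.0.113.5,51000,10.0.0.2,22,ssh,root,123456
2017-05-01 10:00:01.000002,a2,s2,203.0.113.5,51001,10.0.0.2,22,ssh,admin,admin
2017-05-01 10:00:02.000003,a3,s3,198.51.100.7,40000,10.0.0.2,110,pop3,bob,letmein
2017-05-01 10:00:03.000004,a4,s4,198.51.100.8,40001,10.0.0.2,995,pop3s,alice,secret
2017-05-01 10:00:04.000005,a5,s5,192.0.2.9,33000,10.0.0.2,21,ftp,anonymous,ssh-scanner
2017-05-01 10:00:05.000006,a6,s6,10.0.0.50,44000,10.0.0.2,23,telnet,ops,test
EOF
}

# Demo run on the sample with 10.0.0.50 allow-listed.
demo_dir=$(mktemp -d)
write_sample_log "$demo_dir/heralding_activity.log"
printf '10.0.0.50\n' > "$demo_dir/allow.txt"
echo "ssh by field:  $(extract_ips "$demo_dir/heralding_activity.log" ssh | tr '\n' ' ')"
echo "ssh by grep:   $(extract_ips_grep "$demo_dir/heralding_activity.log" ssh | tr '\n' ' ')"
echo "pop3 by field: $(extract_ips "$demo_dir/heralding_activity.log" pop3 | tr '\n' ' ')"
echo "pop3 by grep:  $(extract_ips_grep "$demo_dir/heralding_activity.log" pop3 | tr '\n' ' ')"
echo "global:        $(build_global "$demo_dir/heralding_activity.log" "$demo_dir/allow.txt" ftp telnet ssh pop3 pop3s | tr '\n' ' ')"
rm -rf "$demo_dir"
```

The grep variant puts 192.0.2.9 in the ssh list because of its password and 198.51.100.8 in the pop3 list because "pop3" is a prefix of "pop3s"; the field match gets both right, and the global list comes out without the allow-listed 10.0.0.50.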
Claudio Arras and Riccardo Mazza, what do you think?
An energetic go-getter and networker who "opens doors for you to walk through" with skills in Product Design, Business development, Scrum Master, business intelligence analyst and Lab leader. Are you "the one"?
7 years ago: Thank you so much Dennis Perto, I'm going to look into this with the team ^^.
Dennis Perto (author)
7 years ago: Updated with a high-level overview block diagram at the bottom of the article. :)
Computer Psychiatrist, Network Administrator. Left field composer. Got blockchain?
7 years ago: I appreciate the information, and the screenshots.
Very good stuff.