dkindlund / honeyclient

MITRE HoneyClient Project
http://www.honeyclient.org
GNU General Public License v2.0

Honeyclients should support upstream proxies #193

Closed dkindlund closed 14 years ago

dkindlund commented 14 years ago

When a proxy for crawling URLs is required, the firewall is not allowing access to this proxy automatically.

A workaround is to allow forwarding to the proxy manually through iptables, but I think it is not a production solution o/

I also tried export http_proxy="http://...:3128", but without success.

Thank you for any hints.

dkindlund commented 14 years ago

Author: kindlund

Hi David,

Are you using v1.0.2? If so, then yes, I understand the issue.

Specifically, the firewall code running on the Firewall VM generally blocks honeyclient VM traffic at the TCP port level -- only allowing TCP ports 80 and 443 to pass. It would be possible to patch the code to allow TCP port 3128 through; however, it may not work reliably.

It sounds like your solution of forwarding the proxy via iptables works for you. Essentially, I think you have set up a transparent proxy (using iptables). If that is the case, then I would recommend keeping this solution, as it requires no code/architecture changes and has been tested in a production environment.

The only caveat is that you should have this transparent proxy set up (preferably) outside the host system -- or, at the very least, in a separate VM from the Firewall VM.

I will certainly mark this issue as a new feature request, as I believe the system should support upstream proxies in the future.

Regards,

-- Darien

dkindlund commented 14 years ago

Author: David Vorel

Hi kindlund,

Thank you for the quick response.

Yes, I'm using 1.0.2.

I'm using a proxy outside of VMware on a different server; requests go directly to the proxy through the firewall. I mean that I'm completely jumping over the procedures on the Firewall, is that right? (I'm doing iptables -I FORWARD -p tcp --destination-port 3128 after the FW/iptables are up.) Are there some disadvantages when the FW is "out"?

Yes, I agree that it's possible to do it with a transparent proxy (no need to allow access after each cloning + as you don't flush the POSTROUTING table -> it is possible to do it only once and map a local port on the FW as a proxy redirect). But isn't there the same handicap as in direct access to the proxy via the FW?

Sorry about the questions, but the proxy is now the easiest way to extract the exact inner URL serving malware. (I was thinking about using urlsnarf to do this work.) I'm too lazy to extract malware URLs manually ;]

dkindlund commented 14 years ago

Author: kindlund

Hi David,

Okay, so to be clear, you are currently modifying the firewall ruleset that's located on the "Firewall VM" in order to add an additional rule that redirects all honeyclient VM traffic through a proxy server that is on your local network. Is this correct?

If yes, then you are correct that your redirection rule may be overriding all other firewall behavior on the "Firewall VM". The disadvantage is that if a honeyclient VM becomes compromised, there is a small period of time before the VM is suspended. During this period of time, the firewall blocks all of the VM's network connections; however, it's possible that your firewall may not be doing this properly.

If this risk is acceptable, then sure, you can continue using the system with the modifications you've described. Otherwise, I'd recommend moving the redirection rules out onto the proxy server itself, so that it becomes a transparent proxy server.

Hope this helps,

-- Darien
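The two approaches discussed above, the iptables FORWARD rule inserted on the Firewall VM versus a redirect rule on the proxy host, side by side as an added example. This is not HoneyClient project code and it is not Darien's or David's configuration; the honeyclient network 10.0.0.0/24, the proxy port 3128 and the sample iptables -S output are constructed for illustration, and the script assumes the proxy host is the next hop for honeyclient traffic and runs its proxy in interception mode (Squid calls this intercept, older versions transparent). IPT defaults to a dry run that only echoes the commands, so the script runs unprivileged; the last function is a check a defender can run against the real FORWARD chain to see whether the workaround is shadowing the firewall's blocking rules.

```shell
#!/bin/sh
# Added example, not HoneyClient project code. IPT defaults to a dry run
# (echo) so this runs unprivileged; set IPT=iptables to apply for real.
IPT="${IPT:-echo iptables}"
HONEYCLIENT_NET="${HONEYCLIENT_NET:-10.0.0.0/24}"   # assumed honeyclient VM network
PROXY_PORT="${PROXY_PORT:-3128}"                    # assumed upstream proxy port

# The workaround from the thread, run on the Firewall VM. "-I FORWARD" with no
# index inserts at position 1, so this rule is evaluated before every existing
# rule in the chain, including the ones meant to cut off a compromised VM in the
# window before it is suspended. Anything the VM sends to TCP/3128 passes.
firewall_vm_workaround() {
    $IPT -I FORWARD -p tcp --destination-port "$PROXY_PORT" -j ACCEPT
}

# The recommended alternative, run on the proxy host instead. The Firewall VM
# ruleset is left untouched: it already permits TCP/80 and TCP/443, which is
# all the honeyclient VMs need once port 80 is intercepted here.
transparent_proxy_redirect() {
    $IPT -t nat -A PREROUTING -s "$HONEYCLIENT_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# Check: read "iptables -S FORWARD" output on stdin and report (exit 0) when an
# ACCEPT for the proxy port appears before the first DROP/REJECT rule, i.e. the
# workaround is positioned where it bypasses the firewall's blocking rules.
forward_chain_has_bypass() {
    awk -v port="$PROXY_PORT" '
        /^-A FORWARD/ && /-j (DROP|REJECT)/ { blocked = 1 }
        /^-A FORWARD/ && !blocked && $0 ~ ("--dport " port " ") && /-j ACCEPT/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of "iptables -S FORWARD" after the workaround (-I) was
# applied: the 3128 ACCEPT sits above the rule that drops new VM connections.
SAMPLE_BYPASSED='-P FORWARD DROP
-A FORWARD -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -m state --state NEW -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT'

# Constructed sample where the same rule was appended (-A) below the DROP, so
# the blocking rule still wins; shows that rule position is what matters.
SAMPLE_ORDERED='-P FORWARD DROP
-A FORWARD -s 10.0.0.0/24 -m state --state NEW -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3128 -j ACCEPT'

# Stand-alone run: print both rule sets (dry run) and check the sample chain.
firewall_vm_workaround
transparent_proxy_redirect
if printf '%s\n' "$SAMPLE_BYPASSED" | forward_chain_has_bypass; then
    echo "WARNING: ACCEPT for TCP/$PROXY_PORT shadows the FORWARD chain's blocking rules"
fi
```

On a live Firewall VM the check is run as `iptables -S FORWARD | forward_chain_has_bypass` (needs root to read the chain); a zero exit means the proxy rule is in the position David described, ahead of whatever the firewall code put there.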

dkindlund commented 14 years ago

Author: David Vorel

Hi Darien,

1) Correct

2) Ok, it's clear to me now.

3) Thank you for recommendation.

Great project and great support; once again, thanks for the help.