pwnlandia / mhn

Modern Honey Network
GNU Lesser General Public License v2.1

Honeymap doesn't work with Singapore IPs #670

Open nitrogen17 opened 5 years ago

nitrogen17 commented 5 years ago

Can anyone reproduce a fresh installation of MHN and confirm whether the Honeymap is working in the latest master branch? I did the MHN and Sensor installation on a public IP two times already, but the Honeymap didn't work. Everything is working fine except the Honeymap. Issue #664 doesn't work either.

All supervisor processes are working normally on both mhn and sensor.

MHN supervisorctl

geoloc              RUNNING   pid 9670,  uptime 3:45:47
honeymap            RUNNING   pid 9671,  uptime 3:45:47
hpfeeds-broker      RUNNING   pid 22250, uptime 3:48:25
mhn-celery-beat     RUNNING   pid 11662, uptime 3:37:54
mhn-celery-worker   RUNNING   pid 11743, uptime 3:36:54
mhn-collector       RUNNING   pid 11743, uptime 3:36:54
mhn-uwsgi           RUNNING   pid 11666, uptime 3:37:54
mnemosyne           RUNNING   pid 8299,  uptime 3:46:30

Snort Sensor

conpot              RUNNING   pid 7753,  uptime 0:06:40

Thanks!

jtsamas commented 5 years ago

I did not do a fresh installation on my Ubuntu 16.04, as I had made a second fresh installation in May 2019; however, I followed the instructions given by @d1str0 (and past help support from @jatrost). Unfortunately I only got this: mhn-collector: ERROR

Looking at my logs in mhn-collector.log and mhn-collector.err:

sudo tail /var/log/mhn/mhn-collector.log
  File "/opt/mhn/env/src/hpfeeds-logger/hpfeedslogger/processors.py", line 77, in geo_intel
AttributeError: 'Location' object has no attribute 'lattitude'
2019-06-20 14:32:51,633 - collector - ERROR - 'Location' object has no attribute 'lattitude'
Traceback (most recent call last):
  File "collector_v2.py", line 100, in on_message
    results = processor.process(identifier, channel, payload, ignore_errors=True)
  File "/opt/mhn/env/src/hpfeeds-logger/hpfeedslogger/processors.py", line 631, in process
  File "/opt/mhn/env/src/hpfeeds-logger/hpfeedslogger/processors.py", line 607, in geo_intelligence_enrichment
  File "/opt/mhn/env/src/hpfeeds-logger/hpfeedslogger/processors.py", line 77, in geo_intel
AttributeError: 'Location' object has no attribute 'lattitude'

sudo tail /var/log/mhn/mhn-collector.err
    src_ip=dec.src_ip,
         ^
SyntaxError: invalid syntax
Traceback (most recent call last):
  File "collector_v2.py", line 5, in <module>
    from hpfeedslogger import processors
  File "/opt/mhn/env/local/lib/python2.7/site-packages/hpfeedslogger/processors.py", line 166
    src_ip=dec.src_ip,
         ^
SyntaxError: invalid syntax

sudo supervisorctl restart all

mhn-collector: ERROR (spawn error)
cowrie: ERROR (spawn error)
suricata: started
snort: started
mhn-celery-beat: started
hpfeeds-broker: started
mnemosyne: started
geoloc: started
mhn-uwsgi: started
mhn-celery-worker: started
honeymap: started

sudo tail -f /var/log/mhn/geoloc.*

==> /var/log/mhn/geoloc.err <==
error: [Errno 111] Connection refused
connected to @hp2
Parsing config file: /opt/hpfeeds/geoloc.json
Traceback (most recent call last):
  File "/opt/hpfeeds/env/local/lib/python2.7/site-packages/hpfeeds.py", line 137, in connect
    self.s.connect((addr, self.port))
  File "/usr/lib/python2.7/socket.py", line 228, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 111] Connection refused
connected to @hp2

==> /var/log/mhn/geoloc.log <==
  File "/opt/hpfeeds/env/local/lib/python2.7/site-packages/geoip2/database.py", line 114, in city
    return self._model_for(geoip2.models.City, 'City', ip_address)
  File "/opt/hpfeeds/env/local/lib/python2.7/site-packages/geoip2/database.py", line 195, in _model_for
    record = self._get(types, ip_address)
  File "/opt/hpfeeds/env/local/lib/python2.7/site-packages/geoip2/database.py", line 191, in _get
    "The address %s is not in the database." % ip_address)
AddressNotFoundError: The address 10.2.2.74 is not in the database.
invalid message {"sensor": "21d0126a-8f53-11e9-a264-d4ae52c399cf", "timestamp": "2019/06/20 16:16:13.146814", "tcp_seq": "0xC0B4F9C", "proto": "TCP", "ip_tos": 0, "destination_ip": "10.2.2.74", "source_ip": "185.176.26.27", "ip_ttl": 238, "ip_id": 62164, "eth_src": "50:57:A8:D4:A5:84", "eth_dst": "D4:AE:52:C3:99:CF", "tcp_len": 20, "eth_type": "0x800", "eth_len": "0x3C", "tcp_ack": "0x0", "tcp_win": "0x4000000", "source_port": 42837, "signature_id": 2402000, "destination_port": 3333, "tcp_flags": "**S*", "action": "allowed", "signature_rev": 5189, "signature": "ET DROP Dshield Block Listed Source group 1"}
Traceback (most recent call last):
  File "/opt/hpfeeds/examples/geoloc/geoloc.py", line 84, in

tiancu1980 commented 5 years ago

Honeymap does not show the map: https://github.com/threatstream/mhn/issues/246

nitrogen17 commented 5 years ago

I tried that @tiancu1980 but no luck. Anyway, I have an idea based on that #246.

Instead of sudo tcpdump -A -nnNN 'tcp port 10000' | grep -o '\{.*' --line-buffered

Try to use sudo tcpdump -A -nnNN 'tcp port 3000' | grep -o '\{.*' --line-buffered

Port 3000 is the Honeymap page. I used port 3000 to sniff whether any packets are received on that port, and yes, I got packets:

https://i.imgur.com/xsdMIAV.png

{\"city\":\"Xinpu\",\"city2\":\"Singapore\",\"countrycode\":\"CN\",\"countrycode2\":\"SG\",\"latitude\":34.5997,\"latitude2\":1.2929,\"longitude\":119.1594,\"longitude2\":103.8547,\"type\":\"snort.alerts\"}

nitrogen17 commented 5 years ago

I found the culprit! It seems that there's a problem when you deploy the mhn server or sensor on a Singapore public IP. This issue is exactly the same as my problem, #256.

https://i.imgur.com/wpD7D4w.png

As you can see, there's no SG in mapData.paths indicating the Singapore object, and it returns undefined.

The temporary fix is to make the return of function(e) point at an already existing object, and the honeymap will work. https://i.imgur.com/0EM7BxL.png

jtsamas commented 5 years ago

@nitrogen17 kindly guide me on the steps; maybe I have the same issue.

d1str0 commented 5 years ago

@nitrogen17 can you elaborate on your fix? What file is mapData.paths? Is this from the GeoLite2.mmdb? Or a script in honeymap? Unfortunately images don't help as much as text file links.

If you can elaborate I would love to fix this.

nitrogen17 commented 5 years ago

Sure, I'll go through the problem from the start.

  1. I check if the honeymap receives any data by using this command on port 3000: sudo tcpdump -A -nnNN 'tcp port 3000' | grep -o '\{.*' --line-buffered
  2. Since I get the data from that command from my dry-run attacks, I suspected that the problem would be on the client side or UI.
  3. I check the honeymap log by right-clicking and inspecting elements. I found this jQuery error: https://i.imgur.com/BoLUsUM.png
  4. I debug it by inserting console.log(e) to check the content of the undefined value from getRegionName:function(e), and it seems that the problem is that when you have SG data the return value of the function will be undefined, and that causes the JS error.
    1. So I tried to put in code so that if the data is SG then I return the data of PH: if(e=='SG') return this.mapData.paths['PH'].name;

You can check the code here. Filename path: honeymap/client/extern/jquery-jvectormap-1.0.min.js. Note: this is only a temporary fix to bypass the error for SG.

So far the problem seems to be in the database. I'm not sure if it's the GeoLite2.mmdb, but the data looks like this:

https://i.imgur.com/wpD7D4w.png

SG must be included there in order to fix this issue.
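The failure described in the two comments above (a region lookup that dereferences `this.mapData.paths[code].name` for a code the map does not have, so one SG-bound event breaks the whole handler) can be reproduced and checked outside the browser. The following is an added example, not code from MHN or the honeymap/jvectormap files; `mapData`, the function names and the sample event are all constructed here (the event copies the shape of the JSON posted earlier in the thread, and SG is deliberately left out of the table). It shows the lookup in the shape the thread describes, a hardened lookup that degrades to the raw code instead of throwing and records the miss, and a batch check that lists which country codes in a set of events have no entry in the map, which is the diagnostic that points directly at the missing SG region rather than at the remapping workaround.

```javascript
// Constructed stand-in for the region table the thread calls this.mapData.paths.
// Only a few regions are included and SG is intentionally absent.
const mapData = {
  paths: {
    CN: { name: 'China' },
    PH: { name: 'Philippines' },
    US: { name: 'United States' },
  },
};

// Lookup in the shape the thread describes: for an unknown code,
// mapData.paths[code] is undefined and reading .name on it throws a TypeError.
function getRegionNameStrict(code) {
  return mapData.paths[code].name;
}

// Hardened lookup: an unknown code falls back to the code itself so one bad
// event cannot stop the map, and the miss is recorded for later diagnosis.
const missingRegions = new Set();
function getRegionNameSafe(code) {
  const region = mapData.paths[code];
  if (region === undefined) {
    missingRegions.add(code);
    return code;
  }
  return region.name;
}

// One event in the JSON shape seen on port 3000 in the thread (constructed copy).
const sampleEvent = JSON.stringify({
  city: 'Xinpu', city2: 'Singapore',
  countrycode: 'CN', countrycode2: 'SG',
  latitude: 34.5997, latitude2: 1.2929,
  longitude: 119.1594, longitude2: 103.8547,
  type: 'snort.alerts',
});

// Resolve both ends of an event with the given lookup function.
// With getRegionNameStrict the SG destination throws; with getRegionNameSafe
// both ends resolve and 'SG' is recorded in missingRegions.
function resolveEvent(raw, lookup) {
  const ev = JSON.parse(raw);
  return {
    src: lookup(ev.countrycode),
    dst: lookup(ev.countrycode2),
    type: ev.type,
  };
}

// Batch check: which country codes in a set of events are absent from the map.
// Running this over captured events answers "which region is missing" directly.
function findUnmappedCodes(rawEvents) {
  const unmapped = new Set();
  for (const raw of rawEvents) {
    const ev = JSON.parse(raw);
    for (const code of [ev.countrycode, ev.countrycode2]) {
      if (!(code in mapData.paths)) unmapped.add(code);
    }
  }
  return [...unmapped].sort();
}

// Helper used to show that the strict lookup really does throw on the sample.
function throwsOn(fn) {
  try { fn(); return false; } catch (e) { return true; }
}

// Stand-alone demonstration.
console.log('strict lookup throws on sample event:', throwsOn(() => resolveEvent(sampleEvent, getRegionNameStrict)));
console.log('safe lookup result:', resolveEvent(sampleEvent, getRegionNameSafe));
console.log('codes with no map entry:', findUnmappedCodes([sampleEvent]));
```

The hardened lookup is preferable to returning another country's name for SG: the map keeps rendering, and `missingRegions` tells you exactly which codes the region table is missing, so the fix can be made in the data (adding the SG path) rather than in the lookup.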

dykno commented 4 years ago

Also worth checking out #54 from a few years back if anybody is still bumping into this.