qeeqbox / chameleon

19 Customizable honeypots for monitoring network traffic, bots activities and username/password credentials (DNS, HTTP Proxy, HTTP, HTTPS, SSH, POP3, IMAP, SMTP, RDP, VNC, SMB, SOCKS5, Redis, TELNET, Postgres, MySQL, MSSQL, Elastic and LDAP)
GNU Affero General Public License v3.0
661 stars, 115 forks

log to file #5

Closed Sparkxxx closed 3 years ago

Sparkxxx commented 3 years ago

Hi and thank you for this project,

Is it possible to get a log file/output like syslog from the honeypots? I plan to use chameleon on the internal network and I have centralised logging that would alert when there are failed logins.

Thank you

giga-a commented 3 years ago

Hey @Sparkxxx,

I can make that happen, but what about my other project Honeypots? Chameleon is built on top of Honeypots - it's super easy to set it up! You can set up all sorts of honeypots and output the logs to file, terminal or both

    pip3 install honeypots
    honeypots --setup ssh,ftp --config config.json

config.json

    {
        "logs": "file,terminal",
        "logs_location": "/temp/honeypots_logs/",
        "honeypots": {
            "ftp": {
                "port": 21,
                "ip": "0.0.0.0",
                "username": "test",
                "password": "test"
            },
            "ssh": {
                "port": 22,
                "ip": "0.0.0.0",
                "username": "test",
                "password": "test"
            }
        }
    }

[edit]

You can enable logging to file -> Chameleon project -> config.json -> change

    "logs": "db",

to

    "logs":"db,file",
    "logs_location":"/temp/honeypots_logs/"

Sparkxxx commented 3 years ago

Thanks for the reply. Using "logs":"db,file", works but the format of the log is not compatible with syslog so it's not much use without a syslog-ng filter/parser. Regarding honeypots, I've upgraded the chameleon container with the latest version from honeypots-Dockerfile to the latest version RUN pip3 install honeypots==0.25 instead of 0.23 which was the default one but I have not tested functionality yet. I prefer using docker since it would not require maintaining python processes on VMs running docker containers, it makes more sense for me. My scenario is that I have a VM with docker-compose chameleon and nobody should touch that host. When this happens I would like to have the attempt in syslog format so that I can act upon it, and it would be great if we could use the docker syslog driver directly to redirect stdout:

      driver: syslog
      options:
        syslog-address: "udp://10.1.0.x:514"
        tag: "honeypots"

Thanks

P.S. Couldn't find much info on honeypots either and searching the web I found some references to chameleon honeypots https://owasp.org/www-pdf-archive/GOD17-Chameleon.pdf https://www.tu-braunschweig.de/index.php?eID=dumpFile&t=f&f=74776&token=78405aa9f5db4f5c28b1c071af0e27fb8893c2b7, are you affiliated, is it the same project or behavior expected from this project?

giga-a commented 3 years ago

@Sparkxxx

Using "logs":"db,file", works but the format of the log is not compatible with syslog so it's not much use without a syslog-ng filter/parser.

Would you be able to share your syslog-ng config file?

Regarding honeypots I've upgraded the chameleon container with the latest version from honeypots-Dockerfile to the latest version RUN pip3 install honeypots==0.25 instead of 0.23 which was the default one but I have not tested functionality yet. I prefer using docker since it would not require maintaining python processes on vms running docker containers, it makes more sense for me.

I have pushed many updates and now you can specify a syslog server in the config.json in any stage: ./run.sh test, ./run.sh dev or ./run.sh deploy

Add syslog to logs, configure the syslog_address as URI and syslog_facility value

    "logs": "db,syslog",
    "logs_location": "",
    "syslog_address":"udp://syslog:514",
    "syslog_facility":3,
    "postgres":"//changeme027a088931d22:changeme0f40773877963@chameleon_postgres:9999/chameleon",
    "filter": "not port 9999 and not port 514",
    "interface": "eth0",

Also, I have added a syslog server to test that functionality (if you do not have one). You can run the project in test stage ./run.sh test and view the logs by accessing the chameleon_syslog container. The location is specified in the syslog-ng

Couldn't find much info on honeypots either and searching the web I found some references to chameleon honeypots https://owasp.org/www-pdf-archive/GOD17-Chameleon.pdf https://www.tu-braunschweig.de/index.php?eID=dumpFile&t=f&f=74776&token=78405aa9f5db4f5c28b1c071af0e27fb8893c2b7, are you affiliated, is it the same project or behavior expected from this project?

No, the links you listed above are different. I was referring to this honeypots package (You won't be able to find much information about QeeqBox projects because they were closed-source and used internally)

Let me know if the new updates make sense or not!
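As an added example (not code from the Chameleon or Honeypots projects), a small pre-deployment check for a config.json shaped like the fragment above. It assumes the intent of the "filter" line is to keep the honeypot's own syslog and postgres traffic out of the packet capture, so it verifies that the ports in syslog_address and the postgres URI are excluded there, that syslog_address is a udp:// or tcp:// URI, that syslog_facility is in the 0..23 range, and that a "file" sink has a logs_location; the sample config and its credentials are constructed.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the fragment in the issue above (hypothetical values).
SAMPLE_CONFIG = json.dumps({
    "logs": "db,syslog",
    "logs_location": "",
    "syslog_address": "udp://syslog:514",
    "syslog_facility": 3,
    "postgres": "//user:pass@chameleon_postgres:9999/chameleon",
    "filter": "not port 9999 and not port 514",
    "interface": "eth0",
})

def _port_of(uri: str, default: int) -> int:
    # urlparse only finds the netloc when a scheme is present; the postgres URI is "//..."
    parsed = urlparse(uri if "://" in uri else "x:" + uri)
    return parsed.port or default

def _excluded_ports(bpf: str) -> set[int]:
    # Only the "not port N" clauses of the capture filter matter for this check.
    return {int(p) for p in re.findall(r"not\s+port\s+(\d+)", bpf)}

def check_config(text: str) -> list[str]:
    """Return the problems found; an empty list means the config is consistent."""
    cfg = json.loads(text)
    problems: list[str] = []
    sinks = {s.strip() for s in cfg.get("logs", "").split(",") if s.strip()}
    excluded = _excluded_ports(cfg.get("filter", ""))

    if "file" in sinks and not cfg.get("logs_location"):
        problems.append("logs includes 'file' but logs_location is empty")

    if "syslog" in sinks:
        addr = cfg.get("syslog_address", "")
        if urlparse(addr).scheme not in ("udp", "tcp"):
            problems.append(f"syslog_address must be udp:// or tcp://, got {addr!r}")
        elif _port_of(addr, 514) not in excluded:
            problems.append(f"filter does not exclude syslog port {_port_of(addr, 514)}")
        facility = cfg.get("syslog_facility")
        if not isinstance(facility, int) or not 0 <= facility <= 23:
            problems.append(f"syslog_facility must be 0..23, got {facility!r}")

    if "db" in sinks and cfg.get("postgres"):
        if _port_of(cfg["postgres"], 5432) not in excluded:
            problems.append("filter does not exclude the postgres port")
    return problems
```

Run check_config on the real config before ./run.sh deploy; any non-empty result means the capture filter or the syslog settings disagree with each other.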