Monitoring Adversaries at Your Trapdoor with Security Onion

Introduction

  • Client IP
  • Client Browser/User Agent
  • Client Language(s)
  • Client/host machine specs
  • Client/host display characteristics
  • How many times (and at what times) a specific client has triggered our trapdoor
  • and much more! 👏

VPC

Security Onion

Logstash

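# Trapdoor alert receiver: an HTTP listener that the Trapdoor Lambda posts its
# alert documents to. Every accepted event is tagged "trapdoor" so the output
# stage (custom/9888_output_trapdoor.conf.jinja) can route it to the honeypot index.
input {
  http {
    id => "trapdoor_alerts"
    # Port the Lambda's VPC interface must be allowed to reach; the Firewall
    # section covers opening it. If another input on this node already binds
    # 5044, Logstash will fail to start the pipeline, so pick a free port.
    port => 5044
    # Plain ASCII double quotes are required here: the typographic quotes (“ ”)
    # that the published page shows are not valid Logstash syntax and stop the
    # pipeline from loading.
    tags => ["trapdoor"]
    # NOTE(review): as written this listener has neither TLS nor authentication,
    # so anything that can reach port 5044 can inject "trapdoor" events into the
    # so-honeypot index. The http input offers ssl and basic-auth (user/password)
    # options; at minimum restrict the port to the Lambda's security group.
  }
}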
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
{%- endif %}
{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
# Route events tagged "trapdoor" by the http input into the so-honeypot index,
# through the "trapdoor" ingest pipeline defined in the Elastic Ingest section.
# ES is resolved from pillar above (manager IP on an eval node, otherwise the
# elasticsearch node IP). FEATURES is set but not referenced in this snippet.
output {
if "trapdoor" in [tags] {
elasticsearch {
pipeline => "trapdoor"
hosts => "{{ ES }}"
index => "so-honeypot"
template_name => "so-common"
template => "/templates/so-common-template.json"
template_overwrite => true
# NOTE(review): on search/heavy nodes the connection uses TLS but server
# certificate verification is turned off, so the Logstash -> Elasticsearch hop
# is not protected against a spoofed endpoint. This appears to mirror Security
# Onion's stock output templates; confirm that is acceptable for this deployment.
{%- if grains['role'] in ['so-node','so-heavynode'] %}
ssl => true
ssl_certificate_verification => false
{%- endif %}
}
}
}
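{%- set PIPELINE = salt['pillar.get']('global:pipeline', 'minio') %}
# Pillar for the Logstash "search" pipeline: the list of config fragments that
# make up the pipeline. The stock Security Onion entries are kept unchanged; the
# final custom/ entry adds the Trapdoor output, and its 9888 prefix keeps it
# sorted after the stock 9xxx outputs. PIPELINE is set here but not referenced
# in this snippet.
# NOTE(review): the published page lost the indentation of this block. YAML
# nesting is significant, so the keys must be nested as shown below rather than
# all placed at column 0 (which would parse as four unrelated top-level keys).
logstash:
  pipelines:
    search:
      config:
        - so/0900_input_redis.conf.jinja
        - so/9000_output_zeek.conf.jinja
        - so/9002_output_import.conf.jinja
        - so/9034_output_syslog.conf.jinja
        - so/9100_output_osquery.conf.jinja
        - so/9400_output_suricata.conf.jinja
        - so/9500_output_beats.conf.jinja
        - so/9600_output_ossec.conf.jinja
        - so/9700_output_strelka.conf.jinja
        - custom/9888_output_trapdoor.conf.jinja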

Elastic Ingest

  • Create a file called trapdoor in: /opt/so/saltstack/local/salt/elasticsearch/files/ingest
  • Within the file, include the following content:
{
"description" : "Trapdoor honeypot alerts",
"processors" : [
{ "set": { "field": "event.module", "value": "trapdoor" } },
{ "set": { "field": "event.dataset", "value": "alert" } },
{ "rename": { "field": "host", "target_field": "destination.nat.ip", "ignore_missing": true } },
{ "rename": { "field": "Source IP", "target_field": "source.ip", "ignore_missing": true } },
{ "set": { "field": "client.ip", "value": "{{source.ip}}", "ignore_failure": true } },
{ "rename": { "field": "Browser Language", "target_field": "client.browser_language", "ignore_missing": true } },
{ "rename": { "field": "Full Path", "target_field": "http.uri", "ignore_missing": true } },
{ "rename": { "field": "Host", "target_field": "observer.url", "ignore_missing": true } },
{ "rename": { "field": "HTTP Method", "target_field": "http.method", "ignore_missing": true } },
{ "rename": { "field": "IP Hits", "target_field": "client.times_seen", "ignore_missing": true } },
{ "rename": { "field": "Hardware Concurrency", "target_field": "host.cpu.cores", "ignore_missing": true } },
{ "rename": { "field": "Viewer Device", "target_field": "host.type", "ignore_missing": true } },
{ "rename": { "field": "Viewer Country", "target_field": "host.geo.country", "ignore_missing": true } },
{ "rename": { "field": "Hardware Concurrency", "target_field": "host.cpu.cores", "ignore_missing": true } },
{ "rename": { "field": "User Agent", "target_field": "http.user_agent", "ignore_missing": true } },
{ "rename": { "field": "Session ID", "target_field": "http.session_id", "ignore_missing": true } },
{ "rename": { "field": "Session ID Hits", "target_field": "http.session_id_hits", "ignore_missing": true } },
{ "rename": { "field": "Screen Width", "target_field": "host.screen_width", "ignore_missing": true } },
{ "rename": { "field": "Screen Height", "target_field": "host.screen_height", "ignore_missing": true } },
{ "rename": { "field": "Screen Orientation", "target_field": "host.screen_orientation", "ignore_missing": true } },
{ "rename": { "field": "Screen Color Depth", "target_field": "host.screen_color_depth", "ignore_missing": true } },
{ "rename": { "field": "Round Trip Delay", "target_field": "network.rtd", "ignore_missing": true } },
{ "rename": { "field": "Other Languages", "target_field": "client.languages", "ignore_missing": true } },
{ "rename": { "field": "Media Devices", "target_field": "host.media_devices", "ignore_missing": true } },
{ "rename": { "field": "Java Enabled", "target_field": "client.java_enabled", "ignore_missing": true } },
{ "rename": { "field": "Client Timezone", "target_field": "client.timezone", "ignore_missing": true } },
{ "rename": { "field": "Clipboard", "target_field": "client.clipboard", "ignore_missing": true } },
{ "rename": { "field": "Cookies Enabled", "target_field": "http.cookies_enabled", "ignore_missing": true } },
{ "rename": { "field": "Device Memory", "target_field": "host.memory", "ignore_missing": true } },
{ "rename": { "field": "Effective Type (Up to 4g)", "target_field": "network.effective_type", "ignore_missing": true } },
{ "rename": { "field": "Path", "target_field": "client.access_path", "ignore_missing": true } },
{ "rename": { "field": "Tor Network", "target_field": "network.tor", "ignore_missing": true } },
{ "rename": { "field": "AdBlock", "target_field": "client.adblock_enabled", "ignore_missing": true } },
{ "rename": { "field": "Bandwidth (Mbps)", "target_field": "network.bandwidth", "ignore_missing": true } },
{ "rename": { "field": "Battery Level", "target_field": "host.battery_level", "ignore_missing": true } },
{ "rename": { "field": "Battery Charging", "target_field": "host.battery_charging", "ignore_missing": true } },
{ "rename": { "field": "Browser", "target_field": "client.browser", "ignore_missing": true } },
{ "rename": { "field": "Client Time", "target_field": "client.time", "ignore_missing": true } },
{ "rename": { "field": "Friendly Reminder", "target_field": "rule.name", "ignore_missing": true } },
{ "set": { "field": "event.category", "value": "honeytoken", "override": true } },
{ "set": { "field": "event.severity", "value": 3, "override": true } },
{ "remove": { "field": "headers" } },
{ "pipeline": { "name": "common" } }
]
}
  • Restart Elasticsearch with so-elasticsearch-restart.

Trapdoor

  • Connecting the Trapdoor Lambda to our VPC
  • Specifying additional alert paths/friendly reminders for Trapdoor
  • From the AWS Lambda page, click the Functions tab on the left side of the page
  • Click the Trapdoor function
  • Under the Function overview, click Configuration
  • Click the VPC tab
  • Click Edit and enter the VPC, private subnet, and security group that the Lambda's network interface will use to reach your EC2 instances (the interface must be allowed to send to the Security Onion instance on port 5044)
  • Click Save (it will take several minutes to update the function after doing so)

Firewall

Testing Our Work

Summary
