Docker & MHN

Install docker

# apt-get install docker.io

Create & run Docker container for MHN

# docker run -p 10000:10000 -p 80:80 -p 8443:443 -p 3000:3000 -p 8091:8091 --name mhnsrv --hostname=mhnsrv01 -t -i ubuntu:14.04.2 /bin/bash

Install & configure MHN server

#!/bin/bash
# Runs inside the mhnsrv container started above (the container's main
# process is /bin/bash, so there is no init system to manage services).

set -x

apt-get update
apt-get upgrade -y
apt-get install git wget gcc supervisor -y
cd /opt/
git clone https://github.com/threatstream/mhn.git
cd mhn

# supervisor keeps mongod and nginx running in place of an init system.
# nginx must stay in the foreground ("daemon off;"); if it daemonizes,
# supervisor sees the parent exit at once and restarts it in a loop.
cat > /etc/supervisor/conf.d/mhntodocker.conf <<EOF
[program:mongod]
command=/usr/bin/mongod
stdout_logfile=/var/log/supervisor/%(program_name)s.log
stderr_logfile=/var/log/supervisor/%(program_name)s.log
autorestart=true
autostart=true

[program:nginx]
command=/usr/sbin/nginx -g "daemon off;"
stdout_events_enabled=true
stderr_events_enabled=true
autostart=true
autorestart=true

EOF

mkdir -p /data/db /var/log/mhn /var/log/supervisor

supervisord &

# MHN's install_mongo.sh expects to start mongod through the host's service
# manager, which is not available in the container. Appending this line
# starts mongod under supervisor as soon as MongoDB is installed, so the
# later install steps find the database running.
echo supervisorctl start mongod >> /opt/mhn/scripts/install_mongo.sh

./install.sh

supervisorctl restart all

MHN Configuration

install.sh ends by prompting for the server settings. The answers below keep everything local to the container:

Do you wish to run in Debug mode?: y/n n
Superuser email: fname.lname@mail.com
Superuser password:
Superuser password: (again):
Server base url ["http://1.2.3.4"]: 127.0.0.1
Honeymap url ["127.0.0.1:3000"]:
Mail server address ["localhost"]:
Mail server port [25]:
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [""]:
Mail server password [""]:
Mail default sender [""]:
Path for log file ["/var/log/mhn/mhn.log"]:

The server base URL is the address the MHN web UI puts into the sensor deploy command, so 127.0.0.1 only works for a sensor running inside this same container. A sensor in its own container (as below) or on another machine needs the address at which the mhnsrv container's published port 80 is reachable, typically the Docker host's IP; sensors use that same host to reach the hpfeeds broker on published port 10000.

Create & run a MHN sensor docker container

The sensor container runs the honeypots that MHN's deploy scripts install, so the honeypot service ports must be published on the Docker host for attackers to reach them. Host port 22 stays with the host's own sshd (the container's 22 is published as host 2222) and host port 80 is already taken by the MHN web UI (the container's 80 is published as host 8080).

Container w/ all ports published

# docker run --publish-all=true --name mhnsensor --hostname=mhnsensor01 -t -i ubuntu:14.04.2 /bin/bash

--publish-all only publishes ports the image declares with EXPOSE, onto random high host ports. The plain ubuntu:14.04.2 image declares none, so with this form the honeypots are not reachable from outside until ports are published explicitly.

Container w/ specific ports published

# docker run -p 21:21 -p 2222:22 -p 23:23 -p 25:25 -p 8080:80 -p 110:110 -p 135:135 -p 139:139 -p 445:445 -p 1433:1433 -p 3306:3306 -p 3389:3389 -p 5060:5060 -p 5061:5061 -p 5900:5900 -p 8081:8081 --name mhnsensor --hostname=mhnsensor01 -t -i ubuntu:14.04.2 /bin/bash
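Docker refuses to start a container on a host port that is already bound, so the two run lines above only coexist because the sensor's 22 and 80 were remapped. The following script is an added example, not part of the original page: it pulls the host side of every -p spec out of two docker run lines (the MHN server and the sensor, embedded below as constructed input) and reports any host port that is used twice or collides with a port the Docker host already uses (sshd on 22 is passed as the only reserved port; extend the list for your host).

```shell
# Added example (not from the original page): detect host-port collisions
# between two `docker run` lines and ports the Docker host itself uses.

# Print the host side of every "-p host:container" or "-p ip:host:container"
# spec found in a docker run command line, one port per line.
host_ports() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
        $0 == "-p" { want = 1; next }
        want == 1 {
            n = split($0, f, ":")
            if (n == 2) print f[1]        # -p host:container
            else if (n == 3) print f[2]   # -p ip:host:container
            # n == 1 (-p container) lets Docker pick a free host port
            want = 0
        }'
}

# Arguments: server run line, sensor run line, optional space-separated list
# of host ports already bound on the Docker host (e.g. "22" for sshd).
# Prints each colliding host port and returns 1; prints nothing and returns 0
# when the two containers and the host can coexist.
port_collisions() {
    # $3 is deliberately unquoted so each reserved port becomes its own line
    dups=$( { host_ports "$1"; host_ports "$2"; printf '%s\n' $3; } |
            grep -v '^$' | sort -n | uniq -d )
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups"
    return 1
}

# Constructed input: the two docker run lines from this page (without the
# "# " prompt) and sshd on the host's port 22.
MHN_SERVER='docker run -p 10000:10000 -p 80:80 -p 8443:443 -p 3000:3000 -p 8091:8091 --name mhnsrv --hostname=mhnsrv01 -t -i ubuntu:14.04.2 /bin/bash'
MHN_SENSOR='docker run -p 21:21 -p 2222:22 -p 23:23 -p 25:25 -p 8080:80 -p 110:110 -p 135:135 -p 139:139 -p 445:445 -p 1433:1433 -p 3306:3306 -p 3389:3389 -p 5060:5060 -p 5061:5061 -p 5900:5900 -p 8081:8081 --name mhnsensor --hostname=mhnsensor01 -t -i ubuntu:14.04.2 /bin/bash'

if port_collisions "$MHN_SERVER" "$MHN_SENSOR" "22"; then
    echo "no host port collisions between mhnsrv and mhnsensor"
fi
```

Running it with the page's two lines prints the all-clear; changing the sensor line back to `-p 22:22 -p 80:80` makes it print 22 and 80 and exit non-zero, which is what Docker would refuse at start time.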

Install additional apps

Inside the sensor container, install wget (the MHN deploy command fetches the deploy script with it) and python before running a deploy script from the MHN web UI:

# apt-get install wget python

Install Splunk

  • Download Splunk Enterprise
    • Browse to https://www.splunk.com, log in and download the Splunk *.deb package
  • Install Splunk
    • On the Linux host, do:
      • copy the Splunk package to /opt
      • # dpkg -i splunk_package_name.deb
  • Start Splunk
    • # cd /opt/splunk/bin
    • # ./splunk start --accept-license
  • Install MHN Splunk app
    • Download from here: https://splunkbase.splunk.com/app/2707/
    • From the Splunk main page, click the cogwheel icon in the upper left corner of the screen
    • Click ‘Install app from file’, browse to the downloaded MHN Splunk App and click ‘Upload’ to install it
    • Restart Splunk to commit the changes

Configure MHN server to send logs to Splunk

Inside the mhnsrv container, install the hpfeeds-to-Splunk logger and the Splunk universal forwarder, giving the forwarder the host and port on which Splunk receives forwarded data:

# cd /opt/mhn/scripts
# ./install_hpfeeds-logger-splunk.sh
# ./install_splunk_universalforwarder.sh 127.0.0.1 9997

127.0.0.1 here is the loopback of the MHN container, so it only works if Splunk runs in that same container; for Splunk on the Docker host or in another container, use the address the container can actually reach. Splunk must also be configured to receive on the chosen port (Settings > Forwarding and receiving > Configure receiving, 9997 by convention), otherwise the forwarder connects to nothing and no events arrive.

Commands

# docker ps : list running containers (add -a to include stopped ones)

# docker logs [container_id] : show a container's output

# docker inspect [container_id] : show container details (config, mounts, network settings)

# docker stats [container_id] : show live resource usage

# docker port [container_id] : show the container's published port mappings

# docker attach mhnsrv : attach to the shell of the mhn server container

CTRL-p CTRL-q : detach from the container & leave it running (typing exit instead stops the container, because the shell is its main process)

# docker start [container_id] : start a stopped container

# docker exec -d mhnsrv supervisord : after docker start, launch supervisor inside the server container so mongod, nginx and the MHN services come back up (docker start only restarts the shell; docker exec needs the container to be running first)
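Starting the container does not guarantee its services are up: supervisor may be holding a program in BACKOFF or FATAL while the container looks healthy from the outside. The following is an added example, not from the original page: a check that parses `supervisorctl status` output (one line per program, "name STATE description") and reports every program that is not RUNNING. The sample status text is constructed, not captured from a real host; check_mhnsrv, which runs the same check live via docker exec, assumes the container name mhnsrv used on this page.

```shell
# Added example (not from the original page): health check for the
# supervised services in the MHN server container.

# Print "name STATE" for every program that is not RUNNING and return 1;
# print nothing and return 0 when all programs are healthy.
# Argument: the text printed by `supervisorctl status`.
unhealthy_programs() {
    bad=$(printf '%s\n' "$1" | awk 'NF >= 2 && $2 != "RUNNING" { print $1, $2 }')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Live check against a running container (defaults to the mhnsrv name used
# on this page). Defined only; the constructed sample below is used instead.
check_mhnsrv() {
    unhealthy_programs "$(docker exec "${1:-mhnsrv}" supervisorctl status 2>&1)"
}

# Constructed sample of supervisorctl output (not captured from a real host):
# nginx keeps exiting, which is what happens when it daemonizes under supervisor.
SAMPLE_STATUS='mongod                           RUNNING   pid 42, uptime 0:01:12
nginx                            BACKOFF   Exited too quickly (process log may have details)'

if ! unhealthy_programs "$SAMPLE_STATUS"; then
    echo "one or more supervised programs are not RUNNING; see /var/log/supervisor/"
fi
```

Run `check_mhnsrv` after `docker start` and `docker exec -d mhnsrv supervisord`; a non-zero exit with the offending program names is the cue to read that program's log under /var/log/supervisor/ before looking anywhere else.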

More info

Docker User guides

https://docs.docker.com/engine/userguide/