hpfeeds-bhr
The hpfeeds-bhr container, when added to a CHN-Server instance, forwards an "observation" of malicious activity seen by the honeypots to a specified instance of NCSA BHR. You can read more about BHR here.
Adding hpfeeds-bhr to CHN-Server
The simplest way to integrate CHN reporting to BHR is to:
First, include this stanza in the docker-compose.yml file for CHN-server:
  hpfeeds-bhr:
    image: stingar/hpfeeds-bhr:1.9
    env_file:
      - hpfeeds-bhr.env
    links:
      - redis:redis
      - hpfeeds3:hpfeeds3
      - mongodb:mongodb
Next, add the following hpfeeds-bhr.sysconfig configuration file. Whatever file name you use, it must match the env_file entry in the compose stanza above, or the container will start without any of these settings:
# Defaults here are for containers, but can be adjusted to customize the containers
DEBUG=false
HPFEEDS_HOST=hpfeeds3
HPFEEDS_PORT=10000
IDENT=hpfeeds-bhr
MONGODB_HOST=mongodb
MONGODB_PORT=27017
BHR_HOST=https://bhr.edu
BHR_TOKEN={api-token}
BHR_VERIFY_SSL=True
BHR_TAGS=stingar-chn
# Specify CIDR networks for which we should NOT submit to BHR
# Useful for not reporting any locally compromised hosts and prepopulated with RFC1918 addresses
IGNORE_CIDR=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
# Include the honeypot specific tags in the comment for BHR
INCLUDE_HP_TAGS=False
# ADVANCED: Specify the Redis database number to use for caching BHR submissions. This is only necessary when
# running multiple BHR containers on the same host submitting to different instances. Note that hpfeeds-bhr defaults
# to using database 1 and hpfeeds-cif defaults to using database 2, so generally safe choices are in the range of 3-15.
BHR_CACHE_DB=1
The IGNORE_CIDR option lets you specify a set of address ranges that hpfeeds-bhr should ignore and NOT submit to the configured BHR server. It comes pre-populated with the RFC1918 private ranges and can be extended with your own local IP ranges and any sensitive external services you never want blocked on the basis of a honeypot hit.
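The ignore check described above, written out as an added illustration (this is not the hpfeeds-bhr container's own code): it parses the comma-separated IGNORE_CIDR value into networks and decides per source address whether an observation should be submitted, skipping malformed entries and suppressing unparseable addresses rather than letting either failure mode silently disable the filter.

```python
import ipaddress
import logging
import os

log = logging.getLogger("hpfeeds-bhr-example")

# Constructed value mirroring the IGNORE_CIDR default from the sysconfig above.
DEFAULT_IGNORE_CIDR = "192.168.0.0/16,172.16.0.0/12,10.0.0.0/8"


def parse_ignore_cidr(value):
    """Turn the comma-separated IGNORE_CIDR string into a list of networks.

    Entries are stripped of whitespace; a malformed entry is logged and
    skipped rather than aborting, so one typo does not disable the filter
    for every other range. Both IPv4 and IPv6 prefixes are accepted.
    """
    networks = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            # strict=False tolerates host bits being set, e.g. 10.1.2.3/8
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            log.warning("IGNORE_CIDR: skipping malformed entry %r", entry)
    return networks


def should_submit(source_ip, ignore_networks):
    """Return True if an observation for source_ip should go to BHR.

    An address inside any ignored network is suppressed. An unparseable
    address is also suppressed, because we cannot show it lies outside
    the protected ranges.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        log.warning("not submitting unparseable source address %r", source_ip)
        return False
    return not any(addr in net for net in ignore_networks)


if __name__ == "__main__":
    nets = parse_ignore_cidr(os.environ.get("IGNORE_CIDR", DEFAULT_IGNORE_CIDR))
    # Constructed sample of source addresses as a honeypot might report them.
    for ip in ("203.0.113.7", "10.1.2.3", "172.31.255.1", "172.32.0.1", "not-an-ip"):
        print(ip, "submit" if should_submit(ip, nets) else "ignore")
```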
Once the docker-compose.yml is updated and the hpfeeds-bhr.sysconfig file is present, you can simply:
docker-compose down && docker-compose up -d
To examine logs of the transactions with the BHR instance, run (the argument is the service name from the compose stanza):
docker-compose logs hpfeeds-bhr