cymmetria / honeycomb Goto Github PK

Note two things:

1. Honeycomb is capitalized. This persists throughout the page (http://honeycomb.cymmetria.com/en/master/cli.html#honeycomb-integration)

2. The default home path contains /docs/ for whatever reason (/home/docs/.config/honeycomb). This is obviously not the case, even in my system, but rather "docs" should be replaced by my username.

service test invokes the test command then search the current DEBUG_LOG for alerts
if the log has existing alerts from previous runs it will always return true
need to figure out how to run the test in an isolated manner to be accurate

docker hub uses Docker Version: 17.06.1-ce which doesn't support --chown (https://github.com/Cymmetria/honeycomb/blob/master/Dockerfile#L19)

Add docker build to github or change Dockerfile

Click supports auto complete pretty much out of the box http://click.pocoo.org/6/bashcomplete/
https://github.com/click-contrib/click-completion - also looks interesting

If user doesn't have it installed we should offer to generate and install it

Check current version against pypi on startup and offer to upgrade if new version is available

Consider storing last check timestamp in HC_HOME and check once a day/week

"parameters": [
{
"type": "text",
"value": "username",
"label": "Authentication username",
"required": true
},
{
"type": "text",
"value": "password",
"label": "Authentication password",
"required": true
},
{
"type": "file",
"value": "dit",
"label": "DIT file (database for the LDAP server)"
}

This works on Mazerunner, but HC reports this as:

"Error: [-] Parameters: 'file' is not a valid type"

Pushed a fix in click-contrib/sphinx-click#23 but waiting for pypi to include 1.2.0, will pin to github master if not fixed.

It's only possible to install/uninstall a plugin, need to provide versioning mechanism and add upgrade command

https://codecov.io/gh/Cymmetria/honeycomb/src/69e3210a32c2b4455a93195bf89de46a3e19dbf5/honeycomb/integrationmanager/tasks.py

When you type honeycomb integration configure syslog, you get the text:
"Error: [-] Parameters: 'to_phone' is missing (use --args to see all parameters)"
But the option name is actually --show_args.
Should fix either the option name or the help text.

We should add the video from the defcon demo labs

The data that we send to the integrations (from the events) is missing the ip of the target machine (the ip that was attacked).
This is very important when we have multiple honeypots with multiple ips sending alerts to a single integration. It's impossible to know the machine that was targeted.