honeyclient.xml

Revision 1866, 28.4 kB (checked in by kindlund, 2 months ago)
More integration testing.
Property svn:keywords set to `Id "$file"`

Line
1	<?xml version="1.0" encoding="utf-8"?>
2	<!--
3	#######################################################################
4	HoneyClient Configuration File
5
6	This configuration file is used by the HoneyClient perl modules in
7	order to specify and use the following global configuration options.
8
9	For information about the syntax of this file format, please type
10	"perldoc XML::Simple".
11
12	CVS: $Id$
13
14	#######################################################################
15
16	Syntax Notes:
17
18	Note: During processing, if the HoneyClient expects a module-specific
19	variable to be present within this configuration file (e.g., "address")
20	but it is not listed or commented out, then the code will attempt
21	to look for the same variable within any of the module's parents.
22
23	For example, the code may expect:
24	<HoneyClient>
25	<Agent>
26	<Driver>
27	<address>localhost</address>
28	</Driver>
29	</Agent>
30	</HoneyClient>
31
32	But the following will work as well:
33	<HoneyClient>
34	<Agent>
35	<address>localhost</address>
36	</Agent>
37	</HoneyClient>
38
39	<HoneyClient>
40	<address>localhost</address>
41	</HoneyClient>
42
43	Keep in mind, though, that some variables should remain module-specific
44	(i.e., "port") in order to avoid collisions between modules.
45
46	-->
47	<HoneyClient>
48	<!-- Global Options -->
49	<organization description="The name of the organization that owns the host system.">
50	MITRE
51	</organization>
52	<!-- Note: This timeout should be long enough so that the Agent watchdog code will properly let the integrity checking code finish, before detecting a faulty timeout in processing. -->
53	<timeout description="Default timeout used for all communications between each module (in seconds)." default="3600">
54	3600
55	</timeout>
56	<log_config description="The global Log4perl configuration file, used throughout all modules. This setting should not need to be changed." default="etc/honeyclient_log.conf">
57	etc/honeyclient_log.conf
58	</log_config>
59	<syslog_address description="The IP address of the syslog server that all logging messages will be sent to by both Agent and Manager processes over UDP port 514." default="10.0.0.1">
60	10.0.0.1
61	</syslog_address>
62	<!-- HoneyClient::Agent Options -->
63	<Agent>
64	<address description="The IP or hostname that all Agent modules should use, when accepting SOAP requests." default="0.0.0.0">
65	0.0.0.0
66	</address>
67	<!-- TODO: Update this. -->
68	<!-- Note: This port should be unique and not already in use by other modules, services, or daemons running inside the VM. -->
69	<port description="The TCP port number that the SOAP server for all Agent modules will listen on for requests." default="7627">
70	7627
71	</port>
72	<allowed_drivers description="List of implemented Drivers that the Agent is allowed to run directly.">
73	<name>HoneyClient::Agent::Driver::Browser::IE</name>
74	<name>HoneyClient::Agent::Driver::Browser::FF</name>
75	</allowed_drivers>
76	<default_driver description="If no driver is manually specified, then this Driver will be used as the default by the Agent." default="HoneyClient::Agent::Driver::Browser::IE">
77	HoneyClient::Agent::Driver::Browser::IE
78	</default_driver>
79	<!-- HoneyClient::Agent::Driver Options -->
80	<Driver>
81	<!-- TODO: Update this. XXX: Command-line option, eventually? -->
82	<timeout description="How long the Driver waits during a drive operation, before timing out (in seconds)." default="60">
83	20
84	</timeout>
85	<Browser>
86	<IE>
87	<!-- HoneyClient::Agent::Driver::Browser::IE Options -->
88	<process_exec description="The absolute path to the Internet Explorer application process, as it sits in the VM filesystem." default="C:\Program Files\Internet Explorer\iexplore.exe">
89	C:\Program Files\Internet Explorer\iexplore.exe
90	</process_exec>
91	<process_name description="The name of the Internet Explorer executable, as it appears on the VM filesystem." default="iexplore.exe">
92	iexplore.exe
93	</process_name>
94	</IE>
95	<FF>
96	<!-- HoneyClient::Agent::Driver::Browser::FF Options -->
97	<process_exec description="The absolute path to the Mozilla Firefox application process, as it sits in the VM filesystem." default="C:\Program Files\Mozilla Firefox\firefox.exe">
98	C:\Program Files\Mozilla Firefox\firefox.exe
99	</process_exec>
100	<process_name description="The name of the Mozilla Firefox executable, as it appears on the VM filesystem." default="firefox.exe">
101	firefox.exe
102	</process_name>
103	</FF>
104	</Browser>
105	</Driver>
106	<perform_integrity_checks description="An integer, representing whether the Agent should perform any integrity checks. 1 enables, 0 disables." default="1">
107	1
108	</perform_integrity_checks>
109	<!-- HoneyClient::Agent::Integrity Options -->
110	<Integrity>
111	<changes_found_file description="When an integrity check fails, all changes will be written to this file within the compromized honeyclient VM's filesystem." default="/tmp/changes.txt">
112	/tmp/changes.txt
113	</changes_found_file>
114	<realtime_changes_file description="When an integrity check fails, all changes will be written to this file within the compromized honeyclient VM's filesystem." default="/tmp/realtime-changes.txt">
115	/tmp/realtime-changes.txt
116	</realtime_changes_file>
117	<!-- HoneyClient::Agent::Integrity::Test Options -->
118	<Test>
119	<!--
120	Note: you should never need to change any values
121	within this section of the configuration. All contents
122	are only used for unit testing.
123	-->
124	<realtime_changes_file description="When an integrity check fails, all changes will be written to this file within the compromized honeyclient VM's filesystem." default="/tmp/realtime-changes.txt">
125	t/test_integrity/realtime-changes.txt
126	</realtime_changes_file>
127	</Test>
128	</Integrity>
129	</Agent>
130	<!-- TODO: Update this. -->
131	<Crawler>
132	<ActiveContent>
133	<enable description="Enables active content parsing. 1 enables, 0 disables." default="1">
134	0
135	</enable>
136	<Flash>
137	<flasm_exec description="Path to the flasm executable." default="thirdparty/flasm/flasm.exe">
138	thirdparty/flasm/flasm.exe
139	</flasm_exec>
140	</Flash>
141	</ActiveContent>
142	<Browser>
143	<!-- TODO: Update this. -->
144	<ignore_links_timed_out description="If this parameter is 1, then the browser will never attempt to revisit any links that caused the browser to initially time out." default="0">
145	1
146	</ignore_links_timed_out>
147	<limit_spidering description="When set to 1, the Browser will not visit any derived links other than the initial set of URLs given. This is useful when you want the Browser to only visit a specific set of URLs (perhaps malicious) and no other links that it finds on any of the visited pages. When set to 1, this option will override max_relative_links_to_visit (essentially setting it to 0). If you want the Browser to spider through derived links, set this value to 0." default="1">
148	1
149	</limit_spidering>
150	<max_relative_links_to_visit description="An integer, representing the maximum number of relative links that the browser should visit, before moving onto another website. If negative, then the browser will exhaust all possible relative links found, before moving on. This functionality is best effort; it's possible for the browser to visit new links on previously visited websites. Note that this value can be overridden if limit_spidering is set to 1 above." default="-1">
151	5
152	</max_relative_links_to_visit>
153	<positive_words description="If a link contains any number of these words, then its probability of being visited (its score) will increase.">
154	<word>news</word>
155	<word>new</word>
156	<word>big</word>
157	<word>latest</word>
158	<word>main</word>
159	<word>update</word>
160	<word>sell</word>
161	<word>free</word>
162	<word>buy</word>
163	<word>science</word>
164	</positive_words>
165	<negative_words description="If a link contains any number of these words, then its probability of being visited (its score) will decrease.">
166	<word>archive</word>
167	<word>privacy</word>
168	<word>legal</word>
169	<word>disclaim</word>
170	<word>about</word>
171	<word>contact</word>
172	<word>copyright</word>
173	<word>jobs</word>
174	<word>careers</word>
175	<word>term</word>
176	</negative_words>
177	</Browser>
178	</Crawler>
179	<Manager>
180	<num_simultaneous_clones description="Upon startup, the Manager will attempt to spawn the specified number of cloned VMs simultaneously. To figure out an optimal value, take the amount of RAM allocated for your master VM (e.g., 256MB) and multiply that amount by this specified number (e.g., 4 simultaneous VMs x 256MB = 1GB). You want to make sure that the total RAM requirements do not exceed the amount of RAM the host system can provision. Allow the host system at least 512MB of RAM for normal operations." default="1">
181	1
182	</num_simultaneous_clones>
183	<worker_startup_delay description="The amount of time (in seconds) that the Manager should wait between starting up successive clone VMs, so that the host system is not initially overwhelmed too much activity." default="300">
184	300
185	</worker_startup_delay>
186	<fingerprint_dump description="When the Manager encounters a suspicious VM, it will attempt to append a complete copy of the fingerprint information to this file, if specified.">
187	fingerprint.dump
188	</fingerprint_dump>
189	<address description="The IP or hostname that all Manager modules should use, when accepting SOAP requests." default="localhost">
190	localhost
191	</address>
192	<!-- Note: This port should be unique and not already in use by other modules, services, or daemons running on the host system. -->
193	<port description="The TCP port number that the SOAP server for all Manager modules will listen on for requests." default="7627">
194	7627
195	</port>
196	<num_urls_to_process description="If database support is enabled, this value indicates how many URLs the Manager will fetch from the database, process, and report back, before fetching for more URLs." default="10">
197	10
198	</num_urls_to_process>
199	<database_retry_delay description="If database support is enabled, this value indicates how often (in seconds) the Manager will retry contacting the database, when it is ready for more URLs to process and no URLs were provided during the first request." default="2">
200	2
201	</database_retry_delay>
202	<command_line_base_priority description="When the Manager is supplied URLs from the command line, it will assign each URL the following numerical base priority." default="1000">
203	1000
204	</command_line_base_priority>
205	<!-- HoneyClient::Manager::Database Options -->
206	<Database>
207	<enable description="Enables database operations. 1 enables, 0 disables." default="1">
208	1
209	</enable>
210	<!-- TODO: Update this. -->
211	<url description="The URL of the local Ruby web service, which interfaces with the local HoneyClient database.">
212	http://127.0.0.1:3000/hc_database/api
213	</url>
214	<max_retry_count description="If the Manager is unable to contact the Ruby web service due to connectivity issues, then the Manager will retry up to the specified number of times before giving up." default="1800">
215	1800
216	</max_retry_count>
217	<delay_between_retries description="If the Manager is unable to contact the Ruby web service due to connectivity issues, then the Manager will retry, waiting the specified amount of time (in seconds) between each retry attempt." default="2">
218	2
219	</delay_between_retries>
220	</Database>
221	<!-- HoneyClient::Manager::FW Options -->
222	<FW>
223	<vmnet_nat_router_address description="The IP address assigned to the VMware NAT interface (usually called vmnet8)." default="192.168.0.1">
224	192.168.0.1
225	</vmnet_nat_router_address>
226	<!-- TODO: Update this. -->
227	<address description="eth0 interface static IP">
228	192.168.0.128
229	</address>
230	<!-- TODO: Update this to 7627, eventually. -->
231	<port description="Default FW port number" default="8083">
232	8083
233	</port>
234	<!-- TODO: Update this. -->
235	<primaryDns description="Primary DNS IP Address">
236	128.29.154.150
237	</primaryDns>
238	<!-- TODO: Update this. -->
239	<secondaryDns description="Secondary DNS IP address">
240	128.29.40.1
241	</secondaryDns>
242	<!-- TODO: Update this. -->
243	<gsx_gateway description="IP address of VMware Server">
244	10.0.0.1/32
245	</gsx_gateway>
246	<!-- TODO: Update this. -->
247	<fwGateway description="Gateway IP address of the Firewall">
248	10.0.0.254/32
249	</fwGateway>
250	<!-- TODO: Update this. -->
251	<honeyclientnet description="CIDR notation for honeyclient netblock">
252	10.0.0.0/24
253	</honeyclientnet>
254	<!-- TODO: Update this. -->
255	<fwconfig description="Location of Firewall VM configuration file">
256	/vm/honeywall-test/honeywall.vmx
257	</fwconfig>
258	<!-- TODO: Update this. -->
259	<outputdir description="Output directory where logs will go on Firewall">
260	fw-output
261	</outputdir>
262	<!-- TODO: Update this. -->
263	<argus description="Argus binary location">
264	/usr/local/sbin/argus
265	</argus>
266	<!-- TODO: Update this. -->
267	<argusconfig description="Argus configuration file.">
268	/etc/argus.conf
269	</argusconfig>
270	<!-- TODO: Update this. -->
271	<argusoutput description="Argus logging directory">
272	/var/log/argus
273	</argusoutput>
274	<!-- TODO: Update this. -->
275	<arguspid description="Argus Process ID">
276	/var/run/argus.pid
277	</arguspid>
278	<!-- TODO: Update this. -->
279	<tcpdumplog description="Tcpdump log location directory">
280	/var/log/tcpdump
281	</tcpdumplog>
282	<!-- TODO: Update this. -->
283	<tcpdump description="Tcpdump binary">
284	/usr/sbin/tcpdump
285	</tcpdump>
286	<!-- TODO: Update this. -->
287	<dnspath description="DNS nameserver file">
288	/etc/resolv.conf
289	</dnspath>
290	<!-- TODO: Update this. -->
291	<dnsport description="DNS port number">
292	53
293	</dnsport>
294	<!-- TODO: Update this. -->
295	<LOCALHOST description="localhost address">
296	127.0.0.1
297	</LOCALHOST>
298	<!-- TODO: Update this. -->
299	<sshport description="SSH port number listening on">
300	22
301	</sshport>
302	<!-- TODO: Update this. -->
303	<debug description="Debug value (0 for no debugging, 1 for debugging output)">
304	0
305	</debug>
306	<!-- TODO: Update this. -->
307	<fwprocess description="Name of external SOAP listener.">
308	startFWListener.pl
309	</fwprocess>
310	<!-- TODO: Update this. -->
311	<config_file description="Location of config_file">
312	etc/honeyclient_log.conf
313	</config_file>
314	</FW>
315	<!-- HoneyClient::Manager::ESX Options -->
316	<ESX>
317	<service_url description="The full URL to the VIM service running on the ESX server." default="https://localhost/sdk/vimService">
318	http://172.16.164.10/sdk/vimService
319	</service_url>
320	<user_name description="The username used to login to the VIM service running on the ESX server." default="root">
321	root
322	</user_name>
323	<password description="The password used to login to the VIM service running on the ESX server.">
324	passw0rd
325	</password>
326	<vm_id_length description="The length of each corresponding VM identifier (VMID). This value can be any integer between 1 and 32, inclusive. The VMID is a hexadecimal string that represents the VM's name. It is designed to be generated once per clone and remain for the life of the VM (regardless of where it runs). The VMID is used externally by HoneyClient::Manager and HoneyClient::Manager::FW. The HoneyClient::Manager::FW package uses IPTables and binds each rule to a specific VMID. However, IPTable's firewall rule labels can only be a maximum of 30 characters in length. Thus, 26 is specified here, to account for 'VMID-OUT' as a possible chain name." default="26">
327	26
328	</vm_id_length>
329	<default_quick_clone_snapshot_name description="When performing a quick clone, this value is the name of the initial snapshot that is created on the clone VM." default="Initial Snapshot - DO NOT ALTER OR RENAME THIS SNAPSHOT">
330	Initial Snapshot - DO NOT ALTER OR RENAME THIS SNAPSHOT
331	</default_quick_clone_snapshot_name>
332	<default_quick_clone_snapshot_description description="When performing a quick clone, this value is the description of the initial snapshot that is created on the clone VM." default="">
333	State: Initialized - This snapshot marks the initial state of this clone VM, that is then used by all subsequent snapshots. WARNING: If you alter delete this snapshot (or any dependent snapshots), then all dependent snapshots will become corrupted as well.
334	</default_quick_clone_snapshot_description>
335	<default_quick_clone_master_annotation description="When performing a quick clone, we annotate the source VM in order to inform the user to NEVER alter the source VM ever again." default="">
336	Type: Master VM
337	WARNING: DO NOT ALTER THIS VM FURTHER
338	OTHERWISE, ALL SUBSEQUENT CLONES WILL BE CORRUPTED
339	</default_quick_clone_master_annotation>
340	<operational_quick_clone_snapshot_description description="When initializing a new clone, this value is the description of the operational snapshot that is created on the clone VM." default="">
341	State: Operational - This snapshot marks the operational state of this clone VM. At this point, the clone VM has a valid MAC and IP address, as well as a fully-started Agent running inside the VM.
342	</operational_quick_clone_snapshot_description>
343	<compromised_quick_clone_snapshot_description description="When initializing a new clone, this value is the description of a compromised snapshot that is created on the clone VM." default="">
344	State: Compromised - This snapshot marks a compromised state of this clone VM. At this point, the clone VM has failed an integrity check after peforming some type of work.
345	</compromised_quick_clone_snapshot_description>
346	<master_vm_name description="The name of the master VM on the VMware ESX system that will be used by all subsequent cloned VMs.">
347	Agent.Master-44-IE6
348	</master_vm_name>
349	<min_space_free description="The minimum amount of disk space (in GB) that must remain free in the primary datastore in order for the Manager to continue processing. If the free disk space drops below this threshold, then the Manager will gracefully terminate." default="2">
350	2
351	</min_space_free>
352	<!-- HoneyClient::Manager::ESX::Clone Options -->
353	<Clone>
354	<snapshot_upon_suspend description="If set to 1, then everytime a cloned VM is suspended, a snapshot of the VM will be saved upon suspend. Set this option to 0, if you discover errors during cloning operations, where the hard disk on the VMware ESX System is overworked by slow disk operations." default="1">
355	1
356	</snapshot_upon_suspend>
357	<work_unit_limit description="An integer, indicating how many work units (e.g., URLs) the clone VM should process before destroying the VM and regenerating a new clone VM. This option is useful to set, when trying to drive an application that appears to create slow memory leaks within the VM's OS. For example, after processing X work units, the VM's OS runs out of memory altogether. To deal with this issue, we preemptively destroy and regenerate a new clone VM at (X-1) work units, so that the leak no longer affects our operations. To completely disable this functionality, specify -1." default="2000">
358	2000
359	</work_unit_limit>
360	</Clone>
361	<!-- HoneyClient::Manager::ESX::Test Options -->
362	<Test>
363	<!--
364	Note: you should never need to change any values
365	within this section of the configuration. All contents
366	are only used for unit testing.
367	-->
368	<test_vm_name description="The name of the test VM on the ESX server, that's used during unit testing." default="Test_VM">
369	Ubuntu_Test_VM
370	</test_vm_name>
371	</Test>
372	</ESX>
373	<!-- HoneyClient::Manager::VM Options -->
374	<VM>
375	<master_vm_config description="The full absolute path to the VM configuration file on the host system that will be used by all subsequent cloned VMs.">
376	/vm/masters/IE.7-Patched-2008-03-27-Default.Policy-Disabled.Active.Scripting-Disabled.File.Downloads-Disabled.Error.Reporting/winXPPro.cfg
377	</master_vm_config>
378	<port description="The TCP port number that the SOAP server of the VM daemon will listen on for requests. Note: This port should be unique and not already be used by other modules, services, or daemons running on the host system." default="7627">
379	7627
380	</port>
381	<datastore_path description="The absolute path to the parent directory, where all HoneyClient VM data is stored on the host server. It is assumed that individual VM data is stored in separate subdirectories within this parent directory." default="/vm">
382	/vm/clones
383	</datastore_path>
384	<snapshot_path description="The absolute path to the directory that contains all snapshot data, associated with every HoneyClient VM." default="/vm/snapshots">
385	/vm/snapshots
386	</snapshot_path>
387	<min_space_free description="The minimum amount of disk space (in GB) that must remain free in both the datastore_path and snapshot_path in order for the Manager to continue processing. If the free disk space drops below this threshold, then the Manager will gracefully terminate." default="2">
388	2
389	</min_space_free>
390	<vmware_port description="The TCP port that VMware Server uses for console communication. By default, this TCP port is 902. Unless you've explicitly changes this port during the vmware-config.pl setup process, leave this setting as the default." default="902">
391	902
392	</vmware_port>
393	<bin_tar description="The absolute path to the 'tar' executable, accessible on the host filesystem." default="/bin/tar">
394	/bin/tar
395	</bin_tar>
396	<vm_id_length description="The length of each corresponding VM identifier (VMID). This value can be any integer between 1 and 32, inclusive. The VMID is a hexadecimal string that represents the VM's name. It is designed to be generated once per clone and remain for the life of the VM (regardless of where it runs). The VMID is used externally by HoneyClient::Manager and HoneyClient::Manager::FW. The HoneyClient::Manager::FW package uses IPTables and binds each rule to a specific VMID. However, IPTable's firewall rule labels can only be a maximum of 30 characters in length. Thus, 26 is specified here, to account for 'VMID-OUT' as a possible chain name." default="26">
397	26
398	</vm_id_length>
399	<dhcp_log description="The absolute path to the file that contains the DHCP logs, when a new VM gets a DHCP lease from the VMware Server." default="/var/log/messages">
400	/var/log/messages
401	</dhcp_log>
402	<max_connect_retries description="When the VMware Server attempts to connect to any VM, it will repeatedly attempt to connect to the VM if the first attempt fails, for a maximum number of times specified by this value. Generally, this value should not be changed, unless the host system has an exceptionally slow disk - in which case, increasing this value may help." default="5">
403	5
404	</max_connect_retries>
405	<!-- HoneyClient::Manager::VM::Clone Options -->
406	<Clone>
407	<archive_upon_suspend description="If set to 1, then everytime a cloned VM is suspended, a copy of the VM will be archived in the 'snapshot_path' directory. Set this option to 0, if you discover errors during cloning operations, where the hard disk on the host system is overworked on slow systems." default="1">
408	1
409	</archive_upon_suspend>
410	<work_unit_limit description="An integer, indicating how many work units (e.g., URLs) the clone VM should process before destroying the VM and regenerating a new clone VM. This option is useful to set, when trying to drive an application that appears to create slow memory leaks within the VM's OS. For example, after processing X work units, the VM's OS runs out of memory altogether. To deal with this issue, we preemptively destroy and regenerate a new clone VM at (X-1) work units, so that the leak no longer affects our operations. To completely disable this functionality, specify -1." default="2000">
411	2000
412	</work_unit_limit>
413	</Clone>
414	<!-- HoneyClient::Manager::VM::Test Options -->
415	<Test>
416	<!--
417	Note: you should never need to change any values
418	within this section of the configuration. All contents
419	are only used for unit testing.
420	-->
421	<test_vm_config description="The relative path to the (empty) test VM, that's used during unit testing." default="t/test_vm/winXPPro.vmx">
422	t/test_vm/winXPPro.vmx
423	</test_vm_config>
424	</Test>
425	</VM>
426	</Manager>
427	<!-- HoneyClient::Util Options -->
428	<Util>
429	<!-- HoneyClient::Util::Config Options -->
430	<Config>
431	<!-- HoneyClient::Util::Config::Test Options -->
432	<Test>
433	<!--
434	Note: you should never need to change any values
435	within this section of the configuration. All contents
436	are only used for unit testing.
437	-->
438	<address description="The IP or hostname that this module should use, when performing unit tests." default="localhost" zing="foobar">localhost</address>
439	<zingers>foobar</zingers>
440	<Foo>
441	<Bar>
442	<address>baz</address>
443	</Bar>
444	</Foo>
445	<Yok>
446	<childA>12345678</childA>
447	<childA>ABCDEFGH</childA>
448	<childB>09876543</childB>
449	<childB>ZYXVTUWG</childB>
450	</Yok>
451	</Test>
452	</Config>
453	</Util>
454	</HoneyClient>

Note: See TracBrowser for help on using the browser.

root/honeyclient/branches/exp/jpuchalski-esx/etc/honeyclient.xml

Download in other formats: