root/honeyclient/tags/exp/PRE-kindlund-simpler_agent/etc/honeyclient.xml

1 <?xml version="1.0" encoding="utf-8"?>
2 <!--
3 #######################################################################
4 HoneyClient Configuration File
5
6 This configuration file is used by the HoneyClient perl modules in
7 order to specify and use the following global configuration options.
8
9 For information about the syntax of this file format, please type
10 "perldoc XML::Simple".
11
12 CVS: $Id$
13
14 #######################################################################
15
16 Syntax Notes:
17
18 Note: During processing, if the HoneyClient expects a module-specific
19 variable to be present within this configuration file (e.g., "address")
20 but it is not listed or commented out, then the code will attempt
21 to look for the same variable within any of the module's parents.
22
23 For example, the code may expect:
24 <HoneyClient>
25     <Agent>
26         <Driver>
27             <address>localhost</address>
28         </Driver>
29     </Agent>
30 </HoneyClient>
31
32 But the following will work as well:
33 <HoneyClient>
34     <Agent>
35         <address>localhost</address>
36     </Agent>
37 </HoneyClient>
38
39 <HoneyClient>
40     <address>localhost</address>
41 </HoneyClient>
42
43 Keep in mind, though, that some variables should remain module-specific
44 (e.g., "port") in order to avoid collisions between modules.
45
46 -->
47 <HoneyClient>
48     <!-- Global Options -->
49     <organization description="The name of the organization that owns the host system.">
50         MITRE
51     </organization>
52     <!-- Note: This timeout should be long enough so that the Agent watchdog code will properly let the integrity checking code finish, before detecting a faulty timeout in processing. -->
53     <timeout description="Default timeout used for all communications between each module (in seconds)." default="3600">
54         3600
55     </timeout>
56     <log_config description="The global Log4perl configuration file, used throughout all modules.  This setting should not need to be changed." default="etc/honeyclient_log.conf">
57         etc/honeyclient_log.conf
58     </log_config>
    <!-- NOTE(review): per the description below, logging goes out as plain UDP/514, which carries no authentication or integrity protection; confirm this server is reachable only from the honeyclient netblock (see Manager/FW/honeyclientnet). -->
59     <syslog_address description="The IP address of the syslog server that all logging messages will be sent to by both Agent and Manager processes over UDP port 514." default="10.0.0.1">
60         10.0.0.1
61     </syslog_address>
62     <!-- HoneyClient::Agent Options -->
63     <Agent>
64         <!-- TODO: Update this. -->
        <!-- NOTE(review): 0.0.0.0 binds the Agent SOAP listener on every interface of the VM.  No authentication setting for this listener appears anywhere in this file, so who can reach the port below is presumably limited only by the Manager/FW rules — confirm. -->
65         <address description="The IP or hostname that all Agent modules should use, when accepting SOAP requests." default="0.0.0.0">
66             0.0.0.0
67         </address>
68         <!-- TODO: Update this. -->
69         <!-- Note: This port should be unique and not already in use by other modules, services, or daemons running inside the VM. -->
70         <port description="The TCP port number that the SOAP server for all Agent modules will listen on for requests." default="9000">
71             9000
72         </port>
73         <allowed_drivers description="List of implemented Drivers that the Agent is allowed to run directly.">
74             <name>HoneyClient::Agent::Driver::Browser::IE</name>
75             <name>HoneyClient::Agent::Driver::Browser::FF</name>
76         </allowed_drivers>
77         <default_driver description="If no driver is manually specified, then this Driver will be used as the default by the Agent." default="HoneyClient::Agent::Driver::Browser::IE">
78             HoneyClient::Agent::Driver::Browser::IE
79         </default_driver>
80         <!-- HoneyClient::Agent::Driver Options -->
81         <Driver>
82             <!-- TODO: Update this. -->
            <!-- NOTE(review): the value (20) is below the documented default (60); the TODO above suggests it is still being tuned. -->
83             <timeout description="How long the Driver waits during a drive operation, before timing out (in seconds)." default="60">
84                 20
85             </timeout>
86             <ActiveContent>
87                 <enable description="Enables active content parsing. 1 enables, 0 disables." default="1">
88                     0
89                 </enable>
90                 <Flash>
91                     <flasm_exec description="Path to the flasm executable." default="thirdparty/flasm/flasm.exe">
92                         thirdparty/flasm/flasm.exe
93                     </flasm_exec>
94                 </Flash>
95             </ActiveContent>
96             <Browser>
97                 <!-- HoneyClient::Agent::Driver::IE Options -->
98                 <!-- TODO: Update this. -->
99                 <ignore_links_timed_out description="If this parameter is 1, then the browser will never attempt to revisit any links that caused the browser to initially time out." default="0">
100                     1
101                 </ignore_links_timed_out>
102                 <limit_spidering description="When set to 1, the Browser will not visit any derived links other than the initial set of URLs given.  This is useful when you want the Browser to only visit a specific set of URLs (perhaps malicious) and no other links that it finds on any of the visited pages.  When set to 1, this option will override max_relative_links_to_visit (essentially setting it to 0).  If you want the Browser to spider through derived links, set this value to 0." default="1">
103                     1
104                 </limit_spidering>
                <!-- NOTE(review): limit_spidering is 1 above, so per its description the value below (5) is effectively overridden to 0. -->
105                 <max_relative_links_to_visit description="An integer, representing the maximum number of relative links that the browser should visit, before moving onto another website.  If negative, then the browser will exhaust all possible relative links found, before moving on.  This functionality is best effort; it's possible for the browser to visit new links on previously visited websites. Note that this value can be overridden if limit_spidering is set to 1 above." default="-1">
106                     5
107                 </max_relative_links_to_visit>
108                 <positive_words description="If a link contains any number of these words, then its probability of being visited (its score) will increase.">
109                     <word>news</word>
110                     <word>new</word>
111                     <word>big</word>
112                     <word>latest</word>
113                     <word>main</word>
114                     <word>update</word>
115                     <word>sell</word>
116                     <word>free</word>
117                     <word>buy</word>
118                     <word>science</word>
119                 </positive_words>
120                 <negative_words description="If a link contains any number of these words, then its probability of being visited (its score) will decrease.">
121                     <word>archive</word>
122                     <word>privacy</word>
123                     <word>legal</word>
124                     <word>disclaim</word>
125                     <word>about</word>
126                     <word>contact</word>
127                     <word>copyright</word>
128                     <word>jobs</word>
129                     <word>careers</word>
130                     <word>term</word>
131                 </negative_words>
132                 <IE>
133                     <!-- HoneyClient::Agent::Driver::Browser::IE Options -->
134                     <process_exec description="The absolute path to the Internet Explorer application process, as it sits in the VM filesystem." default="C:\Program Files\Internet Explorer\iexplore.exe">
135                         C:\Program Files\Internet Explorer\iexplore.exe
136                     </process_exec>
137                     <process_name description="The name of the Internet Explorer executable, as it appears on the VM filesystem." default="iexplore.exe">
138                         iexplore.exe
139                     </process_name>
140                 </IE>
141                 <FF>
142                     <!-- HoneyClient::Agent::Driver::Browser::FF Options -->
143                     <process_exec description="The absolute path to the Mozilla Firefox application process, as it sits in the VM filesystem." default="C:\Program Files\Mozilla Firefox\firefox.exe">
144                         C:\Program Files\Mozilla Firefox\firefox.exe
145                     </process_exec>
146                     <process_name description="The name of the Mozilla Firefox executable, as it appears on the VM filesystem." default="firefox.exe">
147                         firefox.exe
148                     </process_name>
149                 </FF>
150             </Browser>
151             <EmailClient>
152             </EmailClient>
153         </Driver>
154         <perform_integrity_checks description="An integer, representing whether the Agent should perform any integrity checks. 1 enables, 0 disables." default="1">
155             1
156         </perform_integrity_checks>
157         <!-- HoneyClient::Agent::Integrity Options -->
158         <Integrity>
            <!-- NOTE(review): both files below are written inside a VM that the descriptions say is already compromised, so whatever compromised it can alter or delete them; treat their contents as untrusted evidence and verify them from outside the VM. -->
159             <changes_found_file description="When an integrity check fails, all changes will be written to this file within the compromized honeyclient VM's filesystem." default="/tmp/changes.txt">
160                 /tmp/changes.txt
161             </changes_found_file>
162             <realtime_changes_file description="When an integrity check fails, all changes will be written to this file within the compromized honeyclient VM's filesystem." default="/tmp/realtime-changes.txt">
163                 /tmp/realtime-changes.txt
164             </realtime_changes_file>
165         </Integrity>
166     </Agent>
167     <Manager>
        <!-- NOTE(review): the two dump paths below are relative, so where they land depends on the Manager's working directory — confirm. -->
168         <manager_state description="Upon termination, the Manager will attempt to append a complete copy of its state into this file, if specified." default="">
169             manager.dump
170         </manager_state>
171         <fingerprint_dump description="When the Manager encounters a suspicious VM, it will attempt to append a complete copy of the fingerprint information to this file, if specified.">
172             fingerprint.dump
173         </fingerprint_dump>
174         <!-- TODO: Update this. -->
175         <address description="The IP or hostname that all Manager modules should use, when accepting SOAP requests." default="localhost">
176             localhost
177         </address>
178         <!-- TODO: Update this. -->
179         <!-- Note: This port should be unique and not already in use by other modules, services, or daemons running on the host system. -->
180         <port description="The TCP port number that the SOAP server for all Manager modules will listen on for requests." default="8089">
181             8089
182         </port>
183         <max_agent_error_count description="When the Agent is running, this value is the maximum number of SOAP communication errors the Manager will ignore (e.g., timeouts) before the Manager suspends the corresponding VM and clones a new Agent.  These errors mainly occur when the Manager loses connectivity to the Agent for some reason (i.e., software/OS crashing inside the VM).  Otherwise, the Manager would loop forever trying to reconnect with the faulty VM.  This value should never be set to 0 and should always be positive." default="3">
184             3
185         </max_agent_error_count>
186         <!-- HoneyClient::Manager::Database Options -->
187         <Database>
188             <enable description="Enables database operations. 1 enables, 0 disables." default="1">
189                 1
190             </enable>
191             <!-- TODO: Update this. -->
            <!-- NOTE(review): plain http:// URL, and no credential setting for this service appears anywhere in this file; since the description says it fronts the HoneyClient database, confirm it is reachable only from the host side. -->
192             <url description="The URL of the local Ruby web service, which interfaces with the local HoneyClient database.">
193                 http://172.16.164.1/hc_database/api
194             </url>
195         </Database>
196         <!-- HoneyClient::Manager::FW Options -->
197         <FW>
198             <vmnet_nat_router_address description="The IP address assigned to the VMware NAT interface (usually called vmnet8)." default="192.168.0.1">
199                 192.168.0.1
200             </vmnet_nat_router_address>
201             <!-- TODO: Update this. -->
202             <address description="eth0 interface static IP">
203                 192.168.0.128
204             </address>
205             <!-- TODO: Update this. -->
206             <port description="Default FW port number" default="8083">
207                 8083
208             </port>
209             <!-- TODO: Update this. -->
210             <primaryDns description="Primary DNS IP Address">
211                 128.29.154.150
212             </primaryDns>
213             <!-- TODO: Update this. -->
214             <secondaryDns description="Secondary DNS IP address">
215                 128.29.40.1
216             </secondaryDns>
217             <!-- TODO: Update this. -->
            <!-- NOTE(review): the two "IP address" values below carry a /32 suffix, unlike the address values above; presumably they are consumed as CIDR rule specs — confirm the FW code accepts both forms. -->
218             <gsx_gateway description="IP address of VMware Server">
219                 10.0.0.1/32
220             </gsx_gateway>
221             <!-- TODO: Update this. -->
222             <fwGateway description="Gateway IP address of the Firewall">
223                 10.0.0.254/32
224             </fwGateway>
225             <!-- TODO: Update this. -->
226             <honeyclientnet description="CIDR notation for honeyclient netblock">
227                 10.0.0.0/24
228             </honeyclientnet>
229             <!-- TODO: Update this. -->
230             <fwconfig description="Location of Firewall VM configuration file">
231                 /vm/honeywall-test/honeywall.vmx
232             </fwconfig>
233             <!-- TODO: Update this. -->
234             <outputdir description="Output directory where logs will go on Firewall">
235                 fw-output
236             </outputdir>
237             <!-- TODO: Update this. -->
238             <argus description="Argus binary location">
239                 /usr/local/sbin/argus
240             </argus>
241             <!-- TODO: Update this. -->
242             <argusconfig description="Argus configuration file.">
243                 /etc/argus.conf
244             </argusconfig>
245             <!-- TODO: Update this. -->
246             <argusoutput description="Argus logging directory">
247                 /var/log/argus
248             </argusoutput>
249             <!-- TODO: Update this. -->
250             <arguspid description="Argus Process ID">
251                 /var/run/argus.pid
252             </arguspid>
253             <!-- TODO: Update this. -->
254             <tcpdumplog description="Tcpdump log location directory">
255                 /var/log/tcpdump
256             </tcpdumplog>
257             <!-- TODO: Update this. -->
258             <tcpdump description="Tcpdump binary">
259                 /usr/sbin/tcpdump
260             </tcpdump>
261             <!-- TODO: Update this. -->
262             <dnspath description="DNS nameserver file">
263                 /etc/resolv.conf
264             </dnspath>
265             <!-- TODO: Update this. -->
266             <dnsport description="DNS port number">
267                 53
268             </dnsport>
269             <!-- TODO: Update this. -->
            <!-- NOTE(review): the only upper-case element name in this file; XML names are case-sensitive, so the FW code must look it up as LOCALHOST exactly. -->
270             <LOCALHOST description="localhost address">
271                 127.0.0.1
272             </LOCALHOST>
273             <!-- TODO: Update this. -->
274             <sshport description="SSH port number listening on">
275                 22
276             </sshport>
277             <!-- TODO: Update this. -->
278             <debug description="Debug value (0 for no debugging, 1 for debugging output)">
279                 0
280             </debug>
281             <!-- TODO: Update this. -->
282             <fwprocess description="Name of external SOAP listener.">
283                 startFWListener.pl
284             </fwprocess>
285             <!-- TODO: Update this. -->
            <!-- NOTE(review): this is the same path as the global log_config (a Log4perl configuration), not a firewall configuration file; verify that is intended. -->
286             <config_file description="Location of config_file">
287                 etc/honeyclient_log.conf
288             </config_file>
289         </FW>
290         <!-- HoneyClient::Manager::VM Options -->
291         <VM>
292             <master_vm_config description="The full absolute path to the VM configuration file on the host system that will be used by all subsequent cloned VMs.">
293                 /vm/masters/Agent.Master-36/winXPPro.cfg
294             </master_vm_config>
            <!-- NOTE(review): same port (8089) as Manager/port above, while both descriptions require a port not already in use on the host system; confirm the VM daemon and the Manager never listen on the same host at the same time. -->
295             <port description="The TCP port number that the SOAP server of the VM daemon will listen on for requests.  Note: This port should be unique and not already be used by other modules, services, or daemons running on the host system." default="8089">
296                 8089
297             </port>
298             <datastore_path description="The absolute path to the parent directory, where all HoneyClient VM data is stored on the host server.  It is assumed that individual VM data is stored in separate subdirectories within this parent directory." default="/vm">
299                 /vm/clones
300             </datastore_path>
301             <snapshot_path description="The absolute path to the directory that contains all snapshot data, associated with every HoneyClient VM." default="/vm/snapshots">
302                 /vm/snapshots
303             </snapshot_path>
304             <min_space_free description="The minimum amount of disk space (in GB) that must remain free in both the datastore_path and snapshot_path in order for the Manager to continue processing.  If the free disk space drops below this threshold, then the Manager will gracefully terminate." default="2">
305                 2
306             </min_space_free>
307             <vmware_port description="The TCP port that VMware Server uses for console communication.  By default, this TCP port is 902.  Unless you've explicitly changes this port during the vmware-config.pl setup process, leave this setting as the default." default="902">
308                 902
309             </vmware_port>
310             <bin_tar description="The absolute path to the 'tar' executable, accessible on the host filesystem." default="/bin/tar">
311                 /bin/tar
312             </bin_tar>
313             <vm_id_length description="The length of each corresponding VM identifier (VMID).  This value can be any integer between 1 and 32, inclusive.  The VMID is a hexadecimal string that represents the VM's name.  It is designed to be generated once per clone and remain for the life of the VM (regardless of where it runs).  The VMID is used externally by HoneyClient::Manager and HoneyClient::Manager::FW.  The HoneyClient::Manager::FW package uses IPTables and binds each rule to a specific VMID.  However, IPTable's firewall rule labels can only be a maximum of 30 characters in length.  Thus, 26 is specified here, to account for 'VMID-OUT' as a possible chain name." default="26">
314                 26
315             </vm_id_length>
316             <dhcp_log description="The absolute path to the file that contains the DHCP logs, when a new VM gets a DHCP lease from the VMware Server." default="/var/log/messages">
317                 /var/log/messages
318             </dhcp_log>
319             <!-- HoneyClient::Manager::VM::Test Options -->
320             <Test>
321                 <!--
322                     Note: you should *never* need to change *any* values
323                     within this section of the configuration.  All contents
324                     are *only* used for unit testing.
325                 -->
326                 <test_vm_config description="The relative path to the (empty) test VM, that's used during unit testing." default="t/test_vm/winXPPro.vmx">
327                     t/test_vm/winXPPro.vmx
328                 </test_vm_config>
329             </Test>
330         </VM>
331     </Manager>
332     <!-- HoneyClient::Util Options -->
333     <Util>
334         <!-- HoneyClient::Util::Config Options -->
335         <Config>
336             <!-- HoneyClient::Util::Config::Test Options -->
337             <Test>
338                 <!--
339                     Note: you should *never* need to change *any* values
340                     within this section of the configuration.  All contents
341                     are *only* used for unit testing.
342                 -->
                <!-- NOTE(review): the elements below are test fixtures for the parent-lookup behaviour described in the file header (an address missing under Foo/Bar would otherwise be resolved from an ancestor); the extra "zing" attribute and the repeated childA/childB elements are presumably exercised by those tests — confirm before removing. -->
343                 <address description="The IP or hostname that this module should use, when performing unit tests." default="localhost" zing="foobar">localhost</address>
344                 <zingers>foobar</zingers>
345                 <Foo>
346                     <Bar>
347                         <address>baz</address>
348                     </Bar>
349                 </Foo>
350                 <Yok>
351                     <childA>12345678</childA>
352                     <childA>ABCDEFGH</childA>
353                     <childB>09876543</childB>
354                     <childB>ZYXVTUWG</childB>
355                 </Yok>
356             </Test>
357         </Config>
358     </Util>
359 </HoneyClient>