| 42 | | =head2 CREATING THE SOAP SERVER |
| 43 | | |
| 44 | | # XXX: Fill this in. |
| 45 | | |
| 46 | | =head2 INTERACTING WITH THE SOAP SERVER |
| 47 | | |
| 48 | | # XXX: Fill this in. |
| | 43 | use HoneyClient::Manager; |
| | 44 | use Data::Dumper; |
| | 45 | |
| | 46 | # Utility functions to encode configuration data. |
| | 47 | use Storable qw(nfreeze thaw); |
| | 48 | use MIME::Base64 qw(encode_base64 decode_base64); |
| | 49 | |
| | 50 | # Note: Make sure only one of these "my driver =" lines |
| | 51 | # is uncommented. |
| | 52 | |
| | 53 | # Use Internet Explorer as the instrumenting application. |
| | 54 | my $driver = "HoneyClient::Agent::Driver::Browser::IE"; |
| | 55 | |
| | 56 | # Use Mozilla Firefox as the instrumenting application. |
| | 57 | #my $driver = "HoneyClient::Agent::Driver::Browser::FF"; |
| | 58 | |
| | 59 | # Start the Manager. |
| | 60 | HoneyClient::Manager->run( |
| | 61 | |
| | 62 | driver => $driver, |
| | 63 | |
| | 64 | agent_state => encode_base64(nfreeze({ |
| | 65 | |
| | 66 | $driver => { |
| | 67 | |
| | 68 | # Specify the next link for the Agent VM to visit. |
| | 69 | next_link_to_visit => "http://www.mitre.org", |
| | 70 | |
| | 71 | # If you have more than one link, you can also |
| | 72 | # set this type of hashtable: |
| | 73 | links_to_visit => { |
| | 74 | 'http://www.google.com' => 1, |
| | 75 | }, |
| | 76 | }, |
| | 77 | |
| | 78 | })), |
| | 79 | ); |
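Review bot: the synopsis on new lines 43-79 imports `Data::Dumper`, `thaw` and `decode_base64` but never uses them, and the comment on new lines 50-51 refers to `"my driver ="` while the code reads `my $driver =`; drop the unused imports (or show the matching decode step) and add the missing `$` sigil. Since `agent_state` is a Storable `nfreeze` blob that the receiving side has to `thaw`, the documentation should also state that this value must only come from operator-controlled configuration, because Storable deserialization is not safe on data from an untrusted source.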
| 52 | | # XXX: Fill this in. |
| | 83 | This module provides centralized control over provisioning, initializing, |
| | 84 | running, and suspending all Agent VMs. Upon calling the run() function, |
| | 85 | the Manager will proceed to create a new clone of the master Honeyclient VM |
| | 86 | (aka. an Agent VM) and feed this Agent VM a new list of URLs to crawl. |
| | 87 | |
| | 88 | While the Agent VM is crawling, the Manager will check to make sure the |
| | 89 | Agent VM has not been compromised. If no compromise was found, then the |
| | 90 | Manager will signal the Firewall to allow the Agent VM to contact the |
| | 91 | next set of network resources (i.e., a webserver). |
| | 92 | |
| | 93 | If the Manager discovers the Agent VM has been compromised, then the |
| | 94 | Manager will suspend the clone VM, log the incident, and create a new Agent |
| | 95 | VM clone -- where this new clone picks up with the next set of URLs to |
| | 96 | crawl. |
| | 97 | |
| | 98 | If there are no URLs left for the Agent VM to visit OR if the user |
| | 99 | presses CTRL+C while the Manager is running, then the Manager will |
| | 100 | suspend the currently running Agent VM and write its state information |
| | 101 | out to the filesystem on the host system. This file is usually |
| | 102 | called 'Manager.dump'; however, the name can be changed by editing |
| | 103 | the <HoneyClient/><Manager/><manager_state/> section of the |
| | 104 | etc/honeyclient.xml file. |
| | 105 | |
| | 106 | This 'Manager.dump' file contains the set of URLs that the Honeyclients |
| | 107 | have visited, ignored, or tried to visit. In order to determine |
| | 108 | which URLs were identified as malicious, you will need to check |
| | 109 | the syslog on the host system and search for the keyword of "FAILED". |
| | 110 | |
| | 111 | By default, all cloned VMs that the Manager suspends will have been |
| | 112 | flagged as compromised -- unless the set of URLs has been exhausted |
| | 113 | or the user prematurely terminates the process (by pressing CTRL+C). |
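Review bot: on new line 103 the path `<HoneyClient/><Manager/><manager_state/>` reads as three self-closing XML elements rather than the nested element the text means; write it as a nested path (for example `<HoneyClient><Manager><manager_state>`) so readers can locate it in etc/honeyclient.xml. New lines 107-109 also leave a syslog search for "FAILED" as the only record of which URLs were malicious, which is easily lost to log rotation; document the syslog identifier the Manager logs under, or record the offending URL in 'Manager.dump' next to the visited and ignored sets. Finally, new lines 111-113 would be clearer stated directly: a clone the Manager suspends is flagged as compromised unless the URL list was exhausted or the run was interrupted with CTRL+C.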