Thursday, November 26, 2009

Distributed Nepenthes with PHARM

Just finished releasing version 1.0 of Nepenthes PHARM.

Nepenthes PHARM is a perfect companion to your Nepenthes honeypot installations for catching malware in the wild. PHARM is an open-source client/server and web portal package that provides central reporting and analysis of your distributed Nepenthes-based honeypots.

PHARM clients are installed alongside your Nepenthes installations. Each client watches the Nepenthes log files (logged_submissions and nepenthes.log) for changes and sends the logged data, together with the malware samples collected, to the host running the PHARM server.
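The client side of that pipeline, as an added example for this post; it is not PHARM's own client (which is Perl) and does not send anything over the network. It assumes that logged_submissions lines have the form `[timestamp] <attacker ip> -> <honeypot ip> <url> <md5>` and that Nepenthes stores each sample under its MD5 hex digest in a binaries directory; the log lines and sample bytes in demo() are constructed, not captured traffic. It shows the two things a collector has to get right: following the file without losing entries when it is truncated or rotated, and re-hashing the sample on disk instead of trusting a digest that came out of attacker-driven activity.

```python
"""Client-side collection for a Nepenthes honeypot (added example, not PHARM code).
Assumed log line layout: [YYYY-MM-DDTHH:MM:SS] <attacker ip> -> <honeypot ip> <url> <md5>
Assumed sample location: <binaries_dir>/<md5 hex>. demo() data is constructed."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<src>" + IPV4 + r")\s+->\s+(?P<dst>" + IPV4 + r")\s+"
    r"(?P<url>\S+)\s+(?P<md5>[0-9a-fA-F]{32})\s*$"
)


@dataclass
class Submission:
    timestamp: str
    attacker: str
    honeypot: str
    url: str
    md5: str                       # digest as Nepenthes logged it
    sha256: Optional[str] = None   # recomputed from the stored sample
    size: Optional[int] = None
    status: str = "logged"         # logged | collected | mismatch | missing


def parse_line(line: str) -> Optional[Submission]:
    """Parse one logged_submissions line; nepenthes.log chatter, malformed or
    truncated lines yield None and are never shipped."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    d = m.groupdict()
    return Submission(d["ts"], d["src"], d["dst"], d["url"], d["md5"].lower())


def attach_binary(sub: Submission, binaries_dir: str) -> Submission:
    """Locate the sample saved under its MD5 name and re-hash it; the client
    verifies the file rather than trusting the logged digest."""
    path = os.path.join(binaries_dir, sub.md5)   # md5 is validated hex, so no traversal
    if not os.path.isfile(path):
        sub.status = "missing"
        return sub
    with open(path, "rb") as f:
        data = f.read()
    sub.size = len(data)
    sub.sha256 = hashlib.sha256(data).hexdigest()
    sub.status = "collected" if hashlib.md5(data).hexdigest() == sub.md5 else "mismatch"
    return sub


def read_new_lines(path: str, offset: int) -> Tuple[List[str], int]:
    """Return complete lines appended since `offset` plus the new offset.
    A file smaller than the offset was truncated or rotated in place, so
    reading restarts at 0 instead of returning nothing forever; a trailing
    partial line is held back for the next call."""
    if os.path.getsize(path) < offset:
        offset = 0
    with open(path, "rb") as f:
        f.seek(offset)
        raw = f.read()
    parts = raw.split(b"\n")
    tail = parts.pop()                       # bytes after the last newline
    new_offset = offset + len(raw) - len(tail)
    return [p.decode("utf-8", "replace") for p in parts], new_offset


def collect(log_path: str, binaries_dir: str, offset: int = 0) -> Tuple[List[dict], int]:
    """One polling pass: new lines -> parsed -> paired with samples -> records."""
    lines, offset = read_new_lines(log_path, offset)
    records = [asdict(attach_binary(s, binaries_dir))
               for s in map(parse_line, lines) if s is not None]
    return records, offset


def demo() -> Tuple[List[dict], List[dict], List[dict]]:
    """Three passes over a constructed log: sample present, sample missing
    (plus an unfinished line), then the log truncated underneath us."""
    with tempfile.TemporaryDirectory() as d:
        sample = b"MZ\x90\x00 constructed demo bytes, not a real binary"
        md5 = hashlib.md5(sample).hexdigest()
        with open(os.path.join(d, md5), "wb") as f:
            f.write(sample)
        log = os.path.join(d, "logged_submissions")
        with open(log, "w") as f:
            f.write("[2009-11-26T10:15:02] 203.0.113.7 -> 192.0.2.10 "
                    "http://203.0.113.7:5554/x.exe " + md5 + "\n")
        first, off = collect(log, d)
        with open(log, "a") as f:
            f.write("[2009-11-26T10:16:40] 198.51.100.3 -> 192.0.2.10 "
                    "ftp://198.51.100.3/ssms.exe " + "0" * 32 + "\n"
                    "[2009-11-26T10:17:01] 198.51.100.3 -> 192.0.2.10 partial")
        second, off = collect(log, d, off)
        with open(log, "w") as f:               # logrotate-style truncation
            f.write("not a submission line\n")
        third, off = collect(log, d, off)
    return first, second, third
```

The records `collect()` returns are what a client would ship; a real client would persist the offset between runs and send the sample bytes alongside the record, keyed by the recomputed SHA-256 rather than the logged MD5.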

The PHARM server aggregates the data collected from all PHARM clients and presents analysis and reports of your honeypots through the PHARM web portal. For the analysis, PHARM queries VirusTotal's publicly available data to report details of the malware collected.

PHARM is available for download at www.nepenthespharm.com. PHARM is developed and maintained by yours truly, me :) Parvinder S. Bhasin.

6 comments:

Commiebstrd said...

Hello, I've been installing this system today. All seems well, and your instructions are certainly clear enough to follow. However, when browsing the web interface, I am sent to /pharm/cgi-bin/pharm_dologin.cgi as text instead of the interactive display intended. I have installed the entire thing so far as root, and have chmod -R +rx /var/www/pharm and /cgi-bin/. I have also chmod 7777 the directories. Any suggestions? Thanks!

Parvinder Bhasin said...

Hi Commie,

It seems that you are having a configuration issue with Apache. Perhaps you are missing, or haven't uncommented, the line in your Apache config that reads:

"AddHandler cgi-script .cgi"

Make sure this exists in your Apache config file and that you have the "+ExecCGI" option enabled.

Hope this helps.

Cheers!!
-Parvinder Bhasin

Malware Forensics said...

Parvinder,

I'm having a similar issue. Per your instructions in the previous post, I added the "AddHandler cgi-script .cgi" line to my Apache config. Unfortunately, I now get the following error:

mkdir /var/www/pharm/temp: Permission denied at /usr/local/share/perl/5.10.1/CGI/Session/Driver/file.pm line 34

Line 34 of file.pm is:

" unless ( File::Path::mkpath($self->{Directory})) {"

Any help would be appreciated!

Thanks!

Parvinder Bhasin said...

Malware Forensics,

It seems you haven't set proper permissions on the temp directory.

As I mentioned in the instructions, I wouldn't recommend creating the temp directory under /var/www/pharm .

Make sure you give read/write access to the Apache user (daemon), or whatever other user you are running Apache under, on that directory. This is where your session info is stored.

Additionally, if you change the location of this directory, make sure you change it in the conf file as well. Change the following in your conf file:


[web_session]
session_dir = /var/www/temp


You should be good to go :)

-Parvinder Bhasin
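A check for the session directory along the lines of the reply above, as an added example that is not part of PHARM: the directory should live outside the web root, be usable by the Apache user, and not be open to other local users. It assumes the conf fragment is INI-style with the [web_session] / session_dir keys quoted in the reply; the Apache account is resolved by name (the reply says daemon; other builds use www-data or apache), and demo() uses the current user and a temporary directory tree as stand-ins.

```python
"""Audit a PHARM session_dir (added example, not PHARM code).
Assumes an INI-style conf with [web_session] session_dir = ... as quoted above.
demo() builds a constructed directory layout under a temp dir."""
import configparser
import grp
import os
import pwd
import stat
import tempfile
from typing import List, Optional, Set, Tuple


def session_dir_from_conf(conf_text: str) -> str:
    """Read session_dir from the [web_session] section of the conf file."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp["web_session"]["session_dir"]


def resolve_user(name: str) -> Tuple[int, Set[int]]:
    """uid and all gids of the account Apache runs as (e.g. 'daemon')."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


def can_use(st: os.stat_result, uid: int, gids: Set[int]) -> bool:
    """True if uid gets rwx on the directory through the owner, group or other bits."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return mode & 0o700 == 0o700
    if st.st_gid in gids:
        return mode & 0o070 == 0o070
    return mode & 0o007 == 0o007


def check_session_dir(path: str, docroot: str, uid: int, gids: Set[int]) -> List[str]:
    """Return a list of problems; an empty list means the directory is fine."""
    problems = []
    real, root = os.path.realpath(path), os.path.realpath(docroot)
    if real == root or real.startswith(root + os.sep):
        problems.append("inside the web root %s: session files may be reachable over HTTP" % docroot)
    if not os.path.isdir(real):
        # This is the state behind the mkpath() failure quoted in the thread:
        # CGI::Session tries to create it as the Apache user and cannot.
        problems.append("missing: the Apache user would have to mkdir it at request time")
        return problems
    st = os.stat(real)
    if not can_use(st, uid, gids):
        problems.append("Apache user has no rwx (owner uid %d, mode %o)"
                        % (st.st_uid, stat.S_IMODE(st.st_mode)))
    if stat.S_IMODE(st.st_mode) & 0o007:
        problems.append("other-accessible: any local user can read or plant session files")
    return problems


def setup_session_dir(path: str, uid: Optional[int] = None, gid: Optional[int] = None) -> None:
    """Create the directory with mode 0700; chown to the Apache user when run as root."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)                    # makedirs honours umask; force the mode
    if os.geteuid() == 0 and uid is not None and gid is not None:
        os.chown(path, uid, gid)


def demo() -> Tuple[List[str], List[str]]:
    """Constructed layout: the discouraged /var/www/pharm/temp, world-writable
    as in the thread's chmod 7777, beside a correctly set up directory."""
    uid, gids = os.getuid(), {os.getgid(), *os.getgroups()}   # stand-in for Apache
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "var", "www", "pharm")
        bad = os.path.join(docroot, "temp")
        os.makedirs(bad)
        os.chmod(bad, 0o777)
        good = os.path.join(tmp, "var", "lib", "pharm", "sessions")
        setup_session_dir(good, uid, os.getgid())
        return (check_session_dir(bad, docroot, uid, gids),
                check_session_dir(good, docroot, uid, gids))
```

In use, feed `session_dir_from_conf()` the real conf file and `resolve_user("daemon")` (or whatever user Apache runs as) into `check_session_dir()`; `setup_session_dir()` run as root creates the directory with the ownership and 0700 mode the check expects, which is tighter than the chmod 7777 tried earlier in the thread.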

Malware Forensics said...

Parvinder, thanks for the info. I was able to get PHARM working. I logged into the web portal and changed the admin password; now I cannot re-authenticate. Perhaps there was a typo when I created the password and I did not realize it? However, if I cannot log in to the portal to change the password, do you have any other recommendations on how to reset it? If I need to manually change the password from a command shell, where does the database containing the web authentication credentials reside?

Thanks!

Parvinder Bhasin said...

Malware Forensics,

You can basically change the password from MySQL directly by:


mysql> update usr_tbl SET usr_pass = 'foobar' WHERE usr_name='admin';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0

-Parvinder Bhasin