honeynet / ochi
Home Page: https://ochi.mushmush.org
License: GNU General Public License v3.0
I agree this ended up being much more complex from a UX point of view.
I wonder if a better approach would be to show on the main page a list with all the enabled queries and let the user define the boolean operator between them. I will create a sketch to make it a bit clearer what I mean.
We should park this ticket until we find a solution that is understandable to the user from a UX point of view.
We should introduce a tcp and udp filter to include and exclude by transport type.
This is currently not supported as the honeypot needs to indicate the transport type in the event payload.
Leaving this here as there are going to be people wanting to discuss this:
There is an obvious possibility of a sensor IP address being leaked through Ochi. I have addressed this for simple cases in Glutton.
For everyone else: If you hook up your sensor to Ochi, you are responsible for making sure you are not leaking your IP address. We will not sanitize payload data in Ochi.
Create a new page with a statistics overview. Statistics consist of aggregations of:
Statistics are stored client side. They only persist in the local storage.
In the PR I implemented query editing using an inline form. It would be nice to use a modal dialog, the same as for the config.
If the event comes from a sensor with valid UUID, accept the event
Currently, we have a fixed-size input field limiting usability when providing multiple filter rules.
Look at Greynoise input field for inspiration.
We pass the service configuration as parameters. We should use a config file instead. Create the config file if it doesn't exist. The default config should have configuration for local testing.
Use github.com/hashicorp/hcl/v2 for the configuration.
The backend will have access to binaries for each architecture.
UUID of the sensor needs to be baked into binary. Use the following snippet to replace a placeholder sensor UUID in the binary:
import "bytes"

// IndexReplace overwrites the first occurrence of old in b with new, in place,
// using bytes.Index to find the offset. Because it copies over the existing
// bytes without resizing, old and new must be the same length (true for two
// canonical UUIDs); a different length would clobber or shift whatever follows
// the placeholder, so that case is refused and b is returned unchanged.
func IndexReplace(b, old, new []byte) []byte {
	if len(old) != len(new) {
		return b
	}
	i := bytes.Index(b, old)
	if i == -1 {
		return b
	}
	copy(b[i:], new)
	return b
}
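A wrapper around that kind of in-place patch with the checks a backend handing out per-sensor binaries would want, added here as an example and not code from the Ochi repository. The Placeholder value, the canonical 8-4-4-4-12 UUID shape it enforces and the stand-in "binary" are assumptions of this example. It refuses to patch when the UUID is malformed, when the placeholder is missing, when it occurs more than once (the literal may have been emitted in several places), or when the replacement would not be the same length, since each of those silently yields a binary that identifies itself wrongly or is corrupted.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"regexp"
)

// Placeholder is the sensor UUID compiled into the unconfigured sensor binary
// (a value assumed for this example; it only has to be unique and 36 bytes long).
const Placeholder = "00000000-0000-4000-8000-000000000000"

// uuidRe accepts only the canonical lowercase 8-4-4-4-12 form, which is exactly
// the length of Placeholder, so an in-place overwrite can never shift the binary.
var uuidRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

// BakeSensorUUID returns a copy of bin with Placeholder replaced by uuid. It refuses
// a malformed uuid, a missing placeholder and a placeholder that occurs more than
// once: patching only the first copy would leave a binary that still carries the
// placeholder elsewhere.
func BakeSensorUUID(bin []byte, uuid string) ([]byte, error) {
	if !uuidRe.MatchString(uuid) {
		return nil, fmt.Errorf("invalid sensor uuid %q", uuid)
	}
	old := []byte(Placeholder)
	switch n := bytes.Count(bin, old); n {
	case 0:
		return nil, errors.New("placeholder not found in binary")
	case 1:
	default:
		return nil, fmt.Errorf("placeholder found %d times, refusing to patch", n)
	}
	out := append([]byte(nil), bin...)      // never patch the caller's (possibly cached) copy
	copy(out[bytes.Index(out, old):], uuid) // same length, so nothing after it moves
	return out, nil
}

func main() {
	// Constructed stand-in for a compiled sensor binary, not a real ELF file.
	bin := []byte("\x7fELF...sensor_uuid=" + Placeholder + "...")
	out, err := BakeSensorUUID(bin, "123e4567-e89b-42d3-a456-426614174000")
	fmt.Printf("%q %v\n", out, err)
}
```

The copy-then-patch shape matters when the backend keeps the unconfigured binaries in memory: patching the shared slice in place would hand the next user a binary already carrying the previous sensor's UUID.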
Currently, hot reloading is only available for the Svelte frontend. Ideally we can run the Go backend with the Svelte frontend, reloading both. To support that we need the following:
The App.svelte has a lot of hard-coded layout glory. This makes it rather difficult to add new layout elements without breaking the current layout. Even adding new pages would be challenging. Here are some offenders:
Redo the layout allowing for:
A GitHub workflow should be set up to test the formatting of PRs and new pushes.
Outcome: Queries can be tagged
Query metadata:
Tags:
Flow:
This issue depends on #6
It would be nice if the width of the component was dynamic in response to the current window width. When the window is too narrow, we can decrease the width parameter passed to hexy.
Create a new page with statistics
There is an endpoint for statistics.
There is a websocket with statistics updates.
Add a confirmation modal.
Add a new endpoint DELETE /sensor/:uuid that removes the sensor.
Make sure that only owners can delete a sensor, otherwise return 404.
We introduce the term Queries for filters and labels.
Goals:
Approach:
Branch:
Example Queries:
Outcome: On-demand, create a permanent link to an event.
/events/<uuid>
reusing the Content component, showing the event from the JSON blob.
/sensors that returns the sensors by authenticated user ID.
I need to provide a valid filter query and can't reset the filter by providing an empty query.
Add a config for Prettier. Initially should set the line length to something reasonable.
We use hexy to display the payload as hex and ASCII, but if you want to mark and copy multiple lines of the ascii you end up also copying hex. Modify hexy so the HTML output has the hex and ASCII in two separate columns instead of line by line.
Outcome: Stop following new events on scroll, resume with button
When scrolling in the events list, stop following new events. There should be a button at the bottom of the events list that resumes following events.
Currently the config modal code is in App.svelte but should be moved to Modal.svelte.
Section could be footer, header or grid element.
We should stop the Action if generate-check produces a different file.
Developers should always re-generate changes and check in all changes.
Before publishing to the websockets, truncate the sensor UUID to only the first part, up to the first -.
Remove truncating from the front-end code.
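One way to make that truncation hard to get wrong on the backend, added here as an example and not Ochi's own code: keep the full UUID out of the JSON at the type level and derive the public short id from it. The Event fields, the helper names and the sample event are assumptions of this example. The point is that the sensor UUID is the value events are accepted on, so the full form must never reach a websocket client, and a json:"-" tag enforces that for every publish path rather than relying on each one to remember to truncate.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event is the internal record built from what a sensor sent (fields assumed
// for this example). The full sensor UUID is the value events are accepted on,
// so it is tagged json:"-": no publish path can marshal it, even by accident.
type Event struct {
	SensorUUID string `json:"-"`
	Sensor     string `json:"sensor"` // set by ForPublish: the first UUID segment only
	SrcIP      string `json:"src_ip"`
	Payload    []byte `json:"payload"`
}

// ShortSensorID returns the part of a UUID before the first '-'; a UUID without
// a dash is returned whole rather than becoming an empty id.
func ShortSensorID(uuid string) string {
	short, _, _ := strings.Cut(uuid, "-")
	return short
}

// ForPublish renders the websocket form of e. Event is passed by value, so the
// caller's record is untouched and only the truncated id reaches the JSON.
func ForPublish(e Event) ([]byte, error) {
	e.Sensor = ShortSensorID(e.SensorUUID)
	return json.Marshal(e)
}

// Leaks reports whether a serialized message still contains the full UUID; a
// cheap guard worth keeping in tests for every new publish path.
func Leaks(msg []byte, uuid string) bool {
	return strings.Contains(string(msg), uuid)
}

func main() {
	// Constructed event, not real honeypot data.
	ev := Event{SensorUUID: "123e4567-e89b-42d3-a456-426614174000", SrcIP: "203.0.113.9", Payload: []byte("GET / HTTP/1.1")}
	msg, err := ForPublish(ev)
	fmt.Println(string(msg), err, Leaks(msg, ev.SensorUUID))
}
```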
Add Apply button to each saved query implemented in #77.
Readability can be improved by adding custom css styles to alternating lines.
Endpoint returning a config for Glutton with http producer enabled and pointing to Ochi with sensor ID and secret.
Events from sensors with configs from this endpoint are by default private and only visible to the owner.
Add sensor ID to the event list/details. Probably a synonym and not the actual sensor ID.
Disable sensor configs sending invalid events.
Have a list of sensor configs per user. Users can CRUD sensor configs.
In #46 we introduced the initial version of filtering syntax using chevrotain. We need to improve the syntax by adding new features.
Some things to consider:
contains or matches?
in operator?
(tcp, ip.src, etc)?
Currently we parse the event filter using the chevrotain DSL definition as the user types. When the user clicks Apply, we parse the same filter again. We can do some optimization by persisting the result of the filter parsing on input change and reusing it when the Apply button is pressed. One thing to consider here is that the persisted result might be out of date or invalid.
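The same Wireshark-style filter language, implemented in Go as an added example rather than the project's chevrotain grammar (which is JavaScript and not shown on this page). The supported subset (==, !=, contains, and/&&, or/||, not/!, parentheses, and bare protocol fields such as tcp), the flattened Event shape with one bare key per layer present (which is the transport information a bare tcp or udp filter needs), and the sample event are all assumptions of this example. Compile returns a closure that can be kept on input change and reused when Apply is pressed; an empty query compiles to match-all, so clearing the input resets the filter; and malformed queries are rejected rather than silently narrowed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is a flattened event (assumed shape): one key per field ("ip.src") plus a
// bare key per layer present ("tcp", "udp"), so that bare protocol filters can work.
type Event map[string]string

// Filter is a compiled query: compile once when the input changes, reuse on Apply.
type Filter func(Event) bool

// tokenRe yields "quoted strings", parentheses, != and ! as single tokens; other
// operators must be surrounded by spaces (ip.src == 10.0.0.1, not ip.src==10.0.0.1).
var tokenRe = regexp.MustCompile(`"[^"]*"|!=|[()!]|[^\s()"]+`)

type parser struct {
	toks []string
	pos  int
}

func (p *parser) peek() string {
	if p.pos < len(p.toks) {
		return p.toks[p.pos]
	}
	return ""
}

func (p *parser) next() string { t := p.peek(); p.pos++; return t }

var prec = map[string]int{"or": 1, "||": 1, "and": 2, "&&": 2}

// expr is precedence climbing over the binary operators; and/&& binds tighter than or/||.
func (p *parser) expr(minPrec int) (Filter, error) {
	l, err := p.unary()
	for err == nil && prec[p.peek()] >= minPrec {
		op := p.next()
		var r Filter
		if r, err = p.expr(prec[op] + 1); err != nil {
			break
		}
		a, or := l, prec[op] == 1 // snapshot l: the closure must not see its reassignment below
		l = func(e Event) bool {
			if or {
				return a(e) || r(e)
			}
			return a(e) && r(e)
		}
	}
	return l, err
}

func (p *parser) unary() (Filter, error) {
	switch t := p.next(); t {
	case "!", "not":
		f, err := p.unary()
		return func(e Event) bool { return !f(e) }, err
	case "(":
		f, err := p.expr(1)
		if err == nil && p.next() != ")" {
			err = fmt.Errorf("missing )")
		}
		return f, err
	case "", ")", "==", "!=", "contains", "and", "or", "&&", "||":
		return nil, fmt.Errorf("unexpected %q", t)
	default:
		return p.comparison(t)
	}
}

// comparison parses `field op value`; a bare field (`tcp`, `ip.src`) is a presence test.
func (p *parser) comparison(field string) (Filter, error) {
	op := p.peek()
	if op != "==" && op != "!=" && op != "contains" {
		return func(e Event) bool { _, ok := e[field]; return ok }, nil
	}
	p.next()
	val := strings.Trim(p.next(), `"`) // a missing value is caught by Compile's trailing check
	return func(e Event) bool {
		v, ok := e[field] // an absent field never matches, even with !=, as in Wireshark
		return ok && ((op == "==" && v == val) || (op == "!=" && v != val) || (op == "contains" && strings.Contains(v, val)))
	}, nil
}

// Compile parses q. An empty query matches everything, so clearing the input resets
// the filter instead of being rejected; any error returns a nil Filter.
func Compile(q string) (Filter, error) {
	if strings.Count(q, `"`)%2 != 0 {
		return nil, fmt.Errorf("unterminated string in %q", q)
	}
	p := &parser{toks: tokenRe.FindAllString(q, -1)}
	if len(p.toks) == 0 {
		return func(Event) bool { return true }, nil
	}
	f, err := p.expr(1)
	if err == nil && p.pos != len(p.toks) {
		err = fmt.Errorf("unexpected %q", p.peek())
	}
	if err != nil {
		return nil, err
	}
	return f, nil
}

func main() {
	// Constructed sample event, not real honeypot data.
	f, err := Compile(`tcp && ip.src == 203.0.113.9 && !(payload contains "OpenSSH")`)
	fmt.Println(err, f(Event{"tcp": "", "ip.src": "203.0.113.9", "payload": "SSH-2.0-libssh"}))
}
```

Keeping the compiled Filter rather than the raw string is the optimisation discussed above; the staleness concern is handled by recompiling whenever the input changes, and Compile never returns a usable Filter together with an error, so a stale or invalid parse cannot be applied by mistake.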
Ochi is participating as part of the Honeynet project in the Google Summer of Code 2023 (GSoC). Ochi is looking for engaged and motivated students to join us during 12 weeks of exciting collaboration. This is a very new project so there is a lot of potential to work on the foundation of it.
Ochi is a web interface for live Honeypot events to correlate, filter and annotate.
As part of GSoC'23 we would like to add the ability to filter the events using a version of the Wireshark query syntax as a DSL. Queries should be persistent and the backend should calculate metrics on how often a query is matched.
Furthermore the backend should support perma-links to events so they can be shared:
Primary skills required are HTML/CSS/JavaScript. Secondary would be Golang but this can also be covered by the mentor of the project.
Button opens modal with form for sensor name.
Create a new backend endpoint POST /sensors to create new sensors.
Sensor names are unique per user, not globally.
Confirming form creates a new sensor entry in the database with the chosen name.
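The two sensor endpoints discussed on this page, POST /sensors (names unique per user, not globally) and DELETE /sensor/:uuid (owners only, 404 otherwise), as one added example in Go that is not Ochi's own code. The in-memory Store, the X-User header standing in for whatever authentication Ochi actually performs, the response codes and the JSON field names are assumptions of this example. The one design point worth copying is that a non-owner and a non-existent UUID get the identical 404, so the delete endpoint cannot be used to probe which sensor UUIDs exist.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"sync"
)

type Sensor struct {
	UUID  string `json:"uuid"`
	Name  string `json:"name"`
	Owner string `json:"-"` // never leaves the backend
}

// Store is an in-memory stand-in for the database (an assumption of this example).
type Store struct {
	mu      sync.Mutex
	sensors map[string]Sensor // keyed by UUID
}

func NewStore() *Store { return &Store{sensors: map[string]Sensor{}} }

// newUUID returns a random RFC 4122 version-4 UUID from crypto/rand.
func newUUID() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	b[6], b[8] = b[6]&0x0f|0x40, b[8]&0x3f|0x80
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:])
}

// Create adds a sensor for owner; the name must be unique per owner, not globally.
func (s *Store) Create(owner, name string) (Sensor, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	for _, x := range s.sensors {
		if x.Owner == owner && x.Name == name {
			return Sensor{}, fmt.Errorf("sensor name %q already used by this user", name)
		}
	}
	sen := Sensor{UUID: newUUID(), Name: name, Owner: owner}
	s.sensors[sen.UUID] = sen
	return sen, nil
}

// Delete removes uuid only if owner owns it. "Not yours" and "does not exist" are
// deliberately the same answer, so the endpoint cannot be used to probe which UUIDs exist.
func (s *Store) Delete(owner, uuid string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if sen, ok := s.sensors[uuid]; !ok || sen.Owner != owner {
		return false
	}
	delete(s.sensors, uuid)
	return true
}

// userFrom returns the authenticated user id. The example assumes an upstream auth
// layer has verified the session and set X-User; Ochi's real authentication is not shown.
func userFrom(r *http.Request) string { return r.Header.Get("X-User") }

// Handler serves POST /sensors and DELETE /sensor/:uuid.
func Handler(s *Store) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user := userFrom(r)
		if user == "" {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		switch {
		case r.Method == http.MethodPost && r.URL.Path == "/sensors":
			var in struct{ Name string } // json decoding matches "name" case-insensitively
			if err := json.NewDecoder(r.Body).Decode(&in); err != nil || in.Name == "" {
				http.Error(w, "name required", http.StatusBadRequest)
				return
			}
			sen, err := s.Create(user, in.Name)
			if err != nil {
				http.Error(w, err.Error(), http.StatusConflict)
				return
			}
			w.WriteHeader(http.StatusCreated)
			json.NewEncoder(w).Encode(sen)
		case r.Method == http.MethodDelete && strings.HasPrefix(r.URL.Path, "/sensor/"):
			if !s.Delete(user, strings.TrimPrefix(r.URL.Path, "/sensor/")) {
				http.NotFound(w, r) // 404 for both unknown and foreign sensors
				return
			}
			w.WriteHeader(http.StatusNoContent)
		default:
			http.NotFound(w, r)
		}
	})
}

func main() { http.ListenAndServe("127.0.0.1:8080", Handler(NewStore())) }
```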
Add a button to open configuration to the top bar.
On click, open a modal to configure:
dial() and test()
This is crashing the app and I need to reload.
Add a button in the content section to download the raw payload.
This is a feature of chevrotain, documentation is here
I don't think we need to be concerned regarding the performance but have a look at the related section in the documentation.
Outcome: User can save and load their queries.
Metadata:
Flow:
This issue depends on #4
Add a new endpoint GET /configs
Add a new endpoint GET /rules
Populate the config with the Ochi details.