PHARM - Manage , Report, Analyze your distributed Nepenthes instances
What is Nepenthes pharm a.k.a "PHARM"?PHARM - is a client/server tool to manage, report and analyze all your distributed nepenthes instances from one interface.
What is Nepenthes?Excerpt from Nepenthes website: Nepenthes is a versatile tool to collect malware. It acts passively by emulating known vulnerabilities and downloading malware trying to exploit these vulnerabilities.
Pharm Clients listen for any changes in nepenthes log files (logged_submissions and nepenthes.log) and sends over the logged data and malware collected over to the server running the Pharm server.
PHARM server munges all the data collected from Pharm Clients and the web portal provides all the data collected from various Nepenthes based Honeypots. It provides a central location to view all the malware collected on all you nepenthes instances. On the analytical part, Pharm actually queries Virus total's publicly available data to report back the detail of the malware collected.
Little background on this tool, I created this as it was very time consuming to go over logs of all the distributed instances of nepenthes I had.
In PHARM's term, a sensor is basically the IP that the clients uses to connect to the server. That client however could have multiple ips configured running nepenthes.
Brief explanation of Pharm server , clients and Pharm web portal
PHARM has 3 main components. Basically a server, clients and a web portal based on perl and cgi.
Pharm server is deployed on a management box where you would like to collect all the data and malware from all your Nepenthes based honeypots.
Pharm Clients should be deployed on the Nepenthes based honeypots. ** ps: One main pre requisite of Pharm is that your Nepenthes install should be up and running.
Pharm web portal: Is where you can view all the data collected from various Nepenthes installs. Pharm web portal requires a regular apache web server with enabled cgi support and some perl modules installed. We will go over them in this docs.
My strong recommendation would be to put PHARM server behind a firewall allowing only access from specified IPs of Honeypots running PHARM client to the PHARM server.
All rights reserved.