During our presentation on "Lessons Learned from Building and Running MHN, the World's Largest Crowd-sourced Honeynet" at the BSidesSF 2015 conference we released a free and open source (LGPL) Modern Honey Network application for Splunk. The application is available for download from Splunkbase here and the code is available on Github here. Here is a link to a recording of the talk and the slides. Modern Honey Network is a free and open source (LGPL) platform for deploying and managing honeypots and leveraging their data.
The MHN Splunk app allows MHN users to deploy honeypots and then search, explore, analyze, and alert on events from honeypots using their Splunk instance. All page show the last 24 hours of data by default, but this can be changed by selecting a larger date range from time window drop down. Below are some screenshots of some of the dashboards this application includes.
Overview Dashboard: this is the home screen of the MHN Splunk app. It shows a high level summary statistics about all of your honeypots including:
- Number of Attacks
- Unique Attacker IPs
- Unique MD5s collected
- Unique URLs collected
- Number of commands executed
- Attacks per hour
- Global Distribution of attack sources
- And many more
Kippo Analytics: this page shows all the relevant data collected by Kippo honeypots. Kippo is an SSH honeypot that allows attackers to successfully "login" and gain a command shell on an emulated linux system. It allows defenders to capture the commands the attacker uses during their post compromise activities. This can be very useful for getting copies of their tools and locating their distribution sites for malware. This dashboard includes top usernames, passwords, username/password combos, and top commands executed.
p0f Analytics: this page show all the data collected when performing passive OS fingerprinting using p0f. This allows defenders to sometimes glean the operating system, connection type, application name, uptime, and other features about hosts that are actively probing or interacting with your honeypot systems.
Conpot Analytics: this dashboard displays all the event data collected from Conpot, an industrial control systems (ICS) honeypot.
Shockpot Analytics: this dashboard displays all the event data collected from Shockpot. Shockpot is a web application honeypot designed to mimic an application that is vulnerable ShellShock vulnerability and capture HTTP payloads used during exploitation.
Dionaea Analytics: this dashboard displays all the event data collected from Dionaea. Dionaea is a very extensible honeypot that emulates many different services including: SMB, http, ftp, tftp, MSSQL, MySQL, SIP, and SDP. It excels at capturing payloads and malware, especially around Windows exploitation attempts.
Snort/Suricata Analytics: this dashboard displays all the event data collected from Snort or Suricata. Snort and Suricata are not honeypots, but they are incredibly useful when deployed alongside honeypots for providing added context around what specific vulnerabilities are being exploited.
We will continue building out this Splunk application for the other honeypots supported by MHN (Wordpot, ElasticHoney, Glastopf, and Amun) and as new honeypots are added to the MHN platform. This project is open source (LGPL) and we encourage anyone interested to checkout the project out from Github and give us feedback on how to make it better (or pull requests with new features).
If this sort of work interests you, ThreatStream is hiring both researchers and engineers and if you want to be protected from threats like this, sign up to try ThreatStream Optic. Lastly, if you are getting benefit from honeypots we would highly recommend donating to the Honeynet Project, an international 501c3 non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security.