Tango is a set of scripts and Splunk apps which help organizations and users quickly and easily deploy honeypots and then view the data and analysis of the attacker sessions. There are two scripts provided which facilitate the installation of the honeypots and/or Splunk Universal Forwarder. One of the scripts uf_only.sh
will install the Splunk Universal Forwarder and install the necessary input and output configuration files. The other script sensor.sh
will install the Splunk Universal Forwarder along with the Cowrie honeypot required for the Tango Honeypot Intelligence app to work.
Version 2.0 now supports the Cowrie honeypot as well as updates the Sensor forwarders to 6.3.0
There are a few things that should be noted before you install:
This script has been tested on a brand-new install of Ubuntu 14.04 and Cent OS 7 with no reported issues.
To get started, run the commands below and follow the prompts to enter the necessary input.
git clone https://github.com/aplura/Tango.git /tmp/tango; chmod +x /tmp/tango/sensor.sh
cd /tmp/tango/
./sensor.sh
There are some options you can change in /opt/cowrie/cowrie.cfg if you choose, however, some of these will break the forwarding of logs (such as changing the listening port set to 2222), however, there are some extra modules, such as mysql or xmpp logging you can enable if you choose, as well as changing the hostname of the honeypot.
cowrie is highly configurable, so if you wish to add extra commands or output to cowrie, there are tons of resources on github or google, which can help you do that if you choose.
The script will install the required packages based on the OS, then install cowrie, and lastly, install the Splunk Universal Forwarder.
If you already have cowrie honeypots deployed and wish to start analyzing their logs in the Tango Honeypot Intelligence Splunk App, you can run the uf_only.sh script, which will install the Splunk UF on your host, and configure the inputs and outputs necessary to start viewing your logs.
To get started, run the commands below and follow the prompts to enter the necessary input.
git clone https://github.com/aplura/Tango.git /tmp/tango; chmod +x /tmp/tango/uf_only.sh
cd /tmp/tango/
./uf_only.sh
In order to view the logs you are sending from cowrie, you will need to install Splunk Enterprise on a server, and install the Tango Honeypot Intelligence for Splunk App from this repo. There are plenty of guides on Splunk's website to get Splunk Enterprise running, however, the basic gist of setting up a server is this:
/opt/splunk/etc/apps/tango/bin/
. Requests can be found here: Kenneth Reitz Github. This is needed for the VirusTotal lookup.Once in Splunk, you can start using the Tango app to analyze your Honeypot logs.
Now that you have your sensors and server running, you'll want to use the Tango Splunk App to analyze your logs and start identifying what the attackers are doing on your systems. Start by logging into Splunk and clicking on the "Tango Honeypot Intelligence App" on the left-hand side.
Once you enter the app, you'll be first taken to the "Attack Overview" portion of the app, which shows a broad overview of the attacks against your sensors. This includes Attempts vs. Successes, Latest Logins, Attackers logging into multiple locations, etc.
You'll notice at the top of the app, in the navigation pane, there are multiple categories of reports available to you, which include:
Below we will go through each section and describe some of the data available in each section.
This dashboard shows a broad overview of the attacks against your sensors. This includes Attempts vs. Successes, Latest Logins, Attackers logging into multiple locations, etc.
This is one of the most beneficial dashboards available in the app, since it actually shows you what the attacker is doing on your honeypot. At the top of the dashboard, you can see the most recent sessions along with a filter to select a particular sensor. Clicking on a session will populate the panels below, which includes the passwords attempted/accepted, the commands entered, any files downloaded during the session and the raw logs for the session.
Using this dashboard, you can inquire about a certain IP and if seen in the app, you can get valuable information pertaining to that IP to include:
This series of dashboards contains some analytical information, to include the % of sessions with interaction, the various SSH versions seen, some environment details extracted by the session, and a Human vs. Bot Identification dashboard.
In this section, you are able to see various geographical data related to each session and attacker. There are currently three dashboards available:
We also include a map which includes the location of attackers seen.
Currently, this dashboard contains the top usernames and passwords seen being attempted by the attackers, as well as the top username/password combinations.
Starting at the top of this page, you can see the latest files downloaded by attackers, which includes the following:
Below that is the latest "Attempted" file downloads. This contains URL's that were seen in a session that do not have a corresponding SHA256 hash (which indicates a successful download). This can be due to a server error on the hosting website, an incorrect spelling of the file, or if this URL was seen elsewhere in the command, perhaps as an argument or target site of the malware.
Lastly, is a panel which you are able to look up a particular SHA256 hash seen previously downloaded in VirusTotal to retrieve the following information:
Please note that the VirusTotal API is limited to 4 requests per minute. With that being said, you can use this panel to quickly lookup the file hashes seen by in your sessions.
This "lookup" will produce a local "cache" to use in other dashboards, so it's useful to run lookups on any malware you see. This was created do to limitations in the Virustotal API, and will be used as a workaround for the time being.
This dashboard will show the Top 10 Malware Signatures we've seen over time, as well as the most recent legitimate malware. This dashboard is populated from the VirusTotal local "cache" found on the File Analysis page. This dashboard will also show you files that have been downloaded, but, produced no signatures in Virustotal.
This set of reports give you information on possible campaigns associated with your sessions. Currently this includes:
This section will continue to be developed to include other possible campaign attribution by looking at other TTP's associated with each session. This could include commands entered during each session, terminal variables (size, language, SSH keys, etc.). For now, we can see the URL's, Domain's and Filenames that have been seen being used by multiple attackers.
This dashboard currently includes reports on the following:
This dashboard provides geographical information pertaining to each sensor currently deployed. You will find the following information available to you in this dashboard:
This dashboard also provides you with a map populated with the locations of all your sensors deployed.
In this dashboard, you are able to edit a few fields for your sensors, these fields are:
Lastly, this dashboard contains feeds which you can download and integrate with other network monitoring solutions, which will hopefully be automated in the future.
The feeds currently available are:
Below are some screenshots which illustrate the features of Tango: