aplura / Tango

Honeypot Intelligence with Splunk
GNU General Public License v2.0
255 stars 43 forks source link

About

Tango is a set of scripts and Splunk apps which help organizations and users quickly and easily deploy honeypots and then view the data and analysis of the attacker sessions. There are two scripts provided which facilitate the installation of the honeypots and/or Splunk Universal Forwarder. One of the scripts uf_only.sh will install the Splunk Universal Forwarder and install the necessary input and output configuration files. The other script sensor.sh will install the Splunk Universal Forwarder along with the Cowrie honeypot required for the Tango Honeypot Intelligence app to work.

Version 2.0

Version 2.0 now supports the Cowrie honeypot as well as updates the Sensor forwarders to 6.3.0

Before You Begin

There are a few things that should be noted before you install:

Installation

Sensor Installation (Cowrie and Splunk Universal Fowarder)

This script has been tested on a brand-new install of Ubuntu 14.04 and Cent OS 7 with no reported issues.

To get started, run the commands below and follow the prompts to enter the necessary input.

git clone https://github.com/aplura/Tango.git /tmp/tango; chmod +x /tmp/tango/sensor.sh
cd /tmp/tango/
./sensor.sh

There are some options you can change in /opt/cowrie/cowrie.cfg if you choose, however, some of these will break the forwarding of logs (such as changing the listening port set to 2222), however, there are some extra modules, such as mysql or xmpp logging you can enable if you choose, as well as changing the hostname of the honeypot.

cowrie is highly configurable, so if you wish to add extra commands or output to cowrie, there are tons of resources on github or google, which can help you do that if you choose.

The script will install the required packages based on the OS, then install cowrie, and lastly, install the Splunk Universal Forwarder.

Sensor Installation (Splunk UF Only)

If you already have cowrie honeypots deployed and wish to start analyzing their logs in the Tango Honeypot Intelligence Splunk App, you can run the uf_only.sh script, which will install the Splunk UF on your host, and configure the inputs and outputs necessary to start viewing your logs.

To get started, run the commands below and follow the prompts to enter the necessary input.

git clone https://github.com/aplura/Tango.git /tmp/tango; chmod +x /tmp/tango/uf_only.sh
cd /tmp/tango/
./uf_only.sh

Server Installation

In order to view the logs you are sending from cowrie, you will need to install Splunk Enterprise on a server, and install the Tango Honeypot Intelligence for Splunk App from this repo. There are plenty of guides on Splunk's website to get Splunk Enterprise running, however, the basic gist of setting up a server is this:

Once in Splunk, you can start using the Tango app to analyze your Honeypot logs.

Tango Honeypot Intelligence for Splunk App

Now that you have your sensors and server running, you'll want to use the Tango Splunk App to analyze your logs and start identifying what the attackers are doing on your systems. Start by logging into Splunk and clicking on the "Tango Honeypot Intelligence App" on the left-hand side.

Once you enter the app, you'll be first taken to the "Attack Overview" portion of the app, which shows a broad overview of the attacks against your sensors. This includes Attempts vs. Successes, Latest Logins, Attackers logging into multiple locations, etc.

You'll notice at the top of the app, in the navigation pane, there are multiple categories of reports available to you, which include:

Below we will go through each section and describe some of the data available in each section.

Attack Analysis

Attack Overview

This dashboard shows a broad overview of the attacks against your sensors. This includes Attempts vs. Successes, Latest Logins, Attackers logging into multiple locations, etc.

Session Playlog

This is one of the most beneficial dashboards available in the app, since it actually shows you what the attacker is doing on your honeypot. At the top of the dashboard, you can see the most recent sessions along with a filter to select a particular sensor. Clicking on a session will populate the panels below, which includes the passwords attempted/accepted, the commands entered, any files downloaded during the session and the raw logs for the session.

Attacker Profile

Using this dashboard, you can inquire about a certain IP and if seen in the app, you can get valuable information pertaining to that IP to include:

Session Analysis

This series of dashboards contains some analytical information, to include the % of sessions with interaction, the various SSH versions seen, some environment details extracted by the session, and a Human vs. Bot Identification dashboard.

Location Overview

In this section, you are able to see various geographical data related to each session and attacker. There are currently three dashboards available:

We also include a map which includes the location of attackers seen.

Username/Password Analysis

Currently, this dashboard contains the top usernames and passwords seen being attempted by the attackers, as well as the top username/password combinations.

Malware Analysis

File Analysis

Starting at the top of this page, you can see the latest files downloaded by attackers, which includes the following:

Below that is the latest "Attempted" file downloads. This contains URL's that were seen in a session that do not have a corresponding SHA256 hash (which indicates a successful download). This can be due to a server error on the hosting website, an incorrect spelling of the file, or if this URL was seen elsewhere in the command, perhaps as an argument or target site of the malware.

Lastly, is a panel which you are able to look up a particular SHA256 hash seen previously downloaded in VirusTotal to retrieve the following information:

Please note that the VirusTotal API is limited to 4 requests per minute. With that being said, you can use this panel to quickly lookup the file hashes seen by in your sessions.

This "lookup" will produce a local "cache" to use in other dashboards, so it's useful to run lookups on any malware you see. This was created do to limitations in the Virustotal API, and will be used as a workaround for the time being.

Malware Analysis

This dashboard will show the Top 10 Malware Signatures we've seen over time, as well as the most recent legitimate malware. This dashboard is populated from the VirusTotal local "cache" found on the File Analysis page. This dashboard will also show you files that have been downloaded, but, produced no signatures in Virustotal.

Malware Campaigns

This set of reports give you information on possible campaigns associated with your sessions. Currently this includes:

This section will continue to be developed to include other possible campaign attribution by looking at other TTP's associated with each session. This could include commands entered during each session, terminal variables (size, language, SSH keys, etc.). For now, we can see the URL's, Domain's and Filenames that have been seen being used by multiple attackers.

Network Analysis

This dashboard currently includes reports on the following:

Sensor Management

Sensor Status

This dashboard provides geographical information pertaining to each sensor currently deployed. You will find the following information available to you in this dashboard:

This dashboard also provides you with a map populated with the locations of all your sensors deployed.

Edit Sensor

In this dashboard, you are able to edit a few fields for your sensors, these fields are:

Threat Feed

Lastly, this dashboard contains feeds which you can download and integrate with other network monitoring solutions, which will hopefully be automated in the future.

The feeds currently available are:

Screenshots

Below are some screenshots which illustrate the features of Tango:

Attack Overview

Session Analysis

Malware Campaigns

Session Playlog

IOC Feed

Network Analysis

Malware Analysis

To-Do

Credits