losttroll / honeypots


Just few questions #1

Open ehnwebmaster opened 3 years ago

ehnwebmaster commented 3 years ago

Hello,

Interesting and nice project. Great idea, automating the reporting of IPs to Twitter via the API.

May I ask how the honeypot is developed? I mean, you're using Cowrie, yes, but is it dockerized? Custom modifications? AbuseIPDB output via an API Perl script, or using Fail2ban?

I was looking for nice projects for my Raspberry Pi and found this one.

I'm actually using the T-Pot honeypot and the DShield honeypot, basically Cowrie based, but I want to add some Suricata reports to AbuseIPDB (besides SSH, report RPC and Samba attacks).

losttroll commented 3 years ago

Hi,

I am using Cowrie and feeding it to DShield, VirusTotal, and Splunk Free Edition; it is dockerized. Splunk has a nice Cowrie app, and I am already using it for monitoring my various systems at home. The AbuseIPDB integration I wrote in Python. It queries the Splunk API for connections in the last hour, and then does lookups on the unique IPs, and reports them. It then takes the lookup info and regexes the ISP and hostname data for companies of interest, and it will Tweet me if there is a match.

Right now the various scripts I am running are all cronjobs. I am in the process of writing a Discord bot that will operate the various scripts, and notify me if there is something interesting.

It's a great Raspberry Pi project, that's what I started on. I've since migrated the honeypot to a VM and run it on a segmented virtual network.
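An added, offline sketch of the hourly pipeline described in the comment above (not losttroll's own script): it takes constructed Cowrie-style JSON events in place of the Splunk query, deduplicates source IPs seen in the last hour, builds the AbuseIPDB report fields without sending them, and regex-matches a hypothetical ISP/hostname watch list the way the Tweet trigger does. The watch list patterns, timestamps and IPs are all assumptions.

```python
"""Offline sketch of the Cowrie -> AbuseIPDB / watch-list pipeline (added example)."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed Cowrie-style JSON events standing in for the Splunk query result.
SAMPLE_EVENTS = [
    '{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","timestamp":"2024-01-01T10:05:00Z"}',
    '{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","timestamp":"2024-01-01T10:07:00Z"}',
    '{"eventid":"cowrie.session.connect","src_ip":"198.51.100.9","timestamp":"2024-01-01T10:30:00Z"}',
    '{"eventid":"cowrie.login.failed","src_ip":"192.0.2.77","timestamp":"2024-01-01T08:00:00Z"}',
]
NOW = datetime(2024, 1, 1, 11, 0, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible

# Hypothetical watch list: regexes applied to the ISP / hostname fields a lookup returns.
WATCHLIST = [re.compile(p, re.I) for p in (r"example cloud", r"\.acme-hosting\.example$")]

# AbuseIPDB category ids used below: 22 = SSH, 18 = Brute-Force.


def recent_unique_ips(lines, now=NOW, window=timedelta(hours=1)):
    """Return {src_ip: set(eventid)} for events inside the window, deduplicated by IP."""
    seen = {}
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        if now - window <= ts <= now:
            seen.setdefault(ev["src_ip"], set()).add(ev["eventid"])
    return seen


def build_report(ip, eventids):
    """Build the form fields for an AbuseIPDB /api/v2/report call (not sent here)."""
    cats = ["22"]  # every Cowrie hit is an SSH event
    if "cowrie.login.failed" in eventids:
        cats.append("18")  # failed logins count as brute force
    return {"ip": ip, "categories": ",".join(cats),
            "comment": "SSH honeypot: " + ", ".join(sorted(eventids))}


def interesting(lookup):
    """True if the ISP or hostname from an IP lookup matches the watch list."""
    text = " ".join(str(lookup.get(k, "")) for k in ("isp", "hostname"))
    return any(p.search(text) for p in WATCHLIST)


if __name__ == "__main__":
    for ip, ids in recent_unique_ips(SAMPLE_EVENTS).items():
        print(build_report(ip, ids))
```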

ehnwebmaster commented 3 years ago

Hello!

Great, I'm also using the DShield honeypot on a Raspberry Pi 4 right now, also with Cowrie output to the VirusTotal API and AbuseIPDB.

I've tried to migrate to the T-Pot honeypot but the Docker containers are all made for the x86_64 architecture; even emulating with qemu and qus failed, because the ELK stack is too heavy and the Docker containers using Java failed. So now I'm running T-Pot in a virtual machine, also adding output from Cowrie to VirusTotal and AbuseIPDB.

Most are automated scanners, just a few interesting ELF binaries uploaded to VirusTotal. Just using two public Spanish IPs I managed to report nearly 45k in just two months. That's insane. https://www.abuseipdb.com/user/52197

Cool idea to make a Discord or Telegram bot for updates. As an idea, try also to report RDP (TCP port 3389) and ports 445/135, the most attacked ports besides the SSH port.

Thanks for the feedback. It would be nice to share some of your code or make all the scripts public, or make a tutorial or document explaining everything. I'm totally new to the honeypot world, but it seems fascinating! Just trying new honeypots and implementations, that's how I found your project.

losttroll commented 3 years ago

That's a lot of reports in two months! I'm hoping to expand at some point, and rent a few servers in the US and Europe to collect more data. But yeah, RDP is my next goal. I am hopefully going to have that soon, and integrate it with my other processes. SMB/NetBIOS will be after that. I am currently working on HTTP, and collecting data regarding ongoing attacks, and am trying to figure out how to make that data useful.