mrheinen / lophiid

A distributed honeypot for monitoring large scale web attacks
GNU General Public License v2.0

Add IP reputation tracking #13

Closed mrheinen closed 2 months ago

mrheinen commented 2 months ago

It would be useful to track some of the badness around an IP. For example, if an attacker IP sends a payload that is flagged as malicious by VirusTotal then we can be certain that this IP is bad. There are also other signals we can lean on.

Create a table to store IP reputation and create API endpoints to display and query this information. Also update the UI (e.g. requests UI) to add information when we know an IP is bad.

mrheinen commented 2 months ago

First step is/was to add a way to track IP events in a table. We can then query this table to see what the reputation of an IP is. Additionally we get some history on what happens with an IP and track it that way.

mrheinen commented 2 months ago

Here is an example from the table:

```
 16 | 206.81.3.75    | | rule 97 indicated the IP reconned                                          | | RECONNED       | 2024-08-26 19:14:33.96866  | 2024-08-26 19:14:33.968616 |  1 | 14711412
 17 | 118.194.251.58 | | rule 236 indicated the IP attacked                                         | | ATTACKED       | 2024-08-26 19:46:01.122146 | 2024-08-26 19:46:01.122001 |  1 | 14713283
 18 | 142.93.49.151  | | rule 97 indicated the IP reconned                                          | | RECONNED       | 2024-08-26 19:54:01.123056 | 2024-08-26 19:54:01.122917 |  1 | 14713847
 19 | 206.217.206.69 | | rule 109 indicated the IP attacked                                         | | ATTACKED       | 2024-08-26 20:03:01.122259 | 2024-08-26 20:03:01.122105 | 10 | 14714460
 20 | 77.90.22.54    | | Hosted file that VirusTotal reported on (16 malicious, 0 suspicious)       | | HOSTED_MALWARE | 2024-08-26 20:06:01.121885 | 2024-08-26 20:06:01.121747 |  2 | 14714290
 21 | 219.156.96.145 | | Hosted file that VirusTotal reported on (46 malicious, 0 suspicious)       | | HOSTED_MALWARE | 2024-08-26 20:07:01.122372 | 2024-08-26 20:07:01.122231 |  2 | 487764
 22 | 108.233.83.51  | | Hosted file that VirusTotal reported on (7 malicious, 0 suspicious)        | | HOSTED_MALWARE | 2024-08-26 20:08:01.12266  | 2024-08-26 20:08:01.122516 |  2 | 14674014
 23 | 89.39.210.115  | | rule 109 indicated the IP attacked                                         | | ATTACKED       | 2024-08-26 20:13:01.122771 | 2024-08-26 20:13:01.122666 |  7 | 14715029
 24 | 103.114.107.59 | | rule 80 indicated the IP attacked                                          | | ATTACKED       | 2024-08-26 20:19:01.122854 | 2024-08-26 20:19:01.122705 |  1 | 14715377
 25 | 209.38.193.181 | | rule 97 indicated the IP reconned                                          | | RECONNED       | 2024-08-26 20:25:01.122651 | 2024-08-26 20:25:01.122549 |  1 | 14715667
```

mrheinen commented 2 months ago

UI looks like this: [Screenshot Capture - 2024-08-27 - 15-44-20]

mrheinen commented 2 months ago

Also add logic to detect scans: if multiple scan-related events are triggered for the same IP.

mrheinen commented 2 months ago

And update the IP event to also have the IP of the honeypot to be able to detect scans across honeypots.
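The three steps above (an IP event table that is queried for reputation, scan detection from repeated scan-related events, and a honeypot IP column so scans can be correlated across sensors) as one added example. This is illustrative code written for this page, not lophiid's own implementation: the `IPEvent` struct, the `HoneypotIP` field name, the per-event-type weights in `eventWeight`, and the `Reputation` / `IsScanner` functions are all assumptions, and `SampleEvents` is constructed data on TEST-NET addresses rather than a dump from the project. Only the event labels (`RECONNED`, `ATTACKED`, `HOSTED_MALWARE`) and the details strings are taken from the table shown earlier in the thread.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// EventType mirrors the event labels visible in the issue's table dump.
type EventType string

const (
	Reconned      EventType = "RECONNED"
	Attacked      EventType = "ATTACKED"
	HostedMalware EventType = "HOSTED_MALWARE"
)

// IPEvent is a hypothetical in-memory row of an IP event table.
// HoneypotIP is the column the issue proposes adding; the name is assumed.
type IPEvent struct {
	IP         string
	HoneypotIP string
	Type       EventType
	Details    string
	Count      int
	CreatedAt  time.Time
}

// eventWeight is an assumed scoring: hosting a VirusTotal-flagged file is the
// strongest signal, a rule-matched attack is next, plain recon is weakest.
var eventWeight = map[EventType]int{
	Reconned:      1,
	Attacked:      5,
	HostedMalware: 20,
}

// Reputation sums weighted event counts for ip across all honeypots.
// Higher is worse; 0 means no recorded badness for that IP.
func Reputation(events []IPEvent, ip string) int {
	score := 0
	for _, e := range events {
		if e.IP != ip {
			continue
		}
		n := e.Count
		if n < 1 {
			n = 1 // treat a missing/zero count as a single occurrence
		}
		score += eventWeight[e.Type] * n
	}
	return score
}

// IsScanner reports whether ip produced RECONNED events against at least
// minHoneypots distinct honeypots inside any window-sized time span. Recon
// hits on several sensors in a short time is the cross-honeypot scan signal.
func IsScanner(events []IPEvent, ip string, minHoneypots int, window time.Duration) bool {
	var recon []IPEvent
	for _, e := range events {
		if e.IP == ip && e.Type == Reconned {
			recon = append(recon, e)
		}
	}
	if len(recon) == 0 {
		return false
	}
	sort.Slice(recon, func(i, j int) bool { return recon[i].CreatedAt.Before(recon[j].CreatedAt) })
	// Slide a window over the time-ordered recon events, counting distinct honeypots.
	for start := range recon {
		seen := map[string]bool{}
		for _, e := range recon[start:] {
			if e.CreatedAt.Sub(recon[start].CreatedAt) > window {
				break
			}
			seen[e.HoneypotIP] = true
		}
		if len(seen) >= minHoneypots {
			return true
		}
	}
	return false
}

// SampleEvents is constructed test data (TEST-NET addresses), not a project dump.
func SampleEvents() []IPEvent {
	t0 := time.Date(2024, 8, 26, 19, 0, 0, 0, time.UTC)
	return []IPEvent{
		// 192.0.2.10 hits three honeypots within five minutes: a scan.
		{IP: "192.0.2.10", HoneypotIP: "198.51.100.1", Type: Reconned, Details: "rule 97 indicated the IP reconned", Count: 1, CreatedAt: t0},
		{IP: "192.0.2.10", HoneypotIP: "198.51.100.2", Type: Reconned, Details: "rule 97 indicated the IP reconned", Count: 1, CreatedAt: t0.Add(2 * time.Minute)},
		{IP: "192.0.2.10", HoneypotIP: "198.51.100.3", Type: Reconned, Details: "rule 97 indicated the IP reconned", Count: 1, CreatedAt: t0.Add(5 * time.Minute)},
		// 192.0.2.20 hosted a file VirusTotal flagged: bad reputation, but not a scanner.
		{IP: "192.0.2.20", HoneypotIP: "198.51.100.1", Type: HostedMalware, Details: "Hosted file that VirusTotal reported on (16 malicious, 0 suspicious)", Count: 2, CreatedAt: t0.Add(time.Hour)},
		// 192.0.2.30 reconned one honeypot twice, then a second one three hours later.
		{IP: "192.0.2.30", HoneypotIP: "198.51.100.1", Type: Reconned, Count: 1, CreatedAt: t0},
		{IP: "192.0.2.30", HoneypotIP: "198.51.100.1", Type: Reconned, Count: 1, CreatedAt: t0.Add(time.Minute)},
		{IP: "192.0.2.30", HoneypotIP: "198.51.100.2", Type: Reconned, Count: 1, CreatedAt: t0.Add(3 * time.Hour)},
	}
}

func main() {
	ev := SampleEvents()
	for _, ip := range []string{"192.0.2.10", "192.0.2.20", "192.0.2.30"} {
		fmt.Printf("%s reputation=%d scanner=%v\n", ip, Reputation(ev, ip), IsScanner(ev, ip, 3, 10*time.Minute))
	}
}
```

The window and honeypot threshold are the knobs to tune: a single IP touching one sensor repeatedly (192.0.2.30 in the sample) is not a scan, while the same number of recon events spread across several sensors within minutes is.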

mrheinen commented 2 months ago

Additional changes in https://github.com/mrheinen/lophiid/pull/26