I've been running this honeypot for about a month in the latest version. So far, so good.
This morning I went to check on things and I noticed that the web honeypot "public" front end had changed from a "hello world" CMS to a "You've successfully installed Apache Tomcat" splash page.
Is this normal behavior? I'm accustomed to the web front end on the honeypot (is it Tanner?) remaining relatively static. Do the pages change now?
I logged in to the console and took a number of screenshots. The box seemed sluggish and, in fact, all four processors were running at nearly 100%, so I tried a reboot, but the box was still mostly unresponsive in the console and none of the Web interfaces came back up. I paused the VM and took a snapshot, then performed an update.sh, and rebooted a second time. That seemed to stabilize it and reverted the honeypot web front end back to faux-Drupal.
I took a closer look and saw that there was a short period where the web honeypot was unavailable. The change happened between 03:27 (UTC-7) and 03:33 today. The last faux-Drupal page was served at 03:26:58, and then a request was received at 03:27:02 which the honeypot server did not respond to.
At 03:31:36 the honeypot made an HTTP HEAD request to rules.emergingthreatspro.com and to rules.emergingthreats.net. At 03:33:28 the honeypot received an HTTP request for a page and served the Tomcat splash page. Until I rebooted the honeypot, the only pages it delivered were either the Tomcat splash page, or a Tomcat-generated error page.
I have a full PCAP I can provide for the 10 minutes between 03:25 and 03:35 but I'd prefer not to post it here. Please let me know if you'd like a copy of it.
Basic support information
What T-Pot version are you currently using? 18.11
Are you running on a Intel NUC or a VM? VM
How long has your installation been running? ~14 days since last reboot
Did you install any upgrades or packages? no
Did you modify any scripts? no
Have you turned persistence on/off? I don't know what this means
How much RAM is available (login via ssh and run htop)? 10GB
How much stress are the CPUs under (login via ssh and run htop)? 100%
How much swap space is being used (login via ssh and run htop)? 0K
How much free disk space is available (login via ssh and run sudo df -h)? 205GB
What is the current container status (login via ssh and run sudo dps.sh)?
(FWIW dps.sh is in /opt/tpot/bin/ and doesn't run from the tsec home directory)
./dps.sh: 11: ./dps.sh: function: not found
adbhoney Up 6 minutes 0.0.0.0:5555->5555/tcp
ciscoasa Up 6 minutes
conpot_guardian_ast Up 6 minutes 0.0.0.0:10001->10001/tcp
conpot_iec104 Up 6 minutes 0.0.0.0:161->161/tcp, 0.0.0.0:2404->2404/tcp
conpot_ipmi Up 5 minutes 0.0.0.0:623->623/tcp
conpot_kamstrup_382 Up 6 minutes 0.0.0.0:1025->1025/tcp, 0.0.0.0:50100->50100/tcp
cowrie Up 6 minutes 0.0.0.0:22-23->22-23/tcp
cyberchef Up 5 minutes (healthy) 127.0.0.1:64299->8000/tcp
dionaea Up 5 minutes
elasticpot Up 5 minutes 0.0.0.0:9200->9200/tcp
elasticsearch Up 6 minutes (healthy) 127.0.0.1:64298->9200/tcp
ewsposter Up 5 minutes
glutton Up 5 minutes
head Up 3 minutes (healthy) 127.0.0.1:64302->9100/tcp
heralding Up 6 minutes 0.0.0.0:110->110/tcp, 0.0.0.0:143->143/tcp, 0.0.0.0:993->993/tcp, 0.0.0.0:995->995/tcp, 0.0.0.0:5432->5432/tcp, 0.0.0.0:5900->5900/tcp
kibana Up 3 minutes (healthy) 127.0.0.1:64296->5601/tcp
logstash Up 3 minutes (healthy)
mailoney Up 6 minutes 0.0.0.0:25->25/tcp
medpot Up 5 minutes 0.0.0.0:2575->2575/tcp
nginx Up 5 minutes
p0f Up 6 minutes
rdpy Up 5 minutes 0.0.0.0:3389->3389/tcp
snare Up 4 minutes 0.0.0.0:80->80/tcp
spiderfoot Up 6 minutes (healthy) 127.0.0.1:64303->8080/tcp
suricata Up 6 minutes
tanner Up 5 minutes
tanner_api Up 5 minutes
tanner_phpox Up 6 minutes
tanner_redis Up 6 minutes 6379/tcp
tanner_web Up 5 minutes
./dps.sh: 13: ./dps.sh: Syntax error: "}" unexpected
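A small monitoring helper added here (not part of T-Pot and not the poster's own setup) that would have flagged both symptoms in this report: it parses dps.sh-style container lines for anything not Up or reported unhealthy, and compares a SHA-256 of the body served on port 80 with a baseline taken while the faux-Drupal front end was up. The sample lines and baseline text are constructed; the /opt/tpot/bin/dps.sh path is the one given in the post.

```shell
# Constructed sample in the format of T-Pot's dps.sh table (container, state,
# uptime, ports); two lines are deliberately made unhealthy for the demo.
SAMPLE_DPS='cowrie Up 6 minutes 0.0.0.0:22-23->22-23/tcp
elasticsearch Up 6 minutes (healthy) 127.0.0.1:64298->9200/tcp
logstash Up 3 minutes (unhealthy)
snare Up 4 minutes 0.0.0.0:80->80/tcp
tanner Exited (137) 2 minutes ago
tanner_web Up 5 minutes'

# Read dps.sh-style lines on stdin; print the name of every container whose
# state is not "Up" or whose Docker health check reports (unhealthy).
unhealthy_containers() {
    awk '$2 != "Up" || $0 ~ /\(unhealthy\)/ { print $1 }'
}

# Hex SHA-256 of stdin (sha256sum on Linux, shasum on BSD/macOS).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# A honeypot front end is meant to stay static, so hash the body served on
# port 80 and compare it with a baseline captured while the expected
# (faux-Drupal) page was up. Usage: frontpage_changed BASELINE_HEX < body
# Returns 0 (true) when the served page differs from the baseline.
frontpage_changed() {
    [ "$(sha256_hex)" != "$1" ]
}

# Example run against the constructed sample and a constructed baseline.
# On a live T-Pot box the inputs would come from:
#   sudo bash /opt/tpot/bin/dps.sh | unhealthy_containers
#   curl -s http://127.0.0.1/ | frontpage_changed "$BASELINE"
printf '%s\n' "$SAMPLE_DPS" | unhealthy_containers
BASELINE=$(printf 'faux-drupal front page' | sha256_hex)
if printf 'You have successfully installed Apache Tomcat' | frontpage_changed "$BASELINE"; then
    echo "front page changed from baseline"
fi
```

The `function: not found` and `"}" unexpected` lines in the post are what dash (`sh`) prints when a bash-only script is run under it, which is why the snippet above invokes dps.sh explicitly with `bash`.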