Overview

The purpose of this app is to provide dashboards and metrics that help you increase the engagement of attackers on your SSH honeypot. The metrics let you observe how attacker behaviour changes when you make configuration changes to the honeypot. By raising the engagement level of your attackers you should obtain higher-quality threat intelligence than a default installation provides, while the honeypot still remains low-interaction.

Before You Begin

To use Engaged Threat, first download the Engaged Threat Splunk App and follow the installation instructions located here:

https://splunkbase.splunk.com/app/3580/

Restart Splunk after you’ve installed the above app.

Key Notes

The Engaged Threat Splunk App is built on the JSON logging produced by the Cowrie SSH Honeypot. Cowrie is an SSH honeypot forked from Kippo by Michel Oosterhof and can be found here:

https://github.com/micheloosterhof/cowrie
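To make concrete what "engagement" metrics derived from Cowrie's JSON logging look like, here is an added example (not code from the Engaged Threat app or from Cowrie) that parses a constructed sample of Cowrie-style JSON lines and rolls them up into per-session and overall engagement figures: login outcomes, commands entered per session, session duration and the most common commands. The sample log lines are constructed for this example; the event ids and field names (`eventid`, `session`, `src_ip`, `input`, `duration`) are assumed to follow Cowrie's JSON output format, and malformed lines are skipped rather than aborting the run, since forwarded log files often contain partial lines.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of Cowrie-style JSON log lines. The values are made up for
# this example; the eventid/field names are assumed to match Cowrie's JSON output.
# The last line is deliberately not JSON to exercise the skip-malformed-line path.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "session": "a1b2c3d4", "src_ip": "203.0.113.5", "timestamp": "2023-01-01T10:00:00.000000Z"}
{"eventid": "cowrie.login.failed", "session": "a1b2c3d4", "username": "root", "password": "123456", "timestamp": "2023-01-01T10:00:01.000000Z"}
{"eventid": "cowrie.login.success", "session": "a1b2c3d4", "username": "root", "password": "password", "timestamp": "2023-01-01T10:00:02.000000Z"}
{"eventid": "cowrie.command.input", "session": "a1b2c3d4", "input": "uname -a", "timestamp": "2023-01-01T10:00:05.000000Z"}
{"eventid": "cowrie.command.input", "session": "a1b2c3d4", "input": "cat /proc/cpuinfo", "timestamp": "2023-01-01T10:00:09.000000Z"}
{"eventid": "cowrie.session.closed", "session": "a1b2c3d4", "duration": 42.5, "timestamp": "2023-01-01T10:00:42.000000Z"}
{"eventid": "cowrie.session.connect", "session": "e5f6a7b8", "src_ip": "198.51.100.7", "timestamp": "2023-01-01T10:05:00.000000Z"}
{"eventid": "cowrie.login.failed", "session": "e5f6a7b8", "username": "admin", "password": "admin", "timestamp": "2023-01-01T10:05:01.000000Z"}
{"eventid": "cowrie.session.closed", "session": "e5f6a7b8", "duration": 1.2, "timestamp": "2023-01-01T10:05:01.000000Z"}
this line is not JSON and must be skipped
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or non-JSON lines and
    any object that lacks the eventid/session fields every Cowrie event carries."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "eventid" in obj and "session" in obj:
            events.append(obj)
    return events


def session_metrics(events):
    """Group events by Cowrie session id and derive per-session engagement facts."""
    sessions = defaultdict(lambda: {"src_ip": None, "failed_logins": 0,
                                    "login_success": False, "commands": [],
                                    "duration": 0.0})
    for ev in events:
        s = sessions[ev["session"]]
        eid = ev["eventid"]
        if eid == "cowrie.session.connect":
            s["src_ip"] = ev.get("src_ip")
        elif eid == "cowrie.login.failed":
            s["failed_logins"] += 1
        elif eid == "cowrie.login.success":
            s["login_success"] = True
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
        elif eid == "cowrie.session.closed":
            s["duration"] = float(ev.get("duration", 0.0))
    return dict(sessions)


def engagement_summary(sessions):
    """Roll per-session facts up into dashboard-style engagement numbers.
    A session counts as 'engaged' once the attacker has entered at least one command."""
    total = len(sessions)
    engaged = [s for s in sessions.values() if s["commands"]]
    logged_in = sum(1 for s in sessions.values() if s["login_success"])
    cmd_counter = Counter(c for s in sessions.values() for c in s["commands"])
    return {
        "total_sessions": total,
        "sessions_with_login": logged_in,
        "engaged_sessions": len(engaged),
        "engagement_rate": (len(engaged) / total) if total else 0.0,
        "avg_commands_per_engaged_session":
            (sum(len(s["commands"]) for s in engaged) / len(engaged)) if engaged else 0.0,
        "avg_session_duration":
            (sum(s["duration"] for s in sessions.values()) / total) if total else 0.0,
        "top_commands": cmd_counter.most_common(5),
    }


if __name__ == "__main__":
    summary = engagement_summary(session_metrics(parse_events(SAMPLE_LOG)))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Comparing these figures before and after a honeypot configuration change (for example a different banner or filesystem contents) is the kind of before/after observation the dashboards are meant to support; the engagement rate and commands-per-engaged-session are the two numbers that move most when attackers stay longer.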

Sensor Installation

These installation instructions assume that you already have a working Cowrie SSH Honeypot up and running. To start analyzing Cowrie's logs in the Engaged Threat Splunk App you only have to run the splunk_forwarder.sh script, which installs the Splunk Universal Forwarder on your honeypot sensor and configures the inputs and outputs needed to start viewing the logs in the Engaged Threat App.

To get started, follow the commands below and enter the necessary information when prompted.

<pre><code>git clone https://github.com/jamesbower/EngagedThreat.git /tmp/engagedthreat
chmod +x /tmp/engagedthreat/splunk_forwarder.sh
cd /tmp/engagedthreat/
./splunk_forwarder.sh</code></pre>

Using the Engaged Threat Splunk App

When you open the Engaged Threat Splunk App you are taken to the “Overview” section by default. The app contains three other sections: the second is “Session Analysis”, the third is “Session Engagement”, and the fourth and final section is the standard Splunk “Search” section. A synopsis of each section is provided below.

Overview

The “Overview” section provides the key analytics shown in the screenshot below.

[Screenshot: Overview dashboard]

Session Analysis

[Screenshot: Session Analysis dashboard]

Session Engagement

[Screenshot: Session Engagement dashboard]

To-Do

Known Issues

Credits