Using Logstash to add WhoIS information to IP addresses

In my previous post, I talked about how I used Logstash and Memcached to enrich IP addresses collected from HoneypotDB with confidence scores from AbuseIPDB, which worked great! In this post I'll quickly go over how I used the same methods to add Whois data from https://ip-api.com/ to enrich IP addresses with: geolocation data, ISP, organisation, ASN number, ASN name, mobile IP status, VPN/Tor/proxy IP status and datacenter IP status. Creating a Logstash pipeline: Here is my Logstash pipeline to do this; I'd recommend taking a look at my previous post to understand more about how this works.

Using Python to send Wazuh alerts to TheHive

Introduction: In a previous post, I created a bash script to send a Wazuh HIDS alert to TheHive using the TheHive API. This script works pretty well, but it lacked some features I really wanted to add, and it sometimes crashed if the alert contained characters that needed to be properly escaped, such as those in JSON strings. In response to that, I have created a new script, written in Python, that solves these issues. This script uses the click library to take in CLI arguments for alert data, much like the previous script, making it really easy to integrate with ElastAlert, for example.

Using Logstash to add AbuseIPDB confidence scores to IP addresses

Introduction: I really wanted a way to enrich the data collected from my honeypots with data from third-party sources. AbuseIPDB is one such source. If you don't know already, AbuseIPDB allows you to query its API to check whether an IP has previously been reported as involved in malicious activity. You can also pull an up-to-date blacklist of thousands of IP addresses, which is really neat. AbuseIPDB gives each reported IP address an abuse confidence score as a percentage, based on the number, frequency and types of attacks reported.

Collecting data from SSH Honeypots

Introduction: The first of many honeypots are live and data is rolling in! :D I've been chipping away at HoneypotDB, a project to create a global honeypot network comprising many honeypot types that all report to one centralised data index, which can be queried via a public API. So far, I've used Ansible to build and deploy some basic Cowrie SSH honeypots in Docker containers and built a basic Elasticsearch and Logstash setup to analyse and store the collected data.

Storing honeypot data with Elasticsearch and Filebeat

You Know, for Search! I really love Elasticsearch. I've been using it for around 2 years now, both as a user and deploying/managing a fairly large cluster with good data ingest. So I knew Elasticsearch would be the perfect data storage platform for HoneypotDB, my global honeypot project. For those of you that don't know, Elasticsearch is an incredibly scalable, non-relational database that is built from the ground up for massive data ingest, while supporting advanced queries.

Deploying Cowrie SSH Honeypots with Ansible

Introduction: To be able to easily spin up honeypots across the globe, I need an automated way to mass-deploy and configure pots; hurrah for Ansible! Using Ansible: Until now, I had never properly created my own Ansible playbooks. I have had experience using Ansible Tower/AWX to run playbooks, but this opportunity to create my own was great fun. The playbook I've created will install a Cowrie-based SSH honeypot, configured in random mode, allowing attackers to SSH in after a random number of authentication attempts.