Simply parsing through the logs may not always give you a complete picture either.
This blog post walks through the steps I took to build a bigger picture for an attack observation, briefly going over the sources of evidence involved: malicious files, HTTP requests, Cowrie/Webhoneypot JSON logs and PCAPs.
Reviewing the Cowrie JSON logs pulls everything, with all relevant details for each IP address, into a format I find a bit easier to follow.
Some data may not always populate on the SIEM, so it isn't a bad idea to review the logs from the honeypot to confirm.
You could also parse through the logs manually to get similar data.
For me, reviewing these requests on the SIEM or parsing through the logs still didn't answer why.
Since the SIEM wasn't cutting it for me with web requests, I turned to the logs from the sensors to manually parse.
Parsing the logs reveals a lot of details about an IP address or even web requests.
Once you understand the structure of the JSON files, it is simple to parse the logs based on just about any search criteria.
Aside from manually parsing the files like the TELNET/SSH logs, I created a script specific to the format for these logs.
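As an added example (not the script from the post), the following parses Cowrie-style JSON lines, filters on arbitrary key/value criteria, and rolls everything up per source IP address, which is the view the post describes as easier to follow. The log lines are constructed here for illustration; the field names (`eventid`, `src_ip`, `session`, `username`, `password`, `input`, `timestamp`) are the ones Cowrie writes, and the malformed last line shows that a parser should skip bad lines rather than abort.

```python
import json
from collections import defaultdict

# Constructed sample lines in Cowrie's JSON format (not taken from the post).
SAMPLE_LOG = """
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.10", "src_port": 51000, "dst_port": 2222, "session": "a1b2c3d4", "protocol": "ssh", "timestamp": "2024-05-28T10:00:01.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "username": "root", "password": "123456", "session": "a1b2c3d4", "timestamp": "2024-05-28T10:00:02.000000Z"}
{"eventid": "cowrie.login.success", "src_ip": "192.0.2.10", "username": "root", "password": "admin", "session": "a1b2c3d4", "timestamp": "2024-05-28T10:00:03.000000Z"}
{"eventid": "cowrie.command.input", "src_ip": "192.0.2.10", "input": "uname -a", "session": "a1b2c3d4", "timestamp": "2024-05-28T10:00:04.000000Z"}
{"eventid": "cowrie.session.closed", "src_ip": "192.0.2.10", "duration": 3.5, "session": "a1b2c3d4", "timestamp": "2024-05-28T10:00:05.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "src_port": 40000, "dst_port": 2223, "session": "e5f6a7b8", "protocol": "telnet", "timestamp": "2024-05-28T11:00:00.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "admin", "password": "admin", "session": "e5f6a7b8", "timestamp": "2024-05-28T11:00:01.000000Z"}
this line is not json and should be skipped
"""


def load_events(text):
    """Parse one JSON object per line; skip blank or malformed lines instead of failing."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line should not abort the whole review
    return events


def filter_events(events, **criteria):
    """Keep events whose fields equal every given criterion, e.g. eventid="cowrie.login.failed"."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def summarize_by_ip(events):
    """Roll up sessions, logins and commands per source IP, with first/last seen timestamps."""
    summary = defaultdict(lambda: {
        "sessions": set(), "protocols": set(),
        "login_failed": [], "login_success": [], "commands": [],
        "first_seen": None, "last_seen": None,
    })
    for e in events:
        ip = e.get("src_ip")
        if ip is None:
            continue
        s = summary[ip]
        s["sessions"].add(e.get("session"))
        if "protocol" in e:
            s["protocols"].add(e["protocol"])
        eid = e.get("eventid", "")
        if eid == "cowrie.login.failed":
            s["login_failed"].append((e.get("username"), e.get("password")))
        elif eid == "cowrie.login.success":
            s["login_success"].append((e.get("username"), e.get("password")))
        elif eid == "cowrie.command.input":
            s["commands"].append(e.get("input"))
        ts = e.get("timestamp")
        if ts:  # ISO 8601 timestamps sort lexically, so min/max work on the strings
            s["first_seen"] = ts if s["first_seen"] is None else min(s["first_seen"], ts)
            s["last_seen"] = ts if s["last_seen"] is None else max(s["last_seen"], ts)
    return dict(summary)


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for ip, info in summarize_by_ip(evs).items():
        print(ip, len(info["sessions"]), "session(s)", info["protocols"],
              "failed:", len(info["login_failed"]), "ok:", len(info["login_success"]),
              "commands:", info["commands"], info["first_seen"], "->", info["last_seen"])
```

To run this against a real sensor, replace `SAMPLE_LOG` with the contents of `cowrie.json` (or several daily files concatenated) and pass the fields you care about to `filter_events`; the per-IP summary is what you would compare against the SIEM to confirm it is not dropping data.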
While the web logs provide a lot of details, this goes back to what I mentioned earlier: something still seemed to be missing, namely an answer to the question of why these URLs are being accessed.
Having a honeypot running provides only so much insight into what a threat actor is doing just by reviewing the logs.
What you don't get with the web logs from the honeypot is any indication of what the threat actor may be doing - at least not from what I was able to observe.
Going back to how Daemonlogger is set up, it logs one PCAP file to a daily folder.
Parsing through the honeypot logs, I couldn't find any correlation of that command.
Without it, all you would find in the logs is that the HTTP request method is POST and URL is /device.
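The point above is that the web log records only the method and URL, while the request body lives in the PCAP. As an added example (not the author's tooling), the following is a dependency-free reader for the classic pcap format that walks Ethernet/IPv4/TCP, pulls out HTTP requests, and looks up the one that matches a given method and URL from the web log. The capture is constructed in memory (a single POST to /device with a placeholder body) so the example runs offline; a real Daemonlogger file would be read from the daily folder instead.

```python
import struct
import socket

HTTP_METHODS = {b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS", b"PATCH"}


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame; checksums are left zero (not validated here)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(frames, base_ts=1716900000):
    """Wrap frames in a little-endian classic pcap (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", base_ts + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_pcap_frames(data):
    """Yield (timestamp, frame bytes) from classic pcap data of either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def parse_http_request(payload):
    """Return {method, path, headers, body} if the TCP payload starts with an HTTP request line."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": parts[0].decode(), "path": parts[1].decode("latin-1"),
            "headers": headers, "body": body if sep else b""}


def extract_http_requests(pcap_bytes):
    """Walk Ethernet -> IPv4 -> TCP and collect HTTP requests with source/destination."""
    found = []
    for ts, frame in iter_pcap_frames(pcap_bytes):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:  # not TCP
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        doff = (tcp[12] >> 4) * 4
        sport, dport = struct.unpack("!HH", tcp[:4])
        req = parse_http_request(tcp[doff:])
        if req:
            req.update({"ts": ts, "src": socket.inet_ntoa(ip[12:16]), "sport": sport,
                        "dst": socket.inet_ntoa(ip[16:20]), "dport": dport})
            found.append(req)
    return found


def match_log_entry(requests, method, url):
    """Correlate a web-log entry (method + URL) with the full requests seen in the PCAP."""
    return [r for r in requests if r["method"] == method and r["path"] == url]


# Constructed capture: one POST to /device with a placeholder body (not real attacker traffic).
SAMPLE_BODY = b"example=constructed-body"
SAMPLE_PCAP = build_pcap([build_frame(
    "192.0.2.10", "203.0.113.5", 51234, 80,
    b"POST /device HTTP/1.1\r\nHost: 203.0.113.5\r\nContent-Length: "
    + str(len(SAMPLE_BODY)).encode() + b"\r\n\r\n" + SAMPLE_BODY)])

if __name__ == "__main__":
    for r in match_log_entry(extract_http_requests(SAMPLE_PCAP), "POST", "/device"):
        print(r["src"], "->", r["dst"], r["method"], r["path"], "body:", r["body"])
```

This reads whole frames only and does not reassemble TCP streams, so a body split across several segments would need stream reassembly (or a tool such as Wireshark's Follow TCP Stream); it is enough to recover the small POST bodies typically seen on a honeypot and to show that the PCAP, not the web log, is where the "why" lives.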
If you didn't catch the details regarding data retention on the sensor at the start of the internship, the logs are deleted at certain intervals.
If you want to retain logs, set up an automatic way to transfer the logs to a separate system or a separate folder on the sensor.
My first or second attack observation included some logs that just so happened to be at the tail end of when they are deleted.
If you want long-term data retention for any of the logs, transfer the logs to another folder or system.
This Cyber News was published on isc.sans.edu. Publication date: Wed, 29 May 2024 01:13:14 +0000