Splunk and Cowrie Honey Pots


Jeffery W

Feb 17, 2017, 11:52:59 PM
to Modern Honey Network
So I got MHN forwarding events to Splunk and it shows the attack count, but no data for Cowrie is showing in the dashboard. Would I be correct in assuming MHN Splunk doesn't support Cowrie? If not, can it be added, or is it best to ditch Cowrie in favor of Kippo?  Thanks


Jeff

Jason Trost

Feb 18, 2017, 8:27:44 AM
to Jeffery W, Modern Honey Network
That is correct, but the changes needed to support Cowrie are likely very small.  Changing this file is likely all that is needed:


The "type=kippo.sessions" needs to be "(type=kippo.sessions OR type=cowrie.sessions)"

You can make these changes in your local Splunk instance if you simply customize the views.

Ultimately Anomali will need to make these changes, since they own this Splunk app.



--
You received this message because you are subscribed to the Google Groups "Modern Honey Network" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-net...@googlegroups.com.
To post to this group, send email to modern-hon...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/66d08f9f-de3b-4450-af0e-6ba06a8ebc79%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

dgree...@anomali.com

Feb 19, 2017, 4:25:36 AM
to Modern Honey Network, jeff.mag...@gmail.com
I've tokenised the Cowrie dashboard here (allowing you to switch between Cowrie / Kippo / all data):


I haven't tested it, so I can't guarantee this will work perfectly.




dgree...@anomali.com

Feb 19, 2017, 4:29:34 AM
to Modern Honey Network, jeff.mag...@gmail.com
P.S. You can add this XML to the dashboard by navigating to the Cowrie dashboard page > selecting Edit > Edit Source / XML > pasting in the code.

(The original XML is still on GitHub if my code is broken, via the link Jason posted.)
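The search change Jason describes (widening the Kippo-only filter to match both honeypots) and the tokenised dropdown dgree describes (switching between Cowrie, Kippo and all data), combined into one Splunk Simple XML dashboard. This is an added example written for this thread; it is not the XML from the thread and not code from Anomali's MHN Splunk app. Only the field values type=kippo.sessions and type=cowrie.sessions come from the thread; the index name mhn, the field src_ip, the panel titles and the 24-hour default time range are assumptions chosen for illustration and should be replaced with whatever the MHN forwarder actually indexes.

```xml
<!-- Added example: a Simple XML form with a dropdown that selects Cowrie, Kippo or both.
     Assumptions (not from the thread): index "mhn" and field "src_ip" are placeholders. -->
<form>
  <label>Honeypot Sessions (Cowrie / Kippo)</label>
  <fieldset submitButton="false">
    <!-- The selected choice's value is substituted wherever $honeypot_type$ appears below. -->
    <input type="dropdown" token="honeypot_type" searchWhenChanged="true">
      <label>Honeypot</label>
      <choice value="(type=kippo.sessions OR type=cowrie.sessions)">All</choice>
      <choice value="type=cowrie.sessions">Cowrie only</choice>
      <choice value="type=kippo.sessions">Kippo only</choice>
      <default>(type=kippo.sessions OR type=cowrie.sessions)</default>
    </input>
    <input type="time" token="time_range">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Sessions by source address</title>
      <chart>
        <search>
          <!-- Kippo-only form of the search that the thread starts from, which silently
               drops every Cowrie event:  index=mhn type=kippo.sessions | stats count by src_ip -->
          <query>index=mhn $honeypot_type$ | stats count by src_ip | sort -count | head 20</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
    <panel>
      <title>Session count over time, split by honeypot type</title>
      <chart>
        <search>
          <query>index=mhn $honeypot_type$ | timechart span=1h count by type</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

Paste the form in through Edit > Edit Source as described in the message above, replacing the existing dashboard root element. Before trusting the panels, confirm the type values your forwarder actually emits with a plain search such as index=mhn | stats count by type (index name again assumed); if cowrie.sessions is absent there, the problem is upstream of the dashboard and no view change will surface it.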

Wilson Flips

Aug 19, 2018, 2:41:30 PM
to Modern Honey Network
This worked great. Thanks 👍