- Apr 25, 2015
- 1,845
- 2
- 2,199
- 327
Video:
Splunk TCPDUMP honeypot forward Linux terminal commands output - YouTube
I am assuming you have Splunk Cloud or something:
trial: https://www.splunk.com/getsplunk/cloud_trial
1. Install the Splunk Universal Forwarder on a Linux VM.
2. Install your cloud credential file on the VM and restart the Splunk daemon (/opt/splunk...../bin) .. ./splunk restart
3. Go inside /var/log and mkdir 'honey', touch eww, and optionally chmod the file so it is readable by the Splunk log forwarder.
Open up/make /etc/system/local/inputs.conf:
Code:
# Universal Forwarder input: tail the honeypot capture file and ship every new line to Splunk Cloud
[monitor:///var/log/honey/eww]
disabled = 0
Now it is just a matter of the scripting:
Code:
# -tttt full date/time per packet, -q terse one-line output, -l line-buffered so the forwarder sees lines promptly,
# -n no DNS lookups, -s0 whole packets; filter: port 443, minus the Splunk Cloud address the forwarder itself talks to.
# Write to the absolute path the inputs.conf stanza monitors, not to a relative 'eww' in whatever the cwd happens to be.
sudo tcpdump -tttt -q -l -i eth0 -n -s0 port 443 and not net 20.150.32.36/32 > /var/log/honey/eww &
disown   # detach the background capture from this shell so it survives logout
.. give 'er a reboot and you should be set.
Ask any questions!
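As an added example (not from the original post, and not Splunk's or tcpdump's own tooling), here is a small POSIX shell script covering two things the steps above leave to the reader: a systemd unit so the capture comes back after the reboot rather than depending on `&` plus `disown`, and an offline summary of the capture file so you can sanity-check what will reach Splunk before it does. Assumptions, also marked in the code: tcpdump lives at /usr/sbin/tcpdump, the interface is eth0, the 20.150.32.36 address from the post is the Splunk Cloud IP to exclude, systemd is version 240 or newer (for `StandardOutput=append:`), and the sample capture lines are constructed to match tcpdump's `-tttt -q -n` format, not real traffic.

```shell
#!/bin/sh
# Added example for the tcpdump honeypot post; not the post author's code.
# Assumed paths/values: adjust HONEY_DIR, IFACE and SPLUNK_CLOUD_IP for your VM.

HONEY_DIR=/var/log/honey
HONEY_FILE=$HONEY_DIR/eww
IFACE=eth0                       # assumption: the VM's public-facing interface
SPLUNK_CLOUD_IP=20.150.32.36     # the address excluded in the post's filter
TCPDUMP=/usr/sbin/tcpdump        # assumption: Debian/RHEL default location

# Build the BPF filter: all TCP/443 traffic except the forwarder's own uploads
# to Splunk Cloud, so the honeypot never logs its own reporting channel.
honey_filter() {
    printf 'port 443 and not net %s/32' "$1"
}

# Write a systemd unit into the directory given as $1 (so this can be run and
# tested without root; install it with cp into /etc/systemd/system afterwards).
# Restart=always brings the capture back after a reboot or a tcpdump crash,
# which '& ; disown' from an interactive shell does not.
# StandardOutput=append: requires systemd >= 240 (assumption about the host).
honey_write_unit() {
    dir=$1
    cat > "$dir/honeypot-tcpdump.service" <<EOF
[Unit]
Description=tcpdump honeypot capture forwarded by Splunk
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=$TCPDUMP -tttt -q -l -i $IFACE -n -s0 $(honey_filter "$SPLUNK_CLOUD_IP")
StandardOutput=append:$HONEY_FILE
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# Summarise inbound connection attempts from tcpdump '-tttt -q -n' lines on
# stdin. Fields: date time IP src.port > dst.port: proto len. Only packets whose
# destination port is 443 are counted (someone talking to the honeypot), so our
# own replies are ignored. Prints "count ip", highest count first.
honey_top_sources() {
    awk '
        $3 == "IP" && $6 ~ /\.443:$/ {
            src = $4
            sub(/\.[0-9]+$/, "", src)   # strip the source port
            n[src]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample of what the capture file looks like (not real data).
# Second line is the honeypot's reply and must not be counted.
SAMPLE='2015-04-25 14:03:11.123456 IP 203.0.113.5.51234 > 10.0.0.7.443: tcp 0
2015-04-25 14:03:11.123999 IP 10.0.0.7.443 > 203.0.113.5.51234: tcp 0
2015-04-25 14:03:12.000001 IP 198.51.100.9.40001 > 10.0.0.7.443: tcp 0
2015-04-25 14:03:12.500000 IP 203.0.113.5.51235 > 10.0.0.7.443: tcp 0
2015-04-25 14:03:13.000000 IP 198.51.100.9.40002 > 10.0.0.7.443: tcp 0
2015-04-25 14:03:14.000000 IP 192.0.2.77.2222 > 10.0.0.7.443: tcp 0'

# Stand-alone demo: summarise the constructed sample. To install the unit:
#   honey_write_unit /tmp && sudo cp /tmp/honeypot-tcpdump.service /etc/systemd/system/
#   sudo systemctl daemon-reload && sudo systemctl enable --now honeypot-tcpdump
printf '%s\n' "$SAMPLE" | honey_top_sources
```

Once the unit is running, the same summary over the real file (`honey_top_sources < /var/log/honey/eww`) tells you whether the filter is doing its job: if the Splunk Cloud address shows up as a source, the exclusion CIDR is wrong for your tenant. Note also that the forwarder reads its stanza from `$SPLUNK_HOME/etc/system/local/inputs.conf`, which on a default Universal Forwarder install is under /opt/splunkforwarder.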