tcpdump honeypot forward to Splunk

Asphyxia

Owner
Administrator
Apr 25, 2015
1,812
2,177
287
Video:
Splunk TCPDUMP honeypot forward Linux terminal commands output - YouTube

I am assuming you have Splunk Cloud or something:
1621562778236.png
trial: https://www.splunk.com/getsplunk/cloud_trial


1. Install Universal Splunk Forwarder on a Linux VM
2. Install your cloud credential file on the VM, restart Splunk daemon (/opt/splunk...../bin ) .. ./splunk restart
3. Go inside /var/log and mkdir 'honey', touch eww - and optionally chmod the file to be accessible for the Splunk log forwarder.

Open up/make /etc/system/local/inputs.conf:
Code:
[monitor:///var/log/honey/eww]
disabled = 0

Now it is just a matter of the scripting:
Code:
sudo tcpdump -tttt -q -l -i eth0 -n -s0 port 443 and not net 20.150.32.36/32 > eww&
disown

.. give 'er a reboot and you should be set.

Ask any questions!
 
Top