Effective URL: https://blog.edie.io/2020/04/30/diy-ip-threat-feed/
Michael Edie
DIY IP THREAT FEED

May 1, 2020 / April 30, 2020 by tankmek

A threat feed is a collection of actionable information about threats that
allows for mitigating harmful events. This blog post is concerned with
developing an IP-based threat feed, or blacklist. We will look at how to gather,
aggregate, enrich, and extract threat data for consumption.

Table Of Contents
 1. Gathering the threat data
 2. Aggregation of the threat data
 3. Data Enrichment
 4. Extraction

GATHERING THE THREAT DATA

I have several servers in the US, Europe, and Asia running modified versions of
Cowrie, a medium-interaction honeypot. These honeypots allow SSH access by
accepting a login after a random number of guesses for each attacker. The
configuration setting is below:

auth_class = AuthRandom

Once an attacker gains entry to a server, the honeypot records their actions and
saves any artifacts they create. A Splunk Universal Forwarder (UF) monitors the
honeypot log file and ships it to a Security Information and Event Management
(SIEM) platform. This process happens for every honeypot that I have deployed.

AGGREGATION OF THE THREAT DATA

The objective is to consolidate IP addresses from attackers that have gained
unauthorized access to at least one server. Capturing IP addresses that only
scan or connect to one of our servers is not a high-confidence indicator that
they are a malicious actor or a compromised machine. The additional requirement
that they must also gain entry provides enough confidence that the source
address has malicious intent. We can use a Splunk query to achieve the
objective and bucket the aggregated log events that have source IP addresses
with a login_success event type.

At the time of this writing, the query above generated over 15 thousand unique
IP addresses using my honey pot dataset. This generated list can be used in an
IP blacklist or IP based egress filter. Another option is to check how much
overlap exists with commercial and open-source IP lists you utilize.

DATA ENRICHMENT

The IP address list alone has limited value. We can make the data more useful by
adding context. We can pull in third-party IP reputation information from
VirusTotal, AbuseIPDB, and many other providers. The graphic below contains
another Splunk query that enriches the IP address list with the associated
country, last-seen time, and first-seen time.

EXTRACTION

Splunk allows you to run scheduled searches and output the results to a lookup
table. I have a recurring search that saves a CSV file with the results below
and then pushes the changes to a git repo once a day. There is also an option to
save the results as XML, JSON, or PDF.
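The aggregation, enrichment, and extraction steps above are done in the post with Splunk searches over the forwarded honeypot logs. The script below is an added example, not code from the post, from Cowrie, or from Splunk: it applies the same filter (keep only source addresses with at least one successful login) directly to Cowrie's JSON log lines, derives first-seen and last-seen times and a login count per address, adds a country from a lookup table, and writes the result as CSV. The log lines and the country table are constructed for the example; the Cowrie field names (eventid, src_ip, timestamp, session) are real, while the country table stands in for the GeoIP or reputation lookup the post draws from Splunk, VirusTotal or AbuseIPDB. The overlap function covers the post's suggestion of comparing the feed against other IP lists you already use.

```python
import csv
import io
import json

# Constructed sample lines in Cowrie's JSON log format. The field names match
# Cowrie's output; the addresses, times and credentials are made up for this
# example (documentation ranges, not real attackers). One junk line is included
# to show that the parser skips it.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","timestamp":"2020-04-20T01:02:03.000000Z","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"123456","timestamp":"2020-04-20T01:02:05.000000Z","session":"a1"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.10","username":"root","password":"admin","timestamp":"2020-04-20T01:02:07.000000Z","session":"a1"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","timestamp":"2020-04-21T10:00:00.000000Z","session":"b2"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"admin","password":"admin","timestamp":"2020-04-21T10:00:02.000000Z","session":"b2"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","timestamp":"2020-04-25T23:58:50.000000Z","session":"c3"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.10","username":"root","password":"admin","timestamp":"2020-04-25T23:59:00.000000Z","session":"c3"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.55","timestamp":"2020-04-29T08:29:55.000000Z","session":"d4"}
{"eventid":"cowrie.login.success","src_ip":"192.0.2.55","username":"pi","password":"raspberry","timestamp":"2020-04-29T08:30:00.000000Z","session":"d4"}
this line is not json and is skipped
"""

# Constructed stand-in for a GeoIP / reputation lookup (hypothetical values).
COUNTRY_LOOKUP = {
    "203.0.113.10": "NL",
    "198.51.100.7": "US",
    "192.0.2.55": "DE",
}


def parse_cowrie_lines(lines):
    """Yield one dict per valid JSON line; blank or malformed lines are skipped."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def aggregate_successful_logins(events):
    """Return {src_ip: {first_seen, last_seen, logins}} for addresses that produced
    at least one cowrie.login.success event. Scan-only or failed-login sources
    never enter the result, which is the post's confidence requirement."""
    stats = {}
    for ev in events:
        if ev.get("eventid") != "cowrie.login.success":
            continue
        ip, ts = ev.get("src_ip"), ev.get("timestamp")
        if not ip or not ts:
            continue
        entry = stats.setdefault(ip, {"first_seen": ts, "last_seen": ts, "logins": 0})
        # Cowrie timestamps are ISO-8601 UTC strings of fixed layout, so string
        # comparison orders them chronologically.
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["logins"] += 1
    return stats


def enrich(stats, country_lookup):
    """Attach a country to each address; unknown addresses are marked, not dropped."""
    for ip, entry in stats.items():
        entry["country"] = country_lookup.get(ip, "unknown")
    return stats


def to_csv(stats):
    """Render the feed as CSV, most recently seen address first."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["src_ip", "country", "first_seen", "last_seen", "logins"])
    for ip in sorted(stats, key=lambda i: stats[i]["last_seen"], reverse=True):
        e = stats[ip]
        writer.writerow([ip, e["country"], e["first_seen"], e["last_seen"], e["logins"]])
    return buf.getvalue()


def overlap(stats, other_list):
    """Addresses shared with another IP list and the fraction of the feed they cover."""
    shared = sorted(set(stats) & set(other_list))
    return shared, (len(shared) / len(stats) if stats else 0.0)


def build_feed(lines, country_lookup=COUNTRY_LOOKUP):
    """Gather -> aggregate -> enrich -> extract, returning the CSV text."""
    stats = enrich(aggregate_successful_logins(parse_cowrie_lines(lines)), country_lookup)
    return to_csv(stats)


if __name__ == "__main__":
    print(build_feed(SAMPLE_LOG.splitlines()), end="")
```

Point `build_feed` at the lines of a real cowrie.json file to produce the same kind of CSV the scheduled Splunk search writes; swapping `COUNTRY_LOOKUP` for a call to a GeoIP database or a reputation API is the only change needed for the enrichment step.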

Thanks for reading.

Categories Network Security, SIEM Tags blacklist, cowrie, DIY, SIEM, splunk,
threat feed
2 THOUGHTS ON “DIY IP THREAT FEED”

 1. Chad Burch
    July 28, 2020 at 21:46

    Thanks for the knowledge share.

    * tankmek
      August 21, 2020 at 13:23

      No problem. Glad to give back.
© Sawbox Consulting, 2017-2023