18

Maybe a weird question but I've had a public facing HTTP/SSH honeypot for a little bit over a year now and was wondering if there was any place that I can upload my logs to? There are a bunch of automated scans, some interesting RFI / RCE attempts and malicious SSH login attempts and I'm sure it can benefit the community as a whole to log those IP addresses for possible malicious activity. I've asked this on a subreddit before and apparently there are private groups/organizations who collect these, but not any public ones? Can anyone elaborate on this? Is there really no public effort in this domain? Thanks in advance...

vladimir
  • 1
    Interesting question. Look forward to hopefully seeing a response. +1 – Citizen Jun 22 '16 at 00:08
  • 6
    I know of places doing this, but they typically have their own honeypots and (if applicable) do their own scanning. How would they know you're a trusted source? You could easily have a public IP address somewhere and forward a bunch of legit reports, but at the same time insert one or two IP addresses of people you don't like. I'm not saying no project ever accepts outside sources, but this is probably why they are hard to find. – Luc Jul 06 '16 at 00:11

5 Answers

8

One comment by Luc raises an interesting concern. The problem for any site that would accept honeypot logs is to tell whether you're a trusted source or just full of it. They don't want you to accidentally/maliciously include legitimate traffic in an attempt to ruin those users' reputations or simply "dilute" the pool by flooding it with meaningless traffic that is not malicious.

I would suggest you just start your own site, publish logs and follow up manually on the more interesting attacks you've found, possibly by disassembling their malware or trying to track down/shut down the C&C. Try to break the news about newer threats never seen before. You would slowly build yourself a reputation and be recognized as a trusted source by the infosec community.

André Borie
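An added example (not part of the original answer): one way to act on the concern above before publishing honeypot data is to reduce raw SSH logs to a per-source summary that leaves out your own monitors, internal ranges and one-off failures. The log layout (ISO 8601 timestamp followed by OpenSSH "Failed password" lines), the `build_feed` name, the monitor address and the threshold are assumptions, and the sample log is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# OpenSSH "Failed password" line after an ISO 8601 timestamp (assumed log layout).
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Never report these: internal ranges and your own scanners or monitors.
NEVER_REPORT = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "198.51.100.200/32",  # hypothetical address of your own uptime monitor
)]

def build_feed(lines, min_events=2):
    """Return one record per source IP with at least min_events failed logins."""
    seen = defaultdict(lambda: {"events": 0, "users": set()})
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # only failed logins count as evidence
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or junk in the address field
        if any(ip in net for net in NEVER_REPORT):
            continue
        rec = seen[str(ip)]
        rec["events"] += 1
        rec["users"].add(m["user"])
        rec.setdefault("first", m["ts"])
        rec["last"] = m["ts"]
    feed = [{"ip": ip, "events": r["events"], "distinct_users": len(r["users"]),
             "first_seen": r["first"], "last_seen": r["last"]}
            for ip, r in seen.items() if r["events"] >= min_events]
    return sorted(feed, key=lambda r: r["events"], reverse=True)

# Constructed sample log; addresses are from documentation ranges.
SAMPLE = """\
2016-06-22T00:08:01+00:00 pot sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
2016-06-22T00:08:03+00:00 pot sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
2016-06-22T00:08:05+00:00 pot sshd[813]: Failed password for invalid user pi from 203.0.113.7 port 40120 ssh2
2016-06-22T00:09:10+00:00 pot sshd[814]: Failed password for root from 198.51.100.200 port 51000 ssh2
2016-06-22T00:09:40+00:00 pot sshd[815]: Failed password for root from 198.51.100.200 port 51002 ssh2
2016-06-22T00:10:00+00:00 pot sshd[816]: Failed password for root from 192.0.2.44 port 33000 ssh2
""".splitlines()
print(build_feed(SAMPLE))
```

Only the summary (address, counts, first and last seen) leaves the honeypot; attempted usernames are counted but not published.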
3

Check out this platform from AlienVault:

https://otx.alienvault.com

This is an open platform for sharing threat information. Aside from specific malware campaigns, I've seen logs there from private honeypots that people are willing to share with the community.

z4k4
2

I've heard something like this mentioned on the SANS ISC podcast a few times. Have you checked out https://isc.sans.edu/webhoneypot/ ? Seems similar to what you are looking to do.

micah
1

This sounds like a perfect time to dive into AWS if you are able to. Amazon has awesome log management and aggregation services for stuff like this. I would recommend using an ELK stack for the build, but the services you choose are up to you. Technically, you could forward your logs for use in CloudWatch, but it isn't that much more effort to add more functionality to give you actionable logs (i.e. for alerting etc...). Below is a simple diagram I put together that shows how to do this at a high level.

[Image: the diagram referred to above; not preserved]

Also, it seems like you are looking for a standardized way to share information about IOCs. I would also look into OpenIOC and a range of other free tools from Mandiant. Link is below:

OpenIOC

Mandiant Free Tools

0

The Internet Storm Center has a project called "Dshield" that accepts firewall logs and aggregates/publishes their findings.

More information is available at http://www.dshield.org/howto.html

DenyHosts includes a shared attack database. Other similar services include blocklist.de and badips.com.

gbroiles