Cowrie Honeypot Series – Part 2

In part 1 of the Cowrie Honeypot Series I covered configuring the honeypot in Azure and setting up everything needed in Splunk to work with the logs. In today’s blog post, I’m going to be expanding on my Alert Framework and creating a new simple playbook to block SSH connections from attackers. My intent in this small project is to block any attacker’s IP address that successfully connects

Cowrie Honeypot Series – Part 1

This will be a multi-part series on building a cloud-hosted honeypot, integrating it with Splunk, and automating actions based on the intel gathered through Ansible, all orchestrated by Splunk. This blog post will mainly go over the groundwork of getting the honeypot set up and connected to Splunk and Ansible, as well as some scheduled searches set up to gather activity information from the honeypot, and lastly a small

Automating Splunk Universal Forwarder deployment with Ansible

As I’m spinning up more and more VMs on my Proxmox hypervisor, I started getting tired of installing Splunk forwarders on each system. Going out to the Splunk site to grab the wget command, pulling up the Universal Forwarder manual to remember the steps to get it up and running, it all got to be annoying. So, I decided to automate that process using Ansible. I started scratching the surface

Designing an Alert Framework for Splunk

What originally started off as a very simple goal ended up turning into a rather large project that I’m rather happy with. I wanted my homelab Splunk instance to be able to send me emails for various things happening in my environment, but Spectrum doesn’t allow any SMTP traffic to originate from one of their residential IP addresses, so anything sourcing directly from one of my servers was out…

Homelab Hardware and Services

Brief record of what hardware I’m running in my lab, and what it’s being used for: Dell R210 II Running pfSense as a Firewall, router, and OpenVPN server. Specs: CPU: Intel Xeon E3-1220 V2 @ 3.10 GHz Memory: 4 GB DDR3 ECC Storage: 50 GB SSD Dell R210 II Running Splunk as a Standalone server and running Ansible. Specs: CPU: Intel Xeon E3-1230 V2 @ 3.20 GHz Memory: 16 GB