Hello,
I've installed IP Reputation on my Splunk server, but nothing shows up in any of the dashboards.
After requesting a key from www.projecthoneypot.org for http:BL and embedding it in scorelookup.py, the dashboards still do not work.
The script does the lookup by calling Python's socket.gethostbyname(host); I ran it manually, passing the correct query format defined by www.projecthoneypot.org(
I even ran nslookup in a Linux shell like: nslookup
Did I miss anything?
Any help would be very much appreciated!
Hi Kurt,
I just tried this bad IP lookup: http://www.projecthoneypot.org/ip_199.15.233.175
nslookup %mykey%.175.233.15.199.dnsbl.httpbl.org
Response: Address: 127.1.64.5 - as an example, 64 would be the threat score later displayed in the Splunk app.
I even tried
nslookup abcdefghijkl.175.233.15.199.dnsbl.httpbl.org
Response: Address: 127.1.64.5
So that even answers your second question - I have the feeling that currently the Project Honeypot API does not enforce the API key to allow requests... but maybe they will in the future. However, nothing to do with Splunk 😉
With the IP from you I have the same behavior as you. Seems like this IP is not blacklisted.
br
Matthias
Hi Matthias,
Thank you for replying. I know what to do now, thanks.
Regards
Kurt
Good Morning Kurt,
The dashboards might be empty because you haven't configured/set the eventtype=check_ip. This event type was introduced to ensure the app is not going after all your machine data by default. So you can create a search and save that filter as an event type - this will then be displayed on the dashboards. For example, you may want to exclude all your internal IPs (NOT 172.* etc.), and you might even only want to look up accepted connections or logins etc.
Regarding the nslookup, you should review this: "ww*.projecthoneypot.org/httpbl_api.php"
Currently you do not even need the API key. 😉
So sending this query:
nslookup abcdefghijkl.2.1.9.127.dnsbl.httpbl.org
should give you back:
Address: 127.3.5.1
You can test it from your laptop, then from your Splunk search head. At the bottom of the documentation you will even find a lot of other test values.
br
matthias
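The two replies above describe the http:BL query format (access key, then the IPv4 octets reversed, then dnsbl.httpbl.org) and how the 127.x.y.z answer is read (days since last activity, threat score, visitor type). The following is an added example, not scorelookup.py and not code from the app or from Project Honey Pot: it builds the query name, decodes the answer, and treats NXDOMAIN from socket.gethostbyname as "not listed". The access key abcdefghijkl, the FAKE_ZONE table and the fake_resolver are constructed for offline demonstration; the real dns_resolver is included for use against the live zone.

```python
"""Build and decode Project Honey Pot http:BL DNS queries (example code).

Query name:  <access_key>.<d>.<c>.<b>.<a>.dnsbl.httpbl.org   for IPv4 a.b.c.d
Answer:      127.<days since last activity>.<threat score>.<visitor type>
NXDOMAIN:    the address is not listed.
Format as documented at www.projecthoneypot.org/httpbl_api.php.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

HTTPBL_ZONE = "dnsbl.httpbl.org"

# Visitor-type bit flags carried in the fourth octet; 0 means "search engine".
VISITOR_FLAGS = {1: "suspicious", 2: "harvester", 4: "comment spammer"}


@dataclass
class HttpblResult:
    ip: str
    listed: bool
    days_since_last_activity: Optional[int] = None
    threat_score: Optional[int] = None
    visitor_type: Optional[int] = None

    def visitor_labels(self) -> List[str]:
        """Expand the visitor-type bitmask into human-readable labels."""
        if not self.listed:
            return []
        if self.visitor_type == 0:
            return ["search engine"]
        return [name for bit, name in VISITOR_FLAGS.items() if self.visitor_type & bit]


def build_query_name(access_key: str, ip: str) -> str:
    """Return the DNS name to query for `ip`; rejects IPv6 and malformed keys."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("http:BL only covers IPv4 addresses")
    # Assumption: a key is a single alphanumeric label (catches "%mykey%" placeholders).
    if not access_key or not access_key.isalnum():
        raise ValueError("access key must be a single alphanumeric DNS label")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{access_key}.{reversed_octets}.{HTTPBL_ZONE}"


def decode_response(ip: str, answer: Optional[str]) -> HttpblResult:
    """Decode an A-record answer; None (NXDOMAIN) means the IP is not listed."""
    if answer is None:
        return HttpblResult(ip=ip, listed=False)
    octets = answer.split(".")
    if len(octets) != 4 or octets[0] != "127":
        # Anything outside 127.0.0.0/8 is not an http:BL answer (e.g. a resolver
        # that rewrites NXDOMAIN, or a typo in the zone name).
        raise ValueError(f"unexpected http:BL answer {answer!r} for {ip}")
    _, days, score, vtype = (int(o) for o in octets)
    return HttpblResult(ip, True, days, score, vtype)


def dns_resolver(name: str) -> Optional[str]:
    """Live resolver: socket.gethostbyname raises gaierror on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def lookup(access_key: str, ip: str,
           resolver: Callable[[str], Optional[str]] = dns_resolver) -> HttpblResult:
    return decode_response(ip, resolver(build_query_name(access_key, ip)))


# Constructed stand-in for the live zone so the example runs offline.
FAKE_ZONE: Dict[str, str] = {
    build_query_name("abcdefghijkl", "199.15.233.175"): "127.1.64.5",
    build_query_name("abcdefghijkl", "127.9.1.2"): "127.3.5.1",
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for probe in ("199.15.233.175", "127.9.1.2", "10.0.0.1"):
        r = lookup("abcdefghijkl", probe, fake_resolver)
        print(probe, "listed" if r.listed else "not listed",
              r.threat_score, r.visitor_labels())
```

Swap fake_resolver for the default dns_resolver to query the live zone from the search head; an address that answers outside 127.0.0.0/8 is reported as an error rather than silently scored, which is the failure mode to check first when a dashboard stays empty.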
Good morning Matthias,
Thanks for replying. I still have some questions:
I can get correct results by running "nslookup abcdefghijkl.2.1.9.127.dnsbl.httpbl.org" and "nslookup
In scorelookup.py, the "Configuration" section says that I need to copy the http:BL key into the VAR key; why don't I need the API key currently?
Regards
Kurt