Solved: IP reputation apps - does scorelookup.py work?

kurt28 · ‎03-10-2014

Hello,

I've installed IP Reputation in my splunk server, but nothing shows up in all dashboards.

After requesting a key from www.projecthoneypot.org for http:bl and embedding it in scorelookup.py, dashboards still not works.
The script makes lookup by calling python's socket.gethostbyname(host), I ran it manually with passing correct query format defined by www.projecthoneypot.org(..dnsbl.httpbl.org) as parameter host but get an exception about "No address associated with hostname".
Even I ran nslookup in linux shell like : nslookup ..dnsbl.httpbl.org I got "server can't find ..dnsbl.httpbl.org : NXDOMAIN".

Do I miss anything?
Any help will be very appreciate!

Matthias_BY · ‎03-11-2014

Hi Kurt,

i just tried this bad ip lookup: http://www.projecthoneypot.org/ip_199.15.233.175

nslookup %mykey%.175.233.15.199.dnsbl.httpbl.org

Response: Address: 127.1.64.5 - as an example 64 would be the threatscore later in the splunk app displayed.

i even tried

nslookup abcdefghijkl.175.233.15.199.dnsbl.httpbl.org

Response: Address: 127.1.64.5

So that answers even your second question - i have the feeling that currently project honeypot api does not enforce the API key to allow requests... but maybe they do it in the future. however nothing to do with Splunk 😉

with the IP from you i have the same behavior like you. seems like this ip is not blacklisted.

br
Matthias

View solution in original post

Matthias_BY · ‎03-11-2014

Hi Kurt,

i just tried this bad ip lookup: http://www.projecthoneypot.org/ip_199.15.233.175

nslookup %mykey%.175.233.15.199.dnsbl.httpbl.org

Response: Address: 127.1.64.5 - as an example 64 would be the threatscore later in the splunk app displayed.

i even tried

nslookup abcdefghijkl.175.233.15.199.dnsbl.httpbl.org

Response: Address: 127.1.64.5

So that answers even your second question - i have the feeling that currently project honeypot api does not enforce the API key to allow requests... but maybe they do it in the future. however nothing to do with Splunk 😉

with the IP from you i have the same behavior like you. seems like this ip is not blacklisted.

br
Matthias

kurt28 · ‎03-13-2014

Hi Matthias,

Thank you for replying. I know how to do now, thanks.

Regards
Kurt

Matthias_BY · ‎03-11-2014

Good Morning Kurt,

the dashboards might be empty because you haven't configured/set the eventtype=check_ip. this event type was introduced to ensure the app is not going after all your machine data by default. So you can create a search and save those filter as event type - this will then be displayed on the dashboards. for example you want to exclude all your internal IP's (NOT 172.* etc.) and even you might only want to lookup accepted connections or logins etc.

regarding the nslookup you should review this: "ww*.projecthoneypot.org/httpbl_api.php"

currently you even do not need the api key. 😉

So sending this query:

nslookup abcdefghijkl.2.1.9.127.dnsbl.httpbl.org

should give you back:

Address: 127.3.5.1

you can test it from your laptop. then from your splunk search head. on the bottom of the documentation you even find a lot of other test values.

br
matthias

kurt28 · ‎03-11-2014

Good morning Matthias,

Thanks for replying. I still have some questions:

I can get correct results by running "nslookup abcdefghijkl.2.1.9.127.dnsbl.httpbl.org" and "nslookup .2.1.9.127.dnsbl.httpbl.org, however, fail in "abcdefghijkl.94.31.125.74.dnsbl.httpbl.org" and ".94.31.125.74.dnsbl.httpbl.org" where "94.31.125.74" is the reversed ip of "www.google.com.tw"
In scopelookup.py, the "Configuration" says that I need to copy the http:BL key into VAR key, why I don't need the api key currently?

Regards
Kurt

IP reputation apps - does scorelookup.py work?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life