T-Pot integration to SISSDEN

Running the latest T-Pot as a vetted SISSDEN user? You can now contribute your data to SISSDEN!

Over the last couple of years, T-Pot, the Docker-based open source honeypot platform developed by our partner Deutsche Telekom (DTAG), has evolved into one of the most successful honeypot platforms, not only because of its simple setup and low maintenance, but also because of its dashboards and investigation tools.

Setting up multiple honeypots, maintaining the installations over time and eventually analyzing the captured data has always required expert knowledge, which made getting started with honeypots quite challenging. Since 2015, when Deutsche Telekom introduced T-Pot, the effort of setting up, running and maintaining a multi-honeypot system has decreased significantly. Now anyone running a Debian-based virtual machine can turn it into a fully-fledged collection and analysis system. Installing on a blank system is as easy as installing Debian; everything is automated as far as possible.

T-Pot runs numerous honeypot daemons in parallel and forwards the traffic arriving on the network interface to the most suitable of the open source honeypots it bundles. The data is processed and stored in a local ELK stack.

On top of that, all data captured by the honeypot daemons is displayed in dashboards that invite users to dig into the captured data, analyze the attacks and do some research on them.

For those unaware of T-Pot, just head over to their GitHub repo for more information on T-Pot including all the great features.

T-Pot was recently released in version 19.03. It is now based on Debian (Sid) and features new honeypots and tools, plus one small but important addition: hpfeeds submission to our SISSDEN community broker.

Community data submission

Unless you opt out, running T-Pot submits data to DTAG’s community backend by default. This data consists of normalized, comparable attack data from the various honeypot daemons running on T-Pot. DTAG does not use your data for anything in particular (they run their own T-Pot nodes with trusted data), but it is included in their management awareness website to generate statistics.

So by default, you kindly forward attack information to Deutsche Telekom for display purposes and you have your own data stored locally which you can dig and dive into. Piles of nice dashboards, malware artefacts and exploits to review and go through…

Still missing out something? Like sharing data with one of the largest honeypot networks worldwide which actually uses your data for analysis, research and informing the public?

Share your trusted data with SISSDEN and help SISSDEN grow

If you are a registered, vetted SISSDEN user, you now have an additional option to submit attack data via SISSDEN’s hpfeeds community broker and contribute to SISSDEN’s honeypot data collection.

The onboarding process is simple: Once you have signed up at portal.sissden.eu and have completed the vetting process you can request a set of credentials. Just visit https://portal.sissden.eu/profile and click on “Contribute T-Pot logs to SISSDEN”. A form will open and request some additional information from you. Simply fill it out and submit it to us.

Once your request for credentials has been processed, you will receive a set of credentials via email which you can use for data submission to SISSDEN. Setting up data submission to SISSDEN is as simple as T-Pot itself.

On a running T-Pot 19.03, simply

  • run hpfeeds_optin.sh
  • select [1] – SISSDEN
  • Enter the ident provided via email, confirm with <enter>, e.g. share-with-sissden
  • Enter your secret provided by SISSDEN, confirm with <enter>, e.g. SGZnYBXmNwo6QSXXasTtF3OBdquOc1DK (treat the secret like a password: it authenticates your node to the broker, so do not share it or commit it to a repository)

That’s it! You’re done!

The screenshot below shows the flow. It really is just that simple. At the end, your T-Pot instance is configured to submit data to the SISSDEN community hpfeeds broker.
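To make clear what the ident and secret from the opt-in are actually used for, here is an added, self-contained model of the hpfeeds handshake and publish step that an opted-in node performs against a broker. This is illustration code written for this post, not T-Pot’s or SISSDEN’s own code: the credentials, the broker name and the channel name are made-up placeholders, and the broker is simulated in-process. It follows the hpfeeds wire format (4-byte big-endian frame length, 1-byte opcode, length-prefixed strings) and its challenge-response: the broker sends a nonce in its INFO message, the client answers with SHA-1(nonce || secret), so the secret itself never crosses the wire. Note that the PUBLISH payload does, unencrypted, unless the connection is wrapped in TLS.

```python
"""Offline model of the hpfeeds handshake an opted-in T-Pot performs against a broker.

Constructed example for illustration; the ident, secret, broker name and channel
below are placeholders, not real SISSDEN values.
"""
import hashlib
import hmac
import os
import struct

# Opcodes of the hpfeeds wire protocol.
OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH = 0, 1, 2, 3


def hp_str(s: bytes) -> bytes:
    """hpfeeds 'string': one length byte followed by the bytes (max 255)."""
    if len(s) > 255:
        raise ValueError("hpfeeds strings are limited to 255 bytes")
    return bytes([len(s)]) + s


def take_str(buf: bytes):
    """Inverse of hp_str: returns (string, remaining bytes)."""
    n = buf[0]
    return buf[1:1 + n], buf[1 + n:]


def frame(opcode: int, payload: bytes) -> bytes:
    """Frame = 4-byte big-endian total length (header included), 1-byte opcode, payload."""
    return struct.pack("!IB", 5 + len(payload), opcode) + payload


def parse_frame(buf: bytes):
    """Split one complete frame off buf -> (opcode, payload, rest), or None if incomplete."""
    if len(buf) < 5:
        return None
    total, opcode = struct.unpack("!IB", buf[:5])
    if total < 5 or len(buf) < total:
        return None
    return opcode, buf[5:total], buf[total:]


def auth_hash(nonce: bytes, secret: bytes) -> bytes:
    """Challenge response: SHA-1 over nonce || secret. Only this digest is sent, never the secret."""
    return hashlib.sha1(nonce + secret).digest()


# --- client side: what the opted-in node sends ---
def client_auth(ident: bytes, secret: bytes, info_frame: bytes) -> bytes:
    """Consume the broker's INFO frame and build the AUTH frame."""
    opcode, payload, _ = parse_frame(info_frame)
    if opcode != OP_INFO:
        raise ValueError("expected INFO from broker")
    _broker_name, nonce = take_str(payload)
    return frame(OP_AUTH, hp_str(ident) + auth_hash(nonce, secret))


def client_publish(ident: bytes, channel: bytes, data: bytes) -> bytes:
    return frame(OP_PUBLISH, hp_str(ident) + hp_str(channel) + data)


# --- broker side: simulated; a real broker also enforces per-channel permissions ---
class Broker:
    def __init__(self, name: bytes, users: dict):
        self.name = name
        self.users = users            # ident -> secret, as provisioned by the operator
        self.nonce = os.urandom(4)    # fresh challenge per connection
        self.authed = None

    def info(self) -> bytes:
        return frame(OP_INFO, hp_str(self.name) + self.nonce)

    def handle(self, buf: bytes) -> str:
        opcode, payload, _ = parse_frame(buf)
        if opcode == OP_AUTH:
            ident, digest = take_str(payload)
            secret = self.users.get(ident)
            # Constant-time compare; unknown ident and bad digest fail the same way.
            if secret is None or not hmac.compare_digest(digest, auth_hash(self.nonce, secret)):
                return "auth failed"
            self.authed = ident
            return "auth ok"
        if opcode == OP_PUBLISH:
            if self.authed is None:
                return "not authenticated"
            _ident, rest = take_str(payload)
            channel, data = take_str(rest)
            return f"published {len(data)} bytes to {channel.decode()}"
        return "unsupported"


def run_session(ident: bytes, secret: bytes, broker_secret: bytes):
    """Drive one handshake plus publish; report broker replies and whether the secret was on the wire."""
    broker = Broker(b"hpfeeds-sim", {ident: broker_secret})
    wire = []                                           # every frame the client sends
    auth = client_auth(ident, secret, broker.info())
    wire.append(auth)
    results = [broker.handle(auth)]
    event = b'{"event":"ssh-login","src":"203.0.113.7"}'  # constructed sample event
    pub = client_publish(ident, b"tpot-example", event)  # placeholder channel name
    wire.append(pub)
    results.append(broker.handle(pub))
    secret_on_wire = any(secret in f for f in wire)
    return results, secret_on_wire


if __name__ == "__main__":
    print(run_session(b"share-with-sissden", b"s3cret", b"s3cret"))
    print(run_session(b"share-with-sissden", b"wrong", b"s3cret"))
```

Running it with matching credentials yields an accepted AUTH followed by an accepted PUBLISH, and confirms the secret bytes appear in neither frame; with a wrong secret the broker rejects AUTH and refuses the subsequent PUBLISH. The sample event is still visible as plaintext inside the PUBLISH frame, which is why the transport to the broker, not the hpfeeds handshake, is what protects the confidentiality of your submissions.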

Just FYI, T-Pot versions prior to 19.03 are not supported. So just grab a fresh copy of T-Pot 19.03. It’s still hot and fresh! 🙂

Please be reminded that if you run the /opt/tpot/update.sh script you need to opt in again. Ideally, copy tpot.yml before running update.sh. If you forget to do so, no harm done: the T-Pot folks have you covered and you will always find a backup in /root.

Interested to setup and run your own backend?

DTAG has also open sourced their backend for data ingestion, which provides statistics APIs. When running multiple T-Pots, this may be a good place to collect your data centrally. More information can be found at https://github.com/dtag-dev-sec/PEBA. And you can still submit data to both SISSDEN and your own backend!
