
IP Reputation App - Project HoneyPot website is under maintenance

BenTan
Path Finder

Hi,

Currently we are trying to deploy the IP Reputation App to monitor the threat score of IPs going through our Bluecoat proxy servers. However, all the threat scores returned are 0, and when I tried to check projecthoneypot.org, it has been under maintenance for more than 5 days now.

If the projecthoneypot server is down, does it mean this app will stop working?

Any help will be appreciated!

Regards,
Benjamin

0 Karma

mmaier_splunk
Splunk Employee

Hi Benjamin,

Thanks for reaching out and asking. It seems they are in maintenance mode - unusually long, however.

The Splunk App here uses DNS queries to their DNS blacklist via: dnsbl.httpbl.org

I tried an nslookup of a test IP which I documented in scorelookup.py, and it tells me that the destination server is not reachable.

So let's wait some more time and see if the projecthoneypot service comes back - otherwise we need to remove the IP Reputation app.

There are many out-of-the-box threat intelligence lists (including STIX/OpenIOC support) in Splunk's Enterprise Security product (licensed). You can also utilise apps from Kaspersky Threat Intelligence, Symantec, PhishMe, DomainTools etc.

However, there is nothing I can change currently.

Br


0 Karma

mmaier_splunk
Splunk Employee

Update:
Their website is back and everything is working.

mmaier_splunk
Splunk Employee

Hello,
Quick update to this:

It seems the website is still under maintenance. I was looking to put the IP Reputation app offline. However, I tried the service and it gives me the right responses through the DNS blacklist interface if you do nslookups. So the IP lookups are working - just not sure what quality it is currently.

You can follow their upgrade and maintenance updates on the Twitter feed of projecthoneypot:
https://twitter.com/projecthoneypot

best

0 Karma
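An added example, not part of the thread and not the app's scorelookup.py (whose contents are not shown here): a lookup against dnsbl.httpbl.org that keeps "service unreachable" separate from "IP not listed", so an outage is not recorded as threat score 0. The query form and the 127.<days>.<score>.<type> answer layout are taken from Project Honey Pot's public http:BL API description, not from this page; the access key, sample answers, and the errno mapping for NXDOMAIN are assumptions.

```python
import ipaddress
import socket

ZONE = "dnsbl.httpbl.org"  # DNS blacklist zone named in the thread
TYPES = {1: "suspicious", 2: "harvester", 4: "comment_spammer"}


def build_query_name(access_key, ip):
    """Build <key>.<reversed IPv4 octets>.<zone>, the http:BL query form."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on non-IPv4 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{access_key}.{reversed_octets}.{ZONE}"


def interpret_answer(answer):
    """Decode an A record of the form 127.<days>.<score>.<type bitmask>."""
    try:
        first, days, score, kind = ipaddress.IPv4Address(answer).packed
    except ValueError:
        return {"status": "error", "threatscore": None}
    if first != 127:
        # Not a valid http:BL reply (e.g. a hijacked or wildcard answer).
        return {"status": "error", "threatscore": None}
    if kind == 0:
        # Type 0 marks a known search engine; octet 3 is then an engine id.
        return {"status": "search_engine", "threatscore": None}
    labels = [name for bit, name in TYPES.items() if kind & bit]
    return {"status": "listed", "threatscore": score,
            "days_since_seen": days, "types": labels}


def classify_failure(errno_value):
    """Assumption: the resolver reports NXDOMAIN as EAI_NONAME."""
    if errno_value == socket.EAI_NONAME:
        return {"status": "not_listed", "threatscore": 0}
    # Timeouts, SERVFAIL, unreachable server: no verdict, not a zero score.
    return {"status": "unavailable", "threatscore": None}


def lookup(access_key, ip, resolve=socket.gethostbyname):
    """Resolve and decode; `resolve` is injectable for offline testing."""
    try:
        return interpret_answer(resolve(build_query_name(access_key, ip)))
    except socket.gaierror as exc:
        return classify_failure(exc.errno)
```

Indexing the `status` field alongside the score lets a search or alert distinguish an outage of the upstream service from genuinely clean traffic.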

BenTan
Path Finder

Hi,

Thanks for your suggestion! I ended up using the Optiv Threat Intelligence App. Although I am still in the middle of configuration and troubleshooting for the app, it's a good start!

Once again, thank you. 🙂

Regards,
Benjamin

0 Karma