IP Reputation App - Project HoneyPot website is under maintenance

BenTan
Path Finder

Hi,

Currently we are trying to deploy the IP Reputation App to monitor the threatscore of IPs going through our Bluecoat proxy servers. However, all the threatscores returned are 0, and I tried to check projecthoneypot.org and it's been under maintenance for more than 5 days now.

If the projecthoneypot server is down, does it mean this app will stop working?

Any help will be appreciated!

Regards,
Benjamin

0 Karma
1 Solution

mmaier_splunk
Splunk Employee

Hi Benjamin,

Thanks for reaching out and asking. It seems they are in maintenance mode - however, unusually for so long.

The Splunk App here is using DNS queries to their DNS blacklist via: dnsbl.httpbl.org

I tried an nslookup of a test IP which I documented in scorelookup.py and it tells me that the destination server is not reachable.

So let's wait some more time and see if the projecthoneypot service comes back - otherwise we need to remove the IP Reputation app.

There are many out-of-the-box threat intelligence lists (including STIX/OpenIOC support) in Splunk's Enterprise Security product (licensed). You can also utilise apps from Kaspersky Threat Intelligence, Symantec, PhishMe, DomainTools etc.

However, there is nothing I can change currently.

Br

0 Karma
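The symptom in this thread, every threatscore coming back as 0 while the service is unreachable, is what happens when a failed DNS lookup is treated the same as "not listed". The following added example (not the app's scorelookup.py and not Splunk's code) builds an http:BL query name and decodes the answer, keeping "unavailable" separate from a genuine 0. The access key is a placeholder, the function names are hypothetical, and the sample answers are constructed.

```python
import ipaddress
import socket

HTTPBL_ZONE = "dnsbl.httpbl.org"
ACCESS_KEY = "abcdefghijkl"  # placeholder, not a real http:BL access key
VISITOR_TYPES = {1: "suspicious", 2: "harvester", 4: "comment spammer"}

def build_query(ip, key=ACCESS_KEY):
    """Query name: <key>.<IPv4 octets reversed>.dnsbl.httpbl.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join([key] + octets[::-1] + [HTTPBL_ZONE])

def system_resolver(name):
    """A record as text, None on NXDOMAIN; any other DNS error propagates.
    Assumes the platform reports NXDOMAIN as EAI_NONAME."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return None
        raise

def constructed_resolver(name):
    """Constructed sample answers so the example runs without network."""
    if ".7.113.0.203." in name:
        return "127.3.42.5"           # listed: 3 days ago, score 42, type 1|4
    if ".9.113.0.203." in name:
        raise OSError("resolver timed out")  # simulated service outage
    return None                       # NXDOMAIN: address not listed

def lookup(ip, resolver=system_resolver):
    """Classify the answer as listed / not_listed / unavailable."""
    try:
        answer = resolver(build_query(ip))
    except OSError as exc:
        # An outage must not look like a clean IP: no score is reported.
        return {"ip": ip, "status": "unavailable", "threatscore": None,
                "error": str(exc)}
    if answer is None:
        return {"ip": ip, "status": "not_listed", "threatscore": 0}
    first, days, score, vtype = (int(o) for o in answer.split("."))
    if first != 127:  # http:BL answers always start with 127
        return {"ip": ip, "status": "unavailable", "threatscore": None,
                "error": "unexpected answer " + answer}
    types = [n for bit, n in VISITOR_TYPES.items() if vtype & bit]
    # Type 0 is a search engine; the third octet is then not a threat score.
    return {"ip": ip, "status": "listed", "last_seen_days": days,
            "threatscore": score if vtype else 0,
            "types": types or ["search engine"]}
```

Alerting on a sustained run of `unavailable` results is a simple way to notice a feed outage before dashboards fill with zeros.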

mmaier_splunk
Splunk Employee

Update:
Their website is back and everything is working.

mmaier_splunk
Splunk Employee

Hello,
Quick update to this:

Seems the website is still under maintenance. I was looking to put the IP Reputation app offline. However, I tried the service and it gives me the right responses through the DNS blacklist interface if you do nslookups. So the IP lookups are working - just not sure what quality it is currently.

You can follow their upgrade and maintenance updates on the Twitter feed of projecthoneypot:
https://twitter.com/projecthoneypot

Best

0 Karma

BenTan
Path Finder

Hi,

Thanks for your suggestion! I ended up using the Optiv Threat Intelligence App. Although I'm still in the middle of configuration and troubleshooting for the app, it's a good start!

Once again, thank you. 🙂

Regards,
Benjamin

0 Karma