Attack Analysis

Honeypot attack information is stored in an Elasticsearch repository on your local server. To access the data, you will need the API_KEY that was created for your STINGAR instance when you ran the QuickStart script. This key is stored in the stingar.env file in the STINGAR root directory. Treat that file as a secret: anyone holding the key can query the repository, so restrict read access to it and do not copy it into scripts, tickets, or version control.

You may access and analyze data in the Elasticsearch repository in a number of ways:

Elasticsearch Direct Access

You may query the Elasticsearch repository directly using curl, or by entering the query URL into a browser. You need to specify your STINGAR server name and supply your API key in the api-key request header. An example Elasticsearch query:

curl -XGET '{your STINGAR hostname}:9200/stingar-*/_search?pretty' -H 'api-key: {your key}'

Note that a key typed on the command line ends up in your shell history and is visible to other local users in the process list while curl runs. For anything beyond a one-off check, keep the header in a file readable only by you and pass it with -H @headerfile (curl 7.55 or newer), or read the key from stingar.env in a script.

STINGAR API

STINGAR includes an API that provides a set of queries for retrieving data from Elasticsearch in commonly needed ways. For example, it allows you to retrieve all attack events on Cowrie honeypots between two dates; the results are returned in JSON format. An example of such a query:

curl -X GET "{your STINGAR hostname}/api/v2/sessions?from_date=2020-01-28&to_date=2020-01-30&show_data=true&app=cowrie" -H "accept: application/json" -H "api-key: {your api-key}"

For more information, see the STINGAR API documentation.
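The two request forms described above (a direct Elasticsearch search and the /api/v2/sessions endpoint), as an added Python example that is not part of STINGAR's own code. It reads the key from stingar.env-style text instead of taking it on the command line, sends it only in the api-key header, and reduces a search response to the busiest source addresses. Everything not shown on this page is an assumption: the KEY=value layout of stingar.env, the https scheme, the '@timestamp' and 'src_ip' field names in the index, and the sample response and key, which are constructed for the example.

```python
"""Query STINGAR attack data without exposing the API key on the command line.

Added example, not STINGAR project code. Assumed (not from the original page):
stingar.env uses KEY=value lines, the server speaks https, and Elasticsearch
documents carry '@timestamp' and 'src_ip' fields. Adjust to your instance.
"""
import json
import re
import urllib.parse
import urllib.request

# Constructed sample of a stingar.env file; the key is not a real one.
SAMPLE_ENV = """# STINGAR settings written by the QuickStart script
STINGAR_HOSTNAME=stingar.example.org
API_KEY=example-not-a-real-key-0123456789
"""

# Constructed Elasticsearch response with the shape of a real terms aggregation.
SAMPLE_ES_RESPONSE = {
    "hits": {"total": {"value": 7}},
    "aggregations": {"by_src": {"buckets": [
        {"key": "198.51.100.7", "doc_count": 2},
        {"key": "203.0.113.4", "doc_count": 5},
    ]}},
}


def load_api_key(env_text):
    """Return API_KEY from stingar.env-style text (KEY=value, '#' comments)."""
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "API_KEY":
            return value.strip().strip('"').strip("'")
    raise KeyError("API_KEY not found in stingar.env")


def sessions_url(host, from_date, to_date, app="cowrie", show_data=True, scheme="https"):
    """Build the /api/v2/sessions URL shown on this page; dates are YYYY-MM-DD."""
    for d in (from_date, to_date):
        if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", d):
            raise ValueError(f"bad date {d!r}; expected YYYY-MM-DD")
    params = {"from_date": from_date, "to_date": to_date,
              "show_data": "true" if show_data else "false", "app": app}
    return f"{scheme}://{host}/api/v2/sessions?" + urllib.parse.urlencode(params)


def es_query_body(from_date, to_date, top_n=10):
    """Search body for stingar-*/_search: events in the date range, bucketed by
    source IP. The '@timestamp' and 'src_ip' field names are assumptions."""
    return {
        "size": 0,  # aggregation only; no individual hits returned
        "query": {"range": {"@timestamp": {"gte": from_date, "lte": to_date,
                                            "format": "yyyy-MM-dd"}}},
        "aggs": {"by_src": {"terms": {"field": "src_ip", "size": top_n}}},
    }


def build_request(url, api_key, body=None):
    """Create a urllib Request carrying the key only in the api-key header,
    so it never appears in argv, shell history or the process list."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    req.add_header("api-key", api_key)
    req.add_header("accept", "application/json")
    if data:
        req.add_header("content-type", "application/json")
    return req


def top_sources(es_response):
    """Reduce the terms aggregation to [(src_ip, count), ...], highest first."""
    buckets = es_response["aggregations"]["by_src"]["buckets"]
    return sorted(((b["key"], b["doc_count"]) for b in buckets),
                  key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    key = load_api_key(SAMPLE_ENV)  # in practice: open("stingar.env").read()
    host = "stingar.example.org"    # assumed hostname
    api_req = build_request(sessions_url(host, "2020-01-28", "2020-01-30"), key)
    es_req = build_request(f"https://{host}:9200/stingar-*/_search", key,
                           es_query_body("2020-01-28", "2020-01-30"))
    # urllib.request.urlopen(api_req) / urlopen(es_req) would send these live;
    # here the constructed response stands in for the Elasticsearch reply.
    print(api_req.full_url)
    print(json.dumps(es_query_body("2020-01-28", "2020-01-30")))
    print(top_sources(SAMPLE_ES_RESPONSE))
```

To run it against a live instance, replace SAMPLE_ENV with the contents of stingar.env and pass the requests to urllib.request.urlopen; the response of the Elasticsearch request, parsed with json.load, can be fed straight into top_sources.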

Kibana

Kibana is a powerful tool that lets you analyze Elasticsearch data and use the resulting datasets to generate visualizations. To access STINGAR's implementation of Kibana, use the following URL in any browser:

{your hostname}/kibana

STINGAR User Interface: Attack Analysis Page

The STINGAR user interface includes a page that lists all honeypot events and allows you to select and interrogate each one. You may filter the list of events using a number of search criteria.

Attack Analysis Page

The Attack Analysis column headers allow sorting of the data on the page.

The Attack Severity column shows a color indicator of the type of attack, so attack types can be identified at a glance.

Attack Severity