Wiring up a Honeypot Network – BeeSting

Having spent so much time consuming the amazing OSINT produced by researchers across the internet, I felt it was time to give something back. BeeSting is my nickname for a honeypot network I've been building; the goal of the project is to provide another open-source threat intelligence feed for the community as a whole.

Check it out now at https://beesting.tools (or https://beesting.tools/json if you’re a computer).

The honeypot network is built from a combination of open-source utilities that host simulated services, inspect the traffic they receive and evaluate the packets. Data from all nodes is sent via syslog to a centralized receiver; processes running on that node inspect the messages, parse out and normalize the data, then store the events in a MongoDB backend. The feeds linked above are generated from this backend on a periodic basis.

Indicators are tagged based on a variety of attributes: strings present in the alerts they generate in tools such as Snort/Suricata, the ports they are sending to or receiving on, specific flags in the packets, traffic generation patterns, and so on. The project is relatively new and still rapidly evolving as I expand the event parsing capabilities and add honey-services to feed the network.
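To make the ingest path concrete, here is a small Python example I added for this page; it is not BeeSting's own pipeline and makes no claim about how that code is written. It parses syslog lines that carry JSON sensor payloads, normalizes two different sensor layouts onto one schema, tags each event by destination port, alert string, TCP flags and a cross-node traffic pattern, and rolls the result up into a JSON-ready feed. The sample lines, the hypothetical `honeyssh` sensor, the signature names and the tag rules are all constructed for the example, and an in-memory dict stands in for MongoDB.

```python
"""Syslog -> normalized event -> tagged indicator feed (illustrative, not BeeSting's code)."""
import json
import re

# RFC 3164-style syslog header followed by a JSON payload emitted by the sensor.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[\w.-]+)(?:\[\d+\])?: (?P<msg>\{.*\})$"
)

# Constructed sample input: three Suricata EVE-style records from two nodes and one
# record from a hypothetical "honeyssh" service that uses its own field names.
SAMPLE_LINES = [
    '<14>Mar  3 12:00:01 node-a suricata: {"timestamp":"2024-03-03T12:00:01+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":51234,"dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"signature":"CONSTRUCTED SCAN SSH probe","severity":2}}',
    '<14>Mar  3 12:00:02 node-a suricata: {"timestamp":"2024-03-03T12:00:02+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":51235,"dest_ip":"10.0.0.5","dest_port":23,"proto":"TCP","alert":{"signature":"CONSTRUCTED SCAN telnet probe","severity":2}}',
    '<14>Mar  3 12:00:05 node-b suricata: {"timestamp":"2024-03-03T12:00:05+0000","event_type":"flow","src_ip":"203.0.113.9","src_port":40000,"dest_ip":"10.0.0.6","dest_port":445,"proto":"TCP","tcp":{"tcp_flags":"02"}}',
    '<14>Mar  3 12:00:09 node-b honeyssh: {"time":"2024-03-03T12:00:09+0000","peer":"198.51.100.7","peer_port":51240,"service_port":22,"username":"root","password":"123456","result":"failed"}',
    "this line is not syslog and must be skipped, not crash the receiver",
]

# Destination-port tags (constructed mapping for the example).
PORT_TAGS = {22: "ssh", 23: "telnet", 2323: "telnet", 445: "smb", 3389: "rdp", 80: "http", 443: "http"}


def parse_syslog(line):
    """Split a syslog line into (host, sensor tag, decoded JSON payload); None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        payload = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None
    return {"host": m.group("host"), "sensor": m.group("tag"), "payload": payload}


def normalize(host, sensor, payload):
    """Map sensor-specific field names onto one schema; None for unknown sensors."""
    if sensor == "suricata":
        return {
            "ts": payload["timestamp"], "node": host, "sensor": sensor,
            "src_ip": payload["src_ip"], "src_port": payload.get("src_port"),
            "dst_port": payload.get("dest_port"), "proto": payload.get("proto", "").upper(),
            "signature": payload.get("alert", {}).get("signature", ""),
            "tcp_flags": payload.get("tcp", {}).get("tcp_flags"), "credentials": None,
        }
    if sensor == "honeyssh":  # hypothetical sensor with its own field layout
        creds = (payload.get("username"), payload.get("password")) if "username" in payload else None
        return {
            "ts": payload["time"], "node": host, "sensor": sensor,
            "src_ip": payload["peer"], "src_port": payload.get("peer_port"),
            "dst_port": payload.get("service_port"), "proto": "TCP",
            "signature": "", "tcp_flags": None, "credentials": creds,
        }
    return None


def tag_event(ev):
    """Per-event tags from port, alert string, flags and presence of a login attempt."""
    tags = set()
    if ev["dst_port"] in PORT_TAGS:
        tags.add(PORT_TAGS[ev["dst_port"]])
    sig = ev["signature"].upper()
    if "SCAN" in sig:
        tags.add("scanner")
    if "BRUTE" in sig or ev["credentials"]:
        tags.add("bruteforce")
    if ev["tcp_flags"] == "02":  # SYN only: connection attempt that never completed
        tags.add("syn-only")
    return tags


def build_feed(lines, multi_port_threshold=2):
    """Aggregate events per source IP into feed entries; dict replaces the MongoDB backend."""
    by_src = {}
    for line in lines:
        rec = parse_syslog(line)
        ev = normalize(rec["host"], rec["sensor"], rec["payload"]) if rec else None
        if ev is None:
            continue
        ind = by_src.setdefault(ev["src_ip"], {
            "indicator": ev["src_ip"], "first_seen": ev["ts"], "last_seen": ev["ts"],
            "hits": 0, "ports": set(), "nodes": set(), "tags": set(),
        })
        ind["hits"] += 1
        ind["first_seen"] = min(ind["first_seen"], ev["ts"])  # same ISO layout, lexical order works
        ind["last_seen"] = max(ind["last_seen"], ev["ts"])
        ind["ports"].add(ev["dst_port"])
        ind["nodes"].add(ev["node"])
        ind["tags"] |= tag_event(ev)
    # Traffic-pattern tag: one source touching several services across the network.
    for ind in by_src.values():
        if len(ind["ports"]) >= multi_port_threshold:
            ind["tags"].add("multi-port")
    return [
        {**ind, "ports": sorted(ind["ports"]), "nodes": sorted(ind["nodes"]), "tags": sorted(ind["tags"])}
        for ind in sorted(by_src.values(), key=lambda i: i["indicator"])
    ]


if __name__ == "__main__":
    print(json.dumps(build_feed(SAMPLE_LINES), indent=2))
```

The normalization step is the one worth copying: every honey-service ends up with the same field names before tagging runs, so a new sensor only needs one `normalize` branch and none of the tag rules change. The malformed fifth line shows the other property a receiver needs, which is to drop what it cannot parse rather than fail.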

I’ll be writing more about this process in the future but don’t let that stop you from ingesting more intelligence right now!

Published by

Joe Avanzato

Blue Team SME | Purple Team Engineer | Red Team Hunter https://www.linkedin.com/in/joseph-avanzato/