
Tanner "Detection Type" shows only index, unknown and xss #1560

Closed
djoker77 opened this issue May 31, 2024 · 6 comments

Comments

@djoker77

Successfully raise an issue

Before you post your issue make sure it has not been answered yet and provide ⚠️ BASIC SUPPORT INFORMATION (as requested below) if you come to the conclusion it is a new issue.

⚠️ Basic support information (commands are expected to run as root)

We happily take the time to improve T-Pot and take care of things, but we need you to take the time to create an issue that provides us with all the information we need.

  • What OS are you T-Pot running on? Debian 12
  • What T-Pot version are you currently using (only T-Pot 24.04.x is currently supported)? T-Pot 24.04
  • What architecture are you running on (i.e. hardware, cloud, VM, etc.)? VM
  • Review the ~/install_tpot.log, attach the log and highlight the errors.
  • How long has your installation been running? fresh install
  • Did you install upgrades, packages or use the update script? No
  • Did you modify any scripts or configs? If yes, please attach the changes. Yes, deactivated every Honeypot except for Snare/Tanner, Tools were left as they were.
  • What is the current container status (dps)? VM is currently shut down
  • On Linux: What is the status of the T-Pot service (systemctl status tpot)? VM is currently shut down
Hello everyone,
I have a quick question about the results of the Snare/Tanner Honeypot. On the Kibana dashboard, I see that the Tanner Sensor only detected XSS attacks, while categorizing the rest as index or unknown. However, when I analyzed the log data, I found that other attack techniques were also conducted on the honeypot. Do you know why this is happening?
I would greatly appreciate any feedback, as I am currently working on my bachelor's thesis and need to validate the results of the T-POT system. I am unsure why the results turned out this way. Maybe I did something wrong, but I didn't change anything besides the config file and added a custom Snare page for my use case. I also tried it with the default pages provided, same result. Any insights that I can include in my thesis would be extremely helpful.
Thank you very much in advance and a nice weekend!
@t3chn0m4g3
Member

Please provide JSON examples from data/tanner/logs and a screenshot from the dashboard with the visualization(s) you are referring to with annotations of your expectations.

@djoker77
Author

djoker77 commented Jun 1, 2024

[image]
Hi,
sure, in the picture above you can see the diagram I meant; the expectation was to see many more techniques such as SQLi, RFI/LFI or XXE. The example logs you can see here (some fields I blackened for security reasons). If you need some more, just let me know.
[Screenshot 2024-06-01 153815]

[Screenshot 2024-06-01 154545]

@t3chn0m4g3
Member

t3chn0m4g3 commented Jun 2, 2024

Based on the logs you provided, everything works as expected. All the logs you provided indicate type index for the detection field. In consequence, Kibana will only display these types.

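The cross-check the maintainer describes (the dashboard can only show the detection types that actually appear in the log records) can be done directly on the raw logs. The script below is an added example, not part of this thread or of the T-Pot / Tanner projects; the record layout it uses (one JSON object per line with `detection.type`, `path` and `peer.ip`) is an assumption made for the sample, and should be adjusted to the fields present in the files under data/tanner/logs.

```python
import json
from collections import Counter, defaultdict

# Constructed sample lines. The field layout (detection.type, path, peer.ip)
# is an assumption for this example, not the documented Tanner log schema.
SAMPLE_LOG = """\
{"peer": {"ip": "203.0.113.5"}, "path": "/index.html", "detection": {"type": "index"}}
{"peer": {"ip": "203.0.113.5"}, "path": "/login.php", "detection": {"type": "xss"}}
{"peer": {"ip": "198.51.100.9"}, "path": "/", "detection": {"type": "index"}}
{"peer": {"ip": "198.51.100.9"}, "path": "/admin", "detection": {"type": "unknown"}}
{"peer": {"ip": "198.51.100.9"}, "path": "/robots.txt"}
this line is not JSON and must be skipped
"""


def parse_lines(text):
    """Yield one dict per valid JSON line; blank and malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def detection_type(record):
    """Return the detection type of a record, or 'missing' if the field is absent."""
    return record.get("detection", {}).get("type", "missing")


def tally_detection_types(records):
    """Count records per detection type; this is what a type histogram can show."""
    return dict(Counter(detection_type(r) for r in records))


def paths_by_type(records):
    """Map each detection type to the sorted request paths seen under it."""
    seen = defaultdict(set)
    for r in records:
        seen[detection_type(r)].add(r.get("path", "?"))
    return {t: sorted(p) for t, p in seen.items()}


if __name__ == "__main__":
    recs = list(parse_lines(SAMPLE_LOG))
    print(tally_detection_types(recs))
    for t, paths in paths_by_type(recs).items():
        print(f"{t}: {paths}")
```

Feeding the contents of a real log file to `parse_lines` instead of `SAMPLE_LOG` gives the distribution the dashboard is built from; a request that you expected to be classified differently will show up under `index` or `unknown` in the `paths_by_type` output, which tells you whether the gap is in Tanner's classification or in the visualization.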
@djoker77
Author

djoker77 commented Jun 2, 2024

Okay, strange. Do you know what could be the reason for this? Because I have also tried other attack techniques, but Tanner does not recognise them accordingly.

@t3chn0m4g3
Member

t3chn0m4g3 commented Jun 2, 2024

At this point I recommend opening an upstream issue with the developers of snare / tanner. Once this is a confirmed and subsequently fixed issue, we can update snare / tanner accordingly.

@djoker77
Author

djoker77 commented Jun 2, 2024

All right, thank you very much for your time. Could you find more than just XSS attacks, or would Tanner normally detect more attack types?
