Question 1

How do I set up Tango honeypot with Splunk?

Accepted Answer

Run the sensor.sh script on Ubuntu or CentOS to install Cowrie and Splunk Universal Forwarder, then install Splunk Enterprise on a server with the Tango app, configure the VirusTotal API key, and set up a listener on port 9997 as per the README.

Question 2

Tango vs MHN: which is better for threat intelligence?

Accepted Answer

Tango excels with deep Splunk integration for advanced analytics and customizable dashboards, while MHN (Modern Honey Network) offers a lighter, web-based management interface. Choose Tango if you're already using Splunk; MHN for simpler, standalone deployments.

Question 3

Can I use Tango without a VirusTotal API key?

Accepted Answer

Yes, but malware analysis features will be limited. Basic file download tracking works, but the File Analysis dashboard won't provide signature data from VirusTotal, reducing threat identification capabilities.

Question 4

What Linux distributions does Tango support?

Accepted Answer

Tango's installation scripts are tested on Ubuntu 14.04 and CentOS 7, as mentioned in the README. Other distributions might require manual adjustments to the setup process.

Question 5

How to export threat feeds from Tango?

Accepted Answer

In the Tango Splunk app, navigate to the Threat Feed dashboard to download feeds of IPs, URLs, domains, and file hashes. These can be manually integrated with other tools, though automation is planned for future updates.

Question 6

Does Tango support real-time alerting?

Accepted Answer

Tango focuses on post-attack analysis via Splunk dashboards rather than real-time alerts. While Splunk can be configured for alerts, Tango itself doesn't include built-in alerting mechanisms; it's designed for intelligence gathering and reporting.

Tango

What is Tango?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions