FAQs

Frequently Asked Questions.

How can I test/trigger HackerCam?

The StingBox HackerCam feature records a hacker's keystrokes and then sends those to you as a follow-up to the initial alert that your StingBox HoneyPot has been probed.

To test this feature, you can pretend to be a hacker. A typical network intruder will have run an Nmap scan on your network to identify interesting targets, and will see the custom hostname you have given your StingBox and that it has open ports to probe with a password cracker. Both activities will trigger an initial StingBox Alert.

The next step would be for the hacker to SSH to the StingBox. They will now know the IP address of the StingBox. You can copy this next step using any SSH program, like PuTTY for Windows or Termius for iOS.

You’ll enter (replace the Xs with your StingBox IP address):

ssh root@XXX.XXX.XXX.XX

You’ll be prompted for a password and you can enter anything. Press Enter and you will see what a hacker who believes they have successfully gained root access to a machine on your network would see.

StingBox will mimic standard server responses to any standard Linux command. You can (pretend to) download a hacker kit from GitHub or type anything, and HackerCam will record it and send it in an alert as a link you can click to watch or share.

WebHook Alerts

To set up receiving alerts via Webhooks, you need to add the URL to which alerts will be sent on the “Alert Settings” page of your Dashboard.

A request will be sent to that URL every time an alert is triggered (according to the configured severity). The request is always sent using the POST method, and its body contains JSON data about the alert. Each request is sent only once; it is not repeated if your server cannot process it. There are currently no restrictions on the protocol used, so you can use https or http. Here is an example of the JSON structure:

Field Detail:

  • severity: text information about the importance of the alert. The following are currently available: Info, Important, Critical
  • message: content message of alert
  • timestamp: time stamp at which the alert was triggered
  • stingbox_code: unique stingbox code
  • stingbox_name: the name of the stingbox (by default, it is equal to stingbox_code)
  • stingbox_software_version: version of the installed stingbox software
  • cef: messages in CEF format. More details can be found here
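This FAQ describes no authentication for the webhook request and says each alert is sent only once, so the receiving server has to check and store every request itself. The receiver below is an added example, not StingBox code; the secret URL path, the spool file name, the listening port and the assumption that the body is a flat JSON object with the keys listed above are all illustrative.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions (not from the StingBox docs): the URL registered on the dashboard
# ends in a random path token, and the JSON body is a flat object whose
# top-level keys are the field names listed above.
SECRET_PATH = "/stingbox/REPLACE-WITH-RANDOM-TOKEN"
MAX_BODY = 64 * 1024
SEVERITIES = {"Info", "Important", "Critical"}
FIELDS = ("severity", "message", "timestamp", "stingbox_code",
          "stingbox_name", "stingbox_software_version", "cef")

def parse_alert(path, body):
    """Return the validated alert dict; raise ValueError for anything else."""
    if not hmac.compare_digest(path.encode(), SECRET_PATH.encode()):
        raise ValueError("unknown path")
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    alert = json.loads(body)  # decode errors are ValueError subclasses
    if not isinstance(alert, dict):
        raise ValueError("body is not a JSON object")
    missing = [f for f in FIELDS if f not in alert]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    if not isinstance(alert["severity"], str) or alert["severity"] not in SEVERITIES:
        raise ValueError("unexpected severity")
    # Replace control characters so one alert stays one line in downstream logs.
    alert["message"] = "".join(c if c.isprintable() else " " for c in str(alert["message"]))
    return alert

class Hook(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = max(0, min(int(self.headers.get("Content-Length") or 0), MAX_BODY + 1))
            alert = parse_alert(self.path, self.rfile.read(length))
        except (ValueError, RecursionError):
            self.send_response(400)
            self.end_headers()
            return
        # Alerts are not re-sent, so write to disk before acknowledging.
        with open("stingbox-alerts.jsonl", "a", encoding="utf-8") as spool:
            spool.write(json.dumps(alert) + "\n")
        self.send_response(204)
        self.end_headers()

if __name__ == "__main__":
    # Listens on loopback; assumes a TLS-terminating reverse proxy in front.
    HTTPServer(("127.0.0.1", 8080), Hook).serve_forever()
```

Registering an https URL keeps the path token and the alert contents out of cleartext on the network.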

SysLog Alerts

Network professionals can now receive StingBox alerts via Syslog. Currently, sending is performed only via the TCP protocol.

To set up receiving alerts using syslog, you need to configure your server to receive such logs using the TCP protocol. Next, go to the StingBox website and open the alert methods management page. There you will see this new option at the bottom:

To start receiving syslog alerts, you need to specify here the IP address of the server to which the alerts will be sent, as well as the port used. Follow the format specified in this field: <ip>:<port>

If you did everything right and entered the correct address, you will receive alerts on this server. Here’s what such notifications look like:

Messages comply with the CEF format. This format implies the following data set:

CEF:Version – CEF version

|Device Vendor – StingBox

|Device Product – the code of your StingBox from which the message was received

|Device Version – your StingBox software version

|Signature ID – unique alert hash

|Name – this is the alert message itself

|Severity – message severity, from 0 (debug) to 7 (emergency)

More information on the CEF format can be found here: CEF WhitePaper  
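An added example (not StingBox code) of parsing the header fields listed above out of a received syslog line. It assumes that a pipe or backslash inside a field is escaped with a backslash, as the CEF specification requires, and it uses a constructed sample line.

```python
# Header field names follow the CEF field list given above.
HEADER = ("version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")

# Constructed sample: a syslog prefix, then a CEF header whose Name holds an escaped pipe.
SAMPLE = "<134>host CEF:0|StingBox|SBX-EXAMPLE|1.59|0123abcd|SSH command: ps aux \\| grep ssh|5|"

def parse_cef(line):
    """Split a CEF header on unescaped pipes; return a dict or raise ValueError."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    fields, cur, i = [], [], start + len("CEF:")
    while i < len(line) and len(fields) < len(HEADER):
        ch = line[i]
        if ch == "\\" and line[i + 1:i + 2] in ("|", "\\"):
            cur.append(line[i + 1])      # \| and \\ are literal characters
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) == len(HEADER) - 1:   # line ended after Severity, no trailing pipe
        fields.append("".join(cur))
    if len(fields) != len(HEADER):
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER, fields))
    event["severity"] = int(event["severity"])   # ValueError if not numeric
    if not 0 <= event["severity"] <= 7:          # range as documented above
        raise ValueError("severity out of range")
    event["extension"] = line[i:]                # anything after the seventh pipe
    return event

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```

Splitting the same line with a plain `split("|")` would cut the Name field in two at the escaped pipe and shift Severity into the wrong position.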

 

I’d like to resell StingBox, do you have a program?

We work with MSPs, MSSPs, IT professionals, VARs, distributors, and solution providers in a variety of models – please email us at info@stingbox.com to start a conversation. We do not currently work with digital-only drop-shippers.

My StingBox is alerting me too often, how do I stop it?

You can change the alert settings from your dashboard. There are three categories of alert: Critical, Important and Informational. Each can be set with its own unique instructions for how and where to send alerts. You can also always disable any alert methods from your dashboard. You may also consider whitelisting specific IP addresses which cause excessive alerts (e.g. known vulnerability scanners).

How do I test my StingBox to make sure it is working?

Open up any web browser on your local network and enter ftp://YOURSTINGBOXIP into the URL bar (example: ftp://192.168.1.29). You can find your StingBox IP on your dashboard. This will generate an alert for an attempted FTP scan.

Can StingBox really be helping me with such a low cost?

StingBox was designed to be a low cost solution to a tough problem, detecting if someone is snooping on your network. We are able to maintain low costs because of our Software as a Service model and our low cost hardware design.

If I have no alerts on my StingBox, am I guaranteed not to have been hacked?

No, StingBox is a honeypot, not a 100% guarantee you have not been hacked. If an attacker stays on a single host on your network, it is likely that StingBox will not detect the attacker (however, we may have detected the attacker when they were trying to compromise that first host). We suggest having endpoint security for the devices on your network in addition to the StingBox.

I’ve got a new device alert, what should I do?

If you recently connected a device to your network yourself (or someone on your network did), there is nothing to worry about, as it was an expected new device connection. If you can’t figure out what the new device is on your network or why it was installed (e.g. someone you don’t know is using your Wi-Fi connection), you may want to block the device (e.g. on your router).

Does StingBox stop hackers?

No. StingBox HoneyPots are designed to detect network intruders, similar to a building alarm system which does not stop burglars but only detects them. Detection informs and enables response. Improving detection is a critical part of a complete Protection, Detection and Response plan which can stop hackers from winning this battle.

Has StingBox been penetration tested?

No. StingBox HoneyPots are designed to detect network intruders, similar to a building alarm system which does not stop burglars but only detects them. Detection informs and enables response. Improving detection is a critical part of a complete Protection, Detection and Response plan which can stop hackers from winning this battle.

What information does StingBox collect? Where is it Stored?

StingBox collects and stores:

- Attack sessions from attackers (what they typed, how they interacted with the honeypot)
- IP address of your external network interface
- Open ports on your external network interface
- Names and MAC addresses of devices on your network which StingBox discovers with a network scan

This information is sent over an encrypted channel back to StingBox’s cloud servers so you can review this information on your dashboard.

Does the StingBox device support Power over Ethernet (PoE)?

No, but we have tested an inexpensive adapter that we can recommend. POE Texas’ Adapter can be purchased directly at POETexas.com or from Amazon.
Note: It’s important to order the Micro USB version. This adapter has also changed connectors since our initial purchase. You may want to consider the UCTronics adapter below. One of two of these POE Texas adapters we tested failed after 9 months. The other is still running since May of 2000. Full disclosure: The adapter failed while powering an alternative StingBox platform we were testing. The platform still works, but the POE doesn’t. This isn’t a sufficient data set to say for certain that the power supply was the cause of its failure.
There are several other manufacturers on Amazon (7/2022).
Update: StingBox customers are giving positive reviews of this POE splitter from UCTronics.

Can one StingBox have multiple IPs?

StingBox virtual currently does not support multiple network interfaces. If this is a feature you would like, please email support@stingbox.com with the request so we can track demand for this feature.

Do I have to put a unit on each VLAN?

No, as long as the StingBox is reachable by attackers, it will perform its honeypot functions. You may choose to deploy multiple StingBoxes on different segments of your network to create more possible points of detection.

Does StingBox scan across VLANs?

StingBox has support for multiple VLANs with a single subscription. Simply specify the IP ranges on your dashboard and the StingBox will do device discovery on all of your VLANs.

Static IP Instructions

 

You can assign an IP to StingBox by changing a file named “eth0.txt.unset” on the SD card of your StingBox.
This file will only be on your SD card if your StingBox is running software version 1.59 or greater.
If you have an older StingBox, you can obtain this by simply connecting your StingBox to a DHCP network for 10 minutes to download and install the update.

Instructions for setting the IP on a physical StingBox can be found in the “eth0.txt.unset” file or below:

Very Important: After you change the file according to the instructions below, you will need to allow StingBox to boot with the new settings you have added. Then, you must wait 10 minutes to give StingBox time to load and connect. Then you must unplug power and reboot again.

Using a text editor, comment out the DHCP section below (add a # to the start of each line) and uncomment the Static IP section (remove the #). You must know and properly configure your desired IP address, netmask, gateway and nameserver.

Save the file, and rename it from eth0.txt.unset to eth0.txt

*************************************************************************

#configuration for DHCP

auto eth0
iface eth0 inet dhcp

#configuration for Static IP. Uncomment (remove the # from) the 6 lines below to use, and add # to the two lines above

#auto eth0
#iface eth0 inet static
# address 192.168.0.158
# netmask 255.255.255.0
# gateway 192.168.0.1
# dns-nameservers 8.8.8.8

#To have the stingbox use this file to configure the network adapter
#You must rename the file from eth0.txt.unset to eth0.txt
#once this change is made, do not delete eth0.txt
#after changing this file, unplug and plug back in your stingbox (wait 3 minutes) and then unplug and plug back in your stingbox.

 

 

Why do you have a subscription model? I’d like to purchase a StingBox without a Subscription, is that possible?

We only offer StingBox through a subscription. Our subscription model makes StingBox a sustainable business. StingBox is a cloud-delivered subscription service with an optional hardware component. We continually add capabilities and features to StingBox (discovery scanning, open port alerts, HackerCam, etc.) and to our dashboard and alerting services. Additionally, we provide extensive support for our customers. Information on DIY honeypots can be found here: https://www.techtarget.com/whatis/feature/How-to-build-a-honeypot-to-increase-network-security

Why isn’t the StingBox detecting some of the devices/hosts on my network?

StingBox does a best-effort scan of your network using ping and ARP-scanning approaches every 5 minutes. Please make sure you have waited 5 minutes for the StingBox to scan your network. Your network may be in different segments and, by default, StingBox is only able to scan the segment to which it is connected. You may configure custom discovery scanning ranges on your dashboard.

Have other questions? Email us at support@stingbox.com