# Input section
# One file{} input per log source. Each one tails a log under
# /data/<service>/log and stamps its events with a distinct `type`, which is
# what the filter section branches on. Sources that are not JSON hand over
# raw lines for later parsing in the filter section: Ciscoasa (explicit
# plain codec, parsed by kv), Heralding (no codec, parsed by csv) and Rdpy
# (no codec, parsed by grok).
input {
  # Fatt
  file {
    type => "Fatt"
    path => ["/data/fatt/log/fatt.log"]
    codec => json
  }
  # Suricata
  file {
    type => "Suricata"
    path => ["/data/suricata/log/eve.json"]
    codec => json
  }
  # P0f
  file {
    type => "P0f"
    path => ["/data/p0f/log/p0f.json"]
    codec => json
  }
  # Adbhoney
  file {
    type => "Adbhoney"
    path => ["/data/adbhoney/log/adbhoney.json"]
    codec => json
  }
  # Ciscoasa (plain text, key/value pairs)
  file {
    type => "Ciscoasa"
    path => ["/data/ciscoasa/log/ciscoasa.log"]
    codec => plain
  }
  # CitrixHoneypot
  file {
    type => "CitrixHoneypot"
    path => ["/data/citrixhoneypot/logs/server.log"]
    codec => json
  }
  # Conpot (one JSON log per emulated protocol, hence the glob)
  file {
    type => "ConPot"
    path => ["/data/conpot/log/*.json"]
    codec => json
  }
  # Cowrie
  file {
    type => "Cowrie"
    path => ["/data/cowrie/log/cowrie.json"]
    codec => json
  }
  # Dionaea
  file {
    type => "Dionaea"
    path => ["/data/dionaea/log/dionaea.json"]
    codec => json
  }
  # Dicompot
  file {
    type => "Dicompot"
    path => ["/data/dicompot/log/dicompot.log"]
    codec => json
  }
  # ElasticPot
  file {
    type => "ElasticPot"
    path => ["/data/elasticpot/log/elasticpot.json"]
    codec => json
  }
  # Glutton
  file {
    type => "Glutton"
    path => ["/data/glutton/log/glutton.log"]
    codec => json
  }
  # Heralding (CSV, split in the filter section)
  file {
    type => "Heralding"
    path => ["/data/heralding/log/auth.csv"]
  }
  # Honeypy
  file {
    type => "Honeypy"
    path => ["/data/honeypy/log/json.log"]
    codec => json
  }
  # Honeysap
  file {
    type => "Honeysap"
    path => ["/data/honeysap/log/honeysap-external.log"]
    codec => json
  }
  # Honeytrap
  file {
    type => "Honeytrap"
    path => ["/data/honeytrap/log/attackers.json"]
    codec => json
  }
  # Mailoney
  file {
    type => "Mailoney"
    path => ["/data/mailoney/log/commands.log"]
    codec => json
  }
  # Medpot
  file {
    type => "Medpot"
    path => ["/data/medpot/log/medpot.log"]
    codec => json
  }
  # Rdpy (plain text, grok'ed in the filter section)
  file {
    type => "Rdpy"
    path => ["/data/rdpy/log/rdpy.log"]
  }
  # Host NGINX
  file {
    type => "NGINX"
    path => ["/data/nginx/log/access.log"]
    codec => json
  }
  # Tanner
  file {
    type => "Tanner"
    path => ["/data/tanner/log/tanner_report.json"]
    codec => json
  }
}
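# Filter Section
# Per-source normalisation. Every branch keys on the `type` set by the
# matching input, parses the event time into @timestamp and renames the
# source-specific address/port fields to the common src_ip / src_port /
# dest_ip / dest_port names that the shared geoip, IP-reputation and
# integer-conversion steps at the end of this section rely on.
#
# Changes against the previous revision:
#  - the third CitrixHoneypot grok pattern read "%{GREEDYDATA:payload:string:string}"
#    (doubled type suffix); it now matches its sibling patterns.
#  - repeated remove_field keys within one plugin block are written as a
#    single list (Logstash concatenates duplicate array attributes, so the
#    set of removed fields is unchanged).
filter {
  # Fatt
  if [type] == "Fatt" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    # The per-protocol fingerprint objects get a fatt_ prefix, presumably so
    # they do not collide with same-named objects from other sources —
    # confirm against the index mapping.
    mutate {
      rename => {
        "sourceIp" => "src_ip"
        "destinationIp" => "dest_ip"
        "sourcePort" => "src_port"
        "destinationPort" => "dest_port"
        "gquic" => "fatt_gquic"
        "http" => "fatt_http"
        "rdp" => "fatt_rdp"
        "ssh" => "fatt_ssh"
        "tls" => "fatt_tls"
      }
    }
  }
  # Suricata
  if [type] == "Suricata" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    # Map the alert signature id to a CVE id via the listbot dictionary,
    # re-read once a day. No fallback is set, so signatures without a
    # dictionary entry simply get no [alert][cve_id].
    translate {
      refresh_interval => 86400
      field => "[alert][signature_id]"
      destination => "[alert][cve_id]"
      dictionary_path => "/etc/listbot/cve.yaml"
      # fallback => "-"
    }
  }
  # P0f
  if [type] == "P0f" {
    date {
      # p0f writes "yyyy/MM/dd HH:mm:ss"; the slashes are quoted so the
      # Joda pattern treats them literally.
      match => [ "timestamp", "yyyy'/'MM'/'dd HH:mm:ss" ]
      remove_field => ["timestamp"]
    }
    mutate {
      rename => {
        "server_port" => "dest_port"
        "server_ip" => "dest_ip"
        "client_port" => "src_port"
        "client_ip" => "src_ip"
      }
    }
  }
  # Adbhoney
  if [type] == "Adbhoney" {
    date {
      match => [ "timestamp", "ISO8601" ]
      remove_field => ["unixtime"]
    }
  }
  # Ciscoasa
  if [type] == "Ciscoasa" {
    # Plain-text line of "key:value, key:value" pairs; quotes and braces
    # around keys and values are stripped while splitting.
    kv {
      remove_char_key => " '{}"
      remove_char_value => "'{}"
      value_split => ":"
      field_split => ","
    }
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    # No destination address is parsed from the log, so the sensor's own
    # external IP is stamped on. ${MY_EXTIP} has no default, so Logstash
    # refuses to start when the variable is unset.
    mutate {
      add_field => {
        "dest_ip" => "${MY_EXTIP}"
      }
    }
  }
  # CitrixHoneypot
  if [type] == "CitrixHoneypot" {
    # Patterns are tried in order; the last one is a catch-all so only lines
    # without the "(ip:port): " prefix end up tagged _grokparsefailure (and
    # are then dropped further down). The :string/:integer suffixes are kept
    # as written — grok documents only int and float conversions, so they
    # are presumably no-ops; ports are coerced to integer at the end of this
    # section anyway.
    grok {
      match => {
        "message" => [ "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{UNIXPATH:fileinfo.filename:string}",
                       "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string}",
                       "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{S3_REQUEST_LINE:msg:string} %{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string}",
                       "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{GREEDYDATA:msg:string}" ]
      }
    }
    date {
      match => [ "asctime", "ISO8601" ]
      # The raw line is dropped once parsed; the grok'ed fields carry it.
      remove_field => ["asctime", "message"]
    }
    # The log carries no destination port; the honeypot's HTTPS port is
    # stamped on as a constant.
    mutate {
      add_field => {
        "dest_port" => "443"
      }
      rename => {
        "levelname" => "level"
      }
    }
  }
  # Conpot
  if [type] == "ConPot" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "dst_port" => "dest_port"
        "dst_ip" => "dest_ip"
      }
    }
  }
  # Cowrie
  if [type] == "Cowrie" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "dst_port" => "dest_port"
        "dst_ip" => "dest_ip"
      }
    }
  }
  # Dionaea
  if [type] == "Dionaea" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "dst_port" => "dest_port"
        "dst_ip" => "dest_ip"
      }
      # Dionaea logs IPv4 peers as IPv4-mapped IPv6 ("::ffff:a.b.c.d");
      # strip the prefix so the address is a plain IPv4 literal for geoip.
      gsub => [
        "src_ip", "::ffff:", "",
        "dest_ip", "::ffff:", ""
      ]
    }
    # Flatten the nested credentials object into top-level username /
    # password. This relies on add_field being applied before remove_field
    # within the same mutate.
    if [credentials] {
      mutate {
        add_field => {
          "username" => "%{[credentials][username]}"
          "password" => "%{[credentials][password]}"
        }
        remove_field => "[credentials]"
      }
    }
  }
  # Dicompot
  if [type] == "Dicompot" {
    date {
      match => [ "time", "yyyy-MM-dd HH:mm:ss" ]
      remove_field => ["time", "timestamp"]
    }
    mutate {
      rename => {
        "[Address][IP]" => "src_ip"
        "[Address][Port]" => "src_port"
        "[Address][Zone]" => "zone"
        "AETitle" => "aetitle"
        "Command" => "input"
        "Files" => "files"
        "Identifier" => "identifier"
        "Matches" => "matches"
        "Status" => "session"
        "Version" => "version"
      }
    }
    # Whatever is left of the Address object after the renames is dropped.
    if [Address] {
      mutate {
        remove_field => "[Address]"
      }
    }
  }
  # ElasticPot
  if [type] == "ElasticPot" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "content_type" => "http.http_content_type"
        "dst_port" => "dest_port"
        "dst_ip" => "dest_ip"
        "message" => "event_type"
        "request" => "request_method"
        "user_agent" => "http_user_agent"
        "url" => "http.url"
      }
    }
  }
  # Glutton
  if [type] == "Glutton" {
    date {
      # Glutton writes a UNIX epoch timestamp in `ts`.
      match => [ "ts", "UNIX" ]
      remove_field => ["ts"]
    }
  }
  # Heralding
  if [type] == "Heralding" {
    # auth.csv has no header row; the column names are given here.
    csv {
      columns => ["timestamp","auth_id","session_id","src_ip","src_port","dest_ip","dest_port","proto","username","password"]
      separator => ","
    }
    date {
      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
      remove_field => ["timestamp"]
    }
  }
  # Honeypy
  if [type] == "Honeypy" {
    date {
      match => [ "timestamp", "ISO8601" ]
      # The log carries the same instant split over several fields; only
      # @timestamp is kept.
      remove_field => ["timestamp", "date", "time", "millisecond"]
    }
  }
  # Honeysap
  if [type] == "Honeysap" {
    date {
      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
      remove_field => ["timestamp"]
    }
    mutate {
      rename => {
        "[data][error_msg]" => "event_type"
        "service" => "sensor"
        "source_port" => "src_port"
        "source_ip" => "src_ip"
        "target_port" => "dest_port"
        "target_ip" => "dest_ip"
      }
      remove_field => ["event", "return_code"]
    }
    if [data] {
      mutate {
        remove_field => "[data]"
      }
    }
  }
  # Honeytrap
  if [type] == "Honeytrap" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "[attack_connection][local_port]" => "dest_port"
        "[attack_connection][local_ip]" => "dest_ip"
        "[attack_connection][remote_port]" => "src_port"
        "[attack_connection][remote_ip]" => "src_ip"
      }
    }
  }
  # Mailoney
  if [type] == "Mailoney" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    # SMTP port stamped on as a constant; the log carries no dest_port.
    mutate {
      add_field => {
        "dest_port" => "25"
      }
    }
  }
  # Medpot
  if [type] == "Medpot" {
    # HL7/MLLP port and the sensor's external IP are constants here (see the
    # ${MY_EXTIP} note under Ciscoasa).
    mutate {
      add_field => {
        "dest_port" => "2575"
        "dest_ip" => "${MY_EXTIP}"
      }
    }
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }
  # Rdpy
  if [type] == "Rdpy" {
    # Two line shapes: a credential record and a connection record.
    grok {
      match => {
        "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}",
                       "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ]
      }
    }
    date {
      match => [ "timestamp", "ISO8601" ]
      remove_field => ["timestamp"]
    }
    mutate {
      add_field => {
        "dest_port" => "3389"
      }
    }
  }
  # NGINX
  if [type] == "NGINX" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }
  # Tanner
  if [type] == "Tanner" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "[peer][ip]" => "src_ip"
        "[peer][port]" => "src_port"
      }
      add_field => {
        "dest_port" => "80"
      }
    }
  }
  # Drop if parse fails
  # NOTE(review): events that fail the grok patterns above (CitrixHoneypot,
  # Rdpy) are discarded silently rather than indexed with the tag. That keeps
  # the index clean but hides parser regressions and any log line shape the
  # patterns do not anticipate; routing tagged events to a separate index
  # instead would preserve them for inspection. Behaviour left unchanged.
  if "_grokparsefailure" in [tags] { drop {} }
  # Add geo coordinates / ASN info / IP rep.
  if [src_ip] {
    # Both database paths pin the geoip plugin gem version
    # (logstash-filter-geoip-6.0.3); upgrading the plugin moves the vendor
    # directory and breaks these lookups until the paths are updated.
    geoip {
      cache_size => 10000
      source => "src_ip"
      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-6.0.3-java/vendor/GeoLite2-City.mmdb"
    }
    geoip {
      cache_size => 10000
      source => "src_ip"
      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-6.0.3-java/vendor/GeoLite2-ASN.mmdb"
    }
    # IP reputation from the listbot dictionary, re-read daily; no fallback,
    # so unknown addresses get no ip_rep field.
    translate {
      refresh_interval => 86400
      field => "src_ip"
      destination => "ip_rep"
      dictionary_path => "/etc/listbot/iprep.yaml"
    }
  }
  # In some rare conditions dest_port, src_port, status are indexed as string, forcing integer for now
  if [dest_port] {
    mutate {
      convert => { "dest_port" => "integer" }
    }
  }
  if [src_port] {
    mutate {
      convert => { "src_port" => "integer" }
    }
  }
  if [status] {
    mutate {
      convert => { "status" => "integer" }
    }
  }
  # Add T-Pot hostname and external IP
  # All three values come from the environment without defaults, so Logstash
  # refuses to start if any of MY_EXTIP, MY_INTIP or MY_HOSTNAME is unset.
  # "NGINX" is the only input type not in this list — presumably deliberate,
  # as it is the host's web server rather than a honeypot; confirm.
  if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dicompot" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeysap" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
    mutate {
      add_field => {
        "t-pot_ip_ext" => "${MY_EXTIP}"
        "t-pot_ip_int" => "${MY_INTIP}"
        "t-pot_hostname" => "${MY_HOSTNAME}"
      }
    }
  }
}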
# Output section
output {
  # Everything is shipped to the Elasticsearch container. No ssl, user or
  # password options are set on this output, so it speaks plain HTTP without
  # credentials; it relies on "elasticsearch:9200" being reachable only on
  # the internal container network — confirm in the compose setup.
  elasticsearch {
    hosts => ["elasticsearch:9200"]
    # With ILM in place the daily index must be named explicitly here,
    # otherwise index naming breaks (FUBAR, as the original note put it).
    index => "logstash-%{+YYYY.MM.dd}"
    # document_type => "doc"
  }
  # Optional file copy of Suricata events, currently disabled:
  #if [type] == "Suricata" {
  #  file {
  #    file_mode => 0770
  #    path => "/data/suricata/log/suricata_ews.log"
  #  }
  #}
  # Debug output (per type), currently disabled:
  #if [type] == "CitrixHoneypot" {
  #  stdout {
  #    codec => rubydebug
  #  }
  #}
  # Debug output (everything), currently disabled:
  #stdout {
  #  codec => rubydebug
  #}
}