diff --git a/docker/conpot/Dockerfile b/docker/conpot/Dockerfile new file mode 100644 index 00000000..97b1fc09 --- /dev/null +++ b/docker/conpot/Dockerfile @@ -0,0 +1,54 @@ +FROM alpine +MAINTAINER MO + +# Include dist +ADD dist/ /root/dist/ + +# Setup apt +RUN apk -U add bash \ + build-base \ + file \ + git \ + libev \ + libtool \ + libxslt \ + libxslt-dev \ + mariadb-dev \ + mariadb-client-libs \ + pkgconfig \ + python \ + python-dev \ + py-cffi && \ + +# Setup ConPot + git clone https://github.com/mushorg/conpot /opt/conpot/ && \ + cd /opt/conpot/ && \ + git checkout d97a68a054e4fe42ff90293188a5702ce8ab09a3 && \ + cp /root/dist/requirements.txt /opt/conpot/ && \ + python setup.py install && \ + cd / && \ + rm -rf /opt/conpot /tmp/* /var/tmp/* && \ + +# Setup user, groups and configs + addgroup -g 2000 conpot && \ + adduser -S -s /bin/bash -u 2000 -D -g 2000 conpot && \ + mkdir -p /etc/conpot /var/log/conpot && \ + mv /root/dist/conpot.cfg /etc/conpot/conpot.cfg && \ + mv /root/dist/kamstrup_382/template.xml /usr/lib/python2.7/site-packages/Conpot-0.5.1-py2.7.egg/conpot/templates/kamstrup_382/ && \ + +# Clean up + apk del build-base \ + file \ + git \ + libev \ + libtool \ + libxslt-dev \ + mariadb-dev \ + pkgconfig \ + python-dev \ + py-cffi && \ + rm -rf /root/* && \ + rm -rf /var/cache/apk/* + +# Run supervisor upon container start +CMD ["/usr/bin/conpot", "--template", "kamstrup_382", "--logfile", "/var/log/conpot/conpot.log", "--config", "/etc/conpot/conpot.cfg"] diff --git a/docker/conpot/README.md b/docker/conpot/README.md new file mode 100644 index 00000000..2ef9f22c --- /dev/null +++ b/docker/conpot/README.md @@ -0,0 +1,28 @@ +[![](https://images.microbadger.com/badges/version/dtagdevsec/conpot:1706.svg)](https://microbadger.com/images/dtagdevsec/conpot:1706 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/conpot:1706.svg)](https://microbadger.com/images/dtagdevsec/conpot:1706 "Get your own image badge on microbadger.com") + +# conpot + +[ConPot](http://conpot.org/) is a low interactive server side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend. By providing a range of common industrial control protocols we created the basics to build your own system, capable to emulate complex infrastructures to convince an adversary that he just found a huge industrial complex. To improve the deceptive capabilities, we also provided the possibility to server a custom human machine interface to increase the honeypots attack surface. The response times of the services can be artificially delayed to mimic the behaviour of a system under constant load. Because we are providing complete stacks of the protocols, Conpot can be accessed with productive HMI's or extended with real hardware. Conpot is developed under the umbrella of the [Honeynet Project](https://www.honeynet.org/) and on the shoulders of a couple of very big giants. + +This repository contains the necessary files to create a *dockerized* version of conpot. + +This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG. + +The `Dockerfile` contains the blueprint for the dockerized conpot and will be used to setup the docker image. + +The `supervisord.conf` is used to start conpot under supervision of supervisord. + +Using systemd, copy the `systemd/conpot.service` to `/etc/systemd/system/conpot.service` and start using + +``` +systemctl enable conpot +systemctl start conpot +``` + +This will make sure that the docker container is started with the appropriate permissions and port mappings. Further, it autostarts during boot. + +By default all data will be stored in `/data/conpot/` until the honeypot service will be restarted which is by default every 24 hours. If you want to keep data persistently simply edit the ``service`` file, find the line that contains ``clean.sh`` and set the option from ``off`` to ``on``. Be advised to establish some sort of log management if you wish to do so. + +# ConPot Dashboard + +![ConPot Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/conpot/master/doc/dashboard.png) diff --git a/docker/conpot/dist/conpot.cfg b/docker/conpot/dist/conpot.cfg new file mode 100644 index 00000000..72fc3430 --- /dev/null +++ b/docker/conpot/dist/conpot.cfg @@ -0,0 +1,58 @@ +[common] +sensorid = conpot + +[session] +timeout = 30 + +[daemon] +user = conpot +group = conpot + +[json] +enabled = True +filename = /var/log/conpot/conpot.json + +[sqlite] +enabled = False + +[mysql] +enabled = False +device = /tmp/mysql.sock +host = localhost +port = 3306 +db = conpot +username = conpot +passphrase = conpot +socket = tcp ; tcp (sends to host:port), dev (sends to mysql device/socket file) + +[syslog] +enabled = False +device = /dev/log +host = localhost +port = 514 +facility = local0 +socket = dev ; udp (sends to host:port), dev (sends to device) + +[hpfriends] +enabled = False +host = hpfriends.honeycloud.net +port = 20000 +ident = 3Ykf9Znv +secret = 4nFRhpm44QkG9cvD +channels = ["conpot.events", ] + +[taxii] +enabled = False +host = taxiitest.mitre.org +port = 80 +inbox_path = /services/inbox/default/ +use_https = False + +[fetch_public_ip] +enabled = True +urls = ["http://whatismyip.akamai.com/", "http://wgetip.com/"] + +[change_mac_addr] +enabled = False +iface = eth0 +addr = 00:de:ad:be:ef:00 diff --git a/docker/conpot/dist/kamstrup_382/template.xml b/docker/conpot/dist/kamstrup_382/template.xml new file mode 100644 index 00000000..fb68a8a4 --- /dev/null +++ b/docker/conpot/dist/kamstrup_382/template.xml @@ -0,0 +1,516 @@ + + + + + + + conpot.protocols.kamstrup.usage_simulator.UsageSimulator + + + 0 + + + 0 + + + 0 + + + 71832712 + + + 0 + + + 228 + + + 229 + + + 224 + + + 511 + + + 422 + + + 144 + + + 1000 + + + 5499 + + + 895 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 1258679 + + + 0 + + + 0 + + + 21000002 + + + 22201011 + + + 1000 + + + 0 + + + 0 + + + 34353 + + + 256 + + + 101110 + + + 340282366920938463463374607431768211455 + + + 1 + + + 0 + + + 0 + + + 30 + + + 30 + + + 30 + + + 99000 + + + 0 + + + 0 + + + 3820031751153221778937193183286 + + + 0 + + + 9441543881752250126 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 340282366920938463463374607431768211455 + + + 340282366920938463463374607431768211455 + + + 340282366920938463463374607431768211455 + + + 340282366920938463463374607431768211455 + + + 340282366920938463463374607431768211455 + + + 340282366920938463463374607431768211455 + + + 340282366920938463463374607431768211455 + + + 100 + + + 227691635558201180633139 + + + 60 + + + 0 + + + 0 + + + 46828625 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 315 + + + 433534329705531658 + + + 15085488 + + + 203513 + + + 140727 + + + 283 + + + 53011401 + + + 15085488 + + + 0 + + + 0 + + + 0 + + + '5.5 (E5)' + + + 'DISABLED' + + + '0.0.0.0' + + + '0.0.0.0' + + + '0.0.0.0' + + + '0.0.0.0' + + + '0.0.0.0' + + + '' + + + '192.168.254.111' + + + '192.168.254.112' + + + '0.0.0.0' + + + '00:13:EA:00:72:FA' + + + 'YES' + + + '192.168.201.101' + + + '192.168.201.254' + + + '255.255.255.0' + + + '192.168.200.1' + + + '192.168.200.254' + + + '255.255.255.0' + + + 'de_fra_lxg00.local.dom' + + + '192.168.254.201' + + + '50' + + + '0.0.0.0' + + + '50' + + + 'A1 06 A1 02 B7 34 12 00 00 03' + + + 'A1 06 A1 02 B7 34 12 00 00 03' + + + '1025' + + + '1027' + + + 'NO' + + + '800' + + + 'DISABLED' + + + '' + + + '4000' + + + '0 - none' + + + '3600' + + + '60' + + + '10' + + + 'Auto' + + + '115200,8,E,1' + + + '0 - None' + + + '0 - None' + + + + diff --git a/docker/conpot/dist/requirements.txt b/docker/conpot/dist/requirements.txt new file mode 100644 index 00000000..ca8e6871 --- /dev/null +++ b/docker/conpot/dist/requirements.txt @@ -0,0 +1,23 @@ +gevent>=1.0 +pysnmp==4.3.5 +pysmi==0.1.3 +lxml +bottle +jinja2 +beautifulsoup4 +requests +sphinx==1.5.5 +libtaxii>=1.1.0 +MySQL-python +xlrd +crc16 +enum +hpfeeds +modbus-tk +stix-validator +stix +cybox +bacpypes==0.13.8 +pyghmi +mixbox +modbus-tk diff --git a/docker/conpot/doc/dashboard.png b/docker/conpot/doc/dashboard.png new file mode 100644 index 00000000..3690cd10 Binary files /dev/null and b/docker/conpot/doc/dashboard.png differ diff --git a/docker/conpot/docker-compose.yml b/docker/conpot/docker-compose.yml new file mode 100644 index 00000000..b0f884bc --- /dev/null +++ b/docker/conpot/docker-compose.yml @@ -0,0 +1,19 @@ +version: '2.1' + +networks: + conpot_local: + +services: + +# Conpot service + conpot: + container_name: conpot + restart: always + networks: + - conpot_local + ports: + - "1025:1025" + - "50100:50100" + image: "dtagdevsec/conpot:1706" + volumes: + - /data/conpot/log:/var/log/conpot diff --git a/docker/cowrie/Dockerfile b/docker/cowrie/Dockerfile new file mode 100644 index 00000000..64dfc49b --- /dev/null +++ b/docker/cowrie/Dockerfile @@ -0,0 +1,35 @@ +FROM alpine +MAINTAINER MO + +# Include dist +ADD dist/ /root/dist/ + +# Get and install dependencies & packages +RUN apk -U upgrade && \ + apk add git procps py-pip mpfr-dev openssl-dev mpc1-dev libffi-dev build-base python python-dev py-mysqldb py-setuptools gmp-dev && \ + +# Setup user + addgroup -g 2000 cowrie && \ + adduser -S -s /bin/bash -u 2000 -D -g 2000 cowrie && \ + +# Install cowrie from git + git clone https://github.com/micheloosterhof/cowrie.git /home/cowrie/cowrie/ && \ + cd /home/cowrie/cowrie && \ + pip install --no-cache-dir --upgrade cffi && \ + pip install --no-cache-dir -U -r requirements.txt && \ + +# Setup user, groups and configs + cp /root/dist/cowrie.cfg /home/cowrie/cowrie/cowrie.cfg && \ + cp /root/dist/userdb.txt /home/cowrie/cowrie/data/userdb.txt && \ + chown cowrie:cowrie -R /home/cowrie/* && \ + +# Clean up + rm -rf /root/* && \ + apk del git py-pip mpfr-dev mpc1-dev libffi-dev build-base py-mysqldb gmp-dev python-dev && \ + rm -rf /var/cache/apk/* + +# Start cowrie +ENV PYTHONPATH /home/cowrie/cowrie +WORKDIR /home/cowrie/cowrie +USER cowrie +CMD ["/usr/bin/twistd", "--nodaemon", "-y", "cowrie.tac", "--pidfile", "var/run/cowrie.pid", "cowrie"] diff --git a/docker/cowrie/LICENSE b/docker/cowrie/LICENSE new file mode 100644 index 00000000..ef7e7efc --- /dev/null +++ b/docker/cowrie/LICENSE @@ -0,0 +1,674 @@ +GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. + + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + {one line to give the program's name and a brief idea of what it does.} + Copyright (C) {year} {name of author} + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + {project} Copyright (C) {year} {fullname} + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. diff --git a/docker/cowrie/README.md b/docker/cowrie/README.md new file mode 100644 index 00000000..0661a00a --- /dev/null +++ b/docker/cowrie/README.md @@ -0,0 +1,32 @@ +# dockerized cowrie + + +[cowrie](http://www.micheloosterhof.com/cowrie/) is an extended fork of the medium interaction honeypot [kippo](https://github.com/desaster/kippo). + +This repository contains the necessary files to create a *dockerized* version of cowrie. + +This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG. + +The `Dockerfile` contains the blueprint for the dockerized cowrie and will be used to setup the docker image. + +The `cowrie.cfg` is tailored to fit the T-Pot environment. + +The `setup.sql` is also tailored to fit the T-Pot environment. + +The `supervisord.conf` is used to start cowrie under supervision of supervisord. + +Using systemd, copy the `systemd/cowrie.service` to `/etc/systemd/system/cowrie.service` and start using + +``` +systemctl enable cowrie +systemctl start cowrie +``` + +This will make sure that the docker container is started with the appropriate permissions and port mappings. Further, it autostarts during boot. + +By default all data will be stored in `/data/cowrie/` until the honeypot service will be restarted which is by default every 24 hours. If you want to keep data persistently simply edit the ``service`` file, find the line that contains ``clean.sh`` and set the option from ``off`` to ``on``. Be advised to establish some sort of log management if you wish to do so. + + +# Cowrie Dashboard + +![Cowrie Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/cowrie/master/doc/dashboard.png) diff --git a/docker/cowrie/dist/cowrie.cfg b/docker/cowrie/dist/cowrie.cfg new file mode 100644 index 00000000..1a3a03fa --- /dev/null +++ b/docker/cowrie/dist/cowrie.cfg @@ -0,0 +1,472 @@ +# +# Cowrie configuration file (cowrie.cfg) +# + +# ============================================================================ +# General Honeypot Options +# ============================================================================ +[honeypot] + +# Sensor name is used to identify this Cowrie instance. Used by the database +# logging modules such as mysql. +# +# If not specified, the logging modules will instead use the IP address of the +# server as the sensor name. +# +# (default: not specified) +#sensor_name=t-pot + +# Hostname for the honeypot. Displayed by the shell prompt of the virtual +# environment +# +# (default: svr04) +hostname = ubuntu + + +# Directory where to save log files in. +# +# (default: log) +log_path = log + + +# Directory where to save downloaded artifacts in. +# +# (default: dl) +download_path = dl + + +# Directory for miscellaneous data files, such as the password database. +# +# (default: data_path) +data_path = data + + +# Directory where virtual file contents are kept in. +# +# This is only used by commands like 'cat' to display the contents of files. +# Adding files here is not enough for them to appear in the honeypot - the +# actual virtual filesystem is kept in filesystem_file (see below) +# +# (default: honeyfs) +contents_path = honeyfs + + +# File in the Python pickle format containing the virtual filesystem. +# +# This includes the filenames, paths, permissions for the Cowrie filesystem, +# but not the file contents. This is created by the bin/createfs utility from +# a real template linux installation. +# +# (default: fs.pickle) +filesystem_file = data/fs.pickle + + +# Directory for creating simple commands that only output text. +# +# The command must be placed under this directory with the proper path, such +# as: +# txtcmds/usr/bin/vi +# The contents of the file will be the output of the command when run inside +# the honeypot. +# +# In addition to this, the file must exist in the virtual filesystem +# +# (default: txtcmds) +txtcmds_path = txtcmds + + +# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'. +# A value of 0 means no limit. If the file size is known to be too big from the start, +# the file will not be stored on disk at all. +# +# (default: 0) +#download_limit_size = 10485760 + + +# TTY logging will log a transcript of the complete terminal interaction in UML +# compatible format. +# (default: true) +ttylog = true + + + +# ============================================================================ +# Network Specific Options +# ============================================================================ + + +# IP address to bind to when opening outgoing connections. Used by wget and +# curl commands. +# +# (default: not specified) +#out_addr = 0.0.0.0 + + +# Fake address displayed as the address of the incoming connection. +# This doesn't affect logging, and is only used by honeypot commands such as +# 'w' and 'last' +# +# If not specified, the actual IP address is displayed instead (default +# behaviour). +# +# (default: not specified) +#fake_addr = 192.168.66.254 + + +# The IP address on which this machine is reachable on from the internet. +# Useful if you use portforwarding or other mechanisms. If empty, Cowrie +# will determine by itself. Used in 'netstat' output +# +#internet_facing_ip = 9.9.9.9 + + +# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1) +# IP address is obtained by querying http://myip.threatstream.com +report_public_ip = true + + + +# ============================================================================ +# Authentication Specific Options +# ============================================================================ + + +# Class that implements the checklogin() method. +# +# Class must be defined in cowrie/core/auth.py +# Default is the 'UserDB' class which uses the password database. +# +# Alternatively the 'AuthRandom' class can be used, which will let +# a user login after a random number of attempts. +# It will also cache username/password combinations that allow login. +# +#auth_class = UserDB + +# When AuthRandom is used also set the +# auth_class_parameters: , , +# for example: 2, 5, 10 = allows access after randint(2,5) attempts +# and cache 10 combinations. +# +auth_class = AuthRandom +auth_class_parameters = 2, 5, 10 + + +# No authentication checking at all +# enabling 'auth_none' will enable the ssh2 'auth_none' authentication method +# this allows the requested user in without any verification at all +# +# (default: false) +#auth_none_enabled = false + + + +# ============================================================================ +# Historical SSH Specific Options +# historical options in [honeypot] that have not yet been moved to [ssh] +# ============================================================================ + +# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie) +reported_ssh_port = 22 + + + +# ============================================================================ +# SSH Specific Options +# ============================================================================ +[ssh] + +# Enable SSH support +# (default: true) +enabled = true + + +# Public and private SSH key files. If these don't exist, they are created +# automatically. +rsa_public_key = etc/ssh_host_rsa_key.pub +rsa_private_key = etc/ssh_host_rsa_key +dsa_public_key = etc/ssh_host_dsa_key.pub +dsa_private_key = etc/ssh_host_dsa_key + +# SSH Version String +# +# Use these to disguise your honeypot from a simple SSH version scan +# Examples: +# SSH-2.0-OpenSSH_5.1p1 Debian-5 +# SSH-1.99-OpenSSH_4.3 +# SSH-1.99-OpenSSH_4.7 +# SSH-1.99-Sun_SSH_1.1 +# SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1 +# SSH-2.0-OpenSSH_4.3 +# SSH-2.0-OpenSSH_4.6 +# SSH-2.0-OpenSSH_5.1p1 Debian-5 +# SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901 +# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5 +# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6 +# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7 +# SSH-2.0-OpenSSH_5.5p1 Debian-6 +# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1 +# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2 +# SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503 +# SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1 +# SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2 +# SSH-2.0-OpenSSH_5.9 +# +# (default: "SSH-2.0-SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2") +version = SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2 + + +# IP addresses to listen for incoming SSH connections. +# +# (default: 0.0.0.0) = any IPv4 address +#listen_addr = 0.0.0.0 +# (use :: for listen to all IPv6 and IPv4 addresses) +#listen_addr = :: + + +# Port to listen for incoming SSH connections. +# +# (default: 2222) +#listen_port = 22 + + +# sftp_enabled enables the sftp subsystem +sftp_enabled = true + + +# Enable SSH direct-tcpip forwarding +# (default: true) +forwarding = true + + +# This enables redirecting forwarding requests to another address +# Useful for forwarding protocols to other honeypots +# (default: false) +forward_redirect = false + + +# Configure where to forward the data to. +# forward_redirect_ = : + +# Redirect http/https +forward_redirect_80 = 127.0.0.1:8000 +forward_redirect_443 = 127.0.0.1:8443 + +# To record SMTP traffic, install an SMTP honeypoint. +# (e.g https://github.com/awhitehatter/mailoney), run +# python mailoney.py -s yahoo.com -t schizo_open_relay -p 12525 +forward_redirect_25 = 127.0.0.1:12525 +forward_redirect_587 = 127.0.0.1:12525 + + + +# ============================================================================ +# Telnet Specific Options +# ============================================================================ +[telnet] + +# Enable Telnet support, disabled by default +enabled = true + +# IP addresses to listen for incoming Telnet connections. +# +# (default: 0.0.0.0) = any IPv4 address +#listen_addr = 0.0.0.0 +# (use :: for listen to all IPv6 and IPv4 addresses) +#listen_addr = :: + + +# Port to listen for incoming Telnet connections. +# +# (default: 2223) +#listen_port = 23 + +# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie) +reported_port = 23 + + + +# ============================================================================ +# Database logging Specific Options +# ============================================================================ + +# XMPP Logging +# Log to an xmpp server. +# +#[database_xmpp] +#server = sensors.carnivore.it +#user = anonymous@sensors.carnivore.it +#password = anonymous +#muc = dionaea.sensors.carnivore.it +#signal_createsession = cowrie-events +#signal_connectionlost = cowrie-events +#signal_loginfailed = cowrie-events +#signal_loginsucceeded = cowrie-events +#signal_command = cowrie-events +#signal_clientversion = cowrie-events +#debug=true + + + +# ============================================================================ +# Output Plugins +# These provide an extensible mechanism to send audit log entries to third +# parties. The audit entries contain information on clients connecting to +# the honeypot. +# ============================================================================ + + +# JSON based logging module +# +[output_jsonlog] +logfile = log/cowrie.json + + +# Supports logging to Elasticsearch +# This is a simple early release +# +#[output_elasticsearch] +#host = localhost +#port = 9200 +#index = cowrie +#type = cowrie + + +# Send login attemp information to SANS DShield +# See https://isc.sans.edu/ssh.html +# You must signup for an api key. +# Once registered, find your details at: https://isc.sans.edu/myaccount.html +# +#[output_dshield] +#userid = userid_here +#auth_key = auth_key_here +#batch_size = 100 + + +# Local Syslog output module +# +# This sends log messages to the local syslog daemon. +# Facility can be: +# KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, SYSLOG and LOCAL0 to LOCAL7. +# +# Format can be: +# text, cef +# +#[output_localsyslog] +#facility = USER +#format = text + + +# Text output +# This writes audit log entries to a text file +# +# Format can be: +# text, cef +# +[output_textlog] +logfile = log/cowrie-textlog.log +format = text + + +# MySQL logging module +# Database structure for this module is supplied in doc/sql/mysql.sql +# +# MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev +# MySQL logging requires an extra Python module: pip install mysql-python +# +#[output_mysql] +#host = localhost +#database = cowrie +#username = cowrie +#password = secret +#port = 3306 +#debug = false + +# Rethinkdb output module +# Rethinkdb output module requires extra Python module: pip install rethinkdb + +#[output_rethinkdblog] +#host = 127.0.0.1 +#port = 28015 +#table = output +#password = +#db = cowrie + +# SQLite3 logging module +# +# Logging to SQLite3 database. To init the database, use the script +# doc/sql/sqlite3.sql: +# sqlite3 < doc/sql/sqlite3.sql +# +#[output_sqlite] +#db_file = cowrie.db + +# MongoDB logging module +# +# MongoDB logging requires an extra Python module: pip install pymongo +# +#[output_mongodb] +#connection_string = mongodb://username:password@host:port/database +#database = dbname + + +# Splunk SDK output module - Legacy. Requires Splunk API installed +# This sends logs directly to Splunk using the Python REST SDK +# +#[output_splunklegacy] +#host = localhost +#port = 8889 +#username = admin +#password = password +#index = cowrie + + +# Splunk HTTP Event Collector (HEC) output module +# Sends JSON directly to Splunk over HTTPS +# mandatory fields: url, token +# optional fields: index, source, sourcetype, host +# +#[output_splunk] +#url = https://localhost:8088/services/collector/event +#token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8 +#index = cowrie +#sourcetype = cowrie +#source = cowrie + + +# HPFeeds +# +#[output_hpfeeds] +#server = hpfeeds.mysite.org +#port = 10000 +#identifier = abc123 +#secret = secret +#debug=false + + +# VirusTotal output module +# You must signup for an api key. +# +#[output_virustotal] +#api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef +# + +#[output_slack] +# This will produce a _lot_ of messages - you have been warned.... +#channel = channel_that_events_should_be_posted_in +#token = slack_token_for_your_bot +##debug=true + + +# https://csirtg.io +# You must signup for an api key. +# +#[output_csirtg] +#username=wes +#feed=scanners +#description=random scanning activity +#token=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + + +#[output_socketlog] +#address = 127.0.0.1:9000 +#timeout = 5 diff --git a/docker/cowrie/dist/userdb.txt b/docker/cowrie/dist/userdb.txt new file mode 100644 index 00000000..ca66dff4 --- /dev/null +++ b/docker/cowrie/dist/userdb.txt @@ -0,0 +1 @@ +root:0:password diff --git a/docker/cowrie/doc/dashboard.png b/docker/cowrie/doc/dashboard.png new file mode 100644 index 00000000..8104d947 Binary files /dev/null and b/docker/cowrie/doc/dashboard.png differ diff --git a/docker/cowrie/docker-compose.yml b/docker/cowrie/docker-compose.yml new file mode 100644 index 00000000..13a15323 --- /dev/null +++ b/docker/cowrie/docker-compose.yml @@ -0,0 +1,26 @@ +# T-Pot (Standard) +# For docker-compose ... +version: '2.1' + +networks: + cowrie_local: + +services: + +# Cowrie service + cowrie: + container_name: cowrie + restart: always + networks: + - cowrie_local + cap_add: + - NET_BIND_SERVICE + ports: + - "22:2222" + - "23:2223" + image: "dtagdevsec/cowrie:1706" + volumes: + - /data/cowrie/downloads:/home/cowrie/cowrie/dl + - /data/cowrie/keys:/home/cowrie/cowrie/etc + - /data/cowrie/log:/home/cowrie/cowrie/log + - /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty diff --git a/docker/dionaea/Dockerfile b/docker/dionaea/Dockerfile new file mode 100644 index 00000000..2a2527ee --- /dev/null +++ b/docker/dionaea/Dockerfile @@ -0,0 +1,110 @@ +FROM debian:stretch-slim +MAINTAINER MO +ENV DEBIAN_FRONTEND noninteractive + +# Include dist +ADD dist/ /root/dist/ + +# Install dependencies and packages +RUN apt-get update -y && \ + apt-get upgrade -y && \ + apt-get install -y --no-install-recommends \ + autoconf \ + automake \ + build-essential \ + ca-certificates \ + check \ + cython3 \ + git \ + libcurl4-openssl-dev \ + libemu-dev \ + libev-dev \ + libglib2.0-dev \ + libloudmouth1-dev \ + libnetfilter-queue-dev \ + libnl-3-dev \ + libpcap-dev \ + libssl-dev \ + libtool \ + libudns-dev \ + procps \ + python3 \ + python3-dev \ + python3-bson \ + python3-yaml && \ + +# Get and install dionaea + git clone https://github.com/dinotools/dionaea /root/dionaea/ && \ + cd /root/dionaea && \ +# git checkout 99e9cfc88cfa8f3715813b18ec7006bca2622d76 && \ + autoreconf -vi && \ + ./configure \ + --prefix=/opt/dionaea \ + --with-python=/usr/bin/python3 \ + --with-cython-dir=/usr/bin \ + --enable-ev \ + --with-ev-include=/usr/include \ + --with-ev-lib=/usr/lib \ + --with-emu-lib=/usr/lib/libemu \ + --with-emu-include=/usr/include \ + --with-nl-include=/usr/include/libnl3 \ + --with-nl-lib=/usr/lib \ + --enable-static && \ + make && \ + make install && \ + +# Setup user and groups + addgroup --gid 2000 dionaea && \ + adduser --system --no-create-home --shell /bin/bash --uid 2000 --disabled-password --disabled-login --gid 2000 dionaea && \ + +# Supply configs and set permissions + chown -R dionaea:dionaea /opt/dionaea/var && \ + rm -rf /opt/dionaea/etc/dionaea/* && \ + mv /root/dist/etc/* /opt/dionaea/etc/dionaea/ && \ + +# Setup runtime and clean up + apt-get purge -y \ + autoconf \ + automake \ + build-essential \ + ca-certificates \ + check \ + cython3 \ + git \ + libcurl4-openssl-dev \ + libemu-dev \ + libev-dev \ + libglib2.0-dev \ + libloudmouth1-dev \ + libnetfilter-queue-dev \ + libnl-3-dev \ + libpcap-dev \ + libssl-dev \ + libtool \ + libudns-dev \ + python3 \ + python3-dev \ + python3-bson \ + python3-yaml && \ + + apt-get install -y \ + ca-certificates \ + python3 \ + python3-bson \ + python3-yaml \ + libcurl3 \ + libemu2 \ + libev4 \ + libglib2.0-0 \ + libnetfilter-queue1 \ + libnl-3-200 \ + libpcap0.8 \ + libpython3.5 \ + libudns0 && \ + + apt-get autoremove --purge -y && \ + apt-get clean && \ + rm -rf /root/* /var/lib/apt/lists/* /tmp/* /var/tmp/* + +# Start dionaea +CMD ["/opt/dionaea/bin/dionaea", "-u", "dionaea", "-g", "dionaea", "-c", "/opt/dionaea/etc/dionaea/dionaea.cfg"] diff --git a/docker/dionaea/LICENSE b/docker/dionaea/LICENSE new file mode 100644 index 00000000..ef7e7efc --- /dev/null +++ b/docker/dionaea/LICENSE @@ -0,0 +1,674 @@ +GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. + + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + {one line to give the program's name and a brief idea of what it does.} + Copyright (C) {year} {name of author} + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + {project} Copyright (C) {year} {fullname} + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. diff --git a/docker/dionaea/README.md b/docker/dionaea/README.md new file mode 100644 index 00000000..4d51f0b3 --- /dev/null +++ b/docker/dionaea/README.md @@ -0,0 +1,29 @@ +# dockerized dionaea + + +[dionaea](https://github.com/DinoTools/dionaea) is a low interaction honeypot with focus on capturing malware. + +This repository contains the necessary files to create a *dockerized* version of dionaea. + +This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG. + +The `Dockerfile` contains the blueprint for the dockerized dionaea and will be used to setup the docker image. + +The `dionaea.conf` is tailored to fit the T-Pot environment. + +The `supervisord.conf` is used to start dionaea under supervision of supervisord. + +Using systemd, copy the `systemd/dionaea.service` to `/etc/systemd/system/dionaea.service` and start using + +``` +systemctl enable dionaea +systemctl start dionaea +``` + +This will make sure that the docker container is started with the appropriate permissions and port mappings. Further, it autostarts during boot. + +By default all data will be stored in `/data/dionaea/` until the honeypot service will be restarted which is by default every 24 hours. If you want to keep data persistently simply edit the ``service`` file, find the line that contains ``clean.sh`` and set the option from ``off`` to ``on``. Be advised to establish some sort of log management if you wish to do so. + +# Dionaea Dashboard + +![Dionaea Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/dionaea/master/doc/dashboard.png) diff --git a/docker/dionaea/dist/etc/dionaea.cfg b/docker/dionaea/dist/etc/dionaea.cfg new file mode 100644 index 00000000..541d911f --- /dev/null +++ b/docker/dionaea/dist/etc/dionaea.cfg @@ -0,0 +1,66 @@ +[dionaea] +download.dir=/opt/dionaea/var/dionaea/binaries/ +modules=curl,python,emu +processors=filter_streamdumper,filter_emu + +listen.mode=getifaddrs +# listen.addresses=127.0.0.1 +# listen.interfaces=eth0,tap0 + +# Country +ssl.default.c=CN +# Common Name/domain name +ssl.default.cn= +# Organization +ssl.default.o= +# Organizational Unit +ssl.default.ou= + +[logging] +#default.filename=/opt/dionaea/var/dionaea/dionaea.log +#default.levels=all +#default.domains=* + +errors.filename=/opt/dionaea/var/dionaea/dionaea-errors.log +errors.levels=warning,error +errors.domains=* + +[processor.filter_streamdumper] +name=filter +config.allow.0.types=accept +config.allow.1.types=connect +config.allow.1.protocols=ftpctrl +config.deny.0.protocols=ftpdata,ftpdatacon,xmppclient +next=streamdumper + +[processor.streamdumper] +name=streamdumper +config.path=/opt/dionaea/var/dionaea/bistreams/%Y-%m-%d/ + +[processor.filter_emu] +name=filter +config.allow.0.protocols=smbd,epmapper,nfqmirrord,mssqld +next=emu + +[processor.emu] +name=emu +config.limits.files=3 +#512 * 1024 +config.limits.filesize=524288 +config.limits.sockets=3 +config.limits.sustain=120 +config.limits.idle=30 +config.limits.listen=30 +config.limits.cpu=120 +#// 1024 * 1024 * 1024 +config.limits.steps=1073741824 + +[module.nl] +# set to yes in case you are interested in the mac address of the remote (only works for lan) +lookup_ethernet_addr=yes + +[module.python] +imports=dionaea.log,dionaea.services,dionaea.ihandlers +sys_paths=default +service_configs=/opt/dionaea/etc/dionaea/services/*.yaml +ihandler_configs=/opt/dionaea/etc/dionaea/ihandlers/*.yaml diff --git a/docker/dionaea/dist/etc/ihandlers/cmdshell.yaml b/docker/dionaea/dist/etc/ihandlers/cmdshell.yaml new file mode 100644 index 00000000..4d4eb817 --- /dev/null +++ b/docker/dionaea/dist/etc/ihandlers/cmdshell.yaml @@ -0,0 +1 @@ +- name: cmdshell diff --git a/docker/dionaea/dist/etc/ihandlers/emuprofile.yaml b/docker/dionaea/dist/etc/ihandlers/emuprofile.yaml new file mode 100644 index 00000000..70ae05ab --- /dev/null +++ b/docker/dionaea/dist/etc/ihandlers/emuprofile.yaml @@ -0,0 +1 @@ +- name: emuprofile diff --git a/docker/dionaea/dist/etc/ihandlers/ftp.yaml b/docker/dionaea/dist/etc/ihandlers/ftp.yaml new file mode 100644 index 00000000..1df767f1 --- /dev/null +++ b/docker/dionaea/dist/etc/ihandlers/ftp.yaml @@ -0,0 +1,10 @@ +# ftp client section +- name: ftp + config: + # host for active ftp via NAT + # * 0.0.0.0 - the initiating connection ip is used for active ftp + # * not 0.0.0.0 - gets resolved as hostname and used + active_host: "0.0.0.0" + + # ports for active ftp; string indicating a range + active_ports: 63001-64000 diff --git a/docker/dionaea/dist/etc/ihandlers/log_json.yaml b/docker/dionaea/dist/etc/ihandlers/log_json.yaml new file mode 100644 index 00000000..2994d557 --- /dev/null +++ b/docker/dionaea/dist/etc/ihandlers/log_json.yaml @@ -0,0 +1,7 @@ +- name: log_json + config: + # Uncomment next line to flatten object lists to work with ELK + flat_data: true + handlers: + #- http://127.0.0.1:8080/ + - file:///opt/dionaea/var/log/dionaea.json diff --git a/docker/dionaea/dist/etc/ihandlers/log_sqlite.yaml b/docker/dionaea/dist/etc/ihandlers/log_sqlite.yaml new file mode 100644 index 00000000..57a919ff --- /dev/null +++ b/docker/dionaea/dist/etc/ihandlers/log_sqlite.yaml @@ -0,0 +1,3 @@ +- name: log_sqlite + config: + file: /opt/dionaea/var/log/dionaea.sqlite diff --git a/docker/dionaea/dist/etc/ihandlers/store.yaml b/docker/dionaea/dist/etc/ihandlers/store.yaml new file mode 100644 index 00000000..88b8f6ba --- /dev/null +++ b/docker/dionaea/dist/etc/ihandlers/store.yaml @@ -0,0 +1 @@ +- name: store diff --git a/docker/dionaea/dist/etc/ihandlers/tftp_download.yaml b/docker/dionaea/dist/etc/ihandlers/tftp_download.yaml new file mode 100644 index 00000000..cf348a22 --- /dev/null +++ b/docker/dionaea/dist/etc/ihandlers/tftp_download.yaml @@ -0,0 +1 @@ +- name: tftp_download diff --git a/docker/dionaea/dist/etc/services/epmap.yaml b/docker/dionaea/dist/etc/services/epmap.yaml new file mode 100644 index 00000000..d70085f8 --- /dev/null +++ b/docker/dionaea/dist/etc/services/epmap.yaml @@ -0,0 +1 @@ +- name: epmap diff --git a/docker/dionaea/dist/etc/services/ftp.yaml b/docker/dionaea/dist/etc/services/ftp.yaml new file mode 100644 index 00000000..c4d4398a --- /dev/null +++ b/docker/dionaea/dist/etc/services/ftp.yaml @@ -0,0 +1,5 @@ +- name: ftp + config: + root: /opt/dionaea/var/dionaea/roots/ftp + response_messages: + welcome_msg: 220 FTP server ready. diff --git a/docker/dionaea/dist/etc/services/http.yaml b/docker/dionaea/dist/etc/services/http.yaml new file mode 100644 index 00000000..9a22e39b --- /dev/null +++ b/docker/dionaea/dist/etc/services/http.yaml @@ -0,0 +1,17 @@ +- name: http + config: + root: "/opt/dionaea/var/dionaea/roots/www" + ports: + - 80 + ssl_ports: + - 443 + max_request_size: 32768 # maximum size in kbytes of the request (32MB) + global_headers: + - ["Server", "nginx"] + headers: + - filename_pattern: ".*\\.php" + headers: + - ["Content-Type", "text/html; charset=utf-8"] + - ["Content-Length", "{content_length}"] + - ["Connection", "{connection}"] + - ["X-Powered-By", "PHP/5.6"] diff --git a/docker/dionaea/dist/etc/services/mirror.yaml b/docker/dionaea/dist/etc/services/mirror.yaml new file mode 100644 index 00000000..160c7935 --- /dev/null +++ b/docker/dionaea/dist/etc/services/mirror.yaml @@ -0,0 +1 @@ +- name: mirror diff --git a/docker/dionaea/dist/etc/services/mongo.yaml b/docker/dionaea/dist/etc/services/mongo.yaml new file mode 100644 index 00000000..c93e2bba --- /dev/null +++ b/docker/dionaea/dist/etc/services/mongo.yaml @@ -0,0 +1 @@ +- name: mongo diff --git a/docker/dionaea/dist/etc/services/mqtt.yaml b/docker/dionaea/dist/etc/services/mqtt.yaml new file mode 100644 index 00000000..b8efd369 --- /dev/null +++ b/docker/dionaea/dist/etc/services/mqtt.yaml @@ -0,0 +1 @@ +- name: mqtt diff --git a/docker/dionaea/dist/etc/services/mssql.yaml b/docker/dionaea/dist/etc/services/mssql.yaml new file mode 100644 index 00000000..de1c2566 --- /dev/null +++ b/docker/dionaea/dist/etc/services/mssql.yaml @@ -0,0 +1 @@ +- name: mssql diff --git a/docker/dionaea/dist/etc/services/mysql.yaml b/docker/dionaea/dist/etc/services/mysql.yaml new file mode 100644 index 00000000..c539787d --- /dev/null +++ b/docker/dionaea/dist/etc/services/mysql.yaml @@ -0,0 +1,10 @@ +- name: mysql + config: + databases: + information_schema: + path: ":memory:" + # example how to extend this + # just provide a databasename and path to the database + # the database can be altered by attackers, so ... better use a copy +# psn: +# path: "/path/to/cc_info.sqlite" diff --git a/docker/dionaea/dist/etc/services/pptp.yaml b/docker/dionaea/dist/etc/services/pptp.yaml new file mode 100644 index 00000000..eaf9ef1c --- /dev/null +++ b/docker/dionaea/dist/etc/services/pptp.yaml @@ -0,0 +1,26 @@ +- name: pptp + config: +# Cisco PIX +# firmware_revision: 4608 +# hostname: +# vendor_name: Cisco Systems + +# DrayTek +# firmware: 1 +# hostname: Vigor +# vendor_name: DrayTek + +# Linux + firmware: 1 + hostname: local + vendor_name: linux + +# Windows +# firmware_revision: 0 +# hostname: +# vendor_name: Microsoft + +# MikroTik router +# firmware_revision: 1 +# hostname: MikroTik +# vendor_name: MikroTik diff --git a/docker/dionaea/dist/etc/services/sip.yaml b/docker/dionaea/dist/etc/services/sip.yaml new file mode 100644 index 00000000..a25a9fb0 --- /dev/null +++ b/docker/dionaea/dist/etc/services/sip.yaml @@ -0,0 +1,40 @@ +- name: sip + config: + udp_ports: + - 5060 + tcp_ports: + - 5060 + tls_ports: + - 5061 + users: "/opt/dionaea/var/dionaea/sipaccounts.sqlite" + rtp: + enable: true + # how to dump the rtp stream + # bistream = dump as bistream + modes: + - bistream + - pcap + pcap: + path: "var/dionaea/rtp/{personality}/%Y-%m-%d/" + filename: "%H:%M:%S_{remote_host}_{remote_port}_in.pcap" + personalities: + default: + domain: "localhost" + name: "softphone" + personality: "generic" +# next-server: +# domain: "my-domain" +# name: "my server" +# personality: "generic" +# serve: ["10.0.0.1"] +# default_sdp: "default" +# handle: ["REGISTER", "INVITE", "BYE", "CANCEL", "ACK"] + + actions: + bank-redirect: + do: "redirect" + params: + play-hello: + do: "play" + params: + file: "var/dionaea/.../file.ext" diff --git a/docker/dionaea/dist/etc/services/smb.yaml b/docker/dionaea/dist/etc/services/smb.yaml new file mode 100644 index 00000000..bc374c24 --- /dev/null +++ b/docker/dionaea/dist/etc/services/smb.yaml @@ -0,0 +1,57 @@ +- name: smb + config: + + ## Generic setting ## + + # 1:"Windows XP Service Pack 0/1", + # 2:"Windows XP Service Pack 2", + # 3:"Windows XP Service Pack 3", + # 4:"Windows 7 Service Pack 1", + # 5:"Linux Samba 4.3.11" + os_type: 4 + + # Additional config + primary_domain: WORKGROUP + oem_domain_name: WORKGROUP + server_name: WIN_SRV + + ## Windows 7 ## + native_os: Windows 7 Professional 7600 + native_lan_manager: Windows 7 Professional 6.1 + shares: + ADMIN$: + comment: Remote Admin + path: C:\\Windows + type: disktree + C$: + coment: Default Share + path: C:\\ + type: + - disktree + - special + IPC$: + comment: Remote IPC + type: ipc + Printer: + comment: Microsoft XPS Document Writer + type: printq + + ## Samba ## +# native_os: Windows 6.1 +# native_lan_manager: Samba 4.3.11 +# shares: +# admin: +# comment: Remote Admin +# path: \\home\\admin +# type: disktree +# share: +# coment: Default Share +# path: \\share +# type: disktree +# IPC$: +# comment: Remote IPC +# path: IPC Service +# type: ipc +# Printer: +# comment: Printer Drivers +# type: printq diff --git a/docker/dionaea/dist/etc/services/tftp.yaml b/docker/dionaea/dist/etc/services/tftp.yaml new file mode 100644 index 00000000..aa822332 --- /dev/null +++ b/docker/dionaea/dist/etc/services/tftp.yaml @@ -0,0 +1,3 @@ +- name: tftp + config: + root: /opt/dionaea/var/dionaea/roots/tftp diff --git a/docker/dionaea/dist/etc/services/upnp.yaml b/docker/dionaea/dist/etc/services/upnp.yaml new file mode 100644 index 00000000..40a48d24 --- /dev/null +++ b/docker/dionaea/dist/etc/services/upnp.yaml @@ -0,0 +1,28 @@ +- name: upnp + config: + root: /opt/dionaea/var/dionaea/roots/upnp + # maximum size in kbytes of the request (32MB) + max_request_size: 32768 + personality: + # default + cache: "CACHE-CONTROL: max-age=120\r\n" + st: "ST: upnp:rootdevice\r\n" + usn: "USN: uuid:Upnp-IPMI-1_0-1234567890001::upnp:rootdevice\r\n" + server: "SERVER: Linux/2.6.17.WB_WPCM450.1.3 UPnP/1.0, Intel SDK for UPnP devices/1.3.1\r\n" + location: "LOCATION: http://192.168.0.1:49152/IPMIdevicedesc.xml\r\n" + opt: "OPT: http://schemas.upnp.org/upnp/1/0/\r\n" +# # Samsung TV +# cache: "CACHE-CONTROL: max-age=900\r\n" +# st: "ST: uuid:c1fd12b2-d954-4dba-9e92-a697e1558fb4\r\n" +# usn: "USN: uuid:c1fd12b2-d954-4dba-9e92-a697e1558fb4\r\n" +# server: "SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0\r\n" +# location: "LOCATION: http://192.168.0.10:7677/MainTVServer2\r\n" +# opt: "OPT: http://schemas.upnp.org/upnp/1/0/\r\n" +# +# # XBOX 360 +# cache: "CACHE-CONTROL: max-age=1800\r\n" +# st: "ST: urn:microsoft.com:service:X_MS_MediaReceiverRegistrar:1\r\n" +# usn: "USN: uuid:531c567a-8c46-4201-bcd4-09afa554d859::urn:microsoft.com:service:X_MS_MediaReceiverRegistrar:1\r\n" +# server: "SERVER: Microsoft-Windows/6.3 UPnP/1.0 UPnP-Device-Host/1.0\r\n" +# location: "LOCATION: http://192.168.0.10:1055/upnphost/udhisapi.dll?content=uuid:531c567a-8c46-4201-bcd4-09afa554d859\r\n" +# opt: "OPT: http://schemas.upnp.org/upnp/1/0/\r\n" diff --git a/docker/dionaea/doc/dashboard.png b/docker/dionaea/doc/dashboard.png new file mode 100644 index 00000000..512449b8 Binary files /dev/null and b/docker/dionaea/doc/dashboard.png differ diff --git a/docker/dionaea/docker-compose.yml b/docker/dionaea/docker-compose.yml new file mode 100644 index 00000000..0194c38f --- /dev/null +++ b/docker/dionaea/docker-compose.yml @@ -0,0 +1,46 @@ +# T-Pot (Standard) +# For docker-compose ... +version: '2.1' + +networks: + dionaea_local: + +services: + +# Dionaea service + dionaea: + container_name: dionaea + stdin_open: true + restart: always + networks: + - dionaea_local + cap_add: + - NET_BIND_SERVICE + ports: + - "20:20" + - "21:21" + - "42:42" + - "69:69/udp" + - "8081:80" + - "135:135" + - "443:443" + - "445:445" + - "1433:1433" + - "1723:1723" + - "1883:1883" + - "1900:1900/udp" + - "3306:3306" + - "5060:5060" + - "5060:5060/udp" + - "5061:5061" + - "27017:27017" + image: "dtagdevsec/dionaea:1706" + volumes: + - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp + - /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp + - /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www + - /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp + - /data/dionaea:/opt/dionaea/var/dionaea + - /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries + - /data/dionaea/log:/opt/dionaea/var/log + - /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp diff --git a/docker/elasticpot/Dockerfile b/docker/elasticpot/Dockerfile new file mode 100644 index 00000000..b1c4bad0 --- /dev/null +++ b/docker/elasticpot/Dockerfile @@ -0,0 +1,30 @@ +FROM alpine +MAINTAINER MS/MO + +# Include dist +ADD dist/ /root/dist/ + +# Install packages +RUN apk -U upgrade && \ + apk add bash python3 git && \ + pip3 install --upgrade pip && \ + pip3 install bottle requests configparser datetime && \ + mkdir -p /opt && \ + cd /opt/ && \ + git clone https://github.com/schmalle/ElasticpotPY.git && \ + +# Setup user, groups and configs + addgroup -g 2000 elasticpot && \ + adduser -S -H -s /bin/bash -u 2000 -D -g 2000 elasticpot && \ + mv /root/dist/elasticpot.cfg /opt/ElasticpotPY/ && \ + mkdir /opt/ElasticpotPY/log && \ + +# Clean up + apk del git && \ + rm -rf /root/* && \ + rm -rf /var/cache/apk/* + +# Start elasticpot +USER elasticpot +WORKDIR /opt/ElasticpotPY/ +CMD ["/usr/bin/python3","main.py"] diff --git a/docker/elasticpot/README.md b/docker/elasticpot/README.md new file mode 100644 index 00000000..c7fd9300 --- /dev/null +++ b/docker/elasticpot/README.md @@ -0,0 +1,27 @@ +# dockerized elasticpot + + +[elasticpot](https://github.com/schmalle/ElasticPot) elasticpot is a simple elastic search honeypot. + +This repository contains the necessary files to create a *dockerized* version of elasticpot. + +This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG. + +The `Dockerfile` contains the blueprint for the dockerized elasticpot and will be used to setup the docker image. + +The `supervisord.conf` is used to start elasticpot under supervision of supervisord. + +Using systemd, copy the `systemd/elasticpot.service` to `/etc/systemd/system/elasticpot.service` and start using + +``` +systemctl enable elasticpot +systemctl start elasticpot +``` + +This will make sure that the docker container is started with the appropriate permissions and port mappings. Further, it autostarts during boot. + +By default all data will be stored in `/data/elasticpot/` until the honeypot service will be restarted which is by default every 24 hours. If you want to keep data persistently simply edit the ``service`` file, find the line that contains ``clean.sh`` and set the option from ``off`` to ``on``. Be advised to establish some sort of log management if you wish to do so. + +# ElasticPot Dashboard + +![ElasticPot Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/elasticpot/master/doc/dashboard.png) diff --git a/docker/elasticpot/dist/elasticpot.cfg b/docker/elasticpot/dist/elasticpot.cfg new file mode 100644 index 00000000..fef4f781 --- /dev/null +++ b/docker/elasticpot/dist/elasticpot.cfg @@ -0,0 +1,31 @@ +# ElasticPot Config + +[MAIN] +# Manually set the externally accessible IP of the honeypot +ip = 192.168.1.1 + + +[ELASTICPOT] +# ID pf the elasticpot instance +nodeid = elasticpot-community-01 + +# Location of the json logfile +logfile = log/elasticpot.log + +# Set elasticpot = False to disable json logging and enable automatic attack submission to ews backend (soap) +elasticpot = True + + +[EWS] +# Note: Only relevant if "elasticpot = False" +# Username for ews submission +username = community-01-user + +# Token for ews submission +token = foth{a5maiCee8fineu7 + +# API endpoint for ews submission +rhost_first = https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage + +# Ignore certificate warnings +ignorecert = false diff --git a/docker/elasticpot/doc/dashboard.png b/docker/elasticpot/doc/dashboard.png new file mode 100644 index 00000000..a35384be Binary files /dev/null and b/docker/elasticpot/doc/dashboard.png differ diff --git a/docker/elasticpot/docker-compose.yml b/docker/elasticpot/docker-compose.yml new file mode 100644 index 00000000..825c7f78 --- /dev/null +++ b/docker/elasticpot/docker-compose.yml @@ -0,0 +1,18 @@ +version: '2.1' + +networks: + elasticpot_local: + +services: + +# Elasticpot service + elasticpot: + container_name: elasticpot + restart: always + networks: + - elasticpot_local + ports: + - "9200:9200" + image: "dtagdevsec/elasticpot:1706" + volumes: + - /data/elasticpot/log:/opt/ElasticpotPY/log diff --git a/docker/elk/LICENSE b/docker/elk/LICENSE new file mode 100644 index 00000000..ef7e7efc --- /dev/null +++ b/docker/elk/LICENSE @@ -0,0 +1,674 @@ +GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. + + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + {one line to give the program's name and a brief idea of what it does.} + Copyright (C) {year} {name of author} + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + {project} Copyright (C) {year} {fullname} + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. diff --git a/docker/elk/README.md b/docker/elk/README.md new file mode 100644 index 00000000..7fbc2f1a --- /dev/null +++ b/docker/elk/README.md @@ -0,0 +1,33 @@ +# dockerized elk stack + + +[elk](http://www.elasticsearch.org/overview/) is a stack combining elasticsearch, logstash and the kibana dashboard. It is used to structure and vizualize data in realtime. + +This repository contains the necessary files to create a *dockerized* version of the elk stack. + +This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG. + +The `Dockerfile` contains the blueprint for the dockerized elk stack and will be used to setup the docker image. + +Further, `elasticsearch.yml`, `logstash.conf`, `elkbase.tar.gz`, `elk.ico` and `kibana.svg`, are all tailored to fit the T-Pot environment. + +The `supervisord.conf` is used to start elk under supervision of supervisord. + +Using systemd, copy the `systemd/elk.service` to `/etc/systemd/system/elk.service` and start using + +``` +systemctl enable elk +systemctl start elk +``` + +This will make sure that the docker container is started with the appropriate permissions and port mappings. Further, it autostarts during boot. + +Starting with T-Pot 16.10 you can simply access the kibana dashboard by browsing to ``https://:64297`` and enter your web user credentials. + +Note: The kibana dashboard can be customized to fit your needs. + +By default all data will be persistently stored in `/data/elk/`. Indexed events older than 90 days will be deleted. You can adjust this behavior in `/etc/crontab` to fit your needs, but be advised to provide enough RAM and free disk-space if you wish to do so. + +# T-Pot Dashboard + +![T-Pot Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/elk/master/doc/dashboard.png) diff --git a/docker/elk/doc/dashboard.png b/docker/elk/doc/dashboard.png new file mode 100644 index 00000000..e3770543 Binary files /dev/null and b/docker/elk/doc/dashboard.png differ diff --git a/docker/elk/elasticsearch/Dockerfile b/docker/elk/elasticsearch/Dockerfile new file mode 100644 index 00000000..61a3b1eb --- /dev/null +++ b/docker/elk/elasticsearch/Dockerfile @@ -0,0 +1,36 @@ +FROM alpine +MAINTAINER MO + +# Include dist +ADD dist/ /root/dist/ + +# Setup env and apt +RUN apk -U upgrade && \ + apk add bash curl openjdk8-jre procps wget && \ + +# Get and install packages + cd /root/dist/ && \ + mkdir -p /usr/share/elasticsearch/ && \ + wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.6.1.tar.gz && \ + tar xvfz elasticsearch-5.6.1.tar.gz --strip-components=1 -C /usr/share/elasticsearch/ && \ + +# Add and move files + cd /root/dist/ && \ + mkdir -p /usr/share/elasticsearch/config && \ + cp elasticsearch.yml /usr/share/elasticsearch/config/ && \ + +# Setup user, groups and configs + addgroup -g 2000 elasticsearch && \ + adduser -S -H -s /bin/bash -u 2000 -D -g 2000 elasticsearch && \ + chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/ && \ + +# Clean up + apk del wget && \ + rm -rf /root/* + +# Healthcheck +HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9200/_cat/health' + +# Start ELK +USER elasticsearch +CMD ["/usr/share/elasticsearch/bin/elasticsearch"] diff --git a/docker/elk/elasticsearch/dist/elasticsearch.yml b/docker/elk/elasticsearch/dist/elasticsearch.yml new file mode 100644 index 00000000..d1408f0a --- /dev/null +++ b/docker/elk/elasticsearch/dist/elasticsearch.yml @@ -0,0 +1,8 @@ +cluster.name: tpotcluster +node.name: "tpotcluster-node-01" +path: + logs: /data/elk/log + data: /data/elk/data +http.host: 0.0.0.0 +http.cors.enabled: true +http.cors.allow-origin: "*" diff --git a/docker/elk/head/Dockerfile b/docker/elk/head/Dockerfile new file mode 100644 index 00000000..3e6db58f --- /dev/null +++ b/docker/elk/head/Dockerfile @@ -0,0 +1,32 @@ +# Elasticsearch-head Dockerfile by MO +# +# VERSION 17.06 +FROM alpine +MAINTAINER MO + +# Setup env and apt +RUN apk -U upgrade && \ + apk add bash curl nodejs nodejs-npm git procps && \ + +# Get and install packages + mkdir -p /usr/src/app/ && \ + cd /usr/src/app/ && \ + git clone https://github.com/mobz/elasticsearch-head . && \ + npm install http-server && \ + sed -i 's/\"http\:\/\/localhost\:9200\"/\"https\:\/\/\\:64297\/es\/\"/' /usr/src/app/_site/app.js && \ + +# Setup user, groups and configs + addgroup -g 2000 head && \ + adduser -S -H -s /bin/bash -u 2000 -D -g 2000 head && \ + chown -R head:head /usr/src/app/ && \ + +# Clean up + apk del git + +# Healthcheck +HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9100' + +# Start elasticsearch-head +USER head +WORKDIR /usr/src/app +CMD ["node_modules/http-server/bin/http-server", "_site", "-p", "9100"] diff --git a/docker/elk/kibana/Dockerfile b/docker/elk/kibana/Dockerfile new file mode 100644 index 00000000..fd7964b4 --- /dev/null +++ b/docker/elk/kibana/Dockerfile @@ -0,0 +1,52 @@ +FROM alpine +MAINTAINER MO + +# Include dist +ADD dist/ /root/dist/ + +# Setup env and apt +RUN apk -U upgrade && \ + apk add bash curl nodejs procps wget && \ + +# Get and install packages + cd /root/dist/ && \ + mkdir -p /usr/share/kibana/ && \ + wget https://artifacts.elastic.co/downloads/kibana/kibana-5.6.1-linux-x86_64.tar.gz && \ + tar xvfz kibana-5.6.1-linux-x86_64.tar.gz --strip-components=1 -C /usr/share/kibana/ && \ + +# Kibana's bundled node does not work in alpine + rm /usr/share/kibana/node/bin/node && \ + rm /usr/share/kibana/node/bin/npm && \ + ln -s /usr/bin/node /usr/share/kibana/node/bin/node && \ + ln -s /usr/bin/npm /usr/share/kibana/node/bin/npm && \ + +# Add and move files + cd /root/dist/ && \ + cp kibana.svg /usr/share/kibana/src/ui/public/images/kibana.svg && \ + cp kibana.svg /usr/share/kibana/src/ui/public/icons/kibana.svg && \ + cp elk.ico /usr/share/kibana/src/ui/public/assets/favicons/favicon.ico && \ + cp elk.ico /usr/share/kibana/src/ui/public/assets/favicons/favicon-16x16.png && \ + cp elk.ico /usr/share/kibana/src/ui/public/assets/favicons/favicon-32x32.png && \ + cp create_kibana_index.js /usr/share/kibana/src/core_plugins/elasticsearch/lib/ && \ + cd / && \ + +# Setup user, groups and configs + sed -i 's/#server.basePath: ""/server.basePath: "\/kibana"/' /usr/share/kibana/config/kibana.yml && \ + sed -i 's/#kibana.defaultAppId: "discover"/kibana.defaultAppId: "dashboards"/' /usr/share/kibana/config/kibana.yml && \ + sed -i 's/#server.host: "localhost"/server.host: "0.0.0.0"/' /usr/share/kibana/config/kibana.yml && \ + sed -i 's/#elasticsearch.url: "http:\/\/localhost:9200"/elasticsearch.url: "http:\/\/elasticsearch:9200"/' /usr/share/kibana/config/kibana.yml && \ + /usr/share/kibana/bin/kibana 2>&1 | grep -m 1 "Optimization of bundles" && \ + addgroup -g 2000 kibana && \ + adduser -S -H -s /bin/bash -u 2000 -D -g 2000 kibana && \ + chown -R kibana:kibana /usr/share/kibana/ && \ + +# Clean up + apk del wget && \ + rm -rf /root/* + +# Healthcheck +HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:5601' + +# Start kibana +USER kibana +CMD ["/usr/share/kibana/bin/kibana"] diff --git a/docker/elk/kibana/dashboard/es_kibana.json b/docker/elk/kibana/dashboard/es_kibana.json new file mode 100644 index 00000000..0c54d6ae --- /dev/null +++ b/docker/elk/kibana/dashboard/es_kibana.json @@ -0,0 +1,176 @@ +{"_index":".kibana","_type":"index-pattern","_id":"logstash-*","_score":1,"_source":{"title":"logstash-*","timeFieldName":"@timestamp","fields":"[{\"name\":\"geoip.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proxy_connection.payload.data_hex.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"attack_connection.payload.sha512_hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.coordinates\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":false,\"aggregatable\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proxy_connection.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proxy_connection.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.full.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dest_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"proxy_connection.local_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"attack_connection.payload.md5_hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proxy_connection.payload.data_hex\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"attack_connection.payload.md5_hash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"start_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"proxy_connection.local_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"proxy_connection.payload.length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"proxy_connection.payload.sha512_hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proxy_connection.local_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"dest_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"attack_connection.payload.sha512_hash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dest_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.real_region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false,\"searchable\":false,\"aggregatable\":false},{\"name\":\"geoip.real_region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proxy_connection.payload.md5_hash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"is_virtual\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"proxy_connection.payload.md5_hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"download_tries\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"attack_connection.payload.data_hex.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"src_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"attack_connection.payload.length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"src_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.asn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"end_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"operation_mode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"attack_connection.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proxy_connection.remote_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"download_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.full\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proxy_connection.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"attack_connection.payload.data_hex\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.asn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"attack_connection.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"proxy_connection.payload.sha512_hash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"proxy_connection.remote_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"honeypot.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"honeypot.nodeid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"honeypot.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"honeypot.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"honeypot.query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"honeypot.nodeid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"pam_session_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"pam_module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"pam_by.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"pam_session_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"pam_caller\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"logsource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"pam_caller.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"logsource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"pam_module.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"pam_by\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"program.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"mod\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"dist\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"raw_hits\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"app\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"mod.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"raw_freq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"link.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"params\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"app.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dist.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"link\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"raw_hits.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"uptime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"raw_mtu\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"raw_freq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"raw_sig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"lang\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"params.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"uptime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"lang.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"raw_sig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"raw_mtu.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"encCS\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"eventid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"keyAlgs\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"encCS.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"sensor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"fingerprint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"compCS.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"session.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"macCS.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ttylog\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"input\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ttylog.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"shasum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"isError\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"input.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"width\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"compCS\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"kexAlgs\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"shasum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"outfile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"fingerprint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"sensor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"kexAlgs.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"keyAlgs.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"eventid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"session\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"outfile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"macCS\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"dns.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.redirect\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"smtp.helo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"dns.rcode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ssh.client.proto_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"icmp_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ssh.server.proto_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"alert.action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.rrname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tls.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"tx_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.http_user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.http_user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"icmp_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tls.subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"tls.subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.http_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"fileinfo.filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tls.fingerprint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"in_iface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.http_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"fileinfo.filename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"ssh.client.software_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.accept_encoding.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"fileinfo.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.rrtype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"fileinfo.size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.rrtype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"tls.issuerdn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"alert.category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.accept_language\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"fileinfo.tx_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.rcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"tls.issuerdn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.rrname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proto.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"flow_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"alert.severity\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.ttl\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"fileinfo.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"alert.signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"alert.category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tls.fingerprint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"smtp.helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.tx_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"app_proto.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"proto\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.accept_encoding\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"dns.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.rdata\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.http_content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"ssh.client.software_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"fileinfo.stored\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"alert.rev\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ssh.server.software_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"alert.signature_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"alert.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"ssh.server.proto_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ssh.client.proto_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"tls.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ssh.server.software_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"dns.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.rdata.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.redirect.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"app_proto\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"fileinfo.magic\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"in_iface\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"tls.sni\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"alert.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"alert.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"fileinfo.magic.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.http_content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tls.sni.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.status\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.accept_language.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"login.password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"connection.transport.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"login.username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"login.password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"ftp.commands.arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"login.username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"ftp.commands.command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"connection.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"connection.transport\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"connection.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"ftp.commands.command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"src_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"connection.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"src_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"ftp.commands.arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"connection.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http_uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http_uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http_referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"body_bytes_sent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"request_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"remote_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"body_bytes_sent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http_referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"remote_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"request_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http_user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"request_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http_user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"request_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.http_refer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.http_refer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"dst_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"sensorid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dst_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"sensorid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"data_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"data_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.authorization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.authorization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ruser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"logname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"euid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ruser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"logname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"euid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"remote_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"remote_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tls.notafter\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tls.notbefore\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.xff\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.xff.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"realm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"realm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false,\"searchable\":false,\"aggregatable\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false,\"searchable\":true,\"aggregatable\":true},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false,\"searchable\":false,\"aggregatable\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false,\"searchable\":false,\"aggregatable\":false}]","fieldFormatMap":"{\"src_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"dst_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"dest_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.speedguide.net/port.php?port={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"src_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.speedguide.net/port.php?port={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.local_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.speedguide.net/port.php?port={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.remote_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.speedguide.net/port.php?port={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"alert.signature_id\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://doc.emergingthreats.net/bin/view/Main/{{value}}\",\"labelTemplate\":\"{{value}}\"}},\"dest_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"geoip.ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.local_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.remote_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"geoip.country_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"geoip.real_region_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"geoip.city_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"geoip.number\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://mxtoolbox.com/SuperTool.aspx?action=asn%3a{{value}}&run=toolpage\",\"labelTemplate\":\"{{value}}\"}},\"status\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://httpstatuses.com/{{value}}\",\"labelTemplate\":\"{{value}}\"}},\"http.status\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://httpstatuses.com/{{value}}\",\"labelTemplate\":\"{{value}}\"}},\"dns.rrname\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"geoip.asn\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"http_user_agent\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://ua.theafh.net/list.php?s={{value}}&include=yes&class=abr&do=desc\",\"labelTemplate\":\"{{value}}\"}},\"http.http_user_agent\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://ua.theafh.net/list.php?s={{value}}&include=yes&class=abr&do=desc\",\"labelTemplate\":\"{{value}}\"}},\"os\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"link\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"event_type\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"tls.sni\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://www.ssllabs.com/ssltest/analyze.html?d={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"tls.version\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"src_ip.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"http_user_agent.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://ua.theafh.net/list.php?s={{value}}&include=yes&class=abr&do=desc\",\"labelTemplate\":\"{{value}}\"}},\"geoip.country_name.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"geoip.city_name.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"status.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://httpstatuses.com/{{value}}\",\"labelTemplate\":\"{{value}}\"}},\"geoip.number.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://mxtoolbox.com/SuperTool.aspx?action=asn%3a{{value}}&run=toolpage\",\"labelTemplate\":\"{{value}}\"}},\"geoip.asn.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"geoip.real_region_name.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"event_type.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"dest_ip.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.remote_ip.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.local_ip.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"dst_ip.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"os.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"link.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"tls.version.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"dns.rrname.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"tls.sni.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://www.ssllabs.com/ssltest/analyze.html?d={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"http.http_user_agent.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://ua.theafh.net/list.php?s={{value}}&include=yes&class=abr&do=desc\",\"labelTemplate\":\"{{value}}\"}}}"}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-DNS-RType-Top-10","_score":1,"_source":{"title":"Suricata - DNS RType","visState":"{\"title\":\"Suricata - DNS RType\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dns.rrtype.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-SSH-Server-Protocol-Version","_score":1,"_source":{"title":"Suricata - SSH Server Protocol Version","visState":"{\"title\":\"Suricata - SSH Server Protocol Version\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssh.server.proto_version.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-Alert-Signature-by-Country","_score":1,"_source":{"title":"Suricata - Alert Signature by Country","visState":"{\"title\":\"Suricata - Alert Signature by Country\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"row\":false}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"alert.signature.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-DNS-Name-Top-10","_score":1,"_source":{"title":"Suricata - DNS Name - Top 10","visState":"{\"title\":\"Suricata - DNS Name - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.rrname.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"DNS Name\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-Fileinfo-Magic-Top-10","_score":1,"_source":{"title":"Suricata - Fileinfo Magic - Top 10","visState":"{\"title\":\"Suricata - Fileinfo Magic - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"fileinfo.magic.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-TLS-Issuer-Top-10","_score":1,"_source":{"title":"Suricata - TLS Issuer - Top 10","visState":"{\"title\":\"Suricata - TLS Issuer - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"tls.issuerdn.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"TLS Issuer\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-Countries-Top-10","_score":1,"_source":{"title":"Suricata - Countries - Top 10","visState":"{\"title\":\"Suricata - Countries - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-Events-by-Country-Histogram","_score":1,"_source":{"title":"Suricata - Events by Country Histogram","visState":"{\"title\":\"Suricata - Events by Country Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-HTTP-Hostname-Top-10","_score":1,"_source":{"title":"Suricata - HTTP Hostname - Top 10","visState":"{\"title\":\"Suricata - HTTP Hostname - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.hostname.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"HTTP Hostname\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-HTTP-Hostname-Pie-Top-10","_score":1,"_source":{"title":"Suricata - HTTP Hostname Pie - Top 10","visState":"{\"title\":\"Suricata - HTTP Hostname Pie - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.hostname.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-HTTP-Method-Pie-Top-10","_score":1,"_source":{"title":"Suricata - HTTP Method Pie - Top 10","visState":"{\"title\":\"Suricata - HTTP Method Pie - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.http_method.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-Alert-Signature-Histogram-Top-10","_score":1,"_source":{"title":"Suricata - Alert Signature Histogram - Top 10","visState":"{\"title\":\"Suricata - Alert Signature Histogram - Top 10\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"alert.signature.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-SSH-Server-Software-Version-Top-10","_score":1,"_source":{"title":"Suricata - SSH Server Software Version - Top 10","visState":"{\"title\":\"Suricata - SSH Server Software Version - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssh.server.software_version.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"SSH Server Version\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-Alert-Category-Histogram-Top-10","_score":1,"_source":{"title":"Suricata - Alert Category Histogram - Top 10","visState":"{\"title\":\"Suricata - Alert Category Histogram - Top 10\",\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"overlap\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"alert.category.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-SSH-Server-Software-Version-Pie-Top-10","_score":1,"_source":{"title":"Suricata - SSH Server Software Version Pie - Top 10","visState":"{\"title\":\"Suricata - SSH Server Software Version Pie - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssh.server.software_version.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-HTTP-User-Agent-Pie-Top-10","_score":1,"_source":{"title":"Suricata - HTTP User Agent Pie - Top 10","visState":"{\"title\":\"Suricata - HTTP User Agent Pie - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.http_user_agent.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-Source-IP-Top-10","_score":1,"_source":{"title":"Suricata - Source IP - Top 10","visState":"{\"title\":\"Suricata - Source IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-TLS-Server-Name-Indication-Top-10","_score":1,"_source":{"title":"Suricata - TLS Server Name Indication - Top 10","visState":"{\"title\":\"Suricata - TLS Server Name Indication - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"tls.sni.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"TLS Server Name Indication\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-SSH-Client-Software-Version-Top-10","_score":1,"_source":{"title":"Suricata - SSH Client Software Version - Top 10","visState":"{\"title\":\"Suricata - SSH Client Software Version - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssh.client.software_version.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"SSH Client Version\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-HTTP-Referrer-Top-10","_score":1,"_source":{"title":"Suricata - HTTP Referrer - Top 10","visState":"{\"title\":\"Suricata - HTTP Referrer - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.http_refer.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"HTTP Referrer\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-Alert-Signature-Bar-Chart-Top-10","_score":1,"_source":{"title":"Suricata - Alert Signature Bar Chart - Top 10","visState":"{\"title\":\"Suricata - Alert Signature Bar Chart - Top 10\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"alert.signature.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-HTTP-Content-Type-Top-10","_score":1,"_source":{"title":"Suricata - HTTP Content Type - Top 10","visState":"{\"title\":\"Suricata - HTTP Content Type - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.http_content_type.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-SSH-Client-Software-Version-Pie-Top-10","_score":1,"_source":{"title":"Suricata - SSH Client Software Version Pie - Top 10","visState":"{\"title\":\"Suricata - SSH Client Software Version Pie - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssh.client.software_version.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-HTTP-User-Agent-Top-10","_score":1,"_source":{"title":"Suricata - HTTP User Agent - Top 10","visState":"{\"title\":\"Suricata - HTTP User Agent - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.http_user_agent.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-HTTP-Protocol","_score":1,"_source":{"title":"Suricata - HTTP Protocol","visState":"{\"title\":\"Suricata - HTTP Protocol\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.protocol.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-Map","_score":1,"_source":{"title":"Suricata - Map","visState":"{\"title\":\"Suricata - Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"mapZoom\":2,\"mapCenter\":[0,-0.17578125],\"precision\":2}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-ASN-Top-10","_score":1,"_source":{"title":"Suricata - ASN - Top 10","visState":"{\"title\":\"Suricata - ASN - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.number.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"AS\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"ASN\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-Destination-Ports-Histogram","_score":1,"_source":{"title":"Suricata - Destination Ports Histogram","visState":"{\"title\":\"Suricata - Destination Ports Histogram\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dest_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-DNS-Type-Top-10","_score":1,"_source":{"title":"Suricata - DNS Type","visState":"{\"title\":\"Suricata - DNS Type\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dns.type.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-TLS-Version","_score":1,"_source":{"title":"Suricata - TLS Version","visState":"{\"title\":\"Suricata - TLS Version\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tls.version.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-Events-Histogram","_score":1,"_source":{"title":"Suricata - Events Histogram","visState":"{\"title\":\"Suricata - Events Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Access Count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Source IPs\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-HTTP-Accept-Encoding","_score":1,"_source":{"title":"Suricata - HTTP Accept Encoding","visState":"{\"title\":\"Suricata - HTTP Accept Encoding\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.accept_encoding.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-Destination-IP-Top-10","_score":1,"_source":{"title":"Suricata - Destination IP - Top 10","visState":"{\"title\":\"Suricata - Destination IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dest_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-Alert-Signature-Top-10","_score":1,"_source":{"title":"Suricata - Alert Signature - Top 10","visState":"{\"title\":\"Suricata - Alert Signature - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.signature.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Alert Signature\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.signature_id\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Alert Signature ID\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Syslog-Map","_score":1,"_source":{"title":"Syslog - Map","visState":"{\"title\":\"Syslog - Map\",\"type\":\"tile_map\",\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"mapType\":\"Scaled Circle Markers\",\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"precision\":2}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Syslog-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Syslog-Program-Top-10","_score":1,"_source":{"title":"Syslog - Program - Top 10","visState":"{\"title\":\"Syslog - Program - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"program.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Syslog-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Syslog-Events-Histogram","_score":1,"_source":{"title":"Syslog - Events Histogram","visState":"{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"3\",\"params\":{\"field\":\"program.keyword\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"2\",\"params\":{\"customInterval\":\"2h\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"radiusRatio\":9,\"scale\":\"square root\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"yAxis\":{}},\"title\":\"Syslog - Events Histogram\",\"type\":\"line\"}","uiStateJSON":"{}","description":"","savedSearchId":"Syslog-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Syslog-SSH-Events-Histogram","_score":1,"_source":{"title":"Syslog - SSH Events Histogram","visState":"{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"customInterval\":\"2h\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"tags.keyword\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"Syslog - SSH Events Histogram\",\"type\":\"histogram\"}","uiStateJSON":"{}","description":"","savedSearchId":"Syslog-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Syslog-Countries-Top-10","_score":1,"_source":{"title":"Syslog - Countries - Top 10","visState":"{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"shareYAxis\":true},\"title\":\"Syslog - Countries - Top 10\",\"type\":\"pie\"}","uiStateJSON":"{}","description":"","savedSearchId":"Syslog-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Syslog-ASN-Top-10","_score":1,"_source":{"title":"Syslog - ASN - Top 10","visState":"{\"title\":\"Syslog - ASN - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.number.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"AS\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"ASN\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Syslog-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Syslog-Events-by-Country-Histogram","_score":1,"_source":{"title":"Syslog - Events by Country Histogram","visState":"{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"3\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"2\",\"params\":{\"customInterval\":\"2h\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"radiusRatio\":9,\"scale\":\"square root\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"yAxis\":{}},\"title\":\"Syslog - Events by Country Histogram\",\"type\":\"line\"}","uiStateJSON":"{}","description":"","savedSearchId":"Syslog-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Syslog-Source-IP-Top-10","_score":1,"_source":{"title":"Syslog - Source IP - Top 10","visState":"{\"title\":\"Syslog - Source IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Syslog-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"search","_id":"Glastopf-Logs","_score":1,"_source":{"title":"Glastopf-Logs","description":"","hits":0,"columns":["_source"],"sort":["@timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"type:\\\"Glastopf\\\"\",\"analyze_wildcard\":true}}}"}}} +{"_index":".kibana","_type":"search","_id":"ConPot-Logs","_score":1,"_source":{"title":"ConPot-Logs","description":"","hits":0,"columns":["_source"],"sort":["@timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"type:\\\"ConPot\\\"\",\"analyze_wildcard\":true}}}"}}} +{"_index":".kibana","_type":"search","_id":"Cowrie-Logs","_score":1,"_source":{"title":"Cowrie-Logs","description":"","hits":0,"columns":["_source"],"sort":["@timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"type:\\\"Cowrie\\\"\",\"analyze_wildcard\":true}}}"}}} +{"_index":".kibana","_type":"search","_id":"Dionaea-Logs","_score":1,"_source":{"title":"Dionaea-Logs","description":"","hits":0,"columns":["_source"],"sort":["@timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"type:\\\"Dionaea\\\"\",\"analyze_wildcard\":true}}}"}}} +{"_index":".kibana","_type":"search","_id":"ElasticPot-Logs","_score":1,"_source":{"title":"ElasticPot-Logs","description":"","hits":0,"columns":["_source"],"sort":["@timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"type:\\\"ElasticPot\\\"\",\"analyze_wildcard\":true}}}"}}} +{"_index":".kibana","_type":"search","_id":"Honeytrap-Logs","_score":1,"_source":{"title":"Honeytrap-Logs","description":"","hits":0,"columns":["_source"],"sort":["@timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"type:\\\"Honeytrap\\\"\",\"analyze_wildcard\":true}}}"}}} +{"_index":".kibana","_type":"search","_id":"P0f-Logs","_score":1,"_source":{"title":"P0f-Logs","description":"","hits":0,"columns":["_source"],"sort":["@timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"type:\\\"P0f\\\"\",\"analyze_wildcard\":true}}}"}}} +{"_index":".kibana","_type":"search","_id":"Suricata-Logs","_score":1,"_source":{"title":"Suricata-Logs","description":"","hits":0,"columns":["_source"],"sort":["@timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"type:\\\"Suricata\\\"\",\"analyze_wildcard\":true}}}"}}} +{"_index":".kibana","_type":"search","_id":"NGINX-Logs","_score":1,"_source":{"title":"NGINX-Logs","description":"","hits":0,"columns":["_source"],"sort":["@timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"type:\\\"NGINX\\\"\",\"analyze_wildcard\":true}}}"}}} +{"_index":".kibana","_type":"search","_id":"Syslog-Logs","_score":1,"_source":{"title":"Syslog-Logs","description":"","hits":0,"columns":["_source"],"sort":["@timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"type:\\\"Syslog\\\"\"}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"}}} +{"_index":".kibana","_type":"search","_id":"Honeypot-Logs","_score":1,"_source":{"title":"Honeypot-Logs","description":"","hits":0,"columns":["_source"],"sort":["@timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"type:\\\"ConPot\\\" OR type:\\\"Cowrie\\\" OR type:\\\"Dionaea\\\" OR type:\\\"ElasticPot\\\" OR type:\\\"eMobility\\\" OR type:\\\"Glastopf\\\" OR type:\\\"Honeytrap\\\"\",\"analyze_wildcard\":true}}}"}}} +{"_index":".kibana","_type":"search","_id":"eMobility-Logs","_score":1,"_source":{"title":"eMobility-Logs","description":"","hits":0,"columns":["_source"],"sort":["@timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query_string\":{\"query\":\"type:\\\"eMobility\\\"\",\"analyze_wildcard\":true}}}"}}} +{"_index":".kibana","_type":"visualization","_id":"NGINX-Events-Histogram","_score":1,"_source":{"title":"NGINX - Events Histogram","visState":"{\"title\":\"NGINX - Events Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Access Count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Source IPs\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"NGINX-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"config","_id":"5.2.2","_score":1,"_source":{"buildNum":14723,"defaultIndex":"logstash-*","format:number:defaultPattern":"0.[000]","discover:aggs:terms:size":20,"timelion:showTutorial":true,"dashboard:defaultDarkTheme":true}} +{"_index":".kibana","_type":"visualization","_id":"P0f-OS-Top-10","_score":1,"_source":{"title":"P0f - OS - Top 10","visState":"{\"title\":\"P0f - OS - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"os.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"P0f-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"NGINX-HTTP-Status-Code-Pie-Top-10","_score":1,"_source":{"title":"NGINX - HTTP Status Code Pie - Top 10","visState":"{\"title\":\"NGINX - HTTP Status Code Pie - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"status.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"NGINX-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"NGINX-Events-by-Country-Histogram","_score":1,"_source":{"title":"NGINX - Events by Country Histogram","visState":"{\"title\":\"NGINX - Events by Country Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"NGINX-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"NGINX-Top-Users-Histogram","_score":1,"_source":{"title":"NGINX - Top Users Histogram","visState":"{\"title\":\"NGINX - Top Users Histogram\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"remote_user.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"NGINX-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"NGINX-ASN-Top-10","_score":1,"_source":{"title":"NGINX - ASN - Top 10","visState":"{\"title\":\"NGINX - ASN - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.number.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"AS\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"ASN\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"NGINX-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"NGINX-HTTP-Method-Pie-Top-10","_score":1,"_source":{"title":"NGINX - HTTP Method Pie - Top 10","visState":"{\"title\":\"NGINX - HTTP Method Pie - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"request_method.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"NGINX-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"NGINX-Source-IP-Top-10","_score":1,"_source":{"title":"NGINX - Source IP - Top 10","visState":"{\"title\":\"NGINX - Source IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"NGINX-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"NGINX-Map","_score":1,"_source":{"title":"NGINX - Map","visState":"{\"title\":\"NGINX - Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"precision\":2}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"NGINX-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"NGINX-Countries-Top-10","_score":1,"_source":{"title":"NGINX - Countries - Top 10","visState":"{\"title\":\"NGINX - Countries - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"NGINX-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"NGINX-HTTP-User-Agent-Pie-Top-10","_score":1,"_source":{"title":"NGINX - HTTP User Agent Pie - Top 10","visState":"{\"title\":\"NGINX - HTTP User Agent Pie - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http_user_agent.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"NGINX-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeypot-Events","_score":1,"_source":{"title":"Honeypot Events","visState":"{\"title\":\"Honeypot Events\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"type.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeypot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeypot-Source-IP-Top-10","_score":1,"_source":{"title":"Honeypot Source IP - Top 10","visState":"{\"title\":\"Honeypot Source IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeypot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeypot-Events-by-Country-Histogram","_score":1,"_source":{"title":"Honeypot Events by Country Histogram","visState":"{\"title\":\"Honeypot Events by Country Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeypot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeypot-Map","_score":1,"_source":{"title":"Honeypot Map","visState":"{\"title\":\"Honeypot Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"precision\":2}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeypot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeypot-Destination-Ports-Histogram","_score":1,"_source":{"title":"Honeypot Destination Ports Histogram","visState":"{\"title\":\"Honeypot Destination Ports Histogram\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dest_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeypot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeypot-Countries-Top-10","_score":1,"_source":{"title":"Honeypot Countries - Top 10","visState":"{\"title\":\"Honeypot Countries - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeypot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeypot-by-Country-and-Port","_score":1,"_source":{"title":"Honeypot by Country and Port","visState":"{\"title\":\"Honeypot by Country and Port\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\",\"row\":false}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dest_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeypot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeypot-Events-Histogram","_score":1,"_source":{"title":"Honeypot Events Histogram","visState":"{\"title\":\"Honeypot Events Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"type.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeypot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeypot-ASN-Top-10","_score":1,"_source":{"title":"Honeypot ASN - Top 10","visState":"{\"title\":\"Honeypot ASN - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.number.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"AS\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"ASN\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeypot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeytrap-Events-Histogram","_score":1,"_source":{"title":"Honeytrap - Events Histogram","visState":"{\"title\":\"Honeytrap - Events Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Access Count\"}},{\"id\":\"2\",\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Source IPs\"}},{\"id\":\"3\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeytrap-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeytrap-Destination-Ports-Top-10","_score":1,"_source":{"title":"Honeytrap - Destination Ports - Top 10","visState":"{\"title\":\"Honeytrap - Destination Ports - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dest_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeytrap-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeytrap-Destination-Ports-Histogram","_score":1,"_source":{"title":"Honeytrap - Destination Ports Histogram","visState":"{\"title\":\"Honeytrap - Destination Ports Histogram\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dest_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeytrap-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeytrap-Countries-Top-10","_score":1,"_source":{"title":"Honeytrap - Countries - Top 10","visState":"{\"title\":\"Honeytrap - Countries - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeytrap-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeytrap-Source-IP-Top-10","_score":1,"_source":{"title":"Honeytrap - Source IP - Top 10","visState":"{\"title\":\"Honeytrap - Source IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeytrap-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeytrap-ASN-Top-10","_score":1,"_source":{"title":"Honeytrap - ASN - Top 10","visState":"{\"title\":\"Honeytrap - ASN - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.number.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"AS\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"ASN\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeytrap-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeytrap-Map","_score":1,"_source":{"title":"Honeytrap - Map","visState":"{\"title\":\"Honeytrap - Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"precision\":2}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeytrap-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Glastopf-Source-IP-Top-10","_score":1,"_source":{"title":"Glastopf - Source IP - Top 10","visState":"{\"title\":\"Glastopf - Source IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Glastopf-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Glastopf-Countries-Top-10","_score":1,"_source":{"title":"Glastopf - Countries - Top 10","visState":"{\"title\":\"Glastopf - Countries - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Glastopf-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Glastopf-Map","_score":1,"_source":{"title":"Glastopf - Map","visState":"{\"title\":\"Glastopf - Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"precision\":2}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Glastopf-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Glastopf-Events-Histogram","_score":1,"_source":{"title":"Glastopf - Events Histogram","visState":"{\"title\":\"Glastopf - Events Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Access Count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Source IPs\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Glastopf-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Glastop-Source-IP-Top-10","_score":1,"_source":{"title":"Glastopf - Source IP - Top 10","visState":"{\"title\":\"Glastopf - Source IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Glastopf-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeytrap-Events-by-Country-Histogram","_score":1,"_source":{"title":"Honeytrap - Events by Country Histogram","visState":"{\"title\":\"Honeytrap - Events by Country Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeytrap-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Glastopf-Events-by-Country-Histogram","_score":1,"_source":{"title":"Glastopf - Events by Country Histogram","visState":"{\"title\":\"Glastopf - Events by Country Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Glastopf-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Glastopf-ASN-Top-10","_score":1,"_source":{"title":"Glastopf - ASN - Top 10","visState":"{\"title\":\"Glastopf - ASN - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.number.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"AS\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"ASN\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Glastopf-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Dionaea-Events-by-Country-Histogram","_score":1,"_source":{"title":"Dionaea - Events by Country Histogram","visState":"{\"title\":\"Dionaea - Events by Country Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Dionaea-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Dionaea-Transport","_score":1,"_source":{"title":"Dionaea - Transport","visState":"{\"title\":\"Dionaea - Transport\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"connection.transport.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Dionaea-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Dionaea-Destination-Ports-Histogram","_score":1,"_source":{"title":"Dionaea - Destination Ports - Histogram","visState":"{\"title\":\"Dionaea - Destination Ports - Histogram\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dest_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Dionaea-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Dionaea-Map","_score":1,"_source":{"title":"Dionaea - Map","visState":"{\"title\":\"Dionaea - Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"precision\":2}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Dionaea-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"eMobility-Map","_score":1,"_source":{"title":"eMobility - Map","visState":"{\"title\":\"eMobility - Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"precision\":2}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"eMobility-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"eMobility-Countries-Top-10","_score":1,"_source":{"title":"eMobility - Countries - Top 10","visState":"{\"title\":\"eMobility - Countries - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"eMobility-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"eMobility-Events-by-Country-Histogram","_score":1,"_source":{"title":"eMobility - Events by Country Histogram","visState":"{\"title\":\"eMobility - Events by Country Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"eMobility-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"eMobility-Events-Histogram","_score":1,"_source":{"title":"eMobility - Events Histogram","visState":"{\"title\":\"eMobility - Events Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\"}}],\"listeners\":{}}","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","description":"","savedSearchId":"eMobility-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"eMobility-ASN-Top-10","_score":1,"_source":{"title":"eMobility - ASN - Top 10","visState":"{\"title\":\"eMobility - ASN - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.number.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"AS\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"ASN\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"eMobility-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ElasticPot-ASN-Top-10","_score":1,"_source":{"title":"ElasticPot - ASN - Top 10","visState":"{\"title\":\"ElasticPot - ASN - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.number.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"AS\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"ASN\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ElasticPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ElasticPot-Countries-Top-10","_score":1,"_source":{"title":"ElasticPot - Countries - Top 10","visState":"{\"title\":\"ElasticPot - Countries - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ElasticPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ElasticPot-Events-Histogram","_score":1,"_source":{"title":"ElasticPot - Events Histogram","visState":"{\"title\":\"ElasticPot - Events Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Access Count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Source IPs\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ElasticPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ElasticPot-Events-by-Country-Histogram","_score":1,"_source":{"title":"ElasticPot - Events by Country Histogram","visState":"{\"title\":\"ElasticPot - Events by Country Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ElasticPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ElasticPot-Source-IP-Top-10","_score":1,"_source":{"title":"ElasticPot - Source IP - Top 10","visState":"{\"title\":\"ElasticPot - Source IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ElasticPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Dionaea-Protocol","_score":1,"_source":{"title":"Dionaea - Protocol","visState":"{\"title\":\"Dionaea - Protocol\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"connection.protocol.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Dionaea-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Dionaea-Events-Histogram","_score":1,"_source":{"title":"Dionaea - Events Histogram","visState":"{\"title\":\"Dionaea - Events Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Access Count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Source IPs\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Dionaea-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Dionaea-Destination-Ports-Top-10","_score":1,"_source":{"title":"Dionaea - Destination Ports - Top 10","visState":"{\"title\":\"Dionaea - Destination Ports - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dest_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Dionaea-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Dionaea-Source-IP-Top-10","_score":1,"_source":{"title":"Dionaea - Source IP - Top 10","visState":"{\"title\":\"Dionaea - Source IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Dionaea-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Dionaea-Type","_score":1,"_source":{"title":"Dionaea - Type","visState":"{\"title\":\"Dionaea - Type\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"connection.type.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Dionaea-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Dionaea-ASN-Top-10","_score":1,"_source":{"title":"Dionaea - ASN - Top 10","visState":"{\"title\":\"Dionaea - ASN - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.number.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"AS\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"ASN\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Dionaea-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Dionaea-Countries-Top-10","_score":1,"_source":{"title":"Dionaea - Countries - Top 10","visState":"{\"title\":\"Dionaea - Countries - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Dionaea-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ElasticPot-Map","_score":1,"_source":{"title":"ElasticPot - Map","visState":"{\"title\":\"ElasticPot - Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"precision\":2}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ElasticPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"eMobility-Source-IP-Top-10","_score":1,"_source":{"title":"eMobility - Source IP - Top 10","visState":"{\"title\":\"eMobility - Source IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"eMobility-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ElasticPot-Query-Top-10","_score":1,"_source":{"title":"ElasticPot - Query - Top 10","visState":"{\"title\":\"ElasticPot - Query - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"honeypot.query.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ElasticPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Destination-Ports-Histogram-Incoming","_score":1,"_source":{"title":"Cowrie - Destination Ports Histogram Incoming","visState":"{\"title\":\"Cowrie - Destination Ports Histogram Incoming\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"dest_port:2222\",\"analyze_wildcard\":true}}},\"label\":\"SSH\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"dest_port:2223\",\"analyze_wildcard\":true}}},\"label\":\"Telnet\"}]}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Cipher-Suites-Top-10","_score":1,"_source":{"title":"Cowrie - Encryption Ciphers - Top 10","visState":"{\"title\":\"Cowrie - Encryption Ciphers - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"encCS.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-ASN-Top-10","_score":1,"_source":{"title":"Cowrie - ASN - Top 10","visState":"{\"title\":\"Cowrie - ASN - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.number.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"AS\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"ASN\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Passwords-Top-10","_score":1,"_source":{"title":"Cowrie - Passwords - Top 10","visState":"{\"title\":\"Cowrie - Passwords - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"password.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Destination-Ports-Histogram","_score":1,"_source":{"title":"Cowrie - Destination Ports Histogram","visState":"{\"title\":\"Cowrie - Destination Ports Histogram\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dest_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Source-IP-Top-10","_score":1,"_source":{"title":"Cowrie - Source IP - Top 10","visState":"{\"title\":\"Cowrie - Source IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Events-by-Country-Histogram","_score":1,"_source":{"title":"Cowrie - Events by Country Histogram","visState":"{\"title\":\"Cowrie - Events by Country Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Events-Histogram","_score":1,"_source":{"title":"Cowrie - Events Histogram","visState":"{\"title\":\"Cowrie - Events Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Access Count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"session.keyword\",\"customLabel\":\"Unique Source IPs\"}}],\"listeners\":{}}","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Input-Top-10","_score":1,"_source":{"title":"Cowrie - Input - Top 10","visState":"{\"title\":\"Cowrie - Input - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"input.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command Line Input\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Version-Table-Top-10","_score":1,"_source":{"title":"Cowrie - Version Table - Top 10","visState":"{\"title\":\"Cowrie - Version Table - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"SSH Version\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Map","_score":1,"_source":{"title":"Cowrie - Map","visState":"{\"title\":\"Cowrie - Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"precision\":2}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Countries-Top-10","_score":1,"_source":{"title":"Cowrie - Countries - Top 10","visState":"{\"title\":\"Cowrie - Countries - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Usernames-Top-10","_score":1,"_source":{"title":"Cowrie - Usernames - Top 10","visState":"{\"title\":\"Cowrie - Usernames - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"username.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Version-Pie-Top-10","_score":1,"_source":{"title":"Cowrie - Version Pie - Top 10","visState":"{\"title\":\"Cowrie - Version Pie - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"version.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ConPot-Response-Top-10","_score":1,"_source":{"title":"ConPot - Response - Top 10","visState":"{\"title\":\"ConPot - Response - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"response.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ConPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ConPot-Countries-Top-10","_score":1,"_source":{"title":"ConPot - Countries - Top 10","visState":"{\"title\":\"ConPot - Countries - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ConPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ConPot-Protocol","_score":1,"_source":{"title":"ConPot - Protocol","visState":"{\"title\":\"ConPot - Protocol\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"data_type.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ConPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ConPot-Map","_score":1,"_source":{"title":"ConPot - Map","visState":"{\"title\":\"ConPot - Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"precision\":2}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ConPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ConPot-Event-Type","_score":1,"_source":{"title":"ConPot - Event Type","visState":"{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"event_type.keyword\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"shareYAxis\":true},\"title\":\"ConPot - Event Type\",\"type\":\"pie\"}","uiStateJSON":"{}","description":"","savedSearchId":"ConPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ConPot-Events-by-Country-Histogram","_score":1,"_source":{"title":"ConPot - Events by Country Histogram","visState":"{\"title\":\"ConPot - Events by Country Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ConPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ConPot-Input-Top-10","_score":1,"_source":{"title":"ConPot - Input - Top 10","visState":"{\"title\":\"ConPot - Input - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"request.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Input\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ConPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"dashboard","_id":"Syslog","_score":1,"_source":{"title":"Syslog","hits":0,"description":"","panelsJSON":"[{\"col\":1,\"id\":\"Syslog-Events-Histogram\",\"panelIndex\":1,\"row\":1,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Syslog-SSH-Events-Histogram\",\"panelIndex\":2,\"row\":4,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Syslog-Countries-Top-10\",\"panelIndex\":3,\"row\":7,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Syslog-Events-by-Country-Histogram\",\"panelIndex\":4,\"row\":10,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"Syslog-Program-Top-10\",\"panelIndex\":6,\"row\":7,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"_source\"],\"id\":\"Syslog-Logs\",\"panelIndex\":7,\"row\":26,\"size_x\":12,\"size_y\":7,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"col\":1,\"id\":\"Syslog-Map\",\"panelIndex\":8,\"row\":13,\"size_x\":12,\"size_y\":7,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Syslog-ASN-Top-10\",\"panelIndex\":9,\"row\":20,\"size_x\":6,\"size_y\":6,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Syslog-Source-IP-Top-10\",\"panelIndex\":10,\"row\":20,\"size_x\":6,\"size_y\":6,\"type\":\"visualization\"},{\"col\":9,\"id\":\"Syslog-Username-Tagcloud\",\"panelIndex\":11,\"row\":7,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"}]","optionsJSON":"{\"darkTheme\":true}","uiStateJSON":"{}","version":1,"timeRestore":true,"timeTo":"now","timeFrom":"now-24h","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}]}"}}} +{"_index":".kibana","_type":"dashboard","_id":"Honeytrap","_score":1,"_source":{"title":"Honeytrap","hits":0,"description":"","panelsJSON":"[{\"id\":\"Honeytrap-Event-Counter\",\"type\":\"visualization\",\"panelIndex\":1,\"size_x\":3,\"size_y\":3,\"col\":1,\"row\":1},{\"id\":\"Honeytrap-Events-Histogram\",\"type\":\"visualization\",\"panelIndex\":2,\"size_x\":9,\"size_y\":3,\"col\":4,\"row\":1},{\"id\":\"Honeytrap-Heatmap\",\"type\":\"visualization\",\"panelIndex\":3,\"size_x\":12,\"size_y\":5,\"col\":1,\"row\":10},{\"id\":\"Honeytrap-Destination-Ports-Histogram\",\"type\":\"visualization\",\"panelIndex\":4,\"size_x\":9,\"size_y\":3,\"col\":4,\"row\":4},{\"id\":\"Honeytrap-Countries-Top-10\",\"type\":\"visualization\",\"panelIndex\":5,\"size_x\":3,\"size_y\":3,\"col\":1,\"row\":7},{\"id\":\"Honeytrap-Events-by-Country-Histogram\",\"type\":\"visualization\",\"panelIndex\":6,\"size_x\":9,\"size_y\":3,\"col\":4,\"row\":7},{\"id\":\"Honeytrap-Destination-Ports-Top-10\",\"type\":\"visualization\",\"panelIndex\":7,\"size_x\":3,\"size_y\":3,\"col\":1,\"row\":4},{\"id\":\"Honeytrap-Map\",\"type\":\"visualization\",\"panelIndex\":8,\"size_x\":12,\"size_y\":8,\"col\":1,\"row\":15},{\"id\":\"Honeytrap-Source-IP-Top-10\",\"type\":\"visualization\",\"panelIndex\":9,\"size_x\":6,\"size_y\":5,\"col\":1,\"row\":23},{\"id\":\"Honeytrap-ASN-Top-10\",\"type\":\"visualization\",\"panelIndex\":10,\"size_x\":6,\"size_y\":5,\"col\":7,\"row\":23},{\"id\":\"Honeytrap-Logs\",\"type\":\"search\",\"panelIndex\":11,\"size_x\":12,\"size_y\":7,\"col\":1,\"row\":28,\"columns\":[\"_source\"],\"sort\":[\"@timestamp\",\"desc\"]}]","optionsJSON":"{\"darkTheme\":true}","uiStateJSON":"{}","version":1,"timeRestore":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}]}"}}} +{"_index":".kibana","_type":"dashboard","_id":"ConPot","_score":1,"_source":{"title":"ConPot","hits":0,"description":"","panelsJSON":"[{\"id\":\"ConPot-Event-Counter\",\"type\":\"visualization\",\"panelIndex\":1,\"size_x\":3,\"size_y\":3,\"col\":1,\"row\":1},{\"id\":\"ConPot-Events-Histogram\",\"type\":\"visualization\",\"panelIndex\":2,\"size_x\":9,\"size_y\":3,\"col\":4,\"row\":1},{\"id\":\"ConPot-Countries-Top-10\",\"type\":\"visualization\",\"panelIndex\":3,\"size_x\":4,\"size_y\":3,\"col\":1,\"row\":4},{\"id\":\"ConPot-Event-Type\",\"type\":\"visualization\",\"panelIndex\":4,\"size_x\":4,\"size_y\":3,\"col\":5,\"row\":4},{\"id\":\"ConPot-Protocol\",\"type\":\"visualization\",\"panelIndex\":5,\"size_x\":4,\"size_y\":3,\"col\":9,\"row\":4},{\"id\":\"ConPot-Events-by-Country-Histogram\",\"type\":\"visualization\",\"panelIndex\":6,\"size_x\":12,\"size_y\":3,\"col\":1,\"row\":7},{\"id\":\"ConPot-Input-Top-10\",\"type\":\"visualization\",\"panelIndex\":7,\"size_x\":6,\"size_y\":5,\"col\":1,\"row\":10},{\"id\":\"ConPot-Response-Top-10\",\"type\":\"visualization\",\"panelIndex\":8,\"size_x\":6,\"size_y\":5,\"col\":7,\"row\":10},{\"id\":\"ConPot-Map\",\"type\":\"visualization\",\"panelIndex\":9,\"size_x\":12,\"size_y\":7,\"col\":1,\"row\":15},{\"id\":\"ConPot-Source-IP-Top-10\",\"type\":\"visualization\",\"panelIndex\":10,\"size_x\":6,\"size_y\":5,\"col\":1,\"row\":22},{\"id\":\"ConPot-ASN-Top-10\",\"type\":\"visualization\",\"panelIndex\":11,\"size_x\":6,\"size_y\":5,\"col\":7,\"row\":22},{\"id\":\"ConPot-Logs\",\"type\":\"search\",\"panelIndex\":12,\"size_x\":12,\"size_y\":7,\"col\":1,\"row\":27,\"columns\":[\"_source\"],\"sort\":[\"@timestamp\",\"desc\"]}]","optionsJSON":"{\"darkTheme\":true}","uiStateJSON":"{}","version":1,"timeRestore":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ConPot-ASN-Top-10","_score":1,"_source":{"title":"ConPot - ASN - Top 10","visState":"{\"title\":\"ConPot - ASN - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.number.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"ASN\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"AS\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ConPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ConPot-Events-Histogram","_score":1,"_source":{"title":"ConPot - Events Histogram","visState":"{\"title\":\"ConPot - Events Histogram\",\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"square root\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Access Count\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Source IPs\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ConPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"dashboard","_id":"NGINX","_score":1,"_source":{"title":"NGINX","hits":0,"description":"","panelsJSON":"[{\"col\":1,\"id\":\"NGINX-Event-Counter\",\"panelIndex\":1,\"row\":1,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"NGINX-Events-Histogram\",\"panelIndex\":2,\"row\":1,\"size_x\":9,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"NGINX-HTTP-Method-Pie-Top-10\",\"panelIndex\":3,\"row\":7,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"NGINX-HTTP-Status-Code-Pie-Top-10\",\"panelIndex\":4,\"row\":7,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"NGINX-HTTP-User-Agent-Pie-Top-10\",\"panelIndex\":5,\"row\":7,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":9,\"id\":\"NGINX-Username-Tagcloud\",\"panelIndex\":6,\"row\":4,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"NGINX-ASN-Top-10\",\"panelIndex\":7,\"row\":16,\"size_x\":6,\"size_y\":5,\"type\":\"visualization\"},{\"col\":7,\"id\":\"NGINX-Source-IP-Top-10\",\"panelIndex\":8,\"row\":16,\"size_x\":6,\"size_y\":5,\"type\":\"visualization\"},{\"col\":1,\"id\":\"NGINX-Map\",\"panelIndex\":9,\"row\":10,\"size_x\":12,\"size_y\":6,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"_source\"],\"id\":\"NGINX-Logs\",\"panelIndex\":10,\"row\":21,\"size_x\":12,\"size_y\":6,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"col\":5,\"id\":\"NGINX-Top-Users-Histogram\",\"panelIndex\":12,\"row\":4,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"NGINX-Events-by-Country-Histogram\",\"panelIndex\":13,\"row\":4,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"id\":\"NGINX-Countries-Top-10\",\"type\":\"visualization\",\"panelIndex\":14,\"size_x\":3,\"size_y\":3,\"col\":10,\"row\":7}]","optionsJSON":"{\"darkTheme\":true}","uiStateJSON":"{}","version":1,"timeRestore":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Ports-Pie","_score":1,"_source":{"title":"Cowrie - Ports Pie","visState":"{\"title\":\"Cowrie - Ports Pie\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"filters\",\"schema\":\"segment\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"dest_port:2222\",\"analyze_wildcard\":true}}},\"label\":\"SSH\"},{\"input\":{\"query\":{\"query_string\":{\"query\":\"dest_port:2223\",\"analyze_wildcard\":true}}},\"label\":\"Telnet\"}]}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Welcome-to-T-Pot","_score":1,"_source":{"title":"Welcome to T-Pot","visState":"{\"title\":\"Welcome to T-Pot\",\"type\":\"markdown\",\"params\":{\"markdown\":\"# Welcome to your shiny new T-Pot 17.06 Alpha installation!\\n\\nBefore you get started tell `Kibana` what installation type you have chosen for T-Pot.\\n\\nYou can now click the `Load Saved Dashboard` button in the **upper right corner** to load your desired dashboard.\\n\\nMake sure to click the `Save Dashboard` button and save your dashboard as `Default`.\\n\\nIf you do not want to see this reminder any longer, just click on the `(X)` in the **upper right corner** of this visualization and save the dashboard one more time.\"},\"aggs\":[],\"listeners\":{}}","uiStateJSON":"{}","description":"","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ConPot-Source-IP-Top-10","_score":1,"_source":{"title":"ConPot - Source IP - Top 10","visState":"{\"title\":\"ConPot - Source IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ConPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"dashboard","_id":">T-Pot-Industrial","_score":1,"_source":{"title":">T-Pot - Industrial","hits":0,"description":"","panelsJSON":"[{\"col\":7,\"id\":\"Honeytrap-Event-Counter\",\"panelIndex\":5,\"row\":4,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":10,\"id\":\"Suricata-Event-Counter\",\"panelIndex\":6,\"row\":4,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-Events-Histogram\",\"panelIndex\":7,\"row\":6,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"id\":\"Honeypot-Destination-Ports-Histogram\",\"type\":\"visualization\",\"panelIndex\":8,\"size_x\":12,\"size_y\":3,\"col\":1,\"row\":9},{\"id\":\"P0f-OS-Top-10\",\"type\":\"visualization\",\"panelIndex\":9,\"size_x\":4,\"size_y\":3,\"col\":1,\"row\":12},{\"id\":\"Honeypot-Events\",\"type\":\"visualization\",\"panelIndex\":10,\"size_x\":4,\"size_y\":3,\"col\":5,\"row\":12},{\"id\":\"Honeypot-Countries-Top-10\",\"type\":\"visualization\",\"panelIndex\":11,\"size_x\":4,\"size_y\":3,\"col\":9,\"row\":12},{\"id\":\"Honeypot-Events-by-Country-Histogram\",\"type\":\"visualization\",\"panelIndex\":16,\"size_x\":12,\"size_y\":3,\"col\":1,\"row\":15},{\"id\":\"Honeypot-Map\",\"type\":\"visualization\",\"panelIndex\":17,\"size_x\":12,\"size_y\":7,\"col\":1,\"row\":21},{\"id\":\"Honeypot-by-Country-and-Port\",\"type\":\"visualization\",\"panelIndex\":18,\"size_x\":12,\"size_y\":3,\"col\":1,\"row\":28},{\"id\":\"Honeypot-Source-IP-Top-10\",\"type\":\"visualization\",\"panelIndex\":19,\"size_x\":3,\"size_y\":5,\"col\":1,\"row\":31},{\"id\":\"Honeypot-ASN-Top-10\",\"type\":\"visualization\",\"panelIndex\":20,\"size_x\":4,\"size_y\":5,\"col\":4,\"row\":31},{\"id\":\"Suricata-Alert-Signature-Top-10\",\"type\":\"visualization\",\"panelIndex\":21,\"size_x\":5,\"size_y\":5,\"col\":8,\"row\":31},{\"id\":\"Honeypot-Logs\",\"type\":\"search\",\"panelIndex\":22,\"size_x\":12,\"size_y\":7,\"col\":1,\"row\":36,\"columns\":[\"_source\"],\"sort\":[\"@timestamp\",\"desc\"]},{\"id\":\"Suricata-Alert-Category-Histogram-Top-10\",\"type\":\"visualization\",\"panelIndex\":25,\"size_x\":12,\"size_y\":3,\"col\":1,\"row\":18},{\"id\":\"Welcome-to-T-Pot\",\"type\":\"visualization\",\"panelIndex\":26,\"size_x\":12,\"size_y\":3,\"col\":1,\"row\":1},{\"id\":\"ConPot-Event-Counter\",\"type\":\"visualization\",\"panelIndex\":27,\"size_x\":3,\"size_y\":2,\"col\":1,\"row\":4},{\"id\":\"eMobility-Event-Counter\",\"type\":\"visualization\",\"panelIndex\":28,\"size_x\":3,\"size_y\":2,\"col\":4,\"row\":4}]","optionsJSON":"{\"darkTheme\":true}","uiStateJSON":"{}","version":1,"timeRestore":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"}}} +{"_index":".kibana","_type":"dashboard","_id":">T-Pot-Everything","_score":1,"_source":{"title":">T-Pot - Everything","hits":0,"description":"","panelsJSON":"[{\"col\":4,\"id\":\"Cowrie-Event-Counter\",\"panelIndex\":1,\"row\":4,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Dionaea-Event-Counter\",\"panelIndex\":2,\"row\":4,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":10,\"id\":\"ElasticPot-Event-Counter\",\"panelIndex\":3,\"row\":4,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Glastopf-Event-Counter\",\"panelIndex\":4,\"row\":6,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Honeytrap-Event-Counter\",\"panelIndex\":5,\"row\":6,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":10,\"id\":\"Suricata-Event-Counter\",\"panelIndex\":6,\"row\":6,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-Events-Histogram\",\"panelIndex\":7,\"row\":8,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-Destination-Ports-Histogram\",\"panelIndex\":8,\"row\":11,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"P0f-OS-Top-10\",\"panelIndex\":9,\"row\":14,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"Honeypot-Events\",\"panelIndex\":10,\"row\":14,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":9,\"id\":\"Honeypot-Countries-Top-10\",\"panelIndex\":11,\"row\":14,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Cowrie-Username-Tagcloud\",\"panelIndex\":12,\"row\":17,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Cowrie-Password-Tagcloud\",\"panelIndex\":13,\"row\":17,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Dionaea-Username-Tagcloud\",\"panelIndex\":14,\"row\":17,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":10,\"id\":\"Dionaea-Password-Tagcloud\",\"panelIndex\":15,\"row\":17,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-Events-by-Country-Histogram\",\"panelIndex\":16,\"row\":20,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-Map\",\"panelIndex\":17,\"row\":26,\"size_x\":12,\"size_y\":7,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-by-Country-and-Port\",\"panelIndex\":18,\"row\":33,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-Source-IP-Top-10\",\"panelIndex\":19,\"row\":36,\"size_x\":3,\"size_y\":5,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Honeypot-ASN-Top-10\",\"panelIndex\":20,\"row\":36,\"size_x\":4,\"size_y\":5,\"type\":\"visualization\"},{\"col\":8,\"id\":\"Suricata-Alert-Signature-Top-10\",\"panelIndex\":21,\"row\":36,\"size_x\":5,\"size_y\":5,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"_source\"],\"id\":\"Honeypot-Logs\",\"panelIndex\":22,\"row\":41,\"size_x\":12,\"size_y\":7,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"col\":1,\"id\":\"ConPot-Event-Counter\",\"panelIndex\":23,\"row\":4,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Suricata-Alert-Category-Histogram-Top-10\",\"panelIndex\":25,\"row\":23,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Welcome-to-T-Pot\",\"panelIndex\":26,\"row\":1,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"id\":\"eMobility-Event-Counter\",\"type\":\"visualization\",\"panelIndex\":27,\"size_x\":3,\"size_y\":2,\"col\":1,\"row\":6}]","optionsJSON":"{\"darkTheme\":true}","uiStateJSON":"{\"P-23\":{\"spy\":{\"mode\":{\"fill\":false,\"name\":null}}}}","version":1,"timeRestore":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"}}} +{"_index":".kibana","_type":"dashboard","_id":"Cowrie","_score":1,"_source":{"title":"Cowrie","hits":0,"description":"","panelsJSON":"[{\"col\":1,\"id\":\"Cowrie-Event-Counter\",\"panelIndex\":1,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"Cowrie-Events-Histogram\",\"panelIndex\":22,\"row\":1,\"size_x\":8,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Cowrie-Cipher-Suites-Top-10\",\"panelIndex\":24,\"row\":4,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"Cowrie-Countries-Top-10\",\"panelIndex\":28,\"row\":4,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Cowrie-Events-by-Country-Histogram\",\"panelIndex\":29,\"row\":14,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":9,\"id\":\"Cowrie-Version-Pie-Top-10\",\"panelIndex\":31,\"row\":4,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":3,\"id\":\"Cowrie-Unique-Session-Counter\",\"panelIndex\":33,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Cowrie-Username-Tagcloud-Large\",\"panelIndex\":34,\"row\":7,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Cowrie-Password-Tagcloud-Large\",\"panelIndex\":35,\"row\":7,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Cowrie-Map\",\"panelIndex\":36,\"row\":20,\"size_x\":12,\"size_y\":7,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Cowrie-Input-Top-10\",\"panelIndex\":37,\"row\":27,\"size_x\":4,\"size_y\":5,\"type\":\"visualization\"},{\"col\":5,\"id\":\"Cowrie-Source-IP-Top-10\",\"panelIndex\":38,\"row\":27,\"size_x\":4,\"size_y\":5,\"type\":\"visualization\"},{\"col\":9,\"id\":\"Cowrie-ASN-Top-10\",\"panelIndex\":39,\"row\":27,\"size_x\":4,\"size_y\":5,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"_source\"],\"id\":\"Cowrie-Logs\",\"panelIndex\":40,\"row\":32,\"size_x\":12,\"size_y\":7,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"col\":1,\"id\":\"Cowrie-Destination-Ports-Histogram\",\"panelIndex\":41,\"row\":17,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Cowrie-Destination-Ports-Histogram-Incoming\",\"panelIndex\":42,\"row\":11,\"size_x\":9,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Cowrie-Ports-Pie\",\"panelIndex\":43,\"row\":11,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"}]","optionsJSON":"{\"darkTheme\":true}","uiStateJSON":"{}","version":1,"timeRestore":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"}}} +{"_index":".kibana","_type":"dashboard","_id":"Suricata","_score":1,"_source":{"title":"Suricata","hits":0,"description":"","panelsJSON":"[{\"col\":1,\"id\":\"Suricata-Event-Counter\",\"panelIndex\":1,\"row\":1,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Suricata-Events-Histogram\",\"panelIndex\":2,\"row\":1,\"size_x\":9,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Suricata-Destination-Ports-Histogram\",\"panelIndex\":3,\"row\":4,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Suricata-Alert-Category-Histogram-Top-10\",\"panelIndex\":4,\"row\":7,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Suricata-Countries-Top-10\",\"panelIndex\":9,\"row\":13,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Suricata-Fileinfo-Magic-Top-10\",\"panelIndex\":12,\"row\":13,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Suricata-HTTP-Content-Type-Top-10\",\"panelIndex\":14,\"row\":10,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Suricata-HTTP-Hostname-Pie-Top-10\",\"panelIndex\":15,\"row\":10,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Suricata-HTTP-Method-Pie-Top-10\",\"panelIndex\":16,\"row\":10,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":10,\"id\":\"Suricata-HTTP-User-Agent-Pie-Top-10\",\"panelIndex\":18,\"row\":10,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":10,\"id\":\"Suricata-SSH-Client-Software-Version-Pie-Top-10\",\"panelIndex\":19,\"row\":13,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Suricata-TLS-Version\",\"panelIndex\":20,\"row\":13,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Suricata-Events-by-Country-Histogram\",\"panelIndex\":22,\"row\":16,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Suricata-Map\",\"panelIndex\":23,\"row\":19,\"size_x\":12,\"size_y\":7,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Suricata-Source-IP-Top-10\",\"panelIndex\":24,\"row\":26,\"size_x\":4,\"size_y\":6,\"type\":\"visualization\"},{\"col\":5,\"id\":\"Suricata-ASN-Top-10\",\"panelIndex\":25,\"row\":26,\"size_x\":4,\"size_y\":6,\"type\":\"visualization\"},{\"col\":9,\"id\":\"Suricata-Alert-Signature-Top-10\",\"panelIndex\":26,\"row\":26,\"size_x\":4,\"size_y\":6,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"_source\"],\"id\":\"Suricata-Logs\",\"panelIndex\":27,\"row\":32,\"size_x\":12,\"size_y\":6,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"}]","optionsJSON":"{\"darkTheme\":true}","uiStateJSON":"{}","version":1,"timeRestore":true,"timeTo":"now","timeFrom":"now-24h","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"}}} +{"_index":".kibana","_type":"dashboard","_id":"Glastopf","_score":1,"_source":{"title":"Glastopf","hits":0,"description":"","panelsJSON":"[{\"col\":1,\"id\":\"Glastopf-Event-Counter\",\"panelIndex\":1,\"row\":1,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"Glastopf-Events-Histogram\",\"panelIndex\":2,\"row\":1,\"size_x\":8,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Glastopf-Countries-Top-10\",\"panelIndex\":3,\"row\":4,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Glastopf-Map\",\"panelIndex\":5,\"row\":7,\"size_x\":12,\"size_y\":7,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Glastop-Source-IP-Top-10\",\"panelIndex\":6,\"row\":14,\"size_x\":6,\"size_y\":5,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Glastopf-ASN-Top-10\",\"panelIndex\":7,\"row\":14,\"size_x\":6,\"size_y\":5,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"_source\"],\"id\":\"Glastopf-Logs\",\"panelIndex\":8,\"row\":19,\"size_x\":12,\"size_y\":7,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"id\":\"Glastopf-Events-by-Country-Histogram\",\"type\":\"visualization\",\"panelIndex\":9,\"size_x\":8,\"size_y\":3,\"col\":5,\"row\":4}]","optionsJSON":"{\"darkTheme\":true}","uiStateJSON":"{}","version":1,"timeRestore":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"}}} +{"_index":".kibana","_type":"dashboard","_id":"eMobility","_score":1,"_source":{"title":"eMobility","hits":0,"description":"","panelsJSON":"[{\"col\":1,\"id\":\"eMobility-Event-Counter\",\"panelIndex\":1,\"row\":1,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"eMobility-Events-Histogram\",\"panelIndex\":2,\"row\":1,\"size_x\":8,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"eMobility-Countries-Top-10\",\"panelIndex\":3,\"row\":4,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"eMobility-Events-by-Country-Histogram\",\"panelIndex\":4,\"row\":4,\"size_x\":8,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"eMobility-Map\",\"panelIndex\":5,\"row\":7,\"size_x\":12,\"size_y\":7,\"type\":\"visualization\"},{\"col\":1,\"id\":\"eMobility-Source-IP-Top-10\",\"panelIndex\":6,\"row\":14,\"size_x\":6,\"size_y\":6,\"type\":\"visualization\"},{\"col\":7,\"id\":\"eMobility-ASN-Top-10\",\"panelIndex\":7,\"row\":14,\"size_x\":6,\"size_y\":6,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"_source\"],\"id\":\"eMobility-Logs\",\"panelIndex\":8,\"row\":20,\"size_x\":12,\"size_y\":7,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"}]","optionsJSON":"{\"darkTheme\":true}","uiStateJSON":"{}","version":1,"timeRestore":true,"timeTo":"now","timeFrom":"now-24h","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"}}} +{"_index":".kibana","_type":"dashboard","_id":"ElasticPot","_score":1,"_source":{"title":"ElasticPot","hits":0,"description":"","panelsJSON":"[{\"col\":1,\"id\":\"ElasticPot-Event-Counter\",\"panelIndex\":1,\"row\":1,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"ElasticPot-Events-Histogram\",\"panelIndex\":2,\"row\":1,\"size_x\":8,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"ElasticPot-Countries-Top-10\",\"panelIndex\":3,\"row\":4,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"ElasticPot-Events-by-Country-Histogram\",\"panelIndex\":4,\"row\":4,\"size_x\":8,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"ElasticPot-Map\",\"panelIndex\":5,\"row\":12,\"size_x\":12,\"size_y\":7,\"type\":\"visualization\"},{\"col\":1,\"id\":\"ElasticPot-Source-IP-Top-10\",\"panelIndex\":6,\"row\":19,\"size_x\":6,\"size_y\":6,\"type\":\"visualization\"},{\"col\":7,\"id\":\"ElasticPot-ASN-Top-10\",\"panelIndex\":7,\"row\":19,\"size_x\":6,\"size_y\":6,\"type\":\"visualization\"},{\"id\":\"ElasticPot-Logs\",\"type\":\"search\",\"panelIndex\":8,\"size_x\":12,\"size_y\":7,\"col\":1,\"row\":25,\"columns\":[\"_source\"],\"sort\":[\"@timestamp\",\"desc\"]},{\"id\":\"ElasticPot-Query-Top-10\",\"type\":\"visualization\",\"panelIndex\":9,\"size_x\":12,\"size_y\":5,\"col\":1,\"row\":7}]","optionsJSON":"{\"darkTheme\":true}","uiStateJSON":"{}","version":1,"timeRestore":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"}}} +{"_index":".kibana","_type":"dashboard","_id":"Dionaea","_score":1,"_source":{"title":"Dionaea","hits":0,"description":"","panelsJSON":"[{\"col\":1,\"id\":\"Dionaea-Event-Counter\",\"panelIndex\":1,\"row\":1,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Dionaea-Events-Histogram\",\"panelIndex\":2,\"row\":1,\"size_x\":9,\"size_y\":3,\"type\":\"visualization\"},{\"id\":\"Dionaea-Destination-Ports-Top-10\",\"type\":\"visualization\",\"panelIndex\":3,\"size_x\":3,\"size_y\":3,\"col\":1,\"row\":11},{\"id\":\"Dionaea-Protocol\",\"type\":\"visualization\",\"panelIndex\":4,\"size_x\":4,\"size_y\":3,\"col\":1,\"row\":4},{\"id\":\"Dionaea-Transport\",\"type\":\"visualization\",\"panelIndex\":5,\"size_x\":4,\"size_y\":3,\"col\":5,\"row\":4},{\"id\":\"Dionaea-Type\",\"type\":\"visualization\",\"panelIndex\":6,\"size_x\":4,\"size_y\":3,\"col\":9,\"row\":4},{\"id\":\"Dionaea-Username-Tagcloud-Large\",\"type\":\"visualization\",\"panelIndex\":7,\"size_x\":6,\"size_y\":4,\"col\":1,\"row\":7},{\"id\":\"Dionaea-Password-Tagcloud-Large\",\"type\":\"visualization\",\"panelIndex\":8,\"size_x\":6,\"size_y\":4,\"col\":7,\"row\":7},{\"id\":\"Dionaea-Destination-Ports-Histogram\",\"type\":\"visualization\",\"panelIndex\":9,\"size_x\":9,\"size_y\":3,\"col\":4,\"row\":11},{\"id\":\"Dionaea-Events-by-Country-Histogram\",\"type\":\"visualization\",\"panelIndex\":10,\"size_x\":12,\"size_y\":3,\"col\":1,\"row\":14},{\"id\":\"Dionaea-Map\",\"type\":\"visualization\",\"panelIndex\":11,\"size_x\":12,\"size_y\":7,\"col\":1,\"row\":17},{\"id\":\"Dionaea-ASN-Top-10\",\"type\":\"visualization\",\"panelIndex\":12,\"size_x\":6,\"size_y\":5,\"col\":7,\"row\":24},{\"id\":\"Dionaea-Source-IP-Top-10\",\"type\":\"visualization\",\"panelIndex\":13,\"size_x\":6,\"size_y\":5,\"col\":1,\"row\":24},{\"id\":\"Dionaea-Logs\",\"type\":\"search\",\"panelIndex\":14,\"size_x\":12,\"size_y\":7,\"col\":1,\"row\":29,\"columns\":[\"_source\"],\"sort\":[\"@timestamp\",\"desc\"]}]","optionsJSON":"{\"darkTheme\":true}","uiStateJSON":"{}","version":1,"timeRestore":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Dionaea-Password-Tagcloud-Large","_score":1,"_source":{"title":"Dionaea - Password Tagcloud - Large","visState":"{\"title\":\"Dionaea - Password Tagcloud - Large\",\"type\":\"tagcloud\",\"params\":{\"textScale\":\"sqrt\",\"orientations\":1,\"fromDegree\":0,\"toDegree\":0,\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"timeInterval\":500,\"spiral\":\"rectangular\",\"minFontSize\":18,\"maxFontSize\":72,\"scale\":\"square root\",\"orientation\":\"right angled\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"login.password.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Dionaea-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Dionaea-Username-Tagcloud-Large","_score":1,"_source":{"title":"Dionaea - Username Tagcloud - Large","visState":"{\"title\":\"Dionaea - Username Tagcloud - Large\",\"type\":\"tagcloud\",\"params\":{\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"fromDegree\":0,\"maxFontSize\":72,\"minFontSize\":18,\"orientations\":1,\"spiral\":\"rectangular\",\"textScale\":\"sqrt\",\"timeInterval\":500,\"toDegree\":0,\"scale\":\"square root\",\"orientation\":\"right angled\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"login.username.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Dionaea-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Syslog-Username-Tagcloud","_score":1,"_source":{"title":"Syslog - Username Tagcloud","visState":"{\"title\":\"Syslog - Username Tagcloud\",\"type\":\"tagcloud\",\"params\":{\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"fromDegree\":0,\"maxFontSize\":72,\"minFontSize\":18,\"orientations\":1,\"spiral\":\"archimedean\",\"textScale\":\"linear\",\"timeInterval\":500,\"toDegree\":0,\"scale\":\"square root\",\"orientation\":\"right angled\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"username.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Syslog-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"NGINX-Username-Tagcloud","_score":1,"_source":{"title":"NGINX - Username Tagcloud","visState":"{\"title\":\"NGINX - Username Tagcloud\",\"type\":\"tagcloud\",\"params\":{\"textScale\":\"linear\",\"orientations\":1,\"fromDegree\":0,\"toDegree\":0,\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"timeInterval\":500,\"spiral\":\"rectangular\",\"minFontSize\":18,\"maxFontSize\":72,\"scale\":\"square root\",\"orientation\":\"right angled\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"remote_user.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"NGINX-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ElasticPot-Event-Counter","_score":1,"_source":{"title":"ElasticPot - Event Counter","visState":"{\"title\":\"ElasticPot - Event Counter\",\"type\":\"metric\",\"params\":{\"fontSize\":\"36\",\"handleNoResults\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"_\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ElasticPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Honeytrap-Event-Counter","_score":1,"_source":{"title":"Honeytrap - Event Counter","visState":"{\"title\":\"Honeytrap - Event Counter\",\"type\":\"metric\",\"params\":{\"handleNoResults\":true,\"fontSize\":\"36\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"_\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Honeytrap-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Glastopf-Event-Counter","_score":1,"_source":{"title":"Glastopf - Event Counter","visState":"{\"title\":\"Glastopf - Event Counter\",\"type\":\"metric\",\"params\":{\"fontSize\":\"36\",\"handleNoResults\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"_\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Glastopf-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Dionaea-Event-Counter","_score":1,"_source":{"title":"Dionaea - Event Counter","visState":"{\"title\":\"Dionaea - Event Counter\",\"type\":\"metric\",\"params\":{\"handleNoResults\":true,\"fontSize\":\"36\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"_\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Dionaea-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Event-Counter","_score":1,"_source":{"title":"Cowrie - Event Counter","visState":"{\"title\":\"Cowrie - Event Counter\",\"type\":\"metric\",\"params\":{\"fontSize\":\"36\",\"handleNoResults\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"_\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Username-Tagcloud-Large","_score":1,"_source":{"title":"Cowrie - Username Tagcloud - Large","visState":"{\"title\":\"Cowrie - Username Tagcloud - Large\",\"type\":\"tagcloud\",\"params\":{\"textScale\":\"sqrt\",\"orientations\":1,\"fromDegree\":\"0\",\"toDegree\":\"0\",\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"timeInterval\":\"500\",\"spiral\":\"rectangular\",\"minFontSize\":16,\"maxFontSize\":64,\"scale\":\"square root\",\"orientation\":\"right angled\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"username.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Password-Tagcloud-Large","_score":1,"_source":{"title":"Cowrie - Password Tagcloud - Large","visState":"{\"title\":\"Cowrie - Password Tagcloud - Large\",\"type\":\"tagcloud\",\"params\":{\"textScale\":\"sqrt\",\"orientations\":1,\"fromDegree\":0,\"toDegree\":0,\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"timeInterval\":500,\"spiral\":\"rectangular\",\"minFontSize\":16,\"maxFontSize\":64,\"scale\":\"square root\",\"orientation\":\"right angled\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"password.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Unique-Session-Counter","_score":1,"_source":{"title":"Cowrie - Unique Session Counter","visState":"{\"title\":\"Cowrie - Unique Session Counter\",\"type\":\"metric\",\"params\":{\"fontSize\":\"36\",\"handleNoResults\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"session.keyword\",\"customLabel\":\"_\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"eMobility-Event-Counter","_score":1,"_source":{"title":"eMobility - Event Counter","visState":"{\"title\":\"eMobility - Event Counter\",\"type\":\"metric\",\"params\":{\"fontSize\":\"36\",\"handleNoResults\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"_\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"eMobility-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Suricata-Event-Counter","_score":1,"_source":{"title":"Suricata - Event Counter","visState":"{\"title\":\"Suricata - Event Counter\",\"type\":\"metric\",\"params\":{\"fontSize\":\"36\",\"handleNoResults\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"_\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Suricata-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"ConPot-Event-Counter","_score":1,"_source":{"title":"ConPot - Event Counter","visState":"{\"title\":\"ConPot - Event Counter\",\"type\":\"metric\",\"params\":{\"handleNoResults\":true,\"fontSize\":\"36\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"_\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"ConPot-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Syslog-Event-Counter","_score":1,"_source":{"title":"Syslog - Event Counter","visState":"{\"title\":\"Syslog - Event Counter\",\"type\":\"metric\",\"params\":{\"fontSize\":\"36\",\"handleNoResults\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"_\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Syslog-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"NGINX-Event-Counter","_score":1,"_source":{"title":"NGINX - Event Counter","visState":"{\"title\":\"NGINX - Event Counter\",\"type\":\"metric\",\"params\":{\"handleNoResults\":true,\"fontSize\":\"36\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"_\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"NGINX-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Username-Tagcloud","_score":1,"_source":{"title":"Cowrie - Username Tagcloud","visState":"{\"title\":\"Cowrie - Username Tagcloud\",\"type\":\"tagcloud\",\"params\":{\"textScale\":\"linear\",\"orientations\":1,\"fromDegree\":\"0\",\"toDegree\":\"0\",\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"timeInterval\":\"500\",\"spiral\":\"rectangular\",\"minFontSize\":16,\"maxFontSize\":64,\"scale\":\"linear\",\"orientation\":\"single\",\"hideLabel\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"username.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Cowrie-Password-Tagcloud","_score":1,"_source":{"title":"Cowrie - Password Tagcloud","visState":"{\"title\":\"Cowrie - Password Tagcloud\",\"type\":\"tagcloud\",\"params\":{\"textScale\":\"linear\",\"orientations\":1,\"fromDegree\":\"0\",\"toDegree\":\"0\",\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"timeInterval\":\"500\",\"spiral\":\"rectangular\",\"minFontSize\":16,\"maxFontSize\":64,\"scale\":\"linear\",\"orientation\":\"single\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"password.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Cowrie-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Dionaea-Username-Tagcloud","_score":1,"_source":{"title":"Dionaea - Username Tagcloud","visState":"{\"title\":\"Dionaea - Username Tagcloud\",\"type\":\"tagcloud\",\"params\":{\"textScale\":\"linear\",\"orientations\":1,\"fromDegree\":0,\"toDegree\":0,\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"timeInterval\":500,\"spiral\":\"rectangular\",\"minFontSize\":16,\"maxFontSize\":64,\"scale\":\"linear\",\"orientation\":\"single\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"login.username.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Dionaea-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"visualization","_id":"Dionaea-Password-Tagcloud","_score":1,"_source":{"title":"Dionaea - Password Tagcloud","visState":"{\"title\":\"Dionaea - Password Tagcloud\",\"type\":\"tagcloud\",\"params\":{\"textScale\":\"linear\",\"orientations\":1,\"fromDegree\":0,\"toDegree\":0,\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"timeInterval\":500,\"spiral\":\"rectangular\",\"minFontSize\":16,\"maxFontSize\":64,\"scale\":\"linear\",\"orientation\":\"single\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"login.password.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","uiStateJSON":"{}","description":"","savedSearchId":"Dionaea-Logs","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}}} +{"_index":".kibana","_type":"dashboard","_id":"Default","_score":1,"_source":{"title":">T-Pot - Standard","hits":0,"description":"","panelsJSON":"[{\"col\":1,\"id\":\"Cowrie-Event-Counter\",\"panelIndex\":1,\"row\":4,\"size_x\":2,\"size_y\":1,\"type\":\"visualization\"},{\"col\":3,\"id\":\"Dionaea-Event-Counter\",\"panelIndex\":2,\"row\":4,\"size_x\":2,\"size_y\":1,\"type\":\"visualization\"},{\"col\":5,\"id\":\"ElasticPot-Event-Counter\",\"panelIndex\":3,\"row\":4,\"size_x\":2,\"size_y\":1,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Glastopf-Event-Counter\",\"panelIndex\":4,\"row\":4,\"size_x\":2,\"size_y\":1,\"type\":\"visualization\"},{\"col\":9,\"id\":\"Honeytrap-Event-Counter\",\"panelIndex\":5,\"row\":4,\"size_x\":2,\"size_y\":1,\"type\":\"visualization\"},{\"col\":11,\"id\":\"Suricata-Event-Counter\",\"panelIndex\":6,\"row\":4,\"size_x\":2,\"size_y\":1,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-Events-Histogram\",\"panelIndex\":7,\"row\":5,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-Destination-Ports-Histogram\",\"panelIndex\":8,\"row\":8,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"P0f-OS-Top-10\",\"panelIndex\":9,\"row\":11,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"Honeypot-Events\",\"panelIndex\":10,\"row\":11,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":9,\"id\":\"Honeypot-Countries-Top-10\",\"panelIndex\":11,\"row\":11,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Cowrie-Username-Tagcloud\",\"panelIndex\":12,\"row\":14,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Cowrie-Password-Tagcloud\",\"panelIndex\":13,\"row\":14,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Dionaea-Username-Tagcloud\",\"panelIndex\":14,\"row\":14,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":10,\"id\":\"Dionaea-Password-Tagcloud\",\"panelIndex\":15,\"row\":14,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-Events-by-Country-Histogram\",\"panelIndex\":16,\"row\":17,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-Map\",\"panelIndex\":17,\"row\":23,\"size_x\":12,\"size_y\":7,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-by-Country-and-Port\",\"panelIndex\":18,\"row\":30,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-Source-IP-Top-10\",\"panelIndex\":19,\"row\":33,\"size_x\":3,\"size_y\":5,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Honeypot-ASN-Top-10\",\"panelIndex\":20,\"row\":33,\"size_x\":4,\"size_y\":5,\"type\":\"visualization\"},{\"col\":8,\"id\":\"Suricata-Alert-Signature-Top-10\",\"panelIndex\":21,\"row\":33,\"size_x\":5,\"size_y\":5,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"_source\"],\"id\":\"Honeypot-Logs\",\"panelIndex\":22,\"row\":38,\"size_x\":12,\"size_y\":7,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"col\":1,\"id\":\"Suricata-Alert-Category-Histogram-Top-10\",\"panelIndex\":23,\"row\":20,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Welcome-to-T-Pot\",\"panelIndex\":24,\"row\":1,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"}]","optionsJSON":"{\"darkTheme\":true}","uiStateJSON":"{\"P-19\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-20\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-21\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}","version":1,"timeRestore":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"}}} +{"_index":".kibana","_type":"dashboard","_id":"8597f3e0-0b65-11e7-bac3-31d280639e29","_score":1,"_source":{"title":"Default","hits":0,"description":"","panelsJSON":"[{\"col\":1,\"id\":\"Cowrie-Event-Counter\",\"panelIndex\":1,\"row\":4,\"size_x\":2,\"size_y\":1,\"type\":\"visualization\"},{\"col\":3,\"id\":\"Dionaea-Event-Counter\",\"panelIndex\":2,\"row\":4,\"size_x\":2,\"size_y\":1,\"type\":\"visualization\"},{\"col\":5,\"id\":\"ElasticPot-Event-Counter\",\"panelIndex\":3,\"row\":4,\"size_x\":2,\"size_y\":1,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Glastopf-Event-Counter\",\"panelIndex\":4,\"row\":4,\"size_x\":2,\"size_y\":1,\"type\":\"visualization\"},{\"col\":9,\"id\":\"Honeytrap-Event-Counter\",\"panelIndex\":5,\"row\":4,\"size_x\":2,\"size_y\":1,\"type\":\"visualization\"},{\"col\":11,\"id\":\"Suricata-Event-Counter\",\"panelIndex\":6,\"row\":4,\"size_x\":2,\"size_y\":1,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-Events-Histogram\",\"panelIndex\":7,\"row\":5,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-Destination-Ports-Histogram\",\"panelIndex\":8,\"row\":8,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"P0f-OS-Top-10\",\"panelIndex\":9,\"row\":11,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"Honeypot-Events\",\"panelIndex\":10,\"row\":11,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":9,\"id\":\"Honeypot-Countries-Top-10\",\"panelIndex\":11,\"row\":11,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Cowrie-Username-Tagcloud\",\"panelIndex\":12,\"row\":14,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Cowrie-Password-Tagcloud\",\"panelIndex\":13,\"row\":14,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Dionaea-Username-Tagcloud\",\"panelIndex\":14,\"row\":14,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":10,\"id\":\"Dionaea-Password-Tagcloud\",\"panelIndex\":15,\"row\":14,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-Events-by-Country-Histogram\",\"panelIndex\":16,\"row\":17,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-Map\",\"panelIndex\":17,\"row\":23,\"size_x\":12,\"size_y\":7,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-by-Country-and-Port\",\"panelIndex\":18,\"row\":30,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Honeypot-Source-IP-Top-10\",\"panelIndex\":19,\"row\":33,\"size_x\":3,\"size_y\":5,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Honeypot-ASN-Top-10\",\"panelIndex\":20,\"row\":33,\"size_x\":4,\"size_y\":5,\"type\":\"visualization\"},{\"col\":8,\"id\":\"Suricata-Alert-Signature-Top-10\",\"panelIndex\":21,\"row\":33,\"size_x\":5,\"size_y\":5,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"_source\"],\"id\":\"Honeypot-Logs\",\"panelIndex\":22,\"row\":38,\"size_x\":12,\"size_y\":7,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"col\":1,\"id\":\"Suricata-Alert-Category-Histogram-Top-10\",\"panelIndex\":23,\"row\":20,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Welcome-to-T-Pot\",\"panelIndex\":24,\"row\":1,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"}]","optionsJSON":"{\"darkTheme\":true}","uiStateJSON":"{\"P-19\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-20\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-21\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}","version":1,"timeRestore":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"}}} diff --git a/docker/elk/kibana/dashboard/kibana-patterns.json b/docker/elk/kibana/dashboard/kibana-patterns.json new file mode 100644 index 00000000..96af768e --- /dev/null +++ b/docker/elk/kibana/dashboard/kibana-patterns.json @@ -0,0 +1 @@ +{"title":"logstash-*","timeFieldName":"@timestamp","fields":"[{\"name\":\"geoip.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proxy_connection.payload.data_hex.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.area_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"attack_connection.payload.sha512_hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.coordinates\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":false,\"aggregatable\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proxy_connection.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proxy_connection.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.full.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dest_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"proxy_connection.local_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"attack_connection.payload.md5_hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proxy_connection.payload.data_hex\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"attack_connection.payload.md5_hash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"start_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"proxy_connection.local_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"proxy_connection.payload.length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"proxy_connection.payload.sha512_hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proxy_connection.local_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"dest_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"attack_connection.payload.sha512_hash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dest_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.real_region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false,\"searchable\":false,\"aggregatable\":false},{\"name\":\"geoip.real_region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proxy_connection.payload.md5_hash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"is_virtual\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"proxy_connection.payload.md5_hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"download_tries\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"attack_connection.payload.data_hex.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"src_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"attack_connection.payload.length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"src_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.asn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"end_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"operation_mode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"attack_connection.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proxy_connection.remote_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"download_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.full\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proxy_connection.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"attack_connection.payload.data_hex\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"geoip.asn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"geoip.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"attack_connection.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"proxy_connection.payload.sha512_hash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"proxy_connection.remote_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"honeypot.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"honeypot.nodeid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"honeypot.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"honeypot.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"honeypot.query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"honeypot.nodeid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"pam_session_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"pam_module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"pam_by.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"pam_session_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"pam_caller\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"logsource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"pam_caller.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"logsource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"pam_module.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"pam_by\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"program.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"mod\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"dist\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"raw_hits\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"app\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"mod.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"raw_freq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"link.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"params\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"app.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dist.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"link\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"raw_hits.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"uptime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"raw_mtu\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"raw_freq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"raw_sig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"lang\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"params.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"uptime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"lang.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"raw_sig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"raw_mtu.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"encCS\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"eventid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"keyAlgs\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"encCS.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"sensor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"fingerprint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"compCS.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"session.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"macCS.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ttylog\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"input\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ttylog.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"shasum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"isError\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"input.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"width\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"compCS\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"kexAlgs\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"shasum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"outfile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"fingerprint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"sensor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"kexAlgs.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"keyAlgs.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"eventid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"session\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"outfile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"macCS\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"dns.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.redirect\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"smtp.helo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"dns.rcode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ssh.client.proto_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"icmp_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ssh.server.proto_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"alert.action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.rrname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tls.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"tx_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.http_user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.http_user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"icmp_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tls.subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"tls.subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.http_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"fileinfo.filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tls.fingerprint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"in_iface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.http_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"fileinfo.filename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"ssh.client.software_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.accept_encoding.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"fileinfo.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.rrtype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"fileinfo.size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.rrtype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"tls.issuerdn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"alert.category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.accept_language\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"fileinfo.tx_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.rcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"tls.issuerdn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.rrname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"proto.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"flow_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"alert.severity\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.ttl\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"fileinfo.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"alert.signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"alert.category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tls.fingerprint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"smtp.helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.tx_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"app_proto.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"proto\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.accept_encoding\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"dns.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.rdata\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.http_content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"ssh.client.software_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"fileinfo.stored\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"alert.rev\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ssh.server.software_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"alert.signature_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"alert.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"ssh.server.proto_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ssh.client.proto_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"tls.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ssh.server.software_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"dns.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dns.rdata.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.redirect.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"app_proto\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"fileinfo.magic\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"in_iface\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"tls.sni\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"alert.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"alert.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"fileinfo.magic.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.http_content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tls.sni.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.status\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.accept_language.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"login.password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"connection.transport.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"login.username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"login.password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"ftp.commands.arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"login.username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"ftp.commands.command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"connection.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"connection.transport\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"connection.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"ftp.commands.command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"src_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"connection.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"src_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"ftp.commands.arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"connection.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http_uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http_uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http_referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"body_bytes_sent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"request_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"remote_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"body_bytes_sent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http_referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"remote_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"request_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http_user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"request_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http_user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"request_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.http_refer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.http_refer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"dst_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"sensorid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"dst_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"sensorid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"data_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"data_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.authorization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.authorization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ruser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"logname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"euid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"ruser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"logname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"euid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"remote_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"remote_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tls.notafter\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"tls.notbefore\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"http.xff\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"http.xff.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"realm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true,\"searchable\":true,\"aggregatable\":true},{\"name\":\"realm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"searchable\":true,\"aggregatable\":false},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false,\"searchable\":false,\"aggregatable\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false,\"searchable\":true,\"aggregatable\":true},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false,\"searchable\":false,\"aggregatable\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false,\"searchable\":false,\"aggregatable\":false}]","fieldFormatMap":"{\"src_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"dst_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"dest_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.speedguide.net/port.php?port={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"src_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.speedguide.net/port.php?port={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.local_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.speedguide.net/port.php?port={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.remote_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.speedguide.net/port.php?port={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"alert.signature_id\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://doc.emergingthreats.net/bin/view/Main/{{value}}\",\"labelTemplate\":\"{{value}}\"}},\"dest_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"geoip.ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.local_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.remote_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"geoip.country_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"geoip.real_region_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"geoip.city_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"geoip.number\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://mxtoolbox.com/SuperTool.aspx?action=asn%3a{{value}}&run=toolpage\",\"labelTemplate\":\"{{value}}\"}},\"status\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://httpstatuses.com/{{value}}\",\"labelTemplate\":\"{{value}}\"}},\"http.status\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://httpstatuses.com/{{value}}\",\"labelTemplate\":\"{{value}}\"}},\"dns.rrname\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"geoip.asn\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"http_user_agent\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://ua.theafh.net/list.php?s={{value}}&include=yes&class=abr&do=desc\",\"labelTemplate\":\"{{value}}\"}},\"http.http_user_agent\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://ua.theafh.net/list.php?s={{value}}&include=yes&class=abr&do=desc\",\"labelTemplate\":\"{{value}}\"}},\"os\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"link\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"event_type\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"tls.sni\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://www.ssllabs.com/ssltest/analyze.html?d={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"tls.version\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"src_ip.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"http_user_agent.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://ua.theafh.net/list.php?s={{value}}&include=yes&class=abr&do=desc\",\"labelTemplate\":\"{{value}}\"}},\"geoip.country_name.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"geoip.city_name.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"status.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://httpstatuses.com/{{value}}\",\"labelTemplate\":\"{{value}}\"}},\"geoip.number.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://mxtoolbox.com/SuperTool.aspx?action=asn%3a{{value}}&run=toolpage\",\"labelTemplate\":\"{{value}}\"}},\"geoip.asn.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"geoip.real_region_name.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"event_type.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"dest_ip.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.remote_ip.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.local_ip.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"dst_ip.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"os.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"link.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"tls.version.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"dns.rrname.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"tls.sni.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://www.ssllabs.com/ssltest/analyze.html?d={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"http.http_user_agent.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://ua.theafh.net/list.php?s={{value}}&include=yes&class=abr&do=desc\",\"labelTemplate\":\"{{value}}\"}}}"} diff --git a/docker/elk/kibana/dist/create_kibana_index.js b/docker/elk/kibana/dist/create_kibana_index.js new file mode 100644 index 00000000..7eaf9468 --- /dev/null +++ b/docker/elk/kibana/dist/create_kibana_index.js @@ -0,0 +1,38 @@ +'use strict'; + +var _setup_error = require('./setup_error'); + +var _setup_error2 = _interopRequireDefault(_setup_error); + +function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } + +module.exports = function (server, mappings) { + var _server$plugins$elast = server.plugins.elasticsearch.getCluster('admin'); + + const callWithInternalUser = _server$plugins$elast.callWithInternalUser; + + const index = server.config().get('kibana.index'); + + function handleError(message) { + return function (err) { + throw new _setup_error2.default(server, message, err); + }; + } + + return callWithInternalUser('indices.create', { + index: index, + body: { + settings: { + number_of_shards: 1, + number_of_replicas: 0, + 'index.mapper.dynamic': false + }, + mappings + } + }).catch(handleError('Unable to create Kibana index "<%= kibana.index %>"')).then(function () { + return callWithInternalUser('cluster.health', { + waitForStatus: 'yellow', + index: index + }).catch(handleError('Waiting for Kibana index "<%= kibana.index %>" to come online failed.')); + }); +}; diff --git a/docker/elk/kibana/dist/elk.ico b/docker/elk/kibana/dist/elk.ico new file mode 100644 index 00000000..a40c2372 Binary files /dev/null and b/docker/elk/kibana/dist/elk.ico differ diff --git a/docker/elk/kibana/dist/kibana.svg b/docker/elk/kibana/dist/kibana.svg new file mode 100644 index 00000000..ed37c357 --- /dev/null +++ b/docker/elk/kibana/dist/kibana.svg @@ -0,0 +1,64 @@ + + + + + +Created by potrace 1.11, written by Peter Selinger 2001-2013 + + + image/svg+xml + + + + + + + diff --git a/docker/elk/kibana/elkbase.tgz b/docker/elk/kibana/elkbase.tgz new file mode 100644 index 00000000..81c535b4 Binary files /dev/null and b/docker/elk/kibana/elkbase.tgz differ diff --git a/docker/elk/logstash/Dockerfile b/docker/elk/logstash/Dockerfile new file mode 100644 index 00000000..6646858f --- /dev/null +++ b/docker/elk/logstash/Dockerfile @@ -0,0 +1,38 @@ +FROM alpine +MAINTAINER MO + +# Include dist +ADD dist/ /root/dist/ + +# Setup env and apt +RUN apk -U upgrade && \ + apk add bash curl git libc6-compat libzmq openjdk8-jre procps wget && \ + +# Get and install packages + git clone https://github.com/dtag-dev-sec/listbot /etc/listbot && \ + cd /root/dist/ && \ + mkdir -p /usr/share/logstash/ && \ + wget https://artifacts.elastic.co/downloads/logstash/logstash-5.6.1.tar.gz && \ + wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN.tar.gz && \ + tar xvfz logstash-5.6.1.tar.gz --strip-components=1 -C /usr/share/logstash/ && \ + /usr/share/logstash/bin/logstash-plugin install logstash-filter-translate && \ + /usr/share/logstash/bin/logstash-plugin install logstash-output-syslog && \ + tar xvfz GeoLite2-ASN.tar.gz --strip-components=1 -C /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-4.3.1-java/vendor/ && \ + +# Add and move files + cd /root/dist/ && \ + cp update.sh /usr/bin/ && \ + chmod u+x /usr/bin/update.sh && \ + mkdir -p /etc/logstash/conf.d && \ + cp logstash.conf /etc/logstash/conf.d/ && \ + cp elasticsearch-template-es5x.json /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.0-java/lib/logstash/outputs/elasticsearch/ && \ + +# Clean up + apk del wget && \ + rm -rf /root/* + +# Healthcheck +HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9600' + +# Start logstash +CMD update.sh && /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf diff --git a/docker/elk/logstash/dist/elasticsearch-template-es5x.json b/docker/elk/logstash/dist/elasticsearch-template-es5x.json new file mode 100644 index 00000000..17bf366f --- /dev/null +++ b/docker/elk/logstash/dist/elasticsearch-template-es5x.json @@ -0,0 +1,48 @@ +{ + "template" : "logstash-*", + "version" : 50001, + "settings" : { + "index.refresh_interval" : "5s", + "index.number_of_shards" : "1", + "index.number_of_replicas" : "0" + }, + "mappings" : { + "_default_" : { + "_all" : {"enabled" : true, "norms" : false}, + "dynamic_templates" : [ { + "message_field" : { + "path_match" : "message", + "match_mapping_type" : "string", + "mapping" : { + "type" : "text", + "norms" : false + } + } + }, { + "string_fields" : { + "match" : "*", + "match_mapping_type" : "string", + "mapping" : { + "type" : "text", "norms" : false, + "fields" : { + "keyword" : { "type": "keyword", "ignore_above": 256 } + } + } + } + } ], + "properties" : { + "@timestamp": { "type": "date", "include_in_all": false }, + "@version": { "type": "keyword", "include_in_all": false }, + "geoip" : { + "dynamic": true, + "properties" : { + "ip": { "type": "ip" }, + "location" : { "type" : "geo_point" }, + "latitude" : { "type" : "half_float" }, + "longitude" : { "type" : "half_float" } + } + } + } + } + } +} diff --git a/docker/elk/logstash/dist/gen_cve_map.sh b/docker/elk/logstash/dist/gen_cve_map.sh new file mode 100755 index 00000000..b27b815e --- /dev/null +++ b/docker/elk/logstash/dist/gen_cve_map.sh @@ -0,0 +1,32 @@ +#!/bin/bash +myURL="https://rules.emergingthreats.net/open/suricata-4.0/rules/sid-msg.map" +myRULESFILE="sid-msg.map" +myCVEMAP="cve.yaml" + +# Clear cve map +rm $myCVEMAP + +# Download SID map from ET if server offers newer file +wget -N $myURL +myRULESCOUNT=$(wc -l < $myRULESFILE) + +# Just extract rules with CVE ID, for proper matching we also need SID +let i=0 +let j=0 +while read -r myRULE +do + (( ++i )) + echo -ne "Processing rules, please be patient ($i / $myRULESCOUNT)\r" + myCVE=$(echo $myRULE | grep -o -E "(cve,|CVE-|CAN-)([0-9]{4}-([0-9]{4}|[0-9]{5}))" | tr a-z A-Z | tr ",|-" " " | awk '{ print $1"-"$2"-"$3 }') + if [ "$myCVE" != "" ] + then + mySID=$(echo $myRULE | awk '{ print $1 }') + echo \"$mySID\": \"$myCVE\" >> $myCVEMAP + (( ++j )) + fi +done < "$myRULESFILE" +echo +echo "Done. $j CVE IDs have been mapped." + +# Clean up +rm $myRULESFILE diff --git a/docker/elk/logstash/dist/gen_iprep_map.sh b/docker/elk/logstash/dist/gen_iprep_map.sh new file mode 100755 index 00000000..9ca5ec11 --- /dev/null +++ b/docker/elk/logstash/dist/gen_iprep_map.sh @@ -0,0 +1,127 @@ +#!/bin/bash +myIPREPMAP="iprep.yaml" +myRED="" +myGREEN="" +myBLUE="" +myWHITE="" + +# Prepare for new files +rm -rf *.raw *.yaml.tmp iprep.yaml + +### Define repeating commands as functions +# Download only if host is up, file is newer and follow redirects +fuCURL () { +local myFILE=$1 +local myURL=$2 +local myHOST=$(echo $2 | cut -d "/" -f3) + + echo -n "[ Now checking host ] [$myBLUE $myHOST $myWHITE] " + curl --connect-timeout 5 -IsS $myHOST 2>&1>/dev/null + if [ $? -eq 0 ]; + then + echo "[$myGREEN OK $myWHITE]" + echo -n "[ Now downloading ] [$myBLUE $myURL $myWHITE] " + curl -fLso $myFILE -z $myFILE $myURL + if [ $? -eq 0 ]; + then + echo "[$myGREEN OK $myWHITE]" + else + echo "[$myRED ERROR $myWHITE]" + fi + else + echo "[$myRED ERROR $myWHITE]" + fi +} + +# Only match lines with CIDR addresses, unzip if necessary +# Duplicates will be eliminated for the final translation map! +fuMATCHCIDR () { +local myFILE=$1 + + if [ -f $myFILE ]; + then + myZIP=$(file $myFILE | grep -c "Zip") + if [ "$myZIP" == "1" ] + then + unzip -p $myFILE | grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}/\d{1,2}\b" | xargs -I '{}' prips '{}' + else + grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}/\d{1,2}\b" $myFILE | xargs -I '{}' prips '{}' + fi + fi +} + +# Only match lines with IPv4 addresses, unzip if necessary +# Duplicates will be eliminated for the final translation map! +fuMATCHIP () { +local myFILE=$1 + + if [ -f $myFILE ]; + then + myZIP=$(file $myFILE | grep -c "Zip") + if [ "$myZIP" == "1" ] + then + unzip -p $myFILE | grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" + else + grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" $myFILE + fi + fi +} + +### Define download function +fuDOWNLOAD () { +local myURL=$1 +local myTAG=$2 +local myTMPFILE="$3.tmp" +local myYAMLFILE="$3.raw" + + fuCURL $myTMPFILE $myURL + fuMATCHCIDR $myTMPFILE | awk '{ print "\""$1"\": \"" "'"$myTAG"'" "\"" }' > $myYAMLFILE + fuMATCHIP $myTMPFILE | awk '{ print "\""$1"\": \"" "'"$myTAG"'" "\"" }' >> $myYAMLFILE + mySIZE=$(wc -l < $myYAMLFILE) + if [ "$mySIZE" != "0" ] + then + echo "[ Control output ] [$myBLUE $(head -n 1 $myYAMLFILE) $myWHITE]" + else + echo "[ Control output ] [$myRED EMPTY FILE $myWHITE]" + fi +} + +# Download reputation lists +fuDOWNLOAD "https://reputation.alienvault.com/reputation.generic" "bad reputation" "alienvault" +fuDOWNLOAD "https://www.badips.com/get/list/any/2" "known attacker" "badips" +fuDOWNLOAD "http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt" "C2 server" "bambenek" +fuDOWNLOAD "https://lists.blocklist.de/lists/all.txt" "known attacker" "blocklist" +fuDOWNLOAD "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/botscout_1d.ipset" "form spammer" "firehol_botscout" +fuDOWNLOAD "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/cruzit_web_attacks.ipset" "known attacker" "firehol_cruzit" +fuDOWNLOAD "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malwaredomainlist.ipset" "known atttacker" "firehol_mwdomainlist" +fuDOWNLOAD "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists_1d.ipset" "anonymizer" "firehol_proxylists" +fuDOWNLOAD "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyrss_1d.ipset" "anonymizer" "firehol_proxyrss" +fuDOWNLOAD "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyspy_1d.ipset" "anonymizer" "firehol_proxyspy" +fuDOWNLOAD "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ri_web_proxies_30d.ipset" "anonymizer" "firehol_web_proxies" +fuDOWNLOAD "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/socks_proxy_7d.ipset" "anonymizer" "firehol_socks_proxy" +fuDOWNLOAD "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/sslproxies_1d.ipset" "anonymizer" "firehol_sslproxies" +fuDOWNLOAD "http://danger.rulez.sk/projects/bruteforceblocker/blist.php" "known attacker" "rulez" +fuDOWNLOAD "http://cinsscore.com/list/ci-badguys.txt" "known attacker" "cinsscore" +fuDOWNLOAD "https://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt" "compromised" "et_compromised" +fuDOWNLOAD "http://blocklist.greensnow.co/greensnow.txt" "known attacker" "greensnow" +fuDOWNLOAD "http://www.nothink.org/blacklist/blacklist_malware_irc.txt" "malware" "nothink" +fuDOWNLOAD "http://cybersweat.shop/iprep/iprep_ramnode.txt" "known attacker" "cybersweat" +fuDOWNLOAD "http://spys.me/proxy.txt" "anonymizer" "spys" +fuDOWNLOAD "http://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt" "ransomware" "ransomwaretracker" +fuDOWNLOAD "https://report.cs.rutgers.edu/DROP/attackers" "known attacker" "rutgers" +fuDOWNLOAD "http://sblam.com/blacklist.txt" "form spammer" "sblam" +fuDOWNLOAD "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv" "C2 server" "sslbl" +fuDOWNLOAD "http://www.talosintelligence.com/feeds/ip-filter.blf" "bad reputation" "talos" +fuDOWNLOAD "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" "tor exit node" "torexit" +fuDOWNLOAD "https://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv" "tor exit node" "torip" +fuDOWNLOAD "https://www.turris.cz/greylist-data/greylist-latest.csv" "bad reputation" "turris" +fuDOWNLOAD "https://zeustracker.abuse.ch/blocklist.php?download=badips" "malware" "zeustracker" +fuDOWNLOAD "https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt" "mass scanner" "maltrail_mass_scanner" +fuDOWNLOAD "https://myip.ms/files/blacklist/general/full_blacklist_database.zip" "bot, crawler" "myip" + +# Generate logstash translation map for ip reputation lookup +echo -n "[ Building translation map ] " +cat *.raw > $myIPREPMAP.tmp +# Remove duplicates +sort -u $myIPREPMAP.tmp > $myIPREPMAP +echo "[$myGREEN DONE $myWHITE]" diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf new file mode 100644 index 00000000..e4412f74 --- /dev/null +++ b/docker/elk/logstash/dist/logstash.conf @@ -0,0 +1,416 @@ +# Input section +input { + +# Suricata + file { + path => ["/data/suricata/log/eve.json"] + codec => json + type => "Suricata" + } + +# P0f + file { + path => ["/data/p0f/log/p0f.json"] + codec => json + type => "P0f" + } + +# Conpot + file { + path => ["/data/conpot/log/conpot.json"] + codec => json + type => "ConPot" + } + +# Cowrie + file { + path => ["/data/cowrie/log/cowrie.json"] + codec => json + type => "Cowrie" + } + +# Dionaea + file { + path => ["/data/dionaea/log/dionaea.json"] + codec => json + type => "Dionaea" + } + +# Elasticpot + file { + path => ["/data/elasticpot/log/elasticpot.log"] + codec => json + type => "ElasticPot" + } + +# eMobility + file { + path => ["/data/emobility/log/centralsystemEWS.log"] + type => "eMobility" + } + +# Glastopf + file { + path => ["/data/glastopf/log/glastopf.log"] + type => "Glastopf" + } + +# Honeytrap + file { + path => ["/data/honeytrap/log/attackers.json"] + codec => json + type => "Honeytrap" + } + +# Mailoney + file { + path => ["/data/mailoney/log/commands.log"] + type => "Mailoney" + } + +# Rdpy + file { + path => ["/data/rdpy/log/rdpy.log"] + type => "Rdpy" + } + +# Host Syslog + file { + path => ["/data/host/log/auth.log"] + codec => plain + type => "Syslog" + } + +# Host NGINX + file { + path => ["/data/host/log/nginx/access.log"] + codec => json + type => "NGINX" + } + +# Vnclowpot + file { + path => ["/data/vnclowpot/log/vnclowpot.log"] + type => "Vnclowpot" + } +} + +# Filter Section +filter { + +# Suricata + if [type] == "Suricata" { + date { + match => [ "timestamp", "ISO8601" ] + } + translate { + refresh_interval => 86400 + field => "[alert][signature_id]" + destination => "[alert][cve_id]" + dictionary_path => "/etc/listbot/cve.yaml" + } + } + +# P0f + if [type] == "P0f" { + date { + match => [ "timestamp", "yyyy'/'MM'/'dd HH:mm:ss" ] + remove_field => ["timestamp"] + } + mutate { + rename => { + "server_port" => "dest_port" + "server_ip" => "dest_ip" + "client_port" => "src_port" + "client_ip" => "src_ip" + } + } + } + +# Conpot + if [type] == "ConPot" { + date { + match => [ "timestamp", "ISO8601" ] + } + } + +# Cowrie + if [type] == "Cowrie" { + date { + match => [ "timestamp", "ISO8601" ] + } + mutate { + rename => { + "dst_port" => "dest_port" + "dst_ip" => "dest_ip" + } + } + } + +# Dionaea + if [type] == "Dionaea" { + date { + match => [ "timestamp", "ISO8601" ] + } + mutate { + rename => { + "dst_port" => "dest_port" + "dst_ip" => "dest_ip" + } + gsub => [ + "src_ip", "::ffff:", "", + "dest_ip", "::ffff:", "" + ] + } + if [credentials] { + mutate { + add_field => { + "login.username" => "%{[credentials][username]}" + "login.password" => "%{[credentials][password]}" + } + remove_field => "[credentials]" + } + } + } + +# ElasticPot + if [type] == "ElasticPot" { + date { + match => [ "timestamp", "ISO8601" ] + } + } + +# eMobility + if [type] == "eMobility" { + grok { + match => [ "message", "\A%{IP:src_ip}\.%{POSINT:src_port:integer}\|%{IP:dest_ip}\.%{POSINT:dest_port:integer}:%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424SD}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{URIPROTO:http_method}\|%{URIPATH:http_uri}\|%{TIMESTAMP_ISO8601:timestamp}" ] + } + date { + match => [ "timestamp", "ISO8601" ] + } + } + +# Glastopf + if [type] == "Glastopf" { + grok { + match => [ "message", "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{NOTSPACE}%{SPACE}%{IP:src_ip}%{SPACE}%{WORD}%{SPACE}%{URIPROTO:http_method}%{SPACE}%{NOTSPACE:http_uri}%{SPACE}%{NOTSPACE}%{SPACE}%{HOSTNAME}:%{NUMBER:dest_port:integer}" ] + } + date { + match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ] + remove_field => ["timestamp"] + } + } + +# Honeytrap + if [type] == "Honeytrap" { + date { + match => [ "timestamp", "ISO8601" ] + } + mutate { + rename => { + "[attack_connection][local_port]" => "dest_port" + "[attack_connection][local_ip]" => "dest_ip" + "[attack_connection][remote_port]" => "src_port" + "[attack_connection][remote_ip]" => "src_ip" + } + } + } + +# Mailoney + if [type] == "Mailoney" { + grok { + match => [ "message", "\A%{NAGIOSTIME}\[%{IPV4:src_ip}:%{INT:src_port:integer}] %{GREEDYDATA:smtp_input}" ] + } + mutate { + add_field => { + "dest_port" => "25" + } + } + date { + match => [ "nagios_epoch", "UNIX" ] + remove_field => ["nagios_epoch"] + } + } + +# Rdpy + if [type] == "Rdpy" { + grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}", "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ] } } + date { + match => [ "timestamp", "ISO8601" ] + remove_field => ["timestamp"] + } + mutate { + add_field => { + "dest_port" => "3389" + } + } + } + +# Syslog + if [type] == "Syslog" { + grok { + match => { + "message" => ["%{SYSLOGPAMSESSION}", "%{CRONLOG}", "%{SYSLOGLINE}"] + } + overwrite => "message" + } + date { + match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ] + remove_field => ["timestamp"] + } + date { + match => ["timestamp8601", "ISO8601"] + remove_field => ["timestamp8601"] + } + grok { + match => { "message" => "Connection closed by %{IP:src_ip}" } + add_tag => [ "ssh_connection_closed" ] + tag_on_failure => [] + } + grok { + match => { "message" => "Received disconnect from %{IP:src_ip}" } + add_tag => [ "ssh_connection_disconnect" ] + tag_on_failure => [] + } + grok { + match => { "message" => "Failed password for invalid user %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2" } + add_tag => [ "ssh_failed_password" ] + tag_on_failure => [] + } + grok { + match => { "message" => "Did not receive identification string from %{IP:src_ip}" } + add_tag => [ "ssh_no_id" ] + tag_on_failure => [] + } + grok { + match => { "message" => "User %{USERNAME:username} from %{IP:src_ip} not allowed because not listed in AllowUsers" } + add_tag => [ "ssh_user_not_allowed" ] + tag_on_failure => [] + } + grok { + match => { "message" => "authentication failure; logname=%{USERNAME:logname} uid=%{BASE10NUM:uid} euid=%{BASE10NUM:euid} tty=%{TTY:tty} ruser=%{USERNAME:ruser} rhost=(?:%{HOSTNAME:remote_host}|\s*) user=%{USERNAME:user}"} + add_tag => [ "ssh_auth_failure" ] + tag_on_failure => [] + } + grok { + match => { "message" => "pam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=%{NOTSPACE:tty} ruser= rhost=(?:%{HOSTNAME:remote_host}|\s*) user=%{USERNAME:user}"} + add_tag => [ "ssh_auth_failure" ] + tag_on_failure => [] + } + grok { + match => { "message" => "Failed password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"} + add_tag => [ "ssh_failed_password" ] + tag_on_failure => [] + } + grok { + match => { "message" => "Accepted password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"} + add_tag => [ "ssh_accepted_password" ] + tag_on_failure => [] + } + grok { + match => { "message" => "Accepted publickey for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"} + add_tag => [ "ssh_accepted_pubkey" ] + tag_on_failure => [] + } + grok { + match => { "message" => "Accepted keyboard-interactive/pam for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"} + add_tag => [ "ssh_accepted_interactive" ] + tag_on_failure => [] + } + } + +# NGINX + if [type] == "NGINX" { + date { + match => [ "timestamp", "ISO8601" ] + } + } + +# Vnclowpot + if [type] == "Vnclowpot" { + grok { + match => [ "message", "\A%{NOTSPACE}%{SPACE}%{TIME}%{SPACE}%{IPV4:src_ip}:%{INT:src_port}%{SPACE}%{NOTSPACE:vnc_handshake}" ] + } + date { + match => [ "timestamp", "yyyy/MM/dd HH:mm:ss" ] + remove_field => ["timestamp"] + } + mutate { + add_field => { + "dest_port" => "5900" + } + } + } + +# Drop if parse fails +if "_grokparsefailure" in [tags] { drop {} } + +# Add geo coordinates / ASN info / IP rep. + if [src_ip] { + geoip { + cache_size => 10000 + source => "src_ip" + database => "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-4.3.1-java/vendor/GeoLite2-City.mmdb" + } + geoip { + cache_size => 10000 + source => "src_ip" + database => "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-4.3.1-java/vendor/GeoLite2-ASN.mmdb" + } + translate { + refresh_interval => 86400 + field => "src_ip" + destination => "ip_rep" + dictionary_path => "/etc/listbot/iprep.yaml" + } + } + +# In some rare conditions dest_port, src_port is indexed as string, forcing integer for now + if [dest_port] { + mutate { + convert => { "dest_port" => "integer" } + } + } + if [src_port] { + mutate { + convert => { "src_port" => "integer" } + } + } + +# Add T-Pot hostname and external IP + if [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "eMobility" or [type] == "Glastopf" or [type] == "Honeytrap" or [type] == "Mailoney" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Vnclowpot" { + mutate { + add_field => { + "t-pot_ip_ext" => "${MY_EXTIP}" + "t-pot_ip_int" => "${MY_INTIP}" + "t-pot_hostname" => "${MY_HOSTNAME}" + } + } + } + +} + +# Output section +output { + elasticsearch { + hosts => ["elasticsearch:9200"] + } + + if [type] == "Suricata" { + file { + file_mode => 0760 + path => "/data/suricata/log/suricata_ews.log" + } + } + # Debug output + #if [type] == "XYZ" { + # stdout { + # codec => rubydebug + # } + #} + # Debug output + #stdout { + # codec => rubydebug + #} + +} diff --git a/docker/elk/logstash/dist/update.sh b/docker/elk/logstash/dist/update.sh new file mode 100644 index 00000000..16251a55 --- /dev/null +++ b/docker/elk/logstash/dist/update.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +# Let's ensure normal operation on exit or if interrupted ... +function fuCLEANUP { + exit 0 +} +trap fuCLEANUP EXIT + +# Download updated translation maps +cd /etc/listbot +git pull +cd / diff --git a/docker/ews/Dockerfile b/docker/ews/Dockerfile new file mode 100644 index 00000000..02044f3e --- /dev/null +++ b/docker/ews/Dockerfile @@ -0,0 +1,32 @@ +FROM alpine +MAINTAINER MO + +# Include dist +ADD dist/ /root/dist/ + +# Install packages +RUN apk -U upgrade && \ + apk add build-base git libssl1.0 openssl-dev python-dev py-cffi py-ipaddress py-lxml py-mysqldb py-pip py-pysqlite py-requests py-setuptools && \ + pip install pyOpenSSL==16.2.0 && \ + +# Setup ewsposter + git clone https://github.com/rep/hpfeeds /opt/hpfeeds && \ + cd /opt/hpfeeds && \ + python setup.py install && \ + git clone https://github.com/vorband/ewsposter /opt/ewsposter && \ + mkdir -p /opt/ewsposter/spool /opt/ewsposter/log && \ + +# Setup user and groups + addgroup -g 2000 ews && \ + adduser -S -H -u 2000 -D -g 2000 ews && \ + +# Supply configs + mv /root/dist/ews.cfg /opt/ewsposter/ && \ + +# Clean up + apk del build-base git openssl-dev python-dev py-pip py-setuptools && \ + rm -rf /root/* && \ + rm -rf /var/cache/apk/* + +# Run ewsposter +CMD sleep 10 && /usr/bin/python /opt/ewsposter/ews.py -l 60 diff --git a/docker/ews/README.md b/docker/ews/README.md new file mode 100644 index 00000000..8255a020 --- /dev/null +++ b/docker/ews/README.md @@ -0,0 +1,14 @@ +[![](https://images.microbadger.com/badges/version/dtagdevsec/ewsposter:1706.svg)](https://microbadger.com/images/dtagdevsec/ewsposter:1706 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/ewsposter:1706.svg)](https://microbadger.com/images/dtagdevsec/ewsposter:1706 "Get your own image badge on microbadger.com") + +# dockerized ewsposter + + +[ewsposter](https://github.com/dtag-dev-sec/ews) is a python application that collects information from multiple honeypot sources and posts it to central collection services like the DTAG early warning system and hpfeeds. + +This dockerized version is part of the **[T-Pot community honeypot](http://github.com/dtag-dev-sec/tpotce)** of Deutsche Telekom AG. + +The `Dockerfile` contains the blueprint for the dockerized ewsposter and will be used to setup the docker image. + +The `ews.cfg` is tailored to fit the T-Pot environment. + +The `supervisord.conf` is used to start ewsposter under supervision of supervisord. diff --git a/docker/ews/dist/ews.cfg b/docker/ews/dist/ews.cfg new file mode 100644 index 00000000..2f1dbf34 --- /dev/null +++ b/docker/ews/dist/ews.cfg @@ -0,0 +1,98 @@ +[MAIN] +homedir = /opt/ewsposter/ +spooldir = /opt/ewsposter/spool/ +logdir = /opt/ewsposter/log/ +del_malware_after_send = false +send_malware = false +sendlimit = 500 +contact = your_email_address +proxy = +ip = + +[EWS] +ews = true +username = community-01-user +token = foth{a5maiCee8fineu7 +rhost_first = https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage +rhost_second = https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage +ignorecert = false + +[HPFEED] +hpfeed = false +host = 0.0.0.0 +port = 0 +channels = 0 +ident = 0 +secret= 0 + +[EWSJSON] +json = false +jsondir = /data/ews/json/ + +[GLASTOPFV3] +glastopfv3 = true +nodeid = glastopfv3-community-01 +sqlitedb = /data/glastopf/db/glastopf.db +malwaredir = /data/glastopf/data/files/ + +[GLASTOPFV2] +glastopfv2 = false +nodeid = +mysqlhost = +mysqldb = +mysqluser = +mysqlpw = +malwaredir = + +[KIPPO] +kippo = false +nodeid = +mysqlhost = +mysqldb = +mysqluser = +mysqlpw = +malwaredir = + +[COWRIE] +cowrie = true +nodeid = cowrie-community-01 +logfile = /data/cowrie/log/cowrie.json + +[DIONAEA] +dionaea = true +nodeid = dionaea-community-01 +malwaredir = /data/dionaea/binaries/ +sqlitedb = /data/dionaea/log/dionaea.sqlite + +[HONEYTRAP] +honeytrap = true +nodeid = honeytrap-community-01 +newversion = true +payloaddir = /data/honeytrap/attacks/ +attackerfile = /data/honeytrap/log/attacker.log + +[RDPDETECT] +rdpdetect = false +nodeid = +iptableslog = +targetip = + +[EMOBILITY] +eMobility = true +nodeid = emobility-community-01 +logfile = /data/emobility/log/centralsystemEWS.log + +[CONPOT] +conpot = true +nodeid = conpot-community-01 +logfile = /data/conpot/log/conpot.json + +[ELASTICPOT] +elasticpot = true +nodeid = elasticpot-community-01 +logfile = /data/elasticpot/log/elasticpot.log + +[SURICATA] +suricata = true +nodeid = suricata-community-01 +logfile = /data/suricata/log/suricata_ews.log diff --git a/docker/glastopf/Dockerfile b/docker/glastopf/Dockerfile new file mode 100644 index 00000000..5e1cd6d7 --- /dev/null +++ b/docker/glastopf/Dockerfile @@ -0,0 +1,50 @@ +FROM alpine +MAINTAINER MO + +# Include dist +ADD dist/ /root/dist/ + +# Install packages +RUN apk -U upgrade && \ + apk add autoconf bash bind-tools build-base cython git libffi libffi-dev make py-asn1 \ + py-cffi py-chardet py-chardet py-cparser py-cryptography py-dateutil \ + py-enum34 py-idna py-ipaddress py-jinja2 py-lxml py-mysqldb py-openssl \ + py-pip py-requests py-setuptools python python-dev && \ + apk -U add --repository http://dl-3.alpinelinux.org/alpine/edge/testing/ \ + py-beautifulsoup4 php7 php7-dev py-cssselect py-gevent py-greenlet py-mongo \ + py-sqlalchemy py-webob && \ + +# Install php sandbox from git + git clone https://github.com/glastopf/BFR.git /opt/BFR && \ + cd /opt/BFR && \ + phpize7 && \ + ./configure \ + --with-php-config=/usr/bin/php-config7 \ + --enable-bfr && \ + make && \ + make install && \ + cd / && \ + rm -rf /opt/BFR /tmp/* /var/tmp/* && \ + echo "zend_extension = "$(find /usr -name bfr.so) >> /etc/php7/php.ini && \ + +# Install glastopf from git + git clone https://github.com/mushorg/glastopf.git /opt/glastopf && \ + cd /opt/glastopf && \ + python setup.py install && \ + cd / && \ + rm -rf /opt/glastopf /tmp/* /var/tmp/* && \ + +# Setup user, groups and configs + addgroup -g 2000 glastopf && \ + adduser -S -H -u 2000 -D -g 2000 glastopf && \ + mkdir -p /opt/glastopf && \ + mv /root/dist/glastopf.cfg /opt/glastopf/ && \ + +# Clean up + apk del autoconf build-base git libffi-dev php7-dev python-dev && \ + rm -rf /root/* && \ + rm -rf /var/cache/apk/* + +# Set workdir and start glastopf +WORKDIR /opt/glastopf/ +CMD ["glastopf-runner"] diff --git a/docker/glastopf/README.md b/docker/glastopf/README.md new file mode 100644 index 00000000..c8a323c5 --- /dev/null +++ b/docker/glastopf/README.md @@ -0,0 +1,31 @@ +[![](https://images.microbadger.com/badges/version/dtagdevsec/glastopf:1706.svg)](https://microbadger.com/images/dtagdevsec/glastopf:1706 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/glastopf:1706.svg)](https://microbadger.com/images/dtagdevsec/glastopf:1706 "Get your own image badge on microbadger.com") + +# dockerized glastopf v3 + + +[glastopf](https://github.com/glastopf/glastopf) is a python web application honeypot. + +This repository contains the necessary files to create a *dockerized* version of glastopf v3. + +This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG. + +The `Dockerfile` contains the blueprint for the dockerized glastopf and will be used to setup the docker image. + +The `glastopf.cfg` is tailored to fit the T-Pot environment. + +The `supervisord.conf` is used to start glastopf under supervision of supervisord. + +Using systemd, copy the `systemd/glastopf.service` to `/etc/systemd/system/glastopf.service` and start using + +``` +systemctl enable glastopf +systemctl start glastopf +``` + +This will make sure that the docker container is started with the appropriate permissions and port mappings. Further, it autostarts during boot. + +By default all data will be stored in `/data/glastopf/` until the honeypot service will be restarted which is by default every 24 hours. If you want to keep data persistently simply edit the ``service`` file, find the line that contains ``clean.sh`` and set the option from ``off`` to ``on``. Be advised to establish some sort of log management if you wish to do so. + +# Glastopf Dashboard + +![Glastopf Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/glastopf/master/doc/dashboard.png) diff --git a/docker/glastopf/dist/glastopf.cfg b/docker/glastopf/dist/glastopf.cfg new file mode 100644 index 00000000..3fc2fd4f --- /dev/null +++ b/docker/glastopf/dist/glastopf.cfg @@ -0,0 +1,106 @@ +[webserver] +host = 0.0.0.0 +port = 80 +uid = glastopf +gid = glastopf +proxy_enabled = False + +[ssl] +enabled = False +certfile = +keyfile = + +#Generic logging for general monitoring +[logging] +consolelog_enabled = True +filelog_enabled = True +logfile = log/glastopf.log + +[dork-db] +enabled = True +pattern = rfi +# Extracts dorks from a online dorks service operated by The Honeynet Project +# This service is down until further notice! +mnem_service = False + +[hpfeed] +enabled = False +host = hpfriends.honeycloud.net +port = 20000 +secret = 3wis3l2u5l7r3cew +# channels comma separated +chan_events = glastopf.events +chan_files = glastopf.files +ident = x8yer@hp1 + +[main-database] +#If disabled a sqlite database will be created (db/glastopf.db) +#to be used as dork storage. +enabled = True +#mongodb or sqlalchemy connection string, ex: +#mongodb://localhost:27017/glastopf +#mongodb://james:bond@localhost:27017/glastopf +#mysql://james:bond@somehost.com/glastopf +connection_string = sqlite:///db/glastopf.db + +[surfcertids] +enabled = False +host = localhost +port = 5432 +user = +password = +database = idsserver + +[syslog] +enabled = False +socket = /dev/log + +[mail] +enabled = False +# an email notification will be sent only if a specified matched pattern is identified. +# Use the wildcard char *, to be notified every time +patterns = rfi,lfi +user = +pwd = +mail_from = +mail_to = +smtp_host = smtp.gmail.com +smtp_port = 587 + +[taxii] +enabled = False +host = taxiitest.mitre.org +port = 80 +inbox_path = /services/inbox/default/ +use_https = False +use_auth_basic = False +auth_basic_username = your_username +auth_basic_password = your_password +use_auth_certificate = False +auth_certificate_keyfile = full_path_to_keyfile +auth_certificate_certfile = full_path_to_certfile +include_contact_info = False +contact_name = ... +contact_email = ... + +[logstash] +enabled = False +host = localhost +port = 5659 +handler = AMQP/TCP/UDP + +[misc] +# set webserver banner +banner = Apache/2.0.48 + +[surface] +#https://www.google.com/webmasters/ +google_meta = +#http://www.bing.com/toolbox/webmaster +bing_meta = + +[sensor] +sensorid = None + +[profiler] +enabled = False diff --git a/docker/glastopf/doc/dashboard.png b/docker/glastopf/doc/dashboard.png new file mode 100644 index 00000000..7b4ed365 Binary files /dev/null and b/docker/glastopf/doc/dashboard.png differ diff --git a/docker/glastopf/docker-compose.yml b/docker/glastopf/docker-compose.yml new file mode 100644 index 00000000..b50fbf89 --- /dev/null +++ b/docker/glastopf/docker-compose.yml @@ -0,0 +1,19 @@ +version: '2.1' + +networks: + glastopf_local: + +services: + +# Glastopf service + glastopf: + container_name: glastopf + restart: always + networks: + - glastopf_local + ports: + - "80:80" + image: "dtagdevsec/glastopf:1706" + volumes: + - /data/glastopf/db:/opt/glastopf/db + - /data/glastopf/log:/opt/glastopf/log diff --git a/docker/honeytrap/Dockerfile b/docker/honeytrap/Dockerfile new file mode 100644 index 00000000..799be0ac --- /dev/null +++ b/docker/honeytrap/Dockerfile @@ -0,0 +1,44 @@ +FROM debian:stretch-slim +MAINTAINER MO + +ENV DEBIAN_FRONTEND noninteractive + +# Include dist +ADD dist/ /root/dist/ + +# Setup apt +RUN apt-get update -y && \ + apt-get dist-upgrade -y && \ + +# Install packages + apt-get install -y autoconf build-essential git iptables libnetfilter-queue1 libnetfilter-queue-dev \ + libjson-c-dev libtool libpq5 libpq-dev netbase procps wget && \ + +# Install honeytrap from source + cd /root/ && \ + git clone https://github.com/armedpot/honeytrap && \ + cd /root/honeytrap/ && \ + autoreconf -vfi && \ + ./configure \ + --with-stream-mon=nfq \ + --with-logattacker \ + --with-logjson \ + --prefix=/opt/honeytrap && \ + make && \ + make install && \ + make clean && \ + +# Setup user, groups and configs + addgroup --gid 2000 honeytrap && \ + adduser --system --no-create-home --shell /bin/bash --uid 2000 --disabled-password --disabled-login --gid 2000 honeytrap && \ + mkdir -p /opt/honeytrap/etc/honeytrap/ /opt/honeytrap/var/attacks /opt/honeytrap/var/downloads /opt/honeytrap/var/log && \ + mv /root/dist/honeytrap.conf /opt/honeytrap/etc/honeytrap/ && \ + +# Clean up + rm -rf /root/* && \ + apt-get purge -y autoconf build-essential git libnetfilter-queue-dev libpq-dev && \ + apt-get autoremove -y --purge && \ + apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + +# Start honeytrap +CMD ["/opt/honeytrap/sbin/honeytrap", "-D", "-C", "/opt/honeytrap/etc/honeytrap/honeytrap.conf", "-t", "5", "-u", "honeytrap", "-g", "honeytrap"] diff --git a/docker/honeytrap/LICENSE b/docker/honeytrap/LICENSE new file mode 100644 index 00000000..ef7e7efc --- /dev/null +++ b/docker/honeytrap/LICENSE @@ -0,0 +1,674 @@ +GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. + + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + {one line to give the program's name and a brief idea of what it does.} + Copyright (C) {year} {name of author} + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + {project} Copyright (C) {year} {fullname} + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. diff --git a/docker/honeytrap/README.md b/docker/honeytrap/README.md new file mode 100644 index 00000000..0457ebdf --- /dev/null +++ b/docker/honeytrap/README.md @@ -0,0 +1,35 @@ +[![](https://images.microbadger.com/badges/version/dtagdevsec/honeytrap:1706.svg)](https://microbadger.com/images/dtagdevsec/honeytrap:1706 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/honeytrap:1706.svg)](https://microbadger.com/images/dtagdevsec/honeytrap:1706 "Get your own image badge on microbadger.com") + +# dockerized honeytrap + + +[honeytrap](https://github.com/armedpot/honeytrap) is a low-interaction honeypot daemon for observing attacks against network services. In contrast to other honeypots, which often focus on malware collection, honeytrap aims for catching the initial exploit – It collects and further processes attack traces. + +This repository contains the necessary files to create a *dockerized* version of honeytrap. + +This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG. +For this setup, honeytrap is configured to use the logattacker module only. + +The `Dockerfile` contains the blueprint for the dockerized honeytrap and will be used to setup the docker image. + +The `honeytrap.conf` is tailored to fit the T-Pot environment. + +The `supervisord.conf` is used to start honeytrap under supervision of supervisord. + +In case you want to run the dockerized honeytrap independently, you must modify the config files to match your environment and rebuild the docker image. + +Using systemd, copy the `systemd/honeytrap.service` to `/etc/systemd/system/honeytrap.service` and start using + +``` +systemctl enable honeytrap +systemctl start honeytrap +``` + +This will make sure that the docker container is started with the appropriate rights and iptables forwards are implemented. Further, it autostarts during boot. +In the T-Pot setup, some ports are excluded as they need to be reserved for other honeypot daemons running in parallel. + +By default all data will be stored in `/data/honeytrap/` until the honeypot service will be restarted which is by default every 24 hours. If you want to keep data persistently simply edit the ``service`` file, find the line that contains ``clean.sh`` and set the option from ``off`` to ``on``. Be advised to establish some sort of log management if you wish to do so. + +# Honeytrap Dashboard + +![Honeytrap Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/honeytrap/master/doc/dashboard.png) diff --git a/docker/honeytrap/dist/honeytrap.conf b/docker/honeytrap/dist/honeytrap.conf new file mode 100644 index 00000000..72b1d212 --- /dev/null +++ b/docker/honeytrap/dist/honeytrap.conf @@ -0,0 +1,143 @@ +/* + * honeytrap 1.0.1 configuration file template -- please adjust + * (c) Tillmann Werner + */ + +// log to this file +logfile = "/opt/honeytrap/var/log/honeytrap.log" + +// store process ID in this file +pidfile = "/var/run/honeytrap.pid" + +/* where to look for default responses + * these are sent for connections handled in "normal mode" */ +response_dir = "/opt/honeytrap/etc/honeytrap/responses" + +// replace rfc1918 IP addresses with attacking IP address +replace_private_ips = "no" + +// bind dynamic servers to a specific address +//bind_address = "127.0.0.1" + +/* put network interface into promiscuous mode + * (only availabel when compiled with --with-stream-mon=pcap) */ +//promisc = "on" + +/* the user and group under which honeytrap should run + * should be set to non-root */ +user = "honeytrap" +group = "honeytrap" + +// do not read more than 20 MB - used to prevent DoS attacks +read_limit = "20971520" + + +/* ----- plugin stuff below ----- */ + +/* where to look for plugins + needs to be set before loading plugins */ +plugin_dir = "/opt/honeytrap/etc/honeytrap/plugins" + + +// include a plugin via plugin-[ModuleName] = "" + +// plugin-magicPE = "" +plugin-ftpDownload = "" +plugin-tftpDownload = "" +plugin-b64Decode = "" +plugin-deUnicode = "" +plugin-vncDownload = "" + + +// store attacks on disk +plugin-SaveFile = { + attacks_dir = "/opt/honeytrap/var/attacks" + downloads_dir = "/opt/honeytrap/var/downloads" +} + + +// plugin for shellcode detection and emulation +/* +plugin-cpuEmu = { + execute_shellcode = "no" + createprocess_cmd = "/bin/sh -c \"cd /opt/honeytrap-libemu/.wine/drive_c/windows/system32; WINEPREFIX='/opt/honeytrap-libemu/.wine/' WINEDEBUG='-all' wine 'c:\\windows\\system32\\cmd_orig.exe'\"" +} +*/ + + + +// scan downloaded samples with ClamAV engine +/* +plugin-ClamAV = { + temp_dir = "/tmp" + clamdb_path = "/var/lib/clamav" +} +*/ + + +// calculate locality sensitive hashes +/* +plugin-SpamSum = { + md5sum_sigfile = "/opt/honeytrap/md5sum.sigs" + spamsum_sigfile = "/opt/honeytrap/spamsum.sigs" +} +*/ + +plugin-logAttacker = { logfile = "/opt/honeytrap/var/log/attacker.log" } + +// log attack details in JSON format +plugin-logJSON = { logfile = "/opt/honeytrap/var/log/attackers.json" } + + +// store attacks in PostgeSQL database +/* +plugin-SavePostgres = { + db_host = "localhost" + db_name = "some_db" + db_user = "some_user" + db_pass = "some_pass" +// db_port = "some_port" // defaults to 5432/tcp if not set +} +*/ + + +// invoke an external program (f.e. wget) to download files via http +/* +plugin-httpDownload = { + http_program = "/usr/bin/wget" + http_options = "-q -t1 -T1 -O-" +} +*/ + + +// submit downloaded malware samples to the mwcollect alliance +/* +plugin-submitMWserv = { + mwserv_url = "https://submission-url/" + guid = "your-guid" + maintainer = "your-maintainer" + secret = "your-secret" + timeout = "120" +} +*/ + +/* ----- port mode configuration below ----- */ + +// default port configuration (ignore, normal or mirror) +// ignore: just ignore connection attempts +// normal: send a default response +// mirror: mirror connections back to the initiator (use with caution!) +portconf_default = "normal" + +// explicit port configuration +/* portconf = { + // ignore connection requests on these ports + ignore = { + protocol = "tcp" + port = "22" + } +} +*/ + +// include a file +//include = "ports.conf" diff --git a/docker/honeytrap/doc/dashboard.png b/docker/honeytrap/doc/dashboard.png new file mode 100644 index 00000000..52256f32 Binary files /dev/null and b/docker/honeytrap/doc/dashboard.png differ diff --git a/docker/honeytrap/docker-compose.yml b/docker/honeytrap/docker-compose.yml new file mode 100644 index 00000000..f5329e1e --- /dev/null +++ b/docker/honeytrap/docker-compose.yml @@ -0,0 +1,19 @@ +version: '2.1' + +networks: + honeytrap_local: + +services: + +# Honeytrap service + honeytrap: + container_name: honeytrap + restart: always + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/honeytrap:1706" + volumes: + - /data/honeytrap/attacks:/opt/honeytrap/var/attacks + - /data/honeytrap/downloads:/opt/honeytrap/var/downloads + - /data/honeytrap/log:/opt/honeytrap/var/log diff --git a/docker/mailoney/Dockerfile b/docker/mailoney/Dockerfile new file mode 100644 index 00000000..7a2af93a --- /dev/null +++ b/docker/mailoney/Dockerfile @@ -0,0 +1,35 @@ +FROM alpine +MAINTAINER MO + +# Install packages +RUN apk -U upgrade && \ + apk add autoconf automake bash build-base git libtool procps py-pip python python-dev && \ + +# Install libemu + git clone https://github.com/buffer/libemu /root/libemu/ && \ + cd /root/libemu/ && \ + autoreconf -vi && \ + ./configure && \ + make && \ + make install && \ + +# Install libemu python wrapper + pip install pylibemu && \ + +# Install mailoney from git + git clone https://github.com/awhitehatter/mailoney /opt/mailoney && \ + +# Setup user, groups and configs + addgroup -g 2000 mailoney && \ + adduser -S -H -s /bin/bash -u 2000 -D -g 2000 mailoney && \ + chown -R mailoney:mailoney /opt/mailoney && \ + +# Clean up + apk del autoconf automake build-base git py-pip python-dev && \ + rm -rf /root/* && \ + rm -rf /var/cache/apk/* + +# Set workdir and start glastopf +USER mailoney +WORKDIR /opt/mailoney/ +CMD ["/usr/bin/python","mailoney.py","-i","0.0.0.0","-p","2525","-s","mailserver","-t","schizo_open_relay"] diff --git a/docker/mailoney/README.md b/docker/mailoney/README.md new file mode 100644 index 00000000..ec1cb4ea --- /dev/null +++ b/docker/mailoney/README.md @@ -0,0 +1,4 @@ +[![](https://images.microbadger.com/badges/version/dtagdevsec/mailoney:1706.svg)](https://microbadger.com/images/dtagdevsec/mailoney:1706 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/mailoney:1706.svg)](https://microbadger.com/images/dtagdevsec/mailoney:1706 "Get your own image badge on microbadger.com") + +# mailoney +Dockerized mailoney for use in T-Pot diff --git a/docker/mailoney/docker-compose.yml b/docker/mailoney/docker-compose.yml new file mode 100644 index 00000000..e58178b5 --- /dev/null +++ b/docker/mailoney/docker-compose.yml @@ -0,0 +1,18 @@ +version: '2.1' + +networks: + mailoney_local: + +services: + +# Mailoney service + mailoney: + container_name: mailoney + restart: always + networks: + - mailoney_local + ports: + - "25:2525" + image: "dtagdevsec/mailoney:1706" +# volumes: +# - /data/mailoney/log:/opt/mailoney/logs diff --git a/docker/netdata/Dockerfile b/docker/netdata/Dockerfile new file mode 100644 index 00000000..10d530e1 --- /dev/null +++ b/docker/netdata/Dockerfile @@ -0,0 +1,31 @@ +FROM alpine +MAINTAINER MO + +# Install packages +RUN apk -U upgrade && \ + apk add alpine-sdk autoconf automake bash curl gawk gcc iw jq libmnl-dev libuuid linux-headers lm_sensors make musl-dev netcat-openbsd util-linux-dev pkgconf python py-requests py-yaml zlib-dev && \ + +# Install netdata + cd /root && \ + git clone https://github.com/firehol/netdata && \ + cd netdata && \ + ./netdata-installer.sh --dont-wait --dont-start-it && \ + sed -i "s/#local:/local:/" /etc/netdata/python.d/elasticsearch.conf && \ + sed -i "s/# host: '127.0.0.1'/host: '127.0.0.1'/" /etc/netdata/python.d/elasticsearch.conf && \ + sed -i "s/port: '9200'/port: '64298'/" /etc/netdata/python.d/elasticsearch.conf && \ + sed -i "s/# cluster_health: True/cluster_health: True/" /etc/netdata/python.d/elasticsearch.conf && \ + sed -i "s/# cluster_stats: True/cluster_stats: True/" /etc/netdata/python.d/elasticsearch.conf && \ + sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /etc/netdata/health_alarm_notify.conf && \ + cd / && \ + +# Clean up + apk del alpine-sdk autoconf automake gcc libmnl-dev linux-headers make musl-dev pkgconf util-linux-dev zlib-dev && \ + rm -rf /root/* && \ + rm -rf /var/cache/apk/* + +# Healthcheck +HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:64301' + +# Start netdata +WORKDIR / +CMD ["/usr/sbin/netdata","-D","-s","/host","-i","127.0.0.1","-p","64301"] diff --git a/docker/netdata/LICENSE b/docker/netdata/LICENSE new file mode 100644 index 00000000..9cecc1d4 --- /dev/null +++ b/docker/netdata/LICENSE @@ -0,0 +1,674 @@ + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. + + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + {one line to give the program's name and a brief idea of what it does.} + Copyright (C) {year} {name of author} + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + {project} Copyright (C) {year} {fullname} + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. diff --git a/docker/netdata/README.md b/docker/netdata/README.md new file mode 100644 index 00000000..28031ae9 --- /dev/null +++ b/docker/netdata/README.md @@ -0,0 +1,25 @@ +[![](https://images.microbadger.com/badges/version/dtagdevsec/netdata:1706.svg)](https://microbadger.com/images/dtagdevsec/netdata:1706 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/netdata:1706.svg)](https://microbadger.com/images/dtagdevsec/netdata:1706 "Get your own image badge on microbadger.com") + +# dockerized netdata + + +[netdata](http://my-netdata.io/) netdata is a system for distributed real-time performance and health monitoring. It provides unparalleled insights, in real-time, of everything happening on the system it runs (including applications such as web, or database servers), using modern interactive web dashboards. netdata is fast and efficient, designed to permanently run on all systems (physical & virtual servers, containers, IoT devices), without disrupting their core function. + +This repository contains the necessary files to create a *dockerized* version of netdata. + +This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG. + +The `Dockerfile` contains the blueprint for the dockerized netdata and will be used to setup the docker image. + +Using systemd, copy the `systemd/netdata.service` to `/etc/systemd/system/netdata.service` and start using + +``` +systemctl enable netdata +systemctl start netdata +``` + +This will make sure that the docker container is started with the appropriate permissions and port mappings. Further, it autostarts during boot. + +# Netdata Dashboard + +![Netdata Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/netdata/master/doc/dashboard.png) diff --git a/docker/netdata/doc/dashboard.png b/docker/netdata/doc/dashboard.png new file mode 100644 index 00000000..ceffb0d9 Binary files /dev/null and b/docker/netdata/doc/dashboard.png differ diff --git a/docker/netdata/docker-compose.yml b/docker/netdata/docker-compose.yml new file mode 100644 index 00000000..47967290 --- /dev/null +++ b/docker/netdata/docker-compose.yml @@ -0,0 +1,19 @@ +version: '2.1' + +services: + +# Netdata service + netdata: + container_name: netdata + restart: always + network_mode: "host" + cap_add: + - SYS_PTRACE + security_opt: + - apparmor=unconfined + image: "dtagdevsec/netdata:1706" + volumes: + - /proc:/host/proc:ro + - /sys:/host/sys:ro + - /var/run/docker.sock:/var/run/docker.sock + command: ["/usr/sbin/netdata","-D","-s","/host","-p","19999"] diff --git a/docker/p0f/Dockerfile b/docker/p0f/Dockerfile new file mode 100644 index 00000000..d681ba99 --- /dev/null +++ b/docker/p0f/Dockerfile @@ -0,0 +1,27 @@ +FROM alpine +MAINTAINER MO + +# Add source +ADD . /opt/p0f + +# Install packages +RUN apk -U upgrade && \ + apk add bash build-base git jansson-dev libpcap-dev procps && \ + +# Setup user, groups and configs + addgroup -g 2000 p0f && \ + adduser -S -s /bin/bash -u 2000 -D -g 2000 p0f && \ + +# Download and compile p0f + cd /opt/p0f && \ + ./build.sh && \ + +# Clean up + apk del build-base git jansson-dev libpcap-dev && \ + apk add jansson libpcap && \ + rm -rf /root/* && \ + rm -rf /var/cache/apk/* + +# Start suricata +WORKDIR /opt/p0f +CMD /bin/bash -c "exec /opt/p0f/p0f -u p0f -j -o /var/log/p0f/p0f.json -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:])" diff --git a/docker/p0f/Makefile b/docker/p0f/Makefile new file mode 100644 index 00000000..a9f4ae8a --- /dev/null +++ b/docker/p0f/Makefile @@ -0,0 +1,21 @@ +# +# p0f - make wrapper +# ------------------ +# +# Copyright (C) 2012 by Michal Zalewski +# +# Distributed under the terms and conditions of GNU LGPL. +# + +all: + @./build.sh all + +debug: + @./build.sh debug + +clean: + @./build.sh clean + +publish: + @./build.sh publish + diff --git a/docker/p0f/README.md b/docker/p0f/README.md new file mode 100644 index 00000000..e409c077 --- /dev/null +++ b/docker/p0f/README.md @@ -0,0 +1,4 @@ +[![](https://images.microbadger.com/badges/version/dtagdevsec/p0f:1706.svg)](https://microbadger.com/images/dtagdevsec/p0f:1706 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/p0f:1706.svg)](https://microbadger.com/images/dtagdevsec/p0f:1706 "Get your own image badge on microbadger.com") + +# dockerized p0f + diff --git a/docker/p0f/alloc-inl.h b/docker/p0f/alloc-inl.h new file mode 100644 index 00000000..7dd17d63 --- /dev/null +++ b/docker/p0f/alloc-inl.h @@ -0,0 +1,485 @@ +/* + p0f - error-checking, memory-zeroing alloc routines + --------------------------------------------------- + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#ifndef _HAVE_ALLOC_INL_H +#define _HAVE_ALLOC_INL_H + +#include +#include + +#include "config.h" +#include "types.h" +#include "debug.h" + +#define ALLOC_CHECK_SIZE(_s) do { \ + if ((_s) > MAX_ALLOC) \ + ABORT("Bad alloc request: %u bytes", (_s)); \ + } while (0) + +#define ALLOC_CHECK_RESULT(_r,_s) do { \ + if (!(_r)) \ + ABORT("Out of memory: can't allocate %u bytes", (_s)); \ + } while (0) + +#define ALLOC_MAGIC 0xFF00 +#define ALLOC_MAGIC_F 0xFE00 + +#define ALLOC_C(_ptr) (((u16*)(_ptr))[-3]) +#define ALLOC_S(_ptr) (((u32*)(_ptr))[-1]) + +#define CHECK_PTR(_p) do { \ + if ((_p) && ALLOC_C(_p) != ALLOC_MAGIC) {\ + if (ALLOC_C(_p) == ALLOC_MAGIC_F) \ + ABORT("Use after free."); \ + else \ + ABORT("Bad alloc canary."); \ + } \ + } while (0) + + +#define CHECK_PTR_EXPR(_p) ({ \ + typeof (_p) _tmp = (_p); \ + CHECK_PTR(_tmp); \ + _tmp; \ + }) + +#ifdef CHECK_UAF +# define CP(_p) CHECK_PTR_EXPR(_p) +#else +# define CP(_p) (_p) +#endif /* ^CHECK_UAF */ + +#ifdef ALIGN_ACCESS +# define ALLOC_OFF 8 +#else +# define ALLOC_OFF 6 +#endif /* ^ALIGN_ACCESS */ + + +static inline void* DFL_ck_alloc(u32 size) { + void* ret; + + if (!size) return NULL; + + ALLOC_CHECK_SIZE(size); + ret = malloc(size + ALLOC_OFF); + ALLOC_CHECK_RESULT(ret, size); + + ret += ALLOC_OFF; + + ALLOC_C(ret) = ALLOC_MAGIC; + ALLOC_S(ret) = size; + + return memset(ret, 0, size); +} + + +static inline void* DFL_ck_realloc(void* orig, u32 size) { + void* ret; + u32 old_size = 0; + + if (!size) { + + if (orig) { + + CHECK_PTR(orig); + + /* Catch pointer issues sooner. */ + +#ifdef DEBUG_BUILD + memset(orig - ALLOC_OFF, 0xFF, ALLOC_S(orig) + ALLOC_OFF); +#endif /* DEBUG_BUILD */ + + free(orig - ALLOC_OFF); + + } + + return NULL; + + } + + if (orig) { + + CHECK_PTR(orig); + +#ifndef DEBUG_BUILD + ALLOC_C(orig) = ALLOC_MAGIC_F; +#endif /* !DEBUG_BUILD */ + + old_size = ALLOC_S(orig); + orig -= ALLOC_OFF; + + ALLOC_CHECK_SIZE(old_size); + + } + + ALLOC_CHECK_SIZE(size); + +#ifndef DEBUG_BUILD + + ret = realloc(orig, size + ALLOC_OFF); + ALLOC_CHECK_RESULT(ret, size); + +#else + + /* Catch pointer issues sooner: force relocation and make sure that the + original buffer is wiped. */ + + ret = malloc(size + ALLOC_OFF); + ALLOC_CHECK_RESULT(ret, size); + + if (orig) { + + memcpy(ret + ALLOC_OFF, orig + ALLOC_OFF, MIN(size, old_size)); + memset(orig, 0xFF, old_size + ALLOC_OFF); + + ALLOC_C(orig + ALLOC_OFF) = ALLOC_MAGIC_F; + + free(orig); + + } + +#endif /* ^!DEBUG_BUILD */ + + ret += ALLOC_OFF; + + ALLOC_C(ret) = ALLOC_MAGIC; + ALLOC_S(ret) = size; + + if (size > old_size) + memset(ret + old_size, 0, size - old_size); + + return ret; +} + + +static inline void* DFL_ck_realloc_kb(void* orig, u32 size) { + +#ifndef DEBUG_BUILD + + if (orig) { + + CHECK_PTR(orig); + + if (ALLOC_S(orig) >= size) return orig; + + size = ((size >> 10) + 1) << 10; + } + +#endif /* !DEBUG_BUILD */ + + return DFL_ck_realloc(orig, size); +} + + +static inline u8* DFL_ck_strdup(u8* str) { + void* ret; + u32 size; + + if (!str) return NULL; + + size = strlen((char*)str) + 1; + + ALLOC_CHECK_SIZE(size); + ret = malloc(size + ALLOC_OFF); + ALLOC_CHECK_RESULT(ret, size); + + ret += ALLOC_OFF; + + ALLOC_C(ret) = ALLOC_MAGIC; + ALLOC_S(ret) = size; + + return memcpy(ret, str, size); +} + + +static inline void* DFL_ck_memdup(void* mem, u32 size) { + void* ret; + + if (!mem || !size) return NULL; + + ALLOC_CHECK_SIZE(size); + ret = malloc(size + ALLOC_OFF); + ALLOC_CHECK_RESULT(ret, size); + + ret += ALLOC_OFF; + + ALLOC_C(ret) = ALLOC_MAGIC; + ALLOC_S(ret) = size; + + return memcpy(ret, mem, size); +} + + +static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) { + u8* ret; + + if (!mem || !size) return NULL; + + ALLOC_CHECK_SIZE(size); + ret = malloc(size + ALLOC_OFF + 1); + ALLOC_CHECK_RESULT(ret, size); + + ret += ALLOC_OFF; + + ALLOC_C(ret) = ALLOC_MAGIC; + ALLOC_S(ret) = size; + + memcpy(ret, mem, size); + ret[size] = 0; + + return ret; +} + + +static inline void DFL_ck_free(void* mem) { + + if (mem) { + + CHECK_PTR(mem); + +#ifdef DEBUG_BUILD + + /* Catch pointer issues sooner. */ + memset(mem - ALLOC_OFF, 0xFF, ALLOC_S(mem) + ALLOC_OFF); + +#endif /* DEBUG_BUILD */ + + ALLOC_C(mem) = ALLOC_MAGIC_F; + + free(mem - ALLOC_OFF); + + } + +} + +#ifndef DEBUG_BUILD + +/* Non-debugging mode - straightforward aliasing. */ + +#define ck_alloc DFL_ck_alloc +#define ck_realloc DFL_ck_realloc +#define ck_realloc_kb DFL_ck_realloc_kb +#define ck_strdup DFL_ck_strdup +#define ck_memdup DFL_ck_memdup +#define ck_memdup_str DFL_ck_memdup_str +#define ck_free DFL_ck_free + +#else + +/* Debugging mode - include additional structures and support code. */ + +#define ALLOC_BUCKETS 4096 +#define ALLOC_TRK_CHUNK 256 + +struct TRK_obj { + void *ptr; + char *file, *func; + u32 line; +}; + + +extern struct TRK_obj* TRK[ALLOC_BUCKETS]; +extern u32 TRK_cnt[ALLOC_BUCKETS]; + +#define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS) + +/* Adds a new entry to the list of allocated objects. */ + +static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func, + u32 line) { + + u32 i, bucket; + + if (!ptr) return; + + bucket = TRKH(ptr); + + for (i = 0; i < TRK_cnt[bucket]; i++) + + if (!TRK[bucket][i].ptr) { + + TRK[bucket][i].ptr = ptr; + TRK[bucket][i].file = (char*)file; + TRK[bucket][i].func = (char*)func; + TRK[bucket][i].line = line; + return; + + } + + /* No space available. */ + + if (!(i % ALLOC_TRK_CHUNK)) { + + TRK[bucket] = DFL_ck_realloc(TRK[bucket], + (TRK_cnt[bucket] + ALLOC_TRK_CHUNK) * sizeof(struct TRK_obj)); + + } + + TRK[bucket][i].ptr = ptr; + TRK[bucket][i].file = (char*)file; + TRK[bucket][i].func = (char*)func; + TRK[bucket][i].line = line; + + TRK_cnt[bucket]++; + +} + + +/* Removes entry from the list of allocated objects. */ + +static inline void TRK_free_buf(void* ptr, const char* file, const char* func, + u32 line) { + + u32 i, bucket; + + if (!ptr) return; + + bucket = TRKH(ptr); + + for (i = 0; i < TRK_cnt[bucket]; i++) + + if (TRK[bucket][i].ptr == ptr) { + + TRK[bucket][i].ptr = 0; + return; + + } + + WARN("ALLOC: Attempt to free non-allocated memory in %s (%s:%u)", + func, file, line); + +} + + +/* Does a final report on all non-deallocated objects. */ + +static inline void TRK_report(void) { + + u32 i, bucket; + + fflush(0); + + for (bucket = 0; bucket < ALLOC_BUCKETS; bucket++) + for (i = 0; i < TRK_cnt[bucket]; i++) + if (TRK[bucket][i].ptr) + WARN("ALLOC: Memory never freed, created in %s (%s:%u)", + TRK[bucket][i].func, TRK[bucket][i].file, TRK[bucket][i].line); + +} + + +/* Simple wrappers for non-debugging functions: */ + +static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func, + u32 line) { + + void* ret = DFL_ck_alloc(size); + TRK_alloc_buf(ret, file, func, line); + return ret; + +} + + +static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file, + const char* func, u32 line) { + + void* ret = DFL_ck_realloc(orig, size); + TRK_free_buf(orig, file, func, line); + TRK_alloc_buf(ret, file, func, line); + return ret; + +} + + +static inline void* TRK_ck_realloc_kb(void* orig, u32 size, const char* file, + const char* func, u32 line) { + + void* ret = DFL_ck_realloc_kb(orig, size); + TRK_free_buf(orig, file, func, line); + TRK_alloc_buf(ret, file, func, line); + return ret; + +} + + +static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func, + u32 line) { + + void* ret = DFL_ck_strdup(str); + TRK_alloc_buf(ret, file, func, line); + return ret; + +} + + +static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file, + const char* func, u32 line) { + + void* ret = DFL_ck_memdup(mem, size); + TRK_alloc_buf(ret, file, func, line); + return ret; + +} + + +static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file, + const char* func, u32 line) { + + void* ret = DFL_ck_memdup_str(mem, size); + TRK_alloc_buf(ret, file, func, line); + return ret; + +} + + +static inline void TRK_ck_free(void* ptr, const char* file, + const char* func, u32 line) { + + TRK_free_buf(ptr, file, func, line); + DFL_ck_free(ptr); + +} + +/* Alias user-facing names to tracking functions: */ + +#define ck_alloc(_p1) \ + TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) + +#define ck_realloc(_p1, _p2) \ + TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) + +#define ck_realloc_kb(_p1, _p2) \ + TRK_ck_realloc_kb(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) + +#define ck_strdup(_p1) \ + TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__) + +#define ck_memdup(_p1, _p2) \ + TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) + +#define ck_memdup_str(_p1, _p2) \ + TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) + +#define ck_free(_p1) \ + TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__) + +#endif /* ^!DEBUG_BUILD */ + +#define alloc_printf(_str...) ({ \ + u8* _tmp; \ + s32 _len = snprintf(NULL, 0, _str); \ + if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ + _tmp = ck_alloc(_len + 1); \ + snprintf((char*)_tmp, _len + 1, _str); \ + _tmp; \ + }) + +#endif /* ! _HAVE_ALLOC_INL_H */ diff --git a/docker/p0f/api.c b/docker/p0f/api.c new file mode 100644 index 00000000..f4bbfb55 --- /dev/null +++ b/docker/p0f/api.c @@ -0,0 +1,106 @@ +/* + p0f - API query code + -------------------- + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#define _FROM_API + +#include +#include +#include + +#include "types.h" +#include "config.h" +#include "debug.h" +#include "alloc-inl.h" +#include "p0f.h" +#include "api.h" +#include "process.h" +#include "readfp.h" + +/* Process API queries. */ + +void handle_query(struct p0f_api_query* q, struct p0f_api_response* r) { + + struct host_data* h; + + memset(r, 0, sizeof(struct p0f_api_response)); + + r->magic = P0F_RESP_MAGIC; + + if (q->magic != P0F_QUERY_MAGIC) { + + WARN("Query with bad magic (0x%x).", q->magic); + + r->status = P0F_STATUS_BADQUERY; + + return; + + } + + switch (q->addr_type) { + + case P0F_ADDR_IPV4: + case P0F_ADDR_IPV6: + h = lookup_host(q->addr, q->addr_type); + break; + + default: + + WARN("Query with unknown address type %u.\n", q->addr_type); + r->status = P0F_STATUS_BADQUERY; + return; + + } + + if (!h) { + r->status = P0F_STATUS_NOMATCH; + return; + } + + r->status = P0F_STATUS_OK; + r->first_seen = h->first_seen; + r->last_seen = h->last_seen; + r->total_conn = h->total_conn; + + if (h->last_name_id != -1) { + + strncpy((char*)r->os_name, (char*)fp_os_names[h->last_name_id], + P0F_STR_MAX + 1); + + if (h->last_flavor) + strncpy((char*)r->os_flavor, (char*)h->last_flavor, P0F_STR_MAX + 1); + + } + + if (h->http_name_id != -1) { + + strncpy((char*)r->http_name, (char*)fp_os_names[h->http_name_id], + P0F_STR_MAX + 1); + + if (h->http_flavor) + strncpy((char*)r->http_flavor, (char*)h->http_flavor, P0F_STR_MAX + 1); + + } + + if (h->link_type) + strncpy((char*)r->link_type, (char*)h->link_type, P0F_STR_MAX + 1); + + if (h->language) + strncpy((char*)r->language, (char*)h->language, P0F_STR_MAX + 1); + + r->bad_sw = h->bad_sw; + r->last_nat = h->last_nat; + r->last_chg = h->last_chg; + r->up_mod_days = h->up_mod_days; + r->distance = h->distance; + r->os_match_q = h->last_quality; + + if (h->last_up_min != -1) r->uptime_min = h->last_up_min; + +} diff --git a/docker/p0f/api.h b/docker/p0f/api.h new file mode 100644 index 00000000..5d537f55 --- /dev/null +++ b/docker/p0f/api.h @@ -0,0 +1,79 @@ +/* + p0f - API query code + -------------------- + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#ifndef _HAVE_API_H +#define _HAVE_API_H + +#include "types.h" + +#define P0F_QUERY_MAGIC 0x50304601 +#define P0F_RESP_MAGIC 0x50304602 + +#define P0F_STATUS_BADQUERY 0x00 +#define P0F_STATUS_OK 0x10 +#define P0F_STATUS_NOMATCH 0x20 + +#define P0F_ADDR_IPV4 0x04 +#define P0F_ADDR_IPV6 0x06 + +#define P0F_STR_MAX 31 + +#define P0F_MATCH_FUZZY 0x01 +#define P0F_MATCH_GENERIC 0x02 + +/* Keep these structures aligned to avoid architecture-specific padding. */ + +struct p0f_api_query { + + u32 magic; /* Must be P0F_QUERY_MAGIC */ + u8 addr_type; /* P0F_ADDR_* */ + u8 addr[16]; /* IP address (big endian left align) */ + +} __attribute__((packed)); + +struct p0f_api_response { + + u32 magic; /* Must be P0F_RESP_MAGIC */ + u32 status; /* P0F_STATUS_* */ + + u32 first_seen; /* First seen (unix time) */ + u32 last_seen; /* Last seen (unix time) */ + u32 total_conn; /* Total connections seen */ + + u32 uptime_min; /* Last uptime (minutes) */ + u32 up_mod_days; /* Uptime modulo (days) */ + + u32 last_nat; /* NAT / LB last detected (unix time) */ + u32 last_chg; /* OS chg last detected (unix time) */ + + s16 distance; /* System distance */ + + u8 bad_sw; /* Host is lying about U-A / Server */ + u8 os_match_q; /* Match quality */ + + u8 os_name[P0F_STR_MAX + 1]; /* Name of detected OS */ + u8 os_flavor[P0F_STR_MAX + 1]; /* Flavor of detected OS */ + + u8 http_name[P0F_STR_MAX + 1]; /* Name of detected HTTP app */ + u8 http_flavor[P0F_STR_MAX + 1]; /* Flavor of detected HTTP app */ + + u8 link_type[P0F_STR_MAX + 1]; /* Link type */ + + u8 language[P0F_STR_MAX + 1]; /* Language */ + +} __attribute__((packed)); + +#ifdef _FROM_P0F + +void handle_query(struct p0f_api_query* q, struct p0f_api_response* r); + +#endif /* _FROM_API */ + +#endif /* !_HAVE_API_H */ diff --git a/docker/p0f/build.sh b/docker/p0f/build.sh new file mode 100755 index 00000000..6eed574a --- /dev/null +++ b/docker/p0f/build.sh @@ -0,0 +1,357 @@ +#!/bin/bash +# +# p0f - build script +# ------------------ +# +# Copyright (C) 2012 by Michal Zalewski +# +# Distributed under the terms and conditions of GNU LGPL. +# + +PROGNAME="p0f" +VERSION="3.09b" + +test "$CC" = "" && CC="gcc" + +BASIC_CFLAGS="-Wall -Wno-format -I/usr/local/include/ \ + -I/opt/local/include/ -DVERSION=\"$VERSION\" $CFLAGS" + +BASIC_LDFLAGS="-L/usr/local/lib/ -L/opt/local/lib $LDFLAGS" + +USE_CFLAGS="-fstack-protector-all -fPIE -D_FORTIFY_SOURCE=2 -g -ggdb \ + $BASIC_CFLAGS" + +USE_LDFLAGS="-Wl,-z,relro -pie $BASIC_LDFLAGS" + +if [ "$OSTYPE" = "cygwin" ]; then + USE_LIBS="-lwpcap $LIBS" +elif [ "$OSTYPE" = "solaris" ]; then + USE_LIBS="-lsocket -lnsl $LIBS" +else + USE_LIBS="-lpcap -ljansson $LIBS" +fi + +OBJFILES="api.c process.c fp_tcp.c fp_mtu.c fp_http.c readfp.c" + +echo "Welcome to the build script for $PROGNAME $VERSION!" +echo "Copyright (C) 2012 by Michal Zalewski " +echo + +if [ "$#" -gt "1" ]; then + + echo "[-] Please specify one build target at a time." + exit 1 + +fi + +if [ "$1" = "clean" -o "$1" = "publish" ]; then + + echo "[*] Cleaning up build environment..." + rm -f -- "$PROGNAME" *.exe *.o a.out *~ core core.[1-9][0-9]* *.stackdump COMPILER-WARNINGS 2>/dev/null + + ( cd tools && make clean ) &>/dev/null + + if [ "$1" = "publish" ]; then + + if [ ! "`basename -- \"$PWD\"`" = "$PROGNAME" ]; then + echo "[-] Invalid working directory." + exit 1 + fi + + if [ ! "$HOSTNAME" = "raccoon" ]; then + echo "[-] You are not my real dad!" + exit 1 + fi + + TARGET="/var/www/lcamtuf/p0f3/$PROGNAME-devel.tgz" + + echo "[*] Creating $TARGET..." + + cd .. + rm -rf "$PROGNAME-$VERSION" + cp -pr "$PROGNAME" "$PROGNAME-$VERSION" + tar cfvz "$TARGET" "$PROGNAME-$VERSION" + + fi + + echo "[+] All done!" + + exit 0 + +elif [ "$1" = "all" -o "$1" = "" ]; then + + echo "[+] Configuring production build." + BASIC_CFLAGS="$BASIC_CFLAGS -O3" + USE_CFLAGS="$USE_CFLAGS -O3" + +elif [ "$1" = "debug" ]; then + + echo "[+] Configuring debug build." + BASIC_CFLAGS="$BASIC_CFLAGS -DDEBUG_BUILD=1" + USE_CFLAGS="$USE_CFLAGS -DDEBUG_BUILD=1" + +else + + echo "[-] Unrecognized build target '$1', sorry." + exit 1 + +fi + +rm -f COMPILER-WARNINGS 2>/dev/null + +echo -n "[*] Checking for a sane build environment... " + +if ls -ld ./ | grep -q '^d.......w'; then + + echo "FAIL (bad permissions)" + echo + echo "Duuude, don't build stuff in world-writable directories." + echo + exit 1 + +fi + +TMP=".build-$$" + +rm -f "$TMP" 2>/dev/null + +if [ -f "$TMP" ]; then + + echo "FAIL (can't delete)" + echo + echo "Check directory permissions and try again." + echo + exit 1 + +fi + +touch "$TMP" 2>/dev/null + +if [ ! -f "$TMP" ]; then + + echo "FAIL (can't create)" + echo + echo "Check directory permissions and try again." + echo + exit 1 + +fi + +if [ ! -s "$PROGNAME.c" ]; then + + echo "FAIL (no source)" + echo + echo "I'm no doctor, but I think the source code is missing from CWD." + echo + exit 1 + +fi + +echo "OK" + +echo -n "[*] Checking for working GCC... " + +rm -f "$TMP" || exit 1 + +echo "int main() { return 0; }" >"$TMP.c" || exit 1 +$CC $BASIC_CFLAGS $BASIC_LDFLAGS "$TMP.c" -o "$TMP" &>"$TMP.log" + +if [ ! -x "$TMP" ]; then + + echo "FAIL" + echo + echo "Your compiler can't produce working binaries. You need a functioning install of" + echo "GCC and libc (including development headers) to continue. If you have these," + echo "try setting CC, CFLAGS, and LDFLAGS appropriately." + echo + echo "Output from an attempt to execute GCC:" + cat "$TMP.log" | head -10 + echo + rm -f "$TMP" "$TMP.log" "$TMP.c" + exit 1 + +fi + +echo "OK" + +echo -n "[*] Checking for *modern* GCC... " + +rm -f "$TMP" "$TMP.c" "$TMP.log" || exit 1 + +echo "int main() { return 0; }" >"$TMP.c" || exit 1 +$CC $USE_CFLAGS $USE_LDFLAGS "$TMP.c" -o "$TMP" &>"$TMP.log" + +if [ ! -x "$TMP" ]; then + + echo "FAIL (but we can live with it)" + USE_CFLAGS="$BASIC_CFLAGS" + USE_LDFLAGS="$BASIC_LDFLAGS" + +else + + echo "OK" + +fi + +echo -n "[*] Checking if memory alignment is required... " + +rm -f "$TMP" "$TMP.c" "$TMP.log" || exit 1 + +echo -e "#include \"types.h\"\nvolatile u8 tmp[6]; int main() { printf(\"%d\x5cn\", *(u32*)(tmp+1)); return 0; }" >"$TMP.c" || exit 1 +$CC $USE_CFLAGS $USE_LDFLAGS "$TMP.c" -o "$TMP" &>"$TMP.log" + +if [ ! -x "$TMP" ]; then + + echo "FAIL" + echo + echo "Well, something went horribly wrong, sorry. Here's the output from GCC:" + echo + cat "$TMP.log" + echo + echo "Sorry! You may want to ping about this." + echo + rm -f "$TMP.log" + exit 1 + +else + + ulimit -c 0 &>/dev/null + ./"$TMP" &>/dev/null + + if [ "$?" = "0" ]; then + + echo "nope" + + else + + echo "yes" + USE_CFLAGS="$USE_CFLAGS -DALIGN_ACCESS=1" + + fi + +fi + + +echo -n "[*] Checking for working libpcap... " + +rm -f "$TMP" "$TMP.c" "$TMP.log" || exit 1 + +echo -e "#include \nint main() { char i[PCAP_ERRBUF_SIZE]; pcap_lookupdev(i); return 0; }" >"$TMP.c" || exit 1 +$CC $USE_CFLAGS $USE_LDFLAGS "$TMP.c" -o "$TMP" $USE_LIBS &>"$TMP.log" + +if [ ! -x "$TMP" ]; then + echo "FAIL" + echo + + if [ "$OSTYPE" = "cygwin" ]; then + + echo "You need a functioning install of winpcap. Download both of those:" + echo + echo " Main library : http://www.winpcap.org/install/default.htm" + echo " Developer tools : http://www.winpcap.org/devel.htm" + echo + echo "Under cygwin, copy the contents of wpdpack/include to /usr/include/, and" + echo "wpdpack/lib to /lib/. At that point, you should be able to build p0f." + echo + + else + + echo "You need a functioning installation of libpcap (including development headers)." + echo "You can download it from here:" + echo + echo " http://www.tcpdump.org/#latest-release" + echo + + fi + + echo "If you have the library installed at an unorthodox location, try setting CFLAGS" + echo "and LDFLAGS to point us in the right direction." + echo + echo "Output from an attempt to compile sample program:" + cat "$TMP.log" | head -10 + echo + rm -f "$TMP" "$TMP.log" "$TMP.c" + exit 1 + +fi + +echo "OK" + +echo -n "[*] Checking for working BPF... " + +rm -f "$TMP" "$TMP.c" "$TMP.log" || exit 1 + +echo -e "#include \n#include \nint main() { return 0; }" >"$TMP.c" || exit 1 +$CC $USE_CFLAGS $USE_LDFLAGS "$TMP.c" -o "$TMP" $USE_LIBS &>"$TMP.log" + +if [ ! -x "$TMP" ]; then + + rm -f "$TMP" "$TMP.c" "$TMP.log" || exit 1 + + echo -e "#include \n#include \nint main() { return 0; }" >"$TMP.c" || exit 1 + $CC $USE_CFLAGS $USE_LDFLAGS "$TMP.c" -o "$TMP" $USE_LIBS &>"$TMP.log" + + if [ ! -x "$TMP" ]; then + echo "FAIL" + echo + echo "Could not find a working version of pcap-bpf.h or net/bpf.h on your system." + echo "If it's available in a non-standard directory, set CFLAGS accordingly; if it" + echo "lives under a different name, you may need to edit the source and recompile." + echo + + rm -f "$TMP" "$TMP.log" "$TMP.c" + exit 1 + + fi + + USE_CFLAGS="$USE_CFLAGS -DNET_BPF=1" + +fi + +echo "OK" + +rm -f "$TMP" "$TMP.log" "$TMP.c" || exit 1 + +echo "[+] Okay, you seem to be good to go. Fingers crossed!" + +echo -n "[*] Compiling $PROGNAME... " + +rm -f "$PROGNAME" || exit 1 + +$CC $USE_CFLAGS $USE_LDFLAGS "$PROGNAME.c" $OBJFILES -o "$PROGNAME" $USE_LIBS &>"$TMP.log" + +if [ ! -x "$PROGNAME" ]; then + + echo "FAIL" + echo + echo "Well, something went horribly wrong, sorry. Here's the output from GCC:" + echo + cat "$TMP.log" + echo + echo "Sorry! You may want to ping about this." + echo + rm -f "$TMP.log" + exit 1 + +fi + +if [ -s "$TMP.log" ]; then + + echo "OK (see COMPILER-WARNINGS)" + mv "$TMP.log" COMPILER-WARNINGS + + test "$1" = "debug" && cat COMPILER-WARNINGS + +else + + rm -f "$TMP.log" + echo "OK" + +fi + +echo +echo "Well, that's it. Be sure to review README. If you run into any problems, you" +echo "can reach the author at ." +echo + +exit 0 diff --git a/docker/p0f/config.h b/docker/p0f/config.h new file mode 100644 index 00000000..3408dd10 --- /dev/null +++ b/docker/p0f/config.h @@ -0,0 +1,271 @@ +/* + p0f - vaguely configurable bits + ------------------------------- + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#ifndef _HAVE_CONFIG_H +#define _HAVE_CONFIG_H + +#include "types.h" + +/******************************************** + * Things you may reasonably want to change * + ********************************************/ + +/* Default location of p0f.fp: */ + +#ifndef FP_FILE +# define FP_FILE "p0f.fp" +#endif /* !FP_FILE */ + +/* Initial permissions on log files: */ + +#ifndef LOG_MODE +# define LOG_MODE 0600 +#endif /* !LOG_MODE */ + +/* Initial permissions on API sockets: */ + +#ifndef API_MODE +# define API_MODE 0666 +#endif /* !API_MODE */ + +/* Default connection and host cache sizes (adjustable via -m): */ + +#ifndef MAX_HOSTS +# define MAX_CONN 1000 +# define MAX_HOSTS 10000 +#endif /* !MAX_HOSTS */ + +/* Default connection and host time limits (adjustable via -t): */ + +#ifndef HOST_IDLE_LIMIT +# define CONN_MAX_AGE 30 /* seconds */ +# define HOST_IDLE_LIMIT 120 /* minutes */ +#endif /* !HOST_IDLE_LIMIT */ + +/* Default number of API connections permitted (adjustable via -c): */ + +#ifndef API_MAX_CONN +# define API_MAX_CONN 20 +#endif /* !API_MAX_CONN */ + +/* Maximum TTL distance for non-fuzzy signature matching: */ + +#ifndef MAX_DIST +# define MAX_DIST 35 +#endif /* !MAX_DIST */ + +/* Detect use-after-free, at the expense of some performance cost: */ + +#define CHECK_UAF 1 + +/************************ + * Really obscure stuff * + ************************/ + +/* Maximum allocator request size (keep well under INT_MAX): */ + +#define MAX_ALLOC 0x40000000 + +/* Percentage of host entries / flows to prune when limits exceeded: */ + +#define KILL_PERCENT 10 + +/* PCAP snapshot length: */ + +#define SNAPLEN 65535 + +/* Maximum request, response size to keep per flow: */ + +#define MAX_FLOW_DATA 8192 + +/* Maximum number of TCP options we will process (< 256): */ + +#define MAX_TCP_OPT 24 + +/* Minimum and maximum frequency for timestamp clock (Hz). Note that RFC + 1323 permits 1 - 1000 Hz . At 1000 Hz, the 32-bit counter overflows + after about 50 days. */ + +#define MIN_TSCALE 0.7 +#define MAX_TSCALE 1500 + +/* Minimum and maximum interval (ms) for measuring timestamp progrssion. This + is used to make sure the timestamps are fresh enough to be of any value, + and that the measurement is not affected by network performance too + severely. */ + +#define MIN_TWAIT 25 +#define MAX_TWAIT (1000 * 60 * 10) + +/* Time window in which to tolerate timestamps going back slightly or + otherwise misbehaving during NAT checks (ms): */ + +#define TSTAMP_GRACE 100 + +/* Maximum interval between packets used for TS-based NAT checks (ms): */ + +#define MAX_NAT_TS (1000 * 60 * 60 * 24) + +/* Minimum port drop to serve as a NAT detection signal: */ + +#define MIN_PORT_DROP 64 + +/* Threshold before letting NAT detection make a big deal out of TTL change + for remote hosts (this is to account for peering changes): */ + +#define SMALL_TTL_CHG 2 + +/* The distance up to which the system is considered to be local, and therefore + the SMALL_TTL_CHG threshold should not be taken account: */ + +#define LOCAL_TTL_LIMIT 5 + +/* The distance past which the system is considered to be really distant, + and therefore, changes within SMALL_TTL_CHG should be completely ignored: */ + +#define NEAR_TTL_LIMIT 9 + +/* Number of packet scores to keep for NAT detection (< 256): */ + +#define NAT_SCORES 32 + +/* Number of hash buckets for p0f.fp signatures: */ + +#define SIG_BUCKETS 64 + +/* Number of hash buckets for active connections: */ + +#define FLOW_BUCKETS 256 + +/* Number of hash buckets for host data: */ + +#define HOST_BUCKETS 1024 + +/* Cache expiration interval (every n packets received): */ + +#define EXPIRE_INTERVAL 50 + +/* Non-alphanumeric chars to permit in OS names. This is to allow 'sys' syntax + to be used unambiguously, yet allow some freedom: */ + +#define NAME_CHARS " ./-_!?()" + +/* Special window size and MSS used by p0f-sendsyn, and detected by p0f: */ + +#define SPECIAL_MSS 1331 +#define SPECIAL_WIN 1337 + +/* Maximum length of an HTTP URL line we're willing to entertain. The same + limit is also used for the first line of a response: */ + +#define HTTP_MAX_URL 1024 + +/* Maximum number of HTTP headers: */ + +#define HTTP_MAX_HDRS 32 + +/* Maximum length of a header name: */ + +#define HTTP_MAX_HDR_NAME 32 + +/* Maximum length of a header value: */ + +#define HTTP_MAX_HDR_VAL 1024 + +/* Maximum length of a header value for display purposes: */ + +#define HTTP_MAX_SHOW 200 + +/* Maximum HTTP 'Date' progression jitter to overlook (s): */ + +#define HTTP_MAX_DATE_DIFF 10 + +#ifdef _FROM_FP_HTTP + +#include "fp_http.h" + +/* Headers that should be tagged as optional by the HTTP fingerprinter in any + generated signatures: */ + +static struct http_id req_optional[] = { + { "Cookie", 0 }, + { "Referer", 0 }, + { "Origin", 0 }, + { "Range", 0 }, + { "If-Modified-Since", 0 }, + { "If-None-Match", 0 }, + { "Via", 0 }, + { "X-Forwarded-For", 0 }, + { "Authorization", 0 }, + { "Proxy-Authorization", 0 }, + { "Cache-Control", 0 }, + { 0, 0 } +}; + +static struct http_id resp_optional[] = { + { "Set-Cookie", 0 }, + { "Last-Modified", 0 }, + { "ETag", 0 }, + { "Content-Length", 0 }, + { "Content-Disposition", 0 }, + { "Cache-Control", 0 }, + { "Expires", 0 }, + { "Pragma", 0 }, + { "Location", 0 }, + { "Refresh", 0 }, + { "Content-Range", 0 }, + { "Vary", 0 }, + { 0, 0 } +}; + +/* Common headers that are expected to be present at all times, and deserve + a special mention if absent in a signature: */ + +static struct http_id req_common[] = { + { "Host", 0 }, + { "User-Agent", 0 }, + { "Connection", 0 }, + { "Accept", 0 }, + { "Accept-Encoding", 0 }, + { "Accept-Language", 0 }, + { "Accept-Charset", 0 }, + { "Keep-Alive", 0 }, + { 0, 0 } +}; + +static struct http_id resp_common[] = { + { "Content-Type", 0 }, + { "Connection", 0 }, + { "Keep-Alive", 0 }, + { "Accept-Ranges", 0 }, + { "Date", 0 }, + { 0, 0 } +}; + +/* Headers for which values change depending on the context, and therefore + should not be included in proposed signatures. This is on top of the + "optional" header lists, which already implies skipping the value. */ + +static struct http_id req_skipval[] = { + { "Host", 0 }, + { "User-Agent", 0 }, + { 0, 0 } +}; + +static struct http_id resp_skipval[] = { + { "Date", 0 }, + { "Content-Type", 0 }, + { "Server", 0 }, + { 0, 0 } +}; + +#endif /* _FROM_FP_HTTP */ + +#endif /* ! _HAVE_CONFIG_H */ diff --git a/docker/p0f/debug.h b/docker/p0f/debug.h new file mode 100644 index 00000000..0b7da14e --- /dev/null +++ b/docker/p0f/debug.h @@ -0,0 +1,54 @@ +/* + p0f - debug / error handling macros + ----------------------------------- + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#ifndef _HAVE_DEBUG_H +#define _HAVE_DEBUG_H + +#include "types.h" +#include "config.h" + +#ifdef DEBUG_BUILD +# define DEBUG(x...) fprintf(stderr, x) +#else +# define DEBUG(x...) do {} while (0) +#endif /* ^DEBUG_BUILD */ + +#define ERRORF(x...) fprintf(stderr, x) +#define SAYF(x...) printf(x) + +#define WARN(x...) do { \ + ERRORF("[!] WARNING: " x); \ + ERRORF("\n"); \ + } while (0) + +#define FATAL(x...) do { \ + ERRORF("[-] PROGRAM ABORT : " x); \ + ERRORF("\n Location : %s(), %s:%u\n\n", \ + __FUNCTION__, __FILE__, __LINE__); \ + exit(1); \ + } while (0) + +#define ABORT(x...) do { \ + ERRORF("[-] PROGRAM ABORT : " x); \ + ERRORF("\n Location : %s(), %s:%u\n\n", \ + __FUNCTION__, __FILE__, __LINE__); \ + abort(); \ + } while (0) + +#define PFATAL(x...) do { \ + ERRORF("[-] SYSTEM ERROR : " x); \ + ERRORF("\n Location : %s(), %s:%u\n", \ + __FUNCTION__, __FILE__, __LINE__); \ + perror(" OS message "); \ + ERRORF("\n"); \ + exit(1); \ + } while (0) + +#endif /* ! _HAVE_DEBUG_H */ diff --git a/docker/p0f/docs/COPYING b/docker/p0f/docs/COPYING new file mode 100644 index 00000000..4b973132 --- /dev/null +++ b/docker/p0f/docs/COPYING @@ -0,0 +1,498 @@ + + GNU LESSER GENERAL PUBLIC LICENSE + Version 2.1, February 1999 + + Copyright (C) 1991, 1999 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +Licenses are intended to guarantee your freedom to share and change +free software--to make sure the software is free for all its users. + + This license, the Lesser General Public License, applies to some +specially designated software packages--typically libraries--of the +Free Software Foundation and other authors who decide to use it. You +can use it too, but we suggest you first think carefully about whether +this license or the ordinary General Public License is the better +strategy to use in any particular case, based on the explanations below. + + When we speak of free software, we are referring to freedom of use, +not price. Our General Public Licenses are designed to make sure that +you have the freedom to distribute copies of free software (and charge +for this service if you wish); that you receive source code or can get +it if you want it; that you can change the software and use pieces of +it in new free programs; and that you are informed that you can do +these things. + + To protect your rights, we need to make restrictions that forbid +distributors to deny you these rights or to ask you to surrender these +rights. These restrictions translate to certain responsibilities for +you if you distribute copies of the library or if you modify it. + + For example, if you distribute copies of the library, whether gratis +or for a fee, you must give the recipients all the rights that we gave +you. You must make sure that they, too, receive or can get the source +code. If you link other code with the library, you must provide +complete object files to the recipients, so that they can relink them +with the library after making changes to the library and recompiling +it. And you must show them these terms so they know their rights. + + We protect your rights with a two-step method: (1) we copyright the +library, and (2) we offer you this license, which gives you legal +permission to copy, distribute and/or modify the library. + + To protect each distributor, we want to make it very clear that +there is no warranty for the free library. Also, if the library is +modified by someone else and passed on, the recipients should know +that what they have is not the original version, so that the original +author's reputation will not be affected by problems that might be +introduced by others. + + Finally, software patents pose a constant threat to the existence of +any free program. We wish to make sure that a company cannot +effectively restrict the users of a free program by obtaining a +restrictive license from a patent holder. Therefore, we insist that +any patent license obtained for a version of the library must be +consistent with the full freedom of use specified in this license. + + Most GNU software, including some libraries, is covered by the +ordinary GNU General Public License. This license, the GNU Lesser +General Public License, applies to certain designated libraries, and +is quite different from the ordinary General Public License. We use +this license for certain libraries in order to permit linking those +libraries into non-free programs. + + When a program is linked with a library, whether statically or using +a shared library, the combination of the two is legally speaking a +combined work, a derivative of the original library. The ordinary +General Public License therefore permits such linking only if the +entire combination fits its criteria of freedom. The Lesser General +Public License permits more lax criteria for linking other code with +the library. + + We call this license the "Lesser" General Public License because it +does Less to protect the user's freedom than the ordinary General +Public License. It also provides other free software developers Less +of an advantage over competing non-free programs. These disadvantages +are the reason we use the ordinary General Public License for many +libraries. However, the Lesser license provides advantages in certain +special circumstances. + + For example, on rare occasions, there may be a special need to +encourage the widest possible use of a certain library, so that it becomes +a de-facto standard. To achieve this, non-free programs must be +allowed to use the library. A more frequent case is that a free +library does the same job as widely used non-free libraries. In this +case, there is little to gain by limiting the free library to free +software only, so we use the Lesser General Public License. + + In other cases, permission to use a particular library in non-free +programs enables a greater number of people to use a large body of +free software. For example, permission to use the GNU C Library in +non-free programs enables many more people to use the whole GNU +operating system, as well as its variant, the GNU/Linux operating +system. + + Although the Lesser General Public License is Less protective of the +users' freedom, it does ensure that the user of a program that is +linked with the Library has the freedom and the wherewithal to run +that program using a modified version of the Library. + + The precise terms and conditions for copying, distribution and +modification follow. Pay close attention to the difference between a +"work based on the library" and a "work that uses the library". The +former contains code derived from the library, whereas the latter must +be combined with the library in order to run. + + GNU LESSER GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License Agreement applies to any software library or other +program which contains a notice placed by the copyright holder or +other authorized party saying it may be distributed under the terms of +this Lesser General Public License (also called "this License"). +Each licensee is addressed as "you". + + A "library" means a collection of software functions and/or data +prepared so as to be conveniently linked with application programs +(which use some of those functions and data) to form executables. + + The "Library", below, refers to any such software library or work +which has been distributed under these terms. A "work based on the +Library" means either the Library or any derivative work under +copyright law: that is to say, a work containing the Library or a +portion of it, either verbatim or with modifications and/or translated +straightforwardly into another language. (Hereinafter, translation is +included without limitation in the term "modification".) + + "Source code" for a work means the preferred form of the work for +making modifications to it. For a library, complete source code means +all the source code for all modules it contains, plus any associated +interface definition files, plus the scripts used to control compilation +and installation of the library. + + Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running a program using the Library is not restricted, and output from +such a program is covered only if its contents constitute a work based +on the Library (independent of the use of the Library in a tool for +writing it). Whether that is true depends on what the Library does +and what the program that uses the Library does. + + 1. You may copy and distribute verbatim copies of the Library's +complete source code as you receive it, in any medium, provided that +you conspicuously and appropriately publish on each copy an +appropriate copyright notice and disclaimer of warranty; keep intact +all the notices that refer to this License and to the absence of any +warranty; and distribute a copy of this License along with the +Library. + + You may charge a fee for the physical act of transferring a copy, +and you may at your option offer warranty protection in exchange for a +fee. + + 2. You may modify your copy or copies of the Library or any portion +of it, thus forming a work based on the Library, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) The modified work must itself be a software library. + + b) You must cause the files modified to carry prominent notices + stating that you changed the files and the date of any change. + + c) You must cause the whole of the work to be licensed at no + charge to all third parties under the terms of this License. + + d) If a facility in the modified Library refers to a function or a + table of data to be supplied by an application program that uses + the facility, other than as an argument passed when the facility + is invoked, then you must make a good faith effort to ensure that, + in the event an application does not supply such function or + table, the facility still operates, and performs whatever part of + its purpose remains meaningful. + + (For example, a function in a library to compute square roots has + a purpose that is entirely well-defined independent of the + application. Therefore, Subsection 2d requires that any + application-supplied function or table used by this function must + be optional: if the application does not supply it, the square + root function must still compute square roots.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Library, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Library, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote +it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Library. + +In addition, mere aggregation of another work not based on the Library +with the Library (or with a work based on the Library) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may opt to apply the terms of the ordinary GNU General Public +License instead of this License to a given copy of the Library. To do +this, you must alter all the notices that refer to this License, so +that they refer to the ordinary GNU General Public License, version 2, +instead of to this License. (If a newer version than version 2 of the +ordinary GNU General Public License has appeared, then you can specify +that version instead if you wish.) Do not make any other change in +these notices. + + Once this change is made in a given copy, it is irreversible for +that copy, so the ordinary GNU General Public License applies to all +subsequent copies and derivative works made from that copy. + + This option is useful when you wish to copy part of the code of +the Library into a program that is not a library. + + 4. You may copy and distribute the Library (or a portion or +derivative of it, under Section 2) in object code or executable form +under the terms of Sections 1 and 2 above provided that you accompany +it with the complete corresponding machine-readable source code, which +must be distributed under the terms of Sections 1 and 2 above on a +medium customarily used for software interchange. + + If distribution of object code is made by offering access to copy +from a designated place, then offering equivalent access to copy the +source code from the same place satisfies the requirement to +distribute the source code, even though third parties are not +compelled to copy the source along with the object code. + + 5. A program that contains no derivative of any portion of the +Library, but is designed to work with the Library by being compiled or +linked with it, is called a "work that uses the Library". Such a +work, in isolation, is not a derivative work of the Library, and +therefore falls outside the scope of this License. + + However, linking a "work that uses the Library" with the Library +creates an executable that is a derivative of the Library (because it +contains portions of the Library), rather than a "work that uses the +library". The executable is therefore covered by this License. +Section 6 states terms for distribution of such executables. + + When a "work that uses the Library" uses material from a header file +that is part of the Library, the object code for the work may be a +derivative work of the Library even though the source code is not. +Whether this is true is especially significant if the work can be +linked without the Library, or if the work is itself a library. The +threshold for this to be true is not precisely defined by law. + + If such an object file uses only numerical parameters, data +structure layouts and accessors, and small macros and small inline +functions (ten lines or less in length), then the use of the object +file is unrestricted, regardless of whether it is legally a derivative +work. (Executables containing this object code plus portions of the +Library will still fall under Section 6.) + + Otherwise, if the work is a derivative of the Library, you may +distribute the object code for the work under the terms of Section 6. +Any executables containing that work also fall under Section 6, +whether or not they are linked directly with the Library itself. + + 6. As an exception to the Sections above, you may also combine or +link a "work that uses the Library" with the Library to produce a +work containing portions of the Library, and distribute that work +under terms of your choice, provided that the terms permit +modification of the work for the customer's own use and reverse +engineering for debugging such modifications. + + You must give prominent notice with each copy of the work that the +Library is used in it and that the Library and its use are covered by +this License. You must supply a copy of this License. If the work +during execution displays copyright notices, you must include the +copyright notice for the Library among them, as well as a reference +directing the user to the copy of this License. Also, you must do one +of these things: + + a) Accompany the work with the complete corresponding + machine-readable source code for the Library including whatever + changes were used in the work (which must be distributed under + Sections 1 and 2 above); and, if the work is an executable linked + with the Library, with the complete machine-readable "work that + uses the Library", as object code and/or source code, so that the + user can modify the Library and then relink to produce a modified + executable containing the modified Library. (It is understood + that the user who changes the contents of definitions files in the + Library will not necessarily be able to recompile the application + to use the modified definitions.) + + b) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (1) uses at run time a + copy of the library already present on the user's computer system, + rather than copying library functions into the executable, and (2) + will operate properly with a modified version of the library, if + the user installs one, as long as the modified version is + interface-compatible with the version that the work was made with. + + c) Accompany the work with a written offer, valid for at + least three years, to give the same user the materials + specified in Subsection 6a, above, for a charge no more + than the cost of performing this distribution. + + d) If distribution of the work is made by offering access to copy + from a designated place, offer equivalent access to copy the above + specified materials from the same place. + + e) Verify that the user has already received a copy of these + materials or that you have already sent this user a copy. + + For an executable, the required form of the "work that uses the +Library" must include any data and utility programs needed for +reproducing the executable from it. However, as a special exception, +the materials to be distributed need not include anything that is +normally distributed (in either source or binary form) with the major +components (compiler, kernel, and so on) of the operating system on +which the executable runs, unless that component itself accompanies +the executable. + + It may happen that this requirement contradicts the license +restrictions of other proprietary libraries that do not normally +accompany the operating system. Such a contradiction means you cannot +use both them and the Library together in an executable that you +distribute. + + 7. You may place library facilities that are a work based on the +Library side-by-side in a single library together with other library +facilities not covered by this License, and distribute such a combined +library, provided that the separate distribution of the work based on +the Library and of the other library facilities is otherwise +permitted, and provided that you do these two things: + + a) Accompany the combined library with a copy of the same work + based on the Library, uncombined with any other library + facilities. This must be distributed under the terms of the + Sections above. + + b) Give prominent notice with the combined library of the fact + that part of it is a work based on the Library, and explaining + where to find the accompanying uncombined form of the same work. + + 8. You may not copy, modify, sublicense, link with, or distribute +the Library except as expressly provided under this License. Any +attempt otherwise to copy, modify, sublicense, link with, or +distribute the Library is void, and will automatically terminate your +rights under this License. However, parties who have received copies, +or rights, from you under this License will not have their licenses +terminated so long as such parties remain in full compliance. + + 9. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Library or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Library (or any work based on the +Library), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Library or works based on it. + + 10. Each time you redistribute the Library (or any work based on the +Library), the recipient automatically receives a license from the +original licensor to copy, distribute, link with or modify the Library +subject to these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties with +this License. + + 11. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Library at all. For example, if a patent +license would not permit royalty-free redistribution of the Library by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Library. + +If any portion of this section is held invalid or unenforceable under any +particular circumstance, the balance of the section is intended to apply, +and the section as a whole is intended to apply in other circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 12. If the distribution and/or use of the Library is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Library under this License may add +an explicit geographical distribution limitation excluding those countries, +so that distribution is permitted only in or among countries not thus +excluded. In such case, this License incorporates the limitation as if +written in the body of this License. + + 13. The Free Software Foundation may publish revised and/or new +versions of the Lesser General Public License from time to time. +Such new versions will be similar in spirit to the present version, +but may differ in detail to address new problems or concerns. + +Each version is given a distinguishing version number. If the Library +specifies a version number of this License which applies to it and +"any later version", you have the option of following the terms and +conditions either of that version or of any later version published by +the Free Software Foundation. If the Library does not specify a +license version number, you may choose any version ever published by +the Free Software Foundation. + + 14. If you wish to incorporate parts of the Library into other free +programs whose distribution conditions are incompatible with these, +write to the author to ask for permission. For software which is +copyrighted by the Free Software Foundation, write to the Free +Software Foundation; we sometimes make exceptions for this. Our +decision will be guided by the two goals of preserving the free status +of all derivatives of our free software and of promoting the sharing +and reuse of software generally. + + NO WARRANTY + + 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO +WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. +EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR +OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY +KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE +LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME +THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN +WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY +AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU +FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR +CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE +LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING +RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A +FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF +SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH +DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Libraries + + If you develop a new library, and you want it to be of the greatest +possible use to the public, we recommend making it free software that +everyone can redistribute and change. You can do so by permitting +redistribution under these terms (or, alternatively, under the terms of the +ordinary General Public License). + + To apply these terms, attach the following notices to the library. It is +safest to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least the +"copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +Also add information on how to contact you by electronic and paper mail. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the library, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the + library `Frob' (a library for tweaking knobs) written by James Random Hacker. + + , 1 April 1990 + Ty Coon, President of Vice + diff --git a/docker/p0f/docs/ChangeLog b/docker/p0f/docs/ChangeLog new file mode 100644 index 00000000..db0f358a --- /dev/null +++ b/docker/p0f/docs/ChangeLog @@ -0,0 +1,128 @@ +Version 3.09b: +-------------- + + - Fixed a likely only cosmetic bug with a one-byte overread of the pcap + packet buffer, which would cause an error under ASAN. Spotted by + Xavid Pretzer. + + - Added a new signature for Chrome. + + - Updated another signature for Chrome. + +Version 3.08b: +-------------- + + - An awful fix for a packet loss bug (probably kernel or libpcap-related) + with some VMs. + + - Improvement to avoid warnings with -r. + +Version 3.07b: +-------------- + +Bug fixes: + + - Improvement to API handling to avoid FATAL() on short API reads & writes. + + - Minor bug fix to IP parsing in one of the companion utilities. + +Improvements: + + - New signatures. + +Version 3.06b: +-------------- + +Bug fixes: + + - Made os_match_q actually functional in api.c (thanks to Anthony Howe). + + - Fixed api.c struct packing issue (thanks to Tomoyuki Murakami). + + - Improved logic around the vlan behavior (thanks to Anthony Howe). + +Version 3.05b: +-------------- + +Bug fixes: + + - Cleaned up hash.h to avoid pointless OOB reads, alignment issues. + + - Fixed divide-by-zero in MSS calculations + +Version 3.04b: +-------------- + +Bug fixes: + + - Fixed a realloc bug (not normally triggered in p0f) + +Version 3.03b: +-------------- + +Bug fixes: + + - Potential NULL ptr in p0f-client on some 64-bit systems. + +Version 3.02b: +-------------- + +Bug fixes: + + - Cygwin compile issue fixed. + +Improvements: + + - New signatures. + +Version 3.01b (2012-01-17): +--------------------------- + +Bug fixes: + + - 'Date' comparisons for server sigs now work as expected. + + - Bad TS reading now allowed on initial SYN (improves uptime detection). + +Improvements: + + - New signatures. + + - Solaris support (in theory). + +Version 3.00b (2012-01-17): +--------------------------- + +Bug fixes: + + - Alignment-related SIGBUS non-x86 fixed. + + - Cache expiration algorithm now works as expected. + + - p0f -L no longer leads to NULL ptr when no interfaces visible. + + - Greppable output format no longer mixes up cli and srv fields. + + - Added '|' to banned characters in reported header values. + +Improvements: + + - Multiple new HTTP and TCP signatures. + + - Improved MSS/MTU matching to account for peer MTU. + + - New HTTP fingerprinting logic with optional headers (? prefix). + + - Memory leak detection added (but nothing found). + + - API now indicates the value of 'generic' / 'fuzzy' fields and several + other parameters. + + - General style improvements. + + - Delay added to p0f-sendsyn to aid with packet ordering. + +Version 3.00-rc0 (2012-01-10): +------------------------------ + + - Initial public release, complete rewrite. diff --git a/docker/p0f/docs/README b/docker/p0f/docs/README new file mode 100644 index 00000000..2ed40677 --- /dev/null +++ b/docker/p0f/docs/README @@ -0,0 +1,916 @@ + ============================= + p0f v3: passive fingerprinter + ============================= + + http://lcamtuf.coredump.cx/p0f3.shtml + + Copyright (C) 2012 by Michal Zalewski + + +--------------- +1. What's this? +--------------- + +P0f is a tool that utilizes an array of sophisticated, purely passive traffic +fingerprinting mechanisms to identify the players behind any incidental TCP/IP +communications (often as little as a single normal SYN) without interfering in +any way. + +Some of its capabilities include: + + - Highly scalable and extremely fast identification of the operating system + and software on both endpoints of a vanilla TCP connection - especially in + settings where NMap probes are blocked, too slow, unreliable, or would + simply set off alarms, + + - Measurement of system uptime and network hookup, distance (including + topology behind NAT or packet filters), and so on. + + - Automated detection of connection sharing / NAT, load balancing, and + application-level proxying setups. + + - Detection of dishonest clients / servers that forge declarative statements + such as X-Mailer or User-Agent. + +The tool can be operated in the foreground or as a daemon, and offers a simple +real-time API for third-party components that wish to obtain additional +information about the actors they are talking to. + +Common uses for p0f include reconnaissance during penetration tests; routine +network monitoring; detection of unauthorized network interconnects in corporate +environments; providing signals for abuse-prevention tools; and miscellanous +forensics. + +A snippet of typical p0f output may look like this: + +.-[ 1.2.3.4/1524 -> 4.3.2.1/80 (syn) ]- +| +| client = 1.2.3.4 +| os = Windows XP +| dist = 8 +| params = none +| raw_sig = 4:120+8:0:1452:65535,0:mss,nop,nop,sok:df,id+:0 +| +`---- + +.-[ 1.2.3.4/1524 -> 4.3.2.1/80 (syn+ack) ]- +| +| server = 4.3.2.1 +| os = Linux 3.x +| dist = 0 +| params = none +| raw_sig = 4:64+0:0:1460:mss*10,0:mss,nop,nop,sok:df:0 +| +`---- + +.-[ 1.2.3.4/1524 -> 4.3.2.1/80 (mtu) ]- +| +| client = 1.2.3.4 +| link = DSL +| raw_mtu = 1492 +| +`---- + +.-[ 1.2.3.4/1524 -> 4.3.2.1/80 (uptime) ]- +| +| client = 1.2.3.4 +| uptime = 0 days 11 hrs 16 min (modulo 198 days) +| raw_freq = 250.00 Hz +| +`---- + +A live demonstration can be seen here: + +http://lcamtuf.coredump.cx/p0f3/ + +-------------------- +2. How does it work? +-------------------- + +A vast majority of metrics used by p0f were invented specifically for this tool, +and include data extracted from IPv4 and IPv6 headers, TCP headers, the dynamics +of the TCP handshake, and the contents of application-level payloads. + +For TCP/IP, the tool fingerprints the client-originating SYN packet and the +first SYN+ACK response from the server, paying attention to factors such as the +ordering of TCP options, the relation between maximum segment size and window +size, the progression of TCP timestamps, and the state of about a dozen possible +implementation quirks (e.g. non-zero values in "must be zero" fields). + +The metrics used for application-level traffic vary from one module to another; +where possible, the tool relies on signals such as the ordering or syntax of +HTTP headers or SMTP commands, rather than any declarative statements such as +User-Agent. Application-level fingerprinting modules currently support HTTP. +Before the tool leaves "beta", I want to add SMTP and FTP. Other protocols, +such as FTP, POP3, IMAP, SSH, and SSL, may follow. + +The list of all the measured parameters is reviewed in section 5 later on. +Some of the analysis also happens on a higher level: inconsistencies in the +data collected from various sources, or in the data from the same source +obtained over time, may be indicative of address translation, proxying, or +just plain trickery. For example, a system where TCP timestamps jump back +and forth, or where TTLs and MTUs change subtly, is probably a NAT device. + +------------------------------- +3. How do I compile and use it? +------------------------------- + +To compile p0f, try running './build.sh'; if that fails, you will be probably +given some tips about the probable cause. If the tips are useless, send me a +mean-spirited mail. + +It is also possible to build a debug binary ('./build.sh debug'), in which case, +verbose packet parsing and signature matching information will be written to +stderr. This is useful when troubleshooting problems, but that's about it. + +The tool should compile cleanly under any reasonably new version of Linux, +FreeBSD, OpenBSD, MacOS X, and so forth. You can also builtdit on Windows using +cygwin and winpcap. I have not tested it on all possible varieties of un*x, but +if there are issues, they should be fairly superficial. + +Once you have the binary compiled, you should be aware of the following +command-line options: + + -f fname - reads fingerprint database (p0f.fp) from the specified location. + See section 5 for more information about the contents of this + file. + + The default location is ./p0f.fp. If you want to install p0f, you + may want to change FP_FILE in config.h to /etc/p0f.fp. + + -i iface - asks p0f to listen on a specific network interface. On un*x, you + should reference the interface by name (e.g., eth0). On Windows, + you can use adapter index instead (0, 1, 2...). + + Multiple -i parameters are not supported; you need to run + separate instances of p0f for that. On Linux, you can specify + 'any' to access a pseudo-device that combines the traffic on + all other interfaces; the only limitation is that libpcap will + not recognize VLAN-tagged frames in this mode, which may be + an issue in some of the more exotic setups. + + If you do not specify an interface, libpcap will probably pick + the first working interface in your system. + + -L - lists all available network interfaces, then quits. Particularly + useful on Windows, where the system-generated interface names + are impossible to memorize. + + -r fname - instead of listening for live traffic, reads pcap captures from + the specified file. The data can be collected with tcpdump or any + other compatible tool. Make sure that snapshot length (-s + option in tcpdump) is large enough not to truncate packets; the + default may be too small. + + As with -i, only one -r option can be specified at any given + time. + + -o fname - appends grep-friendly log data to the specified file. The log + contains all observations made by p0f about every matching + connection, and may grow large; plan accordingly. + + Only one instance of p0f should be writing to a particular file + at any given time; where supported, advisory locking is used to + avoid problems. + + -s fname - listens for API queries on the specified filesystem socket. This + allows other programs to ask p0f about its current thoughts about + a particular host. More information about the API protocol can be + found in section 4 below. + + Only one instance of p0f can be listening on a particular socket + at any given time. The mode is also incompatible with -r. + + -d - runs p0f in daemon mode: the program will fork into background + and continue writing to the specified log file or API socket. It + will continue running until killed, until the listening interface + is shut down, or until some other fatal error is encountered. + + This mode requires either -o or -s to be specified. + + To continue capturing p0f debug output and error messages (but + not signatures), redirect stderr to another non-TTY destination, + e.g.: + + ./p0f -o /var/log/p0f.log -d 2>>/var/log/p0f.error + + Note that if -d is specified and stderr points to a TTY, error + messages will be lost. + + -u user - causes p0f to drop privileges, switching to the specified user + and chroot()ing itself to said user's home directory. + + This mode is *highly* advisable (but not required) on un*x + systems, especially in daemon mode. See section 7 for more info. + +More arcane settings (you probably don't need to touch these): + + -j - Log in JSON format. + + -l - Line buffered mode for logging to output file. + + -p - puts the interface specified with -i in promiscuous mode. If + supported by the firmware, the card will also process frames not + addressed to it. + + -S num - sets the maximum number of simultaneous API connections. The + default is 20; the upper cap is 100. + + -m c,h - sets the maximum number of connections (c) and hosts (h) to be + tracked at the same time (default: c = 1,000, h = 10,000). Once + the limit is reached, the oldest 10% entries gets pruned to make + room for new data. + + This setting effectively controls the memory footprint of p0f. + The cost of tracking a single host is under 400 bytes; active + connections have a worst-case footprint of about 18 kB. High + limits have some CPU impact, too, by the virtue of complicating + data lookups in the cache. + + NOTE: P0f tracks connections only until the handshake is done, + and if protocol-level fingerprinting is possible, until few + initial kilobytes of data have been exchanged. This means that + most connections are dropped from the cache in under 5 seconds; + consequently, the 'c' variable can be much lower than the real + number of parallel connections happening on the wire. + + -t c,h - sets the timeout for collecting signatures for any connection + (c); and for purging idle hosts from in-memory cache (h). The + first parameter is given in seconds, and defaults to 30 s; the + second one is in minutes, and defaults to 120 min. + + The first value must be just high enough to reliably capture + SYN, SYN+ACK, and the initial few kB of traffic. Low-performance + sites may want to increase it slightly. + + The second value governs for how long API queries about a + previously seen host can be made; and what's the maximum interval + between signatures to still trigger NAT detection and so on. + Raising it is usually not advisable; lowering it to 5-10 minutes + may make sense for high-traffic servers, where it is possible to + see several unrelated visitors subsequently obtaining the same + dynamic IP from their ISP. + +Well, that's about it. You probably need to run the tool as root. Some of the +most common use cases: + +# ./p0f -i eth0 + +# ./p0f -i eth0 -d -u p0f-user -o /var/log/p0f.log + +# ./p0f -r some_capture.cap + +The greppable log format (-o) uses pipe ('|') as a delimiter, with name=value +pairs describing the signature in a manner very similar to the pretty-printed +output generated on stdout: + +[2012/01/04 10:26:14] mod=mtu|cli=1.2.3.4/1234|srv=4.3.2.1/80|subj=cli|link=DSL|raw_mtu=1492 + +The 'mod' parameter identifies the subsystem that generated the entry; the +'cli' and 'srv' parameters always describe the direction in which the TCP +session is established; and 'subj' describes which of these two parties is +actually being fingerprinted. + +Command-line options may be followed by a single parameter containing a +pcap-style traffic filtering rule. This allows you to reject some of the less +interesting packets for performance or privacy reasons. Simple examples include: + + 'dst net 10.0.0.0/8 and port 80' + + 'not src host 10.1.2.3' + + 'port 22 or port 443' + +You can read more about the supported syntax by doing 'man pcap-fiter'; if +that fails, try this URL: + + http://www.manpagez.com/man/7/pcap-filter/ + +Filters work both for online capture (-i) and for previously collected data +produced by any other tool (-r). + +------------- +4. API access +------------- + +The API allows other applications running on the same system to get p0f's +current opinion about a particular host. This is useful for integrating it with +spam filters, web apps, and so on. + +Clients are welcome to connect to the unix socket specified with -s using the +SOCK_STREAM protocol, and may issue any number of fixed-length queries. The +queries will be answered in the order they are received. + +Note that there is no response caching, nor any software limits in place on p0f +end, so it is your responsibility to write reasonably well-behaved clients. + +Queries have exactly 21 bytes. The format is: + + - Magic dword (0x50304601), in native endian of the platform. + + - Address type byte: 4 for IPv4, 6 for IPv6. + + - 16 bytes of address data, network endian. IPv4 addresses should be + aligned to the left. + +To such a query, p0f responds with: + + - Another magic dword (0x50304602), native endian. + + - Status dword: 0x00 for 'bad query', 0x10 for 'OK', and 0x20 for 'no match'. + + - Host information, valid only if status is 'OK' (byte width in square + brackets): + + [4] first_seen - unix time (seconds) of first observation of the host. + + [4] last_seen - unix time (seconds) of most recent traffic. + + [4] total_conn - total number of connections seen. + + [4] uptime_min - calculated system uptime, in minutes. Zero if not known. + + [4] up_mod_days - uptime wrap-around interval, in days. + + [4] last_nat - time of the most recent detection of IP sharing (NAT, + load balancing, proxying). Zero if never detected. + + [4] last_chg - time of the most recent individual OS mismatch (e.g., + due to multiboot or IP reuse). + + [2] distance - system distance (derived from TTL; -1 if no data). + + [1] bad_sw - p0f thinks the User-Agent or Server strings aren't + accurate. The value of 1 means OS difference (possibly + due to proxying), while 2 means an outright mismatch. + + NOTE: If User-Agent is not present at all, this value + stays at 0. + + [1] os_match_q - OS match quality: 0 for a normal match; 1 for fuzzy + (e.g., TTL or DF difference); 2 for a generic signature; + and 3 for both. + + [32] os_name - NUL-terminated name of the most recent positively matched + OS. If OS not known, os_name[0] is NUL. + + NOTE: If the host is first seen using an known system and + then switches to an unknown one, this field is not + reset. + + [32] os_flavor - OS version. May be empty if no data. + + [32] http_name - most recent positively identified HTTP application + (e.g. 'Firefox'). + + [32] http_flavor - version of the HTTP application, if any. + + [32] link_type - network link type, if recognized. + + [32] language - system language, if recognized. + +A simple reference implementation of an API client is provided in p0f-client.c. +Implementations in C / C++ may reuse api.h from p0f source code, too. + +Developers using the API should be aware of several important constraints: + + - The maximum number of simultaneous API connections is capped to 20. The + limit may be adjusted with the -S parameter, but rampant parallelism may + lead to poorly controlled latency; consider a single query pipeline, + possibly with prioritization and caching. + + - The maximum number of hosts and connections tracked at any given time is + subject to configurable limits. You should look at your traffic stats and + see if the defaults are suitable. + + You should also keep in mind that whenever you are subject to an ongoing + DDoS or SYN spoofing DoS attack, p0f may end up dropping entries faster + than you could query for them. It's that or running out of memory, so + don't fret. + + - Cache entries with no activity for more than 120 minutes will be dropped + even if the cache is nearly empty. The timeout is adjustable with -t, but + you should not use the API to obtain ancient data; if you routinely need to + go back hours or days, parse the logs instead of wasting RAM. + +----------------------- +5. Fingerprint database +----------------------- + +Whenever p0f obtains a fingerprint from the observed traffic, it defers to +the data read from p0f.fp to identify the operating system and obtain some +ancillary data needed for other analysis tasks. The fingerprint database is a +simple text file where lines starting with ; are ignored. + +== Module specification == + +The file is split into sections based on the type of traffic the fingerprints +apply to. Section identifiers are enclosed in square brackets, like so: + +[module:direction] + + module - the name of the fingerprinting module (e.g. 'tcp' or 'http'). + + direction - the direction of fingerprinted traffic: 'request' (from client to + server) or 'response' (from server to client). + + For the TCP module, 'client' matches the initial SYN; and + 'server' matches SYN+ACK. + +The 'direction' part is omitted for MTU signatures, as they work equally well +both ways. + +== Signature groups == + +The actual signatures must be preceeded by an 'label' line, describing the +fingerprinted software: + +label = type:class:name:flavor + + type - some signatures in p0f.fp offer broad, last-resort matching for + less researched corner cases. The goal there is to give an + answer slightly better than "unknown", but less precise than + what the user may be expecting. + + Normal, reasonably specific signatures that can't be radically + improved should have their type specified as 's'; while generic, + last-resort ones should be tagged with 'g'. + + Note that generic signatures are considered only if no specific + matches are found in the database. + + class - the tool needs to distinguish between OS-identifying signatures + (only one of which should be matched for any given host) and + signatures that just identify user applications (many of which + may be seen concurrently). + + To assist with this, OS-specific signatures should specify the + OS architecture family here (e.g., 'win', 'unix', 'cisco'); while + application-related sigs (NMap, MSIE, Apache) should use a + special value of '!'. + + Most TCP signatures are OS-specific, and should have OS family + defined. Other signatures, such as HTTP, should use '!' unless + the fingerprinted component is deeply intertwined with the + platform (e.g., Windows Update). + + NOTE: To avoid variations (e.g. 'win' and 'windows' or 'unix' + and 'linux'), all classes need to be pre-registered using a + 'classes' directive, seen near the beginning of p0f.fp. + + name - a human-readable short name for what the fingerprint actually + helps identify - say, 'Linux', 'Sendmail', or 'NMap'. The tool + doesn't care about the exact value, but requires consistency - so + don't switch between 'Internet Explorer' and 'MSIE', or 'MacOS' + and 'Mac OS'. + + flavor - anything you want to say to further qualify the observation. Can + be the version of the identified software, or a description of + what the application seems to be doing (e.g. 'SYN scan' for NMap). + + NOTE: Don't be too specific: if you have a signature for Apache + 2.2.16, but have no reason to suspect that other recent versions + behave in a radically different way, just say '2.x'. + +P0f uses labels to group similar signatures that may be plausibly generated by +the same system or application, and should not be considered a strong signal for +NAT detection. + +To further assist the tool in deciding which OS and application combinations are +reasonable, and which ones are indicative of foul play, any 'label' line for +applications (class '!') should be followed by a comma-delimited list of OS +names or @-prefixed OS architecture classes on which this software is known to +be used on. For example: + +label = s:!:Uncle John's Networked ls Utility:2.3.0.1 +sys = Linux,FreeBSD,OpenBSD + +...or: + +label = s:!:Mom's Homestyle Browser:1.x +sys = @unix,@win + +The label can be followed by any number of module-specific signatures; all of +them will be linked to the most recent label, and will be reported the same +way. + +All sections except for 'name' are omitted for [mtu] signatures, which do not +convey any OS-specific information, and just describe link types. + +== MTU signatures == + +Many operating systems derive the maximum segment size specified in TCP options +from the MTU of their network interface; that value, in turn, normally depends +on the design of the link-layer protocol. A different MTU is associated with +PPPoE, a different one with IPSec, and a different one with Juniper VPN. + +The format of the signatures in the [mtu] section is exceedingly simple, +consisting just of a description and a list of values: + +label = Ethernet +sig = 1500 + +These will be matched for any wildcard MSS TCP packets (see below) not generated +by userspace TCP tools. + +== TCP signatures == + +For TCP traffic, signature layout is as follows: + +sig = ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass + + ver - signature for IPv4 ('4'), IPv6 ('6'), or both ('*'). + + NEW SIGNATURES: P0f documents the protocol observed on the wire, + but you should replace it with '*' unless you have observed some + actual differences between IPv4 and IPv6 traffic, or unless the + software supports only one of these versions to begin with. + + ittl - initial TTL used by the OS. Almost all operating systems use + 64, 128, or 255; ancient versions of Windows sometimes used + 32, and several obscure systems sometimes resort to odd values + such as 60. + + NEW SIGNATURES: P0f will usually suggest something, using the + format of 'observed_ttl+distance' (e.g. 54+10). Consider using + traceroute to check that the distance is accurate, then sum up + the values. If initial TTL can't be guessed, p0f will output + 'nnn+?', and you need to use traceroute to estimate the '?'. + + A handful of userspace tools will generate random TTLs. In these + cases, determine maximum initial TTL and then add a - suffix to + the value to avoid confusion. + + olen - length of IPv4 options or IPv6 extension headers. Usually zero + for normal IPv4 traffic; always zero for IPv6 due to the + limitations of libpcap. + + NEW SIGNATURES: Copy p0f output literally. + + mss - maximum segment size, if specified in TCP options. Special value + of '*' can be used to denote that MSS varies depending on the + parameters of sender's network link, and should not be a part of + the signature. In this case, MSS will be used to guess the + type of network hookup according to the [mtu] rules. + + NEW SIGNATURES: Use '*' for any commodity OSes where MSS is + around 1300 - 1500, unless you know for sure that it's fixed. + If the value is outside that range, you can probably copy it + literally. + + wsize - window size. Can be expressed as a fixed value, but many + operating systems set it to a multiple of MSS or MTU, or a + multiple of some random integer. P0f automatically detects these + cases, and allows notation such as 'mss*4', 'mtu*4', or '%8192' + to be used. Wilcard ('*') is possible too. + + NEW SIGNATURES: Copy p0f output literally. If frequent variations + are seen, look for obvious patterns. If there are no patterns, + '*' is a possible alternative. + + scale - window scaling factor, if specified in TCP options. Fixed value + or '*'. + + NEW SIGNATURES: Copy literally, unless the value varies randomly. + Many systems alter between 2 or 3 scaling factors, in which case, + it's better to have several 'sig' lines, rather than a wildcard. + + olayout - comma-delimited layout and ordering of TCP options, if any. This + is one of the most valuable TCP fingerprinting signals. Supported + values: + + eol+n - explicit end of options, followed by n bytes of padding + nop - no-op option + mss - maximum segment size + ws - window scaling + sok - selective ACK permitted + sack - selective ACK (should not be seen) + ts - timestamp + ?n - unknown option ID n + + NEW SIGNATURES: Copy this string literally. + + quirks - comma-delimited properties and quirks observed in IP or TCP + headers: + + df - "don't fragment" set (probably PMTUD); ignored for IPv6 + id+ - DF set but IPID non-zero; ignored for IPv6 + id- - DF not set but IPID is zero; ignored for IPv6 + ecn - explicit congestion notification support + 0+ - "must be zero" field not zero; ignored for IPv6 + flow - non-zero IPv6 flow ID; ignored for IPv4 + + seq- - sequence number is zero + ack+ - ACK number is non-zero, but ACK flag not set + ack- - ACK number is zero, but ACK flag set + uptr+ - URG pointer is non-zero, but URG flag not set + urgf+ - URG flag used + pushf+ - PUSH flag used + + ts1- - own timestamp specified as zero + ts2+ - non-zero peer timestamp on initial SYN + opt+ - trailing non-zero data in options segment + exws - excessive window scaling factor (> 14) + bad - malformed TCP options + + If a signature scoped to both IPv4 and IPv6 contains quirks valid + for just one of these protocols, such quirks will be ignored for + on packets using the other protocol. For example, any combination + of 'df', 'id+', and 'id-' is always matched by any IPv6 packet. + + NEW SIGNATURES: Copy literally. + + pclass - payload size classification: '0' for zero, '+' for non-zero, + '*' for any. The packets we fingerprint right now normally have + no payloads, but some corner cases exist. + + NEW SIGNATURES: Copy literally. + +NOTE: The TCP module allows some fuzziness when an exact match can't be found: +'df' and 'id+' quirks are allowed to disappear; 'id-' or 'ecn' may appear; and +TTLs can change. + +To gather new SYN ('request') signatures, simply connect to the fingerprinted +system, and p0f will provide you with the necessary data. To gather SYN+ACK +('response') signatures, you should use the bundled p0f-sendsyn utility while p0f +is running in the background; creating them manually is not advisable. + +== HTTP signatures == + +A special directive should appear at the beginning of the [http:request] +section, structured the following way: + +ua_os = Linux,Windows,iOS=[iPad],iOS=[iPhone],Mac OS X,... + +This list should specify OS names that should be looked for within the +User-Agent string if the string is otherwise deemed to be honest. This input +is not used for fingerprinting, but aids NAT detection in some useful ways. + +The names have to match the names used in 'sig' specifiers across p0f.fp. If a +particular name used by p0f differs from what typically appears in User-Agent, +the name=[string] syntax may be used to define any number of aliases. + +Other than that, HTTP signatures for GET and HEAD requests have the following +layout: + +sig = ver:horder:habsent:expsw + + ver - 0 for HTTP/1.0, 1 for HTTP/1.1, or '*' for any. + + NEW SIGNATURES: Copy the value literally, unless you have a + specific reason to do otherwise. + + horder - comma-separated, ordered list of headers that should appear in + matching traffic. Substrings to match within each of these + headers may be specified using a name=[value] notation. + + The signature will be matched even if other headers appear in + between, as long as the list itself is matched in the specified + sequence. + + Headers that usually do appear in the traffic, but may go away + (e.g. Accept-Language if the user has no languages defined, or + Referer if no referring site exists) should be prefixed with '?', + e.g. "?Referer". P0f will accept their disappearance, but will + not allow them to appear at any other location. + + NEW SIGNATURES: Review the list and remove any headers that + appear to be irrelevant to the fingerprinted software, and mark + transient ones with '?'. Remove header values that do not add + anything to the signature, or are request- or user-specific. + In particular, pay attention to Accept, Accept-Language, and + Accept-Charset, as they are highly specific to request type + and user settings. + + P0f automatically removes some headers, prefixes others with '?', + and inhibits the value of fields such as 'Referer' or 'Cookie' - + but this is not a substitute for manual review. + + NOTE: Server signatures may differ depending on the request + (HTTP/1.1 versus 1.0, keep-alive versus one-shot, etc) and on the + returned resource (e.g., CGI versus static content). Play around, + browse to several URLs, also try curl and wget. + + habsent - comma-separated list of headers that must *not* appear in + matching traffic. This is particularly useful for noting the + absence of standard headers (e.g. 'Host'), or for differentiating + between otherwise very similar signatures. + + NEW SIGNATURES: P0f will automatically highlight the absence of + any normally present headers; other entries may be added where + necessary. + + expsw - expected substring in 'User-Agent' or 'Server'. This is not + used to match traffic, and merely serves to detect dishonest + software. If you want to explicitly match User-Agent, you need + to do this in the 'horder' section, e.g.: + + User-Agent=[Firefox] + +Any of these sections sections except for 'ver' may be blank. + +There are many protocol-level quirks that p0f could be detecting - for example, +the use of non-standard newlines, or missing or extra spacing between header +field names and values. There is also some information to be gathered from +responses to OPTIONS or POST. That said, it does not seem to be worth the +effort: the protocol is so verbose, and implemented so arbitrarily, that we are +getting more than enough information just with a simple GET / HEAD fingerprint. + +== SMTP signatures == + + *** NOT IMPLEMENTED YET *** + +== FTP signatures == + + *** NOT IMPLEMENTED YET *** + +---------------- +6. NAT detection +---------------- + +In addition to fairly straightforward measurements of intrinsic properties of +a single TCP session, p0f also tries to compare signatures across sessions to +detect client-side connection sharing (NAT, HTTP proxies) or server-side load +balancing. + +This is done in two steps: the first significant deviation usually prompts a +"host change" entry (which may be also indicative of multi-boot, address reuse, +or other one-off events); and a persistent pattern of changes prompts an +"ip sharing" notification later on. + +All of these messages are accompanied by a set of reason codes: + + os_sig - the OS detected right now doesn't match the OS detected earlier + on. + + sig_diff - no definite OS detection data available, but protocol-level + characteristics have changed drastically (e.g., different + TCP option layout). + + app_vs_os - the application detected running on the host is not supposed + to work on the host's operating system. + + x_known - the signature progressed from known to unknown, or vice versa. + +The following additional codes are specific to TCP: + + tstamp - TCP timestamps went back or jumped forward. + + ttl - TTL values have changed. + + port - source port number has decreased. + + mtu - system MTU has changed. + + fuzzy - the precision with which a TCP signature is matched has + changed. + +The following code is also issued by the HTTP module: + + via - data explicitly includes Via / X-Forwarded-For. + + us_vs_os - OS fingerprint doesn't match User-Agent data, and the + User-Agent value otherwise looks honest. + + app_srv_lb - server application signatures change, suggesting load + balancing. + + date - server-advertised date changes inconsistently. + +Different reasons have different weights, balanced to keep p0f very sensitive +even to very homogenous environments behind NAT. If you end up seeing false +positives or other detection problems in your environment, please let me know! + +----------- +7. Security +----------- + +You should treat the output from this tool as advisory; the fingerprinting can +be gambled with some minor effort, and it's also possible to evade it altogether +(e.g. with excessive IP fragmentation or bad TCP checksums). Plan accordingly. + +P0f should to be reasonably secure to operate as a daemon. That said, un*x +users should employ the -u option to drop privileges and chroot() when running +the tool continuously. This greatly minimizes the consequences of any mishaps - +and mishaps in C just tend to happen. + +To make this step meaningful, the user you are running p0f as should be +completely unprivileged, and should have an empty, read-only home directory. For +example, you can do: + +# useradd -d /var/empty/p0f -M -r -s /bin/nologin p0f-user +# mkdir -p -m 755 /var/empty/p0f + +Please don't put the p0f binary itself, or any other valuable assets, inside +that user's home directory; and certainly do not use any generic locations such +as / or /bin/ in lieu of a proper home. + +P0f running in the background should be fairly difficult to DoS, especially +compared to any real TCP services it will be watching. Nevertheless, there are +so many deployment-specific factors at play that you should always preemptively +stress-test your setup, and see how it behaves. + +Other than that, let's talk filesystem security. When using the tool in the +API mode (-s), the listening socket is always re-created created with 666 +permissions, so that applications running as other uids can query it at will. +If you want to preserve the privacy of captured traffic in a multi-user system, +please ensure that the socket is created in a directory with finer-grained +permissions; or change API_MODE in config.h. + +The default file mode for binary log data (-o) is 600, on the account that +others probably don't need access to historical data; if you need to share logs, +you can pre-create the file or change LOG_MODE in config.h. + +Don't build p0f, and do not store its source, binary, configuration files, logs, +or query sockets in world-writable locations such as /tmp (or any +subdirectories created therein). + +Last but not least, please do not attempt to make p0f setuid, or otherwise +grant it privileges higher than these of the calling user. Neither the tool +itself, nor the third-party components it depends on, are designed to keep rogue +less-privileged callers at bay. If you use /etc/sudoers to list p0f as the only +program that user X should be able to run as root, that user will probably be +able to compromise your system. The same goes for many other uses of sudo, by +the way. + +-------------- +8. Limitations +-------------- + +Here are some of the known issues you may run into: + +== General == + +1) RST, ACK, and other experimental fingerprinting modes offered in p0f v2 are + no longer supported in v3. This is because they proved to have very low + specificity. The consequence is that you can no longer fingerprint + "connection refused" responses. + +2) API queries or daemon execution are not supported when reading offline pcaps. + While there may be some fringe use cases for that, offline pcaps use a + much simpler event loop, and so supporting these features would require some + extra effort. + +3) P0f needs to observe at least about 25 milliseconds worth of qualifying + traffic to estimate system uptime. This means that if you're testing it over + loopback or LAN, you may need to let it see more than one connection. + + Systems with extremely slow timestamp clocks may need longer acquisition + periods (up to several seconds); very fast clocks (over 1.5 kHz) are rejected + completely on account of being prohibited by the RFC. Almost all OSes are + between 100 Hz and 1 kHz, which should work fine. + +4) Some systems vary SYN+ACK responses based on the contents of the initial SYN, + sometimes removing TCP options not supported by the other endpoint. + Unfortunately, there is no easy way to account for this, so several SYN+ACK + signatures may be required per system. The bundled p0f-sendsyn utility helps + with collecting them. + + Another consequence of this is that you will sometimes see server uptime only + if your own system has RFC1323 timestamps enabled. Linux does that since + version 2.2; on Windows, you need version 7 or newer. Client uptimes are not + affected. + +== Windows port == + +1) API sockets do not work on Windows. This is due to a limitation of winpcap; + see live_event_loop(...) in p0f.c for more info. + +2) The chroot() jail (-u) on Windows doesn't offer any real security. This is + due to the limitations of cygwin. + +3) The p0f-sendsyn utility doesn't work because of the limited capabilities of + Windows raw sockets (this should be relatively easy to fix if there are any + users who care). + +--------------------------- +9. Acknowledgments and more +--------------------------- + +P0f is made possible thanks to the contributions of several good souls, +including: + + Phil Ames + Jannich Brendle + Matthew Dempsky + Jason DePriest + Dalibor Dukic + Mark Martinec + Damien Miller + Josh Newton + Nibbler + Bernhard Rabe + Chris John Riley + Sebastian Roschke + Peter Valchev + Jeff Weisberg + Anthony Howe + Tomoyuki Murakami + Michael Petch + +If you wish to help, the most immediate way to do so is to simply gather new +signatures, especially from less popular or older platforms (servers, networking +equipment, portable / embedded / specialty OSes, etc). + +Problems? Suggestions? Complaints? Compliments? You can reach the author at +. The author is very lonely and appreciates your mail. diff --git a/docker/p0f/docs/TODO b/docker/p0f/docs/TODO new file mode 100644 index 00000000..be390ee2 --- /dev/null +++ b/docker/p0f/docs/TODO @@ -0,0 +1,26 @@ +Signatures: + + - More SYN sigs, + + - A lot more SYN+ACK signatures, + + - A lot more server signatures - maybe write a tool. + +Modules: + + - SMTP + + - FTP + + - POP3 + + - IMAP + + - SSH + + - SSL + +Misc: + + - Manpage. + diff --git a/docker/p0f/docs/existential-notes.txt b/docker/p0f/docs/existential-notes.txt new file mode 100644 index 00000000..35cbba4e --- /dev/null +++ b/docker/p0f/docs/existential-notes.txt @@ -0,0 +1,29 @@ +----------------------------- +Some random food for thought: +----------------------------- + +1) If you run p0f on any reasonably popular server, you will probably see quite + a few systems that seem to be leaking memory in TCP headers (e.g. ACK number + or second timestamp set on SYN packets, URG pointer without URG flag, etc). + You will also see HTTP traffic with non-stripped Proxy-Authorization headers + and other hilarious abnormalities. + + Unfortunately, pinpointing the sources of many of these leaks is pretty hard; + they often trace to proprietary corporate proxies and firewalls, and unless + it's *your* proxy or firewall, you won't be finding out more. If you wish to + put some investigative effort into this, there are quite a few bugs waiting + to be tracked down, though :-) + +2) After some hesitation, I decided *against* the inclusion of encrypted traffic + classification features into p0f. Timing, packet size, and direction + information lets you, for example, reliably differentiate between interactive + SSH sessions and SFTP uploads or downloads; automated and human password + entry attemps; or failed and successful auth. + + The same goes for SSL: you can tell normal HTTPS browsing from file uploads, + from attempts to smuggle, say, PPP over SSL. In the end, however, it seems + like stretch to cram it into p0f; one day, I might improve my ancient 'fl0p' + tool, instead: + + http://lcamtuf.coredump.cx/soft/fl0p-devel.tgz + diff --git a/docker/p0f/docs/extra-sigs.txt b/docker/p0f/docs/extra-sigs.txt new file mode 100644 index 00000000..5635110e --- /dev/null +++ b/docker/p0f/docs/extra-sigs.txt @@ -0,0 +1,73 @@ +These need to be investigated: + +# AVM FritzBox 7112 w/ BusyBox Linux - sendsyn response +4:64+0:0:1460:mss*4,0:mss:df:0 +4:64+0:0:1460:mss*4,1:mss,nop,ws:df:0 +4:64+0:0:1460:mss*4,1:mss,nop,nop,sok,nop,ws:df:0 +4:64+0:0:1460:mss*4,1:mss,sok,ts,nop,ws:df:0 +4:64+0:0:1460:mss*4,1:mss,nop,nop,ts,nop,ws:df:0 +4:64+0:0:1460:mss*4,0:mss,nop,nop,sok:df:0 +4:64+0:0:1460:mss*4,0:mss,sok,ts:df:0 +4:64+0:0:1460:mss*4,0:mss,nop,nop,ts:df:0 + +# LaCIE Network storage - sendsyn response +4:64+0:0:1460:mss*4,0:mss,nop,nop,sok:df:0 +4:64+0:0:1460:mss*4,0:mss,sok,ts:df:0 +4:64+0:0:1460:mss*4,0:mss,nop,nop,ts:df:0 + +# HP LaserJet printer CP1515 - sendsyn response +4:64+0:0:*:mss*7,0:mss,nop,nop,sok::0 +4:64+0:0:*:mss*7,0:mss,nop,nop,sok,nop,nop,ts::0 +4:64+0:0:*:mss*7,0:mss,nop,nop,ts::0 + +# HP LaserJet printer CP1515 - http response +1:Server,Transfer-Encoding=[chunked],Content-Type,?Expires,?Cache-Control:Connection,Keep-Alive,Accept-Ranges,Date:Virata-EmWeb/R6_2_1 +1:Server,?Content-Length,Content-Type,?ETag,?Last-Modified,?Cache-Control:Connection,Keep-Alive,Accept-Ranges,Date:Virata-EmWeb/R6_2_1 +1:Server,Transfer-Encoding=[chunked],Content-Type,?Expires,?Cache-Control:Connection,Keep-Alive,Accept-Ranges,Date:Virata-EmWeb/R6_2_1 + +Cherokee 1.0.8-5: +1:Connection=[Keep-Alive],Keep-Alive=[timeout=15],Date,Server,?Content-Length,Content-Type,?Cache-Control,?Pragma:Accept-Ranges:Cherokee/1.0.8 (Debian GNU/Linux) + +AOLserver 4.5.1-12: +1:MIME-Version=[1.0],Date,Server,Content-Type,?Content-Length,Connection=[close]:Keep-Alive,Accept-Ranges:AOLserver/4.5.1 + +BOA 0.94.14rc21-3.1: +1:Date,Server,Accept-Ranges=[bytes],Connection=[close],Content-Type:Keep-Alive:Boa/0.94.14rc21 + +Yaws 1.88-2: +1:Connection=[close],Server,Date,?Content-Length,Content-Type:Keep-Alive,Accept-Ranges:Yaws/1.88 Yet Another Web Server + +Ocsigen 1.3.3-1squeeze1: +1:accept-ranges=[none],cache-control=[no-cache],content-type=[text/html; charset=iso-8859-1],date=[Wed, 18 Jan 2012 09:32:55 GMT],expires=[0],server=[Ocsigen],transfer-encoding=[chunked]:Content-Type,Connection,Keep-Alive,Accept-Ranges,Date: + +dhttpd 1.02a-18: +0:Date,Server,Content-type=[text/html]:Content-Type,Connection,Keep-Alive,Accept-Ranges:dhttpd/1.02a + +thttpd 2.25b-11: +1:Server,Content-Type,Date,?Last-Modified,Accept-Ranges=[bytes],Connection=[close]:Keep-Alive:thttpd/2.25b 29dec2003 + +------------ + +uhttpd version 7 (running on OpenWrt): +0::Content-Type,Connection,Keep-Alive,Accept-Ranges,Date: + +Cherokee 1.0.8-5: +0:Connection=[close],Date,Server,Content-Type:Keep-Alive,Accept-Ranges:Cherokee/1.0.8 (Debian GNU/Linux) + +AOLserver 4.5.1-12: +0:MIME-Version=[1.0],Date,Server,Content-Type,?Content-Length,Connection=[close]:Keep-Alive,Accept-Ranges:AOLserver/4.5.1 + +BOA 0.94.14rc21-3.1: +0:Date,Server,Accept-Ranges=[bytes],Connection=[close],?Last-Modified,Content-Type:Keep-Alive:Boa/0.94.14rc21 + +Ocsigen 1.3.3-1squeeze1: +1:accept-ranges=[none],cache-control=[no-cache],content-type=[text/html; charset=iso-8859-1],date=[Tue, 17 Jan 2012 22:46:08 GMT],expires=[0],server=[Ocsigen]:Content-Type,Connection,Keep-Alive,Accept-Ranges,Date: + +dhttpd 1.02a-18: +0:Date,Server,Content-type=[text/html]:Content-Type,Connection,Keep-Alive,Accept-Ranges:dhttpd/1.02a + +Yaws 1.88-2: +1:Connection=[Keep-Alive],Server,Date,?Last-Modified,Etag=["2nu+xcAAGwK"],?Content-Length,Content-Type:Keep-Alive,Accept-Ranges:Yaws/1.88 Yet Another Web Server + +thttpd 2.25b-11: +0:Server,Content-Type,Date,?Last-Modified,Accept-Ranges=[bytes],Connection=[close]:Keep-Alive:thttpd/2.25b 29dec2003 diff --git a/docker/p0f/fp_http.c b/docker/p0f/fp_http.c new file mode 100644 index 00000000..f6faa531 --- /dev/null +++ b/docker/p0f/fp_http.c @@ -0,0 +1,1415 @@ +/* + p0f - HTTP fingerprinting + ------------------------- + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#define _FROM_FP_HTTP +#define _GNU_SOURCE + +#include +#include +#include +#include +#include + +#include +#include + +#include "types.h" +#include "config.h" +#include "debug.h" +#include "alloc-inl.h" +#include "process.h" +#include "readfp.h" +#include "p0f.h" +#include "tcp.h" +#include "hash.h" + +#include "fp_http.h" +#include "languages.h" + +static u8** hdr_names; /* List of header names by ID */ +static u32 hdr_cnt; /* Number of headers registered */ + +static u32* hdr_by_hash[SIG_BUCKETS]; /* Hashed header names */ +static u32 hbh_cnt[SIG_BUCKETS]; /* Number of headers in bucket */ + +/* Signatures aren't bucketed due to the complex matching used; but we use + Bloom filters to go through them quickly. */ + +static struct http_sig_record* sigs[2]; +static u32 sig_cnt[2]; + +static struct ua_map_record* ua_map; /* Mappings between U-A and OS */ +static u32 ua_map_cnt; + +#define SLOF(_str) (u8*)_str, strlen((char*)_str) + + +/* Ghetto Bloom filter 4-out-of-64 bitmask generator for adding 32-bit header + IDs to a set. We expect around 10 members in a set. */ + +static inline u64 bloom4_64(u32 val) { + u32 hash = hash32(&val, 4, hash_seed); + u64 ret; + ret = (1LL << (hash & 63)); + ret ^= (1LL << ((hash >> 8) & 63)); + ret ^= (1LL << ((hash >> 16) & 63)); + ret ^= (1LL << ((hash >> 24) & 63)); + return ret; +} + + +/* Look up or register new header */ + +static s32 lookup_hdr(u8* name, u32 len, u8 create) { + + u32 bucket = hash32(name, len, hash_seed) % SIG_BUCKETS; + + u32* p = hdr_by_hash[bucket]; + u32 i = hbh_cnt[bucket]; + + while (i--) { + if (!memcmp(hdr_names[*p], name, len) /* ASAN won't like this... */ && + !hdr_names[*p][len]) return *p; + p++; + } + + /* Not found! */ + + if (!create) return -1; + + hdr_names = DFL_ck_realloc(hdr_names, (hdr_cnt + 1) * sizeof(u8*)); + hdr_names[hdr_cnt] = DFL_ck_memdup_str(name, len); + + hdr_by_hash[bucket] = DFL_ck_realloc(hdr_by_hash[bucket], + (hbh_cnt[bucket] + 1) * 4); + + hdr_by_hash[bucket][hbh_cnt[bucket]++] = hdr_cnt++; + + return hdr_cnt - 1; + +} + + +/* Pre-register essential headers. */ + +void http_init(void) { + u32 i; + + /* Do not change - other code depends on the ordering of first 6 entries. */ + + lookup_hdr(SLOF("User-Agent"), 1); /* 0 */ + lookup_hdr(SLOF("Server"), 1); /* 1 */ + lookup_hdr(SLOF("Accept-Language"), 1); /* 2 */ + lookup_hdr(SLOF("Via"), 1); /* 3 */ + lookup_hdr(SLOF("X-Forwarded-For"), 1); /* 4 */ + lookup_hdr(SLOF("Date"), 1); /* 5 */ + +#define HDR_UA 0 +#define HDR_SRV 1 +#define HDR_AL 2 +#define HDR_VIA 3 +#define HDR_XFF 4 +#define HDR_DAT 5 + + i = 0; + while (req_optional[i].name) { + req_optional[i].id = lookup_hdr(SLOF(req_optional[i].name), 1); + i++; + } + + i = 0; + while (resp_optional[i].name) { + resp_optional[i].id = lookup_hdr(SLOF(resp_optional[i].name), 1); + i++; + } + + i = 0; + while (req_skipval[i].name) { + req_skipval[i].id = lookup_hdr(SLOF(req_skipval[i].name), 1); + i++; + } + + i = 0; + while (resp_skipval[i].name) { + resp_skipval[i].id = lookup_hdr(SLOF(resp_skipval[i].name), 1); + i++; + } + + i = 0; + while (req_common[i].name) { + req_common[i].id = lookup_hdr(SLOF(req_common[i].name), 1); + i++; + } + + i = 0; + while (resp_common[i].name) { + resp_common[i].id = lookup_hdr(SLOF(resp_common[i].name), 1); + i++; + } + +} + + +/* Find match for a signature. */ + +static void http_find_match(u8 to_srv, struct http_sig* ts, u8 dupe_det) { + + struct http_sig_record* gmatch = NULL; + struct http_sig_record* ref = sigs[to_srv]; + u32 cnt = sig_cnt[to_srv]; + + while (cnt--) { + + struct http_sig* rs = ref->sig; + u32 ts_hdr = 0, rs_hdr = 0; + + if (rs->http_ver != -1 && rs->http_ver != ts->http_ver) goto next_sig; + + /* Check that all the headers listed for the p0f.fp signature (probably) + appear in the examined traffic. */ + + if ((ts->hdr_bloom4 & rs->hdr_bloom4) != rs->hdr_bloom4) goto next_sig; + + /* Confirm the ordering and values of headers (this is relatively + slow, hence the Bloom filter first). */ + + while (rs_hdr < rs->hdr_cnt) { + + u32 orig_ts = ts_hdr; + + while (rs->hdr[rs_hdr].id != ts->hdr[ts_hdr].id && + ts_hdr < ts->hdr_cnt) ts_hdr++; + + if (ts_hdr == ts->hdr_cnt) { + + if (!rs->hdr[rs_hdr].optional) goto next_sig; + + /* If this is an optional header, check that it doesn't appear + anywhere else. */ + + for (ts_hdr = 0; ts_hdr < ts->hdr_cnt; ts_hdr++) + if (rs->hdr[rs_hdr].id == ts->hdr[ts_hdr].id) goto next_sig; + + ts_hdr = orig_ts; + rs_hdr++; + continue; + + } + + if (rs->hdr[rs_hdr].value && + (!ts->hdr[ts_hdr].value || + !strstr((char*)ts->hdr[ts_hdr].value, + (char*)rs->hdr[rs_hdr].value))) goto next_sig; + + ts_hdr++; + rs_hdr++; + + } + + /* Check that the headers forbidden in p0f.fp don't appear in the traffic. + We first check if they seem to appear in ts->hdr_bloom4, and only if so, + we do a full check. */ + + for (rs_hdr = 0; rs_hdr < rs->miss_cnt; rs_hdr++) { + + u64 miss_bloom4 = bloom4_64(rs->miss[rs_hdr]); + + if ((ts->hdr_bloom4 & miss_bloom4) != miss_bloom4) continue; + + /* Okay, possible instance of a banned header - scan list... */ + + for (ts_hdr = 0; ts_hdr < ts->hdr_cnt; ts_hdr++) + if (rs->miss[rs_hdr] == ts->hdr[ts_hdr].id) goto next_sig; + + } + + /* When doing dupe detection, we want to allow a signature with additional + banned headers to precede one with fewer, or with a different set. */ + + if (dupe_det) { + + if (rs->miss_cnt > ts->miss_cnt) goto next_sig; + + for (rs_hdr = 0; rs_hdr < rs->miss_cnt; rs_hdr++) { + + for (ts_hdr = 0; ts_hdr < ts->miss_cnt; ts_hdr++) + if (rs->miss[rs_hdr] == ts->miss[ts_hdr]) break; + + /* One of the reference headers doesn't appear in current sig! */ + + if (ts_hdr == ts->miss_cnt) goto next_sig; + + } + + + } + + /* Whoa, a match. */ + + if (!ref->generic) { + + ts->matched = ref; + + if (rs->sw && ts->sw && !strstr((char*)ts->sw, (char*)rs->sw)) + ts->dishonest = 1; + + return; + + } else if (!gmatch) gmatch = ref; + +next_sig: + + ref = ref + 1; + + } + + /* A generic signature is the best we could find. */ + + if (!dupe_det && gmatch) { + + ts->matched = gmatch; + + if (gmatch->sig->sw && ts->sw && !strstr((char*)ts->sw, + (char*)gmatch->sig->sw)) ts->dishonest = 1; + + } + +} + + +/* Register new HTTP signature. */ + +void http_register_sig(u8 to_srv, u8 generic, s32 sig_class, u32 sig_name, + u8* sig_flavor, u32 label_id, u32* sys, u32 sys_cnt, + u8* val, u32 line_no) { + + struct http_sig* hsig; + struct http_sig_record* hrec; + + u8* nxt; + + hsig = DFL_ck_alloc(sizeof(struct http_sig)); + + sigs[to_srv] = DFL_ck_realloc(sigs[to_srv], sizeof(struct http_sig_record) * + (sig_cnt[to_srv] + 1)); + + hrec = &sigs[to_srv][sig_cnt[to_srv]]; + + if (val[1] != ':') FATAL("Malformed signature in line %u.", line_no); + + /* http_ver */ + + switch (*val) { + case '0': break; + case '1': hsig->http_ver = 1; break; + case '*': hsig->http_ver = -1; break; + default: FATAL("Bad HTTP version in line %u.", line_no); + } + + val += 2; + + /* horder */ + + while (*val != ':') { + + u32 id; + u8 optional = 0; + + if (hsig->hdr_cnt >= HTTP_MAX_HDRS) + FATAL("Too many headers listed in line %u.", line_no); + + nxt = val; + + if (*nxt == '?') { optional = 1; val++; nxt++; } + + while (isalnum(*nxt) || *nxt == '-' || *nxt == '_') nxt++; + + if (val == nxt) + FATAL("Malformed header name in line %u.", line_no); + + id = lookup_hdr(val, nxt - val, 1); + + hsig->hdr[hsig->hdr_cnt].id = id; + hsig->hdr[hsig->hdr_cnt].optional = optional; + + if (!optional) hsig->hdr_bloom4 |= bloom4_64(id); + + val = nxt; + + if (*val == '=') { + + if (val[1] != '[') + FATAL("Missing '[' after '=' in line %u.", line_no); + + val += 2; + nxt = val; + + while (*nxt && *nxt != ']') nxt++; + + if (val == nxt || !*nxt) + FATAL("Malformed signature in line %u.", line_no); + + hsig->hdr[hsig->hdr_cnt].value = DFL_ck_memdup_str(val, nxt - val); + + val = nxt + 1; + + } + + hsig->hdr_cnt++; + + if (*val == ',') val++; else if (*val != ':') + FATAL("Malformed signature in line %u.", line_no); + + } + + val++; + + /* habsent */ + + while (*val != ':') { + + u32 id; + + if (hsig->miss_cnt >= HTTP_MAX_HDRS) + FATAL("Too many headers listed in line %u.", line_no); + + nxt = val; + while (isalnum(*nxt) || *nxt == '-' || *nxt == '_') nxt++; + + if (val == nxt) + FATAL("Malformed header name in line %u.", line_no); + + id = lookup_hdr(val, nxt - val, 1); + + hsig->miss[hsig->miss_cnt] = id; + + val = nxt; + + hsig->miss_cnt++; + + if (*val == ',') val++; else if (*val != ':') + FATAL("Malformed signature in line %u.", line_no); + + } + + val++; + + /* exp_sw */ + + if (*val) { + + if (strchr((char*)val, ':')) + FATAL("Malformed signature in line %u.", line_no); + + hsig->sw = DFL_ck_strdup(val); + + } + + http_find_match(to_srv, hsig, 1); + + if (hsig->matched) + FATAL("Signature in line %u is already covered by line %u.", + line_no, hsig->matched->line_no); + + hrec->class_id = sig_class; + hrec->name_id = sig_name; + hrec->flavor = sig_flavor; + hrec->label_id = label_id; + hrec->sys = sys; + hrec->sys_cnt = sys_cnt; + hrec->line_no = line_no; + hrec->generic = generic; + + hrec->sig = hsig; + + sig_cnt[to_srv]++; + +} + + +/* Register new HTTP signature. */ + +void http_parse_ua(u8* val, u32 line_no) { + + u8* nxt; + + while (*val) { + + u32 id; + u8* name = NULL; + + nxt = val; + while (*nxt && (isalnum(*nxt) || strchr(NAME_CHARS, *nxt))) nxt++; + + if (val == nxt) + FATAL("Malformed system name in line %u.", line_no); + + id = lookup_name_id(val, nxt - val); + + val = nxt; + + if (*val == '=') { + + if (val[1] != '[') + FATAL("Missing '[' after '=' in line %u.", line_no); + + val += 2; + nxt = val; + + while (*nxt && *nxt != ']') nxt++; + + if (val == nxt || !*nxt) + FATAL("Malformed signature in line %u.", line_no); + + name = DFL_ck_memdup_str(val, nxt - val); + + val = nxt + 1; + + } + + ua_map = DFL_ck_realloc(ua_map, (ua_map_cnt + 1) * + sizeof(struct ua_map_record)); + + ua_map[ua_map_cnt].id = id; + + if (!name) ua_map[ua_map_cnt].name = fp_os_names[id]; + else ua_map[ua_map_cnt].name = name; + + ua_map_cnt++; + + if (*val == ',') val++; + + } + +} + + +/* Dump a HTTP signature. */ + +static u8* dump_sig(u8 to_srv, struct http_sig* hsig) { + + u32 i; + u8 had_prev = 0; + struct http_id* list; + + u8 tmp[HTTP_MAX_SHOW + 1]; + u32 tpos; + + static u8* ret; + u32 rlen = 0; + + u8* val; + +#define RETF(_par...) do { \ + s32 _len = snprintf(NULL, 0, _par); \ + if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ + ret = DFL_ck_realloc_kb(ret, rlen + _len + 1); \ + snprintf((char*)ret + rlen, _len + 1, _par); \ + rlen += _len; \ + } while (0) + + RETF("%u:", hsig->http_ver); + + for (i = 0; i < hsig->hdr_cnt; i++) { + + if (hsig->hdr[i].id >= 0) { + + u8 optional = 0; + + /* Check the "optional" list. */ + + list = to_srv ? req_optional : resp_optional; + + while (list->name) { + if (list->id == hsig->hdr[i].id) break; + list++; + } + + if (list->name) optional = 1; + + RETF("%s%s%s", had_prev ? "," : "", optional ? "?" : "", + hdr_names[hsig->hdr[i].id]); + had_prev = 1; + + if (!(val = hsig->hdr[i].value)) continue; + + /* Next, make sure that the value is not on the ignore list. */ + + if (optional) continue; + + list = to_srv ? req_skipval : resp_skipval; + + while (list->name) { + if (list->id == hsig->hdr[i].id) break; + list++; + } + + if (list->name) continue; + + /* Looks like it's not on the list, so let's output a cleaned-up version + up to HTTP_MAX_SHOW. */ + + tpos = 0; + + while (tpos < HTTP_MAX_SHOW && val[tpos] >= 0x20 && val[tpos] < 0x80 && + val[tpos] != ']' && val[tpos] != '|') { + + tmp[tpos] = val[tpos]; + tpos++; + + } + + tmp[tpos] = 0; + + if (!tpos) continue; + + RETF("=[%s]", tmp); + + } else { + + RETF("%s%s", had_prev ? "," : "", hsig->hdr[i].name); + had_prev = 1; + + if (!(val = hsig->hdr[i].value)) continue; + + tpos = 0; + + while (tpos < HTTP_MAX_SHOW && val[tpos] >= 0x20 && val[tpos] < 0x80 && + val[tpos] != ']') { tmp[tpos] = val[tpos]; tpos++; } + + tmp[tpos] = 0; + + if (!tpos) continue; + + RETF("=[%s]", tmp); + + } + + } + + RETF(":"); + + list = to_srv ? req_common : resp_common; + had_prev = 0; + + while (list->name) { + + for (i = 0; i < hsig->hdr_cnt; i++) + if (hsig->hdr[i].id == list->id) break; + + if (i == hsig->hdr_cnt) { + RETF("%s%s", had_prev ? "," : "", list->name); + had_prev = 1; + } + + list++; + + } + + RETF(":"); + + if ((val = hsig->sw)) { + + tpos = 0; + + while (tpos < HTTP_MAX_SHOW && val[tpos] >= 0x20 && val[tpos] < 0x80 && + val[tpos] != ']') { tmp[tpos] = val[tpos]; tpos++; } + + tmp[tpos] = 0; + + if (tpos) RETF("%s", tmp); + + } + + return ret; + + +} + + +/* Dump signature flags. */ + +static u8* dump_flags(struct http_sig* hsig, struct http_sig_record* m) { + + static u8* ret; + u32 rlen = 0; + + RETF(""); + + if (hsig->dishonest) RETF(" dishonest"); + if (!hsig->sw) RETF(" anonymous"); + if (m && m->generic) RETF(" generic"); + +#undef RETF + + if (*ret) return ret + 1; else return (u8*)"none"; + +} + + +/* Score signature differences. For unknown signatures, the presumption is that + they identify apps, so the logic is quite different from TCP. */ + +static void score_nat(u8 to_srv, struct packet_flow* f) { + + struct http_sig_record* m = f->http_tmp.matched; + struct host_data* hd; + struct http_sig* ref; + + u8 score = 0, diff_already = 0; + u16 reason = 0; + + if (to_srv) { + + hd = f->client; + ref = hd->http_req_os; + + } else { + + hd = f->server; + ref = hd->http_resp; + + /* If the signature is for a different port, don't read too much into it. */ + + if (hd->http_resp_port != f->srv_port) ref = NULL; + + } + + if (!m) { + + /* No match. The user is probably running another app; this is only of + interest if a server progresses from known to unknown. We can't + compare two unknown server sigs with that much confidence. */ + + if (!to_srv && ref && ref->matched) { + + DEBUG("[#] HTTP server signature changed from known to unknown.\n"); + score += 4; + reason |= NAT_TO_UNK; + + } + + goto header_check; + + } + + if (m->class_id == -1) { + + /* Got a match for an application signature. Make sure it runs on the + OS we have on file... */ + + verify_tool_class(to_srv, f, m->sys, m->sys_cnt); + + /* ...and check for inconsistencies in server behavior. */ + + if (!to_srv && ref && ref->matched) { + + if (ref->matched->name_id != m->name_id) { + + DEBUG("[#] Name on the matched HTTP server signature changes.\n"); + score += 8; + reason |= NAT_APP_LB; + + } else if (ref->matched->label_id != m->label_id) { + + DEBUG("[#] Label on the matched HTTP server signature changes.\n"); + score += 2; + reason |= NAT_APP_LB; + + } + + } + + } else { + + /* Ooh, spiffy: a match for an OS signature! There will be about two uses + for this code, ever. */ + + if (ref && ref->matched) { + + if (ref->matched->name_id != m->name_id) { + + DEBUG("[#] Name on the matched HTTP OS signature changes.\n"); + score += 8; + reason |= NAT_OS_SIG; + diff_already = 1; + + } else if (ref->matched->name_id != m->label_id) { + + DEBUG("[#] Label on the matched HTTP OS signature changes.\n"); + score += 2; + reason |= NAT_OS_SIG; + + } + + } else if (ref) { + + DEBUG("[#] HTTP OS signature changed from unknown to known.\n"); + score += 4; + reason |= NAT_TO_UNK; + + } + + /* If we haven't pointed out anything major yet, also complain if the + signature doesn't match host data. */ + + if (!diff_already && hd->last_name_id != m->name_id) { + + DEBUG("[#] Matched HTTP OS signature different than host data.\n"); + score += 4; + reason |= NAT_OS_SIG; + + } + + } + + /* If we have determined that U-A looks legit, but the OS doesn't match, + that's a clear sign of trouble. */ + + if (to_srv && m->class_id == -1 && f->http_tmp.sw && !f->http_tmp.dishonest) { + + u32 i; + + for (i = 0; i < ua_map_cnt; i++) + if (strstr((char*)f->http_tmp.sw, (char*)ua_map[i].name)) break; + + if (i != ua_map_cnt) { + + if (ua_map[i].id != hd->last_name_id) { + + DEBUG("[#] Otherwise plausible User-Agent points to another OS.\n"); + score += 4; + reason |= NAT_APP_UA; + + if (!hd->bad_sw) hd->bad_sw = 1; + + } else { + + DEBUG("[#] User-Agent OS value checks out.\n"); + hd->bad_sw = 0; + + } + + } + + } + + +header_check: + + /* Okay, some last-resort checks. This is obviously concerning: */ + + if (f->http_tmp.via) { + DEBUG("[#] Explicit use of Via or X-Forwarded-For.\n"); + score += 8; + reason |= NAT_APP_VIA; + } + + /* Last but not least, see what happened to 'Date': */ + + if (ref && !to_srv && ref->date && f->http_tmp.date) { + + s64 recv_diff = ((s64)f->http_tmp.recv_date) - ref->recv_date; + s64 hdr_diff = ((s64)f->http_tmp.date) - ref->date; + + if (hdr_diff < -HTTP_MAX_DATE_DIFF || + hdr_diff > recv_diff + HTTP_MAX_DATE_DIFF) { + + DEBUG("[#] HTTP 'Date' distance too high (%lld in %lld sec).\n", + hdr_diff, recv_diff); + score += 4; + reason |= NAT_APP_DATE; + + } else { + + DEBUG("[#] HTTP 'Date' distance seems fine (%lld in %lld sec).\n", + hdr_diff, recv_diff); + + } + + } + + add_nat_score(to_srv, f, reason, score); + +} + + +/* Look up HTTP signature, create an observation. */ + +static void fingerprint_http(u8 to_srv, struct packet_flow* f) { + + struct http_sig_record* m; + u8* lang = NULL; + + http_find_match(to_srv, &f->http_tmp, 0); + + start_observation(to_srv ? "http request" : "http response", 4, to_srv, f); + + if ((m = f->http_tmp.matched)) { + + OBSERVF((m->class_id < 0) ? "app" : "os", "%s%s%s", + fp_os_names[m->name_id], m->flavor ? " " : "", + m->flavor ? m->flavor : (u8*)""); + + } else add_observation_field("app", NULL); + + if (f->http_tmp.lang && isalpha(f->http_tmp.lang[0]) && + isalpha(f->http_tmp.lang[1]) && !isalpha(f->http_tmp.lang[2])) { + + u8 lh = LANG_HASH(f->http_tmp.lang[0], f->http_tmp.lang[1]); + u8 pos = 0; + + while (languages[lh][pos]) { + if (f->http_tmp.lang[0] == languages[lh][pos][0] && + f->http_tmp.lang[1] == languages[lh][pos][1]) break; + pos += 2; + } + + if (!languages[lh][pos]) add_observation_field("lang", NULL); + else add_observation_field("lang", + (lang = (u8*)languages[lh][pos + 1])); + + } else add_observation_field("lang", (u8*)"none"); + + add_observation_field("params", dump_flags(&f->http_tmp, m)); + + add_observation_field("raw_sig", dump_sig(to_srv, &f->http_tmp)); + + score_nat(to_srv, f); + + /* Save observations needed to score future responses. */ + + if (!to_srv) { + + /* For server response, always store the signature. */ + + ck_free(f->server->http_resp); + f->server->http_resp = ck_memdup(&f->http_tmp, sizeof(struct http_sig)); + + f->server->http_resp->hdr_cnt = 0; + f->server->http_resp->sw = NULL; + f->server->http_resp->lang = NULL; + f->server->http_resp->via = NULL; + + f->server->http_resp_port = f->srv_port; + + if (lang) f->server->language = lang; + + if (m) { + + if (m->class_id != -1) { + + /* If this is an OS signature, update host record. */ + + f->server->last_class_id = m->class_id; + f->server->last_name_id = m->name_id; + f->server->last_flavor = m->flavor; + f->server->last_quality = (m->generic * P0F_MATCH_GENERIC); + + } else { + + /* Otherwise, record app data. */ + + f->server->http_name_id = m->name_id; + f->server->http_flavor = m->flavor; + + if (f->http_tmp.dishonest) f->server->bad_sw = 2; + + } + + } + + } else { + + if (lang) f->client->language = lang; + + if (m) { + + if (m->class_id != -1) { + + /* Client request - only OS sig is of any note. */ + + ck_free(f->client->http_req_os); + f->client->http_req_os = ck_memdup(&f->http_tmp, + sizeof(struct http_sig)); + + f->client->http_req_os->hdr_cnt = 0; + f->client->http_req_os->sw = NULL; + f->client->http_req_os->lang = NULL; + f->client->http_req_os->via = NULL; + + f->client->last_class_id = m->class_id; + f->client->last_name_id = m->name_id; + f->client->last_flavor = m->flavor; + + f->client->last_quality = (m->generic * P0F_MATCH_GENERIC); + + } else { + + /* Record app data for the API. */ + + f->client->http_name_id = m->name_id; + f->client->http_flavor = m->flavor; + + if (f->http_tmp.dishonest) f->client->bad_sw = 2; + + } + + } + + } + +} + + + +/* Free up any allocated strings in http_sig. */ + +void free_sig_hdrs(struct http_sig* h) { + + u32 i; + + for (i = 0; i < h->hdr_cnt; i++) { + if (h->hdr[i].name) ck_free(h->hdr[i].name); + if (h->hdr[i].value) ck_free(h->hdr[i].value); + } + +} + + +/* Parse HTTP date field. */ + +static u32 parse_date(u8* str) { + struct tm t; + + if (!strptime((char*)str, "%a, %d %b %Y %H:%M:%S %Z", &t)) { + DEBUG("[#] Invalid 'Date' field ('%s').\n", str); + return 0; + } + + return mktime(&t); + +} + + +/* Parse name=value pairs into a signature. */ + +static u8 parse_pairs(u8 to_srv, struct packet_flow* f, u8 can_get_more) { + + u32 plen = to_srv ? f->req_len : f->resp_len; + + u32 off; + + /* Try to parse name: value pairs. */ + + while ((off = f->http_pos) < plen) { + + u8* pay = to_srv ? f->request : f->response; + + u32 nlen, vlen, vstart; + s32 hid; + u32 hcount; + + /* Empty line? Dispatch for fingerprinting! */ + + if (pay[off] == '\r' || pay[off] == '\n') { + + f->http_tmp.recv_date = get_unix_time(); + + fingerprint_http(to_srv, f); + + /* If this is a request, flush the collected signature and prepare + for parsing the response. If it's a response, just shut down HTTP + parsing on this flow. */ + + if (to_srv) { + + f->http_req_done = 1; + f->http_pos = 0; + + free_sig_hdrs(&f->http_tmp); + memset(&f->http_tmp, 0, sizeof(struct http_sig)); + + return 1; + + } else { + + f->in_http = -1; + return 0; + + } + + } + + /* Looks like we're getting a header value. See if we have room for it. */ + + if ((hcount = f->http_tmp.hdr_cnt) >= HTTP_MAX_HDRS) { + + DEBUG("[#] Too many HTTP headers in a %s.\n", to_srv ? "request" : + "response"); + + f->in_http = -1; + return 0; + + } + + /* Try to extract header name. */ + + nlen = 0; + + while ((isalnum(pay[off]) || pay[off] == '-' || pay[off] == '_') && + off < plen && nlen <= HTTP_MAX_HDR_NAME) { + + off++; + nlen++; + + } + + if (off == plen) { + + if (!can_get_more) { + + DEBUG("[#] End of HTTP %s before end of headers.\n", + to_srv ? "request" : "response"); + f->in_http = -1; + + } + + return can_get_more; + + } + + /* Empty, excessively long, or non-':'-followed header name? */ + + if (!nlen || pay[off] != ':' || nlen > HTTP_MAX_HDR_NAME) { + + DEBUG("[#] Invalid HTTP header encountered (len = %u, char = 0x%02x).\n", + nlen, pay[off]); + + f->in_http = -1; + return 0; + + } + + /* At this point, header name starts at f->http_pos, and has nlen bytes. + Skip ':' and a subsequent whitespace next. */ + + off++; + + if (off < plen && isblank(pay[off])) off++; + + vstart = off; + vlen = 0; + + /* Find the next \n. */ + + while (off < plen && vlen <= HTTP_MAX_HDR_VAL && pay[off] != '\n') { + + off++; + vlen++; + + } + + if (vlen > HTTP_MAX_HDR_VAL) { + DEBUG("[#] HTTP %s header value length exceeded.\n", + to_srv ? "request" : "response"); + f->in_http = -1; + return -1; + } + + if (off == plen) { + + if (!can_get_more) { + DEBUG("[#] End of HTTP %s before end of headers.\n", + to_srv ? "request" : "response"); + f->in_http = -1; + } + + return can_get_more; + + } + + /* If party is using \r\n terminators, go back one char. */ + + if (pay[off - 1] == '\r') vlen--; + + /* Header value starts at vstart, and has vlen bytes (may be zero). Record + this in the signature. */ + + hid = lookup_hdr(pay + f->http_pos, nlen, 0); + + f->http_tmp.hdr[hcount].id = hid; + + if (hid < 0) { + + /* Header ID not found, store literal value. */ + + f->http_tmp.hdr[hcount].name = ck_memdup_str(pay + f->http_pos, nlen); + + } else { + + /* Found - update Bloom filter. */ + + f->http_tmp.hdr_bloom4 |= bloom4_64(hid); + + } + + /* If there's a value, store that too. For U-A and Server, also update + 'sw'; and for requests, collect Accept-Language. */ + + if (vlen) { + + u8* val = ck_memdup_str(pay + vstart, vlen); + + f->http_tmp.hdr[hcount].value = val; + + if (to_srv) { + + switch (hid) { + case HDR_UA: f->http_tmp.sw = val; break; + case HDR_AL: f->http_tmp.lang = val; break; + case HDR_VIA: + case HDR_XFF: f->http_tmp.via = val; break; + } + + } else { + + switch (hid) { + + case HDR_SRV: f->http_tmp.sw = val; break; + case HDR_DAT: f->http_tmp.date = parse_date(val); break; + case HDR_VIA: + case HDR_XFF: f->http_tmp.via = val; break; + + } + + } + + } + + /* Moving on... */ + + f->http_tmp.hdr_cnt++; + f->http_pos = off + 1; + + } + + if (!can_get_more) { + DEBUG("[#] End of HTTP %s before end of headers.\n", + to_srv ? "request" : "response"); + f->in_http = -1; + } + + return can_get_more; + +} + + +/* Examine request or response; returns 1 if more data needed and plausibly can + be read. Note that the buffer is always NUL-terminated. */ + +u8 process_http(u8 to_srv, struct packet_flow* f) { + + /* Already decided this flow is not worth tracking? */ + + if (f->in_http < 0) return 0; + + if (to_srv) { + + u8* pay = f->request; + u8 can_get_more = (f->req_len < MAX_FLOW_DATA); + u32 off; + + /* Request done, but pending response? */ + + if (f->http_req_done) return 1; + + if (!f->in_http) { + + u8 chr; + u8* sig_at; + + /* Ooh, new flow! */ + + if (f->req_len < 15) return can_get_more; + + /* Scan until \n, or until binary data spotted. */ + + off = f->http_pos; + + /* We only care about GET and HEAD requests at this point. */ + + if (!off && strncmp((char*)pay, "GET /", 5) && + strncmp((char*)pay, "HEAD /", 6)) { + DEBUG("[#] Does not seem like a GET / HEAD request.\n"); + f->in_http = -1; + return 0; + } + + while (off < f->req_len && off < HTTP_MAX_URL && + (chr = pay[off]) != '\n') { + + if (chr != '\r' && (chr < 0x20 || chr > 0x7f)) { + + DEBUG("[#] Not HTTP - character 0x%02x encountered.\n", chr); + + f->in_http = -1; + return 0; + } + + off++; + + } + + /* Newline too far or too close? */ + + if (off == HTTP_MAX_URL || off < 14) { + + DEBUG("[#] Not HTTP - newline offset %u.\n", off); + + f->in_http = -1; + return 0; + + } + + /* Not enough data yet? */ + + if (off == f->req_len) { + + f->http_pos = off; + + if (!can_get_more) { + + DEBUG("[#] Not HTTP - no opening line found.\n"); + f->in_http = -1; + + } + + return can_get_more; + + } + + sig_at = pay + off - 8; + if (pay[off - 1] == '\r') sig_at--; + + /* Bad HTTP/1.x signature? */ + + if (strncmp((char*)sig_at, "HTTP/1.", 7)) { + + DEBUG("[#] Not HTTP - bad signature.\n"); + + f->in_http = -1; + return 0; + + } + + f->http_tmp.http_ver = (sig_at[7] == '1'); + + f->in_http = 1; + f->http_pos = off + 1; + + DEBUG("[#] HTTP detected.\n"); + + } + + return parse_pairs(1, f, can_get_more); + + } else { + + u8* pay = f->response; + u8 can_get_more = (f->resp_len < MAX_FLOW_DATA); + u32 off; + + /* Response before request? Bail out. */ + + if (!f->in_http || !f->http_req_done) { + f->in_http = -1; + return 0; + } + + if (!f->http_gotresp1) { + + u8 chr; + + if (f->resp_len < 13) return can_get_more; + + /* Scan until \n, or until binary data spotted. */ + + off = f->http_pos; + + while (off < f->resp_len && off < HTTP_MAX_URL && + (chr = pay[off]) != '\n') { + + if (chr != '\r' && (chr < 0x20 || chr > 0x7f)) { + + DEBUG("[#] Invalid HTTP response - character 0x%02x encountered.\n", + chr); + f->in_http = -1; + return 0; + + } + + off++; + + } + + /* Newline too far or too close? */ + + if (off == HTTP_MAX_URL || off < 13) { + + DEBUG("[#] Invalid HTTP response - newline offset %u.\n", off); + + f->in_http = -1; + return 0; + + } + + /* Not enough data yet? */ + + if (off == f->resp_len) { + + f->http_pos = off; + + if (!can_get_more) { + + DEBUG("[#] Invalid HTTP response - no opening line found.\n"); + f->in_http = -1; + + } + + return can_get_more; + + } + + /* Bad HTTP/1.x signature? */ + + if (strncmp((char*)pay, "HTTP/1.", 7)) { + + DEBUG("[#] Invalid HTTP response - bad signature.\n"); + + f->in_http = -1; + return 0; + + } + + f->http_tmp.http_ver = (pay[7] == '1'); + + f->http_pos = off + 1; + + DEBUG("[#] HTTP response starts correctly.\n"); + + + } + + return parse_pairs(0, f, can_get_more); + + } + +} diff --git a/docker/p0f/fp_http.h b/docker/p0f/fp_http.h new file mode 100644 index 00000000..c5dbfe69 --- /dev/null +++ b/docker/p0f/fp_http.h @@ -0,0 +1,104 @@ +/* + p0f - HTTP fingerprinting + ------------------------- + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#ifndef _HAVE_FP_HTTP_H +#define _HAVE_FP_HTTP_H + +#include "types.h" + +/* A structure used for looking up various headers internally in fp_http.c: */ + +struct http_id { + char* name; + u32 id; +}; + +/* Another internal structure for UA -> OS maps: */ + +struct ua_map_record { + u8* name; + u32 id; +}; + +/* HTTP header field: */ + +struct http_hdr { + s32 id; /* Lookup ID (-1 = none) */ + u8* name; /* Text name (NULL = use lookup ID) */ + u8* value; /* Value, if any */ + u8 optional; /* Optional header? */ +}; + +/* Request / response signature collected from the wire: */ + +struct http_sig { + + s8 http_ver; /* HTTP version (-1 = any) */ + + struct http_hdr hdr[HTTP_MAX_HDRS]; /* Mandatory / discovered headers */ + u32 hdr_cnt; + + u64 hdr_bloom4; /* Bloom filter for headers */ + + u32 miss[HTTP_MAX_HDRS]; /* Missing headers */ + u32 miss_cnt; + + u8* sw; /* Software string (U-A or Server) */ + u8* lang; /* Accept-Language */ + u8* via; /* Via or X-Forwarded-For */ + + u32 date; /* Parsed 'Date' */ + u32 recv_date; /* Actual receipt date */ + + /* Information used for matching with p0f.fp: */ + + struct http_sig_record* matched; /* NULL = no match */ + u8 dishonest; /* "sw" looks forged? */ + +}; + +/* Record for a HTTP signature read from p0f.fp: */ + +struct http_sig_record { + + s32 class_id; /* OS class ID (-1 = user) */ + s32 name_id; /* OS name ID */ + u8* flavor; /* Human-readable flavor string */ + + u32 label_id; /* Signature label ID */ + + u32* sys; /* OS class / name IDs for user apps */ + u32 sys_cnt; /* Length of sys */ + + u32 line_no; /* Line number in p0f.fp */ + + u8 generic; /* Generic signature? */ + + struct http_sig* sig; /* Actual signature data */ + +}; + +/* Register new HTTP signature. */ + +struct packet_flow; + +void http_parse_ua(u8* val, u32 line_no); + +void http_register_sig(u8 to_srv, u8 generic, s32 sig_class, u32 sig_name, + u8* sig_flavor, u32 label_id, u32* sys, u32 sys_cnt, + u8* val, u32 line_no); + +u8 process_http(u8 to_srv, struct packet_flow* f); + +void free_sig_hdrs(struct http_sig* h); + +void http_init(void); + +#endif /* _HAVE_FP_HTTP_H */ diff --git a/docker/p0f/fp_mtu.c b/docker/p0f/fp_mtu.c new file mode 100644 index 00000000..17e677c4 --- /dev/null +++ b/docker/p0f/fp_mtu.c @@ -0,0 +1,92 @@ +/* + p0f - MTU matching + ------------------ + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#include +#include +#include + +#include +#include +#include + +#include "types.h" +#include "config.h" +#include "debug.h" +#include "alloc-inl.h" +#include "process.h" +#include "readfp.h" +#include "p0f.h" +#include "tcp.h" + +#include "fp_mtu.h" + +static struct mtu_sig_record* sigs[SIG_BUCKETS]; +static u32 sig_cnt[SIG_BUCKETS]; + + +/* Register a new MTU signature. */ + +void mtu_register_sig(u8* name, u8* val, u32 line_no) { + + u8* nxt = val; + s32 mtu; + u32 bucket; + + while (isdigit(*nxt)) nxt++; + + if (nxt == val || *nxt) FATAL("Malformed MTU value in line %u.", line_no); + + mtu = atol((char*)val); + + if (mtu <= 0 || mtu > 65535) FATAL("Malformed MTU value in line %u.", line_no); + + bucket = mtu % SIG_BUCKETS; + + sigs[bucket] = DFL_ck_realloc(sigs[bucket], (sig_cnt[bucket] + 1) * + sizeof(struct mtu_sig_record)); + + sigs[bucket][sig_cnt[bucket]].mtu = mtu; + sigs[bucket][sig_cnt[bucket]].name = name; + + sig_cnt[bucket]++; + +} + + + +void fingerprint_mtu(u8 to_srv, struct packet_data* pk, struct packet_flow* f) { + + u32 bucket, i, mtu; + + if (!pk->mss || f->sendsyn) return; + + start_observation("mtu", 2, to_srv, f); + + if (pk->ip_ver == IP_VER4) mtu = pk->mss + MIN_TCP4; + else mtu = pk->mss + MIN_TCP6; + + bucket = (mtu) % SIG_BUCKETS; + + for (i = 0; i < sig_cnt[bucket]; i++) + if (sigs[bucket][i].mtu == mtu) break; + + if (i == sig_cnt[bucket]) add_observation_field("link", NULL); + else { + + add_observation_field("link", sigs[bucket][i].name); + + if (to_srv) f->client->link_type = sigs[bucket][i].name; + else f->server->link_type = sigs[bucket][i].name; + + } + + OBSERVF("raw_mtu", "%u", mtu); + +} diff --git a/docker/p0f/fp_mtu.h b/docker/p0f/fp_mtu.h new file mode 100644 index 00000000..d77418f2 --- /dev/null +++ b/docker/p0f/fp_mtu.h @@ -0,0 +1,34 @@ +/* + p0f - MTU matching + ------------------ + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#ifndef _HAVE_FP_MTU_H +#define _HAVE_FP_MTU_H + +#include "types.h" + +/* Record for a TCP signature read from p0f.fp: */ + +struct mtu_sig_record { + + u8* name; + u16 mtu; + +}; + +#include "process.h" + +struct packet_data; +struct packet_flow; + +void mtu_register_sig(u8* name, u8* val, u32 line_no); + +void fingerprint_mtu(u8 to_srv, struct packet_data* pk, struct packet_flow* f); + +#endif /* _HAVE_FP_MTU_H */ diff --git a/docker/p0f/fp_tcp.c b/docker/p0f/fp_tcp.c new file mode 100644 index 00000000..7ca35fde --- /dev/null +++ b/docker/p0f/fp_tcp.c @@ -0,0 +1,1341 @@ +/* + p0f - TCP/IP packet matching + ---------------------------- + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#include +#include +#include + +#include +#include +#include + +#include "types.h" +#include "config.h" +#include "debug.h" +#include "alloc-inl.h" +#include "process.h" +#include "hash.h" +#include "tcp.h" +#include "readfp.h" +#include "p0f.h" + +#include "fp_tcp.h" + +/* TCP signature buckets: */ + +static struct tcp_sig_record* sigs[2][SIG_BUCKETS]; +static u32 sig_cnt[2][SIG_BUCKETS]; + + +/* Figure out what the TTL distance might have been for an unknown sig. */ + +static u8 guess_dist(u8 ttl) { + if (ttl <= 32) return 32 - ttl; + if (ttl <= 64) return 64 - ttl; + if (ttl <= 128) return 128 - ttl; + return 255 - ttl; +} + + +/* Figure out if window size is a multiplier of MSS or MTU. We don't take window + scaling into account, because neither do TCP stack developers. */ + +static s16 detect_win_multi(struct tcp_sig* ts, u8* use_mtu, u16 syn_mss) { + + u16 win = ts->win; + s32 mss = ts->mss, mss12 = mss - 12; + + if (!win || mss < 100 || ts->win_type != WIN_TYPE_NORMAL) + return -1; + +#define RET_IF_DIV(_div, _use_mtu, _desc) do { \ + if ((_div) && !(win % (_div))) { \ + *use_mtu = (_use_mtu); \ + DEBUG("[#] Window size %u is a multiple of %s [%u].\n", win, _desc, _div); \ + return win / (_div); \ + } \ + } while (0) + + RET_IF_DIV(mss, 0, "MSS"); + + /* Some systems will sometimes subtract 12 bytes when timestamps are in use. */ + + if (ts->ts1) RET_IF_DIV(mss12, 0, "MSS - 12"); + + /* Some systems use MTU on the wrong interface, so let's check for the most + common case. */ + + RET_IF_DIV(1500 - MIN_TCP4, 0, "MSS (MTU = 1500, IPv4)"); + RET_IF_DIV(1500 - MIN_TCP4 - 12, 0, "MSS (MTU = 1500, IPv4 - 12)"); + + if (ts->ip_ver == IP_VER6) { + + RET_IF_DIV(1500 - MIN_TCP6, 0, "MSS (MTU = 1500, IPv6)"); + RET_IF_DIV(1500 - MIN_TCP6 - 12, 0, "MSS (MTU = 1500, IPv6 - 12)"); + + } + + /* Some systems use MTU instead of MSS: */ + + RET_IF_DIV(mss + MIN_TCP4, 1, "MTU (IPv4)"); + RET_IF_DIV(mss + ts->tot_hdr, 1, "MTU (actual size)"); + if (ts->ip_ver == IP_VER6) RET_IF_DIV(mss + MIN_TCP6, 1, "MTU (IPv6)"); + RET_IF_DIV(1500, 1, "MTU (1500)"); + + /* On SYN+ACKs, some systems use of the peer: */ + + if (syn_mss) { + + RET_IF_DIV(syn_mss, 0, "peer MSS"); + RET_IF_DIV(syn_mss - 12, 0, "peer MSS - 12"); + + } + +#undef RET_IF_DIV + + return -1; + +} + + + +/* See if any of the p0f.fp signatures matches the collected data. */ + +static void tcp_find_match(u8 to_srv, struct tcp_sig* ts, u8 dupe_det, + u16 syn_mss) { + + struct tcp_sig_record* fmatch = NULL; + struct tcp_sig_record* gmatch = NULL; + + u32 bucket = ts->opt_hash % SIG_BUCKETS; + u32 i; + + u8 use_mtu = 0; + s16 win_multi = detect_win_multi(ts, &use_mtu, syn_mss); + + CP(sigs[to_srv][bucket]); + + for (i = 0; i < sig_cnt[to_srv][bucket]; i++) { + + struct tcp_sig_record* ref = sigs[to_srv][bucket] + i; + struct tcp_sig* refs = CP(ref->sig); + + u8 fuzzy = 0; + u32 ref_quirks = refs->quirks; + + if (ref->sig->opt_hash != ts->opt_hash) continue; + + /* If the p0f.fp signature has no IP version specified, we need + to remove IPv6-specific quirks from it when matching IPv4 + packets, and vice versa. */ + + if (refs->ip_ver == -1) + ref_quirks &= ((ts->ip_ver == IP_VER4) ? ~(QUIRK_FLOW) : + ~(QUIRK_DF | QUIRK_NZ_ID | QUIRK_ZERO_ID)); + + if (ref_quirks != ts->quirks) { + + u32 deleted = (ref_quirks ^ ts->quirks) & ref_quirks, + added = (ref_quirks ^ ts->quirks) & ts->quirks; + + /* If there is a difference in quirks, but it amounts to 'df' or 'id+' + disappearing, or 'id-' or 'ecn' appearing, allow a fuzzy match. */ + + if (fmatch || (deleted & ~(QUIRK_DF | QUIRK_NZ_ID)) || + (added & ~(QUIRK_ZERO_ID | QUIRK_ECN))) continue; + + fuzzy = 1; + + } + + /* Fixed parameters. */ + + if (refs->opt_eol_pad != ts->opt_eol_pad || + refs->ip_opt_len != ts->ip_opt_len) continue; + + /* TTL matching, with a provision to allow fuzzy match. */ + + if (ref->bad_ttl) { + + if (refs->ttl < ts->ttl) continue; + + } else { + + if (refs->ttl < ts->ttl || refs->ttl - ts->ttl > MAX_DIST) fuzzy = 1; + + } + + /* Simple wildcards. */ + + if (refs->mss != -1 && refs->mss != ts->mss) continue; + if (refs->wscale != -1 && refs->wscale != ts->wscale) continue; + if (refs->pay_class != -1 && refs->pay_class != ts->pay_class) continue; + + /* Window size. */ + + if (ts->win_type != WIN_TYPE_NORMAL) { + + /* Comparing two p0f.fp signatures. */ + + if (refs->win_type != ts->win_type || refs->win != ts->win) continue; + + } else { + + /* Comparing real-world stuff. */ + + switch (refs->win_type) { + + case WIN_TYPE_NORMAL: + + if (refs->win != ts->win) continue; + break; + + case WIN_TYPE_MOD: + + if (ts->win % refs->win) continue; + break; + + case WIN_TYPE_MSS: + + if (use_mtu || refs->win != win_multi) continue; + break; + + case WIN_TYPE_MTU: + + if (!use_mtu || refs->win != win_multi) continue; + break; + + /* WIN_TYPE_ANY */ + + } + + } + + /* Got a match? If not fuzzy, return. If fuzzy, keep looking. */ + + if (!fuzzy) { + + if (!ref->generic) { + + ts->matched = ref; + ts->fuzzy = 0; + ts->dist = refs->ttl - ts->ttl; + return; + + } else if (!gmatch) gmatch = ref; + + } else if (!fmatch) fmatch = ref; + + } + + /* OK, no definitive match so far... */ + + if (dupe_det) return; + + /* If we found a generic signature, and nothing better, let's just use + that. */ + + if (gmatch) { + + ts->matched = gmatch; + ts->fuzzy = 0; + ts->dist = gmatch->sig->ttl - ts->ttl; + return; + + } + + /* No fuzzy matching for userland tools. */ + + if (fmatch && fmatch->class_id == -1) return; + + /* Let's try to guess distance if no match; or if match TTL out of + range. */ + + if (!fmatch || fmatch->sig->ttl < ts->ttl || + (!fmatch->bad_ttl && fmatch->sig->ttl - ts->ttl > MAX_DIST)) + ts->dist = guess_dist(ts->ttl); + else + ts->dist = fmatch->sig->ttl - ts->ttl; + + /* Record the outcome. */ + + ts->matched = fmatch; + + if (fmatch) ts->fuzzy = 1; + +} + + +/* Parse TCP-specific bits and register a signature read from p0f.fp. This + function is too long. */ + +void tcp_register_sig(u8 to_srv, u8 generic, s32 sig_class, u32 sig_name, + u8* sig_flavor, u32 label_id, u32* sys, u32 sys_cnt, + u8* val, u32 line_no) { + + s8 ver, win_type, pay_class; + u8 opt_layout[MAX_TCP_OPT]; + u8 opt_cnt = 0, bad_ttl = 0; + + s32 ittl, olen, mss, win, scale, opt_eol_pad = 0; + u32 quirks = 0, bucket, opt_hash; + + u8* nxt; + + struct tcp_sig* tsig; + struct tcp_sig_record* trec; + + /* IP version */ + + switch (*val) { + case '4': ver = IP_VER4; break; + case '6': ver = IP_VER6; break; + case '*': ver = -1; break; + default: FATAL("Unrecognized IP version in line %u.", line_no); + } + + if (val[1] != ':') FATAL("Malformed signature in line %u.", line_no); + + val += 2; + + /* Initial TTL (possibly ttl+dist or ttl-) */ + + nxt = val; + while (isdigit(*nxt)) nxt++; + + if (*nxt != ':' && *nxt != '+' && *nxt != '-') + FATAL("Malformed signature in line %u.", line_no); + + ittl = atol((char*)val); + if (ittl < 1 || ittl > 255) FATAL("Bogus initial TTL in line %u.", line_no); + val = nxt + 1; + + if (*nxt == '-' && nxt[1] == ':') { + + bad_ttl = 1; + val += 2; + + } else if (*nxt == '+') { + + s32 ittl_add; + + nxt++; + while (isdigit(*nxt)) nxt++; + if (*nxt != ':') FATAL("Malformed signature in line %u.", line_no); + + ittl_add = atol((char*)val); + + if (ittl_add < 0 || ittl + ittl_add > 255) + FATAL("Bogus initial TTL in line %u.", line_no); + + ittl += ittl_add; + val = nxt + 1; + + } + + /* Length of IP options */ + + nxt = val; + while (isdigit(*nxt)) nxt++; + if (*nxt != ':') FATAL("Malformed signature in line %u.", line_no); + + olen = atol((char*)val); + if (olen < 0 || olen > 255) + FATAL("Bogus IP option length in line %u.", line_no); + + val = nxt + 1; + + /* MSS */ + + if (*val == '*' && val[1] == ':') { + + mss = -1; + val += 2; + + } else { + + nxt = val; + while (isdigit(*nxt)) nxt++; + if (*nxt != ':') FATAL("Malformed signature in line %u.", line_no); + + mss = atol((char*)val); + if (mss < 0 || mss > 65535) FATAL("Bogus MSS in line %u.", line_no); + val = nxt + 1; + + } + + /* window size, followed by comma */ + + if (*val == '*' && val[1] == ',') { + + win_type = WIN_TYPE_ANY; + win = 0; + val += 2; + + } else if (*val == '%') { + + win_type = WIN_TYPE_MOD; + + val++; + + nxt = val; + while (isdigit(*nxt)) nxt++; + if (*nxt != ',') FATAL("Malformed signature in line %u.", line_no); + + win = atol((char*)val); + if (win < 2 || win > 65535) FATAL("Bogus '%%' value in line %u.", line_no); + val = nxt + 1; + + } else if (!strncmp((char*)val, "mss*", 4) || + !strncmp((char*)val, "mtu*", 4)) { + + win_type = (val[1] == 's') ? WIN_TYPE_MSS : WIN_TYPE_MTU; + + val += 4; + + nxt = val; + while (isdigit(*nxt)) nxt++; + if (*nxt != ',') FATAL("Malformed signature in line %u.", line_no); + + win = atol((char*)val); + if (win < 1 || win > 1000) + FATAL("Bogus MSS/MTU multiplier in line %u.", line_no); + + val = nxt + 1; + + } else { + + win_type = WIN_TYPE_NORMAL; + + nxt = val; + while (isdigit(*nxt)) nxt++; + if (*nxt != ',') FATAL("Malformed signature in line %u.", line_no); + + win = atol((char*)val); + if (win < 0 || win > 65535) FATAL("Bogus window size in line %u.", line_no); + val = nxt + 1; + + } + + /* Window scale */ + + if (*val == '*' && val[1] == ':') { + + scale = -1; + val += 2; + + } else { + + nxt = val; + while (isdigit(*nxt)) nxt++; + if (*nxt != ':') FATAL("Malformed signature in line %u.", line_no); + + scale = atol((char*)val); + if (scale < 0 || scale > 255) + FATAL("Bogus window scale in line %u.", line_no); + + val = nxt + 1; + + } + + /* Option layout */ + + memset(opt_layout, 0, sizeof(opt_layout)); + + while (*val != ':') { + + if (opt_cnt >= MAX_TCP_OPT) + FATAL("Too many TCP options in line %u.", line_no); + + if (!strncmp((char*)val, "eol", 3)) { + + opt_layout[opt_cnt++] = TCPOPT_EOL; + val += 3; + + if (*val != '+') + FATAL("Malformed EOL option in line %u.", line_no); + + val++; + nxt = val; + while (isdigit(*nxt)) nxt++; + + if (!*nxt) FATAL("Truncated options in line %u.", line_no); + + if (*nxt != ':') + FATAL("EOL must be the last option in line %u.", line_no); + + opt_eol_pad = atol((char*)val); + + if (opt_eol_pad < 0 || opt_eol_pad > 255) + FATAL("Bogus EOL padding in line %u.", line_no); + + val = nxt; + + } else if (!strncmp((char*)val, "nop", 3)) { + + opt_layout[opt_cnt++] = TCPOPT_NOP; + val += 3; + + } else if (!strncmp((char*)val, "mss", 3)) { + + opt_layout[opt_cnt++] = TCPOPT_MAXSEG; + val += 3; + + } else if (!strncmp((char*)val, "ws", 2)) { + + opt_layout[opt_cnt++] = TCPOPT_WSCALE; + val += 2; + + } else if (!strncmp((char*)val, "sok", 3)) { + + opt_layout[opt_cnt++] = TCPOPT_SACKOK; + val += 3; + + } else if (!strncmp((char*)val, "sack", 4)) { + + opt_layout[opt_cnt++] = TCPOPT_SACK; + val += 4; + + } else if (!strncmp((char*)val, "ts", 2)) { + + opt_layout[opt_cnt++] = TCPOPT_TSTAMP; + val += 2; + + } else if (*val == '?') { + + s32 optno; + + val++; + nxt = val; + while (isdigit(*nxt)) nxt++; + + if (*nxt != ':' && *nxt != ',') + FATAL("Malformed '?' option in line %u.", line_no); + + optno = atol((char*)val); + + if (optno < 0 || optno > 255) + FATAL("Bogus '?' option in line %u.", line_no); + + opt_layout[opt_cnt++] = optno; + + val = nxt; + + } else { + + FATAL("Unrecognized TCP option in line %u.", line_no); + + } + + if (*val == ':') break; + + if (*val != ',') + FATAL("Malformed TCP options in line %u.", line_no); + + val++; + + } + + val++; + + opt_hash = hash32(opt_layout, opt_cnt, hash_seed); + + /* Quirks */ + + while (*val != ':') { + + if (!strncmp((char*)val, "df", 2)) { + + if (ver == IP_VER6) + FATAL("'df' is not valid for IPv6 in line %d.", line_no); + + quirks |= QUIRK_DF; + val += 2; + + } else if (!strncmp((char*)val, "id+", 3)) { + + if (ver == IP_VER6) + FATAL("'id+' is not valid for IPv6 in line %d.", line_no); + + quirks |= QUIRK_NZ_ID; + val += 3; + + } else if (!strncmp((char*)val, "id-", 3)) { + + if (ver == IP_VER6) + FATAL("'id-' is not valid for IPv6 in line %d.", line_no); + + quirks |= QUIRK_ZERO_ID; + val += 3; + + } else if (!strncmp((char*)val, "ecn", 3)) { + + quirks |= QUIRK_ECN; + val += 3; + + } else if (!strncmp((char*)val, "0+", 2)) { + + if (ver == IP_VER6) + FATAL("'0+' is not valid for IPv6 in line %d.", line_no); + + quirks |= QUIRK_NZ_MBZ; + val += 2; + + } else if (!strncmp((char*)val, "flow", 4)) { + + if (ver == IP_VER4) + FATAL("'flow' is not valid for IPv4 in line %d.", line_no); + + quirks |= QUIRK_FLOW; + val += 4; + + } else if (!strncmp((char*)val, "seq-", 4)) { + + quirks |= QUIRK_ZERO_SEQ; + val += 4; + + } else if (!strncmp((char*)val, "ack+", 4)) { + + quirks |= QUIRK_NZ_ACK; + val += 4; + + } else if (!strncmp((char*)val, "ack-", 4)) { + + quirks |= QUIRK_ZERO_ACK; + val += 4; + + } else if (!strncmp((char*)val, "uptr+", 5)) { + + quirks |= QUIRK_NZ_URG; + val += 5; + + } else if (!strncmp((char*)val, "urgf+", 5)) { + + quirks |= QUIRK_URG; + val += 5; + + } else if (!strncmp((char*)val, "pushf+", 6)) { + + quirks |= QUIRK_PUSH; + val += 6; + + } else if (!strncmp((char*)val, "ts1-", 4)) { + + quirks |= QUIRK_OPT_ZERO_TS1; + val += 4; + + } else if (!strncmp((char*)val, "ts2+", 4)) { + + quirks |= QUIRK_OPT_NZ_TS2; + val += 4; + + } else if (!strncmp((char*)val, "opt+", 4)) { + + quirks |= QUIRK_OPT_EOL_NZ; + val += 4; + + } else if (!strncmp((char*)val, "exws", 4)) { + + quirks |= QUIRK_OPT_EXWS; + val += 4; + + } else if (!strncmp((char*)val, "bad", 3)) { + + quirks |= QUIRK_OPT_BAD; + val += 3; + + } else { + + FATAL("Unrecognized quirk in line %u.", line_no); + + } + + if (*val == ':') break; + + if (*val != ',') + FATAL("Malformed quirks in line %u.", line_no); + + val++; + + } + + val++; + + /* Payload class */ + + if (!strcmp((char*)val, "*")) pay_class = -1; + else if (!strcmp((char*)val, "0")) pay_class = 0; + else if (!strcmp((char*)val, "+")) pay_class = 1; + else FATAL("Malformed payload class in line %u.", line_no); + + /* Phew, okay, we're done. Now, create tcp_sig... */ + + tsig = DFL_ck_alloc(sizeof(struct tcp_sig)); + + tsig->opt_hash = opt_hash; + tsig->opt_eol_pad = opt_eol_pad; + + tsig->quirks = quirks; + + tsig->ip_opt_len = olen; + tsig->ip_ver = ver; + tsig->ttl = ittl; + + tsig->mss = mss; + tsig->win = win; + tsig->win_type = win_type; + tsig->wscale = scale; + tsig->pay_class = pay_class; + + /* No need to set ts1, recv_ms, match, fuzzy, dist */ + + tcp_find_match(to_srv, tsig, 1, 0); + + if (tsig->matched) + FATAL("Signature in line %u is already covered by line %u.", + line_no, tsig->matched->line_no); + + /* Everything checks out, so let's register it. */ + + bucket = opt_hash % SIG_BUCKETS; + + sigs[to_srv][bucket] = DFL_ck_realloc(sigs[to_srv][bucket], + (sig_cnt[to_srv][bucket] + 1) * sizeof(struct tcp_sig_record)); + + trec = sigs[to_srv][bucket] + sig_cnt[to_srv][bucket]; + + sig_cnt[to_srv][bucket]++; + + trec->generic = generic; + trec->class_id = sig_class; + trec->name_id = sig_name; + trec->flavor = sig_flavor; + trec->label_id = label_id; + trec->sys = sys; + trec->sys_cnt = sys_cnt; + trec->line_no = line_no; + trec->sig = tsig; + trec->bad_ttl = bad_ttl; + + /* All done, phew. */ + +} + + +/* Convert struct packet_data to a simplified struct tcp_sig representation + suitable for signature matching. Compute hashes. */ + +static void packet_to_sig(struct packet_data* pk, struct tcp_sig* ts) { + + ts->opt_hash = hash32(pk->opt_layout, pk->opt_cnt, hash_seed); + + ts->quirks = pk->quirks; + ts->opt_eol_pad = pk->opt_eol_pad; + ts->ip_opt_len = pk->ip_opt_len; + ts->ip_ver = pk->ip_ver; + ts->ttl = pk->ttl; + ts->mss = pk->mss; + ts->win = pk->win; + ts->win_type = WIN_TYPE_NORMAL; /* Keep as-is. */ + ts->wscale = pk->wscale; + ts->pay_class = !!pk->pay_len; + ts->tot_hdr = pk->tot_hdr; + ts->ts1 = pk->ts1; + ts->recv_ms = get_unix_time_ms(); + ts->matched = NULL; + ts->fuzzy = 0; + ts->dist = 0; + +}; + + +/* Dump unknown signature. */ + +static u8* dump_sig(struct packet_data* pk, struct tcp_sig* ts, u16 syn_mss) { + + static u8* ret; + u32 rlen = 0; + + u8 win_mtu; + s16 win_m; + u32 i; + u8 dist = guess_dist(pk->ttl); + +#define RETF(_par...) do { \ + s32 _len = snprintf(NULL, 0, _par); \ + if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ + ret = DFL_ck_realloc_kb(ret, rlen + _len + 1); \ + snprintf((char*)ret + rlen, _len + 1, _par); \ + rlen += _len; \ + } while (0) + + if (dist > MAX_DIST) { + + RETF("%u:%u+?:%u:", pk->ip_ver, pk->ttl, pk->ip_opt_len); + + } else { + + RETF("%u:%u+%u:%u:", pk->ip_ver, pk->ttl, dist, pk->ip_opt_len); + + } + + /* Detect a system echoing back MSS from p0f-sendsyn queries, suggest using + a wildcard in such a case. */ + + if (pk->mss == SPECIAL_MSS && pk->tcp_type == (TCP_SYN|TCP_ACK)) RETF("*:"); + else RETF("%u:", pk->mss); + + win_m = detect_win_multi(ts, &win_mtu, syn_mss); + + if (win_m > 0) RETF("%s*%u", win_mtu ? "mtu" : "mss", win_m); + else RETF("%u", pk->win); + + RETF(",%u:", pk->wscale); + + for (i = 0; i < pk->opt_cnt; i++) { + + switch (pk->opt_layout[i]) { + + case TCPOPT_EOL: + RETF("%seol+%u", i ? "," : "", pk->opt_eol_pad); break; + + case TCPOPT_NOP: + RETF("%snop", i ? "," : ""); break; + + case TCPOPT_MAXSEG: + RETF("%smss", i ? "," : ""); break; + + case TCPOPT_WSCALE: + RETF("%sws", i ? "," : ""); break; + + case TCPOPT_SACKOK: + RETF("%ssok", i ? "," : ""); break; + + case TCPOPT_SACK: + RETF("%ssack", i ? "," : ""); break; + + case TCPOPT_TSTAMP: + RETF("%sts", i ? "," : ""); break; + + default: + RETF("%s?%u", i ? "," : "", pk->opt_layout[i]); + + } + + } + + RETF(":"); + + if (pk->quirks) { + + u8 sp = 0; + +#define MAYBE_CM(_str) do { \ + if (sp) RETF("," _str); else RETF(_str); \ + sp = 1; \ + } while (0) + + if (pk->quirks & QUIRK_DF) MAYBE_CM("df"); + if (pk->quirks & QUIRK_NZ_ID) MAYBE_CM("id+"); + if (pk->quirks & QUIRK_ZERO_ID) MAYBE_CM("id-"); + if (pk->quirks & QUIRK_ECN) MAYBE_CM("ecn"); + if (pk->quirks & QUIRK_NZ_MBZ) MAYBE_CM("0+"); + if (pk->quirks & QUIRK_FLOW) MAYBE_CM("flow"); + + if (pk->quirks & QUIRK_ZERO_SEQ) MAYBE_CM("seq-"); + if (pk->quirks & QUIRK_NZ_ACK) MAYBE_CM("ack+"); + if (pk->quirks & QUIRK_ZERO_ACK) MAYBE_CM("ack-"); + if (pk->quirks & QUIRK_NZ_URG) MAYBE_CM("uptr+"); + if (pk->quirks & QUIRK_URG) MAYBE_CM("urgf+"); + if (pk->quirks & QUIRK_PUSH) MAYBE_CM("pushf+"); + + if (pk->quirks & QUIRK_OPT_ZERO_TS1) MAYBE_CM("ts1-"); + if (pk->quirks & QUIRK_OPT_NZ_TS2) MAYBE_CM("ts2+"); + if (pk->quirks & QUIRK_OPT_EOL_NZ) MAYBE_CM("opt+"); + if (pk->quirks & QUIRK_OPT_EXWS) MAYBE_CM("exws"); + if (pk->quirks & QUIRK_OPT_BAD) MAYBE_CM("bad"); + +#undef MAYBE_CM + + } + + if (pk->pay_len) RETF(":+"); else RETF(":0"); + + return ret; + +} + + +/* Dump signature-related flags. */ + +static u8* dump_flags(struct packet_data* pk, struct tcp_sig* ts) { + + static u8* ret; + u32 rlen = 0; + + RETF(""); + + if (ts->matched) { + + if (ts->matched->generic) RETF(" generic"); + if (ts->fuzzy) RETF(" fuzzy"); + if (ts->matched->bad_ttl) RETF(" random_ttl"); + + } + + if (ts->dist > MAX_DIST) RETF(" excess_dist"); + if (pk->tos) RETF(" tos:0x%02x", pk->tos); + + if (*ret) return ret + 1; else return (u8*)"none"; + +#undef RETF + +} + + +/* Compare current signature with historical data, draw conclusions. This + is called only for OS sigs. */ + +static void score_nat(u8 to_srv, struct tcp_sig* sig, struct packet_flow* f) { + + struct host_data* hd; + struct tcp_sig* ref; + u8 score = 0, diff_already = 0; + u16 reason = 0; + s32 ttl_diff; + + if (to_srv) { + + hd = f->client; + ref = hd->last_syn; + + } else { + + hd = f->server; + ref = hd->last_synack; + + } + + + if (!ref) { + + /* No previous signature of matching type at all. We can perhaps still check + if class / name is the same as on file, as that data might have been + obtained from other types of sigs. */ + + if (sig->matched && hd->last_class_id != -1) { + + if (hd->last_name_id != sig->matched->name_id) { + + DEBUG("[#] New TCP signature different OS type than host data.\n"); + + reason |= NAT_OS_SIG; + score += 8; + + } + + } + + goto log_and_update; + + } + + /* We have some previous data. */ + + if (!sig->matched || !ref->matched) { + + /* One or both of the signatures are unknown. Let's see if they differ. + The scoring here isn't too strong, because we don't know if the + unrecognized signature isn't originating from userland tools. */ + + if ((sig->quirks ^ ref->quirks) & ~(QUIRK_ECN|QUIRK_DF|QUIRK_NZ_ID| + QUIRK_ZERO_ID)) { + + DEBUG("[#] Non-fuzzy quirks changed compared to previous sig.\n"); + + reason |= NAT_UNK_DIFF; + score += 2; + + } else if (to_srv && sig->opt_hash != ref->opt_hash) { + + /* We only match option layout for SYNs; it may change on SYN+ACK, + and the user may have gaps in SYN+ACK sigs if he ignored our + advice on using p0f-sendsyn. */ + + DEBUG("[#] SYN option layout changed compared to previous sig.\n"); + + reason |= NAT_UNK_DIFF; + score += 1; + + } + + /* Progression from known to unknown is also of interest for SYNs. */ + + if (to_srv && sig->matched != ref->matched) { + + DEBUG("[#] SYN signature changed from %s.\n", + sig->matched ? "unknown to known" : "known to unknown"); + + score += 1; + reason |= NAT_TO_UNK; + + } + + } else { + + /* Both signatures known! */ + + if (ref->matched->name_id != sig->matched->name_id) { + + DEBUG("[#] TCP signature different OS type on previous sig.\n"); + score += 8; + reason |= NAT_OS_SIG; + + diff_already = 1; + + } else if (to_srv) { + + /* SYN signatures match superficially, but... */ + + if (ref->matched->label_id != sig->matched->label_id) { + + /* SYN label changes are a weak but useful signal. SYN+ACK signatures + may need less intuitive groupings, so we don't check that. */ + + DEBUG("[#] SYN signature label different on previous sig.\n"); + score += 2; + reason |= NAT_OS_SIG; + + } else if (ref->matched->line_no != sig->matched->line_no) { + + /* Change in line number is an extremely weak but still noteworthy + signal. */ + + DEBUG("[#] SYN signature changes within the same label.\n"); + score += 1; + reason |= NAT_OS_SIG; + + } else if (sig->fuzzy != ref->fuzzy) { + + /* Fuzziness change on a perfectly matched signature? */ + + DEBUG("[#] SYN signature fuzziness changes.\n"); + score += 1; + reason |= NAT_FUZZY; + + } + + } + + } + + /* Unless the signatures are already known to differ radically, mismatch + between host data and current sig is of additional note. */ + + if (!diff_already && sig->matched && hd->last_class_id != -1 && + hd->last_name_id != sig->matched->name_id) { + + DEBUG("[#] New OS signature different OS type than host data.\n"); + score += 8; + reason |= NAT_OS_SIG; + diff_already = 1; + + } + + /* TTL differences in absence of major signature mismatches is also + interesting, unless the signatures are tagged as "bad TTL", or unless + the difference is barely 1 and the host is distant. */ + +#define ABS(_x) ((_x) < 0 ? -(_x) : (_x)) + + ttl_diff = ((s16)sig->ttl) - ref->ttl; + + if (!diff_already && ttl_diff && (!sig->matched || !sig->matched->bad_ttl) && + (!ref->matched || !ref->matched->bad_ttl) && (sig->dist <= NEAR_TTL_LIMIT || + ttl_diff > 1)) { + + DEBUG("[#] Signature TTL differs by %d (dist = %u).\n", ttl_diff, sig->dist); + + if (sig->dist > LOCAL_TTL_LIMIT && ABS(ttl_diff) <= SMALL_TTL_CHG) + score += 1; else score += 4; + + reason |= NAT_TTL; + + } + + /* Source port going back frequently is of some note, although it will happen + spontaneously every now and then. Require the drop to be by at least + few dozen, to account for simple case of several simultaneously opened + connections arriving in odd order. */ + + if (to_srv && hd->last_port && f->cli_port < hd->last_port && + hd->last_port - f->cli_port >= MIN_PORT_DROP) { + + DEBUG("[#] Source port drops from %u to %u.\n", hd->last_port, f->cli_port); + + score += 1; + reason |= NAT_PORT; + + } + + /* Change of MTU is always sketchy. */ + + if (sig->mss != ref->mss) { + + DEBUG("[#] MSS for signature changed from %u to %u.\n", ref->mss, sig->mss); + + score += 1; + reason |= NAT_MSS; + + } + + /* Check timestamp progression to possibly adjust current score. Don't rate + on TS alone, because some systems may be just randomizing that. */ + + if (score && sig->ts1 && ref->ts1) { + + u64 ms_diff = sig->recv_ms - ref->recv_ms; + + /* Require a timestamp within the last day; if the apparent TS progression + is much higher than 1 kHz, complain. */ + + if (ms_diff < MAX_NAT_TS) { + + u64 use_ms = (ms_diff < TSTAMP_GRACE) ? TSTAMP_GRACE : ms_diff; + u64 max_ts = use_ms * MAX_TSCALE / 1000; + + u32 ts_diff = sig->ts1 - ref->ts1; + + if (ts_diff > max_ts && (ms_diff >= TSTAMP_GRACE || ~ts_diff > max_ts)) { + + DEBUG("[#] Dodgy timestamp progression across signatures (%d " + "in %llu ms).\n", ts_diff, ms_diff); + score += 4; + reason |= NAT_TS; + + } else { + + DEBUG("[#] Timestamp consistent across signatures (%d in %llu ms), " + "reducing score.\n", ts_diff, ms_diff); + score /= 2; + + } + + } else DEBUG("[#] Timestamps available, but with bad interval (%llu ms).\n", + ms_diff); + + } + +log_and_update: + + add_nat_score(to_srv, f, reason, score); + + /* Update some of the essential records. */ + + if (sig->matched) { + + hd->last_class_id = sig->matched->class_id; + hd->last_name_id = sig->matched->name_id; + hd->last_flavor = sig->matched->flavor; + + hd->last_quality = (sig->fuzzy * P0F_MATCH_FUZZY) | + (sig->matched->generic * P0F_MATCH_GENERIC); + + } + + hd->last_port = f->cli_port; + +} + + +/* Fingerprint SYN or SYN+ACK. */ + +struct tcp_sig* fingerprint_tcp(u8 to_srv, struct packet_data* pk, + struct packet_flow* f) { + + struct tcp_sig* sig; + struct tcp_sig_record* m; + + sig = ck_alloc(sizeof(struct tcp_sig)); + packet_to_sig(pk, sig); + + /* Detect packets generated by p0f-sendsyn; they require special + handling to provide the user with response fingerprints, but not + interfere with NAT scores and such. */ + + if (pk->tcp_type == TCP_SYN && pk->win == SPECIAL_WIN && + pk->mss == SPECIAL_MSS) f->sendsyn = 1; + + if (to_srv) + start_observation(f->sendsyn ? "sendsyn probe" : "syn", 4, 1, f); + else + start_observation(f->sendsyn ? "sendsyn response" : "syn+ack", 4, 0, f); + + tcp_find_match(to_srv, sig, 0, f->syn_mss); + + if ((m = sig->matched)) { + + OBSERVF((m->class_id == -1 || f->sendsyn) ? "app" : "os", "%s%s%s", + fp_os_names[m->name_id], m->flavor ? " " : "", + m->flavor ? m->flavor : (u8*)""); + + } else { + + add_observation_field("os", NULL); + + } + + if (m && m->bad_ttl) { + + OBSERVF("dist", "<= %u", sig->dist); + + } else { + + if (to_srv) f->client->distance = sig->dist; + else f->server->distance = sig->dist; + + OBSERVF("dist", "%u", sig->dist); + + } + + add_observation_field("params", dump_flags(pk, sig)); + + add_observation_field("raw_sig", dump_sig(pk, sig, f->syn_mss)); + + if (pk->tcp_type == TCP_SYN) f->syn_mss = pk->mss; + + /* That's about as far as we go with non-OS signatures. */ + + if (m && m->class_id == -1) { + verify_tool_class(to_srv, f, m->sys, m->sys_cnt); + ck_free(sig); + return NULL; + } + + if (f->sendsyn) { + ck_free(sig); + return NULL; + } + + score_nat(to_srv, sig, f); + + return sig; + +} + + +/* Perform uptime detection. This is the only FP function that gets called not + only on SYN or SYN+ACK, but also on ACK traffic. */ + +void check_ts_tcp(u8 to_srv, struct packet_data* pk, struct packet_flow* f) { + + u32 ts_diff; + u64 ms_diff; + + u32 freq; + u32 up_min, up_mod_days; + + double ffreq; + + if (!pk->ts1 || f->sendsyn) return; + + /* If we're getting SYNs very rapidly, last_syn may be changing too quickly + to be of any use. Perhaps lock into an older value? */ + + if (to_srv) { + + if (f->cli_tps || !f->client->last_syn || !f->client->last_syn->ts1) + return; + + ms_diff = get_unix_time_ms() - f->client->last_syn->recv_ms; + ts_diff = pk->ts1 - f->client->last_syn->ts1; + + } else { + + if (f->srv_tps || !f->server->last_synack || !f->server->last_synack->ts1) + return; + + ms_diff = get_unix_time_ms() - f->server->last_synack->recv_ms; + ts_diff = pk->ts1 - f->server->last_synack->ts1; + + } + + /* Wait at least 25 ms, and not more than 10 minutes, for at least 5 + timestamp ticks. Allow the timestamp to go back slightly within + a short window, too - we may be receiving packets a bit out of + order. */ + + if (ms_diff < MIN_TWAIT || ms_diff > MAX_TWAIT) return; + + if (ts_diff < 5 || (ms_diff < TSTAMP_GRACE && (~ts_diff) / 1000 < + MAX_TSCALE / TSTAMP_GRACE)) return; + + if (ts_diff > ~ts_diff) ffreq = ~ts_diff * -1000.0 / ms_diff; + else ffreq = ts_diff * 1000.0 / ms_diff; + + if (ffreq < MIN_TSCALE || ffreq > MAX_TSCALE) { + + /* Allow bad reading on SYN, as this may be just an artifact of IP + sharing or OS change. */ + + if (pk->tcp_type != TCP_SYN) { + + if (to_srv) f->cli_tps = -1; else f->srv_tps = -1; + + } + + DEBUG("[#] Bad %s TS frequency: %.02f Hz (%d ticks in %llu ms).\n", + to_srv ? "client" : "server", ffreq, ts_diff, ms_diff); + + return; + + } + + freq = ffreq; + + /* Round the frequency neatly. */ + + switch (freq) { + + case 0: freq = 1; break; + case 1 ... 10: break; + case 11 ... 50: freq = (freq + 3) / 5 * 5; break; + case 51 ... 100: freq = (freq + 7) / 10 * 10; break; + case 101 ... 500: freq = (freq + 33) / 50 * 50; break; + default: freq = (freq + 67) / 100 * 100; break; + + } + + if (to_srv) f->cli_tps = freq; else f->srv_tps = freq; + + up_min = pk->ts1 / freq / 60; + up_mod_days = 0xFFFFFFFF / (freq * 60 * 60 * 24); + + start_observation("uptime", 2, to_srv, f); + + if (to_srv) { + + f->client->last_up_min = up_min; + f->client->up_mod_days = up_mod_days; + + } else { + + f->server->last_up_min = up_min; + f->server->up_mod_days = up_mod_days; + + } + + OBSERVF("uptime", "%u days %u hrs %u min (modulo %u days)", + (up_min / 60 / 24), (up_min / 60) % 24, up_min % 60, + up_mod_days); + + OBSERVF("raw_freq", "%.02f Hz", ffreq); + +} diff --git a/docker/p0f/fp_tcp.h b/docker/p0f/fp_tcp.h new file mode 100644 index 00000000..0c6bb441 --- /dev/null +++ b/docker/p0f/fp_tcp.h @@ -0,0 +1,95 @@ +/* + p0f - TCP/IP packet matching + ---------------------------- + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#ifndef _HAVE_FP_TCP_H +#define _HAVE_FP_TCP_H + +#include "types.h" + +/* Simplified data for signature matching and NAT detection: */ + +struct tcp_sig { + + u32 opt_hash; /* Hash of opt_layout & opt_cnt */ + u32 quirks; /* Quirks */ + + u8 opt_eol_pad; /* Amount of padding past EOL */ + u8 ip_opt_len; /* Length of IP options */ + + s8 ip_ver; /* -1 = any, IP_VER4, IP_VER6 */ + + u8 ttl; /* Actual TTL */ + + s32 mss; /* Maximum segment size (-1 = any) */ + u16 win; /* Window size */ + u8 win_type; /* WIN_TYPE_* */ + s16 wscale; /* Window scale (-1 = any) */ + + s8 pay_class; /* -1 = any, 0 = zero, 1 = non-zero */ + + u16 tot_hdr; /* Total header length */ + u32 ts1; /* Own timestamp */ + u64 recv_ms; /* Packet recv unix time (ms) */ + + /* Information used for matching with p0f.fp: */ + + struct tcp_sig_record* matched; /* NULL = no match */ + u8 fuzzy; /* Approximate match? */ + u8 dist; /* Distance */ + +}; + +/* Methods for matching window size in tcp_sig: */ + +#define WIN_TYPE_NORMAL 0x00 /* Literal value */ +#define WIN_TYPE_ANY 0x01 /* Wildcard (p0f.fp sigs only) */ +#define WIN_TYPE_MOD 0x02 /* Modulo check (p0f.fp sigs only) */ +#define WIN_TYPE_MSS 0x03 /* Window size MSS multiplier */ +#define WIN_TYPE_MTU 0x04 /* Window size MTU multiplier */ + +/* Record for a TCP signature read from p0f.fp: */ + +struct tcp_sig_record { + + u8 generic; /* Generic entry? */ + s32 class_id; /* OS class ID (-1 = user) */ + s32 name_id; /* OS name ID */ + u8* flavor; /* Human-readable flavor string */ + + u32 label_id; /* Signature label ID */ + + u32* sys; /* OS class / name IDs for user apps */ + u32 sys_cnt; /* Length of sys */ + + u32 line_no; /* Line number in p0f.fp */ + + u8 bad_ttl; /* TTL is generated randomly */ + + struct tcp_sig* sig; /* Actual signature data */ + +}; + +#include "process.h" + +struct packet_data; +struct packet_flow; + +void tcp_register_sig(u8 to_srv, u8 generic, s32 sig_class, u32 sig_name, + u8* sig_flavor, u32 label_id, u32* sys, u32 sys_cnt, + u8* val, u32 line_no); + +struct tcp_sig* fingerprint_tcp(u8 to_srv, struct packet_data* pk, + struct packet_flow* f); + +void fingerprint_sendsyn(struct packet_data* pk); + +void check_ts_tcp(u8 to_srv, struct packet_data* pk, struct packet_flow* f); + +#endif /* _HAVE_FP_TCP_H */ diff --git a/docker/p0f/hash.h b/docker/p0f/hash.h new file mode 100644 index 00000000..a207821b --- /dev/null +++ b/docker/p0f/hash.h @@ -0,0 +1,98 @@ +/* + p0f - a port of lookup3 + ----------------------- + + The hash32() function is a modified copy of lookup3, a good non-cryptosafe + seeded hashing function developed by Bob Jenkins. + + Bob's original code is public domain; so is this variant. + + */ + +#ifndef _HAVE_HASH_H +#define _HAVE_HASH_H + +#include "types.h" + +#define ROL32(_x, _r) (((_x) << (_r)) | ((_x) >> (32 - (_r)))) + +static inline u32 hash32(const void* key, u32 len, u32 seed) { + + u32 a, b, c; + const u8* k = key; + + a = b = c = 0xdeadbeef + len + seed; + + while (len > 12) { + + a += RD32p(k); + b += RD32p(k + 4); + c += RD32p(k + 8); + + a -= c; a ^= ROL32(c, 4); c += b; + b -= a; b ^= ROL32(a, 6); a += c; + c -= b; c ^= ROL32(b, 8); b += a; + a -= c; a ^= ROL32(c, 16); c += b; + b -= a; b ^= ROL32(a, 19); a += c; + c -= b; c ^= ROL32(b, 4); b += a; + + len -= 12; + k += 12; + + } + + switch (len) { + + case 12: c += RD32p(k + 8); + b += RD32p(k+ 4); + a += RD32p(k); break; + + case 11: c += (RD16p(k + 8) << 8) | k[10]; + b += RD32p(k + 4); + a += RD32p(k); break; + + case 10: c += RD16p(k + 8); + b += RD32p(k + 4); + a += RD32p(k); break; + + case 9: c += k[8]; + b += RD32p(k + 4); + a += RD32p(k); break; + + case 8: b += RD32p(k + 4); + a += RD32p(k); break; + + case 7: b += (RD16p(k + 4) << 8) | k[6] ; + a += RD32p(k); break; + + case 6: b += RD16p(k + 4); + a += RD32p(k); break; + + case 5: b += k[4]; + a += RD32p(k); break; + + case 4: a += RD32p(k); break; + + case 3: a += (RD16p(k) << 8) | k[2]; break; + + case 2: a += RD16p(k); break; + + case 1: a += k[0]; break; + + case 0: return c; + + } + + c ^= b; c -= ROL32(b, 14); + a ^= c; a -= ROL32(c, 11); + b ^= a; b -= ROL32(a, 25); + c ^= b; c -= ROL32(b, 16); + a ^= c; a -= ROL32(c, 4); + b ^= a; b -= ROL32(a, 14); + c ^= b; c -= ROL32(b, 24); + + return c; + +} + +#endif /* !_HAVE_HASH_H */ diff --git a/docker/p0f/languages.h b/docker/p0f/languages.h new file mode 100644 index 00000000..1b822567 --- /dev/null +++ b/docker/p0f/languages.h @@ -0,0 +1,282 @@ +/* + p0f - ISO 639-1 languages + ------------------------- + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#ifndef _HAVE_LANGUAGES_H +#define _HAVE_LANGUAGES_H + +#include "types.h" + +#define MAX_LANG 3 + +#define LANG_HASH(_b0, _b1) (((_b0) * (_b1) ^ (_b1)) & 0xff) + +static char* languages[256][MAX_LANG * 2 + 1] = { + + /* 0x00 */ { 0 }, + /* 0x01 */ { "ro", "Romanian", 0 }, + /* 0x02 */ { "sw", "Swahili", 0 }, + /* 0x03 */ { "ne", "Nepali", 0 }, + /* 0x04 */ { "nl", "Dutch", "sn", "Shona", 0 }, + /* 0x05 */ { 0 }, + /* 0x06 */ { "ln", "Lingala", 0 }, + /* 0x07 */ { 0 }, + /* 0x08 */ { "en", "English", "ie", "Interlingue", 0 }, + /* 0x09 */ { "bg", "Bulgarian", "ha", "Hausa", 0 }, + /* 0x0a */ { "cs", "Czech", "ko", "Korean", 0 }, + /* 0x0b */ { 0 }, + /* 0x0c */ { "gv", "Manx", 0 }, + /* 0x0d */ { 0 }, + /* 0x0e */ { 0 }, + /* 0x0f */ { "vi", "Vietnamese", 0 }, + /* 0x10 */ { "mt", "Maltese", 0 }, + /* 0x11 */ { "bo", "Tibetan", "de", "German", "pa", "Panjabi", 0 }, + /* 0x12 */ { 0 }, + /* 0x13 */ { "lg", "Ganda", 0 }, + /* 0x14 */ { 0 }, + /* 0x15 */ { 0 }, + /* 0x16 */ { 0 }, + /* 0x17 */ { "tk", "Turkmen", 0 }, + /* 0x18 */ { "gl", "Galician", "yo", "Yoruba", 0 }, + /* 0x19 */ { 0 }, + /* 0x1a */ { "sc", "Sardinian", 0 }, + /* 0x1b */ { 0 }, + /* 0x1c */ { "or", "Oriya", 0 }, + /* 0x1d */ { 0 }, + /* 0x1e */ { "fr", "French", 0 }, + /* 0x1f */ { 0 }, + /* 0x20 */ { "ae", "Avestan", "am", "Amharic", "mh", "Marshallese", 0 }, + /* 0x21 */ { 0 }, + /* 0x22 */ { "hr", "Croatian", "sg", "Sango", 0 }, + /* 0x23 */ { "ps", "Pushto", "to", "Tonga", 0 }, + /* 0x24 */ { "kj", "Kuanyama", "kv", "Komi", 0 }, + /* 0x25 */ { "li", "Limburgan", "ng", "Ndonga", 0 }, + /* 0x26 */ { 0 }, + /* 0x27 */ { 0 }, + /* 0x28 */ { 0 }, + /* 0x29 */ { "lu", "Luba-Katanga", 0 }, + /* 0x2a */ { "nn", "Norwegian Nynorsk", 0 }, + /* 0x2b */ { 0 }, + /* 0x2c */ { "es", "Spanish", "gn", "Guarani", "pl", "Polish", 0 }, + /* 0x2d */ { 0 }, + /* 0x2e */ { "om", "Oromo", 0 }, + /* 0x2f */ { 0 }, + /* 0x30 */ { 0 }, + /* 0x31 */ { 0 }, + /* 0x32 */ { 0 }, + /* 0x33 */ { 0 }, + /* 0x34 */ { 0 }, + /* 0x35 */ { 0 }, + /* 0x36 */ { 0 }, + /* 0x37 */ { 0 }, + /* 0x38 */ { 0 }, + /* 0x39 */ { 0 }, + /* 0x3a */ { "lb", "Luxembourgish", "se", "Northern Sami", 0 }, + /* 0x3b */ { 0 }, + /* 0x3c */ { 0 }, + /* 0x3d */ { 0 }, + /* 0x3e */ { 0 }, + /* 0x3f */ { 0 }, + /* 0x40 */ { "ab", "Abkhazian", "ar", "Arabic", "az", "Azerbaijani", 0 }, + /* 0x41 */ { 0 }, + /* 0x42 */ { "si", "Sinhala", 0 }, + /* 0x43 */ { "ba", "Bashkir", 0 }, + /* 0x44 */ { "sr", "Serbian", 0 }, + /* 0x45 */ { "vo", "Volapuk", 0 }, + /* 0x46 */ { 0 }, + /* 0x47 */ { 0 }, + /* 0x48 */ { "kl", "Kalaallisut", "th", "Thai", 0 }, + /* 0x49 */ { 0 }, + /* 0x4a */ { "cu", "Church Slavic", 0 }, + /* 0x4b */ { "ja", "Japanese", 0 }, + /* 0x4c */ { 0 }, + /* 0x4d */ { 0 }, + /* 0x4e */ { 0 }, + /* 0x4f */ { "fy", "Western Frisian", 0 }, + /* 0x50 */ { "ch", "Chamorro", 0 }, + /* 0x51 */ { "hy", "Armenian", 0 }, + /* 0x52 */ { 0 }, + /* 0x53 */ { 0 }, + /* 0x54 */ { "ht", "Haitian", 0 }, + /* 0x55 */ { "fo", "Faroese", 0 }, + /* 0x56 */ { "fj", "Fijian", 0 }, + /* 0x57 */ { 0 }, + /* 0x58 */ { "gd", "Scottish Gaelic", "ig", "Igbo", "is", "Icelandic", 0 }, + /* 0x59 */ { 0 }, + /* 0x5a */ { 0 }, + /* 0x5b */ { "bi", "Bislama", "za", "Zhuang", 0 }, + /* 0x5c */ { "eu", "Basque", 0 }, + /* 0x5d */ { 0 }, + /* 0x5e */ { 0 }, + /* 0x5f */ { 0 }, + /* 0x60 */ { "id", "Indonesian", 0 }, + /* 0x61 */ { 0 }, + /* 0x62 */ { "ks", "Kashmiri", 0 }, + /* 0x63 */ { 0 }, + /* 0x64 */ { "cr", "Cree", 0 }, + /* 0x65 */ { 0 }, + /* 0x66 */ { "ga", "Irish", "gu", "Gujarati", 0 }, + /* 0x67 */ { 0 }, + /* 0x68 */ { "st", "Southern Sotho", "ur", "Urdu", 0 }, + /* 0x69 */ { 0 }, + /* 0x6a */ { "ce", "Chechen", "kg", "Kongo", 0 }, + /* 0x6b */ { 0 }, + /* 0x6c */ { 0 }, + /* 0x6d */ { "he", "Hebrew", 0 }, + /* 0x6e */ { "dv", "Dhivehi", 0 }, + /* 0x6f */ { "ru", "Russian", "ts", "Tsonga", 0 }, + /* 0x70 */ { 0 }, + /* 0x71 */ { 0 }, + /* 0x72 */ { "bn", "Bengali", 0 }, + /* 0x73 */ { 0 }, + /* 0x74 */ { "sv", "Swedish", "ug", "Uighur", 0 }, + /* 0x75 */ { "bs", "Bosnian", 0 }, + /* 0x76 */ { "wa", "Walloon", 0 }, + /* 0x77 */ { "ho", "Hiri Motu", 0 }, + /* 0x78 */ { "ii", "Sichuan Yi", 0 }, + /* 0x79 */ { 0 }, + /* 0x7a */ { "sk", "Slovak", 0 }, + /* 0x7b */ { 0 }, + /* 0x7c */ { 0 }, + /* 0x7d */ { 0 }, + /* 0x7e */ { "nb", "Norwegian Bokmal", 0 }, + /* 0x7f */ { 0 }, + /* 0x80 */ { 0 }, + /* 0x81 */ { 0 }, + /* 0x82 */ { "co", "Corsican", 0 }, + /* 0x83 */ { 0 }, + /* 0x84 */ { "lt", "Lithuanian", "ms", "Malay", 0 }, + /* 0x85 */ { "da", "Danish", 0 }, + /* 0x86 */ { 0 }, + /* 0x87 */ { "ny", "Nyanja", 0 }, + /* 0x88 */ { "ik", "Inupiaq", "iu", "Inuktitut", "sd", "Sindhi", 0 }, + /* 0x89 */ { "rw", "Kinyarwanda", 0 }, + /* 0x8a */ { "ki", "Kikuyu", 0 }, + /* 0x8b */ { 0 }, + /* 0x8c */ { "uk", "Ukrainian", 0 }, + /* 0x8d */ { "la", "Latin", 0 }, + /* 0x8e */ { "nr", "South Ndebele", "oc", "Occitan", 0 }, + /* 0x8f */ { 0 }, + /* 0x90 */ { "ml", "Malayalam", 0 }, + /* 0x91 */ { 0 }, + /* 0x92 */ { "ku", "Kurdish", "rn", "Rundi", 0 }, + /* 0x93 */ { 0 }, + /* 0x94 */ { "kn", "Kannada", 0 }, + /* 0x95 */ { "ta", "Tamil", 0 }, + /* 0x96 */ { 0 }, + /* 0x97 */ { 0 }, + /* 0x98 */ { 0 }, + /* 0x99 */ { "pi", "Pali", 0 }, + /* 0x9a */ { "sm", "Samoan", 0 }, + /* 0x9b */ { "tw", "Twi", 0 }, + /* 0x9c */ { "nd", "North Ndebele", "oj", "Ojibwa", "tl", "Tagalog", 0 }, + /* 0x9d */ { 0 }, + /* 0x9e */ { 0 }, + /* 0x9f */ { 0 }, + /* 0xa0 */ { "aa", "Afar", "ay", "Aymara", 0 }, + /* 0xa1 */ { "te", "Telugu", 0 }, + /* 0xa2 */ { 0 }, + /* 0xa3 */ { 0 }, + /* 0xa4 */ { "eo", "Esperanto", 0 }, + /* 0xa5 */ { 0 }, + /* 0xa6 */ { 0 }, + /* 0xa7 */ { 0 }, + /* 0xa8 */ { "ia", "Interlingua", "xh", "Xhosa", 0 }, + /* 0xa9 */ { 0 }, + /* 0xaa */ { "jv", "Javanese", 0 }, + /* 0xab */ { 0 }, + /* 0xac */ { 0 }, + /* 0xad */ { "ty", "Tahitian", 0 }, + /* 0xae */ { "os", "Ossetian", 0 }, + /* 0xaf */ { 0 }, + /* 0xb0 */ { "et", "Estonian", 0 }, + /* 0xb1 */ { 0 }, + /* 0xb2 */ { "cy", "Welsh", "so", "Somali", "sq", "Albanian", 0 }, + /* 0xb3 */ { 0 }, + /* 0xb4 */ { "pt", "Portuguese", 0 }, + /* 0xb5 */ { 0 }, + /* 0xb6 */ { "tn", "Tswana", 0 }, + /* 0xb7 */ { "zu", "Zulu", 0 }, + /* 0xb8 */ { "bh", "Bihari", "mn", "Mongolian", "uz", "Uzbek", 0 }, + /* 0xb9 */ { 0 }, + /* 0xba */ { 0 }, + /* 0xbb */ { "lo", "Lao", 0 }, + /* 0xbc */ { "ee", "Ewe", "mg", "Malagasy", 0 }, + /* 0xbd */ { 0 }, + /* 0xbe */ { "lv", "Latvian", 0 }, + /* 0xbf */ { "fi", "Finnish", 0 }, + /* 0xc0 */ { "af", "Afrikaans", "an", "Aragonese", "av", "Avaric", 0 }, + /* 0xc1 */ { "hi", "Hindi", 0 }, + /* 0xc2 */ { "ff", "Fulah", "nv", "Navajo", 0 }, + /* 0xc3 */ { 0 }, + /* 0xc4 */ { 0 }, + /* 0xc5 */ { 0 }, + /* 0xc6 */ { 0 }, + /* 0xc7 */ { "fa", "Persian", 0 }, + /* 0xc8 */ { "yi", "Yiddish", 0 }, + /* 0xc9 */ { 0 }, + /* 0xca */ { "kw", "Cornish", 0 }, + /* 0xcb */ { "tg", "Tajik", 0 }, + /* 0xcc */ { 0 }, + /* 0xcd */ { 0 }, + /* 0xce */ { 0 }, + /* 0xcf */ { "be", "Belarusian", "na", "Nauru", 0 }, + /* 0xd0 */ { "qu", "Quechua", "sh", "Serbo-Croatian", 0 }, + /* 0xd1 */ { 0 }, + /* 0xd2 */ { "dz", "Dzongkha", "kk", "Kazakh", 0 }, + /* 0xd3 */ { 0 }, + /* 0xd4 */ { "cv", "Chuvash", "kr", "Kanuri", 0 }, + /* 0xd5 */ { 0 }, + /* 0xd6 */ { "br", "Breton", 0 }, + /* 0xd7 */ { "bm", "Bambara", 0 }, + /* 0xd8 */ { 0 }, + /* 0xd9 */ { 0 }, + /* 0xda */ { "ss", "Swati", "tr", "Turkish", 0 }, + /* 0xdb */ { 0 }, + /* 0xdc */ { "mi", "Maori", 0 }, + /* 0xdd */ { "no", "Norwegian", 0 }, + /* 0xde */ { 0 }, + /* 0xdf */ { 0 }, + /* 0xe0 */ { "ak", "Akan", "as", "Assamese", "it", "Italian", 0 }, + /* 0xe1 */ { 0 }, + /* 0xe2 */ { "ca", "Catalan", "km", "Central Khmer", 0 }, + /* 0xe3 */ { 0 }, + /* 0xe4 */ { "mk", "Macedonian", "tt", "Tatar", 0 }, + /* 0xe5 */ { 0 }, + /* 0xe6 */ { 0 }, + /* 0xe7 */ { "rm", "Romansh", 0 }, + /* 0xe8 */ { "io", "Ido", "sl", "Slovenian", 0 }, + /* 0xe9 */ { 0 }, + /* 0xea */ { "hz", "Herero", "ka", "Georgian", "ky", "Kirghiz", 0 }, + /* 0xeb */ { "ve", "Venda", 0 }, + /* 0xec */ { 0 }, + /* 0xed */ { 0 }, + /* 0xee */ { 0 }, + /* 0xef */ { 0 }, + /* 0xf0 */ { "el", "Modern Greek", 0 }, + /* 0xf1 */ { 0 }, + /* 0xf2 */ { "sa", "Sanskrit", 0 }, + /* 0xf3 */ { 0 }, + /* 0xf4 */ { 0 }, + /* 0xf5 */ { 0 }, + /* 0xf6 */ { "wo", "Wolof", 0 }, + /* 0xf7 */ { 0 }, + /* 0xf8 */ { "mr", "Marathi", "zh", "Chinese", 0 }, + /* 0xf9 */ { 0 }, + /* 0xfa */ { "su", "Sundanese", 0 }, + /* 0xfb */ { 0 }, + /* 0xfc */ { "my", "Burmese", 0 }, + /* 0xfd */ { "hu", "Hungarian", "ti", "Tigrinya", 0 }, + /* 0xfe */ { 0 }, + /* 0xff */ { 0 } + +}; + +#endif /* !_HAVE_LANGUAGES_H */ + diff --git a/docker/p0f/p0f.c b/docker/p0f/p0f.c new file mode 100644 index 00000000..d87f3e52 --- /dev/null +++ b/docker/p0f/p0f.c @@ -0,0 +1,1289 @@ +/* + p0f - main entry point and all the pcap / unix socket innards + ------------------------------------------------------------- + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#define _GNU_SOURCE +#define _FROM_P0F + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#ifdef NET_BPF +# include +#else +# include +#endif /* !NET_BPF */ + +#include "types.h" +#include "debug.h" +#include "alloc-inl.h" +#include "process.h" +#include "readfp.h" +#include "api.h" +#include "tcp.h" +#include "fp_http.h" +#include "p0f.h" + +#ifndef PF_INET6 +# define PF_INET6 10 +#endif /* !PF_INET6 */ + +#ifndef O_NOFOLLOW +# define O_NOFOLLOW 0 +#endif /* !O_NOFOLLOW */ + +#ifndef O_LARGEFILE +# define O_LARGEFILE 0 +#endif /* !O_LARGEFILE */ + +static json_t *json_record = NULL; + +static u8 *use_iface, /* Interface to listen on */ + *orig_rule, /* Original filter rule */ + *switch_user, /* Target username */ + *log_file, /* Binary log file name */ + *api_sock, /* API socket file name */ + *fp_file; /* Location of p0f.fp */ + +u8* read_file; /* File to read pcap data from */ + +static u32 + api_max_conn = API_MAX_CONN; /* Maximum number of API connections */ + +u32 + max_conn = MAX_CONN, /* Connection entry count limit */ + max_hosts = MAX_HOSTS, /* Host cache entry count limit */ + conn_max_age = CONN_MAX_AGE, /* Maximum age of a connection entry */ + host_idle_limit = HOST_IDLE_LIMIT; /* Host cache idle timeout */ + +static struct api_client *api_cl; /* Array with API client state */ + +static s32 null_fd = -1, /* File descriptor of /dev/null */ + api_fd = -1; /* API socket descriptor */ + +static FILE* lf; /* Log file stream */ + +static u8 stop_soon; /* Ctrl-C or so pressed? */ + +u8 daemon_mode; /* Running in daemon mode? */ +u8 json_mode; /* Log in JSON? */ +u8 line_buffered_mode; /* Line Buffered Mode? */ + +static u8 set_promisc; /* Use promiscuous mode? */ + +static pcap_t *pt; /* PCAP capture thingy */ + +s32 link_type; /* PCAP link type */ + +u32 hash_seed; /* Hash seed */ + +static u8 obs_fields; /* No of pending observation fields */ + +/* Memory allocator data: */ + +#ifdef DEBUG_BUILD +struct TRK_obj* TRK[ALLOC_BUCKETS]; +u32 TRK_cnt[ALLOC_BUCKETS]; +#endif /* DEBUG_BUILD */ + +#define LOGF(_x...) fprintf(lf, _x) + +/* Display usage information */ + +static void usage(void) { + + ERRORF( + +"Usage: p0f [ ...options... ] [ 'filter rule' ]\n" +"\n" +"Network interface options:\n" +"\n" +" -i iface - listen on the specified network interface\n" +" -r file - read offline pcap data from a given file\n" +" -p - put the listening interface in promiscuous mode\n" +" -L - list all available interfaces\n" +"\n" +"Operating mode and output settings:\n" +"\n" +" -f file - read fingerprint database from 'file' (%s)\n" +" -o file - write information to the specified log file\n" +" -j - Log in JSON format.\n" +" -l - Line buffered mode for logging to output file.\n" +#ifndef __CYGWIN__ +" -s name - answer to API queries at a named unix socket\n" +#endif /* !__CYGWIN__ */ +" -u user - switch to the specified unprivileged account and chroot\n" +" -d - fork into background (requires -o or -s)\n" +"\n" +"Performance-related options:\n" +"\n" +#ifndef __CYGWIN__ +" -S limit - limit number of parallel API connections (%u)\n" +#endif /* !__CYGWIN__ */ +" -t c,h - set connection / host cache age limits (%us,%um)\n" +" -m c,h - cap the number of active connections / hosts (%u,%u)\n" +"\n" +"Optional filter expressions (man tcpdump) can be specified in the command\n" +"line to prevent p0f from looking at incidental network traffic.\n" +"\n" +"Problems? You can reach the author at .\n", + + FP_FILE, +#ifndef __CYGWIN__ + API_MAX_CONN, +#endif /* !__CYGWIN__ */ + CONN_MAX_AGE, HOST_IDLE_LIMIT, MAX_CONN, MAX_HOSTS); + + exit(1); + +} + + +/* Obtain hash seed: */ + +static void get_hash_seed(void) { + + s32 f = open("/dev/urandom", O_RDONLY); + + if (f < 0) PFATAL("Cannot open /dev/urandom for reading."); + +#ifndef DEBUG_BUILD + + /* In debug versions, use a constant seed. */ + + if (read(f, &hash_seed, sizeof(hash_seed)) != sizeof(hash_seed)) + FATAL("Cannot read data from /dev/urandom."); + +#endif /* !DEBUG_BUILD */ + + close(f); + +} + + +/* Get rid of unnecessary file descriptors */ + +static void close_spare_fds(void) { + + s32 i, closed = 0; + DIR* d; + struct dirent* de; + + d = opendir("/proc/self/fd"); + + if (!d) { + /* Best we could do... */ + for (i = 3; i < 256; i++) + if (!close(i)) closed++; + return; + } + + while ((de = readdir(d))) { + i = atol(de->d_name); + if (i > 2 && !close(i)) closed++; + } + + closedir(d); + + if (closed) + SAYF("[+] Closed %u file descriptor%s.\n", closed, closed == 1 ? "" : "s" ); + +} + + +/* Create or open log file */ + +static void open_log(void) { + + struct stat st; + s32 log_fd; + + log_fd = open((char*)log_file, O_WRONLY | O_APPEND | O_NOFOLLOW | O_LARGEFILE); + + if (log_fd >= 0) { + + if (fstat(log_fd, &st)) PFATAL("fstat() on '%s' failed.", log_file); + + if (!S_ISREG(st.st_mode)) FATAL("'%s' is not a regular file.", log_file); + + } else { + + if (errno != ENOENT) PFATAL("Cannot open '%s'.", log_file); + + log_fd = open((char*)log_file, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, + LOG_MODE); + + if (log_fd < 0) PFATAL("Cannot open '%s'.", log_file); + + } + + if (flock(log_fd, LOCK_EX | LOCK_NB)) + FATAL("'%s' is being used by another process.", log_file); + + lf = fdopen(log_fd, "a"); + + if (!lf) FATAL("fdopen() on '%s' failed.", log_file); + + SAYF("[+] Log file '%s' opened for writing.\n", log_file); + +} + + +/* Create and start listening on API socket */ + +static void open_api(void) { + + s32 old_umask; + u32 i; + + struct sockaddr_un u; + struct stat st; + + api_fd = socket(PF_UNIX, SOCK_STREAM, 0); + + if (api_fd < 0) PFATAL("socket(PF_UNIX) failed."); + + memset(&u, 0, sizeof(u)); + u.sun_family = AF_UNIX; + + if (strlen((char*)api_sock) >= sizeof(u.sun_path)) + FATAL("API socket filename is too long for sockaddr_un (blame Unix)."); + + strcpy(u.sun_path, (char*)api_sock); + + /* This is bad, but you can't do any better with standard unix socket + semantics today :-( */ + + if (!stat((char*)api_sock, &st) && !S_ISSOCK(st.st_mode)) + FATAL("'%s' exists but is not a socket.", api_sock); + + if (unlink((char*)api_sock) && errno != ENOENT) + PFATAL("unlink('%s') failed.", api_sock); + + old_umask = umask(0777 ^ API_MODE); + + if (bind(api_fd, (struct sockaddr*)&u, sizeof(u))) + PFATAL("bind() on '%s' failed.", api_sock); + + umask(old_umask); + + if (listen(api_fd, api_max_conn)) + PFATAL("listen() on '%s' failed.", api_sock); + + if (fcntl(api_fd, F_SETFL, O_NONBLOCK)) + PFATAL("fcntl() to set O_NONBLOCK on API listen socket fails."); + + api_cl = DFL_ck_alloc(api_max_conn * sizeof(struct api_client)); + + for (i = 0; i < api_max_conn; i++) api_cl[i].fd = -1; + + SAYF("[+] Listening on API socket '%s' (max %u clients).\n", + api_sock, api_max_conn); + +} + + +/* Open log entry. */ + +void start_observation(char* keyword, u8 field_cnt, u8 to_srv, + struct packet_flow* f) { + + if (obs_fields) FATAL("Premature end of observation."); + + if (!daemon_mode) { + + SAYF(".-[ %s/%u -> ", addr_to_str(f->client->addr, f->client->ip_ver), + f->cli_port); + SAYF("%s/%u (%s) ]-\n|\n", addr_to_str(f->server->addr, f->client->ip_ver), + f->srv_port, keyword); + + SAYF("| %-8s = %s/%u\n", to_srv ? "client" : "server", + addr_to_str(to_srv ? f->client->addr : + f->server->addr, f->client->ip_ver), + to_srv ? f->cli_port : f->srv_port); + + } + + if (log_file) { + + u8 tmp[64]; + + time_t ut = get_unix_time(); + struct tm* lt = localtime(&ut); + + strftime((char*)tmp, 64, "%Y/%m/%d %H:%M:%S", lt); + + if (json_mode) { + json_record = json_object(); + json_object_set_new(json_record, "timestamp", json_string((char *)tmp)); + json_object_set_new(json_record, "mod", json_string((char *)keyword)); + json_object_set_new(json_record, "client_ip", json_string((char *)addr_to_str(f->client->addr, f->client->ip_ver))); + json_object_set_new(json_record, "server_ip", json_string((char *)addr_to_str(f->server->addr, f->server->ip_ver))); + json_object_set_new(json_record, "client_port", json_integer(f->cli_port)); + json_object_set_new(json_record, "server_port", json_integer(f->srv_port)); + json_object_set_new(json_record, "subject", json_string((char *)(to_srv ? "cli" : "srv"))); + } else { + LOGF("[%s] mod=%s|cli=%s/%u|",tmp, keyword, addr_to_str(f->client->addr, + f->client->ip_ver), f->cli_port); + + LOGF("srv=%s/%u|subj=%s", addr_to_str(f->server->addr, f->server->ip_ver), + f->srv_port, to_srv ? "cli" : "srv"); + } + } + + obs_fields = field_cnt; +} + + +/* Add log item. */ + +void add_observation_field(char* key, u8* value) { + + if (!obs_fields) FATAL("Unexpected observation field ('%s').", key); + + if (!daemon_mode) + SAYF("| %-8s = %s\n", key, value ? value : (u8*)"???"); + + if (log_file) { + if (json_mode) { + json_object_set_new(json_record, key, json_string( (char *)(value ? value : (u8*)"???") )); + } else { + LOGF("|%s=%s", key, value ? value : (u8*)"???"); + } + } + + obs_fields--; + + if (!obs_fields) { + + if (!daemon_mode) SAYF("|\n`----\n\n"); + + if (log_file){ + + if (json_mode) { + json_dumpf(json_record, lf, 0); + json_decref(json_record); + } + + LOGF("\n"); + if (line_buffered_mode) { + fflush(lf); + } + } + + } + +} + + +/* Show PCAP interface list */ + +static void list_interfaces(void) { + + char pcap_err[PCAP_ERRBUF_SIZE]; + pcap_if_t *dev; + u8 i = 0; + + /* There is a bug in several years' worth of libpcap releases that causes it + to SEGV here if /sys/class/net is not readable. See http://goo.gl/nEnGx */ + + if (access("/sys/class/net", R_OK | X_OK) && errno != ENOENT) + FATAL("This operation requires access to /sys/class/net/, sorry."); + + if (pcap_findalldevs(&dev, pcap_err) == -1) + FATAL("pcap_findalldevs: %s\n", pcap_err); + + if (!dev) FATAL("Can't find any interfaces. Maybe you need to be root?"); + + SAYF("\n-- Available interfaces --\n"); + + do { + + pcap_addr_t *a = dev->addresses; + + SAYF("\n%3d: Name : %s\n", i++, dev->name); + SAYF(" Description : %s\n", dev->description ? dev->description : "-"); + + /* Let's try to find something we can actually display. */ + + while (a && a->addr->sa_family != PF_INET && a->addr->sa_family != PF_INET6) + a = a->next; + + if (a) { + + if (a->addr->sa_family == PF_INET) + SAYF(" IP address : %s\n", addr_to_str(((u8*)a->addr) + 4, IP_VER4)); + else + SAYF(" IP address : %s\n", addr_to_str(((u8*)a->addr) + 8, IP_VER6)); + + } else SAYF(" IP address : (none)\n"); + + } while ((dev = dev->next)); + + SAYF("\n"); + + pcap_freealldevs(dev); + +} + + + +#ifdef __CYGWIN__ + +/* List PCAP-recognized interfaces */ + +static u8* find_interface(int num) { + + char pcap_err[PCAP_ERRBUF_SIZE]; + pcap_if_t *dev; + + if (pcap_findalldevs(&dev, pcap_err) == -1) + FATAL("pcap_findalldevs: %s\n", pcap_err); + + do { + + if (!num--) { + u8* ret = DFL_ck_strdup((char*)dev->name); + pcap_freealldevs(dev); + return ret; + } + + } while ((dev = dev->next)); + + FATAL("Interface not found (use -L to list all)."); + +} + +#endif /* __CYGWIN__ */ + + +/* Initialize PCAP capture */ + +static void prepare_pcap(void) { + + char pcap_err[PCAP_ERRBUF_SIZE]; + u8* orig_iface = use_iface; + + if (read_file) { + + if (set_promisc) + FATAL("Dude, how am I supposed to make a file promiscuous?"); + + if (use_iface) + FATAL("Options -i and -r are mutually exclusive."); + + if (access((char*)read_file, R_OK)) + PFATAL("Can't access file '%s'.", read_file); + + pt = pcap_open_offline((char*)read_file, pcap_err); + + if (!pt) FATAL("pcap_open_offline: %s", pcap_err); + + SAYF("[+] Will read pcap data from file '%s'.\n", read_file); + + } else { + + if (!use_iface) { + + /* See the earlier note on libpcap SEGV - same problem here. + Also, this returns something stupid on Windows, but hey... */ + + if (!access("/sys/class/net", R_OK | X_OK) || errno == ENOENT) + use_iface = (u8*)pcap_lookupdev(pcap_err); + + if (!use_iface) + FATAL("libpcap is out of ideas; use -i to specify interface."); + + } + +#ifdef __CYGWIN__ + + /* On Windows, interface names are unwieldy, and people prefer to use + numerical IDs. */ + + else { + + int iface_id; + + if (sscanf((char*)use_iface, "%u", &iface_id) == 1) { + use_iface = find_interface(iface_id); + } + + } + + pt = pcap_open_live((char*)use_iface, SNAPLEN, set_promisc, 250, pcap_err); + +#else + + /* PCAP timeouts tend to be broken, so we'll use a very small value + and rely on select() instead. */ + + pt = pcap_open_live((char*)use_iface, SNAPLEN, set_promisc, 5, pcap_err); + +#endif /* ^__CYGWIN__ */ + + if (!orig_iface) + SAYF("[+] Intercepting traffic on default interface '%s'.\n", use_iface); + else + SAYF("[+] Intercepting traffic on interface '%s'.\n", use_iface); + + if (!pt) FATAL("pcap_open_live: %s", pcap_err); + + } + + link_type = pcap_datalink(pt); + +} + + +/* Initialize BPF filtering */ + +static void prepare_bpf(void) { + + struct bpf_program flt; + + u8* final_rule; + u8 vlan_support; + + /* VLAN matching is somewhat brain-dead: you need to request it explicitly, + and it alters the semantics of the remainder of the expression. */ + + vlan_support = (pcap_datalink(pt) == DLT_EN10MB); + +retry_no_vlan: + + if (!orig_rule) { + + if (vlan_support) { + final_rule = (u8*)"tcp or (vlan and tcp)"; + } else { + final_rule = (u8*)"tcp"; + } + + } else { + + if (vlan_support) { + + final_rule = ck_alloc(strlen((char*)orig_rule) * 2 + 64); + + sprintf((char*)final_rule, "(tcp and (%s)) or (vlan and tcp and (%s))", + orig_rule, orig_rule); + + } else { + + final_rule = ck_alloc(strlen((char*)orig_rule) + 16); + + sprintf((char*)final_rule, "tcp and (%s)", orig_rule); + + } + + } + + DEBUG("[#] Computed rule: %s\n", final_rule); + + if (pcap_compile(pt, &flt, (char*)final_rule, 1, 0)) { + + if (vlan_support) { + + if (orig_rule) ck_free(final_rule); + vlan_support = 0; + goto retry_no_vlan; + + } + + pcap_perror(pt, "[-] pcap_compile"); + + if (!orig_rule) + FATAL("pcap_compile() didn't work, strange"); + else + FATAL("Syntax error! See 'man tcpdump' for help on filters."); + + } + + if (pcap_setfilter(pt, &flt)) + FATAL("pcap_setfilter() didn't work, strange."); + + pcap_freecode(&flt); + + if (!orig_rule) { + + SAYF("[+] Default packet filtering configured%s.\n", + vlan_support ? " [+VLAN]" : ""); + + } else { + + SAYF("[+] Custom filtering rule enabled: %s%s\n", + orig_rule ? orig_rule : (u8*)"tcp", + vlan_support ? " [+VLAN]" : ""); + + ck_free(final_rule); + + } + +} + + +/* Drop privileges and chroot(), with some sanity checks */ + +static void drop_privs(void) { + + struct passwd* pw; + + pw = getpwnam((char*)switch_user); + + if (!pw) FATAL("User '%s' not found.", switch_user); + + if (!strcmp(pw->pw_dir, "/")) + FATAL("User '%s' must have a dedicated home directory.", switch_user); + + if (!pw->pw_uid || !pw->pw_gid) + FATAL("User '%s' must be non-root.", switch_user); + + if (initgroups(pw->pw_name, pw->pw_gid)) + PFATAL("initgroups() for '%s' failed.", switch_user); + + if (chdir(pw->pw_dir)) + PFATAL("chdir('%s') failed.", pw->pw_dir); + + if (chroot(pw->pw_dir)) + PFATAL("chroot('%s') failed.", pw->pw_dir); + + if (chdir("/")) + PFATAL("chdir('/') after chroot('%s') failed.", pw->pw_dir); + + if (!access("/proc/", F_OK) || !access("/sys/", F_OK)) + FATAL("User '%s' must have a dedicated home directory.", switch_user); + + if (setgid(pw->pw_gid)) + PFATAL("setgid(%u) failed.", pw->pw_gid); + + if (setuid(pw->pw_uid)) + PFATAL("setuid(%u) failed.", pw->pw_uid); + + if (getegid() != pw->pw_gid || geteuid() != pw->pw_uid) + FATAL("Inconsistent euid / egid after dropping privs."); + + SAYF("[+] Privileges dropped: uid %u, gid %u, root '%s'.\n", + pw->pw_uid, pw->pw_gid, pw->pw_dir); + +} + + +/* Enter daemon mode. */ + +static void fork_off(void) { + + s32 npid; + + fflush(0); + + npid = fork(); + + if (npid < 0) PFATAL("fork() failed."); + + if (!npid) { + + /* Let's assume all this is fairly unlikely to fail, so we can live + with the parent possibly proclaiming success prematurely. */ + + if (dup2(null_fd, 0) < 0) PFATAL("dup2() failed."); + + /* If stderr is redirected to a file, keep that fd and use it for + normal output. */ + + if (isatty(2)) { + + if (dup2(null_fd, 1) < 0 || dup2(null_fd, 2) < 0) + PFATAL("dup2() failed."); + + } else { + + if (dup2(2, 1) < 0) PFATAL("dup2() failed."); + + } + + close(null_fd); + null_fd = -1; + + if (chdir("/")) PFATAL("chdir('/') failed."); + + setsid(); + + } else { + + SAYF("[+] Daemon process created, PID %u (stderr %s).\n", npid, + isatty(2) ? "not kept" : "kept as-is"); + + SAYF("\nGood luck, you're on your own now!\n"); + + exit(0); + + } + +} + + +/* Handler for Ctrl-C and related signals */ + +static void abort_handler(int sig) { + if (stop_soon) exit(1); + stop_soon = 1; +} + + +#ifndef __CYGWIN__ + +/* Regenerate pollfd data for poll() */ + +static u32 regen_pfds(struct pollfd* pfds, struct api_client** ctable) { + u32 i, count = 2; + + pfds[0].fd = pcap_fileno(pt); + pfds[0].events = (POLLIN | POLLERR | POLLHUP); + + DEBUG("[#] Recomputing pollfd data, pcap_fd = %d.\n", pfds[0].fd); + + if (!api_sock) return 1; + + pfds[1].fd = api_fd; + pfds[1].events = (POLLIN | POLLERR | POLLHUP); + + for (i = 0; i < api_max_conn; i++) { + + if (api_cl[i].fd == -1) continue; + + ctable[count] = api_cl + i; + + /* If we haven't received a complete query yet, wait for POLLIN. + Otherwise, we want to write stuff. */ + + if (api_cl[i].in_off < sizeof(struct p0f_api_query)) + pfds[count].events = (POLLIN | POLLERR | POLLHUP); + else + pfds[count].events = (POLLOUT | POLLERR | POLLHUP); + + pfds[count++].fd = api_cl[i].fd; + + } + + return count; + +} + +#endif /* !__CYGWIN__ */ + + +/* Event loop! Accepts and dispatches pcap data, API queries, etc. */ + +static void live_event_loop(void) { + +#ifndef __CYGWIN__ + + /* The huge problem with winpcap on cygwin is that you can't get a file + descriptor suitable for poll() / select() out of it: + + http://www.winpcap.org/pipermail/winpcap-users/2009-April/003179.html + + The only alternatives seem to be additional processes / threads, a + nasty busy loop, or a ton of Windows-specific code. If you need APi + queries on Windows, you are welcome to fix this :-) */ + + struct pollfd *pfds; + struct api_client** ctable; + u32 pfd_count; + + /* We need room for pcap, and possibly api_fd + api_clients. */ + + pfds = ck_alloc((1 + (api_sock ? (1 + api_max_conn) : 0)) * + sizeof(struct pollfd)); + + ctable = ck_alloc((1 + (api_sock ? (1 + api_max_conn) : 0)) * + sizeof(struct api_client*)); + + pfd_count = regen_pfds(pfds, ctable); + + if (!daemon_mode) + SAYF("[+] Entered main event loop.\n\n"); + + while (!stop_soon) { + + s32 pret, i; + u32 cur; + + /* We had a 250 ms timeout to keep Ctrl-C responsive without resortng + to silly sigaction hackery or unsafe signal handler code. Unfortunately, + if poll() timeout is much longer than pcap timeout, we end up with + dropped packets on VMs. Seems like a kernel bug, but for now, this + loop is a bit busier than it needs to be... */ + +poll_again: + + pret = poll(pfds, pfd_count, 10); + + if (pret < 0) { + if (errno == EINTR) break; + PFATAL("poll() failed."); + } + + if (!pret) { if (log_file) fflush(lf); continue; } + + /* Examine pfds... */ + + for (cur = 0; cur < pfd_count; cur++) { + + if (pfds[cur].revents & (POLLERR | POLLHUP)) switch (cur) { + + case 0: + + FATAL("Packet capture interface is down."); + + case 1: + + FATAL("API socket is down."); + + default: + + /* Shut down API connection and free its state. */ + + DEBUG("[#] API connection on fd %d closed.\n", pfds[cur].fd); + + close(pfds[cur].fd); + ctable[cur]->fd = -1; + + pfd_count = regen_pfds(pfds, ctable); + goto poll_again; + + } + + if (pfds[cur].revents & POLLOUT) switch (cur) { + + case 0: case 1: + + FATAL("Unexpected POLLOUT on fd %d.\n", cur); + + default: + + /* Write API response, restart state when complete. */ + + if (ctable[cur]->in_off < sizeof(struct p0f_api_query)) + FATAL("Inconsistent p0f_api_response state.\n"); + + i = write(pfds[cur].fd, + ((char*)&ctable[cur]->out_data) + ctable[cur]->out_off, + sizeof(struct p0f_api_response) - ctable[cur]->out_off); + + if (i <= 0) PFATAL("write() on API socket fails despite POLLOUT."); + + ctable[cur]->out_off += i; + + /* All done? Back to square zero then! */ + + if (ctable[cur]->out_off == sizeof(struct p0f_api_response)) { + + ctable[cur]->in_off = ctable[cur]->out_off = 0; + pfds[cur].events = (POLLIN | POLLERR | POLLHUP); + + } + + } + + if (pfds[cur].revents & POLLIN) switch (cur) { + + case 0: + + /* Process traffic on the capture interface. */ + + if (pcap_dispatch(pt, -1, (pcap_handler)parse_packet, 0) < 0) + FATAL("Packet capture interface is down."); + + break; + + case 1: + + /* Accept new API connection, limits permitting. */ + + if (!api_sock) FATAL("Unexpected API connection."); + + if (pfd_count - 2 < api_max_conn) { + + for (i = 0; i < api_max_conn && api_cl[i].fd >= 0; i++); + + if (i == api_max_conn) FATAL("Inconsistent API connection data."); + + api_cl[i].fd = accept(api_fd, NULL, NULL); + + if (api_cl[i].fd < 0) { + + WARN("Unable to handle API connection: accept() fails."); + + } else { + + if (fcntl(api_cl[i].fd, F_SETFL, O_NONBLOCK)) + PFATAL("fcntl() to set O_NONBLOCK on API connection fails."); + + api_cl[i].in_off = api_cl[i].out_off = 0; + pfd_count = regen_pfds(pfds, ctable); + + DEBUG("[#] Accepted new API connection, fd %d.\n", api_cl[i].fd); + + goto poll_again; + + } + + } else WARN("Too many API connections (use -S to adjust).\n"); + + break; + + default: + + /* Receive API query, dispatch when complete. */ + + if (ctable[cur]->in_off >= sizeof(struct p0f_api_query)) + FATAL("Inconsistent p0f_api_query state.\n"); + + i = read(pfds[cur].fd, + ((char*)&ctable[cur]->in_data) + ctable[cur]->in_off, + sizeof(struct p0f_api_query) - ctable[cur]->in_off); + + if (i < 0) PFATAL("read() on API socket fails despite POLLIN."); + + ctable[cur]->in_off += i; + + /* Query in place? Compute response and prepare to send it back. */ + + if (ctable[cur]->in_off == sizeof(struct p0f_api_query)) { + + handle_query(&ctable[cur]->in_data, &ctable[cur]->out_data); + pfds[cur].events = (POLLOUT | POLLERR | POLLHUP); + + } + + } + + + /* Processed all reported updates already? If so, bail out early. */ + + if (pfds[cur].revents && !--pret) break; + + } + + } + + ck_free(ctable); + ck_free(pfds); + +#else + + if (!daemon_mode) + SAYF("[+] Entered main event loop.\n\n"); + + /* Ugh. The only way to keep SIGINT and other signals working is to have this + funny loop with dummy I/O every 250 ms. Signal handlers don't get called + in pcap_dispatch() or pcap_loop() unless there's I/O. */ + + while (!stop_soon) { + + s32 ret = pcap_dispatch(pt, -1, (pcap_handler)parse_packet, 0); + + if (ret < 0) return; + + if (log_file && !ret) fflush(lf); + + write(2, NULL, 0); + + } + +#endif /* ^!__CYGWIN__ */ + + WARN("User-initiated shutdown."); + +} + + +/* Simple event loop for processing offline captures. */ + +static void offline_event_loop(void) { + + if (!daemon_mode) + SAYF("[+] Processing capture data.\n\n"); + + while (!stop_soon) { + + if (pcap_dispatch(pt, -1, (pcap_handler)parse_packet, 0) <= 0) return; + + } + + WARN("User-initiated shutdown."); + +} + + +/* Main entry point */ + +int main(int argc, char** argv) { + + s32 r; + + setlinebuf(stdout); + + SAYF("--- p0f " VERSION " by Michal Zalewski ---\n\n"); + + if (getuid() != geteuid()) + FATAL("Please don't make me setuid. See README for more.\n"); + + while ((r = getopt(argc, argv, "+LS:djlf:i:m:o:pr:s:t:u:")) != -1) switch (r) { + + case 'L': + + list_interfaces(); + exit(0); + + case 'S': + +#ifdef __CYGWIN__ + + FATAL("API mode not supported on Windows (see README)."); + +#else + + if (api_max_conn != API_MAX_CONN) + FATAL("Multiple -S options not supported."); + + api_max_conn = atol(optarg); + + if (!api_max_conn || api_max_conn > 100) + FATAL("Outlandish value specified for -S."); + + break; + +#endif /* ^__CYGWIN__ */ + + + case 'd': + + if (daemon_mode) + FATAL("Double werewolf mode not supported yet."); + + daemon_mode = 1; + break; + + case 'f': + + if (fp_file) + FATAL("Multiple -f options not supported."); + + fp_file = (u8*)optarg; + break; + + case 'i': + + if (use_iface) + FATAL("Multiple -i options not supported (try '-i any')."); + + use_iface = (u8*)optarg; + + break; + + case 'j': + + if (json_mode) + FATAL("Double werewolf mode not supported yet."); + + json_mode = 1; + break; + + case 'l': + + if (line_buffered_mode) + FATAL("Double werewolf mode not supported yet."); + + line_buffered_mode = 1; + break; + + case 'm': + + if (max_conn != MAX_CONN || max_hosts != MAX_HOSTS) + FATAL("Multiple -m options not supported."); + + if (sscanf(optarg, "%u,%u", &max_conn, &max_hosts) != 2 || + !max_conn || max_conn > 100000 || + !max_hosts || max_hosts > 500000) + FATAL("Outlandish value specified for -m."); + + break; + + case 'o': + + if (log_file) + FATAL("Multiple -o options not supported."); + + log_file = (u8*)optarg; + + break; + + case 'p': + + if (set_promisc) + FATAL("Even more promiscuous? People will start talking!"); + + set_promisc = 1; + break; + + case 'r': + + if (read_file) + FATAL("Multiple -r options not supported."); + + read_file = (u8*)optarg; + + break; + + case 's': + +#ifdef __CYGWIN__ + + FATAL("API mode not supported on Windows (see README)."); + +#else + + if (api_sock) + FATAL("Multiple -s options not supported."); + + api_sock = (u8*)optarg; + + break; + +#endif /* ^__CYGWIN__ */ + + case 't': + + if (conn_max_age != CONN_MAX_AGE || host_idle_limit != HOST_IDLE_LIMIT) + FATAL("Multiple -t options not supported."); + + if (sscanf(optarg, "%u,%u", &conn_max_age, &host_idle_limit) != 2 || + !conn_max_age || conn_max_age > 1000000 || + !host_idle_limit || host_idle_limit > 1000000) + FATAL("Outlandish value specified for -t."); + + break; + + case 'u': + + if (switch_user) + FATAL("Split personality mode not supported."); + + switch_user = (u8*)optarg; + + break; + + default: usage(); + + } + + if (optind < argc) { + + if (optind + 1 == argc) orig_rule = (u8*)argv[optind]; + else FATAL("Filter rule must be a single parameter (use quotes)."); + + } + + if (read_file && api_sock) + FATAL("API mode looks down on ofline captures."); + + if (!api_sock && api_max_conn != API_MAX_CONN) + FATAL("Option -S makes sense only with -s."); + + if (daemon_mode) { + + if (read_file) + FATAL("Daemon mode and offline captures don't mix."); + + if (!log_file && !api_sock) + FATAL("Daemon mode requires -o or -s."); + +#ifdef __CYGWIN__ + + if (switch_user) + SAYF("[!] Note: under cygwin, -u is largely useless.\n"); + +#else + + if (!switch_user) + SAYF("[!] Consider specifying -u in daemon mode (see README).\n"); + +#endif /* ^__CYGWIN__ */ + + } + + tzset(); + setlocale(LC_TIME, "C"); + + close_spare_fds(); + + get_hash_seed(); + + http_init(); + + read_config(fp_file ? fp_file : (u8*)FP_FILE); + + prepare_pcap(); + prepare_bpf(); + + if (log_file) open_log(); + if (api_sock) open_api(); + + if (daemon_mode) { + null_fd = open("/dev/null", O_RDONLY); + if (null_fd < 0) PFATAL("Cannot open '/dev/null'."); + } + + if (switch_user) drop_privs(); + + if (daemon_mode) fork_off(); + + signal(SIGHUP, daemon_mode ? SIG_IGN : abort_handler); + signal(SIGINT, abort_handler); + signal(SIGTERM, abort_handler); + + if (read_file) offline_event_loop(); else live_event_loop(); + + if (!daemon_mode) + SAYF("\nAll done. Processed %llu packets.\n", packet_cnt); + +#ifdef DEBUG_BUILD + destroy_all_hosts(); + TRK_report(); +#endif /* DEBUG_BUILD */ + + return 0; + +} diff --git a/docker/p0f/p0f.fp b/docker/p0f/p0f.fp new file mode 100644 index 00000000..74e25852 --- /dev/null +++ b/docker/p0f/p0f.fp @@ -0,0 +1,938 @@ +; +; p0f - fingerprint database +; -------------------------- +; +; See section 5 in the README for a detailed discussion of the format used here. +; +; Copyright (C) 2012 by Michal Zalewski +; +; Distributed under the terms and conditions of GNU LGPL. +; + +classes = win,unix,other + +; ============== +; MTU signatures +; ============== + +[mtu] + +; The most common values, used by Ethernet-homed systems, PPP over POTS, PPPoA +; DSL, etc: + +label = Ethernet or modem +sig = 576 +sig = 1500 + +; Common DSL-specific values (1492 is canonical for PPPoE, but ISPs tend to +; horse around a bit): + +label = DSL +sig = 1452 +sig = 1454 +sig = 1492 + +; Miscellanous tunnels (including VPNs, IPv6 tunneling, etc): + +label = GIF +sig = 1240 +sig = 1280 + +label = generic tunnel or VPN +sig = 1300 +sig = 1400 +sig = 1420 +sig = 1440 +sig = 1450 +sig = 1460 + +label = IPSec or GRE +sig = 1476 + +label = IPIP or SIT +sig = 1480 + +label = PPTP +sig = 1490 + +; Really exotic stuff: + +label = AX.25 radio modem +sig = 256 + +label = SLIP +sig = 552 + +label = Google +sig = 1470 + +label = VLAN +sig = 1496 + +label = Ericsson HIS modem +sig = 1656 + +label = jumbo Ethernet +sig = 9000 + +; Loopback interfaces on Linux and other systems: + +label = loopback +sig = 3924 +sig = 16384 +sig = 16436 + +; ================== +; TCP SYN signatures +; ================== + +[tcp:request] + +; ----- +; Linux +; ----- + +label = s:unix:Linux:3.11 and newer +sig = *:64:0:*:mss*20,10:mss,sok,ts,nop,ws:df,id+:0 +sig = *:64:0:*:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 + +label = s:unix:Linux:3.1-3.10 +sig = *:64:0:*:mss*10,4:mss,sok,ts,nop,ws:df,id+:0 +sig = *:64:0:*:mss*10,5:mss,sok,ts,nop,ws:df,id+:0 +sig = *:64:0:*:mss*10,6:mss,sok,ts,nop,ws:df,id+:0 +sig = *:64:0:*:mss*10,7:mss,sok,ts,nop,ws:df,id+:0 + +; Fun fact: 2.6 with ws=7 seems to be really common for Amazon EC2, while 8 is +; common for Yahoo and Twitter. There seem to be some other (rare) uses, though, +; so not I'm not flagging these signatures in a special way. + +label = s:unix:Linux:2.6.x +sig = *:64:0:*:mss*4,6:mss,sok,ts,nop,ws:df,id+:0 +sig = *:64:0:*:mss*4,7:mss,sok,ts,nop,ws:df,id+:0 +sig = *:64:0:*:mss*4,8:mss,sok,ts,nop,ws:df,id+:0 + +label = s:unix:Linux:2.4.x +sig = *:64:0:*:mss*4,0:mss,sok,ts,nop,ws:df,id+:0 +sig = *:64:0:*:mss*4,1:mss,sok,ts,nop,ws:df,id+:0 +sig = *:64:0:*:mss*4,2:mss,sok,ts,nop,ws:df,id+:0 + +; No real traffic seen for 2.2 & 2.0, signatures extrapolated from p0f2 data: + +label = s:unix:Linux:2.2.x +sig = *:64:0:*:mss*11,0:mss,sok,ts,nop,ws:df,id+:0 +sig = *:64:0:*:mss*20,0:mss,sok,ts,nop,ws:df,id+:0 +sig = *:64:0:*:mss*22,0:mss,sok,ts,nop,ws:df,id+:0 + +label = s:unix:Linux:2.0 +sig = *:64:0:*:mss*12,0:mss::0 +sig = *:64:0:*:16384,0:mss::0 + +; Just to keep people testing locally happy (IPv4 & IPv6): + +label = s:unix:Linux:3.x (loopback) +sig = *:64:0:16396:mss*2,4:mss,sok,ts,nop,ws:df,id+:0 +sig = *:64:0:16376:mss*2,4:mss,sok,ts,nop,ws:df,id+:0 + +label = s:unix:Linux:2.6.x (loopback) +sig = *:64:0:16396:mss*2,2:mss,sok,ts,nop,ws:df,id+:0 +sig = *:64:0:16376:mss*2,2:mss,sok,ts,nop,ws:df,id+:0 + +label = s:unix:Linux:2.4.x (loopback) +sig = *:64:0:16396:mss*2,0:mss,sok,ts,nop,ws:df,id+:0 + +label = s:unix:Linux:2.2.x (loopback) +sig = *:64:0:3884:mss*8,0:mss,sok,ts,nop,ws:df,id+:0 + +; Various distinctive flavors of Linux: + +label = s:unix:Linux:2.6.x (Google crawler) +sig = 4:64:0:1430:mss*4,6:mss,sok,ts,nop,ws::0 + +label = s:unix:Linux:(Android) +sig = *:64:0:*:mss*44,1:mss,sok,ts,nop,ws:df,id+:0 +sig = *:64:0:*:mss*44,3:mss,sok,ts,nop,ws:df,id+:0 + +; Catch-all rules: + +label = g:unix:Linux:3.x +sig = *:64:0:*:mss*10,*:mss,sok,ts,nop,ws:df,id+:0 + +label = g:unix:Linux:2.4.x-2.6.x +sig = *:64:0:*:mss*4,*:mss,sok,ts,nop,ws:df,id+:0 + +label = g:unix:Linux:2.2.x-3.x +sig = *:64:0:*:*,*:mss,sok,ts,nop,ws:df,id+:0 + +label = g:unix:Linux:2.2.x-3.x (no timestamps) +sig = *:64:0:*:*,*:mss,nop,nop,sok,nop,ws:df,id+:0 + +label = g:unix:Linux:2.2.x-3.x (barebone) +sig = *:64:0:*:*,0:mss:df,id+:0 + +; ------- +; Windows +; ------- + +label = s:win:Windows:XP +sig = *:128:0:*:16384,0:mss,nop,nop,sok:df,id+:0 +sig = *:128:0:*:65535,0:mss,nop,nop,sok:df,id+:0 +sig = *:128:0:*:65535,0:mss,nop,ws,nop,nop,sok:df,id+:0 +sig = *:128:0:*:65535,1:mss,nop,ws,nop,nop,sok:df,id+:0 +sig = *:128:0:*:65535,2:mss,nop,ws,nop,nop,sok:df,id+:0 + +label = s:win:Windows:7 or 8 +sig = *:128:0:*:8192,0:mss,nop,nop,sok:df,id+:0 +sig = *:128:0:*:8192,2:mss,nop,ws,nop,nop,sok:df,id+:0 +sig = *:128:0:*:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0 +sig = *:128:0:*:8192,2:mss,nop,ws,sok,ts:df,id+:0 + +; Robots with distinctive fingerprints: + +label = s:win:Windows:7 (Websense crawler) +sig = *:64:0:1380:mss*4,6:mss,nop,nop,ts,nop,ws:df,id+:0 +sig = *:64:0:1380:mss*4,7:mss,nop,nop,ts,nop,ws:df,id+:0 + +; Catch-all: + +label = g:win:Windows:NT kernel 5.x +sig = *:128:0:*:16384,*:mss,nop,nop,sok:df,id+:0 +sig = *:128:0:*:65535,*:mss,nop,nop,sok:df,id+:0 +sig = *:128:0:*:16384,*:mss,nop,ws,nop,nop,sok:df,id+:0 +sig = *:128:0:*:65535,*:mss,nop,ws,nop,nop,sok:df,id+:0 + +label = g:win:Windows:NT kernel 6.x +sig = *:128:0:*:8192,*:mss,nop,nop,sok:df,id+:0 +sig = *:128:0:*:8192,*:mss,nop,ws,nop,nop,sok:df,id+:0 + +label = g:win:Windows:NT kernel +sig = *:128:0:*:*,*:mss,nop,nop,sok:df,id+:0 +sig = *:128:0:*:*,*:mss,nop,ws,nop,nop,sok:df,id+:0 + +; ------ +; Mac OS +; ------ + +label = s:unix:Mac OS X:10.x +sig = *:64:0:*:65535,1:mss,nop,ws,nop,nop,ts,sok,eol+1:df,id+:0 +sig = *:64:0:*:65535,3:mss,nop,ws,nop,nop,ts,sok,eol+1:df,id+:0 + +label = s:unix:MacOS X:10.9 or newer (sometimes iPhone or iPad) +sig = *:64:0:*:65535,4:mss,nop,ws,nop,nop,ts,sok,eol+1:df,id+:0 + +label = s:unix:iOS:iPhone or iPad +sig = *:64:0:*:65535,2:mss,nop,ws,nop,nop,ts,sok,eol+1:df,id+:0 + +; Catch-all rules: + +label = g:unix:Mac OS X: +sig = *:64:0:*:65535,*:mss,nop,ws,nop,nop,ts,sok,eol+1:df,id+:0 + +; ------- +; FreeBSD +; ------- + +label = s:unix:FreeBSD:9.x or newer +sig = *:64:0:*:65535,6:mss,nop,ws,sok,ts:df,id+:0 + +label = s:unix:FreeBSD:8.x +sig = *:64:0:*:65535,3:mss,nop,ws,sok,ts:df,id+:0 + +; Catch-all rules: + +label = g:unix:FreeBSD: +sig = *:64:0:*:65535,*:mss,nop,ws,sok,ts:df,id+:0 + +; ------- +; OpenBSD +; ------- + +label = s:unix:OpenBSD:3.x +sig = *:64:0:*:16384,0:mss,nop,nop,sok,nop,ws,nop,nop,ts:df,id+:0 + +label = s:unix:OpenBSD:4.x-5.x +sig = *:64:0:*:16384,3:mss,nop,nop,sok,nop,ws,nop,nop,ts:df,id+:0 + +; ------- +; Solaris +; ------- + +label = s:unix:Solaris:8 +sig = *:64:0:*:32850,1:nop,ws,nop,nop,ts,nop,nop,sok,mss:df,id+:0 + +label = s:unix:Solaris:10 +sig = *:64:0:*:mss*34,0:mss,nop,ws,nop,nop,sok:df,id+:0 + +; ------- +; OpenVMS +; ------- + +label = s:unix:OpenVMS:8.x +sig = 4:128:0:1460:mtu*2,0:mss,nop,ws::0 + +label = s:unix:OpenVMS:7.x +sig = 4:64:0:1460:61440,0:mss,nop,ws::0 + +; -------- +; NeXTSTEP +; -------- + +label = s:other:NeXTSTEP: +sig = 4:64:0:1024:mss*4,0:mss::0 + +; ----- +; Tru64 +; ----- + +label = s:unix:Tru64:4.x +sig = 4:64:0:1460:32768,0:mss,nop,ws:df,id+:0 + +; ---- +; NMap +; ---- + +label = s:!:NMap:SYN scan +sys = @unix,@win +sig = *:64-:0:1460:1024,0:mss::0 +sig = *:64-:0:1460:2048,0:mss::0 +sig = *:64-:0:1460:3072,0:mss::0 +sig = *:64-:0:1460:4096,0:mss::0 + +label = s:!:NMap:OS detection +sys = @unix,@win +sig = *:64-:0:265:512,0:mss,sok,ts:ack+:0 +sig = *:64-:0:0:4,10:sok,ts,ws,eol+0:ack+:0 +sig = *:64-:0:1460:1,10:ws,nop,mss,ts,sok:ack+:0 +sig = *:64-:0:536:16,10:mss,sok,ts,ws,eol+0:ack+:0 +sig = *:64-:0:640:4,5:ts,nop,nop,ws,nop,mss:ack+:0 +sig = *:64-:0:1400:63,0:mss,ws,sok,ts,eol+0:ack+:0 +sig = *:64-:0:265:31337,10:ws,nop,mss,ts,sok:ack+:0 +sig = *:64-:0:1460:3,10:ws,nop,mss,sok,nop,nop:ecn,uptr+:0 + +; ----------- +; p0f-sendsyn +; ----------- + +; These are intentionally goofy, to avoid colliding with any sensible real-world +; stacks. Do not tag these signatures as userspace, unless you want p0f to hide +; the responses! + +label = s:unix:p0f:sendsyn utility +sig = *:192:0:1331:1337,0:mss,nop,eol+18::0 +sig = *:192:0:1331:1337,0:mss,ts,nop,eol+8::0 +sig = *:192:0:1331:1337,5:mss,ws,nop,eol+15::0 +sig = *:192:0:1331:1337,0:mss,sok,nop,eol+16::0 +sig = *:192:0:1331:1337,5:mss,ws,ts,nop,eol+5::0 +sig = *:192:0:1331:1337,0:mss,sok,ts,nop,eol+6::0 +sig = *:192:0:1331:1337,5:mss,ws,sok,nop,eol+13::0 +sig = *:192:0:1331:1337,5:mss,ws,sok,ts,nop,eol+3::0 + +; ------------- +; Odds and ends +; ------------- + +label = s:other:Blackberry: +sig = *:128:0:1452:65535,0:mss,nop,nop,sok,nop,nop,ts::0 + +label = s:other:Nintendo:3DS +sig = *:64:0:1360:32768,0:mss,nop,nop,sok:df,id+:0 + +label = s:other:Nintendo:Wii +sig = 4:64:0:1460:32768,0:mss,nop,nop,sok:df,id+:0 + +label = s:unix:BaiduSpider: +sig = *:64:0:1460:mss*4,7:mss,sok,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,ws:df,id+:0 +sig = *:64:0:1460:mss*4,2:mss,sok,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,ws:df,id+:0 + +; ====================== +; TCP SYN+ACK signatures +; ====================== + +[tcp:response] + +; ----- +; Linux +; ----- + +; The variation here is due to ws, sok, or ts being adaptively removed if the +; client initiating the connection doesn't support them. Use tools/p0f-sendsyn +; to get a full set of up to 8 signatures. + + +label = s:unix:Linux:3.x +sig = *:64:0:*:mss*10,0:mss:df:0 +sig = *:64:0:*:mss*10,0:mss,sok,ts:df:0 +sig = *:64:0:*:mss*10,0:mss,nop,nop,ts:df:0 +sig = *:64:0:*:mss*10,0:mss,nop,nop,sok:df:0 +sig = *:64:0:*:mss*10,*:mss,nop,ws:df:0 +sig = *:64:0:*:mss*10,*:mss,sok,ts,nop,ws:df:0 +sig = *:64:0:*:mss*10,*:mss,nop,nop,ts,nop,ws:df:0 +sig = *:64:0:*:mss*10,*:mss,nop,nop,sok,nop,ws:df:0 + +label = s:unix:Linux:2.4-2.6 +sig = *:64:0:*:mss*4,0:mss:df:0 +sig = *:64:0:*:mss*4,0:mss,sok,ts:df:0 +sig = *:64:0:*:mss*4,0:mss,nop,nop,ts:df:0 +sig = *:64:0:*:mss*4,0:mss,nop,nop,sok:df:0 + +label = s:unix:Linux:2.4.x +sig = *:64:0:*:mss*4,0:mss,nop,ws:df:0 +sig = *:64:0:*:mss*4,0:mss,sok,ts,nop,ws:df:0 +sig = *:64:0:*:mss*4,0:mss,nop,nop,ts,nop,ws:df:0 +sig = *:64:0:*:mss*4,0:mss,nop,nop,sok,nop,ws:df:0 + +label = s:unix:Linux:2.6.x +sig = *:64:0:*:mss*4,*:mss,nop,ws:df:0 +sig = *:64:0:*:mss*4,*:mss,sok,ts,nop,ws:df:0 +sig = *:64:0:*:mss*4,*:mss,nop,nop,ts,nop,ws:df:0 +sig = *:64:0:*:mss*4,*:mss,nop,nop,sok,nop,ws:df:0 + +; ------- +; Windows +; ------- + +label = s:win:Windows:XP +sig = *:128:0:*:65535,0:mss:df,id+:0 +sig = *:128:0:*:65535,0:mss,nop,ws:df,id+:0 +sig = *:128:0:*:65535,0:mss,nop,nop,sok:df,id+:0 +sig = *:128:0:*:65535,0:mss,nop,nop,ts:df,id+,ts1-:0 +sig = *:128:0:*:65535,0:mss,nop,ws,nop,nop,sok:df,id+:0 +sig = *:128:0:*:65535,0:mss,nop,ws,nop,nop,ts:df,id+,ts1-:0 +sig = *:128:0:*:65535,0:mss,nop,nop,ts,nop,nop,sok:df,id+,ts1-:0 +sig = *:128:0:*:65535,0:mss,nop,ws,nop,nop,ts,nop,nop,sok:df,id+,ts1-:0 + +sig = *:128:0:*:16384,0:mss:df,id+:0 +sig = *:128:0:*:16384,0:mss,nop,ws:df,id+:0 +sig = *:128:0:*:16384,0:mss,nop,nop,sok:df,id+:0 +sig = *:128:0:*:16384,0:mss,nop,nop,ts:df,id+,ts1-:0 +sig = *:128:0:*:16384,0:mss,nop,ws,nop,nop,sok:df,id+:0 +sig = *:128:0:*:16384,0:mss,nop,ws,nop,nop,ts:df,id+,ts1-:0 +sig = *:128:0:*:16384,0:mss,nop,nop,ts,nop,nop,sok:df,id+,ts1-:0 +sig = *:128:0:*:16384,0:mss,nop,ws,nop,nop,ts,nop,nop,sok:df,id+,ts1-:0 + +label = s:win:Windows:7 or 8 +sig = *:128:0:*:8192,0:mss:df,id+:0 +sig = *:128:0:*:8192,0:mss,sok,ts:df,id+:0 +sig = *:128:0:*:8192,8:mss,nop,ws:df,id+:0 +sig = *:128:0:*:8192,0:mss,nop,nop,ts:df,id+:0 +sig = *:128:0:*:8192,0:mss,nop,nop,sok:df,id+:0 +sig = *:128:0:*:8192,8:mss,nop,ws,sok,ts:df,id+:0 +sig = *:128:0:*:8192,8:mss,nop,ws,nop,nop,ts:df,id+:0 +sig = *:128:0:*:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0 + +; ------- +; FreeBSD +; ------- + +label = s:unix:FreeBSD:9.x +sig = *:64:0:*:65535,6:mss,nop,ws:df,id+:0 +sig = *:64:0:*:65535,6:mss,nop,ws,sok,ts:df,id+:0 +sig = *:64:0:*:65535,6:mss,nop,ws,sok,eol+1:df,id+:0 +sig = *:64:0:*:65535,6:mss,nop,ws,nop,nop,ts:df,id+:0 + +label = s:unix:FreeBSD:8.x +sig = *:64:0:*:65535,3:mss,nop,ws:df,id+:0 +sig = *:64:0:*:65535,3:mss,nop,ws,sok,ts:df,id+:0 +sig = *:64:0:*:65535,3:mss,nop,ws,sok,eol+1:df,id+:0 +sig = *:64:0:*:65535,3:mss,nop,ws,nop,nop,ts:df,id+:0 + +label = s:unix:FreeBSD:8.x-9.x +sig = *:64:0:*:65535,0:mss,sok,ts:df,id+:0 +sig = *:64:0:*:65535,0:mss,sok,eol+1:df,id+:0 +sig = *:64:0:*:65535,0:mss,nop,nop,ts:df,id+:0 + +; ------- +; OpenBSD +; ------- + +label = s:unix:OpenBSD:5.x +sig = *:64:0:1460:16384,0:mss,nop,nop,sok:df,id+:0 +sig = *:64:0:1460:16384,3:mss,nop,ws:df,id+:0 +sig = *:64:0:1460:16384,3:mss,nop,nop,sok,nop,ws:df,id+:0 +sig = *:64:0:1460:16384,0:mss,nop,nop,ts:df,id+:0 +sig = *:64:0:1460:16384,0:mss,nop,nop,sok,nop,nop,ts:df,id+:0 +sig = *:64:0:1460:16384,3:mss,nop,ws,nop,nop,ts:df,id+:0 +sig = *:64:0:1460:16384,3:mss,nop,nop,sok,nop,ws,nop,nop,ts:df,id+:0 + +; This one resembles Windows, but almost nobody will be seeing it: +; sig = *:64:0:1460:16384,0:mss:df,id+:0 + +; -------- +; Mac OS X +; -------- + +label = s:unix:Mac OS X:10.x +sig = *:64:0:*:65535,0:mss,nop,ws:df,id+:0 +sig = *:64:0:*:65535,0:mss,sok,eol+1:df,id+:0 +sig = *:64:0:*:65535,0:mss,nop,nop,ts:df,id+:0 +sig = *:64:0:*:65535,0:mss,nop,ws,sok,eol+1:df,id+:0 +sig = *:64:0:*:65535,0:mss,nop,ws,nop,nop,ts:df,id+:0 +sig = *:64:0:*:65535,0:mss,nop,nop,ts,sok,eol+1:df,id+:0 +sig = *:64:0:*:65535,0:mss,nop,ws,nop,nop,ts,sok,eol+1:df,id+:0 + +; Ditto: +; sig = *:64:0:*:65535,0:mss:df,id+:0 + +; ------- +; Solaris +; ------- + +label = s:unix:Solaris:6 +sig = 4:255:0:*:mss*7,0:mss:df,id+:0 +sig = 4:255:0:*:mss*7,0:nop,ws,mss:df,id+:0 +sig = 4:255:0:*:mss*7,0:nop,nop,ts,mss:df,id+:0 +sig = 4:255:0:*:mss*7,0:nop,nop,ts,nop,ws,mss:df,id+:0 + +label = s:unix:Solaris:8 +sig = *:64:0:*:mss*19,0:mss:df,id+:0 +sig = *:64:0:*:mss*19,0:nop,ws,mss:df,id+:0 +sig = *:64:0:*:mss*19,0:nop,nop,ts,mss:df,id+:0 +sig = *:64:0:*:mss*19,0:nop,nop,sok,mss:df,id+:0 +sig = *:64:0:*:mss*19,0:nop,nop,ts,nop,ws,mss:df,id+:0 +sig = *:64:0:*:mss*19,0:nop,ws,nop,nop,sok,mss:df,id+:0 +sig = *:64:0:*:mss*19,0:nop,nop,ts,nop,nop,sok,mss:df,id+:0 +sig = *:64:0:*:mss*19,0:nop,nop,ts,nop,ws,nop,nop,sok,mss:df,id+:0 + +label = s:unix:Solaris:10 +sig = *:64:0:*:mss*37,0:mss:df,id+:0 +sig = *:64:0:*:mss*37,0:mss,nop,ws:df,id+:0 +sig = *:64:0:*:mss*37,0:nop,nop,ts,mss:df,id+:0 +sig = *:64:0:*:mss*37,0:mss,nop,nop,sok:df,id+:0 +sig = *:64:0:*:mss*37,0:nop,nop,ts,mss,nop,ws:df,id+:0 +sig = *:64:0:*:mss*37,0:mss,nop,ws,nop,nop,sok:df,id+:0 +sig = *:64:0:*:mss*37,0:nop,nop,ts,mss,nop,nop,sok:df,id+:0 +sig = *:64:0:*:mss*37,0:nop,nop,ts,mss,nop,ws,nop,nop,sok:df,id+:0 + +; ----- +; HP-UX +; ----- + +label = s:unix:HP-UX:11.x +sig = *:64:0:*:32768,0:mss:df,id+:0 +sig = *:64:0:*:32768,0:mss,ws,nop:df,id+:0 +sig = *:64:0:*:32768,0:mss,nop,nop,ts:df,id+:0 +sig = *:64:0:*:32768,0:mss,nop,nop,sok:df,id+:0 +sig = *:64:0:*:32768,0:mss,ws,nop,nop,nop,ts:df,id+:0 +sig = *:64:0:*:32768,0:mss,nop,nop,sok,ws,nop:df,id+:0 +sig = *:64:0:*:32768,0:mss,nop,nop,sok,nop,nop,ts:df,id+:0 +sig = *:64:0:*:32768,0:mss,nop,nop,sok,ws,nop,nop,nop,ts:df,id+:0 + +; ------- +; OpenVMS +; ------- + +label = s:other:OpenVMS:7.x +sig = 4:64:0:1460:3993,0:mss::0 +sig = 4:64:0:1460:3993,0:mss,nop,ws::0 + +; ----- +; Tru64 +; ----- + +label = s:unix:Tru64:4.x +sig = 4:64:0:1460:mss*25,0:mss,nop,ws:df,id+:0 +sig = 4:64:0:1460:mss*25,0:mss:df,id+:0 + +; ====================== +; HTTP client signatures +; ====================== + +; Safari and Firefox are frequently seen using HTTP/1.0 when going through +; proxies; this is far less common for MSIE, Chrome, etc. I wildcarded some of +; the signatures accordingly. +; +; Also note that there are several proxies that mess with HTTP headers for no +; reason. For example, BlueCoat proxy appears to change 'keep-alive' to +; 'Keep-Alive' for a tiny percentage of users (why?!). + +[http:request] + +ua_os = Linux,Windows,iOS=[iPad],iOS=[iPhone],Mac OS X,FreeBSD,OpenBSD,NetBSD,Solaris=[SunOS] + +; ------- +; Firefox +; ------- + +label = s:!:Firefox:2.x +sys = Windows,@unix +sig = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language,Accept-Encoding=[gzip,deflate],Accept-Charset=[utf-8;q=0.7,*;q=0.7],Keep-Alive=[300],Connection=[keep-alive]::Firefox/ + +label = s:!:Firefox:3.x +sys = Windows,@unix +sig = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language,Accept-Encoding=[gzip,deflate],Accept-Charset=[utf-8;q=0.7,*;q=0.7],Keep-Alive=[115],Connection=[keep-alive],?Referer::Firefox/ + +label = s:!:Firefox:4.x +sys = Windows,@unix +sig = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language,Accept-Encoding=[gzip, deflate],Accept-Charset=[utf-8;q=0.7,*;q=0.7],Keep-Alive=[115],Connection=[keep-alive],?Referer::Firefox/ + +; I have no idea where this 'UTF-8' variant comes from, but it happens on *BSD. +; Likewise, no clue why Referer is in a different place for some users. + +label = s:!:Firefox:5.x-9.x +sys = Windows,@unix +sig = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language,Accept-Encoding=[gzip, deflate],Accept-Charset=[utf-8;q=0.7,*;q=0.7],?DNT=[1],Connection=[keep-alive],?Referer:Keep-Alive:Firefox/ +sig = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language,Accept-Encoding=[gzip, deflate],Accept-Charset=[UTF-8,*],?DNT=[1],Connection=[keep-alive],?Referer:Keep-Alive:Firefox/ +sig = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language,Accept-Encoding=[gzip, deflate],Accept-Charset=[UTF-8,*],?DNT=[1],?Referer,Connection=[keep-alive]:Keep-Alive:Firefox/ +sig = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language,Accept-Encoding=[gzip, deflate],Accept-Charset=[utf-8;q=0.7,*;q=0.7],?DNT=[1],?Referer,Connection=[keep-alive]:Keep-Alive:Firefox/ +sig = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language,Accept-Encoding=[gzip, deflate],Accept-Charset=[utf-8;q=0.7,*;q=0.7],?Referer,?DNT=[1],Connection=[keep-alive]:Keep-Alive:Firefox/ + +label = s:!:Firefox:10.x or newer +sys = Windows,@unix +sig = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language=[;q=],Accept-Encoding=[gzip, deflate],?DNT=[1],Connection=[keep-alive],?Referer:Accept-Charset,Keep-Alive:Firefox/ +sig = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language=[;q=],Accept-Encoding=[gzip, deflate],?DNT=[1],?Referer,Connection=[keep-alive]:Accept-Charset,Keep-Alive:Firefox/ + +; There is this one weird case where Firefox 10.x is indistinguishable +; from Safari 5.1: + +label = s:!:Firefox:10.x or Safari 5.x +sys = Windows,@unix +sig = *:Host,User-Agent,Accept=[xml;q=0.9,*/*;q=0.8],Accept-Language,Accept-Encoding=[gzip, deflate],Connection=[keep-alive]:Keep-Alive,Accept-Charset,DNT,Referer:Gecko + +; ---- +; MSIE +; ---- + +; MSIE 11 no longer sends the 'MSIE' part in U-A, but we don't consider +; U-A to be a robust signal for fingerprinting, so no dice. + +label = s:!:MSIE:8 or newer +sys = Windows +sig = 1:Accept=[*/*],?Referer,?Accept-Language,User-Agent,Accept-Encoding=[gzip, deflate],Host,Connection=[Keep-Alive]:Keep-Alive,Accept-Charset,UA-CPU:Trident/ +sig = 1:Accept=[*/*],?Referer,?Accept-Language,Accept-Encoding=[gzip, deflate],User-Agent,Host,Connection=[Keep-Alive]:Keep-Alive,Accept-Charset:(compatible; MSIE + +label = s:!:MSIE:7 +sys = Windows +sig = 1:Accept=[*/*],?Referer,?Accept-Language,UA-CPU,User-Agent,Accept-Encoding=[gzip, deflate],Host,Connection=[Keep-Alive]:Keep-Alive,Accept-Charset:(compatible; MSIE + +; TODO: Check if this one ever uses Accept-Language, etc. Also try to find MSIE 5. + +label = s:!:MSIE:6 +sys = Windows +sig = 0:Accept=[*/*],?Referer,User-Agent,Host:Keep-Alive,Connection,Accept-Encoding,Accept-Language,Accept-Charset:(compatible; MSIE +sig = 1:Accept=[*/*],Connection=[Keep-Alive],Host,?Pragma=[no-cache],?Range,?Referer,User-Agent:Keep-Alive,Accept-Encoding,Accept-Language,Accept-Charset:(compatible; MSIE + +; ------ +; Chrome +; ------ + +label = s:!:Chrome:11.x to 26.x +sys = Windows,@unix +sig = 1:Host,Connection=[keep-alive],User-Agent,Accept=[*/*],?Referer,Accept-Encoding=[gzip,deflate,sdch],Accept-Language,Accept-Charset=[utf-8;q=0.7,*;q=0.3]:: Chrom +sig = 1:Host,Connection=[keep-alive],User-Agent,Accept=[*/*],?Referer,Accept-Encoding=[gzip,deflate,sdch],Accept-Language,Accept-Charset=[UTF-8,*;q=0.5]:: Chrom +sig = 1:Host,User-Agent,Accept=[*/*],?Referer,Accept-Encoding=[gzip,deflate,sdch],Accept-Language,Accept-Charset=[utf-8;q=0.7,*;q=0.3],Connection=[keep-alive]::Chrom + +label = s:!:Chrome:27.x to 42.x +sys = Windows,@unix +sig = 1:Host,Connection=[keep-alive],Accept=[*/*],User-Agent,?Referer,Accept-Encoding=[gzip,deflate,sdch],Accept-Language:Accept-Charset,Keep-Alive: Chrom + +label = s:!:Chrome:43.x or 50.x +sys = Windows,@unix +sig = 1:Host,Connection=[keep-alive],Accept=[*/*],User-Agent,?Referer,Accept-Encoding=[gzip, deflate, sdch],Accept-Language:Accept-Charset,Keep-Alive: Chrom + +label = s:!:Chrome:51.x or newer +sys = Windows,@unix +sig = 1:Host,Connection=[keep-alive],Upgrade-Insecure-Requests=[1],User-Agent,Accept=[*/*],Accept-Encoding=[gzip, deflate, sdch],Accept-Language:Accept-Charset,Keep-Alive: Chrom + +; ----- +; Opera +; ----- + +label = s:!:Opera:19.x or newer +sys = Windows,@unix +sig = 1:Host,Connection=[keep-alive],Accept=[*/*;q=0.8],User-Agent,Accept-Encoding=[gzip,deflate,lzma,sdch],Accept-Language=[;q=0.]:Accept-Charset,Keep-Alive:OPR/ + +label = s:!:Opera:15.x-18.x +sys = Windows,@unix +sig = 1:Host,Connection=[keep-alive],Accept=[*/*;q=0.8],User-Agent,Accept-Encoding=[gzip, deflate],Accept-Language=[;q=0.]:Accept-Charset,Keep-Alive:OPR/ + +label = s:!:Opera:11.x-14.x +sys = Windows,@unix +sig = 1:User-Agent,Host,Accept=[*/*;q=0.1],?Accept-Language=[;q=0.],Accept-Encoding=[gzip, deflate],Connection=[Keep-Alive]:Accept-Charset,X-OperaMini-Phone-UA:) Presto/ + +label = s:!:Opera:10.x +sys = Windows,@unix +sig = 1:User-Agent,Host,Accept=[*/*;q=0.1],Accept-Language=[;q=0.],Accept-Charset=[utf-8, utf-16, *;q=0.1],Accept-Encoding=[deflate, gzip, x-gzip, identity, *;q=0],Connection=[Keep-Alive]::Presto/ +sig = 1:User-Agent,Host,Accept=[*/*;q=0.1],Accept-Language=[en],Accept-Encoding=[gzip, deflate],Connection=[Keep-Alive]:Accept-Charset:Opera/ + +label = s:!:Opera:Mini +sys = Linux +sig = 1:User-Agent,Host,Accept=[*/*;q=0.1],Accept-Language=[;q=0.],Accept-Encoding=[gzip, deflate],Connection=[Keep-Alive],X-OperaMini-Phone-UA,X-OperaMini-Features,X-OperaMini-Phone,x-forwarded-for:Accept-Charset:Opera Mini/ + +label = s:!:Opera:on Nintendo Wii +sys = Nintendo +sig = 1:User-Agent,Host,Accept=[*/*;q=0.1],Accept-Language=[en],Accept-Charset=[iso-8859-1, utf-8, utf-16, *;q=0.1],Accept-Encoding=[deflate, gzip, x-gzip, identity, *;q=0],Connection=[Keep-Alive]::Nintendo + +; --------------- +; Android browser +; --------------- + +label = s:!:Android:2.x +sys = Linux +sig = 1:Host,Accept-Encoding=[gzip],Accept-Language,User-Agent,Accept=[,*/*;q=0.5],Accept-Charset=[utf-16, *;q=0.7]:Connection:Android +sig = 1:Host,Connection=[keep-alive],Accept-Encoding=[gzip],Accept-Language,User-Agent,Accept=[,*/*;q=0.5],Accept-Charset=[utf-16, *;q=0.7]::Android +sig = 1:Host,Accept-Encoding=[gzip],Accept-Language=[en-US],Accept=[*/*;q=0.5],User-Agent,Accept-Charset=[utf-16, *;q=0.7]:Connection:Android + +label = s:!:Android:4.x +sys = Linux +sig = 1:Host,Connection=[keep-alive],Accept=[,*/*;q=0.8],User-Agent,Accept-Encoding=[gzip,deflate],Accept-Language,Accept-Charset=[utf-16, *;q=0.7]::Android + +; ------ +; Safari +; ------ + +label = s:!:Safari:7 or newer +sys = @unix +sig = *:Host,Accept-Encoding=[gzip, deflate],Connection=[keep-alive],Accept=[*/*],User-Agent,Accept-Language,?Referer,?DNT:Accept-Charset,Keep-Alive:KHTML, like Gecko) + +label = s:!:Safari:5.1-6 +sys = Windows,@unix +sig = *:Host,User-Agent,Accept=[*/*],?Referer,Accept-Language,Accept-Encoding=[gzip, deflate],Connection=[keep-alive]:Accept-Charset:KHTML, like Gecko) +sig = *:Host,User-Agent,Accept=[*/*],?Referer,Accept-Encoding=[gzip, deflate],Accept-Language,Connection=[keep-alive]:Accept-Charset:KHTML, like Gecko) + +label = s:!:Safari:5.0 or earlier +sys = Mac OS X +sig = 0:Host,User-Agent,Connection=[close]:Accept,Accept-Encoding,Accept-Language,Accept-Charset:CFNetwork/ + +; --------- +; Konqueror +; --------- + +label = s:!:Konqueror:4.6 or earlier +sys = Linux,FreeBSD,OpenBSD +sig = 1:Host,Connection=[Keep-Alive],User-Agent,?Pragma,?Cache-control,Accept=[*/*],Accept-Encoding=[x-gzip, x-deflate, gzip, deflate],Accept-Charset=[;q=0.5, *;q=0.5],Accept-Language::Konqueror/ + +label = s:!:Konqueror:4.7 or newer +sys = Linux,FreeBSD,OpenBSD +sig = 1:Host,Connection=[keep-alive],User-Agent,Accept=[*/*],Accept-Encoding=[gzip, deflate, x-gzip, x-deflate],Accept-Charset=[,*;q=0.5],Accept-Language::Konqueror/ + +; ------------------- +; Major search robots +; ------------------- + +label = s:!:BaiduSpider: +sys = BaiduSpider +sig = 1:Host,Connection=[close],User-Agent,Accept=[*/*]:Accept-Encoding,Accept-Language,Accept-Charset:Baiduspider-image +sig = 1:Host,Accept-Language=[zh-cn],Connection=[close],User-Agent:Accept,Accept-Encoding,Accept-Charset:Baiduspider +sig = 1:Host,Connection=[close],User-Agent,Accept-Language=[zh-cn,zh-tw],Accept-Encoding=[gzip],Accept=[*/*]:Accept-Charset:Baiduspider +sig = 1:Host,Connection=[close],User-Agent,Accept-Language=[tr-TR],Accept-Encoding=[gzip],Accept=[*/*]:Accept-Charset:Baiduspider +sig = 1:Host,Connection=[close],User-Agent,Accept-Encoding=[gzip],?Accept-Language=[zh-cn,zh-tw],Accept=[*/*]:Accept-Charset:Baiduspider +sig = 1:Host,Connection=[close],User-Agent,Accept-Encoding=[gzip],Accept-Language=[tr-TR],Accept=[*/*]:Accept-Charset:Baiduspider + +label = s:!:Googlebot: +sys = Linux +sig = 1:Host,Connection=[Keep-alive],Accept=[*/*],From=[googlebot(at)googlebot.com],User-Agent,Accept-Encoding=[gzip,deflate],?If-Modified-Since:Accept-Language,Accept-Charset:Googlebot +sig = 1:Host,Connection=[Keep-alive],Accept=[text/plain],Accept=[text/html],From=[googlebot(at)googlebot.com],User-Agent,Accept-Encoding=[gzip,deflate]:Accept-Language,Accept-Charset:Googlebot + +label = s:!:Googlebot:feed fetcher +sys = Linux +sig = 1:Host,Connection=[Keep-alive],Accept=[*/*],User-Agent,Accept-Encoding=[gzip,deflate],?If-Modified-Since:Accept-Language,Accept-Charset:-Google +sig = 1:User-Agent,?X-shindig-dos=[on],Cache-Control,Host,?X-Forwarded-For,Accept-Encoding=[gzip],?Accept-Language:Connection,Accept,Accept-Charset:Feedfetcher-Google + +label = s:!:Bingbot: +sys = Windows +sig = 1:Cache-Control,Connection=[Keep-Alive],Pragma=[no-cache],Accept=[*/*],Accept-Encoding,Host,User-Agent:Accept-Language,Accept-Charset:bingbot/ + +; MSNbot has a really silly Accept header, only a tiny part of which is preserved here: + +label = s:!:MSNbot: +sys = Windows +sig = 1:Connection=[Close],Accept,Accept-Encoding=[gzip, deflate],From=[msnbot(at)microsoft.com],Host,User-Agent:Accept-Language,Accept-Charset:msnbot + +label = s:!:Yandex:crawler +sys = FreeBSD +sig = 1:Host,Connection=[Keep-Alive],Accept=[*/*],Accept-Encoding=[gzip,deflate],Accept-Language=[en-us, en;q=0.7, *;q=0.01],User-Agent,From=[support@search.yandex.ru]:Accept-Charset:YandexBot/ +sig = 1:Host,Connection=[Keep-Alive],Accept=[image/jpeg, image/pjpeg, image/png, image/gif],User-Agent,From=[support@search.yandex.ru]:Accept-Encoding,Accept-Language,Accept-Charset:YandexImages/ +sig = 1:Host,Connection=[Keep-Alive],User-Agent,From=[support@search.yandex.ru]:Accept,Accept-Encoding,Accept-Language,Accept-Charset:YandexBot/ + +label = s:!:Yahoo:crawler +sys = Linux +sig = 0:Host,User-Agent,Accept=[,image/png,*/*;q=0.5],Accept-Language=[en-us,en;q=0.5],Accept-Encoding=[gzip],Accept-Charset=[,utf-8;q=0.7,*;q=0.7]:Connection:Slurp + +; ----------------- +; Misc other robots +; ----------------- + +label = s:!:Flipboard:crawler +sys = Linux +sig = 1:User-Agent,Accept-Language=[en-us,en;q=0.5],Accept-Charset=[;q=0.7,*;q=0.5],Accept-Encoding=[gzip],Host,Accept=[*; q=.2, */*; q=.2],Connection=[keep-alive]::FlipboardProxy +sig = 1:Accept-language=[en-us,en;q=0.5],Accept-encoding=[gzip],Accept=[;q=0.9,*/*;q=0.8],User-agent,Host:User-Agent,Connection,Accept-Encoding,Accept-Language,Accept-Charset:FlipboardProxy + +label = s:!:Spinn3r:crawler +sys = Linux +sig = 1:User-Agent,Accept-Encoding=[gzip],Host,Accept=[*; q=.2, */*; q=.2],Connection=[close]:Accept-Language,Accept-Charset:Spinn3r + +label = s:!:Facebook:crawler +sys = Linux +sig = 1:User-Agent,Host,Accept=[*/*],Accept-Encoding=[deflate, gzip],Connection=[close]:Accept-Language,Accept-Charset:facebookexternalhit/ +sig = 1:User-Agent,Host,Accept=[*/*],Connection=[close]:Accept-Encoding,Accept-Language,Accept-Charset:facebookexternalhit/ + +label = s:!:paper.li:crawler +sys = Linux +sig = 1:Accept-Language=[en-us,en;q=0.5],Accept=[*/*],User-Agent,Connection=[close],Accept-Encoding=[gzip,identity],?Referer,Host,Accept-Charset=[ISO-8859-1,utf-8;q=0.7,*;q=0.7]::PaperLiBot/ + +label = s:!:Twitter:crawler +sys = Linux +sig = 1:User-Agent=[Twitterbot/],Host,Accept=[*; q=.2, */*; q=.2],Cache-Control,Connection=[keep-alive]:Accept-Encoding,Accept-Language,Accept-Charset:Twitterbot/ + +label = s:!:linkdex:crawler +sys = Linux +sig = 0:Host,Connection=[Keep-Alive],User-Agent,Accept-Encoding=[gzip,deflate]:Accept,Accept-Language,Accept-Charset:linkdex.com/ + +label = s:!:Yodaobot: +sys = Linux +sig = 1:Accept-Encoding=[identity;q=0.5, *;q=0.1],User-Agent,Host:Connection,Accept,Accept-Language,Accept-Charset:YodaoBot/ + +label = s:!:Tweetmeme:crawler +sys = Linux +sig = 1:Host,User-Agent,Accept=[,image/png,*/*;q=0.5],Accept-Language=[en-gb,en;q=0.5],Accept-Charset=[ISO-8859-1,utf-8;q=0.7,*;q=0.7]:Connection,Accept-Encoding:TweetmemeBot/ + +label = s:!:Archive.org:crawler +sys = Linux +sig = 0:User-Agent,Connection=[close],Accept=[application/xml;q=0.9,*/*;q=0.8],Host:Accept-Encoding,Accept-Language,Accept-Charset:archive.org + +label = s:!:Yahoo Pipes: +sys = Linux +sig = 0:Client-IP,X-Forwarded-For,X-YQL-Depth,User-Agent,Host,Connection=[keep-alive],Via:Accept,Accept-Encoding,Accept-Language,Accept-Charset:Yahoo Pipes +sig = 1:Client-IP,X-Forwarded-For,X-YQL-Depth,User-Agent,Host,Via:Connection,Accept,Accept-Encoding,Accept-Language,Accept-Charset:Yahoo Pipes + +label = s:!:Google Web Preview: +sys = Linux +sig = 1:Referer,User-Agent,Accept-Encoding=[gzip,deflate],Host,X-Forwarded-For:Connection,Accept,Accept-Language,Accept-Charset:Web Preview + +; -------------------------------- +; Command-line tools and libraries +; -------------------------------- + +label = s:!:wget: +sys = @unix,Windows +sig = *:User-Agent,Accept=[*/*],Host,Connection=[Keep-Alive]:Accept-Encoding,Accept-Language,Accept-Charset:Wget/ + +label = s:!:Lynx: +sys = @unix,Windows +sig = 0:Host,Accept=[text/sgml, */*;q=0.01],Accept-Encoding=[gzip, compress],Accept-Language,User-Agent:Connection,Accept-Charset:Lynx/ + +label = s:!:curl: +sys = @unix,Windows +sig = 1:User-Agent,Host,Accept=[*/*]:Connection,Accept-Encoding,Accept-Language,Accept-Charset:curl/ + +label = s:!:links: +sys = @unix,Windows +sig = 1:Host,User-Agent,Accept=[*/*],Accept-Encoding=[gzip, deflate, bzip2],Accept-Charset=[us-ascii],Accept-Language=[;q=0.1],Connection=[Keep-Alive]::Links +sig = 1:Host,User-Agent,Accept=[*/*],Accept-Encoding=[gzip,deflate,bzip2],Accept-Charset=[us-ascii],Accept-Language=[;q=0.1],Connection=[keep-alive]::Links + +label = s:!:elinks: +sys = @unix,Windows +sig = 1:Host,User-Agent,Accept=[*/*],Accept-Encoding=[bzip2, deflate, gzip],Accept-Language:Connection,Accept-Charset:ELinks/ + +label = s:!:Java:JRE +sys = @unix,@win +sig = 1:User-Agent,Host,Accept=[*; q=.2, */*; q=.2],Connection=[keep-alive]:Accept-Encoding,Accept-Language,Accept-Charset:Java/ + +label = s:!:Python:urllib +sys = @unix,Windows +sig = 1:Accept-Encoding=[identity],Host,Connection=[close],User-Agent:Accept,Accept-Language,Accept-Charset:Python-urllib/ + +label = s:!:w3m: +sys = @unix,Windows +sig = 0:User-Agent,Accept=[image/*],Accept-Encoding=[gzip, compress, bzip, bzip2, deflate],Accept-Language=[;q=1.0],Host:Connection,Accept-Charset:w3m/ + +label = s:!:libfetch: +sys = @unix +sig = 1:Host,User-Agent,Connection=[close]:Accept,Accept-Encoding,Accept-Language,Accept-Charset:libfetch/ + +; ------------- +; Odds and ends +; ------------- + +label = s:!:Google AppEngine: +sys = Linux +sig = 1:User-Agent,Host,Accept-Encoding=[gzip]:Connection,Accept,Accept-Language,Accept-Charset:AppEngine-Google + +label = s:!:WebOS: +sys = Linux +sig = 1:Host,Accept-Encoding=[gzip, deflate],User-Agent,Accept=[,*/*;q=0.5],Accept-Language,Accept-Charset=[utf-8;q=0.7,*;q=0.3]:Connection:wOSBrowser + +label = s:!:xxxterm: +sys = @unix +sig = 1:Host,User-Agent,Accept=[*/*],Accept-Encoding=[gzip]:Connection,Accept-Language,Accept-Charset:xxxterm + +label = s:!:Google Desktop: +sys = Windows +sig = 1:Accept=[*/*],Accept-Encoding=[gzip],User-Agent,Host,Connection=[Keep-Alive]:Accept-Language,Accept-Charset:Google Desktop/ + +label = s:!:luakit: +sys = @unix +sig = 1:Host,User-Agent,Accept=[*/*],Accept-Encoding=[gzip],Connection=[Keep-Alive]:Accept-Language,Accept-Charset:luakit + +label = s:!:Epiphany: +sys = @unix +sig = 1:Host,User-Agent,Accept=[*/*],Accept-Encoding=[gzip],Accept-Language:Connection,Accept-Charset,Keep-Alive:Epiphany/ + +; ====================== +; HTTP server signatures +; ====================== + +[http:response] + +; ------ +; Apache +; ------ + +label = s:!:Apache:2.x +sys = @unix,Windows +sig = 1:Date,Server,?Last-Modified,?Accept-Ranges=[bytes],?Content-Length,?Content-Range,Keep-Alive=[timeout],Connection=[Keep-Alive],?Transfer-Encoding=[chunked],Content-Type::Apache +sig = 1:Date,Server,?Last-Modified,?Accept-Ranges=[bytes],?Content-Length,?Connection=[close],?Transfer-Encoding=[chunked],Content-Type:Keep-Alive:Apache +sig = 1:Date,Server,Connection=[Keep-Alive],Keep-Alive=[timeout]:Content-Type,Accept-Ranges:Apache +sig = 1:Date,Server,?Last-Modified,?Accept-Ranges=[bytes],?Content-Length,Content-Type,Keep-Alive=[timeout],Connection=[Keep-Alive]::Apache + +label = s:!:Apache:1.x +sys = @unix,Windows +sig = 1:Server,Content-Type,?Content-Length,Date,Connection=[keep-alive]:Keep-Alive,Accept-Ranges:Apache +sig = 1:Server,Content-Type,?Content-Length,Date,Connection=[close]:Keep-Alive,Accept-Ranges:Apache + +; --- +; IIS +; --- + +label = s:!:IIS:7.x +sys = Windows +sig = 1:?Content-Length,Content-Type,?Etag,Server,Date:Connection,Keep-Alive,Accept-Ranges:Microsoft-IIS/ +sig = 1:?Content-Length,Content-Type,?Etag,Server,Date,Connection=[close]:Keep-Alive,Accept-Ranges:Microsoft-IIS/ + +; -------- +; lighttpd +; -------- + +label = s:!:lighttpd:2.x +sys = @unix +sig = 1:?ETag,?Last-Modified,Accept-Ranges=[bytes],Content-Type,?Vary,?Content-Length,Date,Server:Connection,Keep-Alive:lighttpd/ +sig = 1:?ETag,?Last-Modified,Transfer-Encoding=[chunked],Content-Type,?Vary,?Content-Length,Date,Server:Connection,Keep-Alive:lighttpd/ + +label = s:!:lighttpd:1.x +sys = @unix +sig = 1:Content-Type,Accept-Ranges=[bytes],?ETag,?Last-Modified,Date,Server:Connection,Keep-Alive:lighttpd/ +sig = 1:Content-Type,Transfer-Encoding=[chunked],?ETag,?Last-Modified,Date,Server:Connection,Keep-Alive:lighttpd/ +sig = 0:Content-Type,Content-Length,Connection=[close],Date,Server:Keep-Alive,Accept-Ranges:lighttpd/ + +; ----- +; nginx +; ----- + +label = s:!:nginx:1.x +sys = @unix +sig = 1:Server,Date,Content-Type,?Content-Length,?Last-Modified,Connection=[keep-alive],Keep-Alive=[timeout],Accept-Ranges=[bytes]::nginx/ +sig = 1:Server,Date,Content-Type,?Content-Length,?Last-Modified,Connection=[close]:Keep-Alive,Accept-Ranges:nginx/ + +label = s:!:nginx:0.x +sys = @unix +sig = 1:Server,Date,Content-Type,?Content-Length,Connection=[keep-alive],?Last-Modified:Keep-Alive,Accept-Ranges:nginx/ +sig = 1:Server,Date,Content-Type,?Content-Length,Connection=[close],?Last-Modified:Keep-Alive,Accept-Ranges:nginx/ + +; ------------- +; Odds and ends +; ------------- + +label = s:!:Google Web Server: +sys = Linux +sig = *:Content-Type,X-Content-Type-Options=[nosniff],Date,Server=[sffe]:Connection,Accept-Ranges,Keep-Alive,Connection: +sig = *:Date,Content-Type,Server=[gws]:Connection,Accept-Ranges,Keep-Alive: +sig = *:Content-Type,X-Content-Type-Options=[nosniff],Server=[GSE]:Connection,Accept-Ranges,Keep-Alive: diff --git a/docker/p0f/p0f.h b/docker/p0f/p0f.h new file mode 100644 index 00000000..6a0840c9 --- /dev/null +++ b/docker/p0f/p0f.h @@ -0,0 +1,48 @@ +/* + p0f - exports from the main routine + ----------------------------------- + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#ifndef _HAVE_P0F_H +#define _HAVE_P0F_H + +#include "types.h" +#include "process.h" + +extern u8 daemon_mode; +extern s32 link_type; +extern u32 max_conn, max_hosts, conn_max_age, host_idle_limit, hash_seed; +extern u8* read_file; + +void start_observation(char* keyword, u8 field_cnt, u8 to_srv, + struct packet_flow* pf); + +void add_observation_field(char* key, u8* value); + +#define OBSERVF(_key, _fmt...) do { \ + u8* _val; \ + _val = alloc_printf(_fmt); \ + add_observation_field(_key, _val); \ + ck_free(_val); \ + } while (0) + +#include "api.h" + +struct api_client { + + s32 fd; /* -1 if slot free */ + + struct p0f_api_query in_data; /* Query recv buffer */ + u32 in_off; /* Query buffer offset */ + + struct p0f_api_response out_data; /* Response transmit buffer */ + u32 out_off; /* Response buffer offset */ + +}; + +#endif /* !_HAVE_P0F_H */ diff --git a/docker/p0f/process.c b/docker/p0f/process.c new file mode 100644 index 00000000..4eccb13d --- /dev/null +++ b/docker/p0f/process.c @@ -0,0 +1,1548 @@ +/* + p0f - packet capture and overall host / flow bookkeeping + -------------------------------------------------------- + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +#include "types.h" +#include "config.h" +#include "debug.h" +#include "alloc-inl.h" +#include "process.h" +#include "hash.h" +#include "tcp.h" +#include "readfp.h" +#include "p0f.h" + +#include "fp_tcp.h" +#include "fp_mtu.h" +#include "fp_http.h" + +u64 packet_cnt; /* Total number of packets processed */ + +static s8 link_off = -1; /* Link-specific IP header offset */ +static u8 bad_packets; /* Seen non-IP packets? */ + +static struct host_data *host_by_age, /* All host entries, by last mod */ + *newest_host; /* Tail of the list */ + +static struct packet_flow *flow_by_age, /* All flows, by creation time */ + *newest_flow; /* Tail of the list */ + +static struct timeval* cur_time; /* Current time, courtesy of pcap */ + +/* Bucketed hosts and flows: */ + +static struct host_data *host_b[HOST_BUCKETS]; +static struct packet_flow *flow_b[FLOW_BUCKETS]; + +static u32 host_cnt, flow_cnt; /* Counters for bookkeeping purposes */ + +static void flow_dispatch(struct packet_data* pk); +static void nuke_flows(u8 silent); +static void expire_cache(void); + + +/* Get unix time in milliseconds. */ + +u64 get_unix_time_ms(void) { + + return ((u64)cur_time->tv_sec) * 1000 + (cur_time->tv_usec / 1000); +} + + +/* Get unix time in seconds. */ + +u32 get_unix_time(void) { + return cur_time->tv_sec; +} + + +/* Find link-specific offset (pcap knows, but won't tell). */ + +static void find_offset(const u8* data, s32 total_len) { + + u8 i; + + /* Check hardcoded values for some of the most common options. */ + + switch (link_type) { + + case DLT_RAW: link_off = 0; return; + + case DLT_NULL: + case DLT_PPP: link_off = 4; return; + + case DLT_LOOP: + +#ifdef DLT_PPP_SERIAL + case DLT_PPP_SERIAL: +#endif /* DLT_PPP_SERIAL */ + + case DLT_PPP_ETHER: link_off = 8; return; + + case DLT_EN10MB: link_off = 14; return; + +#ifdef DLT_LINUX_SLL + case DLT_LINUX_SLL: link_off = 16; return; +#endif /* DLT_LINUX_SLL */ + + case DLT_PFLOG: link_off = 28; return; + + case DLT_IEEE802_11: link_off = 32; return; + } + + /* If this fails, try to auto-detect. There is a slight risk that if the + first packet we see is maliciously crafted, and somehow gets past the + configured BPF filter, we will configure the wrong offset. But that + seems fairly unlikely. */ + + for (i = 0; i < 40; i += 2, total_len -= 2) { + + if (total_len < MIN_TCP4) break; + + /* Perhaps this is IPv6? We check three things: IP version (first 4 bits); + total length sufficient to accommodate IPv6 and TCP headers; and the + "next protocol" field equal to PROTO_TCP. */ + + if (total_len >= MIN_TCP6 && (data[i] >> 4) == IP_VER6) { + + struct ipv6_hdr* hdr = (struct ipv6_hdr*)(data + i); + + if (hdr->proto == PROTO_TCP) { + + DEBUG("[#] Detected packet offset of %u via IPv6 (link type %u).\n", i, + link_type); + link_off = i; + break; + + } + + } + + /* Okay, let's try IPv4 then. The same approach, except the shortest packet + size must be just enough to accommodate IPv4 + TCP (already checked). */ + + if ((data[i] >> 4) == IP_VER4) { + + struct ipv4_hdr* hdr = (struct ipv4_hdr*)(data + i); + + if (hdr->proto == PROTO_TCP) { + + DEBUG("[#] Detected packet offset of %u via IPv4 (link type %u).\n", i, + link_type); + link_off = i; + break; + + } + + } + + } + + /* If we found something, adjust for VLAN tags (ETH_P_8021Q == 0x8100). Else, + complain once and try again soon. */ + + if (link_off >= 4 && data[i-4] == 0x81 && data[i-3] == 0x00) { + + DEBUG("[#] Adjusting offset due to VLAN tagging.\n"); + link_off -= 4; + + } else if (link_off == -1) { + + link_off = -2; + WARN("Unable to find link-specific packet offset. This is bad."); + + } + +} + + +/* Convert IPv4 or IPv6 address to a human-readable form. */ + +u8* addr_to_str(u8* data, u8 ip_ver) { + + static char tmp[128]; + + /* We could be using inet_ntop(), but on systems that have older libc + but still see passing IPv6 traffic, we would be in a pickle. */ + + if (ip_ver == IP_VER4) { + + sprintf(tmp, "%u.%u.%u.%u", data[0], data[1], data[2], data[3]); + + } else { + + sprintf(tmp, "%x:%x:%x:%x:%x:%x:%x:%x", + (data[0] << 8) | data[1], (data[2] << 8) | data[3], + (data[4] << 8) | data[5], (data[6] << 8) | data[7], + (data[8] << 8) | data[9], (data[10] << 8) | data[11], + (data[12] << 8) | data[13], (data[14] << 8) | data[15]); + + } + + return (u8*)tmp; + +} + + +/* Parse PCAP input, with plenty of sanity checking. Store interesting details + in a protocol-agnostic buffer that will be then examined upstream. */ + +void parse_packet(void* junk, const struct pcap_pkthdr* hdr, const u8* data) { + + struct tcp_hdr* tcp; + struct packet_data pk; + + s32 packet_len; + u32 tcp_doff; + + u8* opt_end; + + packet_cnt++; + + cur_time = (struct timeval*)&hdr->ts; + + if (!(packet_cnt % EXPIRE_INTERVAL)) expire_cache(); + + /* Be paranoid about how much data we actually have off the wire. */ + + packet_len = MIN(hdr->len, hdr->caplen); + if (packet_len > SNAPLEN) packet_len = SNAPLEN; + + // DEBUG("[#] Received packet: len = %d, caplen = %d, limit = %d\n", + // hdr->len, hdr->caplen, SNAPLEN); + + /* Account for link-level headers. */ + + if (link_off < 0) find_offset(data, packet_len); + + if (link_off > 0) { + + data += link_off; + packet_len -= link_off; + + } + + /* If there is no way we could have received a complete TCP packet, bail + out early. */ + + if (packet_len < MIN_TCP4) { + DEBUG("[#] Packet too short for any IPv4 + TCP headers, giving up!\n"); + return; + } + + pk.quirks = 0; + + if ((*data >> 4) == IP_VER4) { + + /************************ + * IPv4 header parsing. * + ************************/ + + const struct ipv4_hdr* ip4 = (struct ipv4_hdr*)data; + + u32 hdr_len = (ip4->ver_hlen & 0x0F) * 4; + u16 flags_off = ntohs(RD16(ip4->flags_off)); + u16 tot_len = ntohs(RD16(ip4->tot_len)); + + /* If the packet claims to be shorter than what we received off the wire, + honor this claim to account for etherleak-type bugs. */ + + if (packet_len > tot_len) { + packet_len = tot_len; + // DEBUG("[#] ipv4.tot_len = %u, adjusted accordingly.\n", tot_len); + } + + /* Bail out if the result leaves no room for IPv4 + TCP headers. */ + + if (packet_len < MIN_TCP4) { + DEBUG("[#] packet_len = %u. Too short for IPv4 + TCP, giving up!\n", + packet_len); + return; + } + + /* Bail out if the declared length of IPv4 headers is nonsensical. */ + + if (hdr_len < sizeof(struct ipv4_hdr)) { + DEBUG("[#] ipv4.hdr_len = %u. Too short for IPv4, giving up!\n", + hdr_len); + return; + } + + /* If the packet claims to be longer than the recv buffer, best to back + off - even though we could just ignore this and recover. */ + + if (tot_len > packet_len) { + DEBUG("[#] ipv4.tot_len = %u but packet_len = %u, bailing out!\n", + tot_len, packet_len); + return; + } + + /* And finally, bail out if after skipping the IPv4 header as specified + (including options), there wouldn't be enough room for TCP. */ + + if (hdr_len + sizeof(struct tcp_hdr) > packet_len) { + DEBUG("[#] ipv4.hdr_len = %u, packet_len = %d, no room for TCP!\n", + hdr_len, packet_len); + return; + } + + /* Bail out if the subsequent protocol is not TCP. */ + + if (ip4->proto != PROTO_TCP) { + DEBUG("[#] Whoa, IPv4 packet with non-TCP payload (%u)?\n", ip4->proto); + return; + } + + /* Ignore any traffic with MF or non-zero fragment offset specified. We + can do enough just fingerprinting the non-fragmented traffic. */ + + if (flags_off & ~(IP4_DF | IP4_MBZ)) { + DEBUG("[#] Packet fragment (0x%04x), letting it slide!\n", flags_off); + return; + } + + /* Store some relevant information about the packet. */ + + pk.ip_ver = IP_VER4; + + pk.ip_opt_len = hdr_len - 20; + + memcpy(pk.src, ip4->src, 4); + memcpy(pk.dst, ip4->dst, 4); + + pk.tos = ip4->tos_ecn >> 2; + + pk.ttl = ip4->ttl; + + if (ip4->tos_ecn & (IP_TOS_CE | IP_TOS_ECT)) pk.quirks |= QUIRK_ECN; + + /* Tag some of the corner cases associated with implementation quirks. */ + + if (flags_off & IP4_MBZ) pk.quirks |= QUIRK_NZ_MBZ; + + if (flags_off & IP4_DF) { + + pk.quirks |= QUIRK_DF; + if (RD16(ip4->id)) pk.quirks |= QUIRK_NZ_ID; + + } else { + + if (!RD16(ip4->id)) pk.quirks |= QUIRK_ZERO_ID; + + } + + pk.tot_hdr = hdr_len; + + tcp = (struct tcp_hdr*)(data + hdr_len); + packet_len -= hdr_len; + + } else if ((*data >> 4) == IP_VER6) { + + /************************ + * IPv6 header parsing. * + ************************/ + + const struct ipv6_hdr* ip6 = (struct ipv6_hdr*)data; + u32 ver_tos = ntohl(RD32(ip6->ver_tos)); + u32 tot_len = ntohs(RD16(ip6->pay_len)) + sizeof(struct ipv6_hdr); + + /* If the packet claims to be shorter than what we received off the wire, + honor this claim to account for etherleak-type bugs. */ + + if (packet_len > tot_len) { + packet_len = tot_len; + // DEBUG("[#] ipv6.tot_len = %u, adjusted accordingly.\n", tot_len); + } + + /* Bail out if the result leaves no room for IPv6 + TCP headers. */ + + if (packet_len < MIN_TCP6) { + DEBUG("[#] packet_len = %u. Too short for IPv6 + TCP, giving up!\n", + packet_len); + return; + } + + /* If the packet claims to be longer than the data we have, best to back + off - even though we could just ignore this and recover. */ + + if (tot_len > packet_len) { + DEBUG("[#] ipv6.tot_len = %u but packet_len = %u, bailing out!\n", + tot_len, packet_len); + return; + } + + /* Bail out if the subsequent protocol is not TCP. One day, we may try + to parse and skip IPv6 extensions, but there seems to be no point in + it today. */ + + if (ip6->proto != PROTO_TCP) { + DEBUG("[#] IPv6 packet with non-TCP payload (%u).\n", ip6->proto); + return; + } + + /* Store some relevant information about the packet. */ + + pk.ip_ver = IP_VER6; + + pk.ip_opt_len = 0; + + memcpy(pk.src, ip6->src, 16); + memcpy(pk.dst, ip6->dst, 16); + + pk.tos = (ver_tos >> 22) & 0x3F; + + pk.ttl = ip6->ttl; + + if (ver_tos & 0xFFFFF) pk.quirks |= QUIRK_FLOW; + + if ((ver_tos >> 20) & (IP_TOS_CE | IP_TOS_ECT)) pk.quirks |= QUIRK_ECN; + + pk.tot_hdr = sizeof(struct ipv6_hdr); + + tcp = (struct tcp_hdr*)(ip6 + 1); + packet_len -= sizeof(struct ipv6_hdr); + + } else { + + if (!bad_packets) { + WARN("Unknown packet type %u, link detection issue?", *data >> 4); + bad_packets = 1; + } + + return; + + } + + /*************** + * TCP parsing * + ***************/ + + data = (u8*)tcp; + + tcp_doff = (tcp->doff_rsvd >> 4) * 4; + + /* As usual, let's start with sanity checks. */ + + if (tcp_doff < sizeof(struct tcp_hdr)) { + DEBUG("[#] tcp.hdr_len = %u, not enough for TCP!\n", tcp_doff); + return; + } + + if (tcp_doff > packet_len) { + DEBUG("[#] tcp.hdr_len = %u, past end of packet!\n", tcp_doff); + return; + } + + pk.tot_hdr += tcp_doff; + + pk.sport = ntohs(RD16(tcp->sport)); + pk.dport = ntohs(RD16(tcp->dport)); + + pk.tcp_type = tcp->flags & (TCP_SYN | TCP_ACK | TCP_FIN | TCP_RST); + + /* NUL, SYN+FIN, SYN+RST, FIN+RST, etc, should go to /dev/null. */ + + if (((tcp->flags & TCP_SYN) && (tcp->flags & (TCP_FIN | TCP_RST))) || + ((tcp->flags & TCP_FIN) && (tcp->flags & TCP_RST)) || + !pk.tcp_type) { + + DEBUG("[#] Silly combination of TCP flags: 0x%02x.\n", tcp->flags); + return; + + } + + pk.win = ntohs(RD16(tcp->win)); + + pk.seq = ntohl(RD32(tcp->seq)); + + /* Take note of miscellanous features and quirks. */ + + if ((tcp->flags & (TCP_ECE | TCP_CWR)) || + (tcp->doff_rsvd & TCP_NS_RES)) pk.quirks |= QUIRK_ECN; + + if (!pk.seq) pk.quirks |= QUIRK_ZERO_SEQ; + + if (tcp->flags & TCP_ACK) { + + if (!RD32(tcp->ack)) pk.quirks |= QUIRK_ZERO_ACK; + + } else { + + /* A good proportion of RSTs tend to have "illegal" ACK numbers, so + ignore these. */ + + if (RD32(tcp->ack) & !(tcp->flags & TCP_RST)) { + + DEBUG("[#] Non-zero ACK on a non-ACK packet: 0x%08x.\n", + ntohl(RD32(tcp->ack))); + + pk.quirks |= QUIRK_NZ_ACK; + + } + + } + + if (tcp->flags & TCP_URG) { + + pk.quirks |= QUIRK_URG; + + } else { + + if (RD16(tcp->urg)) { + + DEBUG("[#] Non-zero UPtr on a non-URG packet: 0x%08x.\n", + ntohl(RD16(tcp->urg))); + + pk.quirks |= QUIRK_NZ_URG; + + } + + } + + if (tcp->flags & TCP_PUSH) pk.quirks |= QUIRK_PUSH; + + /* Handle payload data. */ + + if (tcp_doff == packet_len) { + + pk.payload = NULL; + pk.pay_len = 0; + + } else { + + pk.payload = (u8*)data + tcp_doff; + pk.pay_len = packet_len - tcp_doff; + + } + + /********************** + * TCP option parsing * + **********************/ + + opt_end = (u8*)data + tcp_doff; /* First byte of non-option data */ + data = (u8*)(tcp + 1); + + pk.opt_cnt = 0; + pk.opt_eol_pad = 0; + pk.mss = 0; + pk.wscale = 0; + pk.ts1 = 0; + + /* Option parsing problems are non-fatal, but we want to keep track of + them to spot buggy TCP stacks. */ + + while (data < opt_end && pk.opt_cnt < MAX_TCP_OPT) { + + pk.opt_layout[pk.opt_cnt++] = *data; + + switch (*data++) { + + case TCPOPT_EOL: + + /* EOL is a single-byte option that aborts further option parsing. + Take note of how many bytes of option data are left, and if any of + them are non-zero. */ + + pk.opt_eol_pad = opt_end - data; + + while (data < opt_end && !*data++); + + if (data != opt_end) { + pk.quirks |= QUIRK_OPT_EOL_NZ; + data = opt_end; + } + + break; + + case TCPOPT_NOP: + + /* NOP is a single-byte option that does nothing. */ + + break; + + case TCPOPT_MAXSEG: + + /* MSS is a four-byte option with specified size. */ + + if (data + 3 > opt_end) { + DEBUG("[#] MSS option would end past end of header (%u left).\n", + opt_end - data); + goto abort_options; + } + + if (*data != 4) { + DEBUG("[#] MSS option expected to have 4 bytes, not %u.\n", *data); + pk.quirks |= QUIRK_OPT_BAD; + } + + pk.mss = ntohs(RD16p(data+1)); + + data += 3; + + break; + + case TCPOPT_WSCALE: + + /* WS is a three-byte option with specified size. */ + + if (data + 2 > opt_end) { + DEBUG("[#] WS option would end past end of header (%u left).\n", + opt_end - data); + goto abort_options; + } + + if (*data != 3) { + DEBUG("[#] WS option expected to have 3 bytes, not %u.\n", *data); + pk.quirks |= QUIRK_OPT_BAD; + } + + pk.wscale = data[1]; + + if (pk.wscale > 14) pk.quirks |= QUIRK_OPT_EXWS; + + data += 2; + + break; + + case TCPOPT_SACKOK: + + /* SACKOK is a two-byte option with specified size. */ + + if (data + 1 > opt_end) { + DEBUG("[#] SACKOK option would end past end of header (%u left).\n", + opt_end - data); + goto abort_options; + } + + if (*data != 2) { + DEBUG("[#] SACKOK option expected to have 2 bytes, not %u.\n", *data); + pk.quirks |= QUIRK_OPT_BAD; + } + + data++; + + break; + + case TCPOPT_SACK: + + /* SACK is a variable-length option of 10 to 34 bytes. Because we don't + know the size any better, we need to bail out if it looks wonky. */ + + if (data == opt_end) { + DEBUG("[#] SACK option without room for length field."); + goto abort_options; + } + + if (*data < 10 || *data > 34) { + DEBUG("[#] SACK length out of range (%u), bailing out.\n", *data); + goto abort_options; + } + + if (data - 1 + *data > opt_end) { + DEBUG("[#] SACK option (len %u) is too long (%u left).\n", + *data, opt_end - data); + goto abort_options; + } + + data += *data - 1; + + break; + + case TCPOPT_TSTAMP: + + /* Timestamp is a ten-byte option with specified size. */ + + if (data + 9 > opt_end) { + DEBUG("[#] TStamp option would end past end of header (%u left).\n", + opt_end - data); + goto abort_options; + } + + if (*data != 10) { + DEBUG("[#] TStamp option expected to have 10 bytes, not %u.\n", + *data); + pk.quirks |= QUIRK_OPT_BAD; + } + + pk.ts1 = ntohl(RD32p(data + 1)); + + if (!pk.ts1) pk.quirks |= QUIRK_OPT_ZERO_TS1; + + if (pk.tcp_type == TCP_SYN && RD32p(data + 5)) { + + DEBUG("[#] Non-zero second timestamp: 0x%08x.\n", + ntohl(*(u32*)(data + 5))); + + pk.quirks |= QUIRK_OPT_NZ_TS2; + + } + + data += 9; + + break; + + default: + + /* Unknown option, presumably with specified size. */ + + if (data == opt_end) { + DEBUG("[#] Unknown option 0x%02x without room for length field.", + data[-1]); + goto abort_options; + } + + if (*data < 2 || *data > 40) { + DEBUG("[#] Unknown option 0x%02x has invalid length %u.\n", + data[-1], *data); + goto abort_options; + } + + if (data - 1 + *data > opt_end) { + DEBUG("[#] Unknown option 0x%02x (len %u) is too long (%u left).\n", + data[-1], *data, opt_end - data); + goto abort_options; + } + + data += *data - 1; + + } + + } + + if (data != opt_end) { + +abort_options: + + DEBUG("[#] Option parsing aborted (cnt = %u, remainder = %u).\n", + pk.opt_cnt, opt_end - data); + + pk.quirks |= QUIRK_OPT_BAD; + + } + + flow_dispatch(&pk); + +} + + +/* Calculate hash bucket for packet_flow. Keep the hash symmetrical: switching + source and dest should have no effect. */ + +static u32 get_flow_bucket(struct packet_data* pk) { + + u32 bucket; + + if (pk->ip_ver == IP_VER4) { + bucket = hash32(pk->src, 4, hash_seed) ^ hash32(pk->dst, 4, hash_seed); + } else { + bucket = hash32(pk->src, 16, hash_seed) ^ hash32(pk->dst, 16, hash_seed); + } + + bucket ^= hash32(&pk->sport, 2, hash_seed) ^ hash32(&pk->dport, 2, hash_seed); + + return bucket % FLOW_BUCKETS; + +} + + +/* Calculate hash bucket for host_data. */ + +static u32 get_host_bucket(u8* addr, u8 ip_ver) { + + u32 bucket; + + bucket = hash32(addr, (ip_ver == IP_VER4) ? 4 : 16, hash_seed); + + return bucket % HOST_BUCKETS; + +} + + +/* Look up host data. */ + +struct host_data* lookup_host(u8* addr, u8 ip_ver) { + + u32 bucket = get_host_bucket(addr, ip_ver); + struct host_data* h = host_b[bucket]; + + while (CP(h)) { + + if (ip_ver == h->ip_ver && + !memcmp(addr, h->addr, (h->ip_ver == IP_VER4) ? 4 : 16)) + return h; + + h = h->next; + + } + + return NULL; + +} + + +/* Destroy host data. */ + +static void destroy_host(struct host_data* h) { + + u32 bucket; + + bucket = get_host_bucket(CP(h)->addr, h->ip_ver); + + if (h->use_cnt) FATAL("Attempt to destroy used host data."); + + DEBUG("[#] Destroying host data: %s (bucket %d)\n", + addr_to_str(h->addr, h->ip_ver), bucket); + + /* Remove it from the bucketed linked list. */ + + if (CP(h->next)) h->next->prev = h->prev; + + if (CP(h->prev)) h->prev->next = h->next; + else host_b[bucket] = h->next; + + /* Remove from the by-age linked list. */ + + if (CP(h->newer)) h->newer->older = h->older; + else newest_host = h->older; + + if (CP(h->older)) h->older->newer = h->newer; + else host_by_age = h->newer; + + /* Free memory. */ + + ck_free(h->last_syn); + ck_free(h->last_synack); + + ck_free(h->http_resp); + ck_free(h->http_req_os); + + ck_free(h); + + host_cnt--; + +} + + +/* Indiscriminately kill some of the older hosts. */ + +static void nuke_hosts(void) { + + u32 kcnt = 1 + (host_cnt * KILL_PERCENT / 100); + struct host_data* target = host_by_age; + + if (!read_file) + WARN("Too many host entries, deleting %u. Use -m to adjust.", kcnt); + + nuke_flows(1); + + while (kcnt && CP(target)) { + struct host_data* next = target->older; + if (!target->use_cnt) { kcnt--; destroy_host(target); } + target = next; + } + +} + + + +/* Create a minimal host data. */ + +static struct host_data* create_host(u8* addr, u8 ip_ver) { + + u32 bucket = get_host_bucket(addr, ip_ver); + struct host_data* nh; + + if (host_cnt > max_hosts) nuke_hosts(); + + DEBUG("[#] Creating host data: %s (bucket %u)\n", + addr_to_str(addr, ip_ver), bucket); + + nh = ck_alloc(sizeof(struct host_data)); + + /* Insert into the bucketed linked list. */ + + if (CP(host_b[bucket])) { + host_b[bucket]->prev = nh; + nh->next = host_b[bucket]; + } + + host_b[bucket] = nh; + + /* Insert into the by-age linked list. */ + + if (CP(newest_host)) { + + newest_host->newer = nh; + nh->older = newest_host; + + } else host_by_age = nh; + + newest_host = nh; + + /* Populate other data. */ + + nh->ip_ver = ip_ver; + memcpy(nh->addr, addr, (ip_ver == IP_VER4) ? 4 : 16); + + nh->last_seen = nh->first_seen = get_unix_time(); + + nh->last_up_min = -1; + nh->last_class_id = -1; + nh->last_name_id = -1; + nh->http_name_id = -1; + nh->distance = -1; + + host_cnt++; + + return nh; + +} + + +/* Touch host data to make it more recent. */ + +static void touch_host(struct host_data* h) { + + CP(h); + + DEBUG("[#] Refreshing host data: %s\n", addr_to_str(h->addr, h->ip_ver)); + + if (h != CP(newest_host)) { + + /* Remove from the the by-age linked list. */ + + CP(h->newer); + h->newer->older = h->older; + + if (CP(h->older)) h->older->newer = h->newer; + else host_by_age = h->newer; + + /* Re-insert in front. */ + + newest_host->newer = h; + h->older = newest_host; + h->newer = NULL; + + newest_host = h; + + /* This wasn't the only entry on the list, so there is no + need to update the tail (host_by_age). */ + + } + + /* Update last seen time. */ + + h->last_seen = get_unix_time(); + +} + + + +/* Destroy a flow. */ + +static void destroy_flow(struct packet_flow* f) { + + CP(f); + CP(f->client); + CP(f->server); + + DEBUG("[#] Destroying flow: %s/%u -> ", + addr_to_str(f->client->addr, f->client->ip_ver), f->cli_port); + + DEBUG("%s/%u (bucket %u)\n", + addr_to_str(f->server->addr, f->server->ip_ver), f->srv_port, + f->bucket); + + /* Remove it from the bucketed linked list. */ + + if (CP(f->next)) f->next->prev = f->prev; + + if (CP(f->prev)) f->prev->next = f->next; + else { CP(flow_b[f->bucket]); flow_b[f->bucket] = f->next; } + + /* Remove from the by-age linked list. */ + + if (CP(f->newer)) f->newer->older = f->older; + else { CP(newest_flow); newest_flow = f->older; } + + if (CP(f->older)) f->older->newer = f->newer; + else flow_by_age = f->newer; + + /* Free memory, etc. */ + + f->client->use_cnt--; + f->server->use_cnt--; + + free_sig_hdrs(&f->http_tmp); + + ck_free(f->request); + ck_free(f->response); + ck_free(f); + + flow_cnt--; + +} + + +/* Indiscriminately kill some of the oldest flows. */ + +static void nuke_flows(u8 silent) { + + u32 kcnt = 1 + (flow_cnt * KILL_PERCENT / 100); + + if (silent) + DEBUG("[#] Pruning connections - trying to delete %u...\n",kcnt); + else if (!read_file) + WARN("Too many tracked connections, deleting %u. " + "Use -m to adjust.", kcnt); + + while (kcnt-- && flow_by_age) destroy_flow(flow_by_age); + +} + + + +/* Create flow, and host data if necessary. If counts exceeded, prune old. */ + +static struct packet_flow* create_flow_from_syn(struct packet_data* pk) { + + u32 bucket = get_flow_bucket(pk); + struct packet_flow* nf; + + if (flow_cnt > max_conn) nuke_flows(0); + + DEBUG("[#] Creating flow from SYN: %s/%u -> ", + addr_to_str(pk->src, pk->ip_ver), pk->sport); + + DEBUG("%s/%u (bucket %u)\n", + addr_to_str(pk->dst, pk->ip_ver), pk->dport, bucket); + + nf = ck_alloc(sizeof(struct packet_flow)); + + nf->client = lookup_host(pk->src, pk->ip_ver); + + if (nf->client) touch_host(nf->client); + else nf->client = create_host(pk->src, pk->ip_ver); + + nf->server = lookup_host(pk->dst, pk->ip_ver); + + if (nf->server) touch_host(nf->server); + else nf->server = create_host(pk->dst, pk->ip_ver); + + nf->client->use_cnt++; + nf->server->use_cnt++; + + nf->client->total_conn++; + nf->server->total_conn++; + + /* Insert into the bucketed linked list.*/ + + if (CP(flow_b[bucket])) { + flow_b[bucket]->prev = nf; + nf->next = flow_b[bucket]; + } + + flow_b[bucket] = nf; + + /* Insert into the by-age linked list */ + + if (CP(newest_flow)) { + newest_flow->newer = nf; + nf->older = newest_flow; + } else flow_by_age = nf; + + newest_flow = nf; + + /* Populate other data */ + + nf->cli_port = pk->sport; + nf->srv_port = pk->dport; + nf->bucket = bucket; + nf->created = get_unix_time(); + + nf->next_cli_seq = pk->seq + 1; + + flow_cnt++; + return nf; + +} + + +/* Look up an existing flow. */ + +static struct packet_flow* lookup_flow(struct packet_data* pk, u8* to_srv) { + + u32 bucket = get_flow_bucket(pk); + struct packet_flow* f = flow_b[bucket]; + + while (CP(f)) { + + CP(f->client); + CP(f->server); + + if (pk->ip_ver != f->client->ip_ver) goto lookup_next; + + if (pk->sport == f->cli_port && pk->dport == f->srv_port && + !memcmp(pk->src, f->client->addr, (pk->ip_ver == IP_VER4) ? 4 : 16) && + !memcmp(pk->dst, f->server->addr, (pk->ip_ver == IP_VER4) ? 4 : 16)) { + + *to_srv = 1; + return f; + + } + + if (pk->dport == f->cli_port && pk->sport == f->srv_port && + !memcmp(pk->dst, f->client->addr, (pk->ip_ver == IP_VER4) ? 4 : 16) && + !memcmp(pk->src, f->server->addr, (pk->ip_ver == IP_VER4) ? 4 : 16)) { + + *to_srv = 0; + return f; + + } + +lookup_next: + + f = f->next; + + } + + return NULL; + +} + + +/* Go through host and flow cache, expire outdated items. */ + +static void expire_cache(void) { + struct host_data* target; + static u32 pt; + + u32 ct = get_unix_time(); + + if (ct == pt) return; + pt = ct; + + DEBUG("[#] Cache expiration kicks in...\n"); + + while (CP(flow_by_age) && ct - flow_by_age->created > conn_max_age) + destroy_flow(flow_by_age); + + target = host_by_age; + + while (CP(target) && ct - target->last_seen > host_idle_limit * 60) { + struct host_data* newer = target->newer; + if (!target->use_cnt) destroy_host(target); + target = newer; + } + +} + + +/* Insert data from a packet into a flow, call handlers as appropriate. */ + +static void flow_dispatch(struct packet_data* pk) { + + struct packet_flow* f; + struct tcp_sig* tsig; + u8 to_srv = 0; + u8 need_more = 0; + + DEBUG("[#] Received TCP packet: %s/%u -> ", + addr_to_str(pk->src, pk->ip_ver), pk->sport); + + DEBUG("%s/%u (type 0x%02x, pay_len = %u)\n", + addr_to_str(pk->dst, pk->ip_ver), pk->dport, pk->tcp_type, + pk->pay_len); + + f = lookup_flow(pk, &to_srv); + + switch (pk->tcp_type) { + + case TCP_SYN: + + if (f) { + + /* Perhaps just a simple dupe? */ + if (to_srv && f->next_cli_seq - 1 == pk->seq) return; + + DEBUG("[#] New SYN for an existing flow, resetting.\n"); + destroy_flow(f); + + } + + f = create_flow_from_syn(pk); + + tsig = fingerprint_tcp(1, pk, f); + + /* We don't want to do any further processing on generic non-OS + signatures (e.g. NMap). The easiest way to guarantee that is to + kill the flow. */ + + if (!tsig && !f->sendsyn) { + + destroy_flow(f); + return; + + } + + fingerprint_mtu(1, pk, f); + check_ts_tcp(1, pk, f); + + if (tsig) { + + /* This can't be done in fingerprint_tcp because check_ts_tcp() + depends on having original SYN / SYN+ACK data. */ + + ck_free(f->client->last_syn); + f->client->last_syn = tsig; + + } + + break; + + case TCP_SYN | TCP_ACK: + + if (!f) { + + DEBUG("[#] Stray SYN+ACK with no flow.\n"); + return; + + } + + /* This is about as far as we want to go with p0f-sendsyn. */ + + if (f->sendsyn) { + + fingerprint_tcp(0, pk, f); + destroy_flow(f); + return; + + } + + + if (to_srv) { + + DEBUG("[#] SYN+ACK from client to server, trippy.\n"); + return; + + } + + if (f->acked) { + + if (f->next_srv_seq - 1 != pk->seq) + DEBUG("[#] Repeated but non-identical SYN+ACK (0x%08x != 0x%08x).\n", + f->next_srv_seq - 1, pk->seq); + + return; + + } + + f->acked = 1; + + tsig = fingerprint_tcp(0, pk, f); + + /* SYN from real OS, SYN+ACK from a client stack. Weird, but whatever. */ + + if (!tsig) { + + destroy_flow(f); + return; + + } + + fingerprint_mtu(0, pk, f); + check_ts_tcp(0, pk, f); + + ck_free(f->server->last_synack); + f->server->last_synack = tsig; + + f->next_srv_seq = pk->seq + 1; + + break; + + case TCP_RST | TCP_ACK: + case TCP_RST: + case TCP_FIN | TCP_ACK: + case TCP_FIN: + + if (f) { + + check_ts_tcp(to_srv, pk, f); + destroy_flow(f); + + } + + break; + + case TCP_ACK: + + if (!f) return; + + /* Stop there, you criminal scum! */ + + if (f->sendsyn) { + destroy_flow(f); + return; + } + + if (!f->acked) { + + DEBUG("[#] Never received SYN+ACK to complete handshake, huh.\n"); + destroy_flow(f); + return; + + } + + if (to_srv) { + + /* We don't do stream reassembly, so if something arrives out of order, + we won't catch it. Oh well. */ + + if (f->next_cli_seq != pk->seq) { + + /* Not a simple dupe? */ + + if (f->next_cli_seq - pk->pay_len != pk->seq) + DEBUG("[#] Expected client seq 0x%08x, got 0x%08x.\n", f->next_cli_seq, pk->seq); + + return; + } + + /* Append data */ + + if (f->req_len < MAX_FLOW_DATA && pk->pay_len) { + + u32 read_amt = MIN(pk->pay_len, MAX_FLOW_DATA - f->req_len); + + f->request = ck_realloc_kb(f->request, f->req_len + read_amt + 1); + memcpy(f->request + f->req_len, pk->payload, read_amt); + f->req_len += read_amt; + + } + + check_ts_tcp(1, pk, f); + + f->next_cli_seq += pk->pay_len; + + } else { + + if (f->next_srv_seq != pk->seq) { + + /* Not a simple dupe? */ + + if (f->next_srv_seq - pk->pay_len != pk->seq) + DEBUG("[#] Expected server seq 0x%08x, got 0x%08x.\n", + f->next_cli_seq, pk->seq); + + return; + + } + + /* Append data */ + + if (f->resp_len < MAX_FLOW_DATA && pk->pay_len) { + + u32 read_amt = MIN(pk->pay_len, MAX_FLOW_DATA - f->resp_len); + + f->response = ck_realloc_kb(f->response, f->resp_len + read_amt + 1); + memcpy(f->response + f->resp_len, pk->payload, read_amt); + f->resp_len += read_amt; + + } + + check_ts_tcp(0, pk, f); + + f->next_srv_seq += pk->pay_len; + + } + + if (!pk->pay_len) return; + + need_more |= process_http(to_srv, f); + + if (!need_more) { + + DEBUG("[#] All modules done, no need to keep tracking flow.\n"); + destroy_flow(f); + + } else if (f->req_len >= MAX_FLOW_DATA && f->resp_len >= MAX_FLOW_DATA) { + + DEBUG("[#] Per-flow capture size limit exceeded.\n"); + destroy_flow(f); + + } + + break; + + default: + + WARN("Huh. Unexpected packet type 0x%02x in flow_dispatch().", pk->tcp_type); + + } + +} + + +/* Add NAT score, check if alarm due. */ + +void add_nat_score(u8 to_srv, struct packet_flow* f, u16 reason, u8 score) { + + static u8 rea[1024]; + + struct host_data* hd; + u8 *scores, *rptr = rea; + u32 i; + u8 over_5 = 0, over_2 = 0, over_1 = 0, over_0 = 0; + + if (to_srv) { + + hd = f->client; + scores = hd->cli_scores; + + } else { + + hd = f->server; + scores = hd->srv_scores; + + } + + memmove(scores, scores + 1, NAT_SCORES - 1); + scores[NAT_SCORES - 1] = score; + hd->nat_reasons |= reason; + + if (!score) return; + + for (i = 0; i < NAT_SCORES; i++) switch (scores[i]) { + case 6 ... 255: over_5++; + case 3 ... 5: over_2++; + case 2: over_1++; + case 1: over_0++; + } + + if (over_5 > 2 || over_2 > 4 || over_1 > 6 || over_0 > 8) { + + start_observation("ip sharing", 2, to_srv, f); + + reason = hd->nat_reasons; + + hd->last_nat = get_unix_time(); + + memset(scores, 0, NAT_SCORES); + hd->nat_reasons = 0; + + } else { + + /* Wait for something more substantial. */ + if (score == 1) return; + + start_observation("host change", 2, to_srv, f); + + hd->last_chg = get_unix_time(); + + } + + *rptr = 0; + +#define REAF(_par...) do { \ + rptr += sprintf((char*)rptr, _par); \ + } while (0) + + if (reason & NAT_APP_SIG) REAF(" app_vs_os"); + if (reason & NAT_OS_SIG) REAF(" os_diff"); + if (reason & NAT_UNK_DIFF) REAF(" sig_diff"); + if (reason & NAT_TO_UNK) REAF(" x_known"); + if (reason & NAT_TS) REAF(" tstamp"); + if (reason & NAT_TTL) REAF(" ttl"); + if (reason & NAT_PORT) REAF(" port"); + if (reason & NAT_MSS) REAF(" mtu"); + if (reason & NAT_FUZZY) REAF(" fuzzy"); + + if (reason & NAT_APP_VIA) REAF(" via"); + if (reason & NAT_APP_DATE) REAF(" date"); + if (reason & NAT_APP_LB) REAF(" srv_sig_lb"); + if (reason & NAT_APP_UA) REAF(" ua_vs_os"); + +#undef REAF + + add_observation_field("reason", rea[0] ? (rea + 1) : NULL); + + OBSERVF("raw_hits", "%u,%u,%u,%u", over_5, over_2, over_1, over_0); + +} + + +/* Verify if tool class (called from modules). */ + +void verify_tool_class(u8 to_srv, struct packet_flow* f, u32* sys, u32 sys_cnt) { + + struct host_data* hd; + u32 i; + + if (to_srv) hd = f->client; else hd = f->server; + + CP(sys); + + /* No existing data; although there is perhaps some value in detecting + app-only conflicts in absence of other info, it's probably OK to just + wait until more data becomes available. */ + + if (hd->last_class_id == -1) return; + + for (i = 0; i < sys_cnt; i++) + + if ((sys[i] & SYS_CLASS_FLAG)) { + + if (SYS_NF(sys[i]) == hd->last_class_id) break; + + } else { + + if (SYS_NF(sys[i]) == hd->last_name_id) break; + + } + + /* Oops, a mismatch. */ + + if (i == sys_cnt) { + + DEBUG("[#] Detected app not supposed to run on host OS.\n"); + add_nat_score(to_srv, f, NAT_APP_SIG, 4); + + } else { + + DEBUG("[#] Detected app supported on host OS.\n"); + add_nat_score(to_srv, f, 0, 0); + + } + +} + + +/* Clean up everything. */ + +void destroy_all_hosts(void) { + + while (flow_by_age) destroy_flow(flow_by_age); + while (host_by_age) destroy_host(host_by_age); + +} diff --git a/docker/p0f/process.h b/docker/p0f/process.h new file mode 100644 index 00000000..54332829 --- /dev/null +++ b/docker/p0f/process.h @@ -0,0 +1,216 @@ +/* + p0f - packet capture and overall host / flow bookkeeping + -------------------------------------------------------- + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#ifndef _HAVE_PROCESS_H +#define _HAVE_PROCESS_H + +#include + +#include "types.h" +#include "fp_tcp.h" +#include "fp_http.h" + +/* Parsed information handed over by the pcap callback: */ + +struct packet_data { + + u8 ip_ver; /* IP_VER4, IP_VER6 */ + u8 tcp_type; /* TCP_SYN, ACK, FIN, RST */ + + u8 src[16]; /* Source address (left-aligned) */ + u8 dst[16]; /* Destination address (left-aligned */ + + u16 sport; /* Source port */ + u16 dport; /* Destination port */ + + u8 ttl; /* Observed TTL */ + u8 tos; /* IP ToS value */ + + u16 mss; /* Maximum segment size */ + u16 win; /* Window size */ + u8 wscale; /* Window scaling */ + u16 tot_hdr; /* Total headers (for MTU calc) */ + + u8 opt_layout[MAX_TCP_OPT]; /* Ordering of TCP options */ + u8 opt_cnt; /* Count of TCP options */ + u8 opt_eol_pad; /* Amount of padding past EOL */ + + u32 ts1; /* Own timestamp */ + + u32 quirks; /* QUIRK_* */ + + u8 ip_opt_len; /* Length of IP options */ + + u8* payload; /* TCP payload */ + u16 pay_len; /* Length of TCP payload */ + + u32 seq; /* seq value seen */ + +}; + +/* IP-level quirks: */ + +#define QUIRK_ECN 0x00000001 /* ECN supported */ +#define QUIRK_DF 0x00000002 /* DF used (probably PMTUD) */ +#define QUIRK_NZ_ID 0x00000004 /* Non-zero IDs when DF set */ +#define QUIRK_ZERO_ID 0x00000008 /* Zero IDs when DF not set */ +#define QUIRK_NZ_MBZ 0x00000010 /* IP "must be zero" field isn't */ +#define QUIRK_FLOW 0x00000020 /* IPv6 flows used */ + +/* Core TCP quirks: */ + +#define QUIRK_ZERO_SEQ 0x00001000 /* SEQ is zero */ +#define QUIRK_NZ_ACK 0x00002000 /* ACK non-zero when ACK flag not set */ +#define QUIRK_ZERO_ACK 0x00004000 /* ACK is zero when ACK flag set */ +#define QUIRK_NZ_URG 0x00008000 /* URG non-zero when URG flag not set */ +#define QUIRK_URG 0x00010000 /* URG flag set */ +#define QUIRK_PUSH 0x00020000 /* PUSH flag on a control packet */ + +/* TCP option quirks: */ + +#define QUIRK_OPT_ZERO_TS1 0x01000000 /* Own timestamp set to zero */ +#define QUIRK_OPT_NZ_TS2 0x02000000 /* Peer timestamp non-zero on SYN */ +#define QUIRK_OPT_EOL_NZ 0x04000000 /* Non-zero padding past EOL */ +#define QUIRK_OPT_EXWS 0x08000000 /* Excessive window scaling */ +#define QUIRK_OPT_BAD 0x10000000 /* Problem parsing TCP options */ + +/* Host record with persistent fingerprinting data: */ + +struct host_data { + + struct host_data *prev, *next; /* Linked lists */ + struct host_data *older, *newer; + u32 use_cnt; /* Number of packet_flows attached */ + + u32 first_seen; /* Record created (unix time) */ + u32 last_seen; /* Host last seen (unix time) */ + u32 total_conn; /* Total number of connections ever */ + + u8 ip_ver; /* Address type */ + u8 addr[16]; /* Host address data */ + + struct tcp_sig* last_syn; /* Sig of the most recent SYN */ + struct tcp_sig* last_synack; /* Sig of the most recent SYN+ACK */ + + s32 last_class_id; /* OS class ID (-1 = not found) */ + s32 last_name_id; /* OS name ID (-1 = not found) */ + u8* last_flavor; /* Last OS flavor */ + + u8 last_quality; /* Generic or fuzzy match? */ + + u8* link_type; /* MTU-derived link type */ + + u8 cli_scores[NAT_SCORES]; /* Scoreboard for client NAT */ + u8 srv_scores[NAT_SCORES]; /* Scoreboard for server NAT */ + u16 nat_reasons; /* NAT complaints */ + + u32 last_nat; /* Last NAT detection time */ + u32 last_chg; /* Last OS change detection time */ + + u16 last_port; /* Source port on last SYN */ + + u8 distance; /* Last measured distance */ + + s32 last_up_min; /* Last computed uptime (-1 = none) */ + u32 up_mod_days; /* Uptime modulo (days) */ + + /* HTTP business: */ + + struct http_sig* http_req_os; /* Last request, if class != -1 */ + struct http_sig* http_resp; /* Last response */ + + s32 http_name_id; /* Client name ID (-1 = not found) */ + u8* http_flavor; /* Client flavor */ + + u8* language; /* Detected language */ + + u8 bad_sw; /* Used dishonest U-A or Server? */ + + u16 http_resp_port; /* Port on which response seen */ + +}; + +/* Reasons for NAT detection: */ + +#define NAT_APP_SIG 0x0001 /* App signature <-> OS mismatch */ +#define NAT_OS_SIG 0x0002 /* OS detection mismatch */ +#define NAT_UNK_DIFF 0x0004 /* Current sig unknown, but different */ +#define NAT_TO_UNK 0x0008 /* Sig changed from known to unknown */ +#define NAT_TS 0x0010 /* Timestamp goes back */ +#define NAT_PORT 0x0020 /* Source port goes back */ +#define NAT_TTL 0x0040 /* TTL changes unexpectedly */ +#define NAT_FUZZY 0x0080 /* Signature fuzziness changes */ +#define NAT_MSS 0x0100 /* MSS changes */ + +#define NAT_APP_LB 0x0200 /* Server signature changes */ +#define NAT_APP_VIA 0x0400 /* Via / X-Forwarded-For seen */ +#define NAT_APP_DATE 0x0800 /* Date changes in a weird way */ +#define NAT_APP_UA 0x1000 /* User-Agent OS inconsistency */ + +/* TCP flow record, maintained until all fingerprinting modules are happy: */ + +struct packet_flow { + + struct packet_flow *prev, *next; /* Linked lists */ + struct packet_flow *older, *newer; + u32 bucket; /* Bucket this flow belongs to */ + + struct host_data* client; /* Requesting client */ + struct host_data* server; /* Target server */ + + u16 cli_port; /* Client port */ + u16 srv_port; /* Server port */ + + u8 acked; /* SYN+ACK received? */ + u8 sendsyn; /* Created by p0f-sendsyn? */ + + s16 srv_tps; /* Computed TS divisor (-1 = bad) */ + s16 cli_tps; + + u8* request; /* Client-originating data */ + u32 req_len; /* Captured data length */ + u32 next_cli_seq; /* Next seq on cli -> srv packet */ + + u8* response; /* Server-originating data */ + u32 resp_len; /* Captured data length */ + u32 next_srv_seq; /* Next seq on srv -> cli packet */ + u16 syn_mss; /* MSS on SYN packet */ + + u32 created; /* Flow creation date (unix time) */ + + /* Application-level fingerprinting: */ + + s8 in_http; /* 0 = tbd, 1 = yes, -1 = no */ + + u8 http_req_done; /* Done collecting req headers? */ + u32 http_pos; /* Current parsing offset */ + u8 http_gotresp1; /* Got initial line of a response? */ + + struct http_sig http_tmp; /* Temporary signature */ + +}; + +extern u64 packet_cnt; + +void parse_packet(void* junk, const struct pcap_pkthdr* hdr, const u8* data); + +u8* addr_to_str(u8* data, u8 ip_ver); + +u64 get_unix_time_ms(void); +u32 get_unix_time(void); + +void add_nat_score(u8 to_srv, struct packet_flow* f, u16 reason, u8 score); +void verify_tool_class(u8 to_srv, struct packet_flow* f, u32* sys, u32 sys_cnt); + +struct host_data* lookup_host(u8* addr, u8 ip_ver); + +void destroy_all_hosts(void); + +#endif /* !_HAVE_PROCESS_H */ diff --git a/docker/p0f/readfp.c b/docker/p0f/readfp.c new file mode 100644 index 00000000..34a3cac8 --- /dev/null +++ b/docker/p0f/readfp.c @@ -0,0 +1,450 @@ +/* + p0f - p0f.fp file parser + ------------------------ + + Every project has this one really ugly C file. This is ours. + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#define _GNU_SOURCE + +#include +#include +#include +#include + +#include +#include +#include +#include + +#include "types.h" +#include "config.h" +#include "debug.h" +#include "alloc-inl.h" +#include "fp_tcp.h" +#include "fp_mtu.h" +#include "fp_http.h" +#include "readfp.h" + +static u32 sig_cnt; /* Total number of p0f.fp sigs */ + +static u8 state = CF_NEED_SECT, /* Parser state (CF_NEED_*) */ + mod_type, /* Current module (CF_MOD_*) */ + mod_to_srv, /* Traffic direction */ + generic; /* Generic signature? */ + +static s32 sig_class; /* Signature class ID (-1 = userland) */ +static u32 sig_name; /* Signature name */ +static u8* sig_flavor; /* Signature flavor */ + +static u32* cur_sys; /* Current 'sys' values */ +static u32 cur_sys_cnt; /* Number of 'sys' entries */ + +u8 **fp_os_classes, /* Map of OS classes */ + **fp_os_names; /* Map of OS names */ + +static u32 class_cnt, /* Sizes for maps */ + name_cnt, + label_id, /* Current label ID */ + line_no; /* Current line number */ + + +/* Parse 'classes' parameter by populating fp_os_classes. */ + +static void config_parse_classes(u8* val) { + + while (*val) { + + u8* nxt; + + while (isblank(*val) || *val == ',') val++; + + nxt = val; + + while (isalnum(*nxt)) nxt++; + + if (nxt == val || (*nxt && *nxt != ',')) + FATAL("Malformed class entry in line %u.", line_no); + + fp_os_classes = DFL_ck_realloc(fp_os_classes, (class_cnt + 1) * sizeof(u8*)); + + fp_os_classes[class_cnt++] = DFL_ck_memdup_str(val, nxt - val); + + val = nxt; + + } + +} + + +/* Look up or create OS or application id. */ + +u32 lookup_name_id(u8* name, u8 len) { + + u32 i; + + for (i = 0; i < name_cnt; i++) + if (!strncasecmp((char*)name, (char*)fp_os_names[i], len) + && !fp_os_names[i][len]) break; + + if (i == name_cnt) { + + sig_name = name_cnt; + + fp_os_names = DFL_ck_realloc(fp_os_names, (name_cnt + 1) * sizeof(u8*)); + fp_os_names[name_cnt++] = DFL_ck_memdup_str(name, len); + + } + + return i; + +} + + +/* Parse 'label' parameter by looking up ID and recording name / flavor. */ + +static void config_parse_label(u8* val) { + + u8* nxt; + u32 i; + + /* Simplified handling for [mtu] signatures. */ + + if (mod_type == CF_MOD_MTU) { + + if (!*val) FATAL("Empty MTU label in line %u.\n", line_no); + + sig_flavor = DFL_ck_strdup(val); + return; + + } + + if (*val == 'g') generic = 1; + else if (*val == 's') generic = 0; + else FATAL("Malformed class entry in line %u.", line_no); + + if (val[1] != ':') FATAL("Malformed class entry in line %u.", line_no); + + val += 2; + + nxt = val; + while (isalnum(*nxt) || *nxt == '!') nxt++; + + if (nxt == val || *nxt != ':') FATAL("Malformed class entry in line %u.", line_no); + + if (*val == '!' && val[1] == ':') { + + sig_class = -1; + + } else { + + *nxt = 0; + + for (i = 0; i < class_cnt; i++) + if (!strcasecmp((char*)val, (char*)fp_os_classes[i])) break; + + if (i == class_cnt) FATAL("Unknown class '%s' in line %u.", val, line_no); + + sig_class = i; + + } + + nxt++; + val = nxt; + while (isalnum(*nxt) || (*nxt && strchr(NAME_CHARS, *nxt))) nxt++; + + if (nxt == val || *nxt != ':') FATAL("Malformed name in line %u.", line_no); + + sig_name = lookup_name_id(val, nxt - val); + + if (nxt[1]) sig_flavor = DFL_ck_strdup(nxt + 1); + else sig_flavor = NULL; + + label_id++; + +} + + +/* Parse 'sys' parameter into cur_sys[]. */ + +static void config_parse_sys(u8* val) { + + if (cur_sys) { + cur_sys = NULL; + cur_sys_cnt = 0; + } + + while (*val) { + + u8* nxt; + u8 is_cl = 0, orig; + u32 i; + + while (isblank(*val) || *val == ',') val++; + + if (*val == '@') { is_cl = 1; val++; } + + nxt = val; + + while (isalnum(*nxt) || (*nxt && strchr(NAME_CHARS, *nxt))) nxt++; + + if (nxt == val || (*nxt && *nxt != ',')) + FATAL("Malformed sys entry in line %u.", line_no); + + orig = *nxt; + *nxt = 0; + + if (is_cl) { + + for (i = 0; i < class_cnt; i++) + if (!strcasecmp((char*)val, (char*)fp_os_classes[i])) break; + + if (i == class_cnt) + FATAL("Unknown class '%s' in line %u.", val, line_no); + + i |= SYS_CLASS_FLAG; + + } else { + + for (i = 0; i < name_cnt; i++) + if (!strcasecmp((char*)val, (char*)fp_os_names[i])) break; + + if (i == name_cnt) { + fp_os_names = DFL_ck_realloc(fp_os_names, (name_cnt + 1) * sizeof(u8*)); + fp_os_names[name_cnt++] = DFL_ck_memdup_str(val, nxt - val); + } + + } + + cur_sys = DFL_ck_realloc(cur_sys, (cur_sys_cnt + 1) * 4); + cur_sys[cur_sys_cnt++] = i; + + *nxt = orig; + val = nxt; + + } + +} + + +/* Read p0f.fp line, dispatching it to fingerprinting modules as necessary. */ + +static void config_parse_line(u8* line) { + + u8 *val,*eon; + + /* Special handling for [module:direction]... */ + + if (*line == '[') { + + u8* dir; + + line++; + + /* Simplified case for [mtu]. */ + + if (!strcmp((char*)line, "mtu]")) { + + mod_type = CF_MOD_MTU; + state = CF_NEED_LABEL; + return; + + } + + dir = (u8*)strchr((char*)line, ':'); + + if (!dir) FATAL("Malformed section identifier in line %u.", line_no); + + *dir = 0; dir++; + + if (!strcmp((char*)line, "tcp")) { + + mod_type = CF_MOD_TCP; + + } else if (!strcmp((char*)line, "http")) { + + mod_type = CF_MOD_HTTP; + + } else { + + FATAL("Unrecognized fingerprinting module '%s' in line %u.", line, line_no); + + } + + if (!strcmp((char*)dir, "request]")) { + + mod_to_srv = 1; + + } else if (!strcmp((char*)dir, "response]")) { + + mod_to_srv = 0; + + } else { + + FATAL("Unrecognized traffic direction in line %u.", line_no); + + } + + state = CF_NEED_LABEL; + return; + + } + + /* Everything else follows the 'name = value' approach. */ + + val = line; + + while (isalpha(*val) || *val == '_') val++; + eon = val; + + while (isblank(*val)) val++; + + if (line == val || *val != '=') + FATAL("Unexpected statement in line %u.", line_no); + + while (isblank(*++val)); + + *eon = 0; + + if (!strcmp((char*)line, "classes")) { + + if (state != CF_NEED_SECT) + FATAL("misplaced 'classes' in line %u.", line_no); + + config_parse_classes(val); + + } else if (!strcmp((char*)line, "ua_os")) { + + if (state != CF_NEED_LABEL || mod_to_srv != 1 || mod_type != CF_MOD_HTTP) + FATAL("misplaced 'us_os' in line %u.", line_no); + + http_parse_ua(val, line_no); + + } else if (!strcmp((char*)line, "label")) { + + /* We will drop sig_sys / sig_flavor on the floor if no signatures + actually created, but it's not worth tracking that. */ + + if (state != CF_NEED_LABEL && state != CF_NEED_SIG) + FATAL("misplaced 'label' in line %u.", line_no); + + config_parse_label(val); + + if (mod_type != CF_MOD_MTU && sig_class < 0) state = CF_NEED_SYS; + else state = CF_NEED_SIG; + + } else if (!strcmp((char*)line, "sys")) { + + if (state != CF_NEED_SYS) + FATAL("Misplaced 'sys' in line %u.", line_no); + + config_parse_sys(val); + + state = CF_NEED_SIG; + + } else if (!strcmp((char*)line, "sig")) { + + if (state != CF_NEED_SIG) FATAL("Misplaced 'sig' in line %u.", line_no); + + switch (mod_type) { + + case CF_MOD_TCP: + tcp_register_sig(mod_to_srv, generic, sig_class, sig_name, sig_flavor, + label_id, cur_sys, cur_sys_cnt, val, line_no); + break; + + case CF_MOD_MTU: + mtu_register_sig(sig_flavor, val, line_no); + break; + + case CF_MOD_HTTP: + http_register_sig(mod_to_srv, generic, sig_class, sig_name, sig_flavor, + label_id, cur_sys, cur_sys_cnt, val, line_no); + break; + + } + + sig_cnt++; + + } else { + + FATAL("Unrecognized field '%s' in line %u.", line, line_no); + + } + +} + + +/* Top-level file parsing. */ + +void read_config(u8* fname) { + + s32 f; + struct stat st; + u8 *data, *cur; + + f = open((char*)fname, O_RDONLY); + if (f < 0) PFATAL("Cannot open '%s' for reading.", fname); + + if (fstat(f, &st)) PFATAL("fstat() on '%s' failed.", fname); + + if (!st.st_size) { + close(f); + goto end_fp_read; + } + + cur = data = ck_alloc(st.st_size + 1); + + if (read(f, data, st.st_size) != st.st_size) + FATAL("Short read from '%s'.", fname); + + data[st.st_size] = 0; + + close(f); + + /* If you put NUL in your p0f.fp... Well, sucks to be you. */ + + while (1) { + + u8 *eol; + + line_no++; + + while (isblank(*cur)) cur++; + + eol = cur; + while (*eol && *eol != '\n') eol++; + + if (*cur != ';' && cur != eol) { + + u8* line = ck_memdup_str(cur, eol - cur); + + config_parse_line(line); + + ck_free(line); + + } + + if (!*eol) break; + + cur = eol + 1; + + } + + ck_free(data); + +end_fp_read: + + if (!sig_cnt) + SAYF("[!] No signatures found in '%s'.\n", fname); + else + SAYF("[+] Loaded %u signature%s from '%s'.\n", sig_cnt, + sig_cnt == 1 ? "" : "s", fname); + +} + diff --git a/docker/p0f/readfp.h b/docker/p0f/readfp.h new file mode 100644 index 00000000..9998e00b --- /dev/null +++ b/docker/p0f/readfp.h @@ -0,0 +1,41 @@ +/* + p0f - p0f.fp file parser + ------------------------ + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#ifndef _HAVE_READFP_H +#define _HAVE_READFP_H + +#include "types.h" + +/* List of fingerprinting modules: */ + +#define CF_MOD_TCP 0x00 /* fp_tcp.c */ +#define CF_MOD_MTU 0x01 /* fp_mtu.c */ +#define CF_MOD_HTTP 0x02 /* fp_http.c */ + +/* Parser states: */ + +#define CF_NEED_SECT 0x00 /* Waiting for [...] or 'classes' */ +#define CF_NEED_LABEL 0x01 /* Waiting for 'label' */ +#define CF_NEED_SYS 0x02 /* Waiting for 'sys' */ +#define CF_NEED_SIG 0x03 /* Waiting for signatures, if any. */ + +/* Flag to distinguish OS class and name IDs */ + +#define SYS_CLASS_FLAG (1<<31) +#define SYS_NF(_x) ((_x) & ~SYS_CLASS_FLAG) + +extern u8** fp_os_classes; +extern u8** fp_os_names; + +void read_config(u8* fname); + +u32 lookup_name_id(u8* name, u8 len); + +#endif /* !_HAVE_READFP_H */ diff --git a/docker/p0f/tcp.h b/docker/p0f/tcp.h new file mode 100644 index 00000000..c5858f67 --- /dev/null +++ b/docker/p0f/tcp.h @@ -0,0 +1,141 @@ +/* + p0f - portable IP and TCP headers + --------------------------------- + + Note that all multi-byte fields are in network (i.e., big) endian, and may + need to be converted before use. + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#ifndef _HAVE_TCP_H +#define _HAVE_TCP_H + +#include "types.h" + +/************* + * IP common * + *************/ + +/* Protocol versions: */ + +#define IP_VER4 0x04 +#define IP_VER6 0x06 + +/* IP-level ECN: */ + +#define IP_TOS_CE 0x01 /* Congestion encountered */ +#define IP_TOS_ECT 0x02 /* ECN supported */ + +/* Encapsulated protocols we care about: */ + +#define PROTO_TCP 0x06 + + +/******** + * IPv4 * + ********/ + +struct ipv4_hdr { + + u8 ver_hlen; /* IP version (4), IP hdr len in dwords (4) */ + u8 tos_ecn; /* ToS field (6), ECN flags (2) */ + u16 tot_len; /* Total packet length, in bytes */ + u16 id; /* IP ID */ + u16 flags_off; /* Flags (3), fragment offset (13) */ + u8 ttl; /* Time to live */ + u8 proto; /* Next protocol */ + u16 cksum; /* Header checksum */ + u8 src[4]; /* Source IP */ + u8 dst[4]; /* Destination IP */ + + /* Dword-aligned options may follow. */ + +} __attribute__((packed)); + +/* IP flags: */ + +#define IP4_MBZ 0x8000 /* "Must be zero" */ +#define IP4_DF 0x4000 /* Don't fragment (usually PMTUD) */ +#define IP4_MF 0x2000 /* More fragments coming */ + + +/******** + * IPv6 * + ********/ + +struct ipv6_hdr { + + u32 ver_tos; /* Version (4), ToS (6), ECN (2), flow (20) */ + u16 pay_len; /* Total payload length, in bytes */ + u8 proto; /* Next protocol */ + u8 ttl; /* Time to live */ + u8 src[16]; /* Source IP */ + u8 dst[16]; /* Destination IP */ + + /* Dword-aligned options may follow if proto != PROTO_TCP and are + included in total_length; but we won't be seeing such traffic due + to BPF rules. */ + +} __attribute__((packed)); + + + +/******* + * TCP * + *******/ + +struct tcp_hdr { + + u16 sport; /* Source port */ + u16 dport; /* Destination port */ + u32 seq; /* Sequence number */ + u32 ack; /* Acknowledgment number */ + u8 doff_rsvd; /* Data off dwords (4), rsvd (3), ECN (1) */ + u8 flags; /* Flags, including ECN */ + u16 win; /* Window size */ + u16 cksum; /* Header and payload checksum */ + u16 urg; /* "Urgent" pointer */ + + /* Dword-aligned options may follow. */ + +} __attribute__((packed)); + + +/* Normal flags: */ + +#define TCP_FIN 0x01 +#define TCP_SYN 0x02 +#define TCP_RST 0x04 +#define TCP_PUSH 0x08 +#define TCP_ACK 0x10 +#define TCP_URG 0x20 + +/* ECN stuff: */ + +#define TCP_ECE 0x40 /* ECN supported (SYN) or detected */ +#define TCP_CWR 0x80 /* ECE acknowledgment */ +#define TCP_NS_RES 0x01 /* ECE notification via TCP */ + +/* Notable options: */ + +#define TCPOPT_EOL 0 /* End of options (1) */ +#define TCPOPT_NOP 1 /* No-op (1) */ +#define TCPOPT_MAXSEG 2 /* Maximum segment size (4) */ +#define TCPOPT_WSCALE 3 /* Window scaling (3) */ +#define TCPOPT_SACKOK 4 /* Selective ACK permitted (2) */ +#define TCPOPT_SACK 5 /* Actual selective ACK (10-34) */ +#define TCPOPT_TSTAMP 8 /* Timestamp (10) */ + + +/*************** + * Other stuff * + ***************/ + +#define MIN_TCP4 (sizeof(struct ipv4_hdr) + sizeof(struct tcp_hdr)) +#define MIN_TCP6 (sizeof(struct ipv6_hdr) + sizeof(struct tcp_hdr)) + +#endif /* !_HAVE_TCP_H */ diff --git a/docker/p0f/tools/Makefile b/docker/p0f/tools/Makefile new file mode 100644 index 00000000..5f74322d --- /dev/null +++ b/docker/p0f/tools/Makefile @@ -0,0 +1,18 @@ +# +# p0f - Makefile for tools +# ------------------------ +# +# Copyright (C) 2012 by Michal Zalewski +# +# Distributed under the terms and conditions of GNU LGPL. +# + +CC = gcc +CFLAGS = -g -ggdb -Wall -Wno-format -funsigned-char +LDFLAGS = +TARGETS = p0f-client p0f-sendsyn p0f-sendsyn6 + +all: $(TARGETS) + +clean: + rm -f -- $(TARGETS) *.exe *.o a.out *~ core core.[1-9][0-9]* *.stackdump 2>/dev/null diff --git a/docker/p0f/tools/README-TOOLS b/docker/p0f/tools/README-TOOLS new file mode 100644 index 00000000..fab3c6b3 --- /dev/null +++ b/docker/p0f/tools/README-TOOLS @@ -0,0 +1,16 @@ +This directory contains several helper tools mentioned in ../README: + + p0f-sendsyn.c - a tool for gathering new SYN+ACK signatures + + p0f-sendsyn6.c - the same, for IPv6 destinations + + p0f-client.c - simple API client tool for p0f -s mode + +Note that IPv6 addresses need to be passed to the utilities in a fully-expanded +form (i.e., no ::). + +To build any of these programs, simply type 'make progname', e.g.: + + make p0f-sendsyn + +If that fails, you can drop me a mail at lcamtuf@coredump.cx. diff --git a/docker/p0f/tools/p0f-client.c b/docker/p0f/tools/p0f-client.c new file mode 100644 index 00000000..77db4acf --- /dev/null +++ b/docker/p0f/tools/p0f-client.c @@ -0,0 +1,215 @@ +/* + p0f-client - simple API client + ------------------------------ + + Can be used to query p0f API sockets. + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include "../types.h" +#include "../config.h" +#include "../alloc-inl.h" +#include "../debug.h" +#include "../api.h" + +/* Parse IPv4 address into a buffer. */ + +static void parse_addr4(char* str, u8* ret) { + + u32 a1, a2, a3, a4; + + if (sscanf(str, "%u.%u.%u.%u", &a1, &a2, &a3, &a4) != 4) + FATAL("Malformed IPv4 address."); + + if (a1 > 255 || a2 > 255 || a3 > 255 || a4 > 255) + FATAL("Malformed IPv4 address."); + + ret[0] = a1; + ret[1] = a2; + ret[2] = a3; + ret[3] = a4; + +} + + +/* Parse IPv6 address into a buffer. */ + +static void parse_addr6(char* str, u8* ret) { + + u32 seg = 0; + u32 val; + + while (*str) { + + if (seg == 8) FATAL("Malformed IPv6 address (too many segments)."); + + if (sscanf((char*)str, "%x", &val) != 1 || + val > 65535) FATAL("Malformed IPv6 address (bad octet value)."); + + ret[seg * 2] = val >> 8; + ret[seg * 2 + 1] = val; + + seg++; + + while (isxdigit(*str)) str++; + if (*str) str++; + + } + + if (seg != 8) FATAL("Malformed IPv6 address (don't abbreviate)."); + +} + + +int main(int argc, char** argv) { + + u8 tmp[128]; + struct tm* t; + + static struct p0f_api_query q; + static struct p0f_api_response r; + + static struct sockaddr_un sun; + + s32 sock; + time_t ut; + + if (argc != 3) { + ERRORF("Usage: p0f-client /path/to/socket host_ip\n"); + exit(1); + } + + q.magic = P0F_QUERY_MAGIC; + + if (strchr(argv[2], ':')) { + + parse_addr6(argv[2], q.addr); + q.addr_type = P0F_ADDR_IPV6; + + } else { + + parse_addr4(argv[2], q.addr); + q.addr_type = P0F_ADDR_IPV4; + + } + + sock = socket(PF_UNIX, SOCK_STREAM, 0); + + if (sock < 0) PFATAL("Call to socket() failed."); + + sun.sun_family = AF_UNIX; + + if (strlen(argv[1]) >= sizeof(sun.sun_path)) + FATAL("API socket filename is too long for sockaddr_un (blame Unix)."); + + strcpy(sun.sun_path, argv[1]); + + if (connect(sock, (struct sockaddr*)&sun, sizeof(sun))) + PFATAL("Can't connect to API socket."); + + if (write(sock, &q, sizeof(struct p0f_api_query)) != + sizeof(struct p0f_api_query)) FATAL("Short write to API socket."); + + if (read(sock, &r, sizeof(struct p0f_api_response)) != + sizeof(struct p0f_api_response)) FATAL("Short read from API socket."); + + close(sock); + + if (r.magic != P0F_RESP_MAGIC) + FATAL("Bad response magic (0x%08x).\n", r.magic); + + if (r.status == P0F_STATUS_BADQUERY) + FATAL("P0f did not understand the query.\n"); + + if (r.status == P0F_STATUS_NOMATCH) { + SAYF("No matching host in p0f cache. That's all we know.\n"); + return 0; + } + + ut = r.first_seen; + t = localtime(&ut); + strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t); + + SAYF("First seen = %s\n", tmp); + + ut = r.last_seen; + t = localtime(&ut); + strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t); + + SAYF("Last update = %s\n", tmp); + + SAYF("Total flows = %u\n", r.total_conn); + + if (!r.os_name[0]) + SAYF("Detected OS = ???\n"); + else + SAYF("Detected OS = %s %s%s%s\n", r.os_name, r.os_flavor, + (r.os_match_q & P0F_MATCH_GENERIC) ? " [generic]" : "", + (r.os_match_q & P0F_MATCH_FUZZY) ? " [fuzzy]" : ""); + + if (!r.http_name[0]) + SAYF("HTTP software = ???\n"); + else + SAYF("HTTP software = %s %s (ID %s)\n", r.http_name, r.http_flavor, + (r.bad_sw == 2) ? "is fake" : (r.bad_sw ? "OS mismatch" : "seems legit")); + + if (!r.link_type[0]) + SAYF("Network link = ???\n"); + else + SAYF("Network link = %s\n", r.link_type); + + if (!r.language[0]) + SAYF("Language = ???\n"); + else + SAYF("Language = %s\n", r.language); + + + if (r.distance == -1) + SAYF("Distance = ???\n"); + else + SAYF("Distance = %u\n", r.distance); + + if (r.last_nat) { + ut = r.last_nat; + t = localtime(&ut); + strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t); + SAYF("IP sharing = %s\n", tmp); + } + + if (r.last_chg) { + ut = r.last_chg; + t = localtime(&ut); + strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t); + SAYF("Sys change = %s\n", tmp); + } + + if (r.uptime_min) { + SAYF("Uptime = %u days %u hrs %u min (modulo %u days)\n", + r.uptime_min / 60 / 24, (r.uptime_min / 60) % 24, r.uptime_min % 60, + r.up_mod_days); + } + + return 0; + +} + diff --git a/docker/p0f/tools/p0f-sendsyn.c b/docker/p0f/tools/p0f-sendsyn.c new file mode 100644 index 00000000..78f23c5f --- /dev/null +++ b/docker/p0f/tools/p0f-sendsyn.c @@ -0,0 +1,185 @@ +/* + p0f-sendsyn - SYN sender + ------------------------ + + This trivial utility sends 8 SYN packets to open ports on destination hosts, + and lets you capture SYN+ACK signatures. The problem with SYN+ACK + fingerprinting is that on some systems, the response varies depending on the + use of window scaling, timestamps, or selective ACK in the initial SYN - so + this utility is necessary to exercise all the code paths. + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#include "../types.h" +#include "../config.h" +#include "../alloc-inl.h" +#include "../debug.h" +#include "../tcp.h" + + +/* Do a basic IPv4 TCP checksum. */ + +static void tcp_cksum(u8* src, u8* dst, struct tcp_hdr* t, u8 opt_len) { + + u32 sum, i; + u8* p; + + if (opt_len % 4) FATAL("Packet size not aligned to 4."); + + t->cksum = 0; + + sum = PROTO_TCP + sizeof(struct tcp_hdr) + opt_len; + + p = (u8*)t; + + for (i = 0; i < sizeof(struct tcp_hdr) + opt_len; i += 2, p += 2) + sum += (*p << 8) + p[1]; + + p = src; + + for (i = 0; i < 4; i += 2, p += 2) sum += (*p << 8) + p[1]; + + p = dst; + + for (i = 0; i < 4; i += 2, p += 2) sum += (*p << 8) + p[1]; + + t->cksum = htons(~(sum + (sum >> 16))); + +} + + +/* Parse IPv4 address into a buffer. */ + +static void parse_addr(char* str, u8* ret) { + + u32 a1, a2, a3, a4; + + if (sscanf(str, "%u.%u.%u.%u", &a1, &a2, &a3, &a4) != 4) + FATAL("Malformed IPv4 address."); + + if (a1 > 255 || a2 > 255 || a3 > 255 || a4 > 255) + FATAL("Malformed IPv4 address."); + + ret[0] = a1; + ret[1] = a2; + ret[2] = a3; + ret[3] = a4; + +} + + +#define W(_x) (_x) >> 8, (_x) & 0xff +#define D(_x) (_x) >> 24, ((_x) >> 16) & 0xff, ((_x) >> 8) & 0xff, (_x) & 0xff + +#define EOL TCPOPT_EOL +#define NOP TCPOPT_NOP +#define MSS(_x) TCPOPT_MAXSEG, 4, W(_x) +#define WS(_x) TCPOPT_WSCALE, 3, (_x) +#define SOK TCPOPT_SACKOK, 2 +#define TS(_x,_y) TCPOPT_TSTAMP, 10, D(_x), D(_y) + +/* There are virtually no OSes that do not send MSS. Support for RFC 1323 + and 2018 is not given, so we have to test various combinations here. */ + +static u8 opt_combos[8][24] = { + + { MSS(SPECIAL_MSS), NOP, EOL }, /* 6 */ + + { MSS(SPECIAL_MSS), SOK, NOP, EOL }, /* 8 */ + + { MSS(SPECIAL_MSS), WS(5), NOP, EOL }, /* 9 */ + + { MSS(SPECIAL_MSS), WS(5), SOK, NOP, EOL }, /* 12 */ + + { MSS(SPECIAL_MSS), TS(1337, 0), NOP, EOL }, /* 17 */ + + { MSS(SPECIAL_MSS), SOK, TS(1337, 0), NOP, EOL }, /* 19 */ + + { MSS(SPECIAL_MSS), WS(5), TS(1337, 0), NOP, EOL }, /* 20 */ + + { MSS(SPECIAL_MSS), WS(5), SOK, TS(1337, 0), NOP, EOL } /* 22 */ + +}; + + +int main(int argc, char** argv) { + + static struct sockaddr_in sin; + char one = 1; + s32 sock; + u32 i; + + static u8 work_buf[MIN_TCP4 + 24]; + + struct ipv4_hdr* ip4 = (struct ipv4_hdr*)work_buf; + struct tcp_hdr* tcp = (struct tcp_hdr*)(ip4 + 1); + u8 *opts = work_buf + MIN_TCP4; + + + if (argc != 4) { + ERRORF("Usage: p0f-sendsyn your_ip dst_ip port\n"); + exit(1); + } + + parse_addr(argv[1], ip4->src); + parse_addr(argv[2], ip4->dst); + + sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); + + if (sock < 0) PFATAL("Can't open raw socket (you need to be root)."); + + if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char*)&one, sizeof(char))) + PFATAL("setsockopt() on raw socket failed."); + + sin.sin_family = PF_INET; + + memcpy(&sin.sin_addr.s_addr, ip4->dst, 4); + + ip4->ver_hlen = 0x45; + ip4->tot_len = htons(MIN_TCP4 + 24); + ip4->ttl = 192; + ip4->proto = PROTO_TCP; + + tcp->dport = htons(atoi(argv[3])); + tcp->seq = htonl(0x12345678); + tcp->doff_rsvd = ((sizeof(struct tcp_hdr) + 24) / 4) << 4; + tcp->flags = TCP_SYN; + tcp->win = htons(SPECIAL_WIN); + + for (i = 0; i < 8; i++) { + + tcp->sport = htons(65535 - i); + + memcpy(opts, opt_combos[i], 24); + tcp_cksum(ip4->src, ip4->dst, tcp, 24); + + if (sendto(sock, work_buf, sizeof(work_buf), 0, (struct sockaddr*)&sin, + sizeof(struct sockaddr_in)) < 0) PFATAL("sendto() fails."); + + usleep(100000); + + } + + SAYF("Eight packets sent! Check p0f output to examine responses, if any.\n"); + + return 0; + +} + diff --git a/docker/p0f/tools/p0f-sendsyn6.c b/docker/p0f/tools/p0f-sendsyn6.c new file mode 100644 index 00000000..8e8e5440 --- /dev/null +++ b/docker/p0f/tools/p0f-sendsyn6.c @@ -0,0 +1,198 @@ +/* + p0f-sendsyn6 - IPv6 SYN sender + ------------------------------ + + This trivial utility sends 8 SYN packets to open ports on destination hosts, + and lets you capture SYN+ACK signatures. The problem with SYN+ACK + fingerprinting is that on some systems, the response varies depending on the + use of window scaling, timestamps, or selective ACK in the initial SYN - so + this utility is necessary to exercise all the code paths. + + Note that the IPv6 variant will not compile properly if you don't have + IPv6-enabled libc; and will not work unless your kernel actually supports + IPv6. + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#include "../types.h" +#include "../config.h" +#include "../alloc-inl.h" +#include "../debug.h" +#include "../tcp.h" + + +/* Do a basic IPv6 TCP checksum. */ + +static void tcp_cksum(u8* src, u8* dst, struct tcp_hdr* t, u8 opt_len) { + + u32 sum, i; + u8* p; + + if (opt_len % 4) FATAL("Packet size not aligned to 4."); + + t->cksum = 0; + + sum = PROTO_TCP + sizeof(struct tcp_hdr) + opt_len; + + p = (u8*)t; + + for (i = 0; i < sizeof(struct tcp_hdr) + opt_len; i += 2, p += 2) + sum += (*p << 8) + p[1]; + + p = src; + + for (i = 0; i < 16; i += 2, p += 2) sum += (*p << 8) + p[1]; + + p = dst; + + for (i = 0; i < 16; i += 2, p += 2) sum += (*p << 8) + p[1]; + + t->cksum = htons(~(sum + (sum >> 16))); + +} + + +/* Parse IPv6 address into a buffer. */ + +static void parse_addr(char* str, u8* ret) { + + u32 seg = 0; + u32 val; + + while (*str) { + + if (seg == 8) FATAL("Malformed IPv6 address (too many segments)."); + + if (sscanf((char*)str, "%x", &val) != 1 || + val > 65535) FATAL("Malformed IPv6 address (bad octet value)."); + + ret[seg * 2] = val >> 8; + ret[seg * 2 + 1] = val; + + seg++; + + while (isxdigit(*str)) str++; + if (*str) str++; + + } + + if (seg != 8) FATAL("Malformed IPv6 address (don't abbreviate)."); + +} + + +#define W(_x) (_x) >> 8, (_x) & 0xff +#define D(_x) (_x) >> 24, ((_x) >> 16) & 0xff, ((_x) >> 8) & 0xff, (_x) & 0xff + +#define EOL TCPOPT_EOL +#define NOP TCPOPT_NOP +#define MSS(_x) TCPOPT_MAXSEG, 4, W(_x) +#define WS(_x) TCPOPT_WSCALE, 3, (_x) +#define SOK TCPOPT_SACKOK, 2 +#define TS(_x,_y) TCPOPT_TSTAMP, 10, D(_x), D(_y) + +/* There are virtually no OSes that do not send MSS. Support for RFC 1323 + and 2018 is not given, so we have to test various combinations here. */ + +static u8 opt_combos[8][24] = { + + { MSS(SPECIAL_MSS), NOP, EOL }, /* 6 */ + + { MSS(SPECIAL_MSS), SOK, NOP, EOL }, /* 8 */ + + { MSS(SPECIAL_MSS), WS(5), NOP, EOL }, /* 9 */ + + { MSS(SPECIAL_MSS), WS(5), SOK, NOP, EOL }, /* 12 */ + + { MSS(SPECIAL_MSS), TS(1337, 0), NOP, EOL }, /* 17 */ + + { MSS(SPECIAL_MSS), SOK, TS(1337, 0), NOP, EOL }, /* 19 */ + + { MSS(SPECIAL_MSS), WS(5), TS(1337, 0), NOP, EOL }, /* 20 */ + + { MSS(SPECIAL_MSS), WS(5), SOK, TS(1337, 0), NOP, EOL } /* 22 */ + +}; + +int main(int argc, char** argv) { + + static struct sockaddr_in6 sin; + char one = 1; + s32 sock; + u32 i; + + static u8 work_buf[MIN_TCP6 + 24]; + + struct ipv6_hdr* ip6 = (struct ipv6_hdr*)work_buf; + struct tcp_hdr* tcp = (struct tcp_hdr*)(ip6 + 1); + u8 *opts = work_buf + MIN_TCP6; + + + if (argc != 4) { + ERRORF("Usage: p0f-sendsyn your_ip dst_ip port\n"); + exit(1); + } + + parse_addr(argv[1], ip6->src); + parse_addr(argv[2], ip6->dst); + + sock = socket(AF_INET, SOCK_RAW, IPPROTO_IPV6); + + if (sock < 0) PFATAL("Can't open raw socket (you need to be root)."); + + if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char*)&one, sizeof(char))) + PFATAL("setsockopt() on raw socket failed."); + + sin.sin6_family = PF_INET6; + + memcpy(&sin.sin6_addr, ip6->dst, 16); + + ip6->ver_tos = ntohl(6 << 24); + ip6->pay_len = ntohs(sizeof(struct tcp_hdr) + 24); + ip6->proto = PROTO_TCP; + ip6->ttl = 192; + + tcp->dport = htons(atoi(argv[3])); + tcp->seq = htonl(0x12345678); + tcp->doff_rsvd = ((sizeof(struct tcp_hdr) + 24) / 4) << 4; + tcp->flags = TCP_SYN; + tcp->win = htons(SPECIAL_WIN); + + for (i = 0; i < 8; i++) { + + tcp->sport = htons(65535 - i); + + memcpy(opts, opt_combos[i], 24); + tcp_cksum(ip6->src, ip6->dst, tcp, 24); + + if (sendto(sock, work_buf, sizeof(work_buf), 0, (struct sockaddr*)&sin, + sizeof(struct sockaddr_in6)) < 0) PFATAL("sendto() fails."); + + usleep(100000); + + } + + SAYF("Eight packets sent! Check p0f output to examine responses, if any.\n"); + + return 0; + +} + diff --git a/docker/p0f/types.h b/docker/p0f/types.h new file mode 100644 index 00000000..bef76531 --- /dev/null +++ b/docker/p0f/types.h @@ -0,0 +1,46 @@ +/* + p0f - type definitions and minor macros + --------------------------------------- + + Copyright (C) 2012 by Michal Zalewski + + Distributed under the terms and conditions of GNU LGPL. + + */ + +#ifndef _HAVE_TYPES_H +#define _HAVE_TYPES_H + +#include + +typedef uint8_t u8; +typedef uint16_t u16; +typedef uint32_t u32; +typedef uint64_t u64; + +typedef int8_t s8; +typedef int16_t s16; +typedef int32_t s32; +typedef int64_t s64; + +#ifndef MIN +# define MIN(_a,_b) ((_a) > (_b) ? (_b) : (_a)) +# define MAX(_a,_b) ((_a) > (_b) ? (_a) : (_b)) +#endif /* !MIN */ + +/* Macros for non-aligned memory access. */ + +#ifdef ALIGN_ACCESS +# include +# define RD16(_val) ({ u16 _ret; memcpy(&_ret, &(_val), 2); _ret; }) +# define RD32(_val) ({ u32 _ret; memcpy(&_ret, &(_val), 4); _ret; }) +# define RD16p(_ptr) ({ u16 _ret; memcpy(&_ret, _ptr, 2); _ret; }) +# define RD32p(_ptr) ({ u32 _ret; memcpy(&_ret, _ptr, 4); _ret; }) +#else +# define RD16(_val) ((u16)_val) +# define RD32(_val) ((u32)_val) +# define RD16p(_ptr) (*((u16*)(_ptr))) +# define RD32p(_ptr) (*((u32*)(_ptr))) +#endif /* ^ALIGN_ACCESS */ + +#endif /* ! _HAVE_TYPES_H */ diff --git a/docker/rdpy/Dockerfile b/docker/rdpy/Dockerfile new file mode 100644 index 00000000..999361cc --- /dev/null +++ b/docker/rdpy/Dockerfile @@ -0,0 +1,36 @@ +FROM alpine +MAINTAINER MO + +# Include dist +ADD dist/ /root/dist/ + +# Get and install dependencies & packages +RUN apk -U upgrade && \ + apk add bash build-base git libffi-dev openssl openssl-dev procps python python-dev py-pip py-setuptools && \ + apk -U add --repository https://dl-cdn.alpinelinux.org/alpine/edge/testing/ \ + py-qt && \ + +# Setup user + addgroup -g 2000 rdpy && \ + adduser -S -s /bin/bash -u 2000 -D -g 2000 rdpy && \ + +# Install rdpy from git + cd /home/rdpy && \ + git clone https://github.com/t3chn0m4g3/rdpy && \ + pip install --no-cache-dir --upgrade cffi && \ + pip install twisted pyopenssl qt4reactor service_identity rsa pyasn1==0.3.3 && \ + cd rdpy && \ + python setup.py install && \ + +# Setup user, groups and configs + cp /root/dist/* /home/rdpy/ && \ + chown rdpy:rdpy -R /home/rdpy/* && \ + mkdir -p /var/log/rdpy && \ + +# Clean up + rm -rf /root/* && \ + apk del build-base libffi-dev openssl-dev python-dev py-pip py-qt && \ + rm -rf /var/cache/apk/* + +# Start rdpy +CMD /usr/bin/python2 -i /usr/bin/rdpy-rdphoneypot.py /home/rdpy/1 /home/rdpy/2 /home/rdpy/3 >> /var/log/rdpy/rdpy.log diff --git a/docker/rdpy/LICENSE b/docker/rdpy/LICENSE new file mode 100644 index 00000000..ef7e7efc --- /dev/null +++ b/docker/rdpy/LICENSE @@ -0,0 +1,674 @@ +GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. + + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + {one line to give the program's name and a brief idea of what it does.} + Copyright (C) {year} {name of author} + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + {project} Copyright (C) {year} {fullname} + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. diff --git a/docker/rdpy/README.md b/docker/rdpy/README.md new file mode 100644 index 00000000..859b9074 --- /dev/null +++ b/docker/rdpy/README.md @@ -0,0 +1,2 @@ +# dockerized rdpy + diff --git a/docker/rdpy/dist/1 b/docker/rdpy/dist/1 new file mode 100644 index 00000000..382f9272 Binary files /dev/null and b/docker/rdpy/dist/1 differ diff --git a/docker/rdpy/dist/2 b/docker/rdpy/dist/2 new file mode 100644 index 00000000..804d6980 Binary files /dev/null and b/docker/rdpy/dist/2 differ diff --git a/docker/rdpy/dist/3 b/docker/rdpy/dist/3 new file mode 100644 index 00000000..b4c23a75 Binary files /dev/null and b/docker/rdpy/dist/3 differ diff --git a/docker/rdpy/docker-compose.yml b/docker/rdpy/docker-compose.yml new file mode 100644 index 00000000..bc05bd31 --- /dev/null +++ b/docker/rdpy/docker-compose.yml @@ -0,0 +1,20 @@ +# T-Pot (Standard) +# For docker-compose ... +version: '2.1' + +networks: + rdpy_local: + +services: + +# Rdpy service + rdpy: + container_name: rdpy + restart: always + networks: + - rdpy_local + ports: + - "3389:3389" + image: "dtagdevsec/rdpy:1706" + volumes: + - /data/rdpy/log:/var/log/rdpy diff --git a/docker/spiderfoot/Dockerfile b/docker/spiderfoot/Dockerfile new file mode 100644 index 00000000..40917b33 --- /dev/null +++ b/docker/spiderfoot/Dockerfile @@ -0,0 +1,32 @@ +FROM alpine +MAINTAINER MO + +# Get and install dependencies & packages +RUN apk -U upgrade && \ + apk add bash build-base curl git libxml2-dev libxslt-dev openssl-dev procps python-dev py-lxml py-netaddr py-mako py-pip py-setuptools py-requests swig && \ + apk -U add --repository http://dl-3.alpinelinux.org/alpine/edge/testing/ \ + py-beautifulsoup4 py-cherrypy && \ + pip install m2crypto && \ + +# Setup user + addgroup -g 2000 spiderfoot && \ + adduser -S -s /bin/bash -u 2000 -D -g 2000 spiderfoot && \ + +# Install spiderfoot + git clone https://github.com/smicallef/spiderfoot -b v2.11.0-final /home/spiderfoot && \ + chown -R spiderfoot:spiderfoot /home/spiderfoot && \ + sed -i "s#'__docroot': ''#'__docroot': '\/spiderfoot'#" /home/spiderfoot/sf.py && \ + sed -i 's#raise cherrypy.HTTPRedirect("\/")#raise cherrypy.HTTPRedirect("\/spiderfoot")#' /home/spiderfoot/sfwebui.py && \ + +# Clean up + apk del build-base git libxml2-dev libxslt-dev openssl-dev python-dev py-pip py-setuptools && \ + apk add openssl libxml2 libxslt python && \ + rm -rf /var/cache/apk/* + +# Healthcheck +HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:8080' + +# Set user, workdir and start spiderfoot +USER spiderfoot +WORKDIR /home/spiderfoot +CMD ["/usr/bin/python", "sf.py", "0.0.0.0:8080"] diff --git a/docker/spiderfoot/README.md b/docker/spiderfoot/README.md new file mode 100644 index 00000000..7dbd34c0 --- /dev/null +++ b/docker/spiderfoot/README.md @@ -0,0 +1,4 @@ +[![](https://images.microbadger.com/badges/version/dtagdevsec/spiderfoot:1706.svg)](https://microbadger.com/images/dtagdevsec/spiderfoot:1706 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/spiderfoot:1706.svg)](https://microbadger.com/images/dtagdevsec/spiderfoot:1706 "Get your own image badge on microbadger.com") + +# spiderfoot +Dockerized Spiderfoot for use in T-Pot diff --git a/docker/suricata/Dockerfile b/docker/suricata/Dockerfile new file mode 100644 index 00000000..fa531451 --- /dev/null +++ b/docker/suricata/Dockerfile @@ -0,0 +1,29 @@ +FROM alpine +MAINTAINER MO + +# Include dist +ADD dist/ /root/dist/ + +# Install packages +RUN apk -U upgrade && \ + apk add bash ca-certificates file procps wget && \ + apk -U add --repository https://dl-cdn.alpinelinux.org/alpine/edge/community \ + suricata && \ + +# Setup user, groups and configs + addgroup -g 2000 suri && \ + adduser -S -H -u 2000 -D -g 2000 suri && \ + mv /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \ + mv /root/dist/capture-filter.bpf /etc/suricata/capture-filter.bpf && \ + +# Download the latest EmergingThreats ruleset, replace rulebase and enable all rules + cp /root/dist/update.sh /usr/bin/ && \ + chmod u+x /usr/bin/update.sh && \ + update.sh && \ + +# Clean up + rm -rf /root/* && \ + rm -rf /var/cache/apk/* + +# Start suricata +CMD update.sh && suricata -v -F /etc/suricata/capture-filter.bpf -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:]) diff --git a/docker/suricata/LICENSE b/docker/suricata/LICENSE new file mode 100644 index 00000000..ef7e7efc --- /dev/null +++ b/docker/suricata/LICENSE @@ -0,0 +1,674 @@ +GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. + + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + {one line to give the program's name and a brief idea of what it does.} + Copyright (C) {year} {name of author} + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + {project} Copyright (C) {year} {fullname} + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. diff --git a/docker/suricata/README.md b/docker/suricata/README.md new file mode 100644 index 00000000..cec54f18 --- /dev/null +++ b/docker/suricata/README.md @@ -0,0 +1,31 @@ +[![](https://images.microbadger.com/badges/version/dtagdevsec/suricata:1706.svg)](https://microbadger.com/images/dtagdevsec/suricata:1706 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/suricata:1706.svg)](https://microbadger.com/images/dtagdevsec/suricata:1706 "Get your own image badge on microbadger.com") + +# dockerized suricata + + +[suricata](http://suricata-ids.org/) is a Network IDS, IPS and Network Security Monitoring engine. + +This repository contains the necessary files to create a *dockerized* version of suricata. + +This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG. + +The `Dockerfile` contains the blueprint for the dockerized suricata and will be used to setup the docker image. + +The `suricata.yaml` is tailored to fit the T-Pot environment. + +The `supervisord.conf` is used to start suricata under supervision of supervisord. + +Using systemd, copy the `systemd/suricata.service` to `/etc/systemd/system/suricata.service` and start using + +``` +systemctl enable suricata +systemctl start suricata +``` + +This will make sure that the docker container is started with the appropriate permissions and port mappings. Further, it autostarts during boot. + +By default all data will be stored in `/data/suricata/` until the service will be restarted which is by default every 24 hours. If you want to keep data persistently simply edit the ``service`` file, find the line that contains ``clean.sh`` and set the option from ``off`` to ``on``. Be advised to establish some sort of log management if you wish to do so. + +# Suricata Dashboard + +![Suricata Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/suricata/master/doc/dashboard.png) diff --git a/docker/suricata/dist/capture-filter.bpf b/docker/suricata/dist/capture-filter.bpf new file mode 100644 index 00000000..e2c35df5 --- /dev/null +++ b/docker/suricata/dist/capture-filter.bpf @@ -0,0 +1,3 @@ +not (host sicherheitstacho.eu or community.sicherheitstacho.eu) and +not (host archive.ubuntu.com or security.ubuntu.com) and +not (host index.docker.io or docker.io) diff --git a/docker/suricata/dist/suricata.yaml b/docker/suricata/dist/suricata.yaml new file mode 100644 index 00000000..d05d99ff --- /dev/null +++ b/docker/suricata/dist/suricata.yaml @@ -0,0 +1,1724 @@ +%YAML 1.1 +--- + +# Suricata configuration file. In addition to the comments describing all +# options in this file, full documentation can be found at: +# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml + +## +## Step 1: inform Suricata about your network +## + +vars: + # more specifc is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + #EXTERNAL_NET: "!$HOME_NET" + EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80,8080,8081" + SHELLCODE_PORTS: "!80,!8080,!8081" + ORACLE_PORTS: "1433,1521,3306" + SSH_PORTS: "22,64295" + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + + +## +## Step 2: select the rules to enable or disable +## + +default-rule-path: /etc/suricata/rules +rule-files: + - botcc.rules + - botcc.portgrouped.rules + - ciarmy.rules + - compromised.rules + - drop.rules + - dshield.rules + - emerging-activex.rules + - emerging-attack_response.rules + - emerging-chat.rules + - emerging-current_events.rules + - emerging-dns.rules + - emerging-dos.rules + - emerging-exploit.rules + - emerging-ftp.rules + - emerging-games.rules + - emerging-icmp_info.rules + - emerging-icmp.rules + - emerging-imap.rules + - emerging-inappropriate.rules + - emerging-info.rules + - emerging-malware.rules + - emerging-misc.rules + - emerging-mobile_malware.rules + - emerging-netbios.rules + - emerging-p2p.rules + - emerging-policy.rules + - emerging-pop3.rules + - emerging-rpc.rules + - emerging-scada.rules +# - emerging-scada_special.rules + - emerging-scan.rules + - emerging-shellcode.rules + - emerging-smtp.rules + - emerging-snmp.rules + - emerging-sql.rules + - emerging-telnet.rules + - emerging-tftp.rules + - emerging-trojan.rules + - emerging-user_agents.rules + - emerging-voip.rules + - emerging-web_client.rules + - emerging-web_server.rules + - emerging-web_specific_apps.rules + - emerging-worm.rules + - tor.rules + - decoder-events.rules # available in suricata sources under rules dir + - stream-events.rules # available in suricata sources under rules dir + - http-events.rules # available in suricata sources under rules dir + - smtp-events.rules # available in suricata sources under rules dir + - dns-events.rules # available in suricata sources under rules dir + - tls-events.rules # available in suricata sources under rules dir + - modbus-events.rules # available in suricata sources under rules dir + - app-layer-events.rules # available in suricata sources under rules dir + - dnp3-events.rules # available in suricata sources under rules dir + +classification-file: /etc/suricata/rules/classification.config +reference-config-file: /etc/suricata/rules/reference.config +# threshold-file: /etc/suricata/threshold.config + + +## +## Step 3: select outputs to enable +## + +# The default logging directory. Any log or output file will be +# placed here if its not specified with a full path name. This can be +# overridden with the -l command line parameter. +default-log-dir: /var/log/suricata/ + +# global stats configuration +stats: + enabled: no + # The interval field (in seconds) controls at what interval + # the loggers are invoked. + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + # a line based alerts log similar to Snort's fast.log + - fast: + enabled: no + filename: fast.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # mode: list ## possible values: list (default), channel + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + types: + - alert: + # payload: yes # enable dumping payload in Base64 + payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + http: yes # enable dumping of http fields + tls: yes # enable dumping of tls fields + ssh: yes # enable dumping of ssh fields + smtp: yes # enable dumping of smtp fields + dnp3: yes # enable dumping of DNP3 fields + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: yes + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + custom: [Accept-Encoding, Accept-Language, Authorization, Forwarded, From, Referer, Via] + - dns: + # control logging of queries and answers + # default yes, no to disable + query: yes # enable logging of DNS queries + answer: no # enable logging of DNS answers + # control which RR types are logged + # all enabled if custom not specified + #custom: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + - files: + force-magic: yes # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + custom: [reply-to, bcc, message-id, subject, x-mailer, user-agent, received, x-originating-ip, in-reply-to, references, organization, date] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + md5: [body, subject] + + - ssh + #- stats: + # totals: no # stats for all threads merged together + # threads: no # per thread stats + # deltas: no # include delta values + # bi-directional flows + #- flow + # uni-directional flows + #- netflow + #- dnp3 + + # alert output for use with Barnyard2 + - unified2-alert: + enabled: no + filename: unified2.alert + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + #limit: 32mb + + # Sensor ID field of unified2 alerts. + #sensor-id: 0 + + # Include payload of packets related to alerts. Defaults to true, set to + # false if payload is not required. + #payload: yes + + # HTTP X-Forwarded-For support by adding the unified2 extra header or + # overwriting the source or destination IP address (depending on flow + # direction) with the one reported in the X-Forwarded-For HTTP header. + # This is helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". Note + # that in the "overwrite" mode, if the reported IP address in the HTTP + # X-Forwarded-For header is of a different version of the packet + # received, it will fall-back to "extra-data" mode. + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + # a line based log of HTTP requests (no alerts) + - http-log: + enabled: no + filename: http.log + append: yes + #extended: yes # enable this for extended logging information + #custom: yes # enabled the custom logging format (defined by customformat) + #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # a line based log of TLS handshake parameters (no alerts) + - tls-log: + enabled: no # Log TLS connections. + filename: tls.log # File to store TLS logs. + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + #extended: yes # Log extended information like fingerprint + + # output module to store certificates chain to disk + - tls-store: + enabled: no + #certs-log-dir: certs # directory to store the certificates files + + # a line based log of DNS requests and/or replies (no alerts) + - dns-log: + enabled: no + filename: dns.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Packet log... log packets in pcap format. 3 modes of operation: "normal" + # "multi" and "sguil". + # + # In normal mode a pcap file "filename" is created in the default-log-dir, + # or are as specified by "dir". + # In multi mode, a file is created per thread. This will perform much + # better, but will create multiple files where 'normal' would create one. + # In multi mode the filename takes a few special variables: + # - %n -- thread number + # - %i -- thread id + # - %t -- timestamp (secs or secs.usecs based on 'ts-format' + # E.g. filename: pcap.%n.%t + # + # Note that it's possible to use directories, but the directories are not + # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the + # per thread directory. + # + # Also note that the limit and max-files settings are enforced per thread. + # So the size limit when using 8 threads with 1000mb files and 2000 files + # is: 8*1000*2000 ~ 16TiB. + # + # In Sguil mode "dir" indicates the base directory. In this base dir the + # pcaps are created in th directory structure Sguil expects: + # + # $sguil-base-dir/YYYY-MM-DD/$filename. + # + # By default all packets are logged except: + # - TCP streams beyond stream.reassembly.depth + # - encrypted streams after the key exchange + # + - pcap-log: + enabled: no + filename: log.pcap + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + limit: 1000mb + + # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" + max-files: 2000 + + mode: normal # normal, multi or sguil. + + # Directory to place pcap files. If not provided the default log + # directory will be used. Required for "sguil" mode. + #dir: /nsm_data/ + + #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec + use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets + honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged. + + # a full alerts log containing much information for signature writers + # or for investigating suspected false positives. + - alert-debug: + enabled: no + filename: alert-debug.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # alert output to prelude (http://www.prelude-technologies.com/) only + # available if Suricata has been compiled with --enable-prelude + - alert-prelude: + enabled: no + profile: suricata + log-packet-content: no + log-packet-header: yes + + # Stats.log contains data from various counters of the suricata engine. + - stats: + enabled: no + filename: stats.log + totals: yes # stats for all threads merged together + threads: no # per thread stats + #null-values: yes # print counters that have value 0 + + # a line based alerts log similar to fast.log into syslog + - syslog: + enabled: no + # reported identity to syslog. If ommited the program name (usually + # suricata) will be used. + #identity: "suricata" + facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + + # a line based information for dropped packets in IPS mode + - drop: + enabled: no + filename: drop.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # output module to store extracted files to disk + # + # The files are stored to the log-dir in a format "file." where is + # an incrementing number starting at 1. For each file "file." a meta + # file "file..meta" is created. + # + # File extraction depends on a lot of things to be fully done: + # - file-store stream-depth. For optimal results, set this to 0 (unlimited) + # - http request / response body sizes. Again set to 0 for optimal results. + # - rules that contain the "filestore" keyword. + - file-store: + enabled: no # set to yes to enable + log-dir: files # directory to store the files + force-magic: no # force logging magic on all stored files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + force-filestore: no # force storing of all files + # override global stream-depth for sessions in which we want to + # perform file extraction. Set to 0 for unlimited. + #stream-depth: 0 + #waldo: file.waldo # waldo file to store the file_id across runs + + # output module to log files tracked in a easily parsable json format + - file-log: + enabled: no + filename: files-json.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + + # Log TCP data after stream normalization + # 2 types: file or dir. File logs into a single logfile. Dir creates + # 2 files per TCP session and stores the raw TCP data into them. + # Using 'both' will enable both file and dir modes. + # + # Note: limited by stream.depth + - tcp-data: + enabled: no + type: file + filename: tcp-data.log + + # Log HTTP body data after normalization, dechunking and unzipping. + # 2 types: file or dir. File logs into a single logfile. Dir creates + # 2 files per HTTP session and stores the normalized data into them. + # Using 'both' will enable both file and dir modes. + # + # Note: limited by the body limit settings + - http-body-data: + enabled: no + type: file + filename: http-data.log + + # Lua Output Support - execute lua script to generate alert and event + # output. + # Documented at: + # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output + - lua: + enabled: no + #scripts-dir: /etc/suricata/lua-output/ + scripts: + # - script1.lua + +# Logging configuration. This is not about logging IDS alerts/events, but +# output about what Suricata is doing, like startup messages, errors, etc. +logging: + # The default log level, can be overridden in an output section. + # Note that debug level logging will only be emitted if Suricata was + # compiled with the --enable-debug configure option. + # + # This value is overriden by the SC_LOG_LEVEL env var. + default-log-level: notice + + # The default output format. Optional parameter, should default to + # something reasonable if not provided. Can be overriden in an + # output section. You can leave this out to get the default. + # + # This value is overriden by the SC_LOG_FORMAT env var. + #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " + + # A regex to filter output. Can be overridden in an output section. + # Defaults to empty (no filter). + # + # This value is overriden by the SC_LOG_OP_FILTER env var. + default-output-filter: + + # Define your logging outputs. If none are defined, or they are all + # disabled you will get the default - console output. + outputs: + - console: + enabled: yes + # type: json + - file: + enabled: yes + level: info + filename: /var/log/suricata/suricata.log + # type: json + - syslog: + enabled: no + facility: local5 + format: "[%i] <%d> -- " + # type: json + + +## +## Step 4: configure common capture settings +## +## See "Advanced Capture Options" below for more options, including NETMAP +## and PF_RING. +##" + +# Linux high speed capture support +af-packet: + - interface: eth0 + # Number of receive threads. "auto" uses the number of cores + #threads: auto + # Default clusterid. AF_PACKET will load balance packets based on flow. + cluster-id: 99 + # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. + # This is only supported for Linux kernel > 3.1 + # possible value are: + # * cluster_round_robin: round robin load balancing + # * cluster_flow: all packets of a given flow are send to the same socket + # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket + # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same + # socket. Requires at least Linux 3.14. + # * cluster_random: packets are sent randomly to sockets but with an equipartition. + # Requires at least Linux 3.14. + # * cluster_rollover: kernel rotates between sockets filling each socket before moving + # to the next. Requires at least Linux 3.10. + # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system + # with capture card using RSS (require cpu affinity tuning and system irq tuning) + cluster-type: cluster_flow + # In some fragmentation case, the hash can not be computed. If "defrag" is set + # to yes, the kernel will do the needed defragmentation before sending the packets. + defrag: yes + # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is + # full then kernel will send the packet on the next socket with room available. This option + # can minimize packet drop and increase the treated bandwidth on single intensive flow. + #rollover: yes + # To use the ring feature of AF_PACKET, set 'use-mmap' to yes + #use-mmap: yes + # Lock memory map to avoid it goes to swap. Be careful that over suscribing could lock + # your system + #mmap-locked: yes + # Use experimental tpacket_v3 capture mode, only active if use-mmap is true + #tpacket-v3: yes + # Ring size will be computed with respect to max_pending_packets and number + # of threads. You can set manually the ring size in number of packets by setting + # the following value. If you are using flow cluster-type and have really network + # intensive single-flow you could want to set the ring-size independently of the number + # of threads: + #ring-size: 2048 + # Block size is used by tpacket_v3 only. It should set to a value high enough to contain + # a decent number of packets. Size is in bytes so please consider your MTU. It should be + # a power of 2 and it must be multiple of page size (usually 4096). + #block-size: 32768 + # tpacket_v3 block timeout: an open block is passed to userspace if it is not + # filled after block-timeout milliseconds. + #block-timeout: 10 + # On busy system, this could help to set it to yes to recover from a packet drop + # phase. This will result in some packets (at max a ring flush) being non treated. + #use-emergency-flush: yes + # recv buffer size, increase value could improve performance + # buffer-size: 32768 + # Set to yes to disable promiscuous mode + # disable-promisc: no + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - kernel: use indication sent by kernel for each packet (default) + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: kernel + # BPF filter to apply to this interface. The pcap filter syntax apply here. + #bpf-filter: port 80 or udp + # You can use the following variables to activate AF_PACKET tap or IPS mode. + # If copy-mode is set to ips or tap, the traffic coming to the current + # interface will be copied to the copy-iface interface. If 'tap' is set, the + # copy is complete. If 'ips' is set, the packet matching a 'drop' action + # will not be copied. + #copy-mode: ips + #copy-iface: eth1 + + # Put default values here. These will be used for an interface that is not + # in the list above. + - interface: default + #threads: auto + #use-mmap: no + #rollover: yes + #tpacket-v3: yes + +# Cross platform libpcap capture support +pcap: + - interface: eth0 + # On Linux, pcap will try to use mmaped capture and will use buffer-size + # as total of memory used by the ring. So set this to something bigger + # than 1% of your bandwidth. + #buffer-size: 16777216 + #bpf-filter: "tcp and port 25" + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # With some accelerator cards using a modified libpcap (like myricom), you + # may want to have the same number of capture threads as the number of capture + # rings. In this case, set up the threads variable to N to start N threads + # listening on the same interface. + #threads: 16 + # set to no to disable promiscuous mode: + #promisc: no + # set snaplen, if not set it defaults to MTU if MTU can be known + # via ioctl call and to full capture if not. + #snaplen: 1518 + # Put default values here + - interface: default + #checksum-checks: auto + +# Settings for reading pcap files +pcap-file: + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have checksum tested + checksum-checks: auto + +# See "Advanced Capture Options" below for more options, including NETMAP +# and PF_RING. + + +## +## Step 5: App Layer Protocol Configuration +## + +# Configure the app-layer parsers. The protocols section details each +# protocol. +# +# The option "enabled" takes 3 values - "yes", "no", "detection-only". +# "yes" enables both detection and the parser, "no" disables both, and +# "detection-only" enables protocol detection only (parser disabled). +app-layer: + protocols: + tls: + enabled: yes + detection-ports: + dp: "443,64297" + + # Completely stop processing TLS/SSL session after the handshake + # completed. If bypass is enabled this will also trigger flow + # bypass. If disabled (the default), TLS/SSL session is still + # tracked for Heartbleed and other anomalies. + #no-reassemble: yes + dcerpc: + enabled: yes + ftp: + enabled: yes + ssh: + enabled: yes + smtp: + enabled: yes + # Configure SMTP-MIME Decoder + mime: + # Decode MIME messages from SMTP transactions + # (may be resource intensive) + # This field supercedes all others because it turns the entire + # process on or off + decode-mime: yes + + # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) + decode-base64: yes + decode-quoted-printable: yes + + # Maximum bytes per header data value stored in the data structure + # (default is 2000) + header-value-depth: 2000 + + # Extract URLs and save in state data structure + extract-urls: yes + # Set to yes to compute the md5 of the mail body. You will then + # be able to journalize it. + body-md5: yes + # Configure inspected-tracker for file_data keyword + inspected-tracker: + content-limit: 100000 + content-inspect-min-size: 32768 + content-inspect-window: 4096 + imap: + enabled: detection-only + msn: + enabled: detection-only + smb: + enabled: yes + detection-ports: + dp: "137, 138, 139, 445" + # smb2 detection is disabled internally inside the engine. + #smb2: + # enabled: yes + dns: + # memcaps. Globally and per flow/state. + #global-memcap: 16mb + #state-memcap: 512kb + + # How many unreplied DNS requests are considered a flood. + # If the limit is reached, app-layer-event:dns.flooded; will match. + request-flood: 500 + + tcp: + enabled: yes + detection-ports: + dp: 53 + udp: + enabled: yes + detection-ports: + dp: 53 + http: + enabled: yes + # memcap: 64mb + + # default-config: Used when no server-config matches + # personality: List of personalities used by default + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # double-decode-path: Double decode path section of the URI + # double-decode-query: Double decode query section of the URI + # response-body-decompress-layer-limit: + # Limit to how many layers of compression will be + # decompressed. Defaults to 2. + # + # server-config: List of server configurations to use if address matches + # address: List of ip addresses or networks for this block + # personalitiy: List of personalities used by this block + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # double-decode-path: Double decode path section of the URI + # double-decode-query: Double decode query section of the URI + # + # uri-include-all: Include all parts of the URI. By default the + # 'scheme', username/password, hostname and port + # are excluded. Setting this option to true adds + # all of them to the normalized uri as inspected + # by http_uri, urilen, pcre with /U and the other + # keywords that inspect the normalized uri. + # Note that this does not affect http_raw_uri. + # Also, note that including all was the default in + # 1.4 and 2.0beta1. + # + # meta-field-limit: Hard size limit for request and response size + # limits. Applies to request line and headers, + # response line and headers. Does not apply to + # request or response bodies. Default is 18k. + # If this limit is reached an event is raised. + # + # Currently Available Personalities: + # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, + # IIS_7_0, IIS_7_5, Apache_2 + libhtp: + default-config: + personality: IDS + + # Can be specified in kb, mb, gb. Just a number indicates + # it's in bytes. + request-body-limit: 100kb + response-body-limit: 100kb + + # inspection limits + request-body-minimal-inspect-size: 32kb + request-body-inspect-window: 4kb + response-body-minimal-inspect-size: 40kb + response-body-inspect-window: 16kb + + # response body decompression (0 disables) + response-body-decompress-layer-limit: 2 + + # auto will use http-body-inline mode in IPS mode, yes or no set it statically + http-body-inline: auto + + # Take a random value for inspection sizes around the specified value. + # This lower the risk of some evasion technics but could lead + # detection change between runs. It is set to 'yes' by default. + #randomize-inspection-sizes: yes + # If randomize-inspection-sizes is active, the value of various + # inspection size will be choosen in the [1 - range%, 1 + range%] + # range + # Default value of randomize-inspection-range is 10. + #randomize-inspection-range: 10 + + # decoding + double-decode-path: no + double-decode-query: no + + server-config: + + #- apache: + # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] + # personality: Apache_2 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + #- iis7: + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # personality: IIS_7_0 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + # Note: Modbus probe parser is minimalist due to the poor significant field + # Only Modbus message length (greater than Modbus header length) + # And Protocol ID (equal to 0) are checked in probing parser + # It is important to enable detection port and define Modbus port + # to avoid false positive + modbus: + # How many unreplied Modbus requests are considered a flood. + # If the limit is reached, app-layer-event:modbus.flooded; will match. + #request-flood: 500 + + enabled: yes + detection-ports: + dp: 502 + # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it + # is recommended to keep the TCP connection opened with a remote device + # and not to open and close it for each MODBUS/TCP transaction. In that + # case, it is important to set the depth of the stream reassembling as + # unlimited (stream.reassembly.depth: 0) + + # Stream reassembly size for modbus. By default track it completely. + stream-depth: 0 + + # DNP3 + dnp3: + enabled: yes + detection-ports: + dp: 20000 + + # SCADA EtherNet/IP and CIP protocol support + enip: + enabled: yes + detection-ports: + dp: 44818 + sp: 44818 + +# Limit for the maximum number of asn1 frames to decode (default 256) +asn1-max-frames: 256 + + +############################################################################## +## +## Advanced settings below +## +############################################################################## + +## +## Run Options +## + +# Run suricata as user and group. +run-as: + user: suri + group: suri + +# Some logging module will use that name in event as identifier. The default +# value is the hostname +#sensor-name: suricata + +# Default pid file. +# Will use this file if no --pidfile in command options. +#pid-file: /var/run/suricata.pid + +# Daemon working directory +# Suricata will change directory to this one if provided +# Default: "/" +#daemon-directory: "/" + +# Suricata core dump configuration. Limits the size of the core dump file to +# approximately max-dump. The actual core dump size will be a multiple of the +# page size. Core dumps that would be larger than max-dump are truncated. On +# Linux, the actual core dump size may be a few pages larger than max-dump. +# Setting max-dump to 0 disables core dumping. +# Setting max-dump to 'unlimited' will give the full core dump file. +# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size +# to be 'unlimited'. + +coredump: + max-dump: unlimited + +# If suricata box is a router for the sniffed networks, set it to 'router'. If +# it is a pure sniffing setup, set it to 'sniffer-only'. +# If set to auto, the variable is internally switch to 'router' in IPS mode +# and 'sniffer-only' in IDS mode. +# This feature is currently only used by the reject* keywords. +host-mode: auto + +# Number of packets preallocated per thread. The default is 1024. A higher number +# will make sure each CPU will be more easily kept busy, but may negatively +# impact caching. +# +# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules +# apply. In that case try something like 60000 or more. This is because the CUDA +# pattern matcher buffers and scans as many packets as possible in parallel. +#max-pending-packets: 1024 + +# Runmode the engine should use. Please check --list-runmodes to get the available +# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned +# load balancing). +#runmode: autofp + +# Specifies the kind of flow load balancer used by the flow pinned autofp mode. +# +# Supported schedulers are: +# +# round-robin - Flows assigned to threads in a round robin fashion. +# active-packets - Flows assigned to threads that have the lowest number of +# unprocessed packets (default). +# hash - Flow alloted usihng the address hash. More of a random +# technique. Was the default in Suricata 1.2.1 and older. +# +#autofp-scheduler: active-packets + +# Preallocated size for packet. Default is 1514 which is the classical +# size for pcap on ethernet. You should adjust this value to the highest +# packet size (MTU + hardware header) on your system. +#default-packet-size: 1514 + +# Unix command socket can be used to pass commands to suricata. +# An external tool can then connect to get information from suricata +# or trigger some modifications of the engine. Set enabled to yes +# to activate the feature. In auto mode, the feature will only be +# activated in live capture mode. You can use the filename variable to set +# the file name of the socket. +unix-command: + enabled: no + #filename: custom.socket + +# Magic file. The extension .mgc is added to the value here. +#magic-file: /usr/share/file/magic +magic-file: /usr/share/misc/magic.mgc + +legacy: + uricontent: enabled + +## +## Detection settings +## + +# Set the order of alerts bassed on actions +# The default order is pass, drop, reject, alert +# action-order: +# - pass +# - drop +# - reject +# - alert + +# IP Reputation +#reputation-categories-file: /etc/suricata/iprep/categories.txt +#default-reputation-path: /etc/suricata/iprep +#reputation-files: +# - reputation.list + +# When run with the option --engine-analysis, the engine will read each of +# the parameters below, and print reports for each of the enabled sections +# and exit. The reports are printed to a file in the default log dir +# given by the parameter "default-log-dir", with engine reporting +# subsection below printing reports in its own report file. +engine-analysis: + # enables printing reports for fast-pattern for every rule. + rules-fast-pattern: yes + # enables printing reports for each rule + rules: yes + +#recursion and match limits for PCRE where supported +pcre: + match-limit: 3500 + match-limit-recursion: 1500 + +## +## Advanced Traffic Tracking and Reconstruction Settings +## + +# Host specific policies for defragmentation and TCP stream +# reassembly. The host OS lookup is done using a radix tree, just +# like a routing table so the most specific entry matches. +host-os-policy: + # Make the default policy windows. + windows: [0.0.0.0/0] + bsd: [] + bsd-right: [] + old-linux: [] + linux: [] + old-solaris: [] + solaris: [] + hpux10: [] + hpux11: [] + irix: [] + macos: [] + vista: [] + windows2k3: [] + +# Defrag settings: + +defrag: + memcap: 32mb + hash-size: 65536 + trackers: 65535 # number of defragmented flows to follow + max-frags: 65535 # number of fragments to keep (higher than trackers) + prealloc: yes + timeout: 60 + +# Enable defrag per host settings +# host-config: +# +# - dmz: +# timeout: 30 +# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] +# +# - lan: +# timeout: 45 +# address: +# - 192.168.0.0/24 +# - 192.168.10.0/24 +# - 172.16.14.0/24 + +# Flow settings: +# By default, the reserved memory (memcap) for flows is 32MB. This is the limit +# for flow allocation inside the engine. You can change this value to allow +# more memory usage for flows. +# The hash-size determine the size of the hash used to identify flows inside +# the engine, and by default the value is 65536. +# At the startup, the engine can preallocate a number of flows, to get a better +# performance. The number of flows preallocated is 10000 by default. +# emergency-recovery is the percentage of flows that the engine need to +# prune before unsetting the emergency state. The emergency state is activated +# when the memcap limit is reached, allowing to create new flows, but +# prunning them with the emergency timeouts (they are defined below). +# If the memcap is reached, the engine will try to prune flows +# with the default timeouts. If it doens't find a flow to prune, it will set +# the emergency bit and it will try again with more agressive timeouts. +# If that doesn't work, then it will try to kill the last time seen flows +# not in use. +# The memcap can be specified in kb, mb, gb. Just a number indicates it's +# in bytes. + +flow: + memcap: 128mb + hash-size: 65536 + prealloc: 10000 + emergency-recovery: 30 + #managers: 1 # default to one flow manager + #recyclers: 1 # default to one flow recycler thread + +# This option controls the use of vlan ids in the flow (and defrag) +# hashing. Normally this should be enabled, but in some (broken) +# setups where both sides of a flow are not tagged with the same vlan +# tag, we can ignore the vlan id's in the flow hashing. +vlan: + use-for-tracking: true + +# Specific timeouts for flows. Here you can specify the timeouts that the +# active flows will wait to transit from the current state to another, on each +# protocol. The value of "new" determine the seconds to wait after a hanshake or +# stream startup before the engine free the data of that flow it doesn't +# change the state to established (usually if we don't receive more packets +# of that flow). The value of "established" is the amount of +# seconds that the engine will wait to free the flow if it spend that amount +# without receiving new packets or closing the connection. "closed" is the +# amount of time to wait after a flow is closed (usually zero). "bypassed" +# timeout controls locally bypassed flows. For these flows we don't do any other +# tracking. If no packets have been seen after this timeout, the flow is discarded. +# +# There's an emergency mode that will become active under attack circumstances, +# making the engine to check flow status faster. This configuration variables +# use the prefix "emergency-" and work similar as the normal ones. +# Some timeouts doesn't apply to all the protocols, like "closed", for udp and +# icmp. + +flow-timeouts: + + default: + new: 30 + established: 300 + closed: 0 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-closed: 0 + emergency-bypassed: 50 + tcp: + new: 60 + established: 600 + closed: 60 + bypassed: 100 + emergency-new: 5 + emergency-established: 100 + emergency-closed: 10 + emergency-bypassed: 50 + udp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + icmp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + +# Stream engine settings. Here the TCP stream tracking and reassembly +# engine is configured. +# +# stream: +# memcap: 32mb # Can be specified in kb, mb, gb. Just a +# # number indicates it's in bytes. +# checksum-validation: yes # To validate the checksum of received +# # packet. If csum validation is specified as +# # "yes", then packet with invalid csum will not +# # be processed by the engine stream/app layer. +# # Warning: locally generated trafic can be +# # generated without checksum due to hardware offload +# # of checksum. You can control the handling of checksum +# # on a per-interface basis via the 'checksum-checks' +# # option +# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread +# midstream: false # don't allow midstream session pickups +# async-oneside: false # don't enable async stream handling +# inline: no # stream inline mode +# max-synack-queued: 5 # Max different SYN/ACKs to queue +# bypass: no # Bypass packets when stream.depth is reached +# +# reassembly: +# memcap: 64mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. +# depth: 1mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. +# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. Can be specified in kb, mb, +# # gb. Just a number indicates it's in bytes. +# # The max acceptable size is 4024 bytes. +# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. Can be specified in kb, mb, +# # gb. Just a number indicates it's in bytes. +# # The max acceptable size is 4024 bytes. +# randomize-chunk-size: yes # Take a random value for chunk size around the specified value. +# # This lower the risk of some evasion technics but could lead +# # detection change between runs. It is set to 'yes' by default. +# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is +# # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size +# # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same +# # calculation for toclient-chunk-size. +# # Default value of randomize-chunk-range is 10. +# +# raw: yes # 'Raw' reassembly enabled or disabled. +# # raw is for content inspection by detection +# # engine. +# +# chunk-prealloc: 250 # Number of preallocated stream chunks. These +# # are used during stream inspection (raw). +# segments: # Settings for reassembly segment pool. +# - size: 4 # Size of the (data)segment for a pool +# prealloc: 256 # Number of segments to prealloc and keep +# # in the pool. +# zero-copy-size: 128 # This option sets in bytes the value at +# # which segment data is passed to the app +# # layer API directly. Data sizes equal to +# # and higher than the value set are passed +# # on directly. +# +stream: + memcap: 64mb + checksum-validation: yes # reject wrong csums + inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + reassembly: + memcap: 256mb + depth: 1mb # reassemble 1mb into a stream + toserver-chunk-size: 2560 + toclient-chunk-size: 2560 + randomize-chunk-size: yes + #randomize-chunk-range: 10 + #raw: yes + #chunk-prealloc: 250 + #segments: + # - size: 4 + # prealloc: 256 + # - size: 16 + # prealloc: 512 + # - size: 112 + # prealloc: 512 + # - size: 248 + # prealloc: 512 + # - size: 512 + # prealloc: 512 + # - size: 768 + # prealloc: 1024 + # 'from_mtu' means that the size is mtu - 40, + # or 1460 if mtu couldn't be determined. + # - size: from_mtu + # prealloc: 1024 + # - size: 65535 + # prealloc: 128 + #zero-copy-size: 128 + +# Host table: +# +# Host table is used by tagging and per host thresholding subsystems. +# +host: + hash-size: 4096 + prealloc: 1000 + memcap: 32mb + +# IP Pair table: +# +# Used by xbits 'ippair' tracking. +# +#ippair: +# hash-size: 4096 +# prealloc: 1000 +# memcap: 32mb + + +## +## Performance tuning and profiling +## + +# The detection engine builds internal groups of signatures. The engine +# allow us to specify the profile to use for them, to manage memory on an +# efficient way keeping a good performance. For the profile keyword you +# can use the words "low", "medium", "high" or "custom". If you use custom +# make sure to define the values at "- custom-values" as your convenience. +# Usually you would prefer medium/high/low. +# +# "sgh mpm-context", indicates how the staging should allot mpm contexts for +# the signature groups. "single" indicates the use of a single context for +# all the signature group heads. "full" indicates a mpm-context for each +# group head. "auto" lets the engine decide the distribution of contexts +# based on the information the engine gathers on the patterns from each +# group head. +# +# The option inspection-recursion-limit is used to limit the recursive calls +# in the content inspection code. For certain payload-sig combinations, we +# might end up taking too much time in the content inspection code. +# If the argument specified is 0, the engine uses an internally defined +# default limit. On not specifying a value, we use no limits on the recursion. +detect: + profile: medium + custom-values: + toclient-groups: 3 + toserver-groups: 25 + sgh-mpm-context: auto + inspection-recursion-limit: 3000 + # If set to yes, the loading of signatures will be made after the capture + # is started. This will limit the downtime in IPS mode. + #delayed-detect: yes + + prefilter: + # default prefiltering setting. "mpm" only creates MPM/fast_pattern + # engines. "auto" also sets up prefilter engines for other keywords. + # Use --list-keywords=all to see which keywords support prefiltering. + default: mpm + + # the grouping values above control how many groups are created per + # direction. Port whitelisting forces that port to get it's own group. + # Very common ports will benefit, as well as ports with many expensive + # rules. + grouping: + #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 + #udp-whitelist: 53, 135, 5060 + + profiling: + # Log the rules that made it past the prefilter stage, per packet + # default is off. The threshold setting determines how many rules + # must have made it past pre-filter for that rule to trigger the + # logging. + #inspect-logging-threshold: 200 + grouping: + dump-to-disk: false + include-rules: false # very verbose + include-mpm-stats: false + +# Select the multi pattern algorithm you want to run for scan/search the +# in the engine. +# +# The supported algorithms are: +# "ac" - Aho-Corasick, default implementation +# "ac-bs" - Aho-Corasick, reduced memory implementation +# "ac-cuda" - Aho-Corasick, CUDA implementation +# "ac-ks" - Aho-Corasick, "Ken Steele" variant +# "hs" - Hyperscan, available when built with Hyperscan support +# +# The default mpm-algo value of "auto" will use "hs" if Hyperscan is +# available, "ac" otherwise. +# +# The mpm you choose also decides the distribution of mpm contexts for +# signature groups, specified by the conf - "detect.sgh-mpm-context". +# Selecting "ac" as the mpm would require "detect.sgh-mpm-context" +# to be set to "single", because of ac's memory requirements, unless the +# ruleset is small enough to fit in one's memory, in which case one can +# use "full" with "ac". Rest of the mpms can be run in "full" mode. +# +# There is also a CUDA pattern matcher (only available if Suricata was +# compiled with --enable-cuda: b2g_cuda. Make sure to update your +# max-pending-packets setting above as well if you use b2g_cuda. + +mpm-algo: auto + +# Select the matching algorithm you want to use for single-pattern searches. +# +# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only +# available if Suricata has been built with Hyperscan support). +# +# The default of "auto" will use "hs" if available, otherwise "bm". + +spm-algo: auto + +# Suricata is multi-threaded. Here the threading can be influenced. +threading: + set-cpu-affinity: no + # Tune cpu affinity of threads. Each family of threads can be bound + # on specific CPUs. + # + # These 2 apply to the all runmodes: + # management-cpu-set is used for flow timeout handling, counters + # worker-cpu-set is used for 'worker' threads + # + # Additionally, for autofp these apply: + # receive-cpu-set is used for capture threads + # verdict-cpu-set is used for IPS verdict threads + # + cpu-affinity: + - management-cpu-set: + cpu: [ 0 ] # include only these cpus in affinity settings + - receive-cpu-set: + cpu: [ 0 ] # include only these cpus in affinity settings + - worker-cpu-set: + cpu: [ "all" ] + mode: "exclusive" + # Use explicitely 3 threads and don't compute number by using + # detect-thread-ratio variable: + # threads: 3 + prio: + low: [ 0 ] + medium: [ "1-2" ] + high: [ 3 ] + default: "medium" + #- verdict-cpu-set: + # cpu: [ 0 ] + # prio: + # default: "high" + # + # By default Suricata creates one "detect" thread per available CPU/CPU core. + # This setting allows controlling this behaviour. A ratio setting of 2 will + # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this + # will result in 4 detect threads. If values below 1 are used, less threads + # are created. So on a dual core CPU a setting of 0.5 results in 1 detect + # thread being created. Regardless of the setting at a minimum 1 detect + # thread will always be created. + # + detect-thread-ratio: 1.0 + +# Luajit has a strange memory requirement, it's 'states' need to be in the +# first 2G of the process' memory. +# +# 'luajit.states' is used to control how many states are preallocated. +# State use: per detect script: 1 per detect thread. Per output script: 1 per +# script. +luajit: + states: 128 + +# Profiling settings. Only effective if Suricata has been built with the +# the --enable-profiling configure flag. +# +profiling: + # Run profiling for every xth packet. The default is 1, which means we + # profile every packet. If set to 1000, one packet is profiled for every + # 1000 received. + #sample-rate: 1000 + + # rule profiling + rules: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: rule_perf.log + append: yes + + # Sort options: ticks, avgticks, checks, matches, maxticks + sort: avgticks + + # Limit the number of items printed at exit (ignored for json). + limit: 100 + + # output to json + json: yes + + # per keyword profiling + keywords: + enabled: yes + filename: keyword_perf.log + append: yes + + # per rulegroup profiling + rulegroups: + enabled: yes + filename: rule_group_perf.log + append: yes + + # packet profiling + packets: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: packet_stats.log + append: yes + + # per packet csv output + csv: + + # Output can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: no + filename: packet_stats.csv + + # profiling of locking. Only available when Suricata was built with + # --enable-profiling-locks. + locks: + enabled: no + filename: lock_stats.log + append: yes + + pcap-log: + enabled: no + filename: pcaplog_stats.log + append: yes + +## +## Netfilter integration +## + +# When running in NFQ inline mode, it is possible to use a simulated +# non-terminal NFQUEUE verdict. +# This permit to do send all needed packet to suricata via this a rule: +# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE +# And below, you can have your standard filtering ruleset. To activate +# this mode, you need to set mode to 'repeat' +# If you want packet to be sent to another queue after an ACCEPT decision +# set mode to 'route' and set next-queue value. +# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance +# by processing several packets before sending a verdict (worker runmode only). +# On linux >= 3.6, you can set the fail-open option to yes to have the kernel +# accept the packet if suricata is not able to keep pace. +# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is +# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask +# on packet of a flow that need to be bypassed. The Nefilter ruleset has to +# directly accept all packets of a flow once a packet has been marked. +nfq: +# mode: accept +# repeat-mark: 1 +# repeat-mask: 1 +# bypass-mark: 1 +# bypass-mask: 1 +# route-queue: 2 +# batchcount: 20 +# fail-open: yes + +#nflog support +nflog: + # netlink multicast group + # (the same as the iptables --nflog-group param) + # Group 0 is used by the kernel, so you can't use it + - group: 2 + # netlink buffer size + buffer-size: 18432 + # put default value here + - group: default + # set number of packet to queue inside kernel + qthreshold: 1 + # set the delay before flushing packet in the queue inside kernel + qtimeout: 100 + # netlink max buffer size + max-size: 20000 + +## +## Advanced Capture Options +## + +# general settings affecting packet capture +capture: + # disable NIC offloading. It's restored when Suricata exists. + # Enabled by default + #disable-offloading: false + # + # disable checksum validation. Same as setting '-k none' on the + # commandline + #checksum-validation: none + +# Netmap support +# +# Netmap operates with NIC directly in driver, so you need FreeBSD wich have +# built-in netmap support or compile and install netmap module and appropriate +# NIC driver on your Linux system. +# To reach maximum throughput disable all receive-, segmentation-, +# checksum- offloadings on NIC. +# Disabling Tx checksum offloading is *required* for connecting OS endpoint +# with NIC endpoint. +# You can find more information at https://github.com/luigirizzo/netmap +# +netmap: + # To specify OS endpoint add plus sign at the end (e.g. "eth0+") + - interface: eth2 + # Number of receive threads. "auto" uses number of RSS queues on interface. + #threads: auto + # You can use the following variables to activate netmap tap or IPS mode. + # If copy-mode is set to ips or tap, the traffic coming to the current + # interface will be copied to the copy-iface interface. If 'tap' is set, the + # copy is complete. If 'ips' is set, the packet matching a 'drop' action + # will not be copied. + # To specify the OS as the copy-iface (so the OS can route packets, or forward + # to a service running on the same machine) add a plus sign at the end + # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 + # for return packets. Hardware checksumming must be *off* on the interface if + # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD + # or 'ethtool -K eth0 tx off rx off' for Linux). + #copy-mode: tap + #copy-iface: eth3 + # Set to yes to disable promiscuous mode + # disable-promisc: no + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # BPF filter to apply to this interface. The pcap filter syntax apply here. + #bpf-filter: port 80 or udp + #- interface: eth3 + #threads: auto + #copy-mode: tap + #copy-iface: eth2 + # Put default values here + - interface: default + +# PF_RING configuration. for use with native PF_RING support +# for more info see http://www.ntop.org/products/pf_ring/ +pfring: + - interface: eth0 + # Number of receive threads (>1 will enable experimental flow pinned + # runmode) + threads: 1 + + # Default clusterid. PF_RING will load balance packets based on flow. + # All threads/processes that will participate need to have the same + # clusterid. + cluster-id: 99 + + # Default PF_RING cluster type. PF_RING can load balance per flow. + # Possible values are cluster_flow or cluster_round_robin. + cluster-type: cluster_flow + # bpf filter for this interface + #bpf-filter: tcp + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - rxonly: only compute checksum for packets received by network card. + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # Second interface + #- interface: eth1 + # threads: 3 + # cluster-id: 93 + # cluster-type: cluster_flow + # Put default values here + - interface: default + #threads: 2 + +# For FreeBSD ipfw(8) divert(4) support. +# Please make sure you have ipfw_load="YES" and ipdivert_load="YES" +# in /etc/loader.conf or kldload'ing the appropriate kernel modules. +# Additionally, you need to have an ipfw rule for the engine to see +# the packets from ipfw. For Example: +# +# ipfw add 100 divert 8000 ip from any to any +# +# The 8000 above should be the same number you passed on the command +# line, i.e. -d 8000 +# +ipfw: + + # Reinject packets at the specified ipfw rule number. This config + # option is the ipfw rule number AT WHICH rule processing continues + # in the ipfw processing system after the engine has finished + # inspecting the packet for acceptance. If no rule number is specified, + # accepted packets are reinjected at the divert rule which they entered + # and IPFW rule processing continues. No check is done to verify + # this will rule makes sense so care must be taken to avoid loops in ipfw. + # + ## The following example tells the engine to reinject packets + # back into the ipfw firewall AT rule number 5500: + # + # ipfw-reinjection-rule-number: 5500 + + +napatech: + # The Host Buffer Allowance for all streams + # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) + hba: -1 + + # use_all_streams set to "yes" will query the Napatech service for all configured + # streams and listen on all of them. When set to "no" the streams config array + # will be used. + use-all-streams: yes + + # The streams to listen on + streams: [1, 2, 3] + +# Tilera mpipe configuration. for use on Tilera TILE-Gx. +mpipe: + + # Load balancing modes: "static", "dynamic", "sticky", or "round-robin". + load-balance: dynamic + + # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536 + iqueue-packets: 2048 + + # List of interfaces we will listen on. + inputs: + - interface: xgbe2 + - interface: xgbe3 + - interface: xgbe4 + + + # Relative weight of memory for packets of each mPipe buffer size. + stack: + size128: 0 + size256: 9 + size512: 0 + size1024: 0 + size1664: 7 + size4096: 0 + size10386: 0 + size16384: 0 + +## +## Hardware accelaration +## + +# Cuda configuration. +cuda: + # The "mpm" profile. On not specifying any of these parameters, the engine's + # internal default values are used, which are same as the ones specified in + # in the default conf file. + mpm: + # The minimum length required to buffer data to the gpu. + # Anything below this is MPM'ed on the CPU. + # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. + # A value of 0 indicates there's no limit. + data-buffer-size-min-limit: 0 + # The maximum length for data that we would buffer to the gpu. + # Anything over this is MPM'ed on the CPU. + # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. + data-buffer-size-max-limit: 1500 + # The ring buffer size used by the CudaBuffer API to buffer data. + cudabuffer-buffer-size: 500mb + # The max chunk size that can be sent to the gpu in a single go. + gpu-transfer-size: 50mb + # The timeout limit for batching of packets in microseconds. + batching-timeout: 2000 + # The device to use for the mpm. Currently we don't support load balancing + # on multiple gpus. In case you have multiple devices on your system, you + # can specify the device to use, using this conf. By default we hold 0, to + # specify the first device cuda sees. To find out device-id associated with + # the card(s) on the system run "suricata --list-cuda-cards". + device-id: 0 + # No of Cuda streams used for asynchronous processing. All values > 0 are valid. + # For this option you need a device with Compute Capability > 1.0. + cuda-streams: 2 + +## +## Include other configs +## + +# Includes. Files included here will be handled as if they were +# inlined in this configuration file. +#include: include1.yaml +#include: include2.yaml diff --git a/docker/suricata/dist/update.sh b/docker/suricata/dist/update.sh new file mode 100644 index 00000000..f1938cb1 --- /dev/null +++ b/docker/suricata/dist/update.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +# Let's ensure normal operation on exit or if interrupted ... +function fuCLEANUP { + exit 0 +} +trap fuCLEANUP EXIT + +# Download the latest EmergingThreats ruleset, replace rulebase and enable all rules +cd /tmp +wget --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz +tar xvfz emerging.rules.tar.gz -C /etc/suricata/ +sed -i s/^#alert/alert/ /etc/suricata/rules/*.rules diff --git a/docker/suricata/doc/dashboard.png b/docker/suricata/doc/dashboard.png new file mode 100644 index 00000000..8313db8c Binary files /dev/null and b/docker/suricata/doc/dashboard.png differ diff --git a/docker/ui-for-docker/Dockerfile b/docker/ui-for-docker/Dockerfile new file mode 100644 index 00000000..87c2f859 --- /dev/null +++ b/docker/ui-for-docker/Dockerfile @@ -0,0 +1,6 @@ +FROM portainer/portainer:latest + +ADD favicon.ico /ico +#ADD small.png /images/logo.png + +ENTRYPOINT ["/portainer"] diff --git a/docker/ui-for-docker/README.md b/docker/ui-for-docker/README.md new file mode 100644 index 00000000..e65432ff --- /dev/null +++ b/docker/ui-for-docker/README.md @@ -0,0 +1,26 @@ +# dockerized portainer (ui-for-docker) + +[portainer](http://portainer.io/) Portainer allows you to manage your Docker containers, images, volumes, networks and more ! It is compatible with the standalone Docker engine and with Docker Swarm. + +This repository contains the necessary files to create a *dockerized* version of portainer. + +This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG. + +The `Dockerfile` contains the blueprint for the dockerized portainer and will be used to setup the docker image. + +Using systemd, copy the `systemd/ui-for-docker.service` to `/etc/systemd/system/ui-for-docker.service` and start using + +``` +systemctl enable ui-for-docker +systemctl start ui-for-docker +``` + +This will make sure that the docker container is started with the appropriate permissions and port mappings. Further, it autostarts during boot. + +# Portainer Dashboard + +![Portainer Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/ui-for-docker/master/doc/dashboard1.png) +![Portainer Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/ui-for-docker/master/doc/dashboard2.png) +![Portainer Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/ui-for-docker/master/doc/dashboard3.png) +![Portainer Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/ui-for-docker/master/doc/dashboard4.png) +![Portainer Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/ui-for-docker/master/doc/dashboard5.png) diff --git a/docker/ui-for-docker/doc/dashboard1.png b/docker/ui-for-docker/doc/dashboard1.png new file mode 100644 index 00000000..662606c8 Binary files /dev/null and b/docker/ui-for-docker/doc/dashboard1.png differ diff --git a/docker/ui-for-docker/doc/dashboard2.png b/docker/ui-for-docker/doc/dashboard2.png new file mode 100644 index 00000000..54e93b8b Binary files /dev/null and b/docker/ui-for-docker/doc/dashboard2.png differ diff --git a/docker/ui-for-docker/doc/dashboard3.png b/docker/ui-for-docker/doc/dashboard3.png new file mode 100644 index 00000000..82d04d70 Binary files /dev/null and b/docker/ui-for-docker/doc/dashboard3.png differ diff --git a/docker/ui-for-docker/doc/dashboard4.png b/docker/ui-for-docker/doc/dashboard4.png new file mode 100644 index 00000000..482a7b6b Binary files /dev/null and b/docker/ui-for-docker/doc/dashboard4.png differ diff --git a/docker/ui-for-docker/doc/dashboard5.png b/docker/ui-for-docker/doc/dashboard5.png new file mode 100644 index 00000000..ca3176fd Binary files /dev/null and b/docker/ui-for-docker/doc/dashboard5.png differ diff --git a/docker/ui-for-docker/favicon.ico b/docker/ui-for-docker/favicon.ico new file mode 100644 index 00000000..a40c2372 Binary files /dev/null and b/docker/ui-for-docker/favicon.ico differ diff --git a/docker/ui-for-docker/small.png b/docker/ui-for-docker/small.png new file mode 100644 index 00000000..12c9dca5 Binary files /dev/null and b/docker/ui-for-docker/small.png differ diff --git a/docker/ui-for-docker/systemd/ui-for-docker.service b/docker/ui-for-docker/systemd/ui-for-docker.service new file mode 100644 index 00000000..c833f756 --- /dev/null +++ b/docker/ui-for-docker/systemd/ui-for-docker.service @@ -0,0 +1,14 @@ +[Unit] +Description=ui-for-docker +Requires=docker.service +After=docker.service + +[Service] +Restart=always +ExecStartPre=-/usr/bin/docker stop ui-for-docker +ExecStartPre=-/usr/bin/docker rm -v ui-for-docker +ExecStart=/usr/bin/docker run --name ui-for-docker --rm=true -v /var/run/docker.sock:/var/run/docker.sock -p 127.0.0.1:64299:9000 dtagdevsec/ui-for-docker:1706 -H unix:///var/run/docker.sock --no-auth +ExecStop=/usr/bin/docker stop ui-for-docker + +[Install] +WantedBy=multi-user.target diff --git a/docker/vnclowpot/Dockerfile b/docker/vnclowpot/Dockerfile new file mode 100644 index 00000000..9a0d123b --- /dev/null +++ b/docker/vnclowpot/Dockerfile @@ -0,0 +1,29 @@ +FROM alpine +MAINTAINER MO + +# Include dist +#ADD dist/ /root/dist/ + +# Setup apk +RUN apk -U add bash \ + build-base \ + git \ + go \ + procps && \ + +# Setup vnclowpot + go get github.com/magisterquis/vnclowpot && \ + go install github.com/magisterquis/vnclowpot && \ + +# Setup user, groups and configs + addgroup -g 2000 vnclowpot && \ + adduser -S -s /bin/bash -u 2000 -D -g 2000 vnclowpot && \ + mkdir -p /var/log/vnclowpot && \ + +# Clean up + apk del build-base \ + git && \ + rm -rf /var/cache/apk/* + +# Run supervisor upon container start +CMD /root/go/bin/vnclowpot -j >> /var/log/vnclowpot/vnclowpot.log diff --git a/docker/vnclowpot/README.md b/docker/vnclowpot/README.md new file mode 100644 index 00000000..3189b623 --- /dev/null +++ b/docker/vnclowpot/README.md @@ -0,0 +1,4 @@ +[![](https://images.microbadger.com/badges/version/dtagdevsec/vnclowpot:1706.svg)](https://microbadger.com/images/dtagdevsec/vnclowpot:1706 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/vnclowpot:1706.svg)](https://microbadger.com/images/dtagdevsec/vnclowpot:1706 "Get your own image badge on microbadger.com") + +# vnclowpot + diff --git a/docker/vnclowpot/docker-compose.yml b/docker/vnclowpot/docker-compose.yml new file mode 100644 index 00000000..6929b8df --- /dev/null +++ b/docker/vnclowpot/docker-compose.yml @@ -0,0 +1,18 @@ +version: '2.1' + +networks: + vnclowpot_local: + +services: + +# vnclowpot service + vnclowpot: + container_name: vnclowpot + restart: always + networks: + - vnclowpot_local + ports: + - "5900:5900" + image: "dtagdevsec/vnclowpot:1706" + volumes: + - /data/vnclowpot/log:/var/log/vnclowpot