Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-07-04 14:02:13 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

tweak logstash.conf for citrixhoneypot

Browse source
This commit is contained in:
t3chn0m4g3 2020-01-16 18:04:29 +00:00
parent a6ed6613a5
commit 1d0aad3b34
1 changed files with 8 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
docker/elk/logstash/dist/logstash.conf vendored
View file

@ -217,10 +217,10 @@ filter {
if [type] == "CitrixHoneypot" {
grok {
match => {
"message" => [ "\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{JAVAMETHOD:method}%{SPACE}%{CISCO_REASON:fileinfo.state}: %{UNIXPATH:filename}",
"\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{JAVAMETHOD:method}%{SPACE}%{CISCO_REASON:fileinfo.state}: %{GREEDYDATA:payload}",
"\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{S3_REQUEST_LINE:msg} %{CISCO_REASON:filename.state}: %{GREEDYDATA:payload}",
"\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{GREEDYDATA:msg}" ]
"message" => [ "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{UNIXPATH:fileinfo.filename:string}",
"\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string}",
"\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{S3_REQUEST_LINE:msg:string} %{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string:string}",
"\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{GREEDYDATA:msg:string}" ]
}
}
date {
@ -231,7 +231,9 @@ filter {
mutate {
add_field => {
"dest_port" => "443"
}
rename => {
"levelname" => "level"
}
}
}