tweaking
This commit is contained in:
parent
edfd5eaa5b
commit
446880de55
9 changed files with 32 additions and 25 deletions
|
@ -132,6 +132,14 @@ fuGLASTOPF () {
|
|||
chown tpot:tpot /data/glastopf -R
|
||||
}
|
||||
|
||||
# Let's create a function to clean up and prepare glastopf data
|
||||
fuGLUTTON () {
|
||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/glutton/*; fi
|
||||
mkdir -p /data/glutton/log
|
||||
chmod 760 /data/glutton -R
|
||||
chown tpot:tpot /data/glutton -R
|
||||
}
|
||||
|
||||
# Let's create a function to clean up and prepare heralding data
|
||||
fuHERALDING () {
|
||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi
|
||||
|
@ -234,6 +242,7 @@ if [ "$myPERSISTENCE" = "on" ];
|
|||
fuELK
|
||||
fuEMOBILITY
|
||||
fuGLASTOPF
|
||||
fuGLUTTON
|
||||
fuHERALDING
|
||||
fuHONEYTRAP
|
||||
fuMAILONEY
|
||||
|
|
|
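Review bot: `chmod 760 /data/glutton -R` in fuGLUTTON applies mode 760 to the directories as well as the files, so the group gets read/write on files but no execute bit on /data/glutton and /data/glutton/log and cannot traverse into them; only the owner tpot can. The logstash container in this same commit runs as `USER logstash:logstash` and tails `/data/glutton/log/glutton.log`, so the new input only works if that user maps to the same uid as tpot on the host — worth confirming, because otherwise the input silently reads nothing. If the mode is intentionally the same as the other fu* functions, a one-line comment such as `# 760 matches the other /data/* dirs; readers must run as the tpot uid` would make that explicit. fuHERALDING's body continues outside the hunk.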
@ -49,4 +49,4 @@ HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9600'
|
|||
|
||||
# Start logstash
|
||||
USER logstash:logstash
|
||||
CMD update.sh && /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf
|
||||
CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf
|
||||
|
|
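Review bot: The switch to `exec` in the logstash CMD deserves a one-line comment, since the same change is made in the glutton and nginx Dockerfiles of this commit and the reason is not visible from the line itself: in shell-form CMD without exec the daemon is a child of /bin/sh, does not receive docker stop's SIGTERM directly, and is killed after the grace period instead of shutting down cleanly. Suggested: `# exec so logstash is PID 1 and receives SIGTERM from docker stop directly`. Note that `update.sh` still runs first under the `USER logstash:logstash` directive, so whatever it writes must be writable by that user; that was already true before this change.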
17
docker/elk/logstash/dist/logstash.conf
vendored
|
@ -55,6 +55,13 @@ input {
|
|||
type => "Glastopf"
|
||||
}
|
||||
|
||||
# Glutton
|
||||
file {
|
||||
path => ["/data/glutton/log/glutton.log"]
|
||||
codec => json
|
||||
type => "Glutton"
|
||||
}
|
||||
|
||||
# Heralding
|
||||
file {
|
||||
path => ["/data/heralding/log/auth.csv"]
|
||||
|
@ -207,6 +214,14 @@ filter {
|
|||
}
|
||||
}
|
||||
|
||||
# Glutton
|
||||
if [type] == "Glutton" {
|
||||
date {
|
||||
match => [ "ts", "UNIX" ]
|
||||
remove_field => ["ts"]
|
||||
}
|
||||
}
|
||||
|
||||
# Heralding
|
||||
if [type] == "Heralding" {
|
||||
csv {
|
||||
|
@ -395,7 +410,7 @@ if "_grokparsefailure" in [tags] { drop {} }
|
|||
}
|
||||
|
||||
# Add T-Pot hostname and external IP
|
||||
if [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "eMobility" or [type] == "Glastopf" or [type] == "Honeytrap" or [type] == "Mailoney" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Vnclowpot" {
|
||||
if [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "eMobility" or [type] == "Glastopf" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Mailoney" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Vnclowpot" {
|
||||
mutate {
|
||||
add_field => {
|
||||
"t-pot_ip_ext" => "${MY_EXTIP}"
|
||||
|
|
|
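Review bot: The `# Add T-Pot hostname and external IP` condition on the new side adds "Heralding" but not "Glutton", so Glutton events get the new file input and the `date` filter from the earlier hunks but never receive `t-pot_ip_ext` and the hostname field the other honeypot types get. Unless that is intentional, the condition should also include `or [type] == "Glutton"`, e.g. `... or [type] == "Glastopf" or [type] == "Glutton" or [type] == "Honeytrap" ...`. The date filter in the second hunk assumes `ts` in glutton's JSON is a UNIX epoch; a `_dateparsefailure` tag is not handled, while `_grokparsefailure` events are dropped just above the third hunk, so a comment stating the expected `ts` format would help. The mutate block continues outside the hunk.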
@ -45,4 +45,4 @@ RUN apk -U --no-cache add bash \
|
|||
|
||||
# Run supervisor upon container start
|
||||
WORKDIR /opt/glutton
|
||||
CMD exec bin/server -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:]) -l /var/log/glutton/glutton.log -d true
|
||||
CMD exec bin/server -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:]) -l /var/log/glutton/glutton.log
|
||||
|
|
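Review bot: `tr -d [:punct:]` at the end of the glutton CMD is unquoted, so the shell first tries to glob `[:punct:]` against WORKDIR /opt/glutton; a file whose name is one of those characters would replace the argument and change the interface name passed to `-i`. It should read `tr -d '[:punct:]'`. The `grep '^2: '` selection also assumes the host's primary interface is always the second entry of `ip address`, which is fragile now that the service runs with `network_mode: "host"`; a comment stating that assumption, or deriving the interface from the default route, would help. Dropping `-d true` (presumably the debug flag) changes runtime behaviour silently and is worth a word in the commit message.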
16
docker/glutton/dist/rules.yaml
vendored
|
@ -1,11 +1,4 @@
|
|||
rules:
|
||||
- match: tcp dst port 5001
|
||||
type: passthrough
|
||||
name: ssh
|
||||
- match: tcp dst port 22 or port 2222
|
||||
type: conn_handler
|
||||
name: proxy_ssh
|
||||
target: tcp://172.17.0.2:22
|
||||
- match: tcp dst port 23 or port 2323 or port 23231
|
||||
type: conn_handler
|
||||
target: telnet
|
||||
|
@ -24,15 +17,6 @@ rules:
|
|||
- match: tcp dst port 5060
|
||||
type: conn_handler
|
||||
target: sip
|
||||
- match: tcp dst port 1080
|
||||
type: passthrough
|
||||
name: http
|
||||
- match: tcp dst port 6000 or port 7000
|
||||
type: conn_handler
|
||||
name: proxy_tcp
|
||||
target: tcp://172.17.0.2:22
|
||||
- match: tcp
|
||||
type: conn_handler
|
||||
target: default
|
||||
- match: udp
|
||||
type: drop
|
|
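Review bot: With the `proxy_ssh` and `proxy_tcp` rules targeting the hard-coded `tcp://172.17.0.2:22` removed, ports 22, 2222, 6000 and 7000 now fall through to the catch-all `match: tcp` rule, which is a behaviour change for anything relying on the SSH proxy and deserves a comment at the top of the file. From the rendered hunk it is not certain whether the trailing `- match: udp` / `type: drop` entry survived the -24,15 +17,6 edit; if it was removed, UDP has no rule at all, which should be confirmed against the file. A suggested header comment: `# TCP not matched below goes to the default handler; the 172.17.0.2 proxy targets were removed (presumably with the move to host networking)`.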
@ -5,14 +5,10 @@ services:
|
|||
|
||||
# glutton service
|
||||
glutton:
|
||||
build: .
|
||||
container_name: glutton
|
||||
restart: always
|
||||
network_mode: "host"
|
||||
#networks:
|
||||
# - glutton_local
|
||||
#ports:
|
||||
# - "5000:5000"
|
||||
# - "22:5000"
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
image: "dtagdevsec/glutton:1804"
|
||||
|
|
|
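Review bot: The commented-out `networks:` and `ports:` entries in the glutton service are dead configuration and should either be removed or carry a comment saying when they apply, since `network_mode: "host"` makes port mappings meaningless. `cap_add: NET_ADMIN` together with host networking gives the container control of the host's network stack, so the reason — presumably glutton's own netfilter redirection, which is not visible here — belongs in a comment, e.g. `# NET_ADMIN: glutton manipulates the host network namespace; only possible with network_mode host`. The service definition continues outside the hunk.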
@ -23,4 +23,4 @@ RUN apk -U upgrade && \
|
|||
rm -rf /var/cache/apk/*
|
||||
|
||||
# Start nginx
|
||||
CMD nginx -g 'daemon off;'
|
||||
CMD exec nginx -g 'daemon off;'
|
||||
|
|
|
@ -17,6 +17,8 @@
|
|||
/data/emobility/log/centralsystemEWS.log
|
||||
/data/glastopf/log/glastopf.log
|
||||
/data/glastopf/db/glastopf.db
|
||||
/data/glutton/log/*.log
|
||||
/data/glutton/log/*.err
|
||||
/data/heralding/log/*.log
|
||||
/data/heralding/log/*.csv
|
||||
/data/honeytrap/log/*.log
|
||||
|
|
|
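Review bot: The new `/data/glutton/log/*.log` and `*.err` entries assume glutton writes into /data/glutton/log, but the glutton Dockerfile in this commit logs to `/var/log/glutton/glutton.log` and the docker-compose hunk shows no `volumes:` mapping; if the bind mount is defined outside the shown hunk that is fine, otherwise nothing is rotated here and logstash's new input stays empty. Nothing in the visible CMD produces a `.err` file, so that glob looks speculative. A comment such as `# glutton logs via bind mount /var/log/glutton -> /data/glutton/log` next to the entries would document the dependency. The enclosing stanza starts and ends outside the hunk.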
@ -446,6 +446,7 @@ mkdir -p /data/ciscoasa/log \
|
|||
/data/elasticpot/log \
|
||||
/data/elk/data /data/elk/log \
|
||||
/data/glastopf /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/ \
|
||||
/data/glutton/log \
|
||||
/data/heralding/log \
|
||||
/data/mailoney/log \
|
||||
/data/nginx/log \
|
||||
|
|