tweaking, add sentrypeer to logstash config
This commit is contained in:
parent
aa6afc37fe
commit
5237215bf0
7 changed files with 49 additions and 105 deletions
2
docker/elk/logstash/dist/http_input.conf
vendored
|
@ -3,7 +3,7 @@ input {
|
|||
http {
|
||||
id => "tpot"
|
||||
host => "0.0.0.0"
|
||||
port => "80"
|
||||
port => "64305"
|
||||
}
|
||||
}
|
||||
|
||||
|
|
72
docker/elk/logstash/dist/http_output.conf
vendored
|
@ -119,13 +119,6 @@ input {
|
|||
type => "Honeypots"
|
||||
}
|
||||
|
||||
# Honeysap
|
||||
file {
|
||||
path => ["/data/honeysap/log/honeysap-external.log"]
|
||||
codec => json
|
||||
type => "Honeysap"
|
||||
}
|
||||
|
||||
# Honeytrap
|
||||
file {
|
||||
path => ["/data/honeytrap/log/attackers.json"]
|
||||
|
@ -161,12 +154,6 @@ input {
|
|||
type => "Medpot"
|
||||
}
|
||||
|
||||
# Rdpy
|
||||
file {
|
||||
path => ["/data/rdpy/log/rdpy.log"]
|
||||
type => "Rdpy"
|
||||
}
|
||||
|
||||
# Redishoneypot
|
||||
file {
|
||||
path => ["/data/redishoneypot/log/redishoneypot.log"]
|
||||
|
@ -181,6 +168,13 @@ input {
|
|||
type => "NGINX"
|
||||
}
|
||||
|
||||
# Sentrypeer
|
||||
file {
|
||||
path => ["/data/sentrypeer/log/sentrypeer.json"]
|
||||
codec => json
|
||||
type => "Sentrypeer"
|
||||
}
|
||||
|
||||
# Tanner
|
||||
file {
|
||||
path => ["/data/tanner/log/tanner_report.json"]
|
||||
|
@ -494,31 +488,6 @@ filter {
|
|||
}
|
||||
}
|
||||
|
||||
# Honeysap
|
||||
if [type] == "Honeysap" {
|
||||
date {
|
||||
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
|
||||
remove_field => ["timestamp"]
|
||||
}
|
||||
mutate {
|
||||
rename => {
|
||||
"[data][error_msg]" => "event_type"
|
||||
"service" => "sensor"
|
||||
"source_port" => "src_port"
|
||||
"source_ip" => "src_ip"
|
||||
"target_port" => "dest_port"
|
||||
"target_ip" => "dest_ip"
|
||||
}
|
||||
remove_field => "event"
|
||||
remove_field => "return_code"
|
||||
}
|
||||
if [data] {
|
||||
mutate {
|
||||
remove_field => "[data]"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Honeytrap
|
||||
if [type] == "Honeytrap" {
|
||||
date {
|
||||
|
@ -591,18 +560,6 @@ filter {
|
|||
}
|
||||
}
|
||||
|
||||
# Rdpy
|
||||
if [type] == "Rdpy" {
|
||||
grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}", "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ] } }
|
||||
date {
|
||||
match => [ "timestamp", "ISO8601" ]
|
||||
remove_field => ["timestamp"]
|
||||
}
|
||||
mutate {
|
||||
add_field => { "dest_port" => "3389" }
|
||||
}
|
||||
}
|
||||
|
||||
# Redishoneypot
|
||||
if [type] == "Redishoneypot" {
|
||||
date {
|
||||
|
@ -629,6 +586,21 @@ filter {
|
|||
}
|
||||
}
|
||||
|
||||
# Sentrypeer
|
||||
if [type] == "Sentrypeer" {
|
||||
date {
|
||||
match => [ "event_timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSSSSS" ]
|
||||
remove_field => ["event_timestamp"]
|
||||
}
|
||||
mutate {
|
||||
rename => {
|
||||
"source_ip" => "src_ip"
|
||||
"destination_ip" => "dest_ip"
|
||||
}
|
||||
add_field => { "dest_port" => "5060" }
|
||||
}
|
||||
}
|
||||
|
||||
# Tanner
|
||||
if [type] == "Tanner" {
|
||||
date {
|
||||
|
|
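Review bot: The new Sentrypeer date filter, `match => [ "event_timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSSSSS" ]`, accepts exactly one layout with nine fractional digits, so any record whose timestamp deviates (fewer digits, a `T` separator, a zone suffix) is tagged `_dateparsefailure` and @timestamp silently falls back to ingest time, which skews the attack timeline in Kibana; I cannot see sentrypeer's actual output from this hunk, so please confirm the format against a sample log line. A tolerant fallback pattern is cheap: `match => [ "event_timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSSSSS", "ISO8601" ]`. Relatedly, `add_field => { "dest_port" => "5060" }` hard-codes the port while the sentrypeer compose hunk in this same commit publishes the range 5060-5069/udp, so events arriving on another port in that range would be mis-reported; if sentrypeer records the real destination port, renaming that field is preferable to the constant. The identical block is added to logstash.conf in its `@ -629,6 +586,21 @@ filter` hunk, so the same applies there.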
72
docker/elk/logstash/dist/logstash.conf
vendored
|
@ -119,13 +119,6 @@ input {
|
|||
type => "Honeypots"
|
||||
}
|
||||
|
||||
# Honeysap
|
||||
file {
|
||||
path => ["/data/honeysap/log/honeysap-external.log"]
|
||||
codec => json
|
||||
type => "Honeysap"
|
||||
}
|
||||
|
||||
# Honeytrap
|
||||
file {
|
||||
path => ["/data/honeytrap/log/attackers.json"]
|
||||
|
@ -161,12 +154,6 @@ input {
|
|||
type => "Medpot"
|
||||
}
|
||||
|
||||
# Rdpy
|
||||
file {
|
||||
path => ["/data/rdpy/log/rdpy.log"]
|
||||
type => "Rdpy"
|
||||
}
|
||||
|
||||
# Redishoneypot
|
||||
file {
|
||||
path => ["/data/redishoneypot/log/redishoneypot.log"]
|
||||
|
@ -174,6 +161,13 @@ input {
|
|||
type => "Redishoneypot"
|
||||
}
|
||||
|
||||
# Sentrypeer
|
||||
file {
|
||||
path => ["/data/sentrypeer/log/sentrypeer.json"]
|
||||
codec => json
|
||||
type => "Sentrypeer"
|
||||
}
|
||||
|
||||
# Host NGINX
|
||||
file {
|
||||
path => ["/data/nginx/log/access.log"]
|
||||
|
@ -494,31 +488,6 @@ filter {
|
|||
}
|
||||
}
|
||||
|
||||
# Honeysap
|
||||
if [type] == "Honeysap" {
|
||||
date {
|
||||
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
|
||||
remove_field => ["timestamp"]
|
||||
}
|
||||
mutate {
|
||||
rename => {
|
||||
"[data][error_msg]" => "event_type"
|
||||
"service" => "sensor"
|
||||
"source_port" => "src_port"
|
||||
"source_ip" => "src_ip"
|
||||
"target_port" => "dest_port"
|
||||
"target_ip" => "dest_ip"
|
||||
}
|
||||
remove_field => "event"
|
||||
remove_field => "return_code"
|
||||
}
|
||||
if [data] {
|
||||
mutate {
|
||||
remove_field => "[data]"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Honeytrap
|
||||
if [type] == "Honeytrap" {
|
||||
date {
|
||||
|
@ -591,18 +560,6 @@ filter {
|
|||
}
|
||||
}
|
||||
|
||||
# Rdpy
|
||||
if [type] == "Rdpy" {
|
||||
grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}", "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ] } }
|
||||
date {
|
||||
match => [ "timestamp", "ISO8601" ]
|
||||
remove_field => ["timestamp"]
|
||||
}
|
||||
mutate {
|
||||
add_field => { "dest_port" => "3389" }
|
||||
}
|
||||
}
|
||||
|
||||
# Redishoneypot
|
||||
if [type] == "Redishoneypot" {
|
||||
date {
|
||||
|
@ -629,6 +586,21 @@ filter {
|
|||
}
|
||||
}
|
||||
|
||||
# Sentrypeer
|
||||
if [type] == "Sentrypeer" {
|
||||
date {
|
||||
match => [ "event_timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSSSSS" ]
|
||||
remove_field => ["event_timestamp"]
|
||||
}
|
||||
mutate {
|
||||
rename => {
|
||||
"source_ip" => "src_ip"
|
||||
"destination_ip" => "dest_ip"
|
||||
}
|
||||
add_field => { "dest_port" => "5060" }
|
||||
}
|
||||
}
|
||||
|
||||
# Tanner
|
||||
if [type] == "Tanner" {
|
||||
date {
|
||||
|
|
2
docker/elk/logstash/dist/tpot-template.json
vendored
|
@ -10,7 +10,7 @@
|
|||
"limit": "2000"
|
||||
}
|
||||
},
|
||||
"refresh_interval": "1s",
|
||||
"refresh_interval": "5s",
|
||||
"number_of_shards": "1",
|
||||
"number_of_replicas": "0",
|
||||
"query": {
|
||||
|
|
|
@ -15,7 +15,7 @@ services:
|
|||
env_file:
|
||||
- /opt/tpot/etc/compose/elk_environment
|
||||
ports:
|
||||
- "127.0.0.1:64305:80"
|
||||
- "127.0.0.1:64305:64305"
|
||||
image: "dtagdevsec/logstash:2203"
|
||||
volumes:
|
||||
- /data:/data
|
||||
|
|
|
@ -13,7 +13,7 @@ services:
|
|||
networks:
|
||||
- sentrypeer_local
|
||||
ports:
|
||||
- "5060:5060/udp"
|
||||
- "5060-5069:5060/udp"
|
||||
# - "127.0.0.1:8082:8082"
|
||||
image: "dtagdevsec/sentrypeer:2203"
|
||||
read_only: true
|
||||
|
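Review bot: `- "5060-5069:5060/udp"` maps a host port range onto a single container port, and as far as I know Docker treats that as "allocate one host port from this range" rather than "listen on all ten", so the honeypot would be reachable on only one port of 5060-5069, chosen at container start, and the constant `dest_port` of 5060 added to the Logstash filters in this commit would then be wrong for that port. If the intent is to observe traffic on the alternate SIP ports, the mapping has to be like-for-like, e.g. `- "5060-5069:5060-5069/udp"`, which only works if sentrypeer actually binds all of those ports inside the container; otherwise the previous `- "5060:5060/udp"` is the correct form. I cannot see the sentrypeer listener configuration from this hunk, so please verify the published ports with `docker port` after bringing the stack up.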
|
|
@ -59,7 +59,7 @@ services:
|
|||
env_file:
|
||||
- /opt/tpot/etc/compose/elk_environment
|
||||
ports:
|
||||
- "127.0.0.1:64305:80"
|
||||
- "127.0.0.1:64305:64305"
|
||||
image: "dtagdevsec/logstash:2203"
|
||||
volumes:
|
||||
- /data:/data
|
||||
|
|