diff --git a/docker/elk/logstash/dist/http_input.conf b/docker/elk/logstash/dist/http_input.conf
index b51823d8..c966cc90 100644
--- a/docker/elk/logstash/dist/http_input.conf
+++ b/docker/elk/logstash/dist/http_input.conf
@@ -3,7 +3,7 @@ input {
 http {
 id => "tpot"
 host => "0.0.0.0"
- port => "80"
+ port => "64305"
 }
 }
diff --git a/docker/elk/logstash/dist/http_output.conf b/docker/elk/logstash/dist/http_output.conf
index 3dc33047..febf2f12 100644
--- a/docker/elk/logstash/dist/http_output.conf
+++ b/docker/elk/logstash/dist/http_output.conf
@@ -119,13 +119,6 @@ input {
 type => "Honeypots"
 }
-# Honeysap
- file {
- path => ["/data/honeysap/log/honeysap-external.log"]
- codec => json
- type => "Honeysap"
- }
-
 # Honeytrap
 file {
 path => ["/data/honeytrap/log/attackers.json"]
@@ -161,12 +154,6 @@ input {
 type => "Medpot"
 }
-# Rdpy
- file {
- path => ["/data/rdpy/log/rdpy.log"]
- type => "Rdpy"
- }
-
 # Redishoneypot
 file {
 path => ["/data/redishoneypot/log/redishoneypot.log"]
@@ -181,6 +168,13 @@ input {
 type => "NGINX"
 }
+# Sentrypeer
+ file {
+ path => ["/data/sentrypeer/log/sentrypeer.json"]
+ codec => json
+ type => "Sentrypeer"
+ }
+
 # Tanner
 file {
 path => ["/data/tanner/log/tanner_report.json"]
@@ -494,31 +488,6 @@ filter {
 }
 }
-# Honeysap
- if [type] == "Honeysap" {
- date {
- match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
- remove_field => ["timestamp"]
- }
- mutate {
- rename => {
- "[data][error_msg]" => "event_type"
- "service" => "sensor"
- "source_port" => "src_port"
- "source_ip" => "src_ip"
- "target_port" => "dest_port"
- "target_ip" => "dest_ip"
- }
- remove_field => "event"
- remove_field => "return_code"
- }
- if [data] {
- mutate {
- remove_field => "[data]"
- }
- }
- }
-
 # Honeytrap
 if [type] == "Honeytrap" {
 date {
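Review bot: `port => "64305"` is now the same literal as the container-side port of the `127.0.0.1:64305:64305` mappings in docker/elk/logstash/docker-compose.yml and etc/compose/hive.yml, but nothing in either place records that coupling, so the next edit to one of them will silently stop events reaching this input. A comment above the port line would make it visible: `# Container-side listen port; must match the container port of the logstash ports: mapping in docker/elk/logstash/docker-compose.yml and etc/compose/hive.yml`. The block still binds `host => "0.0.0.0"` and carries no authentication settings, so the loopback-only `127.0.0.1` prefix in those compose mappings is the only thing keeping this input off the network; the same comment should say that prefix is load-bearing, and that the plugin's `user`/`password` options should be set before the mapping is ever widened.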
@@ -591,18 +560,6 @@ filter {
 }
 }
-# Rdpy
- if [type] == "Rdpy" {
- grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}", "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ] } }
- date {
- match => [ "timestamp", "ISO8601" ]
- remove_field => ["timestamp"]
- }
- mutate {
- add_field => { "dest_port" => "3389" }
- }
- }
-
 # Redishoneypot
 if [type] == "Redishoneypot" {
 date {
@@ -629,6 +586,21 @@ filter {
 }
 }
+# Sentrypeer
+ if [type] == "Sentrypeer" {
+ date {
+ match => [ "event_timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSSSSS" ]
+ remove_field => ["event_timestamp"]
+ }
+ mutate {
+ rename => {
+ "source_ip" => "src_ip"
+ "destination_ip" => "dest_ip"
+ }
+ add_field => { "dest_port" => "5060" }
+ }
+ }
+
 # Tanner
 if [type] == "Tanner" {
 date {
diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf
index 8e0322ab..69ae739c 100644
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@@ -119,13 +119,6 @@ input {
 type => "Honeypots"
 }
-# Honeysap
- file {
- path => ["/data/honeysap/log/honeysap-external.log"]
- codec => json
- type => "Honeysap"
- }
-
 # Honeytrap
 file {
 path => ["/data/honeytrap/log/attackers.json"]
@@ -161,12 +154,6 @@ input {
 type => "Medpot"
 }
-# Rdpy
- file {
- path => ["/data/rdpy/log/rdpy.log"]
- type => "Rdpy"
- }
-
 # Redishoneypot
 file {
 path => ["/data/redishoneypot/log/redishoneypot.log"]
@@ -174,6 +161,13 @@ input {
 type => "Redishoneypot"
 }
+# Sentrypeer
+ file {
+ path => ["/data/sentrypeer/log/sentrypeer.json"]
+ codec => json
+ type => "Sentrypeer"
+ }
+
 # Host NGINX
 file {
 path => ["/data/nginx/log/access.log"]
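Review bot: `add_field => { "dest_port" => "5060" }` in the new Sentrypeer filter hardcodes the container-side port, while docker/sentrypeer/docker-compose.yml in this same commit publishes host ports 5060-5069 onto that one container port, so the port a scanner actually probed is not recoverable from this field and every Sentrypeer event will report 5060 regardless. Since the value is derived rather than observed, a comment should say so: `# container-side SIP port; the host port range published in docker/sentrypeer/docker-compose.yml is not visible to sentrypeer, so the probed host port is not recorded`. The `SSSSSSSSS` fraction in the `event_timestamp` pattern is accepted by the date filter but, as far as I know, only millisecond precision is retained, which deserves a one-line comment so nobody relies on sub-millisecond ordering of these events. The identical block added to docker/elk/logstash/dist/logstash.conf carries both points.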
@@ -494,31 +488,6 @@ filter {
 }
 }
-# Honeysap
- if [type] == "Honeysap" {
- date {
- match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
- remove_field => ["timestamp"]
- }
- mutate {
- rename => {
- "[data][error_msg]" => "event_type"
- "service" => "sensor"
- "source_port" => "src_port"
- "source_ip" => "src_ip"
- "target_port" => "dest_port"
- "target_ip" => "dest_ip"
- }
- remove_field => "event"
- remove_field => "return_code"
- }
- if [data] {
- mutate {
- remove_field => "[data]"
- }
- }
- }
-
 # Honeytrap
 if [type] == "Honeytrap" {
 date {
@@ -591,18 +560,6 @@ filter {
 }
 }
-# Rdpy
- if [type] == "Rdpy" {
- grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}", "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ] } }
- date {
- match => [ "timestamp", "ISO8601" ]
- remove_field => ["timestamp"]
- }
- mutate {
- add_field => { "dest_port" => "3389" }
- }
- }
-
 # Redishoneypot
 if [type] == "Redishoneypot" {
 date {
@@ -629,6 +586,21 @@ filter {
 }
 }
+# Sentrypeer
+ if [type] == "Sentrypeer" {
+ date {
+ match => [ "event_timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSSSSS" ]
+ remove_field => ["event_timestamp"]
+ }
+ mutate {
+ rename => {
+ "source_ip" => "src_ip"
+ "destination_ip" => "dest_ip"
+ }
+ add_field => { "dest_port" => "5060" }
+ }
+ }
+
 # Tanner
 if [type] == "Tanner" {
 date {
diff --git a/docker/elk/logstash/dist/tpot-template.json b/docker/elk/logstash/dist/tpot-template.json
index 5adfa01c..375f8d7d 100644
--- a/docker/elk/logstash/dist/tpot-template.json
+++ b/docker/elk/logstash/dist/tpot-template.json
@@ -10,7 +10,7 @@
 "limit": "2000"
 }
 },
- "refresh_interval": "1s",
+ "refresh_interval": "5s",
 "number_of_shards": "1",
 "number_of_replicas": "0",
 "query": {
diff --git a/docker/elk/logstash/docker-compose.yml b/docker/elk/logstash/docker-compose.yml
index 01eb454e..4e1a6e1f 100644
--- a/docker/elk/logstash/docker-compose.yml
+++ b/docker/elk/logstash/docker-compose.yml
@@ -15,7 +15,7 @@ services:
 env_file:
 - /opt/tpot/etc/compose/elk_environment
 ports:
- - "127.0.0.1:64305:80"
+ - "127.0.0.1:64305:64305"
 image: "dtagdevsec/logstash:2203"
 volumes:
 - /data:/data
diff --git a/docker/sentrypeer/docker-compose.yml b/docker/sentrypeer/docker-compose.yml
index e3645674..34b65579 100644
--- a/docker/sentrypeer/docker-compose.yml
+++ b/docker/sentrypeer/docker-compose.yml
@@ -13,7 +13,7 @@ services:
 networks:
 - sentrypeer_local
 ports:
- - "5060:5060/udp"
+ - "5060-5069:5060/udp"
 # - "127.0.0.1:8082:8082"
 image: "dtagdevsec/sentrypeer:2203"
 read_only: true
diff --git a/etc/compose/hive.yml b/etc/compose/hive.yml
index 85d3c14d..753164e0 100644
--- a/etc/compose/hive.yml
+++ b/etc/compose/hive.yml
@@ -59,7 +59,7 @@ services:
 env_file:
 - /opt/tpot/etc/compose/elk_environment
 ports:
- - "127.0.0.1:64305:80"
+ - "127.0.0.1:64305:64305"
 image: "dtagdevsec/logstash:2203"
 volumes:
 - /data:/data
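Review bot: `"5060-5069:5060/udp"` in docker/sentrypeer/docker-compose.yml pairs a host port range with a single container port, which, as far as I know, Docker treats as a pool to pick one dynamic host port from rather than as ten separate bindings, so after this change only one UDP port (normally 5060) would actually be published and 5061-5069 would stay closed, which is the opposite of the coverage the range suggests. Worth confirming with `docker port` on the running container before relying on it; if only one binding shows up, the mappings have to be listed explicitly, one host port per entry, as below. The `# - "127.0.0.1:8082:8082"` line, image and `read_only` setting are unchanged.
```yaml
    ports:
      - "5060:5060/udp"
      - "5061:5060/udp"
      - "5062:5060/udp"
      - "5063:5060/udp"
      - "5064:5060/udp"
      - "5065:5060/udp"
      - "5066:5060/udp"
      - "5067:5060/udp"
      - "5068:5060/udp"
      - "5069:5060/udp"
    # … unchanged: commented-out 8082 mapping, image, read_only …
```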