Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-05-15 20:58:09 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

tweaking, add sentrypeer to logstash config

Browse source
This commit is contained in:
t3chn0m4g3 2022-02-24 17:39:57 +00:00
parent aa6afc37fe
commit 5237215bf0
7 changed files with 49 additions and 105 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
docker/elk/logstash/dist/http_input.conf vendored
View file

@ -3,7 +3,7 @@ input {
http { http {
id => "tpot" id => "tpot"
host => "0.0.0.0" host => "0.0.0.0"
port => "80" port => "64305"
} }
} }

72
docker/elk/logstash/dist/http_output.conf vendored
View file

@ -119,13 +119,6 @@ input {
type => "Honeypots" type => "Honeypots"
} }
# Honeysap
file {
path => ["/data/honeysap/log/honeysap-external.log"]
codec => json
type => "Honeysap"
}
# Honeytrap # Honeytrap
file { file {
path => ["/data/honeytrap/log/attackers.json"] path => ["/data/honeytrap/log/attackers.json"]
@ -161,12 +154,6 @@ input {
type => "Medpot" type => "Medpot"
} }
# Rdpy
file {
path => ["/data/rdpy/log/rdpy.log"]
type => "Rdpy"
}
# Redishoneypot # Redishoneypot
file { file {
path => ["/data/redishoneypot/log/redishoneypot.log"] path => ["/data/redishoneypot/log/redishoneypot.log"]
@ -181,6 +168,13 @@ input {
type => "NGINX" type => "NGINX"
} }
# Sentrypeer
file {
path => ["/data/sentrypeer/log/sentrypeer.json"]
codec => json
type => "Sentrypeer"
}
# Tanner # Tanner
file { file {
path => ["/data/tanner/log/tanner_report.json"] path => ["/data/tanner/log/tanner_report.json"]
@ -494,31 +488,6 @@ filter {
} }
} }
# Honeysap
if [type] == "Honeysap" {
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
remove_field => ["timestamp"]
}
mutate {
rename => {
"[data][error_msg]" => "event_type"
"service" => "sensor"
"source_port" => "src_port"
"source_ip" => "src_ip"
"target_port" => "dest_port"
"target_ip" => "dest_ip"
}
remove_field => "event"
remove_field => "return_code"
}
if [data] {
mutate {
remove_field => "[data]"
}
}
}
# Honeytrap # Honeytrap
if [type] == "Honeytrap" { if [type] == "Honeytrap" {
date { date {
@ -591,18 +560,6 @@ filter {
} }
} }
# Rdpy
if [type] == "Rdpy" {
grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}", "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ] } }
date {
match => [ "timestamp", "ISO8601" ]
remove_field => ["timestamp"]
}
mutate {
add_field => { "dest_port" => "3389" }
}
}
# Redishoneypot # Redishoneypot
if [type] == "Redishoneypot" { if [type] == "Redishoneypot" {
date { date {
@ -629,6 +586,21 @@ filter {
} }
} }
# Sentrypeer
if [type] == "Sentrypeer" {
date {
match => [ "event_timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSSSSS" ]
remove_field => ["event_timestamp"]
}
mutate {
rename => {
"source_ip" => "src_ip"
"destination_ip" => "dest_ip"
}
add_field => { "dest_port" => "5060" }
}
}
# Tanner # Tanner
if [type] == "Tanner" { if [type] == "Tanner" {
date { date {

72
docker/elk/logstash/dist/logstash.conf vendored
View file

@ -119,13 +119,6 @@ input {
type => "Honeypots" type => "Honeypots"
} }
# Honeysap
file {
path => ["/data/honeysap/log/honeysap-external.log"]
codec => json
type => "Honeysap"
}
# Honeytrap # Honeytrap
file { file {
path => ["/data/honeytrap/log/attackers.json"] path => ["/data/honeytrap/log/attackers.json"]
@ -161,12 +154,6 @@ input {
type => "Medpot" type => "Medpot"
} }
# Rdpy
file {
path => ["/data/rdpy/log/rdpy.log"]
type => "Rdpy"
}
# Redishoneypot # Redishoneypot
file { file {
path => ["/data/redishoneypot/log/redishoneypot.log"] path => ["/data/redishoneypot/log/redishoneypot.log"]
@ -174,6 +161,13 @@ input {
type => "Redishoneypot" type => "Redishoneypot"
} }
# Sentrypeer
file {
path => ["/data/sentrypeer/log/sentrypeer.json"]
codec => json
type => "Sentrypeer"
}
# Host NGINX # Host NGINX
file { file {
path => ["/data/nginx/log/access.log"] path => ["/data/nginx/log/access.log"]
@ -494,31 +488,6 @@ filter {
} }
} }
# Honeysap
if [type] == "Honeysap" {
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
remove_field => ["timestamp"]
}
mutate {
rename => {
"[data][error_msg]" => "event_type"
"service" => "sensor"
"source_port" => "src_port"
"source_ip" => "src_ip"
"target_port" => "dest_port"
"target_ip" => "dest_ip"
}
remove_field => "event"
remove_field => "return_code"
}
if [data] {
mutate {
remove_field => "[data]"
}
}
}
# Honeytrap # Honeytrap
if [type] == "Honeytrap" { if [type] == "Honeytrap" {
date { date {
@ -591,18 +560,6 @@ filter {
} }
} }
# Rdpy
if [type] == "Rdpy" {
grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}", "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ] } }
date {
match => [ "timestamp", "ISO8601" ]
remove_field => ["timestamp"]
}
mutate {
add_field => { "dest_port" => "3389" }
}
}
# Redishoneypot # Redishoneypot
if [type] == "Redishoneypot" { if [type] == "Redishoneypot" {
date { date {
@ -629,6 +586,21 @@ filter {
} }
} }
# Sentrypeer
if [type] == "Sentrypeer" {
date {
match => [ "event_timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSSSSS" ]
remove_field => ["event_timestamp"]
}
mutate {
rename => {
"source_ip" => "src_ip"
"destination_ip" => "dest_ip"
}
add_field => { "dest_port" => "5060" }
}
}
# Tanner # Tanner
if [type] == "Tanner" { if [type] == "Tanner" {
date { date {

2
docker/elk/logstash/dist/tpot-template.json vendored
View file

@ -10,7 +10,7 @@
"limit": "2000" "limit": "2000"
} }
}, },
"refresh_interval": "1s", "refresh_interval": "5s",
"number_of_shards": "1", "number_of_shards": "1",
"number_of_replicas": "0", "number_of_replicas": "0",
"query": { "query": {

2
docker/elk/logstash/docker-compose.yml
View file

@ -15,7 +15,7 @@ services:
env_file: env_file:
- /opt/tpot/etc/compose/elk_environment - /opt/tpot/etc/compose/elk_environment
ports: ports:
- "127.0.0.1:64305:80" - "127.0.0.1:64305:64305"
image: "dtagdevsec/logstash:2203" image: "dtagdevsec/logstash:2203"
volumes: volumes:
- /data:/data - /data:/data

2
docker/sentrypeer/docker-compose.yml
View file

@ -13,7 +13,7 @@ services:
networks: networks:
- sentrypeer_local - sentrypeer_local
ports: ports:
- "5060:5060/udp" - "5060-5069:5060/udp"
# - "127.0.0.1:8082:8082" # - "127.0.0.1:8082:8082"
image: "dtagdevsec/sentrypeer:2203" image: "dtagdevsec/sentrypeer:2203"
read_only: true read_only: true

2
etc/compose/hive.yml
View file

@ -59,7 +59,7 @@ services:
env_file: env_file:
- /opt/tpot/etc/compose/elk_environment - /opt/tpot/etc/compose/elk_environment
ports: ports:
- "127.0.0.1:64305:80" - "127.0.0.1:64305:64305"
image: "dtagdevsec/logstash:2203" image: "dtagdevsec/logstash:2203"
volumes: volumes:
- /data:/data - /data:/data