tweaking, add sentrypeer to logstash config

This commit is contained in:
t3chn0m4g3 2022-02-24 17:39:57 +00:00
parent aa6afc37fe
commit 5237215bf0
7 changed files with 49 additions and 105 deletions


@ -3,7 +3,7 @@ input {
http {
id => "tpot"
host => "0.0.0.0"
port => "80"
port => "64305"
}
}


@ -119,13 +119,6 @@ input {
type => "Honeypots"
}
# Honeysap
file {
path => ["/data/honeysap/log/honeysap-external.log"]
codec => json
type => "Honeysap"
}
# Honeytrap
file {
path => ["/data/honeytrap/log/attackers.json"]
@ -161,12 +154,6 @@ input {
type => "Medpot"
}
# Rdpy
file {
path => ["/data/rdpy/log/rdpy.log"]
type => "Rdpy"
}
# Redishoneypot
file {
path => ["/data/redishoneypot/log/redishoneypot.log"]
@ -181,6 +168,13 @@ input {
type => "NGINX"
}
# Sentrypeer
file {
path => ["/data/sentrypeer/log/sentrypeer.json"]
codec => json
type => "Sentrypeer"
}
# Tanner
file {
path => ["/data/tanner/log/tanner_report.json"]
@ -494,31 +488,6 @@ filter {
}
}
# Honeysap
if [type] == "Honeysap" {
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
remove_field => ["timestamp"]
}
mutate {
rename => {
"[data][error_msg]" => "event_type"
"service" => "sensor"
"source_port" => "src_port"
"source_ip" => "src_ip"
"target_port" => "dest_port"
"target_ip" => "dest_ip"
}
remove_field => "event"
remove_field => "return_code"
}
if [data] {
mutate {
remove_field => "[data]"
}
}
}
# Honeytrap
if [type] == "Honeytrap" {
date {
@ -591,18 +560,6 @@ filter {
}
}
# Rdpy
if [type] == "Rdpy" {
grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}", "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ] } }
date {
match => [ "timestamp", "ISO8601" ]
remove_field => ["timestamp"]
}
mutate {
add_field => { "dest_port" => "3389" }
}
}
# Redishoneypot
if [type] == "Redishoneypot" {
date {
@ -629,6 +586,21 @@ filter {
}
}
# Sentrypeer
if [type] == "Sentrypeer" {
date {
match => [ "event_timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSSSSS" ]
remove_field => ["event_timestamp"]
}
mutate {
rename => {
"source_ip" => "src_ip"
"destination_ip" => "dest_ip"
}
add_field => { "dest_port" => "5060" }
}
}
# Tanner
if [type] == "Tanner" {
date {
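Review bot: The new Sentrypeer filter fixes the destination port with `add_field => { "dest_port" => "5060" }`, while the sentrypeer compose change in this same commit maps host ports 5060-5069 onto the container's single 5060, so every event will report dest_port 5060 no matter which of the ten exposed ports the client actually contacted; if that distinction matters for later analysis it cannot be recovered from these events, and a short comment stating the assumption would help, e.g. `# sentrypeer only listens on 5060 inside the container; host ports 5060-5069 are all NATed to it`. The `rename` block covers only `source_ip`/`destination_ip` — if the sentrypeer JSON also carries a source port field it stays under its original name and will not line up with the `src_port` convention the other filters use (compare the `source_port` => `src_port` rename in the Honeysap block being removed above); worth confirming against a sample log line. The identical filter block is added a second time in the second logstash config section of this commit, so the same points apply there.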


@ -119,13 +119,6 @@ input {
type => "Honeypots"
}
# Honeysap
file {
path => ["/data/honeysap/log/honeysap-external.log"]
codec => json
type => "Honeysap"
}
# Honeytrap
file {
path => ["/data/honeytrap/log/attackers.json"]
@ -161,12 +154,6 @@ input {
type => "Medpot"
}
# Rdpy
file {
path => ["/data/rdpy/log/rdpy.log"]
type => "Rdpy"
}
# Redishoneypot
file {
path => ["/data/redishoneypot/log/redishoneypot.log"]
@ -174,6 +161,13 @@ input {
type => "Redishoneypot"
}
# Sentrypeer
file {
path => ["/data/sentrypeer/log/sentrypeer.json"]
codec => json
type => "Sentrypeer"
}
# Host NGINX
file {
path => ["/data/nginx/log/access.log"]
@ -494,31 +488,6 @@ filter {
}
}
# Honeysap
if [type] == "Honeysap" {
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
remove_field => ["timestamp"]
}
mutate {
rename => {
"[data][error_msg]" => "event_type"
"service" => "sensor"
"source_port" => "src_port"
"source_ip" => "src_ip"
"target_port" => "dest_port"
"target_ip" => "dest_ip"
}
remove_field => "event"
remove_field => "return_code"
}
if [data] {
mutate {
remove_field => "[data]"
}
}
}
# Honeytrap
if [type] == "Honeytrap" {
date {
@ -591,18 +560,6 @@ filter {
}
}
# Rdpy
if [type] == "Rdpy" {
grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}", "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ] } }
date {
match => [ "timestamp", "ISO8601" ]
remove_field => ["timestamp"]
}
mutate {
add_field => { "dest_port" => "3389" }
}
}
# Redishoneypot
if [type] == "Redishoneypot" {
date {
@ -629,6 +586,21 @@ filter {
}
}
# Sentrypeer
if [type] == "Sentrypeer" {
date {
match => [ "event_timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSSSSS" ]
remove_field => ["event_timestamp"]
}
mutate {
rename => {
"source_ip" => "src_ip"
"destination_ip" => "dest_ip"
}
add_field => { "dest_port" => "5060" }
}
}
# Tanner
if [type] == "Tanner" {
date {


@ -10,7 +10,7 @@
"limit": "2000"
}
},
"refresh_interval": "1s",
"refresh_interval": "5s",
"number_of_shards": "1",
"number_of_replicas": "0",
"query": {


@ -15,7 +15,7 @@ services:
env_file:
- /opt/tpot/etc/compose/elk_environment
ports:
- "127.0.0.1:64305:80"
- "127.0.0.1:64305:64305"
image: "dtagdevsec/logstash:2203"
volumes:
- /data:/data


@ -13,7 +13,7 @@ services:
networks:
- sentrypeer_local
ports:
- "5060:5060/udp"
- "5060-5069:5060/udp"
# - "127.0.0.1:8082:8082"
image: "dtagdevsec/sentrypeer:2203"
read_only: true
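Review bot: The new mapping `- "5060-5069:5060/udp"` pairs a ten-port host range with a single container port, and in my understanding Docker treats that form as "bind the container port to one free host port from the range" rather than binding all ten; if so, only one of 5060-5069 would actually be reachable and the intent of widening the exposure would silently not be met. Verify the resulting bindings on a deployed host (`docker port <container>`) and, if only one port appears, list the mappings explicitly, e.g. `- "5060:5060/udp"`, `- "5061:5060/udp"`, and so on through 5069. Note also that only UDP is exposed; if SIP over TCP is expected by the sensor's purpose, a matching `/tcp` mapping is absent here.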


@ -59,7 +59,7 @@ services:
env_file:
- /opt/tpot/etc/compose/elk_environment
ports:
- "127.0.0.1:64305:80"
- "127.0.0.1:64305:64305"
image: "dtagdevsec/logstash:2203"
volumes:
- /data:/data