prepare for honeypy

bin/clean.sh

@@ -154,6 +154,14 @@ fuHERALDING () {
   chown tpot:tpot /data/heralding -R
 }
 
+# Let's create a function to clean up and prepare honeypy data
+fuHONEYPY () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypy/*; fi
+  mkdir -p /data/honeypy/log
+  chmod 760 /data/honeypy -R
+  chown tpot:tpot /data/honeypy -R
+}
+
 # Let's create a function to clean up and prepare honeytrap data
 fuHONEYTRAP () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeytrap/*; fi
@@ -258,6 +266,7 @@ if [ "$myPERSISTENCE" = "on" ];
     fuGLASTOPF
     fuGLUTTON
     fuHERALDING
+    fuHONEYPY
     fuHONEYTRAP
     fuMAILONEY
     fuMEDPOT

docker/elk/logstash/Dockerfile

@@ -4,7 +4,8 @@ FROM alpine
 ADD dist/ /root/dist/
 
 # Setup env and apt
-RUN apk -U add \
+RUN sed -i 's/dl-cdn/dl-4/g' /etc/apk/repositories && \
+    apk -U --no-cache add \
              bash \
              curl \
              git \

docker/elk/logstash/dist/logstash.conf

@@ -76,6 +76,13 @@ input {
     type => "Heralding"
   }
 
+# Honeypy
+  file {
+    path => ["/data/honeypy/log/json.log"]
+    codec => json
+    type => "Honeypy"
+  }
+
 # Honeytrap
   file {
     path => ["/data/honeytrap/log/attackers.json"]
@@ -266,6 +273,17 @@ filter {
     }
   }
 
+# Honeypy 
+  if [type] == "Honeypy" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+      remove_field => ["timestamp"]
+      remove_field => ["date"]
+      remove_field => ["time"]
+      remove_field => ["millisecond"]
+    }
+  }
+
 # Honeytrap
   if [type] == "Honeytrap" {
     date {
@@ -388,7 +406,7 @@ if "_grokparsefailure" in [tags] { drop {} }
   }
 
 # Add T-Pot hostname and external IP
-  if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Glastopf" or [type] == "Glutton" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
+  if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Glastopf" or [type] == "Glutton" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
     mutate {
       add_field => {
         "t-pot_ip_ext" => "${MY_EXTIP}"

docker/honeypy/Dockerfile

@@ -20,6 +20,14 @@ RUN sed -i 's/dl-cdn/dl-4/g' /etc/apk/repositories && \
 # Clone honeypy from git
     git clone --depth=1 https://github.com/foospidy/HoneyPy /opt/honeypy && \
     cd /opt/honeypy && \
+    sed -i 's/local_host/dest_ip/g' /opt/honeypy/loggers/file/honeypy_file.py && \
+    sed -i 's/local_port/dest_port/g' /opt/honeypy/loggers/file/honeypy_file.py && \
+    sed -i 's/remote_host/src_ip/g' /opt/honeypy/loggers/file/honeypy_file.py && \
+    sed -i 's/remote_port/src_port/g' /opt/honeypy/loggers/file/honeypy_file.py && \
+    sed -i 's/service/proto/g' /opt/honeypy/loggers/file/honeypy_file.py && \
+    sed -i 's/event/event_type/g' /opt/honeypy/loggers/file/honeypy_file.py && \
+    sed -i 's/bytes/size/g' /opt/honeypy/loggers/file/honeypy_file.py && \
+    sed -i 's/date_time/timestamp/g' /opt/honeypy/loggers/file/honeypy_file.py && \
     virtualenv env && \
     cp /root/dist/services.cfg /opt/honeypy/etc && \
     cp /root/dist/honeypy.cfg /opt/honeypy/etc && \
@@ -40,8 +48,6 @@ RUN sed -i 's/dl-cdn/dl-4/g' /etc/apk/repositories && \
     rm -rf /var/cache/apk/*
 
 # Set workdir and start mailoney
-#STOPSIGNAL SIGINT
 USER honeypy:honeypy
 WORKDIR /opt/honeypy
-#EXPOSE 7 8 23 24 25 69 80 123 2048 4096 5060 9200
 CMD ["/opt/honeypy/env/bin/python2", "/opt/honeypy/Honey.py", "-d"]

etc/logrotate/logrotate.conf

@@ -22,6 +22,7 @@
 /data/glutton/log/*.err
 /data/heralding/log/*.log
 /data/heralding/log/*.csv
+/data/honeypy/log/*.log
 /data/honeytrap/log/*.log
 /data/honeytrap/log/*.json
 /data/honeytrap/attacks.tgz

iso/installer/install.sh

@@ -751,6 +751,7 @@ mkdir -p /data/adbhoney/downloads /data/adbhoney/log \
          /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/ \
          /data/glutton/log \
          /data/heralding/log \
+         /data/honeypy/log \
          /data/mailoney/log \
          /data/medpot/log \
          /data/nginx/log \

update.sh

@@ -213,6 +213,7 @@ mkdir -p /data/adbhoney/downloads /data/adbhoney/log \
          /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/ \
          /data/glutton/log \
          /data/heralding/log \
+         /data/honeypy/log \
          /data/mailoney/log \
          /data/medpot/log \
          /data/nginx/log \