diff --git a/docker/ddospot/docker-compose.yml b/docker/ddospot/docker-compose.yml
index e95e03a7..cfeaf7db 100644
--- a/docker/ddospot/docker-compose.yml
+++ b/docker/ddospot/docker-compose.yml
@@ -16,7 +16,7 @@ services:
 - "19:19/udp"
 - "53:53/udp"
 - "123:123/udp"
- - "161:161/udp"
+# - "161:161/udp"
 - "1900:1900/udp"
 image: "dtagdevsec/ddospot:2006"
 read_only: true
diff --git a/docker/elk/elasticsearch/Dockerfile b/docker/elk/elasticsearch/Dockerfile
index 9926cb05..77b0253e 100644
--- a/docker/elk/elasticsearch/Dockerfile
+++ b/docker/elk/elasticsearch/Dockerfile
@@ -1,7 +1,7 @@
 FROM alpine:3.14
 #
 # VARS
-ENV ES_VER=7.13.4 \
+ENV ES_VER=7.14.1 \
 ES_JAVA_HOME=/usr/lib/jvm/java-16-openjdk
 # Include dist
diff --git a/docker/elk/kibana/Dockerfile b/docker/elk/kibana/Dockerfile
index 64e1273e..64b2b298 100644
--- a/docker/elk/kibana/Dockerfile
+++ b/docker/elk/kibana/Dockerfile
@@ -1,7 +1,7 @@
-FROM node:14.17.2-alpine
+FROM node:14.17.5-alpine3.14
 #
 # VARS
-ENV KB_VER=7.13.4
+ENV KB_VER=7.14.1
 #
 # Include dist
 ADD dist/ /root/dist/
diff --git a/docker/elk/logstash/Dockerfile b/docker/elk/logstash/Dockerfile
index 7df4c117..fd6817b3 100644
--- a/docker/elk/logstash/Dockerfile
+++ b/docker/elk/logstash/Dockerfile
@@ -1,7 +1,7 @@
 FROM alpine:3.14
 #
 # VARS
-ENV LS_VER=7.13.4
+ENV LS_VER=7.14.1
 # Include dist
 ADD dist/ /root/dist/
 #
diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf
index 8ba68d9d..90b3b308 100644
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@@ -314,6 +314,14 @@ filter {
 }
 }
+# Ddospot
+ if [type] == "Ddospot" {
+ date {
+ match => [ "time", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
+ remove_field => ["time"]
+ }
+ }
+
 # Dionaea
 if [type] == "Dionaea" {
 date {
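Review bot: The new side keeps the 161/udp mapping as a commented-out line (`#      - "161:161/udp"`) with no reason recorded, so the next reader cannot tell whether this is a temporary workaround or a permanent decision. Either delete the line or put a one-line comment above it, e.g. `# 161/udp (SNMP) not published: <reason / ticket>`. If the ddospot image still binds 161/udp inside the container, that listener is now unreachable from outside, which is presumably intended but worth stating in the same comment. The `ports:` list and the service definition begin before this hunk.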
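Review bot: The new Ddospot `date` block matches `time` against `yyyy-MM-dd HH:mm:ss.SSSSSS` but sets no `timezone`, so the resulting `@timestamp` depends on the zone the Logstash process runs in; if ddospot writes local time and the container runs in UTC (or the reverse) every Ddospot event is shifted by that offset. Add `timezone => "UTC"` (or whatever zone ddospot actually logs in — confirm against a sample line) next to `match`, consistent with whatever the other honeypot date blocks in this file do. Note also that `remove_field => ["time"]` only takes effect on a successful parse; a failed parse leaves `time` in place and tags the event `_dateparsefailure`, which the grok/json drop rules later in the file do not cover. The enclosing `filter {` block starts and ends outside this hunk.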
@@ -534,18 +542,20 @@ filter {
 # Drop if parse fails
 if "_grokparsefailure" in [tags] { drop {} }
+if "_jsonparsefailure" in [tags] { drop {} }
+
 # Add geo coordinates / ASN info / IP rep.
 if [src_ip] {
 geoip {
 cache_size => 10000
 source => "src_ip"
- database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.1.3-java/vendor/GeoLite2-City.mmdb"
+ database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.2-java/vendor/GeoLite2-City.mmdb"
 }
 geoip {
 cache_size => 10000
 source => "src_ip"
- database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.1.3-java/vendor/GeoLite2-ASN.mmdb"
+ database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.2-java/vendor/GeoLite2-ASN.mmdb"
 }
 translate {
 refresh_interval => 86400
@@ -576,6 +586,11 @@ if "_grokparsefailure" in [tags] { drop {} }
 convert => { "id" => "string" }
 }
 }
+ if [request] {
+ mutate {
+ convert => { "request" => "string" }
+ }
+ }
 # Add T-Pot hostname and external IP
 # if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dicompot" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeysap" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Ipphoney" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
diff --git a/etc/objects/elkbase.tgz b/etc/objects/elkbase.tgz
index b476bca3..41b566d8 100644
Binary files a/etc/objects/elkbase.tgz and b/etc/objects/elkbase.tgz differ
diff --git a/etc/objects/kibana-objects.tgz b/etc/objects/kibana-objects.tgz
index 438e2c00..efa7211b 100644
Binary files a/etc/objects/kibana-objects.tgz and b/etc/objects/kibana-objects.tgz differ
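Review bot: `if "_jsonparsefailure" in [tags] { drop {} }` silently discards every event whose JSON did not parse, so a honeypot log line that is truncated or malformed (by accident or by design) never reaches the index and leaves no trace beyond Logstash's own log; from a detection standpoint that is a blind spot rather than a cleanup. Consider keeping such events on a separate tag-only or dead-letter path, or at least counting them, so parse failures stay visible to whoever runs the sensor. A smaller point: both `database =>` paths now hard-code the plugin gem version `logstash-filter-geoip-7.2.2-java`, which will have to be edited again on the next plugin update; a comment naming the coupling, e.g. `# path tracks the geoip plugin version bundled with LS_VER — update together`, would make that explicit (the exact coupling is inferred, confirm it). The `filter {` block containing this hunk starts before it.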
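Review bot: The new `if [request] { mutate { convert => { "request" => "string" } } }` block carries no comment saying which honeypot type emits a non-string `request`; the `id` conversion just above suggests the motive is a consistent Elasticsearch field mapping, but a reader cannot confirm that from the file. Add a one-liner above the `if`, e.g. `# [request] arrives as a number from some honeypot types; force string so the field maps consistently (confirm which type)`. The `mutate` block for `id` is cut at the top of the hunk and the surrounding conditional starts outside it.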