tweaking, bump elastic stack to 7.14.1, rebuild dashboards

docker/ddospot/docker-compose.yml

@@ -16,7 +16,7 @@ services:
      - "19:19/udp"
      - "53:53/udp"
      - "123:123/udp"
-     - "161:161/udp"
+#     - "161:161/udp"
      - "1900:1900/udp"
     image: "dtagdevsec/ddospot:2006"
     read_only: true

docker/elk/elasticsearch/Dockerfile

@@ -1,7 +1,7 @@
 FROM alpine:3.14
 #
 # VARS
-ENV ES_VER=7.13.4 \
+ENV ES_VER=7.14.1 \
     ES_JAVA_HOME=/usr/lib/jvm/java-16-openjdk
 
 # Include dist

docker/elk/kibana/Dockerfile

@@ -1,7 +1,7 @@
-FROM node:14.17.2-alpine
+FROM node:14.17.5-alpine3.14
 #
 # VARS
-ENV KB_VER=7.13.4
+ENV KB_VER=7.14.1
 # 
 # Include dist
 ADD dist/ /root/dist/

docker/elk/logstash/Dockerfile

@@ -1,7 +1,7 @@
 FROM alpine:3.14
 #
 # VARS
-ENV LS_VER=7.13.4
+ENV LS_VER=7.14.1
 # Include dist
 ADD dist/ /root/dist/
 #

docker/elk/logstash/dist/logstash.conf

@@ -314,6 +314,14 @@ filter {
     }
   }
 
+# Ddospot
+  if [type] == "Ddospot" {
+    date {
+      match => [ "time", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
+      remove_field => ["time"]
+    }
+  }
+
 # Dionaea
   if [type] == "Dionaea" {
     date {
@@ -534,18 +542,20 @@ filter {
 
 # Drop if parse fails
 if "_grokparsefailure" in [tags] { drop {} }
+if "_jsonparsefailure" in [tags] { drop {} }
+
 
 # Add geo coordinates / ASN info / IP rep.
   if [src_ip]  {
     geoip {
       cache_size => 10000
       source => "src_ip"
-      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.1.3-java/vendor/GeoLite2-City.mmdb"
+      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.2-java/vendor/GeoLite2-City.mmdb"
     }
     geoip {
       cache_size => 10000
       source => "src_ip"
-      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.1.3-java/vendor/GeoLite2-ASN.mmdb"
+      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.2-java/vendor/GeoLite2-ASN.mmdb"
     }
     translate {
       refresh_interval => 86400
@@ -576,6 +586,11 @@ if "_grokparsefailure" in [tags] { drop {} }
         convert => { "id" => "string" }
     }
   }
+  if [request] {
+    mutate {
+        convert => { "request" => "string" }
+    }
+  }
 
 # Add T-Pot hostname and external IP
 #  if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dicompot" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeysap" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Ipphoney" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {