add honeysap logstash config
This commit is contained in:
parent
6ab87e684a
commit
a396356785
1 changed files with 34 additions and 2 deletions
36
docker/elk/logstash/dist/logstash.conf
36
docker/elk/logstash/dist/logstash.conf
|
@ -91,6 +91,13 @@ input {
|
|||
type => "Honeypy"
|
||||
}
|
||||
|
||||
# Honeysap
|
||||
file {
|
||||
path => ["/data/honeysap/log/honeysap-external.log"]
|
||||
codec => json
|
||||
type => "Honeysap"
|
||||
}
|
||||
|
||||
# Honeytrap
|
||||
file {
|
||||
path => ["/data/honeytrap/log/attackers.json"]
|
||||
|
@ -328,7 +335,7 @@ filter {
|
|||
}
|
||||
}
|
||||
|
||||
# Honeypy
|
||||
# Honeypy
|
||||
if [type] == "Honeypy" {
|
||||
date {
|
||||
match => [ "timestamp", "ISO8601" ]
|
||||
|
@ -339,6 +346,31 @@ filter {
|
|||
}
|
||||
}
|
||||
|
||||
# Honeysap
|
||||
if [type] == "Honeysap" {
|
||||
date {
|
||||
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
|
||||
remove_field => ["timestamp"]
|
||||
}
|
||||
mutate {
|
||||
rename => {
|
||||
"[data][error_msg]" => "event_type"
|
||||
"service" => "sensor"
|
||||
"source_port" => "src_port"
|
||||
"source_ip" => "src_ip"
|
||||
"target_port" => "dest_port"
|
||||
"target_ip" => "dest_ip"
|
||||
}
|
||||
remove_field => "event"
|
||||
remove_field => "return_code"
|
||||
}
|
||||
if [data] {
|
||||
mutate {
|
||||
remove_field => "[data]"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Honeytrap
|
||||
if [type] == "Honeytrap" {
|
||||
date {
|
||||
|
@ -457,7 +489,7 @@ if "_grokparsefailure" in [tags] { drop {} }
|
|||
}
|
||||
|
||||
# Add T-Pot hostname and external IP
|
||||
if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
|
||||
if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dicompot" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeysap" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
|
||||
mutate {
|
||||
add_field => {
|
||||
"t-pot_ip_ext" => "${MY_EXTIP}"
|
||||
|
|
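Review bot: The Honeysap `mutate` block in the third hunk lists `remove_field` twice (`remove_field => "event"` followed by `remove_field => "return_code"`); a repeated option key inside one plugin block is not guaranteed to apply both values and, depending on the Logstash version, one of them may silently win, so fold them into a single list: `remove_field => ["event", "return_code"]`. The `date` pattern `"yyyy-MM-dd HH:mm:ss.SSSSSS"` in the same hunk carries no zone token, so those timestamps will be interpreted in the JVM's default timezone unless the container's TZ is pinned; if the honeysap log writes UTC, add `timezone => "UTC"` so its events line up with the other sensors when correlating an attack across honeypots. In the last hunk the rewritten type list also adds `Dicompot`, which the commit title "add honeysap logstash config" does not mention — worth a line in the description or a separate commit so the history stays searchable.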