Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-05-06 23:28:55 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

prepare citrixhoneypot for ELK integration

Browse source
This commit is contained in:
t3chn0m4g3 2020-01-16 15:13:58 +00:00
parent a953542f8f
commit a6ed6613a5
4 changed files with 38 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
docker/elk/elasticsearch/Dockerfile
View file

@ -15,8 +15,8 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
# Get and install packages # Get and install packages
cd /root/dist/ && \ cd /root/dist/ && \
mkdir -p /usr/share/elasticsearch/ && \ mkdir -p /usr/share/elasticsearch/ && \
aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.8.2.tar.gz && \ aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.8.6.tar.gz && \
tar xvfz elasticsearch-6.8.2.tar.gz --strip-components=1 -C /usr/share/elasticsearch/ && \ tar xvfz elasticsearch-6.8.6.tar.gz --strip-components=1 -C /usr/share/elasticsearch/ && \
# #
# Add and move files # Add and move files
cd /root/dist/ && \ cd /root/dist/ && \

4
docker/elk/kibana/Dockerfile
View file

@ -12,8 +12,8 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
# Get and install packages # Get and install packages
cd /root/dist/ && \ cd /root/dist/ && \
mkdir -p /usr/share/kibana/ && \ mkdir -p /usr/share/kibana/ && \
aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/kibana/kibana-6.8.2-linux-x86_64.tar.gz && \ aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/kibana/kibana-6.8.6-linux-x86_64.tar.gz && \
tar xvfz kibana-6.8.2-linux-x86_64.tar.gz --strip-components=1 -C /usr/share/kibana/ && \ tar xvfz kibana-6.8.6-linux-x86_64.tar.gz --strip-components=1 -C /usr/share/kibana/ && \
# #
# Kibana's bundled node does not work in alpine # Kibana's bundled node does not work in alpine
rm /usr/share/kibana/node/bin/node && \ rm /usr/share/kibana/node/bin/node && \

4
docker/elk/logstash/Dockerfile
View file

@ -23,8 +23,8 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
bunzip2 *.bz2 && \ bunzip2 *.bz2 && \
cd /root/dist/ && \ cd /root/dist/ && \
mkdir -p /usr/share/logstash/ && \ mkdir -p /usr/share/logstash/ && \
aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/logstash/logstash-6.8.2.tar.gz && \ aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/logstash/logstash-6.8.6.tar.gz && \
tar xvfz logstash-6.8.2.tar.gz --strip-components=1 -C /usr/share/logstash/ && \ tar xvfz logstash-6.8.6.tar.gz --strip-components=1 -C /usr/share/logstash/ && \
/usr/share/logstash/bin/logstash-plugin install logstash-filter-translate && \ /usr/share/logstash/bin/logstash-plugin install logstash-filter-translate && \
/usr/share/logstash/bin/logstash-plugin install logstash-output-syslog && \ /usr/share/logstash/bin/logstash-plugin install logstash-output-syslog && \
# #

34
docker/elk/logstash/dist/logstash.conf vendored
View file

@ -36,6 +36,13 @@ input {
type => "Ciscoasa" type => "Ciscoasa"
} }
# CitrixHoneypot
file {
path => ["/data/citrixhoneypot/logs/server.log"]
codec => json
type => "CitrixHoneypot"
}
# Conpot # Conpot
file { file {
path => ["/data/conpot/log/*.json"] path => ["/data/conpot/log/*.json"]
@ -206,6 +213,29 @@ filter {
} }
} }
# CitrixHoneypot
if [type] == "CitrixHoneypot" {
grok {
match => {
"message" => [ "\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{JAVAMETHOD:method}%{SPACE}%{CISCO_REASON:fileinfo.state}: %{UNIXPATH:filename}",
"\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{JAVAMETHOD:method}%{SPACE}%{CISCO_REASON:fileinfo.state}: %{GREEDYDATA:payload}",
"\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{S3_REQUEST_LINE:msg} %{CISCO_REASON:filename.state}: %{GREEDYDATA:payload}",
"\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{GREEDYDATA:msg}" ]
}
}
date {
match => [ "asctime", "ISO8601" ]
remove_field => ["asctime"]
remove_field => ["message"]
}
mutate {
add_field => {
"dest_port" => "443"
}
}
}
# Conpot # Conpot
if [type] == "ConPot" { if [type] == "ConPot" {
date { date {
@ -417,7 +447,7 @@ if "_grokparsefailure" in [tags] { drop {} }
} }
# Add T-Pot hostname and external IP # Add T-Pot hostname and external IP
if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" { if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
mutate { mutate {
add_field => { add_field => {
"t-pot_ip_ext" => "${MY_EXTIP}" "t-pot_ip_ext" => "${MY_EXTIP}"
@ -443,7 +473,7 @@ output {
# } # }
#} #}
# Debug output # Debug output
#if [type] == "XYZ" { #if [type] == "CitrixHoneypot" {
# stdout { # stdout {
# codec => rubydebug # codec => rubydebug
# } # }