From b0339610a21f9a0c1203dcfdd23a4d201122c381 Mon Sep 17 00:00:00 2001 From: t3chn0m4g3 Date: Thu, 16 Dec 2021 20:25:40 +0000 Subject: [PATCH] Prep for Log4Pot integration --- bin/clean.sh | 9 + docker/elk/logstash/dist/logstash.conf | 21 +++ docker/log4pot/Dockerfile | 42 +++++ docker/log4pot/docker-compose.yml | 23 +++ etc/compose/log4j.yml | 237 +++++++++++++++++++++++++ iso/installer/install.sh | 17 +- update.sh | 1 + 7 files changed, 344 insertions(+), 6 deletions(-) create mode 100644 docker/log4pot/Dockerfile create mode 100644 docker/log4pot/docker-compose.yml create mode 100644 etc/compose/log4j.yml diff --git a/bin/clean.sh b/bin/clean.sh index f3538a4e..494e4575 100755 --- a/bin/clean.sh +++ b/bin/clean.sh @@ -237,6 +237,14 @@ fuIPPHONEY () { chown tpot:tpot /data/ipphoney -R } +# Let's create a function to clean up and prepare log4pot data +fuLOG4POT () { + if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/log4pot/*; fi + mkdir -p /data/log4pot/log + chmod 770 /data/log4pot -R + chown tpot:tpot /data/log4pot -R +} + # Let's create a function to clean up and prepare mailoney data fuMAILONEY () { if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi @@ -351,6 +359,7 @@ if [ "$myPERSISTENCE" = "on" ]; fuHONEYPY fuHONEYTRAP fuIPPHONEY + fuLOG4POT fuMAILONEY fuMEDPOT fuNGINX diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf index 0499e247..c464ee50 100644 --- a/docker/elk/logstash/dist/logstash.conf +++ b/docker/elk/logstash/dist/logstash.conf @@ -147,6 +147,13 @@ input { type => "Ipphoney" } +# Log4pot + file { + path => ["/data/log4pot/log/log4pot.log"] + codec => json + type => "Log4pot" + } + # Mailoney file { path => ["/data/mailoney/log/commands.log"] 
@@ -564,6 +571,20 @@ filter { } }
+# Log4pot
+ if [type] == "Log4pot" {
+ date {
+ match => [ "timestamp", "ISO8601" ]
+ }
+ mutate {
+ rename => {
+ "server_port" => "dest_port"
+ "port" => "src_port"
+ "client" => "src_ip"
+ }
+ }
+ }
+ # Mailoney if [type] == "Mailoney" { date {
diff --git a/docker/log4pot/Dockerfile b/docker/log4pot/Dockerfile
new file mode 100644
index 00000000..1626f7d8
--- /dev/null
+++ b/docker/log4pot/Dockerfile
@@ -0,0 +1,42 @@
+FROM alpine:3.14
+#
+# Install packages
+RUN apk -U add \
+ build-base \
+ cargo \
+ git \
+ libcap \
+ libffi-dev \
+ openssl-dev \
+ python3 \
+ python3-dev \
+ rust && \
+ apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing poetry && \
+#
+# Install log4pot from GitHub and setup
+ mkdir -p /opt /var/log/log4pot && \
+ cd /opt/ && \
+ git clone https://github.com/thomaspatzke/Log4Pot && \
+ cd Log4Pot && \
+ git checkout 4269bf4a91457328fb64c3e7941cb2f520e5e911 && \
+ sed -i 's#"type": logtype,#"reason": logtype,#g' log4pot.py && \
+ poetry install && \
+ setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
+#
+# Setup user, groups and configs
+ addgroup -g 2000 log4pot && \
+ adduser -S -H -s /bin/ash -u 2000 -D -g 2000 log4pot && \
+ chown log4pot:log4pot -R /opt/Log4Pot && \
+#
+# Clean up
+ apk del --purge build-base \
+ git \
+ python3-dev && \
+ rm -rf /root/* && \
+ rm -rf /var/cache/apk/*
+#
+# Start log4pot
+STOPSIGNAL SIGINT
+USER log4pot:log4pot
+WORKDIR /opt/Log4Pot/
+CMD ["/usr/bin/python3","log4pot.py","--port","8080","--log","/var/log/log4pot/log4pot.log"]
diff --git a/docker/log4pot/docker-compose.yml b/docker/log4pot/docker-compose.yml
new file mode 100644
index 00000000..5a6505c7
--- /dev/null
+++ b/docker/log4pot/docker-compose.yml
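Review bot: This branch only matches if the decoded JSON carries no `type` key of its own — as far as I recall the file input's `type => "Log4pot"` does not override a `type` that is already present in the event — and the patch guarantees that only through the `sed` in docker/log4pot/Dockerfile that rewrites Log4Pot's `"type": logtype` to `"reason"`. That coupling is invisible from logstash.conf and will break silently if the image is rebuilt without the sed or Log4Pot changes the field, so record it next to the block, e.g. `# Log4Pot's own "type" key is renamed to "reason" at image build time (docker/log4pot/Dockerfile); if it leaks through, the input type is overwritten and this branch never matches.` The enclosing `filter { }` block starts and ends outside the hunk.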
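Review bot: `setcap cap_net_bind_service=+ep /usr/bin/python3.9` hands the whole interpreter the right to bind ports below 1024, yet the CMD listens on `--port 8080` and the docker-compose.yml in this patch maps 80/443/9200 onto 8080, so the file capability is never exercised and only widens what any Python process in this container can do — drop that line (and `libcap`, which is only there for it). Separately, busybox `adduser -g` sets the GECOS field rather than the group, so `-g 2000` does not attach the user to the `log4pot` group created on the previous line; `adduser -S -H -s /bin/ash -u 2000 -D -G log4pot log4pot` makes the intended membership explicit, and `id log4pot` in the built image is worth checking either way. `poetry` is also pulled from `edge/testing` into a 3.14 image with no version pin, so the build is not reproducible and may drag in edge dependencies; pinning the package version (or a pinned `pip install poetry==…`) would fix that, and `cargo`, `rust`, `libffi-dev` and `openssl-dev` could join the `apk del` list once the wheels are built if, as it appears, nothing at runtime needs them.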
@@ -0,0 +1,23 @@
+version: '2.3'
+
+networks:
+ log4pot_local:
+
+services:
+
+# Log4pot service
+ log4pot:
+ build: .
+ container_name: log4pot
+ restart: always
+ networks:
+ - log4pot_local
+ ports:
+ - "80:8080"
+ - "443:8080"
+ - "8080:8080"
+ - "9200:8080"
+ image: "dtagdevsec/log4pot:2006"
+ read_only: true
+ volumes:
+ - /data/log4pot/log:/var/log/log4pot
diff --git a/etc/compose/log4j.yml b/etc/compose/log4j.yml
new file mode 100644
index 00000000..79844ae8
--- /dev/null
+++ b/etc/compose/log4j.yml
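Review bot: The `log4pot` service runs with Docker's default capability set and without `no-new-privileges`, so the `cap_net_bind_service=+ep` file capability the Dockerfile in this patch puts on `/usr/bin/python3.9` is honoured when the process starts even though it only binds 8080; add `cap_drop: [ALL]` and `security_opt: ["no-new-privileges:true"]` under `log4pot:` so a compromised honeypot process can neither pick up that capability nor escalate through setuid or file-capability binaries in the image. Both settings sit comfortably next to the `read_only: true` and single bind mount already declared. The same service definition is duplicated in etc/compose/log4j.yml and would want the same two lines.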
@@ -0,0 +1,237 @@
+# T-Pot (Log4j)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+ cyberchef_local:
+ log4pot_local:
+ ewsposter_local:
+ spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# Log4pot service
+ log4pot:
+ container_name: log4pot
+ restart: always
+ networks:
+ - log4pot_local
+ ports:
+ - "80:8080"
+ - "443:8080"
+ - "8080:8080"
+ - "9200:8080"
+ image: "dtagdevsec/log4pot:2006"
+ read_only: true
+ volumes:
+ - /data/log4pot/log:/var/log/log4pot
+
+# Honeytrap service
+ honeytrap:
+ container_name: honeytrap
+ restart: always
+ tmpfs:
+ - /tmp/honeytrap:uid=2000,gid=2000
+ network_mode: "host"
+ cap_add:
+ - NET_ADMIN
+ image: "dtagdevsec/honeytrap:2006"
+ read_only: true
+ volumes:
+ - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
+ - /data/honeytrap/downloads:/opt/honeytrap/var/downloads
+ - /data/honeytrap/log:/opt/honeytrap/var/log
+
+
+##################
+#### NSM
+##################
+
+# Fatt service
+ fatt:
+ container_name: fatt
+ restart: always
+ network_mode: "host"
+ cap_add:
+ - NET_ADMIN
+ - SYS_NICE
+ - NET_RAW
+ image: "dtagdevsec/fatt:2006"
+ volumes:
+ - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+ p0f:
+ container_name: p0f
+ restart: always
+ network_mode: "host"
+ image: "dtagdevsec/p0f:2006"
+ read_only: true
+ volumes:
+ - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+ suricata:
+ container_name: suricata
+ restart: always
+ environment:
+ # For ET Pro ruleset replace "OPEN" with your OINKCODE
+ - OINKCODE=OPEN
+ network_mode: "host"
+ cap_add:
+ - NET_ADMIN
+ - SYS_NICE
+ - NET_RAW
+ image: "dtagdevsec/suricata:2006"
+ volumes:
+ - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+# Cyberchef service
+ cyberchef:
+ container_name: cyberchef
+ restart: always
+ networks:
+ - cyberchef_local
+ ports:
+ - 
"127.0.0.1:64299:8000" + image: "dtagdevsec/cyberchef:2006" + read_only: true + +#### ELK +## Elasticsearch service + elasticsearch: + container_name: elasticsearch + restart: always + environment: + - bootstrap.memory_lock=true +# - ES_JAVA_OPTS=-Xms2048m -Xmx2048m + - ES_TMPDIR=/tmp + cap_add: + - IPC_LOCK + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 +# mem_limit: 4g + ports: + - "127.0.0.1:64298:9200" + image: "dtagdevsec/elasticsearch:2006" + volumes: + - /data:/data + +## Kibana service + kibana: + container_name: kibana + restart: always + depends_on: + elasticsearch: + condition: service_healthy + ports: + - "127.0.0.1:64296:5601" + image: "dtagdevsec/kibana:2006" + +## Logstash service + logstash: + container_name: logstash + restart: always +# environment: +# - LS_JAVA_OPTS=-Xms2048m -Xmx2048m + depends_on: + elasticsearch: + condition: service_healthy + env_file: + - /opt/tpot/etc/compose/elk_environment + image: "dtagdevsec/logstash:2006" + volumes: + - /data:/data + +## Elasticsearch-head service + head: + container_name: head + restart: always + depends_on: + elasticsearch: + condition: service_healthy + ports: + - "127.0.0.1:64302:9100" + image: "dtagdevsec/head:2006" + read_only: true + +# Ewsposter service + ewsposter: + container_name: ewsposter + restart: always + networks: + - ewsposter_local + environment: + - EWS_HPFEEDS_ENABLE=false + - EWS_HPFEEDS_HOST=host + - EWS_HPFEEDS_PORT=port + - EWS_HPFEEDS_CHANNELS=channels + - EWS_HPFEEDS_IDENT=user + - EWS_HPFEEDS_SECRET=secret + - EWS_HPFEEDS_TLSCERT=false + - EWS_HPFEEDS_FORMAT=json + env_file: + - /opt/tpot/etc/compose/elk_environment + image: "dtagdevsec/ewsposter:2006" + volumes: + - /data:/data + - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip + +# Nginx service + nginx: + container_name: nginx + restart: always + environment: + ### If set to YES all changes within Heimdall will remain for the next start + ### Make sure to uncomment the corresponding volume 
statements below, or the setting will prevent a successful start of T-Pot.
+ - HEIMDALL_PERSIST=NO
+ tmpfs:
+ - /var/tmp/nginx/client_body
+ - /var/tmp/nginx/proxy
+ - /var/tmp/nginx/fastcgi
+ - /var/tmp/nginx/uwsgi
+ - /var/tmp/nginx/scgi
+ - /run
+ - /var/log/php7/
+ - /var/lib/nginx/tmp:uid=100,gid=82
+ - /var/lib/nginx/html/storage/logs:uid=100,gid=82
+ - /var/lib/nginx/html/storage/framework/views:uid=100,gid=82
+ network_mode: "host"
+ ports:
+ - "64297:64297"
+ - "127.0.0.1:64304:64304"
+ image: "dtagdevsec/nginx:2006"
+ read_only: true
+ volumes:
+ - /data/nginx/cert/:/etc/nginx/cert/:ro
+ - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+ - /data/nginx/log/:/var/log/nginx/
+ ### Enable the following volumes if you set HEIMDALL_PERSIST=YES
+ # - /data/nginx/heimdall/database:/var/lib/nginx/html/database
+ # - /data/nginx/heimdall/storage:/var/lib/nginx/html/storage
+
+# Spiderfoot service
+ spiderfoot:
+ container_name: spiderfoot
+ restart: always
+ networks:
+ - spiderfoot_local
+ ports:
+ - "127.0.0.1:64303:8080"
+ image: "dtagdevsec/spiderfoot:2006"
+ volumes:
+ - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db
diff --git a/iso/installer/install.sh b/iso/installer/install.sh
index f7ac3917..3d30a8d5 100755
--- a/iso/installer/install.sh
+++ b/iso/installer/install.sh
@@ -731,6 +735,10 @@ case $myCONF_TPOT_FLAVOR in
 fuBANNER "STANDARD"
 ln -s /opt/tpot/etc/compose/standard.yml $myTPOTCOMPOSE
 ;;
+ LOG4J)
+ fuBANNER "LOG4J"
+ ln -s /opt/tpot/etc/compose/log4j.yml $myTPOTCOMPOSE
+ ;;
 SENSOR)
 fuBANNER "SENSOR"
 ln -s /opt/tpot/etc/compose/sensor.yml $myTPOTCOMPOSE
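Review bot: `"443:8080"` under the `log4pot` service sends TLS clients to the same plain-HTTP listener as port 80, so unless Log4Pot at the pinned commit terminates TLS on that socket itself, an HTTPS scanner fails the handshake before it ever sends the JNDI payload and nothing reaches the log for one of the most-probed ports; verify with `curl -k https://<host>/` against the built image and either drop the mapping or front it with a TLS terminator. `"9200:8080"` is fine as it stands because Elasticsearch probes are plain HTTP anyway. This hunk is the whole new file, so the point applies to the duplicate service definition in docker/log4pot/docker-compose.yml as well.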
@@ -807,28 +811,29 @@ mkdir -vp /data/adbhoney/{downloads,log} \
 /data/conpot/log \
 /data/citrixhoneypot/logs \
 /data/cowrie/{downloads,keys,misc,log,log/tty} \
- /data/ddospot/{bl,db,log} \
- /data/dicompot/{images,log} \
+ /data/ddospot/{bl,db,log} \
+ /data/dicompot/{images,log} \
 /data/dionaea/{log,bistreams,binaries,rtp,roots,roots/ftp,roots/tftp,roots/www,roots/upnp} \
 /data/elasticpot/log \
 /data/elk/{data,log} \
- /data/endlessh/log \
+ /data/endlessh/log \
 /data/fatt/log \
 /data/honeytrap/{log,attacks,downloads} \
 /data/glutton/log \
- /data/hellpot/log \
+ /data/hellpot/log \
 /data/heralding/log \
 /data/honeypots/log \
 /data/honeypy/log \
 /data/honeysap/log \
- /data/ipphoney/log \
+ /data/ipphoney/log \
+ /data/log4pot/log \
 /data/mailoney/log \
 /data/medpot/log \
 /data/nginx/{log,heimdall} \
 /data/emobility/log \
 /data/ews/conf \
 /data/rdpy/log \
- /data/redishoneypot/log \
+ /data/redishoneypot/log \
 /data/spiderfoot \
 /data/suricata/log \
 /data/tanner/{log,files} \
diff --git a/update.sh b/update.sh
index 8b1aa432..9e116f21 100755
--- a/update.sh
+++ b/update.sh
@@ -243,6 +243,7 @@ mkdir -vp /data/adbhoney/{downloads,log} \
 /data/honeypy/log \
 /data/honeysap/log \
 /data/ipphoney/log \
+ /data/log4pot/log \
 /data/mailoney/log \
 /data/medpot/log \
 /data/nginx/{log,heimdall} \