Merge branch 'master' into terraform-otc

2025-07-01 12:32:12 +00:00 · 2021-02-04 22:57:41 +01:00 · 2021-02-04 22:57:41 +01:00 · b214bed014
commit b214bed014
parent bde60734ea c60d53ca3f
100 changed files with 604 additions and 586 deletions
--- a/.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md
+++ b/.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md
@ -7,6 +7,8 @@ assignees: ''

 ---

+🗨️ Please post your questions in [Discussions](https://github.com/telekom-security/tpotce/discussions) and keep the issues for **issues**. Thank you 😁.<br>
+
 Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue.

 - 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,15 @@
 # Changelog

+## 20200904
+- **Release T-Pot 20.06.1**
+  - Github offers a free Docker Container Registry for public packages. For our Open Source projects we want to make sure to have everything in one place and thus moving from Docker Hub to the GitHub Container Registry.
+- **Bump Elastic Stack**
+  - Update the Elastic Stack to 7.9.1.
+- **Rebuild Images**
+  - All docker images were rebuilt based on the latest (and stable running) versions of the tools and honeypots and have been pinned to specific Alpine / Debian versions and git commits so rebuilds will less likely fail.
+- **Cleaning up**
+  - Clean up old references and links.
+
 ## 20200630
 - **Release T-Pot 20.06**
  - After 4 months of public testing with the NextGen edition T-Pot 20.06 can finally be released.
@ -51,7 +61,7 @@
 - **Update ISO image to fix upstream bug of missing kernel modules**
 - **Include dashboards for CitrixHoneypot**
  - Please run `/opt/tpot/update.sh` for the necessary modifications, omit the reboot and run `/opt/tpot/bin/tped.sh` to (re-)select the NextGen installation type.
-  - This update requires the latest Kibana objects as well. Download the latest from https://raw.githubusercontent.com/dtag-dev-sec/tpotce/master/etc/objects/kibana_export.json.zip, unzip and import the objects within Kibana WebUI > Management > Saved Objects > Export / Import". All objects will be overwritten upon import, make sure to run an export first.
+  - This update requires the latest Kibana objects as well. Download the latest from https://raw.githubusercontent.com/telekom-security/tpotce/master/etc/objects/kibana_export.json.zip, unzip and import the objects within Kibana WebUI > Management > Saved Objects > Export / Import". All objects will be overwritten upon import, make sure to run an export first.

 ## 20200115
 - **Prepare integration of CitrixHoneypot**
--- a/README.md
+++ b/README.md
@ -40,7 +40,7 @@ Furthermore T-Pot includes the following tools

 # TL;DR
 1. Meet the [system requirements](#requirements). The T-Pot installation needs at least 8 GB RAM and 128 GB free disk space as well as a working (outgoing non-filtered) internet connection.
-2. Download the T-Pot ISO from [GitHub](https://github.com/dtag-dev-sec/tpotce/releases) or [create it yourself](#createiso).
+2. Download the T-Pot ISO from [GitHub](https://github.com/telekom-security/tpotce/releases) or [create it yourself](#createiso).
 3. Install the system in a [VM](#vm) or on [physical hardware](#hw) with [internet access](#placement).
 4. Enjoy your favorite beverage - [watch](https://sicherheitstacho.eu) and [analyze](#kibana).

@ -132,7 +132,7 @@ The T-Pot project provides all the tools and documentation necessary to build yo

 The source code and configuration files are fully stored in the T-Pot GitHub repository. The docker images are preconfigured for the T-Pot environment. If you want to run the docker images separately, make sure you study the docker-compose configuration (`/opt/tpot/etc/tpot.yml`) and the T-Pot systemd script (`/etc/systemd/system/tpot.service`), as they provide a good starting point for implementing changes.

-The individual docker configurations are located in the [docker folder](https://github.com/dtag-dev-sec/tpotce/tree/master/docker).
+The individual docker configurations are located in the [docker folder](https://github.com/telekom-security/tpotce/tree/master/docker).

 <a name="requirements"></a>
 # System Requirements
@ -183,18 +183,18 @@ There are prebuilt installation types available each focussing on different aspe
 # Installation
 The installation of T-Pot is straight forward and heavily depends on a working, transparent and non-proxied up and running internet connection. Otherwise the installation **will fail!**

-Firstly, decide if you want to download the prebuilt installation ISO image from [GitHub](https://github.com/dtag-dev-sec/tpotce/releases), [create it yourself](#createiso) ***or*** [post-install on an existing Debian 10 (Buster)](#postinstall).
+Firstly, decide if you want to download the prebuilt installation ISO image from [GitHub](https://github.com/telekom-security/tpotce/releases), [create it yourself](#createiso) ***or*** [post-install on an existing Debian 10 (Buster)](#postinstall).

 Secondly, decide where you the system to run: [real hardware](#hardware) or in a [virtual machine](#vm)?

 <a name="prebuilt"></a>
 ## Prebuilt ISO Image
-An installation ISO image is available for download (~50MB), which is created by the [ISO Creator](https://github.com/dtag-dev-sec/tpotce) you can use yourself in order to create your own image. It will basically just save you some time downloading components and creating the ISO image.
-You can download the prebuilt installation ISO from [GitHub](https://github.com/dtag-dev-sec/tpotce/releases) and jump to the [installation](#vm) section.
+An installation ISO image is available for download (~50MB), which is created by the [ISO Creator](https://github.com/telekom-security/tpotce) you can use yourself in order to create your own image. It will basically just save you some time downloading components and creating the ISO image.
+You can download the prebuilt installation ISO from [GitHub](https://github.com/telekom-security/tpotce/releases) and jump to the [installation](#vm) section.

 <a name="createiso"></a>
 ## Create your own ISO Image
-For transparency reasons and to give you the ability to customize your install you use the [ISO Creator](https://github.com/dtag-dev-sec/tpotce) that enables you to create your own ISO installation image.
+For transparency reasons and to give you the ability to customize your install you use the [ISO Creator](https://github.com/telekom-security/tpotce) that enables you to create your own ISO installation image.

 **Requirements to create the ISO image:**
 - Debian 10 as host system (others *may* work, but *remain* untested)
@ -206,7 +206,7 @@ For transparency reasons and to give you the ability to customize your install y

 1. Clone the repository and enter it.
 ```
-git clone https://github.com/dtag-dev-sec/tpotce
+git clone https://github.com/telekom-security/tpotce
 cd tpotce
 ```
 2. Run the `makeiso.sh` script to build the ISO image.
@ -237,7 +237,7 @@ You can now jump [here](#firstrun).
 If you decide to run T-Pot on dedicated hardware, just follow these steps:

 1. Burn a CD from the ISO image or make a bootable USB stick using the image. <br>
-Whereas most CD burning tools allow you to burn from ISO images, the procedure to create a bootable USB stick from an ISO image depends on your system. There are various Windows GUI tools available, e.g. [this tip](http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows) might help you.<br> On [Linux](http://askubuntu.com/questions/59551/how-to-burn-a-iso-to-a-usb-device) or [MacOS](http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-mac-osx) you can use the tool *dd* or create the USB stick with T-Pot's [ISO Creator](https://github.com/dtag-dev-sec).
+Whereas most CD burning tools allow you to burn from ISO images, the procedure to create a bootable USB stick from an ISO image depends on your system. There are various Windows GUI tools available, e.g. [this tip](http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows) might help you.<br> On [Linux](http://askubuntu.com/questions/59551/how-to-burn-a-iso-to-a-usb-device) or [MacOS](http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-mac-osx) you can use the tool *dd* or create the USB stick with T-Pot's [ISO Creator](https://github.com/telekom-security).
 2. Boot from the USB stick and install.

 *Please note*: Limited tests are performed for the Intel NUC platform other hardware platforms **remain untested**. There is no hardware support provided of any kind.
@ -255,7 +255,7 @@ The T-Pot Universal Installer will upgrade the system and install all required T
 Just follow these steps:

 ```
-git clone https://github.com/dtag-dev-sec/tpotce
+git clone https://github.com/telekom-security/tpotce
 cd tpotce/iso/installer/
 ./install.sh --type=user
 ```
@ -269,7 +269,7 @@ You can also let the installer run automatically if you provide your own `tpot.c
 Just follow these steps while adjusting `tpot.conf` to your needs:

 ```
-git clone https://github.com/dtag-dev-sec/tpotce
+git clone https://github.com/telekom-security/tpotce
 cd tpotce/iso/installer/
 cp tpot.conf.dist tpot.conf
 ./install.sh --type=auto --conf=tpot.conf
@ -436,7 +436,7 @@ You may opt out of the submission by removing the `# Ewsposter service` from `/o
    restart: always
    networks:
     - ewsposter_local
-    image: "dtagdevsec/ewsposter:2006"
+    image: "ghcr.io/telekom-security/ewsposter:2006"
    volumes:
     - /data:/data
     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
@ -466,7 +466,7 @@ As with every development there is always room for improvements ...

 Some features may be provided with updated docker images, others may require some hands on from your side.

-You are always invited to participate in development on our [GitHub](https://github.com/dtag-dev-sec/tpotce) page.
+You are always invited to participate in development on our [GitHub](https://github.com/telekom-security/tpotce) page.

 <a name="disclaimer"></a>
 # Disclaimer
@ -478,18 +478,18 @@ You are always invited to participate in development on our [GitHub](https://git

 <a name="faq"></a>
 # FAQ
-Please report any issues or questions on our [GitHub issue list](https://github.com/dtag-dev-sec/tpotce/issues), so the community can participate.
+Please report any issues or questions on our [GitHub issue list](https://github.com/telekom-security/tpotce/issues), so the community can participate.

 <a name="contact"></a>
 # Contact
 The software is provided **as is** in a Community Edition format. T-Pot is designed to run out of the box and with zero maintenance involved. <br>
-We hope you understand that we cannot provide support on an individual basis. We will try to address questions, bugs and problems on our [GitHub issue list](https://github.com/dtag-dev-sec/tpotce/issues).
+We hope you understand that we cannot provide support on an individual basis. We will try to address questions, bugs and problems on our [GitHub issue list](https://github.com/telekom-security/tpotce/issues).

 <a name="licenses"></a>
 # Licenses
 The software that T-Pot is built on uses the following licenses.
 <br>GPLv2: [conpot](https://github.com/mushorg/conpot/blob/master/LICENSE.txt), [dionaea](https://github.com/DinoTools/dionaea/blob/master/LICENSE), [honeysap](https://github.com/SecureAuthCorp/HoneySAP/blob/master/COPYING), [honeypy](https://github.com/foospidy/HoneyPy/blob/master/LICENSE), [honeytrap](https://github.com/armedpot/honeytrap/blob/master/LICENSE), [suricata](http://suricata-ids.org/about/open-source/)
-<br>GPLv3: [adbhoney](https://github.com/huuck/ADBHoney), [elasticpot](https://gitlab.com/bontchev/elasticpot/-/blob/master/LICENSE), [ewsposter](https://github.com/dtag-dev-sec/ews/), [fatt](https://github.com/0x4D31/fatt/blob/master/LICENSE), [rdpy](https://github.com/citronneur/rdpy/blob/master/LICENSE), [heralding](https://github.com/johnnykv/heralding/blob/master/LICENSE.txt), [ipphoney](https://gitlab.com/bontchev/ipphoney/-/blob/master/LICENSE), [snare](https://github.com/mushorg/snare/blob/master/LICENSE), [tanner](https://github.com/mushorg/snare/blob/master/LICENSE)
+<br>GPLv3: [adbhoney](https://github.com/huuck/ADBHoney), [elasticpot](https://gitlab.com/bontchev/elasticpot/-/blob/master/LICENSE), [ewsposter](https://github.com/telekom-security/ews/), [fatt](https://github.com/0x4D31/fatt/blob/master/LICENSE), [rdpy](https://github.com/citronneur/rdpy/blob/master/LICENSE), [heralding](https://github.com/johnnykv/heralding/blob/master/LICENSE.txt), [ipphoney](https://gitlab.com/bontchev/ipphoney/-/blob/master/LICENSE), [snare](https://github.com/mushorg/snare/blob/master/LICENSE), [tanner](https://github.com/mushorg/snare/blob/master/LICENSE)
 <br>Apache 2 License: [cyberchef](https://github.com/gchq/CyberChef/blob/master/LICENSE), [dicompot](https://github.com/nsmfoo/dicompot/blob/master/LICENSE), [elasticsearch](https://github.com/elasticsearch/elasticsearch/blob/master/LICENSE.txt), [logstash](https://github.com/elasticsearch/logstash/blob/master/LICENSE), [kibana](https://github.com/elasticsearch/kibana/blob/master/LICENSE.md), [docker](https://github.com/docker/docker/blob/master/LICENSE), [elasticsearch-head](https://github.com/mobz/elasticsearch-head/blob/master/LICENCE)
 <br>MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE)
 <br> Other: [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot#licencing-agreement-malwaretech-public-licence), [cowrie](https://github.com/micheloosterhof/cowrie/blob/master/LICENSE.md), [mailoney](https://github.com/awhitehatter/mailoney), [Debian licensing](https://www.debian.org/legal/licenses/)
--- a/bin/change_ews_config.sh
+++ b/bin/change_ews_config.sh
@ -60,7 +60,7 @@ fi
 echo ""
 echo "[+] Creating config file with API UserID '$apiUser' and API Token '$apiToken'."
 echo "[+] Fetching config file from github. Outgoing https requests must be enabled!"
-wget -q https://raw.githubusercontent.com/dtag-dev-sec/tpotce/master/docker/ews/dist/ews.cfg -O ews.cfg.dist 
+wget -q https://raw.githubusercontent.com/telekom-security/tpotce/master/docker/ews/dist/ews.cfg -O ews.cfg.dist 
 if [[ -f "ews.cfg.dist" ]]; then
 	echo "[+] Successfully downloaded ews.cfg from github."
 else 
--- a/bin/updateip.sh
+++ b/bin/updateip.sh
@ -2,6 +2,7 @@
 # Let's add the first local ip to the /etc/issue and external ip to ews.ip file
 # If the external IP cannot be detected, the internal IP will be inherited.
 source /etc/environment
+myUUID=$(lsblk -o MOUNTPOINT,UUID | grep "/" | awk '{ print $2 }')
 myLOCALIP=$(hostname -I | awk '{ print $1 }')
 myEXTIP=$(/opt/tpot/bin/myip.sh)
 if [ "$myEXTIP" = "" ];
@ -26,6 +27,7 @@ tee /data/ews/conf/ews.ip << EOF
 ip = $myEXTIP
 EOF
 tee /opt/tpot/etc/compose/elk_environment << EOF
+HONEY_UUID=$myUUID
 MY_EXTIP=$myEXTIP
 MY_INTIP=$myLOCALIP
 MY_HOSTNAME=$HOSTNAME
--- a/cloud/ansible/README.md
+++ b/cloud/ansible/README.md
@ -36,6 +36,8 @@ Ansible works over the SSH Port, so you don't have to add any special rules to y

 <a name="ansible"></a>
 ## Ansible Installation
+:warning: Ansible 2.10 or newer is required!
+
 Example for Ubuntu 18.04:  

 At first we update the system:  
@ -48,6 +50,12 @@ Then we need to add the repository and install Ansible:

 For other OSes and Distros have a look at the official [Ansible Documentation](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html).

+If your OS does not offer a recent version of Ansible (>= 2.10) you should consider [installing Ansible with pip](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-with-pip).  
+In short (if you already have Python3/pip3 installed):
+```
+pip3 install ansible
+```
+
 <a name="agent-forwarding"></a>
 ## Agent Forwarding
 If you run the Ansible Playbook remotely on your Ansible Master Server, Agent Forwarding must be enabled in order to let Ansible connect to newly created machines.  
@ -96,7 +104,7 @@ Import your SSH public key.
 <a name="clone-git"></a>
 # Clone Git Repository
 Clone the `tpotce` repository to your Ansible Master:  
-`git clone https://github.com/dtag-dev-sec/tpotce.git`  
+`git clone https://github.com/telekom-security/tpotce.git`  
 All Ansible related files are located in the [`cloud/ansible/openstack`](openstack) folder.

 <a name="settings"></a>
@ -160,14 +168,6 @@ Here you can choose:
  - a username for the web interface
  - a password for the web interface (**you should definitely change that**)

-```
-# tpot configuration file
-# myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN]
-myCONF_TPOT_FLAVOR='STANDARD'
-myCONF_WEB_USER='webuser'
-myCONF_WEB_PW='w3b$ecret'
-```
-
 <a name="ews-cfg"></a>
 ## Optional: Custom `ews.cfg`
 Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_tpot.yaml) playbook.
@ -226,7 +226,7 @@ If you are running on a machine which asks for a sudo password, you can use:
 The Playbook will first install required packages on the Ansible Master and then deploy a new server instance.  
 After that, T-Pot gets installed and configured on the newly created host, optionally custom configs are applied and finally it reboots.

-Once this is done, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/dtag-dev-sec/tpotce#ssh-and-web-access).
+Once this is done, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access).

 <a name="documentation"></a>
 # Further documentation
--- a/cloud/ansible/openstack/clouds.yaml
+++ b/cloud/ansible/openstack/clouds.yaml
@ -1,6 +1,7 @@
 clouds:
  open-telekom-cloud:
    profile: otc
+    region_name: eu-de
    auth:
      project_name: eu-de_your_project
      username: your_api_user
--- a/cloud/ansible/openstack/roles/check/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/check/tasks/main.yaml
@ -1,14 +1,17 @@
 - name: Install dependencies
  package:
    name:
+      - gcc
      - pwgen
-      - python-setuptools
-      - python-pip
+      - python3-dev
+      - python3-setuptools
+      - python3-pip
    state: present

 - name: Install openstacksdk
  pip:
    name: openstacksdk
+    executable: pip3

 - name: Check if agent forwarding is enabled
  fail:
--- a/cloud/ansible/openstack/roles/install/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/install/tasks/main.yaml
@ -6,7 +6,7 @@

 - name: Cloning T-Pot install directory
  git:
-    repo: "https://github.com/dtag-dev-sec/tpotce.git"
+    repo: "https://github.com/telekom-security/tpotce.git"
    dest: /root/tpot

 - name: Prepare to set user password
--- a/cloud/terraform/cloud-init.yaml
+++ b/cloud/terraform/cloud-init.yaml
@ -5,7 +5,7 @@ packages:
  - git

 runcmd:
-  - git clone https://github.com/dtag-dev-sec/tpotce /root/tpot
+  - git clone https://github.com/telekom-security/tpotce /root/tpot
  - /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
  - rm /root/tpot.conf
  - /sbin/shutdown -r now
--- a/cloud/terraform/otc/clouds.yaml
+++ b/cloud/terraform/otc/clouds.yaml
@ -1,5 +1,6 @@
 clouds:
  open-telekom-cloud:
+    region_name: eu-de
    auth:
      project_name: eu-de_your_project
      username: your_api_user
--- a/doc/architecture.png
+++ b/doc/architecture.png
--- a/docker/adbhoney/Dockerfile
+++ b/docker/adbhoney/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:latest 
+FROM alpine:3.12
 #
 # Include dist
 ADD dist/ /root/dist/
@ -13,7 +13,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
            python3-dev && \
 #
 # Install adbhoney from git
-    git clone --depth=1 https://github.com/huuck/ADBHoney /opt/adbhoney && \
+    git clone https://github.com/huuck/ADBHoney /opt/adbhoney && \
+    cd /opt/adbhoney && \
+    git checkout ad7c17e78d01f6860d58ba826a4b6a4e4f83acbd && \
    cp /root/dist/adbhoney.cfg /opt/adbhoney && \
    sed -i 's/dst_ip/dest_ip/' /opt/adbhoney/adbhoney/core.py && \
    sed -i 's/dst_port/dest_port/' /opt/adbhoney/adbhoney/core.py && \
--- a/docker/adbhoney/docker-compose.yml
+++ b/docker/adbhoney/docker-compose.yml
@ -14,7 +14,7 @@ services:
     - adbhoney_local
    ports:
     - "5555:5555"
-    image: "dtagdevsec/adbhoney:2006"
+    image: "ghcr.io/telekom-security/adbhoney:2006"
    read_only: true
    volumes:
     - /data/adbhoney/log:/opt/adbhoney/log
--- a/docker/ciscoasa/Dockerfile
+++ b/docker/ciscoasa/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.12
 #
 # Include dist
 ADD dist/ /root/dist/
@ -23,8 +23,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 # Get and install packages
    mkdir -p /opt/ && \
    cd /opt/ && \
-    git clone --depth=1 https://github.com/cymmetria/ciscoasa_honeypot && \
+    git clone https://github.com/cymmetria/ciscoasa_honeypot && \
    cd ciscoasa_honeypot && \
+    git checkout d6e91f1aab7fe6fc01fabf2046e76b68dd6dc9e2 && \
    pip3 install --no-cache-dir -r requirements.txt && \
    cp /root/dist/asa_server.py /opt/ciscoasa_honeypot && \
    chown -R ciscoasa:ciscoasa /opt/ciscoasa_honeypot && \
--- a/docker/ciscoasa/docker-compose.yml
+++ b/docker/ciscoasa/docker-compose.yml
@ -13,7 +13,7 @@ services:
    ports:
     - "5000:5000/udp"
     - "8443:8443"
-    image: "dtagdevsec/ciscoasa:2006"
+    image: "ghcr.io/telekom-security/ciscoasa:2006"
    read_only: true
    volumes:
     - /data/ciscoasa/log:/var/log/ciscoasa
--- a/docker/citrixhoneypot/Dockerfile
+++ b/docker/citrixhoneypot/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.12
 #
 # Install packages
 RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
@ -15,7 +15,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 # Install CitrixHoneypot from GitHub
 #    git clone --depth=1 https://github.com/malwaretech/citrixhoneypot /opt/citrixhoneypot && \
 #    git clone --depth=1 https://github.com/vorband/CitrixHoneypot /opt/citrixhoneypot && \
-    git clone --depth=1 https://github.com/t3chn0m4g3/CitrixHoneypot /opt/citrixhoneypot && \
+    git clone https://github.com/t3chn0m4g3/CitrixHoneypot /opt/citrixhoneypot && \
+    cd /opt/citrixhoneypot && \
+    git checkout f59ad7320dc5bbb8c23c8baa5f111b52c52fbef3 && \
 #
 # Setup user, groups and configs
    mkdir -p /opt/citrixhoneypot/logs /opt/citrixhoneypot/ssl && \
--- a/docker/citrixhoneypot/docker-compose.yml
+++ b/docker/citrixhoneypot/docker-compose.yml
@ -14,7 +14,7 @@ services:
     - citrixhoneypot_local
    ports:
     - "443:443"
-    image: "dtagdevsec/citrixhoneypot:2006"
+    image: "ghcr.io/telekom-security/citrixhoneypot:2006"
    read_only: true
    volumes:
     - /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
--- a/docker/conpot/Dockerfile
+++ b/docker/conpot/Dockerfile
@ -28,7 +28,7 @@ RUN apk -U add \
 # Setup ConPot
    git clone https://github.com/mushorg/conpot /opt/conpot && \
    cd /opt/conpot/ && \
-    git checkout 7a77329cd99cee9c37ee20e2f05a48952d8eece9 && \
+    git checkout ff09e009d10d953aa7dcff2c06b7c890e6ffd4b7 && \
    # Change template default ports if <1024
    sed -i 's/port="2121"/port="21"/' /opt/conpot/conpot/templates/default/ftp/ftp.xml && \ 
    sed -i 's/port="8800"/port="80"/' /opt/conpot/conpot/templates/default/http/http.xml && \ 
--- a/docker/conpot/docker-compose.yml
+++ b/docker/conpot/docker-compose.yml
@ -35,7 +35,7 @@ services:
     - "2121:21"
     - "44818:44818"
     - "47808:47808"
-    image: "dtagdevsec/conpot:2006"
+    image: "ghcr.io/telekom-security/conpot:2006"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot
@ -58,7 +58,7 @@ services:
    ports:
 #     - "161:161"
     - "2404:2404"
-    image: "dtagdevsec/conpot:2006"
+    image: "ghcr.io/telekom-security/conpot:2006"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot
@ -80,7 +80,7 @@ services:
     - conpot_local_guardian_ast
    ports:
     - "10001:10001"
-    image: "dtagdevsec/conpot:2006"
+    image: "ghcr.io/telekom-security/conpot:2006"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot
@ -102,7 +102,7 @@ services:
     - conpot_local_ipmi
    ports:
     - "623:623"
-    image: "dtagdevsec/conpot:2006"
+    image: "ghcr.io/telekom-security/conpot:2006"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot
@ -125,7 +125,7 @@ services:
    ports:
     - "1025:1025"
     - "50100:50100"
-    image: "dtagdevsec/conpot:2006"
+    image: "ghcr.io/telekom-security/conpot:2006"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot
--- a/docker/cowrie/Dockerfile
+++ b/docker/cowrie/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.12
 #
 # Include dist
 ADD dist/ /root/dist/
@ -31,9 +31,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 # Install cowrie
    mkdir -p /home/cowrie && \
    cd /home/cowrie && \
-    git clone --depth=1 https://github.com/micheloosterhof/cowrie -b v2.1.0 && \
+    git clone --depth=1 https://github.com/micheloosterhof/cowrie -b v2.2.0 && \
    cd cowrie && \
-    sed -i s/logfile.DailyLogFile/logfile.LogFile/g src/cowrie/python/logfile.py && \
+#    sed -i s/logfile.DailyLogFile/logfile.LogFile/g src/cowrie/python/logfile.py && \
    mkdir -p log && \
    cp /root/dist/requirements.txt . && \
    pip3 install -r requirements.txt && \
--- a/docker/cowrie/docker-compose.yml
+++ b/docker/cowrie/docker-compose.yml
@ -18,7 +18,7 @@ services:
    ports:
     - "22:22"
     - "23:23"
-    image: "dtagdevsec/cowrie:2006"
+    image: "ghcr.io/telekom-security/cowrie:2006"
    read_only: true
    volumes:
     - /data/cowrie/downloads:/home/cowrie/cowrie/dl
--- a/docker/cyberchef/Dockerfile
+++ b/docker/cyberchef/Dockerfile
@ -13,7 +13,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 #
 # Install CyberChef 
    cd /root && \
-    git clone https://github.com/gchq/cyberchef --depth=1 && \
+    git clone https://github.com/gchq/cyberchef -b v9.21.0 && \
    chown -R nobody:nobody cyberchef && \
    cd cyberchef && \
    npm install && \
--- a/docker/cyberchef/docker-compose.yml
+++ b/docker/cyberchef/docker-compose.yml
@ -14,5 +14,5 @@ services:
     - cyberchef_local
    ports:
     - "127.0.0.1:64299:8000"
-    image: "dtagdevsec/cyberchef:2006"
+    image: "ghcr.io/telekom-security/cyberchef:2006"
    read_only: true
--- a/docker/deprecated/elasticpot.old/README.md
+++ b/docker/deprecated/elasticpot.old/README.md
@ -1,10 +1,10 @@
-[![](https://images.microbadger.com/badges/version/dtagdevsec/elasticpot:1903.svg)](https://microbadger.com/images/dtagdevsec/elasticpot:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/elasticpot:1903.svg)](https://microbadger.com/images/dtagdevsec/elasticpot:1903 "Get your own image badge on microbadger.com")
+[![](https://images.microbadger.com/badges/version/ghcr.io/telekom-security/elasticpot:1903.svg)](https://microbadger.com/images/ghcr.io/telekom-security/elasticpot:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/ghcr.io/telekom-security/elasticpot:1903.svg)](https://microbadger.com/images/ghcr.io/telekom-security/elasticpot:1903 "Get your own image badge on microbadger.com")

 # elasticpot

 [elasticpot](https://github.com/schmalle/ElasticPot) is a simple elastic search honeypot.

-This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG.
+This dockerized version is part of the **[T-Pot community honeypot](http://telekom-security.github.io/)** of Deutsche Telekom AG.

 The `Dockerfile` contains the blueprint for the dockerized elasticpot and will be used to setup the docker image.

--- a/docker/deprecated/elasticpot.old/docker-compose.yml
+++ b/docker/deprecated/elasticpot.old/docker-compose.yml
@ -14,7 +14,7 @@ services:
     - elasticpot_local
    ports:
     - "9200:9200"
-    image: "dtagdevsec/elasticpot:2006"
+    image: "ghcr.io/telekom-security/elasticpot:2006"
    read_only: true
    volumes:
     - /data/elasticpot/log:/opt/ElasticpotPY/log
--- a/docker/deprecated/glastopf/README.md
+++ b/docker/deprecated/glastopf/README.md
@ -1,10 +1,10 @@
-[![](https://images.microbadger.com/badges/version/dtagdevsec/glastopf:1903.svg)](https://microbadger.com/images/dtagdevsec/glastopf:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/glastopf:1903.svg)](https://microbadger.com/images/dtagdevsec/glastopf:1903 "Get your own image badge on microbadger.com")
+[![](https://images.microbadger.com/badges/version/ghcr.io/telekom-security/glastopf:1903.svg)](https://microbadger.com/images/ghcr.io/telekom-security/glastopf:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/ghcr.io/telekom-security/glastopf:1903.svg)](https://microbadger.com/images/ghcr.io/telekom-security/glastopf:1903 "Get your own image badge on microbadger.com")

 # glastopf (deprecated)

 [glastopf](https://github.com/mushorg/glastopf) is a python web application honeypot.

-This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG.
+This dockerized version is part of the **[T-Pot community honeypot](http://telekom-security.github.io/)** of Deutsche Telekom AG.

 The `Dockerfile` contains the blueprint for the dockerized glastopf and will be used to setup the docker image.

--- a/docker/deprecated/glastopf/docker-compose.yml
+++ b/docker/deprecated/glastopf/docker-compose.yml
@ -16,7 +16,7 @@ services:
     - glastopf_local
    ports:
     - "8081:80"
-    image: "dtagdevsec/glastopf:1903"
+    image: "ghcr.io/telekom-security/glastopf:1903"
    read_only: true
    volumes:
     - /data/glastopf/db:/tmp/glastopf/db
--- a/docker/deprecated/hpfeeds/docker-compose.yml
+++ b/docker/deprecated/hpfeeds/docker-compose.yml
@ -16,4 +16,4 @@ services:
     - hpfeeds_local
    ports:
     - "20000:20000"
-    image: "dtagdevsec/hpfeeds:latest"
+    image: "ghcr.io/telekom-security/hpfeeds:latest"
--- a/docker/deprecated/nginx/docker-compose.yml
+++ b/docker/deprecated/nginx/docker-compose.yml
@ -17,7 +17,7 @@ services:
    network_mode: "host"
    ports:
     - "64297:64297"
-    image: "dtagdevsec/nginx:1903"
+    image: "ghcr.io/telekom-security/nginx:1903"
    read_only: true
    volumes:
     - /data/nginx/cert/:/etc/nginx/cert/:ro
--- a/docker/dicompot/Dockerfile
+++ b/docker/dicompot/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.12
 #
 # Setup apk
 RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
@ -14,6 +14,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
    cd /opt/go/ && \
    git clone https://github.com/nsmfoo/dicompot.git && \
    cd dicompot && \
+    git checkout 41331194156bbb17078bcc1594f4952ac06a731e && \
    go mod download && \
    go install -a -x github.com/nsmfoo/dicompot/server && \
 #
--- a/docker/dicompot/docker-compose.yml
+++ b/docker/dicompot/docker-compose.yml
@ -17,7 +17,7 @@ services:
     - dicompot_local
    ports:
     - "11112:11112"
-    image: "dtagdevsec/dicompot:2006"
+    image: "ghcr.io/telekom-security/dicompot:2006"
    read_only: true
    volumes:
     - /data/dicompot/log:/var/log/dicompot
--- a/docker/dionaea/Dockerfile
+++ b/docker/dionaea/Dockerfile
@ -36,7 +36,7 @@ RUN apt-get update -y && \
 #
 # Get and install dionaea
    # Latest master is unstable, SIP causes crashing
-    git clone --depth=1 https://github.com/dinotools/dionaea -b 0.8.0 /root/dionaea/ && \
+    git clone --depth=1 https://github.com/dinotools/dionaea -b 0.11.0 /root/dionaea/ && \
    cd /root/dionaea && \
    #git checkout 1426750b9fd09c5bfeae74d506237333cd8505e2 && \
    mkdir build && \
--- a/docker/dionaea/docker-compose.yml
+++ b/docker/dionaea/docker-compose.yml
@ -31,7 +31,7 @@ services:
     - "5060:5060/udp"
     - "5061:5061"
     - "27017:27017"
-    image: "dtagdevsec/dionaea:2006"
+    image: "ghcr.io/telekom-security/dionaea:2006"
    read_only: true
    volumes:
     - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@ -10,98 +10,98 @@ services:
 # Adbhoney service
  adbhoney:
    build: adbhoney/.
-    image: "dtagdevsec/adbhoney:2006"
+    image: "ghcr.io/telekom-security/adbhoney:2006"

 # Ciscoasa service
  ciscoasa:
    build: ciscoasa/.
-    image: "dtagdevsec/ciscoasa:2006"
+    image: "ghcr.io/telekom-security/ciscoasa:2006"

 # CitrixHoneypot service
  citrixhoneypot:
    build: citrixhoneypot/.
-    image: "dtagdevsec/citrixhoneypot:2006"
+    image: "ghcr.io/telekom-security/citrixhoneypot:2006"

 # Conpot IEC104 service
  conpot_IEC104:
    build: conpot/.
-    image: "dtagdevsec/conpot:2006"
+    image: "ghcr.io/telekom-security/conpot:2006"

 # Cowrie service
  cowrie:
    build: cowrie/.
-    image: "dtagdevsec/cowrie:2006"
+    image: "ghcr.io/telekom-security/cowrie:2006"

 # Dicompot service
  dicompot:
    build: dicompot/.
-    image: "dtagdevsec/dicompot:2006"
+    image: "ghcr.io/telekom-security/dicompot:2006"

 # Dionaea service
  dionaea:
    build: dionaea/.
-    image: "dtagdevsec/dionaea:2006"
+    image: "ghcr.io/telekom-security/dionaea:2006"

 # ElasticPot service
  elasticpot:
    build: elasticpot/.
-    image: "dtagdevsec/elasticpot:2006"
+    image: "ghcr.io/telekom-security/elasticpot:2006"

 # Glutton service
  glutton:
    build: glutton/.
-    image: "dtagdevsec/glutton:2006"
+    image: "ghcr.io/telekom-security/glutton:2006"

 # Heralding service
  heralding:
    build: heralding/.
-    image: "dtagdevsec/heralding:2006"
+    image: "ghcr.io/telekom-security/heralding:2006"

 # HoneyPy service
  honeypy:
    build: honeypy/.
-    image: "dtagdevsec/honeypy:2006"
+    image: "ghcr.io/telekom-security/honeypy:2006"

 # Honeytrap service
  honeytrap:
    build: honeytrap/.
-    image: "dtagdevsec/honeytrap:2006"
+    image: "ghcr.io/telekom-security/honeytrap:2006"

 # Mailoney service
  mailoney:
    build: mailoney/.
-    image: "dtagdevsec/mailoney:2006"
+    image: "ghcr.io/telekom-security/mailoney:2006"

 # Medpot service
  medpot:
    build: medpot/.
-    image: "dtagdevsec/medpot:2006"
+    image: "ghcr.io/telekom-security/medpot:2006"

 # Rdpy service
  rdpy:
    build: rdpy/.
-    image: "dtagdevsec/rdpy:2006"
+    image: "ghcr.io/telekom-security/rdpy:2006"

 #### Snare / Tanner
 ## Tanner Redis Service
  tanner_redis:
    build: tanner/redis/.
-    image: "dtagdevsec/redis:2006"
+    image: "ghcr.io/telekom-security/redis:2006"

 ## PHP Sandbox service
  tanner_phpox:
    build: tanner/phpox/.
-    image: "dtagdevsec/phpox:2006"
+    image: "ghcr.io/telekom-security/phpox:2006"

 ## Tanner API Service
  tanner_api:
    build: tanner/tanner/.
-    image: "dtagdevsec/tanner:2006"
+    image: "ghcr.io/telekom-security/tanner:2006"

 ## Snare Service
  snare:
    build: tanner/snare/.
-    image: "dtagdevsec/snare:2006"
+    image: "ghcr.io/telekom-security/snare:2006"


 ##################
@ -111,17 +111,17 @@ services:
 # Fatt service
  fatt:
    build: fatt/.
-    image: "dtagdevsec/fatt:2006"
+    image: "ghcr.io/telekom-security/fatt:2006"

 # P0f service
  p0f:
    build: p0f/.
-    image: "dtagdevsec/p0f:2006"
+    image: "ghcr.io/telekom-security/p0f:2006"

 # Suricata service
  suricata:
    build: suricata/.
-    image: "dtagdevsec/suricata:2006"
+    image: "ghcr.io/telekom-security/suricata:2006"


 ##################
@ -131,40 +131,40 @@ services:
 # Cyberchef service
  cyberchef:
    build: cyberchef/.
-    image: "dtagdevsec/cyberchef:2006"
+    image: "ghcr.io/telekom-security/cyberchef:2006"

 #### ELK
 ## Elasticsearch service
  elasticsearch:
    build: elk/elasticsearch/.
-    image: "dtagdevsec/elasticsearch:2006"
+    image: "ghcr.io/telekom-security/elasticsearch:2006"

 ## Kibana service
  kibana:
    build: elk/kibana/.
-    image: "dtagdevsec/kibana:2006"
+    image: "ghcr.io/telekom-security/kibana:2006"

 ## Logstash service
  logstash:
    build: elk/logstash/.
-    image: "dtagdevsec/logstash:2006"
+    image: "ghcr.io/telekom-security/logstash:2006"

 ## Elasticsearch-head service
  head:
    build: elk/head/.
-    image: "dtagdevsec/head:2006"
+    image: "ghcr.io/telekom-security/head:2006"

 # Ewsposter service
  ewsposter:
    build: ews/.
-    image: "dtagdevsec/ewsposter:2006"
+    image: "ghcr.io/telekom-security/ewsposter:2006"

 # Nginx service
  nginx:
    build: heimdall/.
-    image: "dtagdevsec/nginx:2006"
+    image: "ghcr.io/telekom-security/nginx:2006"

 # Spiderfoot service
  spiderfoot:
    build: spiderfoot/.
-    image: "dtagdevsec/spiderfoot:2006"
+    image: "ghcr.io/telekom-security/spiderfoot:2006"
--- a/docker/elasticpot/Dockerfile
+++ b/docker/elasticpot/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.12
 #
 # Include dist
 ADD dist/ /root/dist/
@ -20,8 +20,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
             python3-dev && \
    mkdir -p /opt && \
    cd /opt/ && \
-    git clone --depth=1 https://gitlab.com/bontchev/elasticpot.git/ && \
+    git clone https://gitlab.com/bontchev/elasticpot.git/ && \
    cd elasticpot && \
+    git checkout d12649730d819bd78ea622361b6c65120173ad45 && \
    pip3 install -r requirements.txt && \
 #
 # Setup user, groups and configs
--- a/docker/elasticpot/docker-compose.yml
+++ b/docker/elasticpot/docker-compose.yml
@ -14,7 +14,7 @@ services:
     - elasticpot_local
    ports:
     - "9200:9200"
-    image: "dtagdevsec/elasticpot:2006"
+    image: "ghcr.io/telekom-security/elasticpot:2006"
    read_only: true
    volumes:
     - /data/elasticpot/log:/opt/elasticpot/log
--- a/docker/elk/docker-compose.yml
+++ b/docker/elk/docker-compose.yml
@ -24,7 +24,7 @@ services:
    mem_limit: 4g
    ports:
     - "127.0.0.1:64298:9200"
-    image: "dtagdevsec/elasticsearch:2006"
+    image: "ghcr.io/telekom-security/elasticsearch:2006"
    volumes:
     - /data:/data

@ -39,7 +39,7 @@ services:
        condition: service_healthy
    ports:
     - "127.0.0.1:64296:5601"
-    image: "dtagdevsec/kibana:2006"
+    image: "ghcr.io/telekom-security/kibana:2006"

 ## Logstash service
  logstash:
@ -53,7 +53,7 @@ services:
        condition: service_healthy
    env_file:
     - /opt/tpot/etc/compose/elk_environment
-    image: "dtagdevsec/logstash:2006"
+    image: "ghcr.io/telekom-security/logstash:2006"
    volumes:
     - /data:/data
 #     - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf
@ -68,5 +68,5 @@ services:
        condition: service_healthy
    ports:
     - "127.0.0.1:64302:9100"
-    image: "dtagdevsec/head:2006"
+    image: "ghcr.io/telekom-security/head:2006"
    read_only: true
--- a/docker/elk/elasticsearch/Dockerfile
+++ b/docker/elk/elasticsearch/Dockerfile
@ -1,7 +1,7 @@
 FROM alpine:3.12
 #
 # VARS
-ENV ES_VER=7.9.0 \
+ENV ES_VER=7.10.1 \
    JAVA_HOME=/usr/lib/jvm/java-11-openjdk
 # Include dist
 ADD dist/ /root/dist/
--- a/docker/elk/elasticsearch/docker-compose.yml
+++ b/docker/elk/elasticsearch/docker-compose.yml
@ -24,6 +24,6 @@ services:
    mem_limit: 2g
    ports:
     - "127.0.0.1:64298:9200"
-    image: "dtagdevsec/elasticsearch:2006"
+    image: "ghcr.io/telekom-security/elasticsearch:2006"
    volumes:
     - /data:/data
--- a/docker/elk/head/Dockerfile
+++ b/docker/elk/head/Dockerfile
@ -10,7 +10,9 @@ RUN apk -U add \
 # Get and install packages
    mkdir -p /usr/src/app/ && \
    cd /usr/src/app/ && \
-    git clone --depth=1 https://github.com/mobz/elasticsearch-head . && \
+    git clone https://github.com/mobz/elasticsearch-head . && \
+#    git checkout d0a25608854479f0b3f2dca24e8039a2fd66b0e2 && \
+    git checkout 2932af571b84017f87bc1c5beee5b6dfbf11b0a5 && \
    npm install http-server && \
    sed -i "s#\"http\:\/\/localhost\:9200\"#window.location.protocol \+ \'\/\/\' \+ window.location.hostname \+ \'\:\' \+ window.location.port \+ \'\/es\/\'#" /usr/src/app/_site/app.js && \
 #
--- a/docker/elk/head/docker-compose.yml
+++ b/docker/elk/head/docker-compose.yml
@ -12,5 +12,5 @@ services:
    #        condition: service_healthy
    ports:
     - "127.0.0.1:64302:9100"
-    image: "dtagdevsec/head:2006"
+    image: "ghcr.io/telekom-security/head:2006"
    read_only: true
--- a/docker/elk/kibana/Dockerfile
+++ b/docker/elk/kibana/Dockerfile
@ -1,7 +1,7 @@
-FROM node:10.21.0-alpine
+FROM node:10.22.1-alpine
 #
 # VARS
-ENV KB_VER=7.9.0
+ENV KB_VER=7.10.1
 # 
 # Include dist
 ADD dist/ /root/dist/
--- a/docker/elk/kibana/docker-compose.yml
+++ b/docker/elk/kibana/docker-compose.yml
@ -12,4 +12,4 @@ services:
 #        condition: service_healthy
    ports:
     - "127.0.0.1:64296:5601"
-    image: "dtagdevsec/kibana:2006"
+    image: "ghcr.io/telekom-security/kibana:2006"
--- a/docker/elk/logstash/Dockerfile
+++ b/docker/elk/logstash/Dockerfile
@ -1,7 +1,7 @@
 FROM alpine:3.12
 #
 # VARS
-ENV LS_VER=7.9.0
+ENV LS_VER=7.10.1
 # Include dist
 ADD dist/ /root/dist/
 #
@ -25,8 +25,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
    bunzip2 *.bz2 && \
    cd /root/dist/ && \
    mkdir -p /usr/share/logstash/ && \
-    aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/logstash/logstash-$LS_VER.tar.gz && \
-    tar xvfz logstash-$LS_VER.tar.gz --strip-components=1 -C /usr/share/logstash/ && \
+    aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/logstash/logstash-$LS_VER-linux-x86_64.tar.gz && \
+    tar xvfz logstash-$LS_VER-linux-x86_64.tar.gz --strip-components=1 -C /usr/share/logstash/ && \
+    rm -rf /usr/share/logstash/jdk && \
    /usr/share/logstash/bin/logstash-plugin install logstash-filter-translate && \
    /usr/share/logstash/bin/logstash-plugin install logstash-output-syslog && \
 #
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@ -321,6 +321,7 @@ filter {
    }
    mutate {
      rename => {
+        "ID" => "id"
        "IP" => "src_ip"
        "Port" => "src_port"
        "AETitle" => "aetitle"
@ -542,6 +543,11 @@ if "_grokparsefailure" in [tags] { drop {} }
        convert => { "status" => "integer" }
    }
  }
+  if [id] {
+    mutate {
+        convert => { "id" => "string" }
+    }
+  }

 # Add T-Pot hostname and external IP
  if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dicompot" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeysap" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Ipphoney" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
--- a/docker/elk/logstash/docker-compose.yml
+++ b/docker/elk/logstash/docker-compose.yml
@ -14,7 +14,7 @@ services:
 #        condition: service_healthy
    env_file:
     - /opt/tpot/etc/compose/elk_environment
-    image: "dtagdevsec/logstash:2006"
+    image: "ghcr.io/telekom-security/logstash:2006"
    volumes:
     - /data:/data
 #     - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf
--- a/docker/ews/Dockerfile
+++ b/docker/ews/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.12
 #
 # Include dist
 ADD dist/ /root/dist/
@ -23,7 +23,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
    pip3 install --no-cache-dir configparser hpfeeds3 pyOpenSSL xmljson && \
 #
 # Setup ewsposter
-    git clone --depth=1 https://github.com/dtag-dev-sec/ewsposter /opt/ewsposter && \
+    git clone https://github.com/telekom-security/ewsposter /opt/ewsposter && \
+    cd /opt/ewsposter && \
+    git checkout 09508938de3a28856114f6ea5f3f529fdb776d79 && \
    mkdir -p /opt/ewsposter/spool /opt/ewsposter/log && \
 #
 # Setup user and groups
--- a/docker/ews/dist/ews.cfg
+++ b/docker/ews/dist/ews.cfg
@ -4,10 +4,11 @@ spooldir = /opt/ewsposter/spool/
 logdir = /opt/ewsposter/log/
 del_malware_after_send = false
 send_malware = false
-sendlimit = 500
+sendlimit = 5000
 contact = your_email_address
-proxy =
-ip =
+proxy = None
+ip_int = None
+ip_ext = None

 [EWS]
 ews = true
@ -39,24 +40,6 @@ nodeid = glastopfv3-community-01
 sqlitedb = /data/glastopf/db/glastopf.db
 malwaredir = /data/glastopf/data/files/

-[GLASTOPFV2]
-glastopfv2 = false
-nodeid =
-mysqlhost =
-mysqldb =
-mysqluser =
-mysqlpw =
-malwaredir =
-
-[KIPPO]
-kippo = false
-nodeid =
-mysqlhost =
-mysqldb =
-mysqluser =
-mysqlpw =
-malwaredir =
-
 [COWRIE]
 cowrie = true
 nodeid = cowrie-community-01
@ -75,12 +58,6 @@ newversion = true
 payloaddir = /data/honeytrap/attacks/
 attackerfile = /data/honeytrap/log/attacker.log

-[RDPDETECT]
-rdpdetect = false
-nodeid =
-iptableslog =
-targetip =
-
 [EMOBILITY]
 eMobility = false
 nodeid = emobility-community-01
@ -135,3 +112,18 @@ logfile = /data/tanner/log/tanner_report.json
 glutton = true
 nodeid = glutton-community-01
 logfile = /data/glutton/log/glutton.log
+
+[HONEYSAP]
+honeysap = true
+nodeid = honeysap-community-01
+logfile = /data/honeysap/log/honeysap-external.log
+
+[ADBHONEY]
+adbhoney = true
+nodeid = adbhoney-community-01
+logfile = /data/adbhoney/log/adbhoney.json
+
+[FATT]
+fatt = true
+nodeid = fatt-community-01
+logfile = /data/fatt/log/fatt.log
--- a/docker/ews/docker-compose.yml
+++ b/docker/ews/docker-compose.yml
@ -23,8 +23,7 @@ services:
     - EWS_HPFEEDS_FORMAT=json
    env_file:
     - /opt/tpot/etc/compose/elk_environment
-    image: "dtagdevsec/ewsposter:2006"
+    image: "ghcr.io/telekom-security/ewsposter:2006"
    volumes:
     - /data:/data
-     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
-
+#     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
--- a/docker/fatt/Dockerfile
+++ b/docker/fatt/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.12
 #
 # Include dist
 #ADD dist/ /root/dist/
@ -21,8 +21,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 # Install fatt
    mkdir -p /opt && \
    cd /opt && \
-    git clone --depth=1 https://github.com/0x4D31/fatt && \
+    git clone https://github.com/0x4D31/fatt && \
    cd fatt && \
+    git checkout 314cd1ff7873b5a145a51ec4e85f6107828a2c79 && \
    mkdir -p log && \
    pip3 install pyshark==0.4.2.2 && \
 #
@ -39,4 +40,4 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 STOPSIGNAL SIGINT
 ENV PYTHONPATH /opt/fatt
 WORKDIR /opt/fatt
-CMD python3 fatt.py -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:]) --print_output --json_logging -o log/fatt.log
+CMD python3 fatt.py -i $(/sbin/ip address show | /usr/bin/awk '/inet.*brd/{ print $NF; exit }') --print_output --json_logging -o log/fatt.log
--- a/docker/fatt/docker-compose.yml
+++ b/docker/fatt/docker-compose.yml
@ -12,6 +12,6 @@ services:
     - NET_ADMIN
     - SYS_NICE
     - NET_RAW
-    image: "dtagdevsec/fatt:2006"
+    image: "ghcr.io/telekom-security/fatt:2006"
    volumes:
     - /data/fatt/log:/opt/fatt/log
--- a/docker/glutton/Dockerfile
+++ b/docker/glutton/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.12
 #
 # Include dist
 ADD dist/ /root/dist/
@ -22,6 +22,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
    cd /opt/go/ && \
    git clone https://github.com/mushorg/glutton && \
    cd /opt/go/glutton/ && \
+    git checkout 08f364fff489a82667866ecff2bcc4815569a0c8 && \
    mv /root/dist/system.go /opt/go/glutton/ && \
    go mod download && \
    make build && \
@ -52,4 +53,4 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 # Start glutton 
 WORKDIR /opt/glutton
 USER glutton:glutton
-CMD exec bin/server -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:]) -l /var/log/glutton/glutton.log > /dev/null 2>&1
+CMD exec bin/server -i $(/sbin/ip address show | /usr/bin/awk '/inet.*brd/{ print $NF; exit }') -l /var/log/glutton/glutton.log > /dev/null 2>&1
--- a/docker/glutton/docker-compose.yml
+++ b/docker/glutton/docker-compose.yml
@ -13,7 +13,7 @@ services:
    network_mode: "host"
    cap_add:
     - NET_ADMIN
-    image: "dtagdevsec/glutton:2006"
+    image: "ghcr.io/telekom-security/glutton:2006"
    read_only: true
    volumes:
     - /data/glutton/log:/var/log/glutton
--- a/docker/heimdall/Dockerfile
+++ b/docker/heimdall/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.12
 #
 # Include dist
 ADD dist/ /root/dist/
@ -28,6 +28,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 #
 # Clone and setup Heimdall, Nginx
    git clone https://github.com/linuxserver/heimdall && \
+    cd heimdall && \
+    git checkout 3a9bdd2c431d70803b259990fa4d81db4b06dba4 && \
+    cd .. && \
    cp -R heimdall/. /var/lib/nginx/html && \
    rm -rf heimdall && \
    cd /var/lib/nginx/html && \
--- a/docker/heimdall/docker-compose.yml
+++ b/docker/heimdall/docker-compose.yml
@ -26,7 +26,7 @@ services:
    ports:
     - "64297:64297"
     - "127.0.0.1:64304:64304"
-    image: "dtagdevsec/nginx:2006"
+    image: "ghcr.io/telekom-security/nginx:2006"
    read_only: true
    volumes:
     - /data/nginx/cert/:/etc/nginx/cert/:ro
--- a/docker/heralding/Dockerfile
+++ b/docker/heralding/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.12.1
 #  
 # Include dist
 ADD dist/ /root/dist/
@ -21,8 +21,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 # Setup heralding
    mkdir -p /opt && \
    cd /opt/ && \
-    git clone --depth=1 https://github.com/johnnykv/heralding && \
+    git clone https://github.com/johnnykv/heralding && \
    cd heralding && \
+    git checkout 9e9e9218f053c515ebb234667fb5575e6154ffa5 && \
    pip3 install --no-cache-dir -r requirements.txt && \
    pip3 install --no-cache-dir . && \
 #
--- a/docker/heralding/docker-compose.yml
+++ b/docker/heralding/docker-compose.yml
@ -30,7 +30,7 @@ services:
     - "3389:3389"
     - "5432:5432"
     - "5900:5900"
-    image: "dtagdevsec/heralding:2006"
+    image: "ghcr.io/telekom-security/heralding:2006"
    read_only: true
    volumes:
     - /data/heralding/log:/var/log/heralding
--- a/docker/honeypy/Dockerfile
+++ b/docker/honeypy/Dockerfile
@ -17,8 +17,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
    pip install --no-cache-dir virtualenv && \
 #
 # Clone honeypy from git
-    git clone --depth=1 https://github.com/foospidy/HoneyPy /opt/honeypy && \
+    git clone https://github.com/foospidy/HoneyPy /opt/honeypy && \
    cd /opt/honeypy && \
+    git checkout feccab56ca922bcab01cac4ffd82f588d61ab1c5 && \
    sed -i 's/local_host/dest_ip/g' /opt/honeypy/loggers/file/honeypy_file.py && \
    sed -i 's/local_port/dest_port/g' /opt/honeypy/loggers/file/honeypy_file.py && \
    sed -i 's/remote_host/src_ip/g' /opt/honeypy/loggers/file/honeypy_file.py && \
--- a/docker/honeypy/docker-compose.yml
+++ b/docker/honeypy/docker-compose.yml
@ -20,7 +20,7 @@ services:
     - "2324:2324"
     - "4096:4096"
     - "9200:9200"
-    image: "dtagdevsec/honeypy:2006"
+    image: "ghcr.io/telekom-security/honeypy:2006"
    read_only: true
    volumes:
     - /data/honeypy/log:/opt/honeypy/log
--- a/docker/honeysap/Dockerfile
+++ b/docker/honeysap/Dockerfile
@ -18,6 +18,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 #    git clone --depth=1 https://github.com/SecureAuthCorp/HoneySAP /opt/honeysap && \
    git clone --depth=1 https://github.com/t3chn0m4g3/HoneySAP /opt/honeysap && \
    cd /opt/honeysap && \
+    git checkout a3c355a710d399de9d543659a685effaa70e683d && \
    mkdir conf && \
    cp /root/dist/* conf/ && \
    python setup.py install && \
--- a/docker/honeysap/docker-compose.yml
+++ b/docker/honeysap/docker-compose.yml
@ -14,6 +14,6 @@ services:
     - honeysap_local
    ports:
     - "3299:3299"
-    image: "dtagdevsec/honeysap:2006"
+    image: "ghcr.io/telekom-security/honeysap:2006"
    volumes:
     - /data/honeysap/log:/opt/honeysap/log
--- a/docker/honeytrap/Dockerfile
+++ b/docker/honeytrap/Dockerfile
@ -29,6 +29,7 @@ RUN apt-get update -y && \
    git clone https://github.com/armedpot/honeytrap /root/honeytrap && \
 #    git clone https://github.com/t3chn0m4g3/honeytrap /root/honeytrap && \
    cd /root/honeytrap/ && \
+    git checkout 9aa4f734f2ea2f0da790b02d79afe18204a23982 && \
    autoreconf -vfi && \
    ./configure \
      --with-stream-mon=nfq \
--- a/docker/honeytrap/docker-compose.yml
+++ b/docker/honeytrap/docker-compose.yml
@ -12,7 +12,7 @@ services:
    network_mode: "host"
    cap_add:
     - NET_ADMIN
-    image: "dtagdevsec/honeytrap:2006"
+    image: "ghcr.io/telekom-security/honeytrap:2006"
    read_only: true
    volumes:
     - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
--- a/docker/ipphoney/Dockerfile
+++ b/docker/ipphoney/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.12.1
 #
 # Include dist
 ADD dist/ /root/dist/
@ -21,8 +21,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
             python3-dev && \
    mkdir -p /opt && \
    cd /opt/ && \
-    git clone --depth=1 https://gitlab.com/bontchev/ipphoney.git/ && \
+    git clone https://gitlab.com/bontchev/ipphoney.git/ && \
    cd ipphoney && \
+    git checkout 7ab1cac437baba17cb2cd25d5bb1400327e1bb79 && \
    pip3 install -r requirements.txt && \
    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
 #
--- a/docker/ipphoney/docker-compose.yml
+++ b/docker/ipphoney/docker-compose.yml
@ -14,7 +14,7 @@ services:
     - ipphoney_local
    ports:
     - "631:631"
-    image: "dtagdevsec/ipphoney:2006"
+    image: "ghcr.io/telekom-security/ipphoney:2006"
    read_only: true
    volumes:
     - /data/ipphoney/log:/opt/ipphoney/log
--- a/docker/mailoney/Dockerfile
+++ b/docker/mailoney/Dockerfile
@ -13,8 +13,9 @@ RUN apk -U --no-cache add \
            python-dev && \
 #
 # Install libemu    
-    git clone --depth=1 https://github.com/buffer/libemu /root/libemu/ && \
+    git clone https://github.com/buffer/libemu /root/libemu/ && \
    cd /root/libemu/ && \
+    git checkout e2624361e13588da74a2ce3e1dea0abb59dcf1d0 && \
    autoreconf -vi && \
    ./configure && \
    make && \
@ -26,7 +27,9 @@ RUN apk -U --no-cache add \
                        pylibemu && \ 
 #
 # Install mailoney from git
-    git clone --depth=1 https://github.com/t3chn0m4g3/mailoney /opt/mailoney && \
+    git clone https://github.com/t3chn0m4g3/mailoney /opt/mailoney && \
+    cd /opt/mailoney && \
+    git checkout 85c37649a99e1cec3f8d48d509653c9a8127ea4f && \
 #
 # Setup user, groups and configs
    addgroup -g 2000 mailoney && \
--- a/docker/mailoney/docker-compose.yml
+++ b/docker/mailoney/docker-compose.yml
@ -20,7 +20,7 @@ services:
     - mailoney_local
    ports:
     - "25:25"
-    image: "dtagdevsec/mailoney:2006"
+    image: "ghcr.io/telekom-security/mailoney:2006"
    read_only: true
    volumes:
     - /data/mailoney/log:/opt/mailoney/logs
--- a/docker/medpot/Dockerfile
+++ b/docker/medpot/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.12
 #
 # Setup apk
 RUN apk -U --no-cache add \
@ -12,6 +12,9 @@ RUN apk -U --no-cache add \
    mkdir -p /opt/go/src && \
    cd /opt/go/src && \
    git clone https://github.com/schmalle/medpot && \
+    cd medpot && \
+    git checkout 75a2e6134cf926c35b6017d62542274434c87388 && \
+    cd .. && \
    go get -d -v github.com/davecgh/go-spew/spew && \
    go get -d -v github.com/go-ini/ini && \
    go get -d -v github.com/mozillazg/request && \
--- a/docker/medpot/docker-compose.yml
+++ b/docker/medpot/docker-compose.yml
@ -14,7 +14,7 @@ services:
     - medpot_local
    ports:
     - "2575:2575"
-    image: "dtagdevsec/medpot:2006"
+    image: "ghcr.io/telekom-security/medpot:2006"
    read_only: true
    volumes:
     - /data/medpot/log/:/var/log/medpot
--- a/docker/p0f/Dockerfile
+++ b/docker/p0f/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.12
 #
 # Add source
 ADD . /opt/p0f
@ -29,7 +29,7 @@ RUN apk -U --no-cache add \
    rm -rf /root/* && \
    rm -rf /var/cache/apk/*
 #
-# Start suricata
+# Start p0f
 WORKDIR /opt/p0f
 USER p0f:p0f
-CMD exec /opt/p0f/p0f -u p0f -j -o /var/log/p0f/p0f.json -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:]) > /dev/null
+CMD exec /opt/p0f/p0f -u p0f -j -o /var/log/p0f/p0f.json -i $(/sbin/ip address show | /usr/bin/awk '/inet.*brd/{ print $NF; exit }') > /dev/null
--- a/docker/p0f/README.md
+++ b/docker/p0f/README.md
@ -1,11 +0,0 @@
-[![](https://images.microbadger.com/badges/version/dtagdevsec/p0f:1804.svg)](https://microbadger.com/images/dtagdevsec/p0f:1804 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/p0f:1804.svg)](https://microbadger.com/images/dtagdevsec/p0f:1804 "Get your own image badge on microbadger.com")
-
-# p0f
-
-[p0f](http://lcamtuf.coredump.cx/p0f3/) P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way.
-
-This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG.
-
-The `Dockerfile` contains the blueprint for the dockerized p0f and will be used to setup the docker image.
-
-The `docker-compose.yml` contains the necessary settings to test p0f using `docker-compose`. This will ensure to start the docker container with the appropriate permissions and port mappings.
--- a/docker/p0f/docker-compose.yml
+++ b/docker/p0f/docker-compose.yml
@ -8,7 +8,7 @@ services:
    container_name: p0f
    restart: always
    network_mode: "host"
-    image: "dtagdevsec/p0f:2006"
+    image: "ghcr.io/telekom-security/p0f:2006"
    read_only: true
    volumes:
     - /data/p0f/log:/var/log/p0f
--- a/docker/rdpy/Dockerfile
+++ b/docker/rdpy/Dockerfile
@ -34,8 +34,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 # Install rdpy from git
    mkdir -p /opt && \
    cd /opt && \
-    git clone --depth=1 https://github.com/t3chn0m4g3/rdpy && \
+    git clone https://github.com/t3chn0m4g3/rdpy && \
    cd rdpy && \
+    git checkout 1d2a4132aefe0637d09cac1a6ab83ec5391f40ca && \
    python setup.py install && \
 #
 # Setup user, groups and configs
--- a/docker/rdpy/docker-compose.yml
+++ b/docker/rdpy/docker-compose.yml
@ -22,7 +22,7 @@ services:
     - rdpy_local
    ports:
     - "3389:3389"
-    image: "dtagdevsec/rdpy:2006"
+    image: "ghcr.io/telekom-security/rdpy:2006"
    read_only: true
    volumes:
     - /data/rdpy/log:/var/log/rdpy
--- a/docker/spiderfoot/Dockerfile
+++ b/docker/spiderfoot/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.12
 #
 # Get and install dependencies & packages
 RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
@ -33,7 +33,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
    adduser -S -s /bin/ash -u 2000 -D -g 2000 spiderfoot && \
 #
 # Install spiderfoot 
-    git clone --depth=1 -b v3.1 https://github.com/smicallef/spiderfoot /home/spiderfoot && \
+    git clone --depth=1 -b v3.2.1 https://github.com/smicallef/spiderfoot /home/spiderfoot && \
    cd /home/spiderfoot && \
    pip3 install --no-cache-dir wheel && \ 
    pip3 install --no-cache-dir -r requirements.txt && \ 
--- a/docker/spiderfoot/docker-compose.yml
+++ b/docker/spiderfoot/docker-compose.yml
@ -14,6 +14,6 @@ services:
     - spiderfoot_local
    ports:
     - "127.0.0.1:64303:8080"
-    image: "dtagdevsec/spiderfoot:2006"
+    image: "ghcr.io/telekom-security/spiderfoot:2006"
    volumes:
     - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db
--- a/docker/suricata/Dockerfile
+++ b/docker/suricata/Dockerfile
@ -1,30 +1,31 @@
-FROM alpine:latest
+FROM alpine:edge
 #
 # Include dist
 ADD dist/ /root/dist/
 #
 # Install packages
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U --no-cache add \
+RUN apk -U --no-cache add \
                 ca-certificates \
                 curl \
                 file \
+		 hiredis \
                 libcap \
-                 wget && \
-    apk -U add --repository http://dl-cdn.alpinelinux.org/alpine/edge/community \
+                 wget \
                 suricata && \
 #
 # Setup user, groups and configs
    addgroup -g 2000 suri && \
    adduser -S -H -u 2000 -D -g 2000 suri && \
    chmod 644 /etc/suricata/*.config && \
-    cp /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \
+    cp /root/dist/*.yaml /etc/suricata/ && \
+    cp /root/dist/*.conf /etc/suricata/ && \
    cp /root/dist/*.bpf /etc/suricata/ && \
 #
-# Download the latest EmergingThreats ruleset, replace rulebase and enable all rules
+# Download the latest EmergingThreats OPEN ruleset
    cp /root/dist/update.sh /usr/bin/ && \
    chmod 755 /usr/bin/update.sh && \
-    update.sh OPEN && \
+    suricata-update update-sources && \
+    suricata-update --no-reload && \
 #
 # Clean up
    rm -rf /root/* && \
@ -33,4 +34,4 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 #
 # Start suricata
 STOPSIGNAL SIGINT
-CMD SURICATA_CAPTURE_FILTER=$(update.sh $OINKCODE) && exec suricata -v -F $SURICATA_CAPTURE_FILTER -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:])
+CMD SURICATA_CAPTURE_FILTER=$(update.sh $OINKCODE) && exec suricata -v -F $SURICATA_CAPTURE_FILTER -i $(/sbin/ip address show | /usr/bin/awk '/inet.*brd/{ print $NF; exit }')
--- a/docker/suricata/Dockerfile.from.source
+++ b/docker/suricata/Dockerfile.from.source
@ -1,7 +1,7 @@
 FROM alpine
 #
 # VARS
-ENV VER=5.0.2
+ENV VER=6.0.0
 #
 # Include dist
 ADD dist/ /root/dist/
@ -59,8 +59,7 @@ RUN    apk -U add \
               libhtp \
               libhtp-dev && \
 #
-# Upgrade pip, install suricata-update to meet deps, however we will not be using it 
-# to reduce image (no python needed) and use the update script.
+# Upgrade pip, install suricata-update to meet deps
    pip3 install --no-cache-dir --upgrade pip && \
    pip3 install --no-cache-dir suricata-update && \
 #
@ -93,15 +92,17 @@ RUN    apk -U add \
    addgroup -g 2000 suri && \
    adduser -S -H -u 2000 -D -g 2000 suri && \
    chmod 644 /etc/suricata/*.config && \
-    cp /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \
+    cp /root/dist/*.yaml /etc/suricata/ && \
+    cp /root/dist/*.conf /etc/suricata/ && \
    cp /root/dist/*.bpf /etc/suricata/ && \
    mkdir -p /etc/suricata/rules && \
    cp /opt/builder/rules/* /etc/suricata/rules/ && \
 #
-# Download the latest EmergingThreats ruleset, replace rulebase and enable all rules
+# Download the latest EmergingThreats OPEN ruleset
    cp /root/dist/update.sh /usr/bin/ && \
    chmod 755 /usr/bin/update.sh && \
-    update.sh OPEN && \
+    suricata-update update-sources && \
+    suricata-update --no-reload && \
 #
 # Clean up
    apk del --purge \
@ -126,8 +127,6 @@ RUN    apk -U add \
                 nss-dev \
                 nspr-dev \
                 pcre-dev \
-		 python3 \
-                 rust \
                 yaml-dev && \
    rm -rf /opt/builder && \
    rm -rf /root/* && \
@ -136,4 +135,4 @@ RUN    apk -U add \
 #
 # Start suricata
 STOPSIGNAL SIGINT
-CMD SURICATA_CAPTURE_FILTER=$(update.sh $OINKCODE) && exec suricata -v -F $SURICATA_CAPTURE_FILTER -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:])
+CMD SURICATA_CAPTURE_FILTER=$(update.sh $OINKCODE) && exec suricata -v -F $SURICATA_CAPTURE_FILTER -i $(/sbin/ip address show | /usr/bin/awk '/inet.*brd/{ print $NF; exit }')
--- a/docker/suricata/dist/capture-filter.bpf
+++ b/docker/suricata/dist/capture-filter.bpf
@ -1,3 +1,5 @@
 not (host sicherheitstacho.eu or community.sicherheitstacho.eu or listbot.sicherheitstacho.eu) and
+not (host rules.emergingthreats.net or rules.emergingthreatspro.com) and
 not (host deb.debian.org) and
+not (host ghcr.io) and
 not (host index.docker.io or docker.io)
--- a/docker/suricata/dist/disable.conf
+++ b/docker/suricata/dist/disable.conf
--- a/docker/suricata/dist/enable.conf
+++ b/docker/suricata/dist/enable.conf
@ -0,0 +1,3 @@
+# Since honeypot traffic is usually low, we can afford to enable
+# all the rules that are normally disabled for performance reasons.
+re:.
--- a/docker/suricata/dist/modify.conf
+++ b/docker/suricata/dist/modify.conf
--- a/docker/suricata/dist/suricata.yaml
+++ b/docker/suricata/dist/suricata.yaml
--- a/docker/suricata/dist/update.sh
+++ b/docker/suricata/dist/update.sh
@ -9,24 +9,6 @@ trap fuCLEANUP EXIT
 ### Vars
 myOINKCODE="$1"

-function fuDLRULES {
-### Check if args are present then download rules, if not throw error
-if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ];
-  then
-    echo "Downloading ET open ruleset."
-    wget -q --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz
-  else
-    if [ "$myOINKCODE" != "" ];
-      then
-	echo "Downloading ET pro ruleset with Oinkcode $myOINKCODE."
-	wget -q --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-5.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz
-      else	
-        echo "Usage: update.sh <[OPEN, OINKCODE]>"
-	exit
-    fi	
-fi
-}
-
 # Check internet availability 
 function fuCHECKINET () {
 mySITES=$1
@ -46,9 +28,14 @@ for i in $mySITES;
 myCHECK=$(fuCHECKINET "rules.emergingthreatspro.com rules.emergingthreats.net")
 if [ "$myCHECK" == "0" ];
  then
-    fuDLRULES 2>&1 > /dev/null
-    tar xvfz /tmp/rules.tar.gz -C /etc/suricata/ 2>&1 > /dev/null
-    sed -i s/^#alert/alert/ /etc/suricata/rules/*.rules 2>&1 > /dev/null
+    if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" != "OPEN" ];
+      then
+        suricata-update -q enable-source et/pro secret-code=$myOINKCODE > /dev/null
+      else
+        # suricata-update uses et/open ruleset by default if not configured
+        rm -f /var/lib/suricata/update/sources/et-pro.yaml 2>&1 > /dev/null
+    fi
+    suricata-update -q --no-test --no-reload > /dev/null
    echo "/etc/suricata/capture-filter.bpf"
  else
    echo "/etc/suricata/null.bpf"
--- a/docker/suricata/dist/update.yaml
+++ b/docker/suricata/dist/update.yaml
@ -0,0 +1,12 @@
+disable-conf: /etc/suricata/disable.conf
+enable-conf: /etc/suricata/enable.conf
+#drop-conf: /etc/suricata/drop.conf
+modify-conf: /etc/suricata/modify.conf
+
+ignore:
+  - "*deleted.rules"
+  - "dhcp-events.rules"  # DHCP is disabled in suricata.yaml
+  - "files.rules"  # file-store is disabled in suricata.yaml
+
+reload-command: suricatasc -c ruleset-reload-rules
+
--- a/docker/suricata/docker-compose.yml
+++ b/docker/suricata/docker-compose.yml
@ -15,6 +15,6 @@ services:
     - NET_ADMIN
     - SYS_NICE
     - NET_RAW
-    image: "dtagdevsec/suricata:2006"
+    image: "ghcr.io/telekom-security/suricata:2006"
    volumes:
     - /data/suricata/log:/var/log/suricata
--- a/docker/tanner/docker-compose.yml
+++ b/docker/tanner/docker-compose.yml
@ -14,7 +14,7 @@ services:
    tty: true
    networks:
     - tanner_local
-    image: "dtagdevsec/redis:2006"
+    image: "ghcr.io/telekom-security/redis:2006"
    read_only: true

 # PHP Sandbox service
@ -28,7 +28,7 @@ services:
    tty: true
    networks:
     - tanner_local
-    image: "dtagdevsec/phpox:2006"
+    image: "ghcr.io/telekom-security/phpox:2006"
    read_only: true

 # Tanner API Service
@ -42,7 +42,7 @@ services:
    tty: true
    networks:
     - tanner_local
-    image: "dtagdevsec/tanner:2006"
+    image: "ghcr.io/telekom-security/tanner:2006"
    read_only: true
    volumes:
     - /data/tanner/log:/var/log/tanner
@ -63,7 +63,7 @@ services:
     - tanner_local
 #    ports:
 #     - "127.0.0.1:8091:8091"
-    image: "dtagdevsec/tanner:2006"
+    image: "ghcr.io/telekom-security/tanner:2006"
    command: tannerweb
    read_only: true
    volumes:
@ -82,7 +82,7 @@ services:
    tty: true
    networks:
     - tanner_local
-    image: "dtagdevsec/tanner:2006"
+    image: "ghcr.io/telekom-security/tanner:2006"
    command: tanner
    read_only: true
    volumes:
@ -104,6 +104,6 @@ services:
     - tanner_local
    ports:
     - "80:80"
-    image: "dtagdevsec/snare:2006"
+    image: "ghcr.io/telekom-security/snare:2006"
    depends_on:
     - tanner
--- a/docker/tanner/phpox/Dockerfile
+++ b/docker/tanner/phpox/Dockerfile
@ -15,8 +15,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
               re2c && \
 #
 # Install bfr sandbox from git
-    git clone --depth=1 https://github.com/mushorg/BFR /opt/BFR && \
+    git clone https://github.com/mushorg/BFR /opt/BFR && \
    cd /opt/BFR && \
+    git checkout 508729202428a35bcc6bb27dd97b831f7e5009b5 && \
    phpize7 && \
    ./configure \
      --with-php-config=/usr/bin/php-config7 \
@ -28,8 +29,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
    echo "zend_extension = "$(find /usr -name bfr.so) >> /etc/php7/php.ini && \
 #
 # Install PHP Sandbox
-    git clone --depth=1 https://github.com/mushorg/phpox /opt/phpox && \
+    git clone https://github.com/mushorg/phpox /opt/phpox && \
    cd /opt/phpox && \
+    git checkout 001437b9ed3e228fac3828e18fe90991a330578d && \
    pip3 install -r requirements.txt && \
    make && \
 #
--- a/docker/tanner/snare/Dockerfile
+++ b/docker/tanner/snare/Dockerfile
@ -13,8 +13,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
               python3-dev && \ 
 #
 # Setup Snare 
-    git clone --depth=1 https://github.com/mushorg/snare /opt/snare && \
+    git clone https://github.com/mushorg/snare /opt/snare && \
    cd /opt/snare/ && \
+    git checkout 7762b762b272f0599c16e11ef997c37d2899d33e && \
    pip3 install --no-cache-dir setuptools && \
    pip3 install --no-cache-dir -r requirements.txt && \
    python3 setup.py install && \
--- a/docker/tanner/tanner/Dockerfile
+++ b/docker/tanner/tanner/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.12
 #
 # Include dist
 ADD dist/ /root/dist/
@ -18,10 +18,11 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
               python3-dev && \ 
 #
 # Setup Tanner
-    git clone --depth=1 https://github.com/mushorg/tanner /opt/tanner && \
+    git clone https://github.com/mushorg/tanner /opt/tanner && \
    cd /opt/tanner/ && \
 #    git fetch origin pull/364/head:test && \	
 #    git checkout test && \
+    git checkout 40e2357119065445cbb06234e953a95e5a73ce93 && \
    cp /root/dist/config.yaml /opt/tanner/tanner/data && \
    pip3 install --no-cache-dir setuptools && \
    pip3 install --no-cache-dir -r requirements.txt && \
--- a/etc/objects/elkbase.tgz
+++ b/etc/objects/elkbase.tgz
--- a/etc/objects/kibana-objects.tgz
+++ b/etc/objects/kibana-objects.tgz
--- a/etc/objects/kibana_export.ndjson.zip
+++ b/etc/objects/kibana_export.ndjson.zip
--- a/iso/installer/install.sh
+++ b/iso/installer/install.sh
@ -16,13 +16,13 @@ fi
 myBACKTITLE="T-Pot-Installer"
 myCONF_FILE="/root/installer/iso.conf"
 myPROGRESSBOXCONF=" --backtitle "$myBACKTITLE" --progressbox 24 80"
-mySITES="https://hub.docker.com https://github.com https://pypi.python.org https://debian.org"
+mySITES="https://ghcr.io https://github.com https://pypi.python.org https://debian.org"
 myTPOTCOMPOSE="/opt/tpot/etc/tpot.yml"
 myLSB_STABLE_SUPPORTED="stretch buster"
 myLSB_TESTING_SUPPORTED="stable"
 myREMOTESITES="https://hub.docker.com https://github.com https://pypi.python.org https://debian.org https://listbot.sicherheitstacho.eu"
-myPREINSTALLPACKAGES="aria2 apache2-utils cracklib-runtime curl dialog figlet fuse grc libcrack2 libpq-dev lsb-release netselect-apt net-tools software-properties-common toilet"
-myINSTALLPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 libpam-google-authenticator man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant"
+myPREINSTALLPACKAGES="aria2 apache2-utils cracklib-runtime curl dialog figlet fuse grc libcrack2 libpq-dev lsb-release net-tools software-properties-common toilet"
+myINSTALLPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 libpam-google-authenticator man mosh multitail net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant"
 myINFO="\
 ###########################################
 ### T-Pot Installer for Debian (Stable) ###
@ -290,21 +290,6 @@ function fuCHECKNET {
 # Install T-Pot dependencies
 function fuGET_DEPS {
  export DEBIAN_FRONTEND=noninteractive
-  # Determine fastest mirror
-  echo
-  echo "### Determine fastest mirror for your location."
-  echo
-  netselect-apt -n -a amd64 stable && cp sources.list /etc/apt/
-  mySOURCESCHECK=$(cat /etc/apt/sources.list | grep -c stable)
-  if [ "$mySOURCESCHECK" == "0" ]
-    then
-      echo "### Automatic mirror selection failed, using main mirror."
-      # Point to Debian (stable)
-tee /etc/apt/sources.list <<EOF
-deb http://deb.debian.org/debian stable main contrib non-free
-deb-src http://deb.debian.org/debian stable main contrib non-free
-EOF
-  fi
  echo
  echo "### Getting update information."
  echo
@ -704,7 +689,7 @@ hash -r
 if ! [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ];
  then
    fuBANNER "Cloning T-Pot"
-    git clone https://github.com/dtag-dev-sec/tpotce /opt/tpot
+    git clone https://github.com/telekom-security/tpotce /opt/tpot
 fi

 # Let's create the T-Pot user
--- a/iso/installer/tpot.conf.dist
+++ b/iso/installer/tpot.conf.dist
@ -1,5 +1,5 @@
 # tpot configuration file
-# myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN]
+# myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN, MEDICAL]
 myCONF_TPOT_FLAVOR='STANDARD'
 myCONF_WEB_USER='webuser'
 myCONF_WEB_PW='w3b$ecret'
--- a/iso/isolinux/txt.cfg
+++ b/iso/isolinux/txt.cfg
@ -1,6 +1,6 @@
 default install
 label install
-  menu label ^T-Pot 20.06.0 (based on Debian Stable)
+  menu label ^T-Pot 20.06.1 (based on Debian Stable)
  menu default
  kernel linux
  append vga=788 initrd=initrd.gz console-setup/ask_detect=true --
--- a/iso/preseed/tpot.seed
+++ b/iso/preseed/tpot.seed
@ -109,7 +109,7 @@ tasksel tasksel/first multiselect ssh-server
 ########################
 ### Package Installation
 ########################
-d-i pkgsel/include string apache2-utils cracklib-runtime curl dialog figlet git grc libcrack2 libpq-dev lsb-release netselect-apt net-tools software-properties-common toilet
+d-i pkgsel/include string apache2-utils cracklib-runtime curl dialog figlet git grc libcrack2 libpq-dev lsb-release net-tools software-properties-common toilet
 popularity-contest popularity-contest/participate boolean false

 #################
@ -131,7 +131,7 @@ in-target apt-get -y install grub-pc; \
 in-target grub-install --force $(debconf-get partman-auto/disk); \
 update-dev; \
 in-target update-grub; \
-in-target git clone --depth=1 https://github.com/dtag-dev-sec/tpotce /opt/tpot; \
+in-target git clone --depth=1 https://github.com/telekom-security/tpotce /opt/tpot; \
 in-target sed -i 's/allow-hotplug/auto/g' /etc/network/interfaces; \
 #in-target apt-get -y remove exim4-base; \
 #in-target apt-get -y autoremove; \
--- a/update.sh
+++ b/update.sh
@ -82,7 +82,7 @@ echo
 # Let's check for version
 function fuCHECK_VERSION () {
 local myMINVERSION="19.03.0"
-local myMASTERVERSION="20.06.0"
+local myMASTERVERSION="20.06.1"
 echo
 echo "### Checking for Release ID"
 myRELEASE=$(lsb_release -i | grep Debian -c)
@ -183,7 +183,7 @@ function fuUPDATER () {
 export DEBIAN_FRONTEND=noninteractive
 echo "### Installing apt-fast"
 /bin/bash -c "$(curl -sL https://raw.githubusercontent.com/ilikenwf/apt-fast/master/quick-install.sh)"
-local myPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 libpam-google-authenticator man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-elasticsearch-curator python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant"
+local myPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 libpam-google-authenticator man mosh multitail net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-elasticsearch-curator python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant"
 # Remove purge in the future
 echo "### Removing repository based install of elasticsearch-curator"
 apt-get purge elasticsearch-curator -y
@ -266,7 +266,7 @@ echo "### If you made changes to tpot.yml please ensure to add them again."
 echo "### We stored the previous version as backup in /root/."
 echo "### Some updates may need an import of the latest Kibana objects as well."
 echo "### Download the latest objects here if they recently changed:"
-echo "### https://raw.githubusercontent.com/dtag-dev-sec/tpotce/master/etc/objects/kibana_export.json.zip"
+echo "### https://raw.githubusercontent.com/telekom-security/tpotce/master/etc/objects/kibana_export.ndjson.zip"
 echo "### Export and import the objects easily through the Kibana WebUI:"
 echo "### Go to Kibana > Management > Saved Objects > Export / Import"
 echo "### Or use the command:"
--- a/2
+++ b/2
@ -1 +1 @@
-20.06.0
+20.06.1
 @ -1 +1 @@
 .06.0
 .06.1