From b66e482837cd289efcc74f49f87fe104378aeb1a Mon Sep 17 00:00:00 2001
From: t3chn0m4g3 <t3chn0m4g3@gmail.com>
Date: Tue, 24 Sep 2024 16:13:16 +0200
Subject: [PATCH] Continue working on Galah

---
 docker/_builder/docker-compose.yml            |  9 +++++++++
 docker/beelzebub/Dockerfile                   | 18 +++++++++--------
 docker/beelzebub/docker-compose.yml           |  2 +-
 docker/elk/logstash/Dockerfile                |  2 +-
 docker/elk/logstash/dist/http_output.conf     | 20 ++++++++++++++++---
 docker/elk/logstash/dist/logstash.conf        | 14 +++++++++++++
 docker/elk/map/Dockerfile                     |  4 ++--
 docker/galah/docker-compose.yml               |  4 ++--
 docker/tpotinit/dist/bin/clean.sh             |  9 +++++++++
 .../dist/etc/logrotate/logrotate.conf         |  1 +
 env.example                                   |  6 +++---
 11 files changed, 69 insertions(+), 20 deletions(-)

diff --git a/docker/_builder/docker-compose.yml b/docker/_builder/docker-compose.yml
index ef50e777..05c6f33a 100644
--- a/docker/_builder/docker-compose.yml
+++ b/docker/_builder/docker-compose.yml
@@ -117,6 +117,15 @@ services:
       context: ../endlessh/
       <<: *common-build
 
+# Galah
+  galah:
+    image: ${TPOT_DOCKER_REPO}/galah:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/galah:${TPOT_VERSION}
+      context: ../galah/
+      <<: *common-build
+
 # Glutton
 #  glutton:
 #    image: ${TPOT_DOCKER_REPO}/glutton:${TPOT_VERSION}
diff --git a/docker/beelzebub/Dockerfile b/docker/beelzebub/Dockerfile
index f3b6ae58..a8f452c3 100644
--- a/docker/beelzebub/Dockerfile
+++ b/docker/beelzebub/Dockerfile
@@ -22,14 +22,16 @@ COPY --from=builder /root/beelzebub/main /opt/beelzebub/
 COPY --from=builder /root/beelzebub/configurations /opt/beelzebub/configurations
 #
 # Setup user, groups and configs
-RUN sed -i "s#logsPath: ./log#logsPath: ./configurations/log/beelzebub.json#g" /opt/beelzebub/configurations/beelzebub.yaml && \
-    sed -i 's/passwordRegex: "^(root|qwerty|Smoker666|123456|jenkins|minecraft|sinus|alex|postgres|Ly123456)$"/passwordRegex: ".*"/g' /opt/beelzebub/configurations/services/ssh-22.yaml && \
-    addgroup -g 2000 beelzebub && \
-    adduser -S -s /bin/ash -u 2000 -D -g 2000 beelzebub && \
-    mkdir -p /beelzebub/configurations/key \
-             /beelzebub/configurations/log && \
-    chown beelzebub:beelzebub -R /opt/beelzebub/configurations && \
-    chmod 0770 -R /opt/beelzebub/configurations
+RUN <<EOF
+sed -i "s#logsPath: ./log#logsPath: ./configurations/log/beelzebub.json#g" /opt/beelzebub/configurations/beelzebub.yaml
+sed -i 's/passwordRegex: "^(root|qwerty|Smoker666|123456|jenkins|minecraft|sinus|alex|postgres|Ly123456)$"/passwordRegex: ".*"/g' /opt/beelzebub/configurations/services/ssh-22.yaml
+addgroup -g 2000 beelzebub
+adduser -S -s /bin/ash -u 2000 -D -g 2000 beelzebub
+mkdir -p /beelzebub/configurations/key \
+         /beelzebub/configurations/log
+chown beelzebub:beelzebub -R /opt/beelzebub/configurations
+chmod 0770 -R /opt/beelzebub/configurations
+EOF
 #
 # Start beelzebub
 WORKDIR /opt/beelzebub
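Review bot: The heredoc RUN introduced at lines 56-65 drops the fail-fast behavior the removed `&& \` chain had: the heredoc lines run as one shell script and only the last command's exit status decides whether the layer fails, so a failing `sed`, `addgroup`, `adduser` or `chown` would be silently ignored and the image would still build with the wrong config or ownership. Make the first line of the heredoc `set -e` (e.g. `RUN <<EOF` / `set -eux` / `sed -i ...`) so the conversion is behavior-preserving. Separately, the `mkdir -p` targets `/beelzebub/configurations/key` and `/beelzebub/configurations/log` while the `chown`/`chmod` and the `logsPath` sed operate under `/opt/beelzebub/configurations`; this predates the commit but looks like a mismatched root and is worth confirming against the compose volume mounts before it is carried over.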
diff --git a/docker/beelzebub/docker-compose.yml b/docker/beelzebub/docker-compose.yml
index 4a5ab4f9..6fc31a31 100644
--- a/docker/beelzebub/docker-compose.yml
+++ b/docker/beelzebub/docker-compose.yml
@@ -22,7 +22,7 @@ services:
     environment:
       LLMMODEL: "ollama"
       LLMHOST: "http://ollama.local:11434/api/chat"
-      OLLAMAMODEL: "llama3.1"
+      OLLAMAMODEL: "openchat"
     image: "dtagdevsec/beelzebub:24.04"
     read_only: true
     volumes:
diff --git a/docker/elk/logstash/Dockerfile b/docker/elk/logstash/Dockerfile
index 8fd418be..0aa92483 100644
--- a/docker/elk/logstash/Dockerfile
+++ b/docker/elk/logstash/Dockerfile
@@ -1,5 +1,5 @@
 FROM ubuntu:22.04
-ENV DEBIAN_FRONTEND noninteractive
+ENV DEBIAN_FRONTEND=noninteractive
 ENV LS_VER=8.14.2
 #
 # Include dist
diff --git a/docker/elk/logstash/dist/http_output.conf b/docker/elk/logstash/dist/http_output.conf
index 62fba9ff..885d2f7b 100644
--- a/docker/elk/logstash/dist/http_output.conf
+++ b/docker/elk/logstash/dist/http_output.conf
@@ -99,6 +99,13 @@ input {
     type => "Endlessh"
   }
 
+# Galah
+  file {
+    path => ["/data/galah/log/galah.json"]
+    codec => json
+    type => "Galah"
+  }
+
 # Glutton
   file {
     path => ["/data/glutton/log/glutton.log"]
@@ -210,9 +217,9 @@ filter {
     mutate {
       rename => {
         "sourceIp" => "src_ip"
-	"destinationIp" => "dest_ip"
-	"sourcePort" => "src_port"
-	"destinationPort" => "dest_port"
+	      "destinationIp" => "dest_ip"
+        "sourcePort" => "src_port"
+        "destinationPort" => "dest_port"
         "gquic" => "fatt_gquic"
         "http" => "fatt_http"
         "rdp" => "fatt_rdp"
@@ -460,6 +467,13 @@ filter {
     }
   }
 
+# Galah
+  if [type] == "Galah" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+  }
+
 # Glutton
   if [type] == "Glutton" {
     date {
diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf
index 77ebb22f..0b34d979 100644
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@@ -99,6 +99,13 @@ input {
     type => "Endlessh"
   }
 
+# Galah
+  file {
+    path => ["/data/galah/log/galah.json"]
+    codec => json
+    type => "Galah"
+  }
+
 # Glutton
   file {
     path => ["/data/glutton/log/glutton.log"]
@@ -460,6 +467,13 @@ filter {
     }
   }
 
+# Galah
+  if [type] == "Galah" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+  }
+
 # Glutton
   if [type] == "Glutton" {
     date {
diff --git a/docker/elk/map/Dockerfile b/docker/elk/map/Dockerfile
index fde3fba6..aad9e08a 100644
--- a/docker/elk/map/Dockerfile
+++ b/docker/elk/map/Dockerfile
@@ -13,7 +13,7 @@ RUN apk --no-cache -U add \
 # Install from GitHub and setup
     mkdir -p /opt && \
     cd /opt/ && \
-    git clone https://github.com/t3chn0m4g3/t-pot-attack-map -b 2.2.1 && \
+    git clone https://github.com/t3chn0m4g3/t-pot-attack-map -b 2.2.2 && \
     cd t-pot-attack-map && \
     pip3 install --break-system-packages --upgrade pip && \
     pip3 install --break-system-packages -r requirements.txt && \
@@ -35,4 +35,4 @@ ENV TZ=UTC
 STOPSIGNAL SIGINT
 USER map:map
 WORKDIR /opt/t-pot-attack-map
-CMD /usr/bin/python3 $MAP_COMMAND
+CMD ["/bin/sh", "-c", "/usr/bin/python3 $MAP_COMMAND"]
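Review bot: The new JSON-array CMD still launches python via `/bin/sh -c`, so the shell, not python, is PID 1 and the `STOPSIGNAL SIGINT` declared on line 184 is delivered to `sh` rather than to the map process; unless this shell happens to exec its sole command, a `docker stop` will wait out the grace period and SIGKILL the container without a clean shutdown. Prepending `exec` makes the shell replace itself once `$MAP_COMMAND` has been expanded: `CMD ["/bin/sh", "-c", "exec /usr/bin/python3 $MAP_COMMAND"]`. The `sh -c` wrapper itself is still required here because exec form does no variable expansion, and `$MAP_COMMAND` is presumably left unquoted on purpose so it word-splits into script and arguments.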
diff --git a/docker/galah/docker-compose.yml b/docker/galah/docker-compose.yml
index 2b6da8cf..3bf660fa 100644
--- a/docker/galah/docker-compose.yml
+++ b/docker/galah/docker-compose.yml
@@ -21,7 +21,7 @@ services:
     environment:
       LLM_PROVIDER: "ollama"
       LLM_SERVER_URL: "http://ollama.local:11434"
-      LLM_MODEL: "gemma2"
+      LLM_MODEL: "llama3"
       # LLM_TEMPERATURE: ${GALAH_LLM_TEMPERATURE}
       # LLM_API_KEY: ${GALAH_LLM_API_KEY}
       # LLM_CLOUD_LOCATION: ${GALAH_LLM_CLOUD_LOCATION}
@@ -30,4 +30,4 @@ services:
     volumes:
      - $HOME/tpotce/data/galah/cache:/opt/galah/config/cache
      - $HOME/tpotce/data/galah/cert:/opt/galah/config/cert
-     - $HOME/tpotce/data/galah/log:/opt/galah/log
\ No newline at end of file
+     - $HOME/tpotce/data/galah/log:/opt/galah/log
diff --git a/docker/tpotinit/dist/bin/clean.sh b/docker/tpotinit/dist/bin/clean.sh
index e4a5b8c2..acc767d5 100755
--- a/docker/tpotinit/dist/bin/clean.sh
+++ b/docker/tpotinit/dist/bin/clean.sh
@@ -198,6 +198,14 @@ fuFATT () {
   chown tpot:tpot -R /data/fatt
 }
 
+# Let's create a function to clean up and prepare galah data
+fuGALAH () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/galah/*; fi
+  mkdir -vp /data/galah/{cache,cert,log}
+  chmod 770 /data/galah/ -R
+  chown tpot:tpot /data/galah/ -R
+}
+
 # Let's create a function to clean up and prepare glastopf data
 fuGLUTTON () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/glutton/*; fi
@@ -382,6 +390,7 @@ fuELASTICPOT
 fuELK
 fuENDLESSH
 fuFATT
+fuGALAH
 fuGLUTTON
 fuHERALDING
 fuHELLPOT
diff --git a/docker/tpotinit/dist/etc/logrotate/logrotate.conf b/docker/tpotinit/dist/etc/logrotate/logrotate.conf
index 9576fb47..6f630906 100644
--- a/docker/tpotinit/dist/etc/logrotate/logrotate.conf
+++ b/docker/tpotinit/dist/etc/logrotate/logrotate.conf
@@ -18,6 +18,7 @@
 /data/elk/log/*.log
 /data/endlessh/log/*.log
 /data/fatt/log/fatt.log
+/data/galah/log/*.json
 /data/glutton/log/*.log
 /data/glutton/log/*.err
 /data/hellpot/log/*.log
diff --git a/env.example b/env.example
index 65a3d217..d7329bbc 100644
--- a/env.example
+++ b/env.example
@@ -111,7 +111,7 @@ OINKCODE=OPEN
 # BEELZEBUB_OPENAISECRETKEY: "sk-proj-123456"
 BEELZEBUB_LLM_MODEL: "ollama"
 BEELZEBUB_LLM_HOST: "http://ollama.local:11434/api/chat"
-BEELZEBUB_OLLAMA_MODEL: "llama3.1"
+BEELZEBUB_OLLAMA_MODEL: "openchat"
 
 # Galah is a LLM-powered web honeypot supporting various LLM backends.
 # Galah is not part of the standard edition, please follow the README regarding setup.
@@ -125,8 +125,8 @@ BEELZEBUB_OLLAMA_MODEL: "llama3.1"
 # GALAH_LLM_CLOUD_LOCATION: ""
 # GALAH_LLM_CLOUD_PROJECT: ""
 GALAH_LLM_PROVIDER: "ollama"
-GALAH_LLM_SERVER_URL: "http://ollama.local:11434/api/chat"
-GALAH_LLM_MODEL: "gemma2"
+GALAH_LLM_SERVER_URL: "http://ollama.local:11434"
+GALAH_LLM_MODEL: "llama3"
 
 
 ###################################################################################