From b86d2c715b617a679f80ed349ac722e10a983516 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Mon, 24 Aug 2020 21:36:08 +0000
Subject: [PATCH] prep for ipphoney

---
 README.md | 7 +++++--
 bin/clean.sh | 9 +++++++++
 docker/elk/logstash/dist/logstash.conf | 27 +++++++++++++++++++++++++-
 etc/compose/nextgen.yml | 14 +++++++++++++
 etc/logrotate/logrotate.conf | 1 +
 iso/installer/install.sh | 1 +
 update.sh | 1 +
 7 files changed, 57 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 70287c35..078e13d5 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,7 @@ and includes dockerized versions of the following honeypots
 * [honeypy](https://github.com/foospidy/HoneyPy),
 * [honeysap](https://github.com/SecureAuthCorp/HoneySAP),
 * [honeytrap](https://github.com/armedpot/honeytrap/),
+* [ipphoney](https://gitlab.com/bontchev/ipphoney),
 * [mailoney](https://github.com/awhitehatter/mailoney),
 * [medpot](https://github.com/schmalle/medpot),
 * [rdpy](https://github.com/citronneur/rdpy),
@@ -99,6 +100,7 @@ In T-Pot we combine the dockerized honeypots ...
 * [honeypy](https://github.com/foospidy/HoneyPy),
 * [honeysap](https://github.com/SecureAuthCorp/HoneySAP),
 * [honeytrap](https://github.com/armedpot/honeytrap/),
+* [ipphoney](https://gitlab.com/bontchev/ipphoney),
 * [mailoney](https://github.com/awhitehatter/mailoney),
 * [medpot](https://github.com/schmalle/medpot),
 * [rdpy](https://github.com/citronneur/rdpy),
@@ -168,7 +170,7 @@ There are prebuilt installation types available each focussing on different aspe
 ##### NextGen
-- Honeypots: adbhoney, ciscoasa, citrixhoneypot, conpot, cowrie, dicompot, dionaea, glutton, heralding, honeypy, honeysap, mailoney, medpot, rdpy, snare & tanner
+- Honeypots: adbhoney, ciscoasa, citrixhoneypot, conpot, cowrie, dicompot, dionaea, glutton, heralding, honeypy, honeysap, ipphoney, mailoney, medpot, rdpy, snare & tanner
 - Tools: cockpit, cyberchef, ELK, fatt, elasticsearch head, ewsposter, nginx / heimdall, spiderfoot, p0f & suricata
@@ -487,7 +489,7 @@ We hope you understand that we cannot provide support on an individual basis. We
 # Licenses
 The software that T-Pot is built on uses the following licenses.
GPLv2: [conpot](https://github.com/mushorg/conpot/blob/master/LICENSE.txt), [dionaea](https://github.com/DinoTools/dionaea/blob/master/LICENSE), [honeysap](https://github.com/SecureAuthCorp/HoneySAP/blob/master/COPYING), [honeypy](https://github.com/foospidy/HoneyPy/blob/master/LICENSE), [honeytrap](https://github.com/armedpot/honeytrap/blob/master/LICENSE), [suricata](http://suricata-ids.org/about/open-source/) -
GPLv3: [adbhoney](https://github.com/huuck/ADBHoney), [elasticpot](https://gitlab.com/bontchev/elasticpot/-/blob/master/LICENSE), [ewsposter](https://github.com/dtag-dev-sec/ews/), [fatt](https://github.com/0x4D31/fatt/blob/master/LICENSE), [rdpy](https://github.com/citronneur/rdpy/blob/master/LICENSE), [heralding](https://github.com/johnnykv/heralding/blob/master/LICENSE.txt), [snare](https://github.com/mushorg/snare/blob/master/LICENSE), [tanner](https://github.com/mushorg/snare/blob/master/LICENSE) +
GPLv3: [adbhoney](https://github.com/huuck/ADBHoney), [elasticpot](https://gitlab.com/bontchev/elasticpot/-/blob/master/LICENSE), [ewsposter](https://github.com/dtag-dev-sec/ews/), [fatt](https://github.com/0x4D31/fatt/blob/master/LICENSE), [rdpy](https://github.com/citronneur/rdpy/blob/master/LICENSE), [heralding](https://github.com/johnnykv/heralding/blob/master/LICENSE.txt), [ipphoney](https://gitlab.com/bontchev/ipphoney/-/blob/master/LICENSE), [snare](https://github.com/mushorg/snare/blob/master/LICENSE), [tanner](https://github.com/mushorg/snare/blob/master/LICENSE)
Apache 2 License: [cyberchef](https://github.com/gchq/CyberChef/blob/master/LICENSE), [dicompot](https://github.com/nsmfoo/dicompot/blob/master/LICENSE), [elasticsearch](https://github.com/elasticsearch/elasticsearch/blob/master/LICENSE.txt), [logstash](https://github.com/elasticsearch/logstash/blob/master/LICENSE), [kibana](https://github.com/elasticsearch/kibana/blob/master/LICENSE.md), [docker](https://github.com/docker/docker/blob/master/LICENSE), [elasticsearch-head](https://github.com/mobz/elasticsearch-head/blob/master/LICENCE)
MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE)
Other: [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot#licencing-agreement-malwaretech-public-licence), [cowrie](https://github.com/micheloosterhof/cowrie/blob/master/LICENSE.md), [mailoney](https://github.com/awhitehatter/mailoney), [Debian licensing](https://www.debian.org/legal/licenses/)
@@ -519,6 +521,7 @@ Without open source and the fruitful development community (we are proud to be a
 * [honeypy](https://github.com/foospidy/HoneyPy/graphs/contributors)
 * [honeysap](https://github.com/SecureAuthCorp/HoneySAP/graphs/contributors)
 * [honeytrap](https://github.com/armedpot/honeytrap/graphs/contributors)
+* [ipphoney](https://gitlab.com/bontchev/ipphoney/-/project_members)
 * [kibana](https://github.com/elastic/kibana/graphs/contributors)
 * [logstash](https://github.com/elastic/logstash/graphs/contributors)
 * [mailoney](https://github.com/awhitehatter/mailoney)
diff --git a/bin/clean.sh b/bin/clean.sh
index ea939645..65d28d83 100755
--- a/bin/clean.sh
+++ b/bin/clean.sh
@@ -197,6 +197,14 @@ fuHONEYTRAP () {
 chown tpot:tpot /data/honeytrap/ -R
 }
+# Let's create a function to clean up and prepare ipphoney data
+fuIPPHONEY () {
+ if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ipphoney/*; fi
+ mkdir -p /data/ipphoney/log
+ chmod 770 /data/ipphoney -R
+ chown tpot:tpot /data/ipphoney -R
+}
+
 # Let's create a function to clean up and prepare mailoney data
 fuMAILONEY () {
 if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi
@@ -298,6 +306,7 @@ if [ "$myPERSISTENCE" = "on" ];
 fuHONEYSAP
 fuHONEYPY
 fuHONEYTRAP
+ fuIPPHONEY
 fuMAILONEY
 fuMEDPOT
 fuNGINX
diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf
index aa46dd95..530e38fd 100644
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
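Review bot: `chmod 770 /data/ipphoney -R` in fuIPPHONEY sets the execute bit on every regular file already under the tree as well as on the directories, so any ipphoney.json logs present at clean time end up mode 770 rather than 660. `chmod -R u=rwX,g=rwX,o= /data/ipphoney` keeps directory traversal and the same owner/group access without marking data files executable. This mirrors the neighbouring fuHONEYTRAP and fuMAILONEY functions, so it is an existing pattern rather than something this commit introduces; if it is changed here the siblings should follow. Placing `-R` after the path also relies on GNU option permutation, which works on the Debian base but is not portable shell.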
@@ -112,6 +112,13 @@ input {
 type => "Honeytrap"
 }
+# Ipphoney
+ file {
+ path => ["/data/ipphoney/log/ipphoney.json"]
+ codec => json
+ type => "Ipphoney"
+ }
+
 # Mailoney
 file {
 path => ["/data/mailoney/log/commands.log"]
@@ -415,6 +422,24 @@ filter {
 }
 }
+# Ipphoney
+ if [type] == "Ipphoney" {
+ date {
+ match => [ "timestamp", "ISO8601" ]
+ }
+ mutate {
+ rename => {
+ "content_type" => "http.http_content_type"
+ "dst_port" => "dest_port"
+ "dst_ip" => "dest_ip"
+ "request" => "request_method"
+ "operation" => "data"
+ "user_agent" => "http_user_agent"
+ "url" => "http.url"
+ }
+ }
+ }
+
 # Mailoney
 if [type] == "Mailoney" {
 date {
@@ -518,7 +543,7 @@ if "_grokparsefailure" in [tags] { drop {} } } # Add T-Pot hostname and external IP
- if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dicompot" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeysap" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
+ if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dicompot" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeysap" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Ipphoney" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
 mutate {
 add_field => {
 "t-pot_ip_ext" => "${MY_EXTIP}"
diff --git a/etc/compose/nextgen.yml b/etc/compose/nextgen.yml
index 7d140c59..80a7e7ae 100644
--- a/etc/compose/nextgen.yml
+++ b/etc/compose/nextgen.yml
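Review bot: The rename targets in the new Ipphoney mutate block mix two naming schemes: `"url" => "http.url"` and `"content_type" => "http.http_content_type"` use a dotted name while `"user_agent" => "http_user_agent"` and `"request" => "request_method"` stay flat. In Logstash a plain dotted string names a single top-level field literally called `http.url`, not the nested reference `[http][url]`; Elasticsearch will typically expand the dot into an `http` object at index time, but that presumably breaks if another event type in this pipeline already carries `http` as a non-object field. Either write the nesting deliberately, `"url" => "[http][url]"` and `"content_type" => "[http][http_content_type]"`, or keep everything flat like the other two keys, matching whatever the other honeypot filters (outside this hunk) emit. `"operation" => "data"` folds attacker-supplied IPP operation names into the generic `data` field; a one-line comment saying that is intentional would stop a later reader from "correcting" it.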
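Review bot: The `t-pot_ip_ext` guard is now a 21-way `or` chain that must be hand-edited for every honeypot, and a type that is forgotten here silently loses the external-IP and hostname enrichment with no error. Logstash conditionals support list membership, so `if [type] in ["Adbhoney", "Ciscoasa", "CitrixHoneypot", "ConPot", "Cowrie", "Dicompot", "Dionaea", "ElasticPot", "Fatt", "Glutton", "Honeysap", "Honeytrap", "Heralding", "Honeypy", "Ipphoney", "Mailoney", "Medpot", "P0f", "Rdpy", "Suricata", "Tanner"] {` is equivalent and makes an omission far easier to spot in review. A comment above it, `# keep in sync with the input types defined above`, would document the coupling. The enclosing `filter { }` block begins outside this hunk.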
@@ -18,6 +18,7 @@ networks:
 heralding_local:
 honeypy_local:
 honeysap_local:
+ ipphoney_local:
 mailoney_local:
 medpot_local:
 rdpy_local:
@@ -323,6 +324,19 @@ services:
 volumes:
 - /data/honeysap/log:/opt/honeysap/log
+# Ipphoney service
+ ipphoney:
+ container_name: ipphoney
+ restart: always
+ networks:
+ - ipphoney_local
+ ports:
+ - "631:631"
+ image: "dtagdevsec/ipphoney:2006"
+ read_only: true
+ volumes:
+ - /data/ipphoney/log:/opt/ipphoney/log
+
 # Mailoney service
 mailoney:
 container_name: mailoney
diff --git a/etc/logrotate/logrotate.conf b/etc/logrotate/logrotate.conf
index f3bc05bd..19a08e6c 100644
--- a/etc/logrotate/logrotate.conf
+++ b/etc/logrotate/logrotate.conf
@@ -24,6 +24,7 @@
 /data/honeysap/log/*.log
 /data/honeytrap/log/*.log
 /data/honeytrap/log/*.json
+/data/ipphoney/log/*.json
 /data/mailoney/log/*.log
 /data/medpot/log/*.log
 /data/nginx/log/*.log
diff --git a/iso/installer/install.sh b/iso/installer/install.sh
index 719d745f..fc43b8f5 100755
--- a/iso/installer/install.sh
+++ b/iso/installer/install.sh
@@ -810,6 +810,7 @@ mkdir -vp /data/adbhoney/{downloads,log} \
 /data/heralding/log \
 /data/honeypy/log \
 /data/honeysap/log \
+ /data/ipphoney/log \
 /data/mailoney/log \
 /data/medpot/log \
 /data/nginx/{log,heimdall} \
diff --git a/update.sh b/update.sh
index ba8f1f54..f2032674 100755
--- a/update.sh
+++ b/update.sh
@@ -238,6 +238,7 @@ mkdir -vp /data/adbhoney/{downloads,log} \
 /data/heralding/log \
 /data/honeypy/log \
 /data/honeysap/log \
+ /data/ipphoney/log \
 /data/mailoney/log \
 /data/medpot/log \
 /data/nginx/{log,heimdall} \
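Review bot: The new `ipphoney` service pulls its image by the mutable tag `image: "dtagdevsec/ipphoney:2006"`, so whatever the registry serves under that tag at pull time is what gets exposed on tcp/631 with `restart: always`; pinning by digest once the image is published (`image: "dtagdevsec/ipphoney:2006@sha256:<digest>"`) would make the deployed honeypot reproducible and tamper-evident. `read_only: true` with the single writable bind mount `/data/ipphoney/log:/opt/ipphoney/log` is the right shape, but if the process also writes elsewhere (e.g. /tmp) it will fail at runtime without a `tmpfs:` entry — that can only be confirmed against the image, which is not part of this commit. The sibling services are outside this hunk, so I cannot tell whether they drop capabilities or set a user; if they do, ipphoney should match them.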