Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-07-01 20:42:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

logstash parsing for ddospot, hellpot

Browse source
This commit is contained in:
t3chn0m4g3 2021-10-28 18:57:55 +00:00
parent 1a844d13ba
commit c1eb9f7216
1 changed files with 47 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

47
docker/elk/logstash/dist/logstash.conf vendored
View file

@ -320,6 +320,38 @@ filter {
match => [ "time", "yyyy-MM-dd HH:mm:ss.SSSSSS" ] match => [ "time", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
remove_field => ["time"] remove_field => ["time"]
} }
if [path] == "/data/ddospot/log/chargenpot.log" {
mutate {
add_field => {
"dest_port" => "19"
"dest_ip" => "${MY_EXTIP}"
}
}
}
if [path] == "/data/ddospot/log/dnspot.log" {
mutate {
add_field => {
"dest_port" => "53"
"dest_ip" => "${MY_EXTIP}"
}
}
}
if [path] == "/data/ddospot/log/ntpot.log" {
mutate {
add_field => {
"dest_port" => "123"
"dest_ip" => "${MY_EXTIP}"
}
}
}
if [path] == "/data/ddospot/log/ssdpot.log" {
mutate {
add_field => {
"dest_port" => "1900"
"dest_ip" => "${MY_EXTIP}"
}
}
}
} }
# Dionaea # Dionaea
@ -397,6 +429,21 @@ filter {
} }
} }
# Hellpot
if [type] == "Hellpot" {
date {
match => [ "time", "ISO8601" ]
remove_field => ["time"]
remove_field => ["timestamp"]
}
mutate {
add_field => {
"dest_port" => "80"
"dest_ip" => "${MY_EXTIP}"
}
}
}
# Heralding # Heralding
if [type] == "Heralding" { if [type] == "Heralding" {
csv { csv {