logstash parsing for ddospot, hellpot

2025-07-01 20:42:11 +00:00 · 2021-10-28 18:57:55 +00:00 · 2021-10-28 18:57:55 +00:00 · c1eb9f7216
commit c1eb9f7216
parent 1a844d13ba
1 changed files with 47 additions and 0 deletions
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@ -320,6 +320,38 @@ filter {
      match => [ "time", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
      remove_field => ["time"]
    }
+    if [path] == "/data/ddospot/log/chargenpot.log" {
+      mutate {
+        add_field => {
+	  "dest_port" => "19"
+          "dest_ip" => "${MY_EXTIP}"
+	}
+      }
+    }
+    if [path] == "/data/ddospot/log/dnspot.log" {
+      mutate {
+        add_field => {
+          "dest_port" => "53"
+          "dest_ip" => "${MY_EXTIP}"
+        }
+      }
+    }
+    if [path] == "/data/ddospot/log/ntpot.log" {
+      mutate {
+        add_field => {
+          "dest_port" => "123"
+          "dest_ip" => "${MY_EXTIP}"
+        }
+      }
+    }
+    if [path] == "/data/ddospot/log/ssdpot.log" {
+      mutate {
+        add_field => {
+          "dest_port" => "1900"
+          "dest_ip" => "${MY_EXTIP}"
+        }
+      }
+    }
  }

 # Dionaea
@ -397,6 +429,21 @@ filter {
    }
  }

+# Hellpot
+  if [type] == "Hellpot" {
+    date {
+      match => [ "time", "ISO8601" ]
+      remove_field => ["time"]
+      remove_field => ["timestamp"]
+    }
+    mutate {
+      add_field => {
+        "dest_port" => "80"
+        "dest_ip" => "${MY_EXTIP}"
+      }
+    }
+  }
+
 # Heralding
  if [type] == "Heralding" {
    csv {