finetune new honeypots logging

This commit is contained in:
t3chn0m4g3 2021-11-02 19:13:28 +00:00
parent db74c610ad
commit c9b909e51d
2 changed files with 16 additions and 10 deletions


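--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -15,7 +15,7 @@ RUN apk -U --no-cache add \
 libc6-compat \
 libzmq \
 nss && \
-apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing openjdk16-jre && \
+apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/community openjdk16-jre && \
 #
 # Get and install packages
 mkdir -p /etc/listbot && \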
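Review bot: The moved repository line still installs `openjdk16-jre` from the rolling `edge/community` branch through the `-X` override with no version pin, so the JRE the image ships with is whatever edge holds at build time and can change silently from one build to the next. If reproducible images matter here, pin it, e.g. `apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/community openjdk16-jre=<version-observed-in-your-build>`, or record the resolved version in the build log so a drift is at least visible. The switch from `edge/testing` to `edge/community` is an improvement, since community packages are the maintained tier, but mixing an edge repository into what appears to be a non-edge base image can still pull in libraries that are newer than the rest of the image; this is inferred from the `-X` use and should be confirmed against the base image. The `RUN` instruction starts and ends outside the hunk.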


@ -425,7 +425,7 @@ filter {
# Example: 2021-10-29T21:08:31.026Z CLOSE host=1.2.3.4 port=12345 fd=4 time=20.015 bytes=24 # Example: 2021-10-29T21:08:31.026Z CLOSE host=1.2.3.4 port=12345 fd=4 time=20.015 bytes=24
# Example: 2021-10-29T21:08:11.011Z ACCEPT host=1.2.3.4 port=12346 fd=4 n=1/4096 # Example: 2021-10-29T21:08:11.011Z ACCEPT host=1.2.3.4 port=12346 fd=4 n=1/4096
if [type] == "Endlessh" { if [type] == "Endlessh" {
grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}time=%{SECOND:DURATION}%{SPACE}bytes=%{NUMBER:BYTES}", "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}n=%{INT}/%{INT}" ] } } grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}time=%{SECOND:duration}%{SPACE}bytes=%{NUMBER:bytes}", "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}n=%{INT}/%{INT}" ] } }
date { date {
match => [ "timestamp", "ISO8601" ] match => [ "timestamp", "ISO8601" ]
remove_field => ["timestamp"] remove_field => ["timestamp"]
@ -458,6 +458,14 @@ filter {
"dest_port" => "80" "dest_port" => "80"
"dest_ip" => "${MY_EXTIP}" "dest_ip" => "${MY_EXTIP}"
} }
rename => {
"BYTES" => "bytes"
"DURATION" => "duration"
"REMOTE_ADDR" => "src_ip"
"URL" => "url"
"USERAGENT" => "http_user_agent"
"message" => "reason"
}
} }
} }
@ -670,15 +678,13 @@ if "_jsonparsefailure" in [tags] { drop {} }
} }
# Add T-Pot hostname and external IP # Add T-Pot hostname and external IP
# if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dicompot" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeysap" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Ipphoney" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" { mutate {
mutate { add_field => {
add_field => { "t-pot_ip_ext" => "${MY_EXTIP}"
"t-pot_ip_ext" => "${MY_EXTIP}" "t-pot_ip_int" => "${MY_INTIP}"
"t-pot_ip_int" => "${MY_INTIP}" "t-pot_hostname" => "${MY_HOSTNAME}"
"t-pot_hostname" => "${MY_HOSTNAME}"
}
} }
# } }
} }
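Review bot: In the Endlessh grok pattern of the first hunk (line 425), `time=%{SECOND:duration}` only matches durations up to 60 because the stock `SECOND` pattern is `[0-5]?[0-9]|60` with an optional fraction, so a CLOSE line for a connection held longer than a minute, the normal case for a tarpit, fails the whole match, gets tagged `_grokparsefailure`, and loses `src_ip`, `src_port`, `duration` and `bytes`; the commit renames the capture to lowercase but keeps the pattern. Use `time=%{NUMBER:duration}` instead, i.e. `%{SPACE}time=%{NUMBER:duration}%{SPACE}bytes=%{NUMBER:bytes}`. The example comment above the pattern (`time=20.015`) only matches because it is under a minute, so it does not exercise the failing case. The enclosing `filter` block, and possibly the last hunk, continue outside the view.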