finetune new honeypots logging
This commit is contained in:
parent
db74c610ad
commit
c9b909e51d
2 changed files with 16 additions and 10 deletions
|
@ -15,7 +15,7 @@ RUN apk -U --no-cache add \
|
|||
libc6-compat \
|
||||
libzmq \
|
||||
nss && \
|
||||
apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing openjdk16-jre && \
|
||||
apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/community openjdk16-jre && \
|
||||
#
|
||||
# Get and install packages
|
||||
mkdir -p /etc/listbot && \
|
||||
|
|
12
docker/elk/logstash/dist/logstash.conf
vendored
12
docker/elk/logstash/dist/logstash.conf
vendored
|
@ -425,7 +425,7 @@ filter {
|
|||
# Example: 2021-10-29T21:08:31.026Z CLOSE host=1.2.3.4 port=12345 fd=4 time=20.015 bytes=24
|
||||
# Example: 2021-10-29T21:08:11.011Z ACCEPT host=1.2.3.4 port=12346 fd=4 n=1/4096
|
||||
if [type] == "Endlessh" {
|
||||
grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}time=%{SECOND:DURATION}%{SPACE}bytes=%{NUMBER:BYTES}", "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}n=%{INT}/%{INT}" ] } }
|
||||
grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}time=%{SECOND:duration}%{SPACE}bytes=%{NUMBER:bytes}", "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}n=%{INT}/%{INT}" ] } }
|
||||
date {
|
||||
match => [ "timestamp", "ISO8601" ]
|
||||
remove_field => ["timestamp"]
|
||||
|
@ -458,6 +458,14 @@ filter {
|
|||
"dest_port" => "80"
|
||||
"dest_ip" => "${MY_EXTIP}"
|
||||
}
|
||||
rename => {
|
||||
"BYTES" => "bytes"
|
||||
"DURATION" => "duration"
|
||||
"REMOTE_ADDR" => "src_ip"
|
||||
"URL" => "url"
|
||||
"USERAGENT" => "http_user_agent"
|
||||
"message" => "reason"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -670,7 +678,6 @@ if "_jsonparsefailure" in [tags] { drop {} }
|
|||
}
|
||||
|
||||
# Add T-Pot hostname and external IP
|
||||
# if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dicompot" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeysap" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Ipphoney" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
|
||||
mutate {
|
||||
add_field => {
|
||||
"t-pot_ip_ext" => "${MY_EXTIP}"
|
||||
|
@ -678,7 +685,6 @@ if "_jsonparsefailure" in [tags] { drop {} }
|
|||
"t-pot_hostname" => "${MY_HOSTNAME}"
|
||||
}
|
||||
}
|
||||
# }
|
||||
|
||||
}
|
||||
|
||||
|
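Review bot: On the new Endlessh grok line the `time=` value is captured with `%{SECOND:duration}`, and the stock SECOND pattern shipped with logstash-patterns-core only accepts 0–60 with an optional fraction, so a CLOSE line for a session held longer than a minute — the normal case for a tarpit that exists to hold clients — matches neither alternative and the event ends up tagged `_grokparsefailure` with no duration or bytes at all (the L51 example only shows `time=20.015`, which hides this). Change it to `%{NUMBER:duration}`; `%{NUMBER:duration:float}` and `%{NUMBER:bytes:int}` would additionally store both as numbers instead of strings, which the later `BYTES`/`DURATION` rename for the other honeypot does not do either. A one-line comment above the grok such as `# time= is seconds since connect and can reach hours; do not use SECOND here` would keep the next edit from reintroducing it. The Endlessh filter block continues past the hunk.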
|