diff --git a/README.md b/README.md index bd1acc1a..9e2b4f2a 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -# T-Pot 18.11 +# T-Pot 19.03 -T-Pot 18.11 runs on the latest 18.04.x LTS Ubuntu Server Network Installer image, is based on +T-Pot 19.03 runs on Debian (Sid), is based heavily on [docker](https://www.docker.com/), [docker-compose](https://docs.docker.com/compose/) @@ -9,12 +9,13 @@ and includes dockerized versions of the following honeypots * [adbhoney](https://github.com/huuck/ADBHoney), * [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot), * [conpot](http://conpot.org/), -* [cowrie](http://www.micheloosterhof.com/cowrie/), +* [cowrie](https://github.com/cowrie/cowrie), * [dionaea](https://github.com/DinoTools/dionaea), -* [elasticpot](https://github.com/schmalle/ElasticPot), +* [elasticpot](https://github.com/schmalle/ElasticpotPY), * [glastopf](http://mushmush.org/), * [glutton](https://github.com/mushorg/glutton), * [heralding](https://github.com/johnnykv/heralding), +* [honeypy](https://github.com/foospidy/HoneyPy), * [honeytrap](https://github.com/armedpot/honeytrap/), * [mailoney](https://github.com/awhitehatter/mailoney), * [medpot](https://github.com/schmalle/medpot), @@ -60,6 +61,7 @@ Furthermore we use the following tools - [Tools](#tools) - [Maintenance](#maintenance) - [Community Data Submission](#submission) + - [Opt-In HPFEEDS Data Submission](#hpfeeds-optin) - [Roadmap](#roadmap) - [Disclaimer](#disclaimer) - [FAQ](#faq) @@ -67,58 +69,54 @@ Furthermore we use the following tools - [Licenses](#licenses) - [Credits](#credits) - [Stay tuned](#staytuned) +- [Testimonial](#testimonial) - [Fun Fact](#funfact) -# Changelog -- **New honeypots** - - *Adbhoney* Low interaction honeypot designed for Android Debug Bridge over TCP/IP. - - *Ciscoasa* a low interaction honeypot for the Cisco ASA component capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability. - - *Glutton* (NextGen) is the all eating honeypot - - *Heralding* a credentials catching honeypot. - - *Medpot* is a HL7 / FHIR honeypot. - - *Snare* is a web application honeypot sensor, is the successor of Glastopf. SNARE has feature parity with Glastopf and allows to convert existing web pages into attack surfaces. - - *Tanner* is SNARES' "brain". Every event is send from SNARE to TANNER, gets evaluated and TANNER decides how SNARE should respond to the client. This allows us to change the behaviour of many sensors on the fly. We are providing a TANNER instance for your use, but there is nothing stopping you from setting up your own instance. -- **New tools** - - *Cockpit* is an interactive server admin interface. It is easy to use and very lightweight. Cockpit interacts directly with the operating system from a real Linux session in a browser. - - *Cyberchef* is the Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis. - - *grc* (commandline) is yet another colouriser (written in python) for beautifying your logfiles or output of commands. - - *multitail* (commandline) allows you to monitor logfiles and command output in multiple windows in a terminal, colorize, filter and merge. - - *tped.sh* (commandline) allows you to switch between T-Pot Editions after installation. -- **Deprecated tools** - - *Netdata*, *Portainer* and *WeTTY* were superseded by *Cockpit* which is much more lightweight, perfectly well integrated into Ubuntu 18.04 LTS and of course comes with the same but a more basic feature set. -- **New Standard Installation** - - The new standard installation is now running a whopping *14* honeypot instances. -- **T-Pot Universal Installer** - - The T-Pot installer now also includes the option to install on a existing machine, the T-Pot-Autoinstaller is no longer necessary. -- **Tighten Security** - - The docker containers are now running mostly with a read-only file system - - If possible using `setcap` to start daemons without root or dropping privileges - - Introducing `fail2ban` to ease up on `authorized_keys` requirement which is no longer necessary for `SSH`. Also to further prevent brute-force attacks on `Cockpit` and `NGINX` allowing for faster load times of the WebUI. -- **Iptables exceptions for NFQ based honeypots** - - In previous versions `iptables`had manually be maintained, now a a script parses `/opt/tpot/etc/tpot.yml` and extracts port information to automatically generate exceptions for ports that should not be forwarded to NFQ. -- **CI** - - The Kibana UI now uses a magenta theme. -- **ES HEAD** - - A Java Script now automatically enters the correct FQDN / IP. A manual step is no longer required. -- **ELK STACK** - - The ELK Stack was updated to the latest 6.x versions. - - This also means you can now expect the availability of basic *X-Pack-Feaures*, the full feature set however is only available to users with a valid license. -- **Dashboards Makeover** - - Because Kibana 6.x introduced so much whitespace the dashboards and some of the visualizations needed some overhaul. While it probably needs some getting used to the key was to focus on displaying as much information while not compromising on clarity. - - Because of the new honeypots we now more than **200 Visualizations** pre-configured and compiled to 16 individual **Kibana Dashboards**. Monitor all *honeypot events* locally on your T-Pot installation. Aside from *honeypot events* you can also view *Suricata NSM and NGINX* events for a quick overview of wire events. -- **Honeypot updates and improvements** - - All honeypots were updated to their latest stable versions. - - Docker images were mostly overhauled to tighten security even further - - Some of the honeypot configurations were modified to keep things fresh +# Release Notes +- **Move from Ubuntu 18.04 to Debian (Sid)** + - For almost 5 years Ubuntu LTS versions were our distributions of choice. Last year we made a design choice for T-Pot to be closer to a rolling release model and thus allowing us to issue smaller changes and releases in a more timely manner. The distribution of choice is Debian (Sid / unstable) which will provide us with the latest advancements in a Debian based distribution. +- **Include HoneyPy honeypot** + - *HoneyPy* is now included in the NEXTGEN installation type +- **Include Suricata 4.1.3** + - Building *Suricata 4.1.3* from scratch to enable JA3 and overall better protocol support. +- **Update tools to the latest versions** + - ELK Stack 6.6.2 + - CyberChef 8.27.0 + - SpiderFoot v3.0 + - Cockpit 188 + - NGINX is now built to enforce TLS 1.3 on the T-Pot WebUI +- **Update honeypots** + - Where possible / feasible the honeypots have been updated to their latest versions. + - *Cowrie* now supports *HASSH* generated hashes which allows for an easier identification of an attacker accross IP adresses. + - *Heralding* now supports *SOCKS5* emulation. +- **Update Dashboards & Visualizations** + - *Offset Dashboard* added to easily spot changes in attacks on a single dashboard in 24h time window. + - *Cowrie Dashboard* modified to integrate *HASSH* support / visualizations. + - *HoneyPy Dashboard* added to support latest honeypot addition. + - *Suricata Dashboard* modified to integrate *JA3* support / visualizations. +- **Debian mirror selection** + - During base install you now have to manually select a mirror. + - Upon T-Pot install the mirror closest to you will be determined automatically. + - This solves peering problems for most of the users speeding up installation and updates. +- **Bugs** + - Fixed issue #298 where the import and export of objects on the shell did not work. + - Fixed issue #313 where Spiderfoot raised a KeyError, which was previously fixed in upstream. + - Fixed error in Suricata where path for reference.config changed. +- **Release Cycle** + - As far as possible we will integrate changes now faster into the master branch, eliminating the need for monolithic releases. The update feature will be continuously improved on that behalf. However this might not account for all feature changes. +- **HPFEEDS Opt-In** + - If you want to share your T-Pot data with a 3rd party HPFEEDS broker such as [SISSDEN](https://sissden.eu) you can do so by creating an account at the SISSDEN portal and run `hpfeeds_optin.sh` on T-Pot. - **Update Feature** - - For the ones who like to live on the bleeding edge of T-Pot development there is now a update script available in `/opt/tpot/update.sh`. - - This feature is now in beta and is mostly intended to provide you with the latest development advances without the need of reinstalling T-Pot. + - For the ones who like to live on the bleeding edge of T-Pot development there is now an update script available in `/opt/tpot/update.sh`. + - This feature is beta and is mostly intended to provide you with the latest development advances without the need of reinstalling T-Pot. +- **Deprecated tools** + - *ctop* will no longer be part of T-Pot. # Technical Concept -T-Pot is based on the network installer of Ubuntu Server 18.04.x LTS. +T-Pot is based on the network installer Debian (Stretch). During installation the whole system will be updated to Debian (Sid). The honeypot daemons as well as other support components being used have been containerized using [docker](http://docker.io). This allows us to run multiple honeypot daemons on the same network interface while maintaining a small footprint and constrain each honeypot within its own environment. @@ -132,6 +130,7 @@ In T-Pot we combine the dockerized honeypots ... * [glastopf](http://mushmush.org/), * [glutton](https://github.com/mushorg/glutton), * [heralding](https://github.com/johnnykv/heralding), +* [honeypy](https://github.com/foospidy/HoneyPy), * [honeytrap](https://github.com/armedpot/honeytrap/), * [mailoney](https://github.com/awhitehatter/mailoney), * [medpot](https://github.com/schmalle/medpot), @@ -147,11 +146,11 @@ In T-Pot we combine the dockerized honeypots ... * [Spiderfoot](https://github.com/smicallef/spiderfoot) a open source intelligence automation tool. * [Suricata](http://suricata-ids.org/) a Network Security Monitoring engine. -... to give you the best out-of-the-box experience possible and a easy-to-use multi-honeypot appliance. +... to give you the best out-of-the-box experience possible and an easy-to-use multi-honeypot appliance. ![Architecture](doc/architecture.png) -While data within docker containers is volatile we do now ensure a default 30 day persistence of all relevant honeypot and tool data in the well known `/data` folder and sub-folders. The persistence configuration may be adjusted in `/opt/tpot/etc/logrotate/logrotate.conf`. Once a docker container crashes, all other data produced within its environment is erased and a fresh instance is started from the corresponding docker image.
+While data within docker containers is volatile we do ensure a default 30 day persistence of all relevant honeypot and tool data in the well known `/data` folder and sub-folders. The persistence configuration may be adjusted in `/opt/tpot/etc/logrotate/logrotate.conf`. Once a docker container crashes, all other data produced within its environment is erased and a fresh instance is started from the corresponding docker image.
Basically, what happens when the system is booted up is the following: @@ -170,7 +169,7 @@ The individual docker configurations are located in the [docker folder](https:// Depending on your installation type, whether you install on [real hardware](#hardware) or in a [virtual machine](#vm), make sure your designated T-Pot system meets the following requirements: ##### Standard Installation -- Honeypots: adbhoney, ciscoasa, conpot, cowrie, dionaea, elasticpot, heralding, honeytrap, mailoney, rdpy, snare, tanner and vnclowpot +- Honeypots: adbhoney, ciscoasa, conpot, cowrie, dionaea, elasticpot, heralding, honeytrap, mailoney, medpot, rdpy, snare & tanner - Tools: cockpit, cyberchef, ELK, elasticsearch head, ewsposter, NGINX, spiderfoot, p0f and suricata - 6-8 GB RAM (less RAM is possible but might introduce swapping) @@ -179,7 +178,7 @@ Depending on your installation type, whether you install on [real hardware](#har - A working, non-proxied, internet connection ##### Sensor Installation -- Honeypots: adbhoney, ciscoasa, conpot, cowrie, dionaea, elasticpot, heralding, honeytrap, mailoney, rdpy, snare, tanner and vnclowpot +- Honeypots: adbhoney, ciscoasa, conpot, cowrie, dionaea, elasticpot, heralding, honeytrap, mailoney, medpot, rdpy, snare & tanner - Tools: cockpit - 6-8 GB RAM (less RAM is possible but might introduce swapping) @@ -188,7 +187,7 @@ Depending on your installation type, whether you install on [real hardware](#har - A working, non-proxied, internet connection ##### Industrial Installation -- Honeypots: conpot, rdpy, vnclowpot +- Honeypots: conpot, cowrie, heralding, medpot, rdpy - Tools: cockpit, cyberchef, ELK, elasticsearch head, ewsposter, NGINX, spiderfoot, p0f and suricata - 6-8 GB RAM (less RAM is possible but might introduce swapping) @@ -205,17 +204,8 @@ Depending on your installation type, whether you install on [real hardware](#har - Network via DHCP - A working, non-proxied, internet connection -##### NextGen Installation (Glutton instead of Honeytrap) -- Honeypots: adbhoney, ciscoasa, conpot, cowrie, dionaea, elasticpot, glutton, heralding, mailoney, rdpy, snare, tanner and vnclowpot -- Tools: cockpit, cyberchef, ELK, elasticsearch head, ewsposter, NGINX, spiderfoot, p0f and suricata - -- 6-8 GB RAM (less RAM is possible but might introduce swapping) -- 128 GB SSD (smaller is possible but limits the capacity of storing events) -- Network via DHCP -- A working, non-proxied, internet connection - -##### Legacy Installation (honeypots based on Standard Installation of T-Pot 17.10) -- Honeypots: cowrie, dionaea, elasticpot, glastopf, honeytrap, mailoney, rdpy and vnclowpot +##### NextGen Installation (Glutton replacing Honeytrap, HoneyPy replacing Elasticpot) +- Honeypots: adbhoney, ciscoasa, conpot, cowrie, dionaea, glutton, heralding, honeypy, mailoney, rdpy, snare & tanner - Tools: cockpit, cyberchef, ELK, elasticsearch head, ewsposter, NGINX, spiderfoot, p0f and suricata - 6-8 GB RAM (less RAM is possible but might introduce swapping) @@ -227,7 +217,7 @@ Depending on your installation type, whether you install on [real hardware](#har # Installation The installation of T-Pot is straight forward and heavily depends on a working, transparent and non-proxied up and running internet connection. Otherwise the installation **will fail!** -Firstly, decide if you want to download our prebuilt installation ISO image from [GitHub](https://github.com/dtag-dev-sec/tpotce/releases), [create it yourself](#createiso) ***or*** [post-install on a existing Ubuntu Server 18.04 LTS](#postinstall). +Firstly, decide if you want to download our prebuilt installation ISO image from [GitHub](https://github.com/dtag-dev-sec/tpotce/releases), [create it yourself](#createiso) ***or*** [post-install on an existing Debian 9.7 (Stretch)](#postinstall). Secondly, decide where you want to let the system run: [real hardware](#hardware) or in a [virtual machine](#vm)? @@ -241,7 +231,7 @@ You can download the prebuilt installation image from [GitHub](https://github.co For transparency reasons and to give you the ability to customize your install, we provide you the [ISO Creator](https://github.com/dtag-dev-sec/tpotce) that enables you to create your own ISO installation image. **Requirements to create the ISO image:** -- Ubuntu 18.04 LTS or newer as host system (others *may* work, but *remain* untested) +- Debian 9.7 or newer as host system (others *may* work, but *remain* untested) - 4GB of free memory - 32GB of free storage - A working internet connection @@ -284,17 +274,17 @@ If you decide to run T-Pot on dedicated hardware, just follow these steps: Whereas most CD burning tools allow you to burn from ISO images, the procedure to create a bootable USB stick from an ISO image depends on your system. There are various Windows GUI tools available, e.g. [this tip](http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows) might help you.
On [Linux](http://askubuntu.com/questions/59551/how-to-burn-a-iso-to-a-usb-device) or [MacOS](http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-mac-osx) you can use the tool *dd* or create the USB stick with T-Pot's [ISO Creator](https://github.com/dtag-dev-sec). 2. Boot from the USB stick and install. -*Please note*: We will ensure the compatibility with the Intel NUC platform, as we really like the form factor, looks and build quality. Other platforms **remain untested**. +*Please note*: While we are performing limited tests with the Intel NUC platform other hardware platforms **remain untested**. We can not provide hardware support of any kind. ## Post-Install User -In some cases it is necessary to install Ubuntu Server 18.04 LTS on your own: +In some cases it is necessary to install Debian 9.7 (Stretch) on your own: - Cloud provider does not offer mounting ISO images. - Hardware setup needs special drivers and / or kernels. - Within your company you have to setup special policies, software etc. - You just like to stay on top of things. -While the T-Pot-Autoinstaller served us perfectly well in the past we decided to include the feature directly into T-Pot and its Universal Installer. +The T-Pot Universal Installer will upgrade the system to Debian (Sid) and install all required T-Pot dependencies. Just follow these steps: @@ -308,7 +298,7 @@ The installer will now start and guide you through the install process. ## Post-Install Auto -You can also let the installer run automatically if you provide your own `tpot.conf`. A example is available in `tpotce/iso/installer/tpot.conf.dist`. This should make things easier in case you want to automate the installation i.e. with **Ansible**. +You can also let the installer run automatically if you provide your own `tpot.conf`. An example is available in `tpotce/iso/installer/tpot.conf.dist`. This should make things easier in case you want to automate the installation i.e. with **Ansible**. Just follow these steps while adjusting `tpot.conf` to your needs: @@ -344,7 +334,7 @@ You can also login from your browser and access the Web UI: `https://:6 # System Placement -Make sure your system is reachable through the internet. Otherwise it will not capture any attacks, other than the ones from your internal network! We recommend you put it in an unfiltered zone, where all TCP and UDP traffic is forwarded to T-Pot's network interface. However to avoid fingerprinting you can put T-Pot behind a firewall and forward all TCP / UDP traffic in the port range of 1-64000 to T-Pot while allowing access to ports > 64000 only from trusted IPs. +Make sure your system is reachable through a network you suspect intruders in / from (i.e. the internet). Otherwise T-Pot will most likely not capture any attacks, other than the ones from your internal network! We recommend you put it in an unfiltered zone, where all TCP and UDP traffic is forwarded to T-Pot's network interface. However to avoid fingerprinting you can put T-Pot behind a firewall and forward all TCP / UDP traffic in the port range of 1-64000 to T-Pot while allowing access to ports > 64000 only from trusted IPs. A list of all relevant ports is available as part of the [Technical Concept](#concept)
@@ -355,7 +345,7 @@ In case you need external Admin UI access, forward TCP port 64294 to T-Pot, see In case you need external SSH access, forward TCP port 64295 to T-Pot, see below. In case you need external Web UI access, forward TCP port 64297 to T-Pot, see below. -T-Pot requires outgoing git, http, https connections for updates (Ubuntu, Docker, GitHub, PyPi) and attack submission (ewsposter, hpfeeds). Ports and availability may vary based on your geographical location. +T-Pot requires outgoing git, http, https connections for updates (Debian, Docker, GitHub, PyPi) and attack submission (ewsposter, hpfeeds). Ports and availability may vary based on your geographical location. # Updates @@ -363,10 +353,9 @@ For the ones of you who want to live on the bleeding edge of T-Pot development w **If you made any relevant changes to the T-Pot relevant config files make sure to create a backup first.** - The Update script will - **merciless** overwrite local changes to be in sync with the T-Pot master branch - - upgrade the system to the latest kernel within Ubuntu 18.04.x LTS - - upgrade the system to the latest packages available within Ubuntu 18.04.x LTS - - update all resources to be en par with the T-Pot master branch - - ensure all T-Pot relevant system files will be patched / copied into original T-Pot state + - upgrade the system to the packages available in Debian (Sid) + - update all resources to be in-sync with the T-Pot master branch + - ensure all T-Pot relevant system files will be patched / copied into the original T-Pot state You simply run the update script: ``` @@ -428,7 +417,7 @@ If new versions of the components involved appear, we will test them and build n ## Community Data Submission -We provide T-Pot in order to make it accessible to all parties interested in honeypot deployment. By default, the captured data is submitted to a community backend. This community backend uses the data to feed [Sicherheitstacho](https://sicherheitstacho.eu. +We provide T-Pot in order to make it accessible to all parties interested in honeypot deployment. By default, the captured data is submitted to a community backend. This community backend uses the data to feed [Sicherheitstacho](https://sicherheitstacho.eu). You may opt out of the submission by removing the `# Ewsposter service` from `/opt/tpot/etc/tpot.yml`: 1. Stop T-Pot services: `systemctl stop tpot` 2. Remove Ewsposter service: `vi /opt/tpot/etc/tpot.yml` @@ -440,7 +429,7 @@ You may opt out of the submission by removing the `# Ewsposter service` from `/o restart: always networks: - ewsposter_local - image: "dtagdevsec/ewsposter:1810" + image: "dtagdevsec/ewsposter:1903" volumes: - /data:/data - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip @@ -451,6 +440,11 @@ Data is submitted in a structured ews-format, a XML stucture. Hence, you can par We encourage you not to disable the data submission as it is the main purpose of the community approach - as you all know **sharing is caring** 😍 + +## Opt-In HPFEEDS Data Submission +As an Opt-In it is now possible to also share T-Pot data with 3rd party HPFEEDS brokers, such as [SISSDEN](https://sissden.eu). +If you want to share your T-Pot data you simply have to regsiter an account with a 3rd party broker with its own benefits towards the community. Once registered you will receive your credentials to share events with the broker. In T-Pot you simply run `hpfeeds_optin.sh` which will ask for your credentials, in case of SISSDEN this is just `Ident` and `Secret`, everything else is pre-configured. It will automatically update `/opt/tpot/etc/tpot.yml` to deliver events to your desired broker. + # Roadmap As with every development there is always room for improvements ... @@ -479,15 +473,15 @@ We hope you understand that we cannot provide support on an individual basis. We # Licenses The software that T-Pot is built on uses the following licenses. -
GPLv2: [conpot)](https://github.com/mushorg/conpot/blob/master/LICENSE.txt), [dionaea](https://github.com/DinoTools/dionaea/blob/master/LICENSE), [honeytrap](https://github.com/armedpot/honeytrap/blob/master/LICENSE), [suricata](http://suricata-ids.org/about/open-source/) +
GPLv2: [conpot](https://github.com/mushorg/conpot/blob/master/LICENSE.txt), [dionaea](https://github.com/DinoTools/dionaea/blob/master/LICENSE), [honeypy](https://github.com/foospidy/HoneyPy/blob/master/LICENSE), [honeytrap](https://github.com/armedpot/honeytrap/blob/master/LICENSE), [suricata](http://suricata-ids.org/about/open-source/)
GPLv3: [adbhoney](https://github.com/huuck/ADBHoney), [elasticpot](https://github.com/schmalle/ElasticPot), [ewsposter](https://github.com/dtag-dev-sec/ews/), [glastopf](https://github.com/glastopf/glastopf/blob/master/GPL), [rdpy](https://github.com/citronneur/rdpy/blob/master/LICENSE), [heralding](https://github.com/johnnykv/heralding/blob/master/LICENSE.txt), [snare](https://github.com/mushorg/snare/blob/master/LICENSE), [tanner](https://github.com/mushorg/snare/blob/master/LICENSE)
Apache 2 License: [cyberchef](https://github.com/gchq/CyberChef/blob/master/LICENSE), [elasticsearch](https://github.com/elasticsearch/elasticsearch/blob/master/LICENSE.txt), [logstash](https://github.com/elasticsearch/logstash/blob/master/LICENSE), [kibana](https://github.com/elasticsearch/kibana/blob/master/LICENSE.md), [docker](https://github.com/docker/docker/blob/master/LICENSE), [elasticsearch-head](https://github.com/mobz/elasticsearch-head/blob/master/LICENCE) -
MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [ctop](https://github.com/bcicen/ctop/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE) -
Other: [cowrie](https://github.com/micheloosterhof/cowrie/blob/master/LICENSE.md), [mailoney](https://github.com/awhitehatter/mailoney), [Ubuntu licensing](http://www.ubuntu.com/about/about-ubuntu/licensing) +
MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE) +
Other: [cowrie](https://github.com/micheloosterhof/cowrie/blob/master/LICENSE.md), [mailoney](https://github.com/awhitehatter/mailoney), [Debian licensing](https://www.debian.org/legal/licenses/) # Credits -Without open source and the fruitful development community we are proud to be a part of, T-Pot would not have been possible! Our thanks are extended but not limited to the following people and organizations: +Without open source and the fruitful development community (we are proud to be a part of), T-Pot would not have been possible! Our thanks are extended but not limited to the following people and organizations: ### The developers and development communities of @@ -496,15 +490,17 @@ Without open source and the fruitful development community we are proud to be a * [cockpit](https://github.com/cockpit-project/cockpit/graphs/contributors) * [conpot](https://github.com/mushorg/conpot/graphs/contributors) * [cowrie](https://github.com/micheloosterhof/cowrie/graphs/contributors) +* [debian](http://www.debian.org/) * [dionaea](https://github.com/DinoTools/dionaea/graphs/contributors) * [docker](https://github.com/docker/docker/graphs/contributors) -* [elasticpot](https://github.com/schmalle/ElasticPot/graphs/contributors) +* [elasticpot](https://github.com/schmalle/ElasticpotPY/graphs/contributors) * [elasticsearch](https://github.com/elastic/elasticsearch/graphs/contributors) * [elasticsearch-head](https://github.com/mobz/elasticsearch-head/graphs/contributors) * [ewsposter](https://github.com/armedpot/ewsposter/graphs/contributors) * [glastopf](https://github.com/mushorg/glastopf/graphs/contributors) * [glutton](https://github.com/mushorg/glutton/graphs/contributors) * [heralding](https://github.com/johnnykv/heralding/graphs/contributors) +* [honeypy](https://github.com/foospidy/HoneyPy/graphs/contributors) * [honeytrap](https://github.com/armedpot/honeytrap/graphs/contributors) * [kibana](https://github.com/elastic/kibana/graphs/contributors) * [logstash](https://github.com/elastic/logstash/graphs/contributors) @@ -516,10 +512,9 @@ Without open source and the fruitful development community we are proud to be a * [snare](https://github.com/mushorg/snare/graphs/contributors) * [tanner](https://github.com/mushorg/tanner/graphs/contributors) * [suricata](https://github.com/inliniac/suricata/graphs/contributors) -* [ubuntu](http://www.ubuntu.com/) ### The following companies and organizations -* [canonical](http://www.canonical.com/) +* [debian](https://www.debian.org/) * [docker](https://www.docker.com/) * [elastic.io](https://www.elastic.co/) * [honeynet project](https://www.honeynet.org/) @@ -531,7 +526,12 @@ Without open source and the fruitful development community we are proud to be a # Stay tuned ... We will be releasing a new version of T-Pot about every 6-12 months. + +# Testimonial +One of the greatest feedback we have gotten so far is by one of the Conpot developers:
+***"[...] I highly recommend T-Pot which is ... it's not exactly a swiss army knife .. it's more like a swiss army soldier, equipped with a swiss army knife. Inside a tank. A swiss tank. [...]"*** + # Fun Fact -In an effort of saving the environment we are now brewing our own Mate Ice Tea and consumed 241 liters so far for the T-Pot 18.11 development 😇 +In an effort of saving the environment we are now brewing our own Mate Ice Tea and consumed 73 liters so far for the T-Pot 19.03 development 😇 diff --git a/bin/backup_es_folders.sh b/bin/backup_es_folders.sh index 775f64f8..88a279be 100755 --- a/bin/backup_es_folders.sh +++ b/bin/backup_es_folders.sh @@ -1,4 +1,12 @@ #!/bin/bash +# Run as root only. +myWHOAMI=$(whoami) +if [ "$myWHOAMI" != "root" ] + then + echo "Need to run as root ..." + exit +fi + # Backup all ES relevant folders # Make sure ES is available myES="http://127.0.0.1:64298/" @@ -16,7 +24,7 @@ fi myCOUNT=1 myDATE=$(date +%Y%m%d%H%M) myELKPATH="/data/elk/data" -myKIBANAINDEXNAME=$(curl -s -XGET ''$myES'_cat/indices/' | grep -w ".kibana_1" | awk '{ print $4 }') +myKIBANAINDEXNAME=$(curl -s -XGET ''$myES'_cat/indices/.kibana' | awk '{ print $4 }') myKIBANAINDEXPATH=$myELKPATH/nodes/0/indices/$myKIBANAINDEXNAME # Let's ensure normal operation on exit or if interrupted ... diff --git a/bin/clean.sh b/bin/clean.sh index 79f663c9..3b7e8c42 100755 --- a/bin/clean.sh +++ b/bin/clean.sh @@ -1,6 +1,5 @@ #!/bin/bash # T-Pot Container Data Cleaner & Log Rotator - # Set colors myRED="" myGREEN="" @@ -154,6 +153,14 @@ fuHERALDING () { chown tpot:tpot /data/heralding -R } +# Let's create a function to clean up and prepare honeypy data +fuHONEYPY () { + if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypy/*; fi + mkdir -p /data/honeypy/log + chmod 760 /data/honeypy -R + chown tpot:tpot /data/honeypy -R +} + # Let's create a function to clean up and prepare honeytrap data fuHONEYTRAP () { if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeytrap/*; fi @@ -258,6 +265,7 @@ if [ "$myPERSISTENCE" = "on" ]; fuGLASTOPF fuGLUTTON fuHERALDING + fuHONEYPY fuHONEYTRAP fuMAILONEY fuMEDPOT diff --git a/bin/dps.sh b/bin/dps.sh index 29a89fac..2c25a330 100755 --- a/bin/dps.sh +++ b/bin/dps.sh @@ -1,4 +1,13 @@ #/bin/bash + +# Run as root only. +myWHOAMI=$(whoami) +if [ "$myWHOAMI" != "root" ] + then + echo "Need to run as root ..." + exit +fi + # Show current status of T-Pot containers myPARAM="$1" myCONTAINERS="$(cat /opt/tpot/etc/tpot.yml | grep -v '#' | grep container_name | cut -d: -f2 | sort | tr -d " ")" @@ -9,14 +18,13 @@ myWHITE="" myMAGENTA="" function fuGETSTATUS { -grc docker ps -f status=running -f status=exited --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | grep -v "NAME" | sort +grc --colour=on docker ps -f status=running -f status=exited --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | grep -v "NAME" | sort } function fuGETSYS { printf "========| System |========\n" printf "%+10s %-20s\n" "Date: " "$(date)" printf "%+10s %-20s\n" "Uptime: " "$(uptime | cut -b 2-)" -printf "%+10s %-20s\n" "CPU temp: " "$(sensors | grep 'Physical' | awk '{ print $4" " }' | tr -d [:cntrl:])" echo } diff --git a/bin/dump_es.sh b/bin/dump_es.sh index 9ed82b9b..a6e17895 100755 --- a/bin/dump_es.sh +++ b/bin/dump_es.sh @@ -2,10 +2,10 @@ # Dump all ES data # Make sure ES is available myES="http://127.0.0.1:64298/" -myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green) +myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c "green\|yellow") if ! [ "$myESSTATUS" = "1" ] then - echo "### Elasticsearch is not available, try starting via 'systemctl start elk'." + echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'." exit else echo "### Elasticsearch is available, now continuing." @@ -20,12 +20,12 @@ trap fuCLEANUP EXIT # Set vars myDATE=$(date +%Y%m%d%H%M) -myINDICES=$(curl -s -XGET ''$myES'_cat/indices/' | awk '{ print $3 }' | sort | grep -v 1970) -myES="http://127.0.0.1:64298/" +myINDICES=$(curl -s -XGET ''$myES'_cat/indices/logstash-*' | awk '{ print $3 }' | sort | grep -v 1970) +myINDICES+=" .kibana" myCOL1="" myCOL0="" -# Dumping all ES data +# Dumping Kibana and Logstash data echo $myCOL1"### The following indices will be dumped: "$myCOL0 echo $myINDICES echo diff --git a/bin/hpfeeds_optin.sh b/bin/hpfeeds_optin.sh new file mode 100755 index 00000000..5310e401 --- /dev/null +++ b/bin/hpfeeds_optin.sh @@ -0,0 +1,124 @@ +#!/bin/bash + +# Run as root only. +myWHOAMI=$(whoami) +if [ "$myWHOAMI" != "root" ] + then + echo "Need to run as root ..." + exit +fi + +myTPOTYMLFILE="/opt/tpot/etc/tpot.yml" + +function fuSISSDEN () { +echo +echo "You chose SISSDEN, you just need to provide ident and secret" +echo +myENABLE="true" +myHOST="hpfeeds.sissden.eu" +myPORT="10000" +myCHANNEL="t-pot.events" +myCERT="/opt/ewsposter/sissden.pem" +read -p "Ident: " myIDENT +read -p "Secret: " mySECRET +myFORMAT="json" +} + +function fuGENERIC () { +echo +echo "You chose generic, please provide all the details of the broker" +echo +myENABLE="true" +read -p "Host URL: " myHOST +read -p "Port: " myPORT +read -p "Channel: " myCHANNEL +echo "For generic providers set this to 'false'" +echo "If you received a CA certficate mount it into the ewsposter container by modifying $myTPOTYMLFILE" +read -p "TLS - 'false' or path to CA in container: " myCERT +read -p "Ident: " myIDENT +read -p "Secret: " mySECRET +read -p "Format ews (xml) or json: " myFORMAT +} + +function fuOPTOUT () { +echo +while [ 1 != 2 ] + do + read -s -n 1 -p "You chose to opt out (y/n)? " mySELECT + echo $mySELECT + case "$mySELECT" in + [y,Y]) + echo "Opt out." + break + ;; + [n,N]) + echo "Aborted." + exit + ;; + esac +done +myENABLE="false" +myHOST="host" +myPORT="port" +myCHANNEL="channels" +myCERT="false" +myIDENT="user" +mySECRET="secret" +myFORMAT="json" +} + +function fuAPPLY () { +echo "Now stopping T-Pot ..." +systemctl stop tpot +echo "Applying your settings ... " +sed --follow-symlinks -i "s/EWS_HPFEEDS_ENABLE.*/EWS_HPFEEDS_ENABLE=${myENABLE}/g" "$myTPOTYMLFILE" +sed --follow-symlinks -i "s/EWS_HPFEEDS_HOST.*/EWS_HPFEEDS_HOST=${myHOST}/g" "$myTPOTYMLFILE" +sed --follow-symlinks -i "s/EWS_HPFEEDS_PORT.*/EWS_HPFEEDS_PORT=${myPORT}/g" "$myTPOTYMLFILE" +sed --follow-symlinks -i "s/EWS_HPFEEDS_CHANNELS.*/EWS_HPFEEDS_CHANNELS=${myCHANNEL}/g" "$myTPOTYMLFILE" +sed --follow-symlinks -i "s#EWS_HPFEEDS_TLSCERT.*#EWS_HPFEEDS_TLSCERT=${myCERT}#g" "$myTPOTYMLFILE" +sed --follow-symlinks -i "s/EWS_HPFEEDS_IDENT.*/EWS_HPFEEDS_IDENT=${myIDENT}/g" "$myTPOTYMLFILE" +sed --follow-symlinks -i "s/EWS_HPFEEDS_SECRET.*/EWS_HPFEEDS_SECRET=${mySECRET}/g" "$myTPOTYMLFILE" +sed --follow-symlinks -i "s/EWS_HPFEEDS_FORMAT.*/EWS_HPFEEDS_FORMAT=${myFORMAT}/g" "$myTPOTYMLFILE" +echo "Now starting T-Pot ..." +systemctl start tpot +echo "You can always change or review your settings in the ewsposter section of $myTPOTYMLFILE" +echo "Done." +} + +echo "HPFEEDS Delivery Opt-In for T-Pot" +echo "---------------------------------" +echo "By running this script you agree to share your data with a 3rd party and agree to their corresponding sharing terms." +echo +echo +echo "Please choose your broker" +echo "---------------------------" +echo "[1] - SISSDEN" +echo "[2] - Generic (enter details manually)" +echo "[0] - Opt out of HPFEEDS" +echo "[q] - Do not agree end exit" +echo +while [ 1 != 2 ] + do + read -s -n 1 -p "Your choice: " mySELECT + echo $mySELECT + case "$mySELECT" in + [1]) + fuSISSDEN + break + ;; + [2]) + fuGENERIC + break + ;; + [0]) + fuOPTOUT + break + ;; + [q,Q]) + echo "Aborted." + exit + ;; + esac +done +fuAPPLY + diff --git a/bin/restore_es.sh b/bin/restore_es.sh index 9a461c6d..35557bf4 100755 --- a/bin/restore_es.sh +++ b/bin/restore_es.sh @@ -2,10 +2,10 @@ # Restore folder based ES backup # Make sure ES is available myES="http://127.0.0.1:64298/" -myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green) +myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c "green\|yellow") if ! [ "$myESSTATUS" = "1" ] then - echo "### Elasticsearch is not available, try starting via 'systemctl start elk'." + echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'." exit else echo "### Elasticsearch is available, now continuing." @@ -41,17 +41,31 @@ echo $myCOL1"### Now unpacking tar archive: "$myDUMP $myCOL0 tar xvf $myDUMP # Build indices list -myINDICES=$(ls tmp/logstash*.gz | cut -c 5- | rev | cut -c 4- | rev) +myINDICES="$(ls tmp/logstash*.gz | cut -c 5- | rev | cut -c 4- | rev)" myINDICES+=" .kibana" echo $myCOL1"### The following indices will be restored: "$myCOL0 echo $myINDICES echo +# Force single seat template for everything +echo -n $myCOL1"### Forcing single seat template: "$myCOL0 +curl -s XPUT ''$myES'_template/.*' -H 'Content-Type: application/json' -d' +{ "index_patterns": ".*", + "order": 1, + "settings": + { + "number_of_shards": 1, + "number_of_replicas": 0 + } +}' +echo + # Restore indices +curl -s -X DELETE ''$myES'.kibana*' > /dev/null for i in $myINDICES; do # Delete index if it already exists - curl -s -XDELETE $myES$i > /dev/null + curl -s -X DELETE $myES$i > /dev/null echo $myCOL1"### Now uncompressing: tmp/$i.gz" $myCOL0 gunzip -f tmp/$i.gz # Restore index to ES diff --git a/bin/rules.sh b/bin/rules.sh index b3b80ac8..52eb7e48 100755 --- a/bin/rules.sh +++ b/bin/rules.sh @@ -23,10 +23,10 @@ function fuNFQCHECK { myNFQCHECK=$(grep -e '^\s*honeytrap:\|^\s*glutton:' $myDOCKERCOMPOSEYML | tr -d ': ' | uniq) if [ "$myNFQCHECK" == "" ]; then - echo "No NFQ related honeypot detected, no iptables rules needed. Exiting." + echo "No NFQ related honeypot detected, no iptables-legacy rules needed. Exiting." exit else - echo "Detected $myNFQCHECK as NFQ based honeypot, iptables rules needed. Continuing." + echo "Detected $myNFQCHECK as NFQ based honeypot, iptables-legacy rules needed. Continuing." fi } @@ -41,54 +41,54 @@ echo "$myRULESPORTS" } function fuSETRULES { -### Setting up iptables rules for honeytrap +### Setting up iptables-legacy rules for honeytrap if [ "$myNFQCHECK" == "honeytrap" ]; then - /sbin/iptables -w -A INPUT -s 127.0.0.1 -j ACCEPT - /sbin/iptables -w -A INPUT -d 127.0.0.1 -j ACCEPT + /usr/sbin/iptables-legacy -w -A INPUT -s 127.0.0.1 -j ACCEPT + /usr/sbin/iptables-legacy -w -A INPUT -d 127.0.0.1 -j ACCEPT for myPORT in $myRULESPORTS; do - /sbin/iptables -w -A INPUT -p tcp --dport $myPORT -j ACCEPT + /usr/sbin/iptables-legacy -w -A INPUT -p tcp --dport $myPORT -j ACCEPT done - /sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE + /usr/sbin/iptables-legacy -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE fi -### Setting up iptables rules for glutton +### Setting up iptables-legacy rules for glutton if [ "$myNFQCHECK" == "glutton" ]; then - /sbin/iptables -w -t raw -A PREROUTING -s 127.0.0.1 -j ACCEPT - /sbin/iptables -w -t raw -A PREROUTING -d 127.0.0.1 -j ACCEPT + /usr/sbin/iptables-legacy -w -t raw -A PREROUTING -s 127.0.0.1 -j ACCEPT + /usr/sbin/iptables-legacy -w -t raw -A PREROUTING -d 127.0.0.1 -j ACCEPT for myPORT in $myRULESPORTS; do - /sbin/iptables -w -t raw -A PREROUTING -p tcp --dport $myPORT -j ACCEPT + /usr/sbin/iptables-legacy -w -t raw -A PREROUTING -p tcp --dport $myPORT -j ACCEPT done # No need for NFQ forwarding, such rules are set up by glutton fi } function fuUNSETRULES { -### Removing iptables rules for honeytrap +### Removing iptables-legacy rules for honeytrap if [ "$myNFQCHECK" == "honeytrap" ]; then - /sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT - /sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT + /usr/sbin/iptables-legacy -w -D INPUT -s 127.0.0.1 -j ACCEPT + /usr/sbin/iptables-legacy -w -D INPUT -d 127.0.0.1 -j ACCEPT for myPORT in $myRULESPORTS; do - /sbin/iptables -w -D INPUT -p tcp --dport $myPORT -j ACCEPT + /usr/sbin/iptables-legacy -w -D INPUT -p tcp --dport $myPORT -j ACCEPT done - /sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE + /usr/sbin/iptables-legacy -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE fi -### Removing iptables rules for glutton +### Removing iptables-legacy rules for glutton if [ "$myNFQCHECK" == "glutton" ]; then - /sbin/iptables -w -t raw -D PREROUTING -s 127.0.0.1 -j ACCEPT - /sbin/iptables -w -t raw -D PREROUTING -d 127.0.0.1 -j ACCEPT + /usr/sbin/iptables-legacy -w -t raw -D PREROUTING -s 127.0.0.1 -j ACCEPT + /usr/sbin/iptables-legacy -w -t raw -D PREROUTING -d 127.0.0.1 -j ACCEPT for myPORT in $myRULESPORTS; do - /sbin/iptables -w -t raw -D PREROUTING -p tcp --dport $myPORT -j ACCEPT + /usr/sbin/iptables-legacy -w -t raw -D PREROUTING -p tcp --dport $myPORT -j ACCEPT done # No need for removing NFQ forwarding, such rules are removed by glutton fi diff --git a/bin/tped.sh b/bin/tped.sh index 4e8769f9..8c91fe0e 100755 --- a/bin/tped.sh +++ b/bin/tped.sh @@ -1,5 +1,13 @@ #!/bin/bash +# Run as root only. +myWHOAMI=$(whoami) +if [ "$myWHOAMI" != "root" ] + then + echo "Need to run as root ..." + exit +fi + # set backtitle, get filename myBACKTITLE="T-Pot Edition Selection Tool" myYMLS=$(cd /opt/tpot/etc/compose/ && ls -1 *.yml) @@ -21,7 +29,7 @@ for i in $myYMLS; do myITEMS+="$i $(echo $i | cut -d "." -f1 | tr [:lower:] [:upper:]) " done -myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 13 50 6 $myITEMS 3>&1 1>&2 2>&3 3>&-) +myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 12 50 5 $myITEMS 3>&1 1>&2 2>&3 3>&-) if [ "$myEDITION" == "" ]; then echo "Have a nice day!" diff --git a/bin/updateip.sh b/bin/updateip.sh index a0eecba1..87e454f3 100755 --- a/bin/updateip.sh +++ b/bin/updateip.sh @@ -9,10 +9,18 @@ if [ "$myEXTIP" = "" ]; myEXTIP=$myLOCALIP fi mySSHUSER=$(cat /etc/passwd | grep 1000 | cut -d ':' -f1) -sed -i "s#IP:.*#IP: $myLOCALIP ($myEXTIP)#" /etc/issue -sed -i "s#SSH:.*#SSH: ssh -l tsec -p 64295 $myLOCALIP#" /etc/issue -sed -i "s#WEB:.*#WEB: https://$myLOCALIP:64297#" /etc/issue -sed -i "s#ADMIN:.*#ADMIN: https://$myLOCALIP:64294#" /etc/issue +echo "" > /etc/issue +toilet -f ivrit -F metal --filter border:metal "T-Pot 19.03" | sed 's/\\/\\\\/g' >> /etc/issue +echo >> /etc/issue +echo ",---- [ \n ] [ \d ] [ \t ]" >> /etc/issue +echo "|" >> /etc/issue +echo "| IP: $myLOCALIP ($myEXTIP)" >> /etc/issue +echo "| SSH: ssh -l tsec -p 64295 $myLOCALIP" >> /etc/issue +echo "| WEB: https://$myLOCALIP:64297" >> /etc/issue +echo "| ADMIN: https://$myLOCALIP:64294" >> /etc/issue +echo "|" >> /etc/issue +echo "\`----" >> /etc/issue +echo >> /etc/issue tee /data/ews/conf/ews.ip << EOF [MAIN] ip = $myEXTIP diff --git a/doc/architecture.png b/doc/architecture.png index a76330f2..f3f2c5f1 100644 Binary files a/doc/architecture.png and b/doc/architecture.png differ diff --git a/docker/adbhoney/docker-compose.yml b/docker/adbhoney/docker-compose.yml index e38d692a..56d6a497 100644 --- a/docker/adbhoney/docker-compose.yml +++ b/docker/adbhoney/docker-compose.yml @@ -14,7 +14,7 @@ services: - adbhoney_local ports: - "5555:5555" - image: "dtagdevsec/adbhoney:1811" + image: "dtagdevsec/adbhoney:1903" read_only: true volumes: - /data/adbhoney/log:/opt/adbhoney/log diff --git a/docker/ciscoasa/README.md b/docker/ciscoasa/README.md index d33b3320..bcfbbb68 100644 --- a/docker/ciscoasa/README.md +++ b/docker/ciscoasa/README.md @@ -1,4 +1,4 @@ -[![](https://images.microbadger.com/badges/version/dtagdevsec/ciscoasa:1811.svg)](https://microbadger.com/images/dtagdevsec/ciscoasa:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/ciscoasa:1811.svg)](https://microbadger.com/images/dtagdevsec/ciscoasa:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/ciscoasa:1903.svg)](https://microbadger.com/images/dtagdevsec/ciscoasa:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/ciscoasa:1903.svg)](https://microbadger.com/images/dtagdevsec/ciscoasa:1903 "Get your own image badge on microbadger.com") # ciscoasa diff --git a/docker/ciscoasa/docker-compose.yml b/docker/ciscoasa/docker-compose.yml index 8d1154aa..2d4e2d1f 100644 --- a/docker/ciscoasa/docker-compose.yml +++ b/docker/ciscoasa/docker-compose.yml @@ -13,7 +13,7 @@ services: ports: - "5000:5000/udp" - "8443:8443" - image: "dtagdevsec/ciscoasa:1811" + image: "dtagdevsec/ciscoasa:1903" read_only: true volumes: - /data/ciscoasa/log:/var/log/ciscoasa diff --git a/docker/conpot/README.md b/docker/conpot/README.md index 72de159a..0c491b6b 100644 --- a/docker/conpot/README.md +++ b/docker/conpot/README.md @@ -1,4 +1,4 @@ -[![](https://images.microbadger.com/badges/version/dtagdevsec/conpot:1811.svg)](https://microbadger.com/images/dtagdevsec/conpot:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/conpot:1811.svg)](https://microbadger.com/images/dtagdevsec/conpot:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/conpot:1903.svg)](https://microbadger.com/images/dtagdevsec/conpot:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/conpot:1903.svg)](https://microbadger.com/images/dtagdevsec/conpot:1903 "Get your own image badge on microbadger.com") # conpot diff --git a/docker/conpot/docker-compose.yml b/docker/conpot/docker-compose.yml index 18ef35b3..0187c19e 100644 --- a/docker/conpot/docker-compose.yml +++ b/docker/conpot/docker-compose.yml @@ -35,7 +35,7 @@ services: - "2121:21" - "44818:44818" - "47808:47808" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -58,7 +58,7 @@ services: ports: # - "161:161" - "2404:2404" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -80,7 +80,7 @@ services: - conpot_local_guardian_ast ports: - "10001:10001" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -102,7 +102,7 @@ services: - conpot_local_ipmi ports: - "623:623" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -125,7 +125,7 @@ services: ports: - "1025:1025" - "50100:50100" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot diff --git a/docker/cowrie/Dockerfile b/docker/cowrie/Dockerfile index d2742913..65964d90 100644 --- a/docker/cowrie/Dockerfile +++ b/docker/cowrie/Dockerfile @@ -5,6 +5,7 @@ ADD dist/ /root/dist/ # Get and install dependencies & packages RUN apk -U --no-cache add \ + bash \ build-base \ git \ gmp-dev \ @@ -12,6 +13,7 @@ RUN apk -U --no-cache add \ libffi-dev \ mpc1-dev \ mpfr-dev \ + openssl \ openssl-dev \ python \ python-dev \ @@ -24,11 +26,14 @@ RUN apk -U --no-cache add \ addgroup -g 2000 cowrie && \ adduser -S -s /bin/ash -u 2000 -D -g 2000 cowrie && \ -# Install cowrie from git - git clone --depth=1 https://github.com/micheloosterhof/cowrie /home/cowrie/cowrie/ -b v1.3.0 && \ - cd /home/cowrie/cowrie && \ - pip install --no-cache-dir --upgrade cffi pip && \ - pip install --no-cache-dir --upgrade -r requirements.txt && \ +# Install cowrie + mkdir -p /home/cowrie && \ + cd /home/cowrie && \ + git clone --depth=1 https://github.com/micheloosterhof/cowrie -b 1.5.3 && \ + cd cowrie && \ + mkdir -p log && \ + pip install --upgrade pip && \ + pip install --upgrade -r requirements.txt && \ # Setup configs setcap cap_net_bind_service=+ep /usr/bin/python2.7 && \ @@ -36,9 +41,9 @@ RUN apk -U --no-cache add \ chown cowrie:cowrie -R /home/cowrie/* /usr/lib/python2.7/site-packages/twisted/plugins && \ # Start Cowrie once to prevent dropin.cache errors upon container start caused by read-only filesystem - su - cowrie -c "export PYTHONPATH=/home/cowrie/cowrie && \ - cd /home/cowrie/cowrie && \ - /usr/bin/twistd --uid=2000 --gid=2000 -y cowrie.tac --pidfile cowrie.pid cowrie &" && \ + su - cowrie -c "export PYTHONPATH=/home/cowrie/cowrie:/home/cowrie/cowrie/src && \ + cd /home/cowrie/cowrie && \ + /usr/bin/twistd --uid=2000 --gid=2000 -y cowrie.tac --pidfile cowrie.pid cowrie &" && \ sleep 10 && \ # Clean up @@ -49,6 +54,7 @@ RUN apk -U --no-cache add \ libffi-dev \ mpc1-dev \ mpfr-dev \ + openssl-dev \ python-dev \ py-mysqldb \ py-pip && \ @@ -57,7 +63,7 @@ RUN apk -U --no-cache add \ rm -rf /home/cowrie/cowrie/cowrie.pid # Start cowrie -ENV PYTHONPATH /home/cowrie/cowrie +ENV PYTHONPATH /home/cowrie/cowrie:/home/cowrie/cowrie/src WORKDIR /home/cowrie/cowrie USER cowrie:cowrie CMD ["/usr/bin/twistd", "--nodaemon", "-y", "cowrie.tac", "--pidfile", "/tmp/cowrie/cowrie.pid", "cowrie"] diff --git a/docker/cowrie/README.md b/docker/cowrie/README.md index 0ce52931..59750bc5 100644 --- a/docker/cowrie/README.md +++ b/docker/cowrie/README.md @@ -1,4 +1,4 @@ -[![](https://images.microbadger.com/badges/version/dtagdevsec/cowrie:1811.svg)](https://microbadger.com/images/dtagdevsec/cowrie:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/cowrie:1811.svg)](https://microbadger.com/images/dtagdevsec/cowrie:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/cowrie:1903.svg)](https://microbadger.com/images/dtagdevsec/cowrie:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/cowrie:1903.svg)](https://microbadger.com/images/dtagdevsec/cowrie:1903 "Get your own image badge on microbadger.com") # cowrie diff --git a/docker/cowrie/dist/cowrie.cfg b/docker/cowrie/dist/cowrie.cfg index 2124f5e4..9b9c2d17 100644 --- a/docker/cowrie/dist/cowrie.cfg +++ b/docker/cowrie/dist/cowrie.cfg @@ -1,14 +1,44 @@ [honeypot] hostname = ubuntu +log_path = log +download_path = dl report_public_ip = true +share_path= share/cowrie +state_path = /tmp/cowrie/data +etc_path = etc +contents_path = honeyfs +txtcmds_path = txtcmds +ttylog = true +ttylog_path = log/tty +interactive_timeout = 180 +authentication_timeout = 120 +backend = shell auth_class = AuthRandom auth_class_parameters = 2, 5, 10 reported_ssh_port = 22 data_path = /tmp/cowrie/data +[shell] +filesystem = share/cowrie/fs.pickle +processes = share/cowrie/cmdoutput.json +arch = linux-x64-lsb +kernel_version = 3.2.0-4-amd64 +kernel_build_string = #1 SMP Debian 3.2.68-1+deb7u1 +hardware_platform = x86_64 +operating_system = GNU/Linux + [ssh] +enabled = true +rsa_public_key = etc/ssh_host_rsa_key.pub +rsa_private_key = etc/ssh_host_rsa_key +dsa_public_key = etc/ssh_host_dsa_key.pub +dsa_private_key = etc/ssh_host_dsa_key version = SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2 listen_endpoints = tcp:22:interface=0.0.0.0 +sftp_enabled = true +forwarding = true +forward_redirect = false +forward_tunnel = false [telnet] enabled = true @@ -18,8 +48,10 @@ reported_port = 23 [output_jsonlog] enabled = true logfile = log/cowrie.json +epoch_timestamp = false [output_textlog] enabled = false logfile = log/cowrie-textlog.log format = text + diff --git a/docker/cowrie/docker-compose.yml b/docker/cowrie/docker-compose.yml index 0bd54a70..7fc90ebf 100644 --- a/docker/cowrie/docker-compose.yml +++ b/docker/cowrie/docker-compose.yml @@ -18,7 +18,7 @@ services: ports: - "22:22" - "23:23" - image: "dtagdevsec/cowrie:1811" + image: "dtagdevsec/cowrie:1903" read_only: true volumes: - /data/cowrie/downloads:/home/cowrie/cowrie/dl diff --git a/docker/cyberchef/Dockerfile b/docker/cyberchef/Dockerfile index b030b4fc..becfb0e3 100644 --- a/docker/cyberchef/Dockerfile +++ b/docker/cyberchef/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine +FROM alpine:3.8 # Get and install dependencies & packages RUN apk -U --no-cache add \ @@ -12,7 +12,7 @@ RUN apk -U --no-cache add \ # Install CyberChef cd /root && \ - git clone https://github.com/gchq/cyberchef -b v8.20.0 --depth=1 && \ + git clone https://github.com/gchq/cyberchef --depth=1 && \ chown -R nobody:nobody cyberchef && \ cd cyberchef && \ npm install && \ diff --git a/docker/cyberchef/README.md b/docker/cyberchef/README.md index 2c2e1238..83fd0107 100644 --- a/docker/cyberchef/README.md +++ b/docker/cyberchef/README.md @@ -1,4 +1,4 @@ -[![](https://images.microbadger.com/badges/version/dtagdevsec/cyberchef:1811.svg)](https://microbadger.com/images/dtagdevsec/cyberchef:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/cyberchef:1811.svg)](https://microbadger.com/images/dtagdevsec/cyberchef:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/cyberchef:1903.svg)](https://microbadger.com/images/dtagdevsec/cyberchef:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/cyberchef:1903.svg)](https://microbadger.com/images/dtagdevsec/cyberchef:1903 "Get your own image badge on microbadger.com") # cyberchef diff --git a/docker/cyberchef/docker-compose.yml b/docker/cyberchef/docker-compose.yml index 899c6ae3..0bdf0e77 100644 --- a/docker/cyberchef/docker-compose.yml +++ b/docker/cyberchef/docker-compose.yml @@ -14,5 +14,5 @@ services: - cyberchef_local ports: - "127.0.0.1:64299:8000" - image: "dtagdevsec/cyberchef:1811" + image: "dtagdevsec/cyberchef:1903" read_only: true diff --git a/docker/dionaea/README.md b/docker/dionaea/README.md index cd86ece9..61ec9ad6 100644 --- a/docker/dionaea/README.md +++ b/docker/dionaea/README.md @@ -1,4 +1,4 @@ -[![](https://images.microbadger.com/badges/version/dtagdevsec/dionaea:1811.svg)](https://microbadger.com/images/dtagdevsec/dionaea:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/dionaea:1811.svg)](https://microbadger.com/images/dtagdevsec/dionaea:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/dionaea:1903.svg)](https://microbadger.com/images/dtagdevsec/dionaea:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/dionaea:1903.svg)](https://microbadger.com/images/dtagdevsec/dionaea:1903 "Get your own image badge on microbadger.com") # dionaea diff --git a/docker/dionaea/docker-compose.yml b/docker/dionaea/docker-compose.yml index fa35736a..ac6218a1 100644 --- a/docker/dionaea/docker-compose.yml +++ b/docker/dionaea/docker-compose.yml @@ -27,7 +27,7 @@ services: - "5060:5060/udp" - "5061:5061" - "27017:27017" - image: "dtagdevsec/dionaea:1811" + image: "dtagdevsec/dionaea:1903" read_only: true volumes: - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp diff --git a/docker/elasticpot/README.md b/docker/elasticpot/README.md index 2eba07d2..cbe64597 100644 --- a/docker/elasticpot/README.md +++ b/docker/elasticpot/README.md @@ -1,4 +1,4 @@ -[![](https://images.microbadger.com/badges/version/dtagdevsec/elasticpot:1811.svg)](https://microbadger.com/images/dtagdevsec/elasticpot:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/elasticpot:1811.svg)](https://microbadger.com/images/dtagdevsec/elasticpot:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/elasticpot:1903.svg)](https://microbadger.com/images/dtagdevsec/elasticpot:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/elasticpot:1903.svg)](https://microbadger.com/images/dtagdevsec/elasticpot:1903 "Get your own image badge on microbadger.com") # elasticpot diff --git a/docker/elasticpot/docker-compose.yml b/docker/elasticpot/docker-compose.yml index 29615291..5e336ee8 100644 --- a/docker/elasticpot/docker-compose.yml +++ b/docker/elasticpot/docker-compose.yml @@ -14,7 +14,7 @@ services: - elasticpot_local ports: - "9200:9200" - image: "dtagdevsec/elasticpot:1811" + image: "dtagdevsec/elasticpot:1903" read_only: true volumes: - /data/elasticpot/log:/opt/ElasticpotPY/log diff --git a/docker/elk/README.md b/docker/elk/README.md index c3d253d4..aeb4b266 100644 --- a/docker/elk/README.md +++ b/docker/elk/README.md @@ -1,11 +1,11 @@ # Elasticsearch -[![](https://images.microbadger.com/badges/version/dtagdevsec/elasticsearch:1811.svg)](https://microbadger.com/images/dtagdevsec/elasticsearch:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/elasticsearch:1811.svg)](https://microbadger.com/images/dtagdevsec/elasticsearch:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/elasticsearch:1903.svg)](https://microbadger.com/images/dtagdevsec/elasticsearch:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/elasticsearch:1903.svg)](https://microbadger.com/images/dtagdevsec/elasticsearch:1903 "Get your own image badge on microbadger.com") # Logstash -[![](https://images.microbadger.com/badges/version/dtagdevsec/logstash:1811.svg)](https://microbadger.com/images/dtagdevsec/logstash:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/logstash:1811.svg)](https://microbadger.com/images/dtagdevsec/logstash:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/logstash:1903.svg)](https://microbadger.com/images/dtagdevsec/logstash:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/logstash:1903.svg)](https://microbadger.com/images/dtagdevsec/logstash:1903 "Get your own image badge on microbadger.com") # Kibana -[![](https://images.microbadger.com/badges/version/dtagdevsec/kibana:1811.svg)](https://microbadger.com/images/dtagdevsec/kibana:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/kibana:1811.svg)](https://microbadger.com/images/dtagdevsec/kibana:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/kibana:1903.svg)](https://microbadger.com/images/dtagdevsec/kibana:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/kibana:1903.svg)](https://microbadger.com/images/dtagdevsec/kibana:1903 "Get your own image badge on microbadger.com") # elk stack diff --git a/docker/elk/docker-compose.yml b/docker/elk/docker-compose.yml index 8f65b483..4b068b01 100644 --- a/docker/elk/docker-compose.yml +++ b/docker/elk/docker-compose.yml @@ -24,7 +24,7 @@ services: mem_limit: 4g ports: - "127.0.0.1:64298:9200" - image: "dtagdevsec/elasticsearch:1811" + image: "dtagdevsec/elasticsearch:1903" volumes: - /data:/data @@ -39,7 +39,7 @@ services: condition: service_healthy ports: - "127.0.0.1:64296:5601" - image: "dtagdevsec/kibana:1811" + image: "dtagdevsec/kibana:1903" ## Logstash service logstash: @@ -51,7 +51,7 @@ services: condition: service_healthy env_file: - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/logstash:1811" + image: "dtagdevsec/logstash:1903" volumes: - /data:/data - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf @@ -66,5 +66,5 @@ services: condition: service_healthy ports: - "127.0.0.1:64302:9100" - image: "dtagdevsec/head:1811" + image: "dtagdevsec/head:1903" read_only: true diff --git a/docker/elk/elasticsearch/Dockerfile b/docker/elk/elasticsearch/Dockerfile index 85ea4d86..9423f561 100644 --- a/docker/elk/elasticsearch/Dockerfile +++ b/docker/elk/elasticsearch/Dockerfile @@ -4,17 +4,19 @@ FROM alpine ADD dist/ /root/dist/ # Setup env and apt -RUN apk -U add \ +RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \ + apk -U --no-cache add \ + aria2 \ bash \ curl \ - openjdk8-jre \ - wget && \ + nss \ + openjdk8-jre && \ # Get and install packages cd /root/dist/ && \ mkdir -p /usr/share/elasticsearch/ && \ - wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.5.4.tar.gz && \ - tar xvfz elasticsearch-6.5.4.tar.gz --strip-components=1 -C /usr/share/elasticsearch/ && \ + aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.6.2.tar.gz && \ + tar xvfz elasticsearch-6.6.2.tar.gz --strip-components=1 -C /usr/share/elasticsearch/ && \ # Add and move files cd /root/dist/ && \ @@ -28,7 +30,7 @@ RUN apk -U add \ rm -rf /usr/share/elasticsearch/modules/x-pack-ml && \ # Clean up - apk del --purge wget && \ + apk del --purge aria2 && \ rm -rf /root/* && \ rm -rf /tmp/* && \ rm -rf /var/cache/apk/* diff --git a/docker/elk/elasticsearch/docker-compose.yml b/docker/elk/elasticsearch/docker-compose.yml index abd82ef2..a09ec66c 100644 --- a/docker/elk/elasticsearch/docker-compose.yml +++ b/docker/elk/elasticsearch/docker-compose.yml @@ -24,6 +24,6 @@ services: mem_limit: 2g ports: - "127.0.0.1:64298:9200" - image: "dtagdevsec/elasticsearch:1811" + image: "dtagdevsec/elasticsearch:1903" volumes: - /data:/data diff --git a/docker/elk/kibana/Dockerfile b/docker/elk/kibana/Dockerfile index e8a93b3c..79de8b25 100644 --- a/docker/elk/kibana/Dockerfile +++ b/docker/elk/kibana/Dockerfile @@ -1,19 +1,19 @@ -FROM alpine +FROM node:10.15.2-alpine # Include dist ADD dist/ /root/dist/ # Setup env and apt -RUN apk -U add \ - curl \ - nodejs \ - wget && \ +RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \ + apk -U --no-cache add \ + aria2 \ + curl && \ # Get and install packages cd /root/dist/ && \ mkdir -p /usr/share/kibana/ && \ - wget https://artifacts.elastic.co/downloads/kibana/kibana-6.5.4-linux-x86_64.tar.gz && \ - tar xvfz kibana-6.5.4-linux-x86_64.tar.gz --strip-components=1 -C /usr/share/kibana/ && \ + aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/kibana/kibana-6.6.2-linux-x86_64.tar.gz && \ + tar xvfz kibana-6.6.2-linux-x86_64.tar.gz --strip-components=1 -C /usr/share/kibana/ && \ # Kibana's bundled node does not work in alpine rm /usr/share/kibana/node/bin/node && \ @@ -26,38 +26,29 @@ RUN apk -U add \ cp elk.ico /usr/share/kibana/src/ui/public/assets/favicons/favicon.ico && \ cp elk.ico /usr/share/kibana/src/ui/public/assets/favicons/favicon-16x16.png && \ cp elk.ico /usr/share/kibana/src/ui/public/assets/favicons/favicon-32x32.png && \ - cp create_kibana_index.js /usr/share/kibana/src/core_plugins/elasticsearch/lib/ && \ - -# Setup plugins, rebuild bundle - #cd /usr/share/kibana/plugins && \ - #wget https://github.com/dlumbrer/kbn_radar/releases/download/Kibana-6.X/kbn_radar.tar.gz && \ - #wget https://github.com/dlumbrer/kbn_network/releases/download/6.0.X-1/network_vis.tar.gz && \ - #tar xvfz kbn_radar.tar.gz && \ - #tar xvfz network_vis.tar.gz && \ - #rm *.tar.gz && \ - rm -rf /usr/share/kibana/optimize/bundles/* && \ # Setup user, groups and configs sed -i 's/#server.basePath: ""/server.basePath: "\/kibana"/' /usr/share/kibana/config/kibana.yml && \ sed -i 's/#kibana.defaultAppId: "home"/kibana.defaultAppId: "dashboards"/' /usr/share/kibana/config/kibana.yml && \ sed -i 's/#server.host: "localhost"/server.host: "0.0.0.0"/' /usr/share/kibana/config/kibana.yml && \ - sed -i 's/#elasticsearch.url: "http:\/\/localhost:9200"/elasticsearch.url: "http:\/\/elasticsearch:9200"/' /usr/share/kibana/config/kibana.yml && \ + sed -i 's/#elasticsearch.hosts: \["http:\/\/localhost:9200"\]/elasticsearch.hosts: \["http:\/\/elasticsearch:9200"\]/' /usr/share/kibana/config/kibana.yml && \ sed -i 's/#server.rewriteBasePath: false/server.rewriteBasePath: false/' /usr/share/kibana/config/kibana.yml && \ - sed -i "s/#005571/#e20074/g" /usr/share/kibana/src/ui/public/chrome/directives/global_nav/global_nav.less && \ - sed -i "s/globalColorBlue/globalColorMagenta/g" /usr/share/kibana/src/ui/public/chrome/directives/global_nav/global_nav_link/global_nav_link.less && \ - echo "@globalColorMagenta: #9E0051;" >> /usr/share/kibana/src/ui/public/styles/variables/colors.less && \ + sed -i "s/#005571/#e20074/g" /usr/share/kibana/src/legacy/core_plugins/kibana/public/index.css && \ + sed -i "s/#007ba4/#9e0051/g" /usr/share/kibana/src/legacy/core_plugins/kibana/public/index.css && \ + sed -i "s/#00465d/#4f0028/g" /usr/share/kibana/src/legacy/core_plugins/kibana/public/index.css && \ echo "xpack.infra.enabled: false" >> /usr/share/kibana/config/kibana.yml && \ echo "xpack.logstash.enabled: false" >> /usr/share/kibana/config/kibana.yml && \ echo "xpack.canvas.enabled: false" >> /usr/share/kibana/config/kibana.yml && \ echo "xpack.spaces.enabled: false" >> /usr/share/kibana/config/kibana.yml && \ echo "xpack.apm.enabled: false" >> /usr/share/kibana/config/kibana.yml && \ + rm -rf /usr/share/kibana/optimize/bundles/* && \ /usr/share/kibana/bin/kibana --optimize && \ addgroup -g 2000 kibana && \ adduser -S -H -s /bin/ash -u 2000 -D -g 2000 kibana && \ chown -R kibana:kibana /usr/share/kibana/ && \ # Clean up - apk del --purge wget && \ + apk del --purge aria2 && \ rm -rf /root/* && \ rm -rf /tmp/* && \ rm -rf /var/cache/apk/* diff --git a/docker/elk/kibana/dist/create_kibana_index.js b/docker/elk/kibana/dist/create_kibana_index.js deleted file mode 100644 index 7eaf9468..00000000 --- a/docker/elk/kibana/dist/create_kibana_index.js +++ /dev/null @@ -1,38 +0,0 @@ -'use strict'; - -var _setup_error = require('./setup_error'); - -var _setup_error2 = _interopRequireDefault(_setup_error); - -function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } - -module.exports = function (server, mappings) { - var _server$plugins$elast = server.plugins.elasticsearch.getCluster('admin'); - - const callWithInternalUser = _server$plugins$elast.callWithInternalUser; - - const index = server.config().get('kibana.index'); - - function handleError(message) { - return function (err) { - throw new _setup_error2.default(server, message, err); - }; - } - - return callWithInternalUser('indices.create', { - index: index, - body: { - settings: { - number_of_shards: 1, - number_of_replicas: 0, - 'index.mapper.dynamic': false - }, - mappings - } - }).catch(handleError('Unable to create Kibana index "<%= kibana.index %>"')).then(function () { - return callWithInternalUser('cluster.health', { - waitForStatus: 'yellow', - index: index - }).catch(handleError('Waiting for Kibana index "<%= kibana.index %>" to come online failed.')); - }); -}; diff --git a/docker/elk/kibana/dist/kibana_6.2.x_vis_scaling_fixes.zip b/docker/elk/kibana/dist/kibana_6.2.x_vis_scaling_fixes.zip deleted file mode 100644 index 9e8c57db..00000000 Binary files a/docker/elk/kibana/dist/kibana_6.2.x_vis_scaling_fixes.zip and /dev/null differ diff --git a/docker/elk/kibana/docker-compose.yml b/docker/elk/kibana/docker-compose.yml index b2cb6131..3044a84f 100644 --- a/docker/elk/kibana/docker-compose.yml +++ b/docker/elk/kibana/docker-compose.yml @@ -12,4 +12,4 @@ services: # condition: service_healthy ports: - "127.0.0.1:64296:5601" - image: "dtagdevsec/kibana:1811" + image: "dtagdevsec/kibana:1903" diff --git a/docker/elk/logstash/Dockerfile b/docker/elk/logstash/Dockerfile index 8478c6dc..0139f8eb 100644 --- a/docker/elk/logstash/Dockerfile +++ b/docker/elk/logstash/Dockerfile @@ -4,25 +4,27 @@ FROM alpine ADD dist/ /root/dist/ # Setup env and apt -RUN apk -U add \ +RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \ + apk -U --no-cache add \ + aria2 \ bash \ curl \ git \ libc6-compat \ libzmq \ - openjdk8-jre \ - wget && \ + nss \ + openjdk8-jre && \ # Get and install packages git clone --depth=1 https://github.com/dtag-dev-sec/listbot /etc/listbot && \ cd /root/dist/ && \ mkdir -p /usr/share/logstash/ && \ - wget https://artifacts.elastic.co/downloads/logstash/logstash-6.5.4.tar.gz && \ - wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN.tar.gz && \ - tar xvfz logstash-6.5.4.tar.gz --strip-components=1 -C /usr/share/logstash/ && \ + aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/logstash/logstash-6.6.2.tar.gz && \ + tar xvfz logstash-6.6.2.tar.gz --strip-components=1 -C /usr/share/logstash/ && \ /usr/share/logstash/bin/logstash-plugin install logstash-filter-translate && \ /usr/share/logstash/bin/logstash-plugin install logstash-output-syslog && \ - tar xvfz GeoLite2-ASN.tar.gz --strip-components=1 -C /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-geoip-5.0.3-java/vendor/ && \ + aria2c -s 16 -x 16 -o GeoLite2-ASN.tar.gz http://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN.tar.gz && \ + tar xvfz GeoLite2-ASN.tar.gz --strip-components=1 -C /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-geoip-5.0.3-java/vendor && \ # Add and move files cd /root/dist/ && \ @@ -30,7 +32,7 @@ RUN apk -U add \ chmod u+x /usr/bin/update.sh && \ mkdir -p /etc/logstash/conf.d && \ cp logstash.conf /etc/logstash/conf.d/ && \ - cp elasticsearch-template-es6x.json /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.2.4-java/lib/logstash/outputs/elasticsearch/ && \ + cp elasticsearch-template-es6x.json /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/ && \ # Setup user, groups and configs addgroup -g 2000 logstash && \ @@ -40,7 +42,7 @@ RUN apk -U add \ chmod 755 /usr/bin/update.sh && \ # Clean up - apk del --purge wget && \ + apk del --purge aria2 && \ rm -rf /root/* && \ rm -rf /tmp/* && \ rm -rf /var/cache/apk/* @@ -50,4 +52,4 @@ HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9600' # Start logstash #USER logstash:logstash -CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --java-execution +CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf index c7b13916..f291a6dd 100644 --- a/docker/elk/logstash/dist/logstash.conf +++ b/docker/elk/logstash/dist/logstash.conf @@ -76,6 +76,13 @@ input { type => "Heralding" } +# Honeypy + file { + path => ["/data/honeypy/log/json.log"] + codec => json + type => "Honeypy" + } + # Honeytrap file { path => ["/data/honeytrap/log/attackers.json"] @@ -131,6 +138,7 @@ filter { field => "[alert][signature_id]" destination => "[alert][cve_id]" dictionary_path => "/etc/listbot/cve.yaml" +# fallback => "-" } } @@ -265,6 +273,17 @@ filter { } } +# Honeypy + if [type] == "Honeypy" { + date { + match => [ "timestamp", "ISO8601" ] + remove_field => ["timestamp"] + remove_field => ["date"] + remove_field => ["time"] + remove_field => ["millisecond"] + } + } + # Honeytrap if [type] == "Honeytrap" { date { @@ -387,7 +406,7 @@ if "_grokparsefailure" in [tags] { drop {} } } # Add T-Pot hostname and external IP - if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Glastopf" or [type] == "Glutton" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" { + if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Glastopf" or [type] == "Glutton" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" { mutate { add_field => { "t-pot_ip_ext" => "${MY_EXTIP}" @@ -406,12 +425,12 @@ output { # document_type => "doc" } - if [type] == "Suricata" { - file { - file_mode => 0760 - path => "/data/suricata/log/suricata_ews.log" - } - } + #if [type] == "Suricata" { + # file { + # file_mode => 0760 + # path => "/data/suricata/log/suricata_ews.log" + # } + #} # Debug output #if [type] == "XYZ" { # stdout { diff --git a/docker/elk/logstash/docker-compose.yml b/docker/elk/logstash/docker-compose.yml index c1e0050f..c213a098 100644 --- a/docker/elk/logstash/docker-compose.yml +++ b/docker/elk/logstash/docker-compose.yml @@ -12,7 +12,7 @@ services: # condition: service_healthy env_file: - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/logstash:1811" + image: "dtagdevsec/logstash:1903" volumes: - /data:/data - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf diff --git a/docker/ews/Dockerfile b/docker/ews/Dockerfile index 26e3b98d..f2224c3b 100644 --- a/docker/ews/Dockerfile +++ b/docker/ews/Dockerfile @@ -20,7 +20,7 @@ RUN apk -U --no-cache add \ py-requests \ py-setuptools && \ pip install --no-cache-dir -U pip && \ - pip install --no-use-pep517 --no-cache-dir pyOpenSSL && \ + pip install --no-cache-dir pyOpenSSL xmljson && \ # Setup ewsposter git clone --depth=1 https://github.com/rep/hpfeeds /opt/hpfeeds && \ @@ -36,6 +36,7 @@ RUN apk -U --no-cache add \ # Supply configs mv /root/dist/ews.cfg /opt/ewsposter/ && \ + mv /root/dist/*.pem /opt/ewsposter/ && \ # Clean up apk del build-base \ diff --git a/docker/ews/README.md b/docker/ews/README.md index 01eedab4..198a8405 100644 --- a/docker/ews/README.md +++ b/docker/ews/README.md @@ -1,4 +1,4 @@ -[![](https://images.microbadger.com/badges/version/dtagdevsec/ewsposter:1811.svg)](https://microbadger.com/images/dtagdevsec/ewsposter:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/ewsposter:1811.svg)](https://microbadger.com/images/dtagdevsec/ewsposter:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/ewsposter:1903.svg)](https://microbadger.com/images/dtagdevsec/ewsposter:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/ewsposter:1903.svg)](https://microbadger.com/images/dtagdevsec/ewsposter:1903 "Get your own image badge on microbadger.com") # ewsposter diff --git a/docker/ews/dist/ews.cfg b/docker/ews/dist/ews.cfg index a9c437c5..3bdf7bc0 100644 --- a/docker/ews/dist/ews.cfg +++ b/docker/ews/dist/ews.cfg @@ -18,12 +18,16 @@ rhost_second = https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMes ignorecert = false [HPFEED] -hpfeed = false -host = 0.0.0.0 -port = 0 -channels = 0 -ident = 0 -secret= 0 +hpfeed = %(EWS_HPFEEDS_ENABLE)s +host = %(EWS_HPFEEDS_HOST)s +port = %(EWS_HPFEEDS_PORT)s +channels = %(EWS_HPFEEDS_CHANNELS)s +ident = %(EWS_HPFEEDS_IDENT)s +secret= %(EWS_HPFEEDS_SECRET)s +# path/to/certificate for tls broker - or "false" for non-tls broker +tlscert = %(EWS_HPFEEDS_TLSCERT)s +# hpfeeds submission format: "ews" (xml) or "json" +hpfformat = %(EWS_HPFEEDS_FORMAT)s [EWSJSON] json = false @@ -95,7 +99,7 @@ logfile = /data/elasticpot/log/elasticpot.log [SURICATA] suricata = true nodeid = suricata-community-01 -logfile = /data/suricata/log/suricata_ews.log +logfile = /data/suricata/log/eve.json [MAILONEY] mailoney = true @@ -126,3 +130,8 @@ logfile = /data/ciscoasa/log/ciscoasa.log tanner = true nodeid = tanner-community-01 logfile = /data/tanner/log/tanner_report.json + +[GLUTTON] +glutton = true +nodeid = glutton-community-01 +logfile = /data/glutton/log/glutton.log diff --git a/docker/ews/dist/sissden.pem b/docker/ews/dist/sissden.pem new file mode 100644 index 00000000..ae822f5f --- /dev/null +++ b/docker/ews/dist/sissden.pem @@ -0,0 +1,70 @@ +-----BEGIN CERTIFICATE----- +MIIGBDCCA+ygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBnTEYMBYGA1UEAwwPU0lT +U0RFTiBSb290IENBMQswCQYDVQQGEwJQTDERMA8GA1UEBwwIV2Fyc3phd2ExLjAs +BgNVBAoMJU5hdWtvd2EgaSBBa2FkZW1pY2thIFNpZWMgS29tcHV0ZXJvd2ExEDAO +BgNVBAsMB1NJU1NERU4xHzAdBgkqhkiG9w0BCQEWEGFkbWluQHNpc3NkZW4uZXUw +HhcNMTcwNDExMTMxNDE2WhcNMjcwNDA5MTMxNDE2WjCBjTEbMBkGA1UEAwwSU0lT +U0RFTiBTZXJ2aWNlIENBMQswCQYDVQQGEwJQTDEfMB0GCSqGSIb3DQEJARYQYWRt +aW5Ac2lzc2Rlbi5ldTEuMCwGA1UECgwlTmF1a293YSBpIEFrYWRlbWlja2EgU2ll +YyBLb21wdXRlcm93YTEQMA4GA1UECwwHU0lTU0RFTjCCAiIwDQYJKoZIhvcNAQEB +BQADggIPADCCAgoCggIBAPFLjU6cLQoGz1s73QMPiRxYISCMUh3CXFe52Uim9a60 +nkBDLfjMFW87MNhFCcE2xmxwdPPTz4+f5+DsEV3eZf0y63NxWx+RFV+UpODuEW5n +tWPFUDxmgKx6iAR/tyeLVNqmgtCnWzSthE0cg71dlil6onWvkMc+Wn5Kv6aXoz4e +5YVVhNsymhhrR0BntospY8EvtPm70hHAzOty957/zixOQ/MM+4SHRsWXTlKqv0K2 +udWpkUy1Ihs3bpea2KAvn9bBWejFwy7K4q3LyhSyqwpVCYjNi+s+9z4ipSMfvAlT +FvHrMrODv/Iz/TQOfypYSlpX2gBP9WKLgOQj3wulJnMDQlvG1XNgOAqKfEF52YGF +eUu21UraRgDAguIIhWxRwgXenmRo8ngWjfk9Q8734PzzXt8cwzbxJWiJLMew1SiW +I+Kg8uYNGNT4mdBeUMo92S17ZNMXVnkt1TYfxT0A0ZlTCrhXPiWITtsVZXAdqFtl +j5hASmEcRYNgXEUQHBn13O9IinEmks2PEcqbbbKbs2Je0DS/JvxBkqES51UdsaVQ +zITKw3deCk0pISG8WDWZ97LEeDCvAKA5l/ooKjDwfS5vWw11mTUCOdhCoF0m8Lao +TwE1fzzNbSaqMsT6JF/n0ACabfuvF2aqCmWsZC/Hpw8LQQS62zOouCLdcqizL9+z +AgMBAAGjXTBbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgHuMB0GA1UdDgQWBBQ4 +nurxBppBA5PTNvFFU/vhDr/NFzAfBgNVHSMEGDAWgBSDpRyQSgaBD5XvyFOA8YHH +tbUAbzANBgkqhkiG9w0BAQsFAAOCAgEAIvA2gkYsIVH7FGuoIo9RIxgwy7G/SHNC +Xllz6hyTx10UwbttJ+o4gdNt8WPuGnkmywFgsjL1//bFw2+fUO5IRvWKSmXzwx9N +faRJAjQT4JNx2uOW0ctw4USngPrLjXr3UrIQQlJFtZnEyT9u5VJXX8zkhfNJudyJ +N88YVrPEf6Gh1Q0P+yCX0rDEb3PlP2jsYyXZtcYA5kDQ6Qq7jpLT/zrjJdaPTmzh +2NUe7jJOBfZxPCoeev7meafY2vVOgqRqMz1+DZRoOgwq+ysczzRaXmd5a2p9Tabc +L1w5FXKNJQ4apszA0cEScI+4mBIIQ7VFT3GO098GOcYsC2MelRkgONAIyamm66AP +tvLQAKoiK/xz3sEHN4zaZvN/YVHaSYZEXUP0QHdyL62P62a92aCNyrHpzKURhEDA +n8cs6icxKrS4xuVa517m53zun0brjrfeltfbO7z1A2TstFYu9BHKzRuhwV9cGRHP +EDcb7PkfA/08sDHsyfsWtzIysNo3hwCmQ6gtOW5xlrGplFfwSsXmPG4SR3ByW379 +RA5h3zzrO0g7iCvbLclqHoqLTJTMS+6U43qXjnQ7DJ+mcbhRGcMHcZVKqO3QmLm+ +mmkDNzNYfTgY52D5mXJqUK50750mQ8dwMSkD2TufSAPmAPUp90LdQ8u9CIv6gQ+x +A08hDHJ1cdY= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIGHDCCBASgAwIBAgIJAPZqsOOroxaHMA0GCSqGSIb3DQEBCwUAMIGdMRgwFgYD +VQQDDA9TSVNTREVOIFJvb3QgQ0ExCzAJBgNVBAYTAlBMMREwDwYDVQQHDAhXYXJz +emF3YTEuMCwGA1UECgwlTmF1a293YSBpIEFrYWRlbWlja2EgU2llYyBLb21wdXRl +cm93YTEQMA4GA1UECwwHU0lTU0RFTjEfMB0GCSqGSIb3DQEJARYQYWRtaW5Ac2lz +c2Rlbi5ldTAeFw0xNzA0MTExMzA3NTZaFw0yNzA0MDkxMzA3NTZaMIGdMRgwFgYD +VQQDDA9TSVNTREVOIFJvb3QgQ0ExCzAJBgNVBAYTAlBMMREwDwYDVQQHDAhXYXJz +emF3YTEuMCwGA1UECgwlTmF1a293YSBpIEFrYWRlbWlja2EgU2llYyBLb21wdXRl +cm93YTEQMA4GA1UECwwHU0lTU0RFTjEfMB0GCSqGSIb3DQEJARYQYWRtaW5Ac2lz +c2Rlbi5ldTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANKT77EYYEhV +tJUnfnvQtGttfgqIzKIV2W6nPK9aDsKRTX5BVDHF6P5ZAF1u/52ATwdyTK7+LD66 +Q/nCzyyA2kqTgdruX6VGucpD2DVVSVF6nZhV9PcISNaMXytoG2HHlqrim53E/rVa +rskColfs7oCxama6lPKZ/rqrJlVjA1Pl5ZtxR0IORjpOyZjSbSzKQwLp/JxHPMCU +2cVirS7aEu5UGj+Q7Ibg0AEyoAu5tnHBKun4hmIoo7LtKWNEe1TdboxOSboGJ5wd +UTEmNH+7izZ5FAogTUINjubkf2zZ65xEnN7DT/zFS30vYU1EclqCTp96EKPANogV +ZeBKntEN6M5azM6Q6+nFI56TV5DWHTIXm85zzeDj5JM7TQlIGTh8A5APHpr0YyUP +AiIUrixV2lqSDrjewey5qQcWV6WbjMS72OFKh/x7+UJICJhoUw+KwnPmWSq1WAlt +n7C+W0raSQzt7puI30LUkInKL6iEQebMoYg0eDRI5vsRIpbo+PzflIuk/Vea/D1Y +twgRc8ujoKI9GpPJyP4yO4nY7BkShLqKJ251lEJZnxq8LiFVi8aN6ZHt//OGEtVs +6L97cPzqFx7qx8vnyLBFk23lb8pilHK1G0nqxCCjakTruT/JgkLXnZcLu/IDSqd3 +QLjJL0rmU9q6+RTH8A782pcBUNzeLKnlAgMBAAGjXTBbMAwGA1UdEwQFMAMBAf8w +CwYDVR0PBAQDAgHuMB0GA1UdDgQWBBSDpRyQSgaBD5XvyFOA8YHHtbUAbzAfBgNV +HSMEGDAWgBSDpRyQSgaBD5XvyFOA8YHHtbUAbzANBgkqhkiG9w0BAQsFAAOCAgEA +IA0U6znfPykr5PoQlXb/Wr4L5mY/ZtNAJsvJ8jwNMsj3ZlqLOJfnHHoG5LHkb2b/ +xfM1Ee2ojmYBt4VDARqrHLLbup38Ivqt0aEco3Qx/WqbIR4IlvZBF+/qKF/wIUuc +CuBYNIy12PcLzafT+SJosj1BJ+XiUCj/RsVXIT5CxsdXIABWC+5b3T3/PrAtKk+C +sVjA/ck1KAHDd+3VUyRjLAAekYWA9C/hek3YwWQ3OvmyHos5gxifqMMDj6bx5qgv +AuIs4mYJlBlHE19GxRmo2TDwE0eZiUoUdavdRBbl9v7dex+AF2GegmnC1ouYc9kv +9moNBcuPFXuJMCOCU44aTpgEKRm3QTZTvVcUza251T+4kgT2wlFyzPqQ8hcpih4t +knlqHhNc9ibL3/qzWr093AgC9uNaNRqmqu1WAu3vs9g3DVb/RSMrUG/V0YS1GgPq +E+nVJ1AIJoee8YaxHztRfjPsmu1R3pp633lfcRPUKCkz52dZDFRPuQP36DuJzl2M +itTra0MtDUuRCsuJfVGe1op2wFprswLI0qy7O9N21D4Ab8g0ik+lhmpOf5DpYxmx +C2Xpe4d/5Xlg3wIYhEs5MnfeEy4lSMA4cxwJs11gVYHba62L7/5lqzpPmHdRYHu3 +Vf0pM/6zniQpy58Pf9+9CNU15I3iWF5K3zmevFArd6s= +-----END CERTIFICATE----- diff --git a/docker/ews/docker-compose.yml b/docker/ews/docker-compose.yml index 2ee17a24..2b5d2110 100644 --- a/docker/ews/docker-compose.yml +++ b/docker/ews/docker-compose.yml @@ -12,9 +12,19 @@ services: restart: always networks: - ewsposter_local + environment: + - EWS_HPFEEDS_ENABLE=false + - EWS_HPFEEDS_HOST=host + - EWS_HPFEEDS_PORT=port + - EWS_HPFEEDS_CHANNELS=channels + - EWS_HPFEEDS_IDENT=user + - EWS_HPFEEDS_SECRET=secret + - EWS_HPFEEDS_TLSCERT=/opt/ewsposter/ca.pem + - EWS_HPFEEDS_FORMAT=json env_file: - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/ewsposter:1811" + image: "dtagdevsec/ewsposter:1903" volumes: - /data:/data - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip + diff --git a/docker/glastopf/Dockerfile b/docker/glastopf/Dockerfile index 18842cfc..269e959e 100644 --- a/docker/glastopf/Dockerfile +++ b/docker/glastopf/Dockerfile @@ -8,7 +8,7 @@ RUN apk -U --no-cache add \ autoconf \ bind-tools \ build-base \ - cython \ +# cython \ git \ libffi \ libffi-dev \ @@ -17,6 +17,7 @@ RUN apk -U --no-cache add \ make \ php7 \ php7-dev \ + openssl-dev \ py-mysqldb \ py-openssl \ py-pip \ diff --git a/docker/glastopf/README.md b/docker/glastopf/README.md index a11d9aeb..632b6e63 100644 --- a/docker/glastopf/README.md +++ b/docker/glastopf/README.md @@ -1,4 +1,4 @@ -[![](https://images.microbadger.com/badges/version/dtagdevsec/glastopf:1811.svg)](https://microbadger.com/images/dtagdevsec/glastopf:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/glastopf:1811.svg)](https://microbadger.com/images/dtagdevsec/glastopf:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/glastopf:1903.svg)](https://microbadger.com/images/dtagdevsec/glastopf:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/glastopf:1903.svg)](https://microbadger.com/images/dtagdevsec/glastopf:1903 "Get your own image badge on microbadger.com") # glastopf diff --git a/docker/glastopf/docker-compose.yml b/docker/glastopf/docker-compose.yml index cc2e1eec..5d67d6fc 100644 --- a/docker/glastopf/docker-compose.yml +++ b/docker/glastopf/docker-compose.yml @@ -15,8 +15,8 @@ services: networks: - glastopf_local ports: - - "80:80" - image: "dtagdevsec/glastopf:1811" + - "8081:80" + image: "dtagdevsec/glastopf:1903" read_only: true volumes: - /data/glastopf/db:/tmp/glastopf/db diff --git a/docker/glutton/README.md b/docker/glutton/README.md index f1e536f2..25ce9be5 100644 --- a/docker/glutton/README.md +++ b/docker/glutton/README.md @@ -1,4 +1,4 @@ -[![](https://images.microbadger.com/badges/version/dtagdevsec/glutton:1811.svg)](https://microbadger.com/images/dtagdevsec/glutton:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/glutton:1811.svg)](https://microbadger.com/images/dtagdevsec/glutton:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/glutton:1903.svg)](https://microbadger.com/images/dtagdevsec/glutton:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/glutton:1903.svg)](https://microbadger.com/images/dtagdevsec/glutton:1903 "Get your own image badge on microbadger.com") # glutton diff --git a/docker/glutton/docker-compose.yml b/docker/glutton/docker-compose.yml index d207da3d..c75eec3e 100644 --- a/docker/glutton/docker-compose.yml +++ b/docker/glutton/docker-compose.yml @@ -12,7 +12,7 @@ services: network_mode: "host" cap_add: - NET_ADMIN - image: "dtagdevsec/glutton:1811" + image: "dtagdevsec/glutton:1903" read_only: true volumes: - /data/glutton/log:/var/log/glutton diff --git a/docker/heralding/Dockerfile b/docker/heralding/Dockerfile index 4f1c3b2f..5ab3adcb 100644 --- a/docker/heralding/Dockerfile +++ b/docker/heralding/Dockerfile @@ -9,7 +9,7 @@ RUN apk -U --no-cache add \ git \ libcap \ libffi-dev \ - libressl-dev \ + openssl-dev \ libzmq \ postgresql-dev \ python3 \ diff --git a/docker/heralding/README.md b/docker/heralding/README.md index ca92c45a..470cdd37 100644 --- a/docker/heralding/README.md +++ b/docker/heralding/README.md @@ -1,4 +1,4 @@ -[![](https://images.microbadger.com/badges/version/dtagdevsec/heralding:1811.svg)](https://microbadger.com/images/dtagdevsec/heralding:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/heralding:1811.svg)](https://microbadger.com/images/dtagdevsec/heralding:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/heralding:1903.svg)](https://microbadger.com/images/dtagdevsec/heralding:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/heralding:1903.svg)](https://microbadger.com/images/dtagdevsec/heralding:1903 "Get your own image badge on microbadger.com") # heralding diff --git a/docker/heralding/dist/heralding.yml b/docker/heralding/dist/heralding.yml index 8e03ef27..0dec4342 100644 --- a/docker/heralding/dist/heralding.yml +++ b/docker/heralding/dist/heralding.yml @@ -150,3 +150,8 @@ capabilities: enabled: true port: 5900 timeout: 30 + + socks5: + enabled: true + port: 1080 + timeout: 30 diff --git a/docker/heralding/docker-compose.yml b/docker/heralding/docker-compose.yml index da519fbc..392d5673 100644 --- a/docker/heralding/docker-compose.yml +++ b/docker/heralding/docker-compose.yml @@ -25,9 +25,10 @@ services: - "443:443" - "993:993" - "995:995" + - "1080:1080" - "5432:5432" - "5900:5900" - image: "dtagdevsec/heralding:1811" + image: "dtagdevsec/heralding:1903" read_only: true volumes: - /data/heralding/log:/var/log/heralding diff --git a/docker/honeypy/Dockerfile b/docker/honeypy/Dockerfile new file mode 100644 index 00000000..762fceae --- /dev/null +++ b/docker/honeypy/Dockerfile @@ -0,0 +1,54 @@ +FROM alpine + +# Include dist +ADD dist/ /root/dist/ + +# Install packages +RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \ + apk -U --no-cache add \ + build-base \ + git \ + libcap \ + python2 \ + python2-dev \ + py2-pip && \ + +# Upgrade pip, install virtualenv + pip install --no-cache-dir --upgrade pip && \ + pip install --no-cache-dir virtualenv && \ + +# Clone honeypy from git + git clone --depth=1 https://github.com/foospidy/HoneyPy /opt/honeypy && \ + cd /opt/honeypy && \ + sed -i 's/local_host/dest_ip/g' /opt/honeypy/loggers/file/honeypy_file.py && \ + sed -i 's/local_port/dest_port/g' /opt/honeypy/loggers/file/honeypy_file.py && \ + sed -i 's/remote_host/src_ip/g' /opt/honeypy/loggers/file/honeypy_file.py && \ + sed -i 's/remote_port/src_port/g' /opt/honeypy/loggers/file/honeypy_file.py && \ + sed -i 's/service/proto/g' /opt/honeypy/loggers/file/honeypy_file.py && \ + sed -i 's/event/event_type/g' /opt/honeypy/loggers/file/honeypy_file.py && \ + sed -i 's/bytes/size/g' /opt/honeypy/loggers/file/honeypy_file.py && \ + sed -i 's/date_time/timestamp/g' /opt/honeypy/loggers/file/honeypy_file.py && \ + sed -i 's/data,/data.decode("hex"),/g' /opt/honeypy/loggers/file/honeypy_file.py && \ + virtualenv env && \ + cp /root/dist/services.cfg /opt/honeypy/etc && \ + cp /root/dist/honeypy.cfg /opt/honeypy/etc && \ + /opt/honeypy/env/bin/pip install -r /opt/honeypy/requirements.txt && \ + +# Setup user, groups and configs + addgroup -g 2000 honeypy && \ + adduser -S -H -s /bin/ash -u 2000 -D -g 2000 honeypy && \ + chown -R honeypy:honeypy /opt/honeypy && \ + setcap cap_net_bind_service=+ep /opt/honeypy/env/bin/python2 && \ + +# Clean up + apk del --purge build-base \ + git \ + python2-dev \ + py2-pip && \ + rm -rf /root/* && \ + rm -rf /var/cache/apk/* + +# Set workdir and start mailoney +USER honeypy:honeypy +WORKDIR /opt/honeypy +CMD ["/opt/honeypy/env/bin/python2", "/opt/honeypy/Honey.py", "-d"] diff --git a/docker/honeypy/dist/honeypy.cfg b/docker/honeypy/dist/honeypy.cfg new file mode 100644 index 00000000..a063451f --- /dev/null +++ b/docker/honeypy/dist/honeypy.cfg @@ -0,0 +1,117 @@ +# HoneyPy/etc/honeypy.cfg +# https://github.com/foospidy/HoneyPy + +[honeypy] +# select any name for this HoneyPy node, it can be anything you want (default is: honeypy). +# It will be displayed in tweets, Slack messages, and other integrations. +nodename = honeypy + +#add a comma seperated list of ip addresses to supress logging of your local scanners +#whitelist = 192.168.0.5, 192.168.0.21 + +#include the following service profiles (comma seperated), all services will be combined. +#enabling this will disable the use of service.cfg, which will not be processed +#service_profiles = services.databases.profile, services.linux.profile + +# Limit internal log files to a single day. Useful for deployments with limited disk space. +limit_internal_logs = No + +# Directory for internal HoneyPy logs (not external loggers). +# Use leading slash for absolute path, or omit for relative path +internal_log_dir = log/ + +# Tweet events on Twitter. Having a dedicated Twitter account for this purpose is recommended. +# You will need to Twitter API credentials for this to work. See https://dev.twitter.com/oauth/application-only +[twitter] +enabled = No +consumerkey = +consumersecret = +oauthtoken = +oauthsecret = + +######################################################################################################## +# Animus is dead! (http://morris.guru/the-life-and-death-of-animus/) This feature should be use no more. +# enable tweats to include querying Animus Threat Bot (https://github.com/threatbot) +# ask_animus = No +######################################################################################################## +# +# Animus rises from the ashes! https://animus.io/ +# +######################################################################################################## +# +# Animus falls again. https://github.com/hslatman/awesome-threat-intelligence/pull/101 +# +######################################################################################################## + +# Post your events to HoneyDB. Your HoneyPy honepots can contribute threat information to HoneyDB. +# You will need to create API credentails for this to work. See https://riskdiscovery.com/honeydb/#threats +[honeydb] +enabled = No +api_id = +api_key = + +# Post your events to a Slack channel. Having a dedicated Slack channel for this is recommended. +# For setting up your Slack webhook see https://api.slack.com/incoming-webhooks +[slack] +enabled = No +webhook_url = + +[logstash] +enabled = No +host = +port = + +[elasticsearch] +enabled = No +# Elasticsearch url should include ":port/index/type +# example: http://localhost:9200/honeypot/honeypy +es_url = + +[telegram] +# You need to add your bot to channel or group, and get the bot token see https://core.telegram.org/bots +enabled = No +# Telegram bot HTTP API Token +bot_id = + +[sumologic] +enabled = No +# create a http collector source and use the url provided +# https://help.sumologic.com/Send-Data/Sources/02Sources-for-Hosted-Collectors/HTTP-Source/Upload-Data-to-an-HTTP-Source +url = +custom_source_host = +custom_source_name = +custom_source_category = + +[splunk] +enabled = No +# /services/receivers/simple api endpoint +url = https://localhost:8089/services/receivers/simple +username = +password = + +[rabbitmq] +enabled = No +# Here you need create rabbitmq config url to be used with pika python lib +# For ex. 1) amqp://username:password@rabbitmq_host/%2f +# 2) amqp://username:password@127.0.0.1/%2f +url_param = +# Name of the Rabbitmq Exchange +# Ex. mycoolexchange +exchange = +# Rabbitmq routing Key if not configured in rabbitmq leave it +# Ex. honeypy +routing_key = + +[file] +enabled = Yes +filename = log/json.log + +[hpfeeds] +enabled = No +persistent = Yes +server = 127.0.0.1 +port = 20000 +ident = ident +secret = secret +channel = channel +serverid = id diff --git a/docker/honeypy/dist/services.cfg b/docker/honeypy/dist/services.cfg new file mode 100644 index 00000000..d333c5ba --- /dev/null +++ b/docker/honeypy/dist/services.cfg @@ -0,0 +1,67 @@ +# HoneyPy Copyright (C) 2013-2017 foospidy +# services.default.profile +# Important: service names must not contain spaces. +# Important: use port redirecting for services that listen on ports below 1024 (see https://github.com/foospidy/ipt-kit). + +[Echo] +plugin = Echo +low_port = tcp:7 +port = tcp:7 +description = Echo back data received via tcp. +enabled = Yes + +[Echo.udp] +plugin = Echo_udp +low_port = udp:7 +port = udp:7 +description = Echo back data received via udp. +enabled = Yes + +[MOTD] +plugin = MOTD +low_port = tcp:8 +port = tcp:8 +description = Send a message via tcp and close connection. +enabled = Yes + +[MOTD.udp] +plugin = MOTD_udp +low_port = udp:8 +port = udp:8 +description = Send a message via udp. +enabled = Yes + +[Telnet] +plugin = TelnetUnix +low_port = tcp:2323 +port = tcp:2323 +description = Emulate Debian telnet login via tcp. +enabled = Yes + +[Telnet.Windows] +plugin = TelnetWindows +low_port = tcp:2324 +port = tcp:2324 +description = Emulate Windows telnet login via tcp. +enabled = Yes + +[Random] +plugin = Random +low_port = tcp:2048 +port = tcp:2048 +description = Send random data via tcp. +enabled = Yes + +[HashCountRandom] +plugin = HashCountRandom +low_port = tcp:4096 +port = tcp:4096 +description = Send random data prefixed with a hash of a counter via tcp. +enabled = Yes + +[Elasticsearch] +plugin = Elasticsearch +low_port = tcp:9200 +port = tcp:9200 +description = Send basic elasticsearch like replies +enabled = Yes diff --git a/docker/honeypy/docker-compose.yml b/docker/honeypy/docker-compose.yml new file mode 100644 index 00000000..3550622a --- /dev/null +++ b/docker/honeypy/docker-compose.yml @@ -0,0 +1,26 @@ +version: '2.3' + +networks: + honeypy_local: + +services: + +# HoneyPy service + honeypy: + build: . + container_name: honeypy + restart: always + networks: + - honeypy_local + ports: + - "7:7" + - "8:8" + - "2048:2048" + - "2323:2323" + - "2324:2324" + - "4096:4096" + - "9200:9200" + image: "dtagdevsec/honeypy:1903" + read_only: true + volumes: + - /data/honeypy/log:/opt/honeypy/log diff --git a/docker/honeytrap/docker-compose.yml b/docker/honeytrap/docker-compose.yml index 5073ab0a..15eb3d73 100644 --- a/docker/honeytrap/docker-compose.yml +++ b/docker/honeytrap/docker-compose.yml @@ -12,7 +12,7 @@ services: network_mode: "host" cap_add: - NET_ADMIN - image: "dtagdevsec/honeytrap:1811" + image: "dtagdevsec/honeytrap:1903" read_only: true volumes: - /data/honeytrap/attacks:/opt/honeytrap/var/attacks diff --git a/docker/mailoney/README.md b/docker/mailoney/README.md index fab0323f..794c7cc6 100644 --- a/docker/mailoney/README.md +++ b/docker/mailoney/README.md @@ -1,4 +1,4 @@ -[![](https://images.microbadger.com/badges/version/dtagdevsec/mailoney:1811.svg)](https://microbadger.com/images/dtagdevsec/mailoney:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/mailoney:1811.svg)](https://microbadger.com/images/dtagdevsec/mailoney:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/mailoney:1903.svg)](https://microbadger.com/images/dtagdevsec/mailoney:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/mailoney:1903.svg)](https://microbadger.com/images/dtagdevsec/mailoney:1903 "Get your own image badge on microbadger.com") # mailoney diff --git a/docker/mailoney/docker-compose.yml b/docker/mailoney/docker-compose.yml index 74c09a41..d0faba6f 100644 --- a/docker/mailoney/docker-compose.yml +++ b/docker/mailoney/docker-compose.yml @@ -20,7 +20,7 @@ services: - mailoney_local ports: - "25:25" - image: "dtagdevsec/mailoney:1811" + image: "dtagdevsec/mailoney:1903" read_only: true volumes: - /data/mailoney/log:/opt/mailoney/logs diff --git a/docker/medpot/Dockerfile b/docker/medpot/Dockerfile index b92d58b7..d6ed240c 100644 --- a/docker/medpot/Dockerfile +++ b/docker/medpot/Dockerfile @@ -17,6 +17,7 @@ RUN apk -U --no-cache add \ go get -d -v github.com/mozillazg/request && \ go get -d -v go.uber.org/zap && \ cd medpot && \ + cp dist/etc/ews.cfg /etc/ && \ go build medpot && \ # Setup medpot diff --git a/docker/medpot/README.md b/docker/medpot/README.md index 8cac7d01..8a8c8b47 100644 --- a/docker/medpot/README.md +++ b/docker/medpot/README.md @@ -1,4 +1,4 @@ -[![](https://images.microbadger.com/badges/version/dtagdevsec/medpot:1811.svg)](https://microbadger.com/images/dtagdevsec/medpot:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/medpot:1811.svg)](https://microbadger.com/images/dtagdevsec/medpot:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/medpot:1903.svg)](https://microbadger.com/images/dtagdevsec/medpot:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/medpot:1903.svg)](https://microbadger.com/images/dtagdevsec/medpot:1903 "Get your own image badge on microbadger.com") # Medpot diff --git a/docker/medpot/docker-compose.yml b/docker/medpot/docker-compose.yml index b665487d..6d147739 100644 --- a/docker/medpot/docker-compose.yml +++ b/docker/medpot/docker-compose.yml @@ -14,7 +14,7 @@ services: - medpot_local ports: - "2575:2575" - image: "dtagdevsec/medpot:1811" + image: "dtagdevsec/medpot:1903" read_only: true volumes: - /data/medpot/log/:/var/log/medpot diff --git a/docker/nginx/Dockerfile.future b/docker/nginx/Dockerfile.future deleted file mode 100644 index b1142396..00000000 --- a/docker/nginx/Dockerfile.future +++ /dev/null @@ -1,26 +0,0 @@ -FROM alpine - -# Include dist -ADD dist/ /root/dist/ - -# Get and install dependencies & packages -RUN rm -rf /etc/ssl/openssl.cnf && \ - apk add --no-cache -U -X http://dl-3.alpinelinux.org/alpine/edge/testing/ \ - nginx \ - nginx-mod-http-headers-more \ - openssl1.1 || : && \ - -# Setup configs - mkdir -p /run/nginx && \ - rm -rf /etc/nginx/conf.d/* /usr/share/nginx/html/* && \ - cp /root/dist/conf/nginx.conf /etc/nginx/ && \ - cp -R /root/dist/conf/ssl /etc/nginx/ && \ - cp /root/dist/conf/tpotweb.conf /etc/nginx/conf.d/ && \ - cp -R /root/dist/html/ /var/lib/nginx/ && \ - -# Clean up - rm -rf /root/* && \ - rm -rf /var/cache/apk/* - -# Start nginx -CMD exec nginx -g 'daemon off;' diff --git a/docker/nginx/dist/conf/nginx.conf b/docker/nginx/dist/conf/nginx.conf index 24d24d4d..70c4d552 100644 --- a/docker/nginx/dist/conf/nginx.conf +++ b/docker/nginx/dist/conf/nginx.conf @@ -31,7 +31,8 @@ http { # SSL Settings ## - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE ssl_prefer_server_ciphers on; ## @@ -73,25 +74,3 @@ http { include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } - - -#mail { -# # See sample authentication script at: -# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript -# -# # auth_http localhost/auth.php; -# # pop3_capabilities "TOP" "USER"; -# # imap_capabilities "IMAP4rev1" "UIDPLUS"; -# -# server { -# listen localhost:110; -# protocol pop3; -# proxy on; -# } -# -# server { -# listen localhost:143; -# protocol imap; -# proxy on; -# } -#} diff --git a/docker/nginx/dist/conf/tpotweb.conf b/docker/nginx/dist/conf/tpotweb.conf index 380a4a46..fa15a49c 100644 --- a/docker/nginx/dist/conf/tpotweb.conf +++ b/docker/nginx/dist/conf/tpotweb.conf @@ -9,7 +9,7 @@ server { ######################### listen 64297 ssl http2; index tpotweb.html; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.3; server_name example.com; error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html; diff --git a/docker/nginx/docker-compose.yml b/docker/nginx/docker-compose.yml index b8d0a907..2443efe7 100644 --- a/docker/nginx/docker-compose.yml +++ b/docker/nginx/docker-compose.yml @@ -17,7 +17,7 @@ services: network_mode: "host" ports: - "64297:64297" - image: "dtagdevsec/nginx:1811" + image: "dtagdevsec/nginx:1903" read_only: true volumes: - /data/nginx/cert/:/etc/nginx/cert/:ro diff --git a/docker/p0f/docker-compose.yml b/docker/p0f/docker-compose.yml index 289e794f..658ed924 100644 --- a/docker/p0f/docker-compose.yml +++ b/docker/p0f/docker-compose.yml @@ -8,7 +8,7 @@ services: container_name: p0f restart: always network_mode: "host" - image: "dtagdevsec/p0f:1811" + image: "dtagdevsec/p0f:1903" read_only: true volumes: - /data/p0f/log:/var/log/p0f diff --git a/docker/rdpy/Dockerfile b/docker/rdpy/Dockerfile index 71c4fe12..55f717b6 100644 --- a/docker/rdpy/Dockerfile +++ b/docker/rdpy/Dockerfile @@ -34,7 +34,7 @@ RUN apk -U --no-cache add \ pyasn1 && \ # Install rdpy from git - mkdir /opt && \ + mkdir -p /opt && \ cd /opt && \ git clone --depth=1 https://github.com/t3chn0m4g3/rdpy && \ cd rdpy && \ diff --git a/docker/rdpy/README.md b/docker/rdpy/README.md index c7215202..a15e6a10 100644 --- a/docker/rdpy/README.md +++ b/docker/rdpy/README.md @@ -1,4 +1,4 @@ -[![](https://images.microbadger.com/badges/version/dtagdevsec/rdpy:1811.svg)](https://microbadger.com/images/dtagdevsec/rdpy:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/rdpy:1811.svg)](https://microbadger.com/images/dtagdevsec/rdpy:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/rdpy:1903.svg)](https://microbadger.com/images/dtagdevsec/rdpy:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/rdpy:1903.svg)](https://microbadger.com/images/dtagdevsec/rdpy:1903 "Get your own image badge on microbadger.com") # rdpy diff --git a/docker/rdpy/docker-compose.yml b/docker/rdpy/docker-compose.yml index dd606c3c..8f2da9a9 100644 --- a/docker/rdpy/docker-compose.yml +++ b/docker/rdpy/docker-compose.yml @@ -22,7 +22,7 @@ services: - rdpy_local ports: - "3389:3389" - image: "dtagdevsec/rdpy:1811" + image: "dtagdevsec/rdpy:1903" read_only: true volumes: - /data/rdpy/log:/var/log/rdpy diff --git a/docker/spiderfoot/Dockerfile b/docker/spiderfoot/Dockerfile index 51db10f7..fdfc40d5 100644 --- a/docker/spiderfoot/Dockerfile +++ b/docker/spiderfoot/Dockerfile @@ -1,7 +1,8 @@ FROM alpine # Get and install dependencies & packages -RUN apk -U --no-cache add \ +RUN sed -i 's/dl-cdn/dl-4/g' /etc/apk/repositories && \ + apk -U --no-cache add \ build-base \ curl \ git \ @@ -13,26 +14,21 @@ RUN apk -U --no-cache add \ openssl-dev \ python \ python-dev \ - py-lxml \ - py-netaddr \ - py-mako \ - py-markupsafe \ + py-future \ py-pip \ - py-setuptools \ - py-requests \ swig && \ - pip install --no-cache-dir --upgrade pip && \ - pip install --no-cache-dir \ - cherrypy \ - bs4 \ - m2crypto && \ # Setup user addgroup -g 2000 spiderfoot && \ adduser -S -s /bin/ash -u 2000 -D -g 2000 spiderfoot && \ # Install spiderfoot - git clone --depth=1 https://github.com/smicallef/spiderfoot -b v2.12.0-final /home/spiderfoot && \ +# git clone --depth=1 https://github.com/smicallef/spiderfoot -b v2.12.0-final /home/spiderfoot && \ + git clone --depth=1 https://github.com/smicallef/spiderfoot /home/spiderfoot && \ + cd /home/spiderfoot && \ + pip install --no-cache-dir --upgrade pip && \ + pip install --no-cache-dir wheel && \ + pip install --no-cache-dir -r requirements.txt && \ chown -R spiderfoot:spiderfoot /home/spiderfoot && \ sed -i "s#'__docroot': ''#'__docroot': '\/spiderfoot'#" /home/spiderfoot/sf.py && \ sed -i 's#raise cherrypy.HTTPRedirect("\/")#raise cherrypy.HTTPRedirect("\/spiderfoot")#' /home/spiderfoot/sfwebui.py && \ diff --git a/docker/spiderfoot/README.md b/docker/spiderfoot/README.md index 84111cf4..084d8ce2 100644 --- a/docker/spiderfoot/README.md +++ b/docker/spiderfoot/README.md @@ -1,4 +1,4 @@ -[![](https://images.microbadger.com/badges/version/dtagdevsec/spiderfoot:1811.svg)](https://microbadger.com/images/dtagdevsec/spiderfoot:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/spiderfoot:1811.svg)](https://microbadger.com/images/dtagdevsec/spiderfoot:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/spiderfoot:1903.svg)](https://microbadger.com/images/dtagdevsec/spiderfoot:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/spiderfoot:1903.svg)](https://microbadger.com/images/dtagdevsec/spiderfoot:1903 "Get your own image badge on microbadger.com") [spiderfoot](https://github.com/smicallef/spiderfoot) the open source footprinting and intelligence-gathering tool. diff --git a/docker/spiderfoot/docker-compose.yml b/docker/spiderfoot/docker-compose.yml index dcfedff9..475386ad 100644 --- a/docker/spiderfoot/docker-compose.yml +++ b/docker/spiderfoot/docker-compose.yml @@ -14,6 +14,6 @@ services: - spiderfoot_local ports: - "127.0.0.1:64303:8080" - image: "dtagdevsec/spiderfoot:1811" + image: "dtagdevsec/spiderfoot:1903" volumes: - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db diff --git a/docker/suricata/Dockerfile b/docker/suricata/Dockerfile index 5c8746ad..44c900fd 100644 --- a/docker/suricata/Dockerfile +++ b/docker/suricata/Dockerfile @@ -4,20 +4,91 @@ FROM alpine ADD dist/ /root/dist/ # Install packages -RUN apk -U --no-cache add \ +RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \ + apk -U --no-cache add \ ca-certificates \ curl \ file \ - libcap \ - wget && \ - apk -U add --repository http://dl-cdn.alpinelinux.org/alpine/edge/community \ - suricata && \ + geoip \ + hiredis \ + jansson \ + libcap-ng \ + libhtp \ + libmagic \ + libnet \ + libnetfilter_queue \ + libnfnetlink \ + libpcap \ + luajit \ + lz4-libs \ + musl \ + nspr \ + nss \ + pcre \ + yaml \ + wget \ + automake \ + autoconf \ + build-base \ + cargo \ + file-dev \ + geoip-dev \ + hiredis-dev \ + jansson-dev \ + libtool \ + libhtp-dev \ + libcap-ng-dev \ + luajit-dev \ + libpcap-dev \ + libnet-dev \ + libnetfilter_queue-dev \ + libnfnetlink-dev \ + lz4-dev \ + nss-dev \ + nspr-dev \ + pcre-dev \ + python2 \ + py2-pip \ + rust \ + yaml-dev && \ + +# Upgrade pip, install virtualenv + pip install --no-cache-dir --upgrade pip && \ + pip install --no-cache-dir suricata-update && \ + +# Get and build Suricata + mkdir -p /opt/builder/ && \ + wget https://www.openinfosecfoundation.org/download/suricata-4.1.3.tar.gz && \ + tar xvfz suricata-4.1.3.tar.gz --strip-components=1 -C /opt/builder/ && \ + rm suricata-4.1.3.tar.gz && \ + cd /opt/builder && \ + ./configure \ + --prefix=/usr \ + --sysconfdir=/etc \ + --mandir=/usr/share/man \ + --localstatedir=/var \ + --enable-non-bundled-htp \ + --enable-nfqueue \ + --enable-rust \ + --disable-gccmarch-native \ + --enable-hiredis \ + --enable-geoip \ + --enable-gccprotect \ + --enable-pie \ + --enable-luajit && \ + make && \ + make check && \ + make install && \ + make install-full && \ # Setup user, groups and configs addgroup -g 2000 suri && \ adduser -S -H -u 2000 -D -g 2000 suri && \ + chmod 644 /etc/suricata/*.config && \ cp /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \ cp /root/dist/*.bpf /etc/suricata/ && \ + mkdir -p /etc/suricata/rules && \ + cp /opt/builder/rules/* /etc/suricata/rules/ && \ # Download the latest EmergingThreats ruleset, replace rulebase and enable all rules cp /root/dist/update.sh /usr/bin/ && \ @@ -25,6 +96,32 @@ RUN apk -U --no-cache add \ update.sh OPEN && \ # Clean up + apk del --purge \ + automake \ + autoconf \ + build-base \ + cargo \ + file-dev \ + geoip-dev \ + hiredis-dev \ + jansson-dev \ + libtool \ + libhtp-dev \ + libcap-ng-dev \ + luajit-dev \ + libpcap-dev \ + libnet-dev \ + libnetfilter_queue-dev \ + libnfnetlink-dev \ + lz4-dev \ + nss-dev \ + nspr-dev \ + pcre-dev \ + python2 \ + py2-pip \ + rust \ + yaml-dev && \ + rm -rf /opt/builder && \ rm -rf /root/* && \ rm -rf /var/cache/apk/* diff --git a/docker/suricata/README.md b/docker/suricata/README.md index 2c5bb1f2..828004a1 100644 --- a/docker/suricata/README.md +++ b/docker/suricata/README.md @@ -1,4 +1,4 @@ -[![](https://images.microbadger.com/badges/version/dtagdevsec/suricata:1811.svg)](https://microbadger.com/images/dtagdevsec/suricata:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/suricata:1811.svg)](https://microbadger.com/images/dtagdevsec/suricata:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/suricata:1903.svg)](https://microbadger.com/images/dtagdevsec/suricata:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/suricata:1903.svg)](https://microbadger.com/images/dtagdevsec/suricata:1903 "Get your own image badge on microbadger.com") # dockerized suricata diff --git a/docker/suricata/dist/capture-filter.bpf b/docker/suricata/dist/capture-filter.bpf index e2c35df5..80fa12d1 100644 --- a/docker/suricata/dist/capture-filter.bpf +++ b/docker/suricata/dist/capture-filter.bpf @@ -1,3 +1,4 @@ not (host sicherheitstacho.eu or community.sicherheitstacho.eu) and not (host archive.ubuntu.com or security.ubuntu.com) and -not (host index.docker.io or docker.io) +not (host index.docker.io or docker.io) and +not (host hpfeeds.sissden.eu) diff --git a/docker/suricata/dist/suricata.yaml b/docker/suricata/dist/suricata.yaml index d05d99ff..834f78fd 100644 --- a/docker/suricata/dist/suricata.yaml +++ b/docker/suricata/dist/suricata.yaml @@ -3,14 +3,14 @@ # Suricata configuration file. In addition to the comments describing all # options in this file, full documentation can be found at: -# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml +# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html ## ## Step 1: inform Suricata about your network ## vars: - # more specifc is better for alert accuracy and performance + # more specific is better for alert accuracy and performance address-groups: HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" #HOME_NET: "[192.168.0.0/16]" @@ -27,6 +27,7 @@ vars: DNS_SERVERS: "$HOME_NET" TELNET_SERVERS: "$HOME_NET" AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" DNP3_SERVER: "$HOME_NET" DNP3_CLIENT: "$HOME_NET" MODBUS_CLIENT: "$HOME_NET" @@ -41,76 +42,11 @@ vars: SSH_PORTS: "22,64295" DNP3_PORTS: 20000 MODBUS_PORTS: 502 - + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 ## -## Step 2: select the rules to enable or disable -## - -default-rule-path: /etc/suricata/rules -rule-files: - - botcc.rules - - botcc.portgrouped.rules - - ciarmy.rules - - compromised.rules - - drop.rules - - dshield.rules - - emerging-activex.rules - - emerging-attack_response.rules - - emerging-chat.rules - - emerging-current_events.rules - - emerging-dns.rules - - emerging-dos.rules - - emerging-exploit.rules - - emerging-ftp.rules - - emerging-games.rules - - emerging-icmp_info.rules - - emerging-icmp.rules - - emerging-imap.rules - - emerging-inappropriate.rules - - emerging-info.rules - - emerging-malware.rules - - emerging-misc.rules - - emerging-mobile_malware.rules - - emerging-netbios.rules - - emerging-p2p.rules - - emerging-policy.rules - - emerging-pop3.rules - - emerging-rpc.rules - - emerging-scada.rules -# - emerging-scada_special.rules - - emerging-scan.rules - - emerging-shellcode.rules - - emerging-smtp.rules - - emerging-snmp.rules - - emerging-sql.rules - - emerging-telnet.rules - - emerging-tftp.rules - - emerging-trojan.rules - - emerging-user_agents.rules - - emerging-voip.rules - - emerging-web_client.rules - - emerging-web_server.rules - - emerging-web_specific_apps.rules - - emerging-worm.rules - - tor.rules - - decoder-events.rules # available in suricata sources under rules dir - - stream-events.rules # available in suricata sources under rules dir - - http-events.rules # available in suricata sources under rules dir - - smtp-events.rules # available in suricata sources under rules dir - - dns-events.rules # available in suricata sources under rules dir - - tls-events.rules # available in suricata sources under rules dir - - modbus-events.rules # available in suricata sources under rules dir - - app-layer-events.rules # available in suricata sources under rules dir - - dnp3-events.rules # available in suricata sources under rules dir - -classification-file: /etc/suricata/rules/classification.config -reference-config-file: /etc/suricata/rules/reference.config -# threshold-file: /etc/suricata/threshold.config - - -## -## Step 3: select outputs to enable +## Step 2: select outputs to enable ## # The default logging directory. Any log or output file will be @@ -124,6 +60,13 @@ stats: # The interval field (in seconds) controls at what interval # the loggers are invoked. interval: 8 + # Add decode events as stats. + #decoder-events: true + # Decoder event prefix in stats. Has been 'decoder' before, but that leads + # to missing events in the eve.stats records. See issue #2225. + decoder-events-prefix: "decoder.event" + # Add stream events as stats. + #stream-events: false # Configure the type of alert (and other) logging you would like. outputs: @@ -148,7 +91,10 @@ outputs: #redis: # server: 127.0.0.1 # port: 6379 - # mode: list ## possible values: list (default), channel + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish # key: suricata ## key or channel to use (default to suricata) # Redis pipelining set up. This will enable to only do a query every # 'batch-size' events. This should lower the latency induced by network @@ -157,54 +103,100 @@ outputs: # pipelining: # enabled: yes ## set enable to yes to enable query pipelining # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + # include the name of the input pcap file in pcap file processing mode + pcap-file: false + + # Community Flow ID + # Adds a 'community_id' field to EVE records. These are meant to give + # a records a predictable flow id that can be used to match records to + # output of other tools such as Bro. + # + # Takes a 'seed' that needs to be same across sensors and tools + # to make the id less predictable. + + # enable/disable the community id feature. + community-id: false + # Seed value for the ID output. Valid values are 0-65535. + community-id-seed: 0 + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: yes + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + types: - alert: - # payload: yes # enable dumping payload in Base64 + payload: yes # enable dumping payload in Base64 payload-buffer-size: 4kb # max size of payload buffer to output in eve-log payload-printable: yes # enable dumping payload in printable (lossy) format # packet: yes # enable dumping of packet (without stream segments) - http: yes # enable dumping of http fields - tls: yes # enable dumping of tls fields - ssh: yes # enable dumping of ssh fields - smtp: yes # enable dumping of smtp fields - dnp3: yes # enable dumping of DNP3 fields + http-body: yes # enable dumping of http body in Base64 + http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes # Enable the logging of tagged packets for rules using the # "tag" keyword. tagged-packets: yes - - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: yes - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For - http: extended: yes # enable this for extended logging information # custom allows additional http fields to be included in eve-log # the example below adds three additional fields when uncommented custom: [Accept-Encoding, Accept-Language, Authorization, Forwarded, From, Referer, Via] - dns: - # control logging of queries and answers - # default yes, no to disable - query: yes # enable logging of DNS queries - answer: no # enable logging of DNS answers - # control which RR types are logged - # all enabled if custom not specified - #custom: [a, aaaa, cname, mx, ns, ptr, txt] + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] - tls: extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, ja3] - files: force-magic: yes # force logging magic on all logged files # force logging of checksums, available hash functions are md5, @@ -227,16 +219,34 @@ outputs: # to yes md5: [body, subject] + - dnp3 + - nfs + - smb + - tftp + - ikev2 + - krb5 + - dhcp: + # DHCP logging requires Rust. + enabled: no + # When extended mode is on, all DHCP messages are logged + # with full detail. When extended mode is off (the + # default), just enough information to map a MAC address + # to an IP address is logged. + extended: no - ssh - #- stats: - # totals: no # stats for all threads merged together - # threads: no # per thread stats - # deltas: no # include delta values + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values # bi-directional flows #- flow # uni-directional flows #- netflow - #- dnp3 + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata # alert output for use with Barnyard2 - unified2-alert: @@ -247,6 +257,11 @@ outputs: # is parsed as bytes. #limit: 32mb + # By default unified2 log files have the file creation time (in + # unix epoch format) appended to the filename. Set this to yes to + # disable this behaviour. + #nostamp: no + # Sensor ID field of unified2 alerts. #sensor-id: 0 @@ -260,7 +275,7 @@ outputs: # This is helpful when reviewing alerts for traffic that is being reverse # or forward proxied. xff: - enabled: no + enabled: yes # Two operation modes are available, "extra-data" and "overwrite". Note # that in the "overwrite" mode, if the reported IP address in the HTTP # X-Forwarded-For header is of a different version of the packet @@ -290,8 +305,13 @@ outputs: enabled: no # Log TLS connections. filename: tls.log # File to store TLS logs. append: yes + #extended: yes # Log extended information like fingerprint + #custom: yes # enabled the custom logging format (defined by customformat) + #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D" #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - #extended: yes # Log extended information like fingerprint + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no # output module to store certificates chain to disk - tls-store: @@ -299,6 +319,7 @@ outputs: #certs-log-dir: certs # directory to store the certificates files # a line based log of DNS requests and/or replies (no alerts) + # Note: not available when Rust is enabled (--enable-rust). - dns-log: enabled: no filename: dns.log @@ -346,6 +367,17 @@ outputs: # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" max-files: 2000 + # Compression algorithm for pcap files. Possible values: none, lz4. + # Enabling compression is incompatible with the sguil mode. Note also + # that on Windows, enabling compression will *increase* disk I/O. + compression: none + + # Further options for lz4 compression. The compression level can be set + # to a value between 0 and 16, where higher values result in higher + # compression. + #lz4-checksum: no + #lz4-level: 0 + mode: normal # normal, multi or sguil. # Directory to place pcap files. If not provided the default log @@ -364,7 +396,7 @@ outputs: append: yes #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - # alert output to prelude (http://www.prelude-technologies.com/) only + # alert output to prelude (https://www.prelude-siem.org/) only # available if Suricata has been compiled with --enable-prelude - alert-prelude: enabled: no @@ -372,10 +404,11 @@ outputs: log-packet-content: no log-packet-header: yes - # Stats.log contains data from various counters of the suricata engine. + # Stats.log contains data from various counters of the Suricata engine. - stats: enabled: no filename: stats.log + append: yes # append to file (yes) or overwrite it (no) totals: yes # stats for all threads merged together threads: no # per thread stats #null-values: yes # print counters that have value 0 @@ -397,11 +430,80 @@ outputs: append: yes #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - # output module to store extracted files to disk + # Output module for storing files on disk. Files are stored in a + # directory names consisting of the first 2 characters of the + # SHA256 of the file. Each file is given its SHA256 as a filename. + # + # When a duplicate file is found, the existing file is touched to + # have its timestamps updated. + # + # Unlike the older filestore, metadata is not written out by default + # as each file should already have a "fileinfo" record in the + # eve.log. If write-fileinfo is set to yes, the each file will have + # one more associated .json files that consists of the fileinfo + # record. A fileinfo file will be written for each occurrence of the + # file seen using a filename suffix to ensure uniqueness. + # + # To prune the filestore directory see the "suricatactl filestore + # prune" command which can delete files over a certain age. + - file-store: + version: 2 + enabled: no + + # Set the directory for the filestore. If the path is not + # absolute will be be relative to the default-log-dir. + #dir: filestore + + # Write out a fileinfo record for each occurrence of a + # file. Disabled by default as each occurrence is already logged + # as a fileinfo record to the main eve-log. + #write-fileinfo: yes + + # Force storing of all files. Default: no. + #force-filestore: yes + + # Override the global stream-depth for sessions in which we want + # to perform file extraction. Set to 0 for unlimited. + #stream-depth: 0 + + # Uncomment the following variable to define how many files can + # remain open for filestore by Suricata. Default value is 0 which + # means files get closed after each write + #max-open-files: 1000 + + # Force logging of checksums, available hash functions are md5, + # sha1 and sha256. Note that SHA256 is automatically forced by + # the use of this output module as it uses the SHA256 as the + # file naming scheme. + #force-hash: [sha1, md5] + # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + # output module to store extracted files to disk (old style, deprecated) # # The files are stored to the log-dir in a format "file." where is # an incrementing number starting at 1. For each file "file." a meta - # file "file..meta" is created. + # file "file..meta" is created. Before they are finalized, they will + # have a ".tmp" suffix to indicate that they are still being processed. + # + # If include-pid is yes, then the files are instead "file..", with + # meta files named as "file...meta" # # File extraction depends on a lot of things to be fully done: # - file-store stream-depth. For optimal results, set this to 0 (unlimited) @@ -419,8 +521,15 @@ outputs: # perform file extraction. Set to 0 for unlimited. #stream-depth: 0 #waldo: file.waldo # waldo file to store the file_id across runs + # uncomment to disable meta file writing + #write-meta: no + # uncomment the following variable to define how many files can + # remain open for filestore by Suricata. Default value is 0 which + # means files get closed after each write + #max-open-files: 1000 + include-pid: no # set to yes to include pid in file names - # output module to log files tracked in a easily parsable json format + # output module to log files tracked in a easily parsable JSON format - file-log: enabled: no filename: files-json.log @@ -457,7 +566,7 @@ outputs: # Lua Output Support - execute lua script to generate alert and event # output. # Documented at: - # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output + # https://suricata.readthedocs.io/en/latest/output/lua-output.html - lua: enabled: no #scripts-dir: /etc/suricata/lua-output/ @@ -471,20 +580,20 @@ logging: # Note that debug level logging will only be emitted if Suricata was # compiled with the --enable-debug configure option. # - # This value is overriden by the SC_LOG_LEVEL env var. + # This value is overridden by the SC_LOG_LEVEL env var. default-log-level: notice # The default output format. Optional parameter, should default to - # something reasonable if not provided. Can be overriden in an + # something reasonable if not provided. Can be overridden in an # output section. You can leave this out to get the default. # - # This value is overriden by the SC_LOG_FORMAT env var. + # This value is overridden by the SC_LOG_FORMAT env var. #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " # A regex to filter output. Can be overridden in an output section. # Defaults to empty (no filter). # - # This value is overriden by the SC_LOG_OP_FILTER env var. + # This value is overridden by the SC_LOG_OP_FILTER env var. default-output-filter: # Define your logging outputs. If none are defined, or they are all @@ -510,7 +619,7 @@ logging: ## ## See "Advanced Capture Options" below for more options, including NETMAP ## and PF_RING. -##" +## # Linux high speed capture support af-packet: @@ -531,6 +640,8 @@ af-packet: # Requires at least Linux 3.14. # * cluster_rollover: kernel rotates between sockets filling each socket before moving # to the next. Requires at least Linux 3.10. + # * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for + # more info. # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system # with capture card using RSS (require cpu affinity tuning and system irq tuning) cluster-type: cluster_flow @@ -543,10 +654,11 @@ af-packet: #rollover: yes # To use the ring feature of AF_PACKET, set 'use-mmap' to yes #use-mmap: yes - # Lock memory map to avoid it goes to swap. Be careful that over suscribing could lock + # Lock memory map to avoid it goes to swap. Be careful that over subscribing could lock # your system #mmap-locked: yes - # Use experimental tpacket_v3 capture mode, only active if use-mmap is true + # Use tpacket_v3 capture mode, only active if use-mmap is true + # Don't use it in IPS or TAP mode as it causes severe latency #tpacket-v3: yes # Ring size will be computed with respect to max_pending_packets and number # of threads. You can set manually the ring size in number of packets by setting @@ -588,6 +700,8 @@ af-packet: # will not be copied. #copy-mode: ips #copy-iface: eth1 + # For eBPF and XDP setup including bypass, filter and load balancing, please + # see doc/userguide/capture/ebpf-xdt.rst for more info. # Put default values here. These will be used for an interface that is not # in the list above. @@ -611,7 +725,7 @@ pcap: # Possible values are: # - yes: checksum validation is forced # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when + # - auto: Suricata uses a statistical approach to detect when # checksum off-loading is used. (default) # Warning: 'checksum-validation' must be set to yes to have any validation #checksum-checks: auto @@ -634,7 +748,7 @@ pcap-file: # Possible values are: # - yes: checksum validation is forced # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when + # - auto: Suricata uses a statistical approach to detect when # checksum off-loading is used. (default) # Warning: 'checksum-validation' must be set to yes to have checksum tested checksum-checks: auto @@ -655,20 +769,37 @@ pcap-file: # "detection-only" enables protocol detection only (parser disabled). app-layer: protocols: + krb5: + enabled: yes + ikev2: + enabled: yes tls: enabled: yes detection-ports: - dp: "443,64297" + dp: 443 + + # Generate JA3 fingerprint from client hello + ja3-fingerprints: yes + + # What to do when the encrypted communications start: + # - default: keep tracking TLS session, check for protocol anomalies, + # inspect tls_* keywords. Disables inspection of unmodified + # 'content' signatures. + # - bypass: stop processing this flow as much as possible. No further + # TLS parsing and inspection. Offload flow bypass to kernel + # or hardware if possible. + # - full: keep tracking and inspection as normal. Unmodified content + # keyword signatures are inspected as well. + # + # For best performance, select 'bypass'. + # + #encrypt-handling: default - # Completely stop processing TLS/SSL session after the handshake - # completed. If bypass is enabled this will also trigger flow - # bypass. If disabled (the default), TLS/SSL session is still - # tracked for Heartbleed and other anomalies. - #no-reassemble: yes dcerpc: enabled: yes ftp: enabled: yes + # memcap: 64mb ssh: enabled: yes smtp: @@ -703,17 +834,26 @@ app-layer: enabled: detection-only msn: enabled: detection-only + # Note: --enable-rust is required for full SMB1/2 support. W/o rust + # only minimal SMB1 support is available. smb: enabled: yes detection-ports: - dp: "137, 138, 139, 445" - # smb2 detection is disabled internally inside the engine. - #smb2: - # enabled: yes + dp: 139, 445 + + # Stream reassembly size for SMB streams. By default track it completely. + #stream-depth: 0 + + # Note: NFS parser depends on Rust support: pass --enable-rust + # to configure. + nfs: + enabled: yes + tftp: + enabled: yes dns: # memcaps. Globally and per flow/state. - #global-memcap: 16mb - #state-memcap: 512kb + global-memcap: 16mb + state-memcap: 512kb # How many unreplied DNS requests are considered a flood. # If the limit is reached, app-layer-event:dns.flooded; will match. @@ -744,7 +884,7 @@ app-layer: # decompressed. Defaults to 2. # # server-config: List of server configurations to use if address matches - # address: List of ip addresses or networks for this block + # address: List of IP addresses or networks for this block # personalitiy: List of personalities used by this block # request-body-limit: Limit reassembly of request body for inspection # by http_client_body & pcre /P option. @@ -793,6 +933,20 @@ app-layer: # auto will use http-body-inline mode in IPS mode, yes or no set it statically http-body-inline: auto + # Decompress SWF files. + # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma + # compress-depth: + # Specifies the maximum amount of data to decompress, + # set 0 for unlimited. + # decompress-depth: + # Specifies the maximum amount of decompressed data to obtain, + # set 0 for unlimited. + swf-decompression: + enabled: yes + type: both + compress-depth: 0 + decompress-depth: 0 + # Take a random value for inspection sizes around the specified value. # This lower the risk of some evasion technics but could lead # detection change between runs. It is set to 'yes' by default. @@ -861,11 +1015,18 @@ app-layer: # SCADA EtherNet/IP and CIP protocol support enip: - enabled: yes + enabled: no detection-ports: dp: 44818 sp: 44818 + # Note: parser depends on Rust support + ntp: + enabled: yes + + dhcp: + enabled: no + # Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256 @@ -881,16 +1042,17 @@ asn1-max-frames: 256 ## # Run suricata as user and group. -run-as: - user: suri - group: suri +#run-as: +# user: suri +# group: suri # Some logging module will use that name in event as identifier. The default # value is the hostname #sensor-name: suricata -# Default pid file. -# Will use this file if no --pidfile in command options. +# Default location of the pid file. The pid file is only used in +# daemon mode (start Suricata with -D). If not running in daemon mode +# the --pidfile command line option must be used to create a pid file. #pid-file: /var/run/suricata.pid # Daemon working directory @@ -898,6 +1060,11 @@ run-as: # Default: "/" #daemon-directory: "/" +# Umask. +# Suricata will use this umask if it is provided. By default it will use the +# umask passed on by the shell. +#umask: 022 + # Suricata core dump configuration. Limits the size of the core dump file to # approximately max-dump. The actual core dump size will be a multiple of the # page size. Core dumps that would be larger than max-dump are truncated. On @@ -910,20 +1077,16 @@ run-as: coredump: max-dump: unlimited -# If suricata box is a router for the sniffed networks, set it to 'router'. If +# If Suricata box is a router for the sniffed networks, set it to 'router'. If # it is a pure sniffing setup, set it to 'sniffer-only'. # If set to auto, the variable is internally switch to 'router' in IPS mode # and 'sniffer-only' in IDS mode. # This feature is currently only used by the reject* keywords. host-mode: auto -# Number of packets preallocated per thread. The default is 1024. A higher number -# will make sure each CPU will be more easily kept busy, but may negatively +# Number of packets preallocated per thread. The default is 1024. A higher number +# will make sure each CPU will be more easily kept busy, but may negatively # impact caching. -# -# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules -# apply. In that case try something like 60000 or more. This is because the CUDA -# pattern matcher buffers and scans as many packets as possible in parallel. #max-pending-packets: 1024 # Runmode the engine should use. Please check --list-runmodes to get the available @@ -938,7 +1101,7 @@ host-mode: auto # round-robin - Flows assigned to threads in a round robin fashion. # active-packets - Flows assigned to threads that have the lowest number of # unprocessed packets (default). -# hash - Flow alloted usihng the address hash. More of a random +# hash - Flow allocated using the address hash. More of a random # technique. Was the default in Suricata 1.2.1 and older. # #autofp-scheduler: active-packets @@ -948,8 +1111,8 @@ host-mode: auto # packet size (MTU + hardware header) on your system. #default-packet-size: 1514 -# Unix command socket can be used to pass commands to suricata. -# An external tool can then connect to get information from suricata +# Unix command socket can be used to pass commands to Suricata. +# An external tool can then connect to get information from Suricata # or trigger some modifications of the engine. Set enabled to yes # to activate the feature. In auto mode, the feature will only be # activated in live capture mode. You can use the filename variable to set @@ -960,7 +1123,7 @@ unix-command: # Magic file. The extension .mgc is added to the value here. #magic-file: /usr/share/file/magic -magic-file: /usr/share/misc/magic.mgc +magic-file: /usr/share/misc/magic.mgc legacy: uricontent: enabled @@ -969,7 +1132,7 @@ legacy: ## Detection settings ## -# Set the order of alerts bassed on actions +# Set the order of alerts based on actions # The default order is pass, drop, reject, alert # action-order: # - pass @@ -1057,10 +1220,10 @@ defrag: # emergency-recovery is the percentage of flows that the engine need to # prune before unsetting the emergency state. The emergency state is activated # when the memcap limit is reached, allowing to create new flows, but -# prunning them with the emergency timeouts (they are defined below). +# pruning them with the emergency timeouts (they are defined below). # If the memcap is reached, the engine will try to prune flows -# with the default timeouts. If it doens't find a flow to prune, it will set -# the emergency bit and it will try again with more agressive timeouts. +# with the default timeouts. If it doesn't find a flow to prune, it will set +# the emergency bit and it will try again with more aggressive timeouts. # If that doesn't work, then it will try to kill the last time seen flows # not in use. # The memcap can be specified in kb, mb, gb. Just a number indicates it's @@ -1083,7 +1246,7 @@ vlan: # Specific timeouts for flows. Here you can specify the timeouts that the # active flows will wait to transit from the current state to another, on each -# protocol. The value of "new" determine the seconds to wait after a hanshake or +# protocol. The value of "new" determine the seconds to wait after a handshake or # stream startup before the engine free the data of that flow it doesn't # change the state to established (usually if we don't receive more packets # of that flow). The value of "established" is the amount of @@ -1144,7 +1307,7 @@ flow-timeouts: # # packet. If csum validation is specified as # # "yes", then packet with invalid csum will not # # be processed by the engine stream/app layer. -# # Warning: locally generated trafic can be +# # Warning: locally generated traffic can be # # generated without checksum due to hardware offload # # of checksum. You can control the handling of checksum # # on a per-interface basis via the 'checksum-checks' @@ -1153,6 +1316,7 @@ flow-timeouts: # midstream: false # don't allow midstream session pickups # async-oneside: false # don't enable async stream handling # inline: no # stream inline mode +# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine # max-synack-queued: 5 # Max different SYN/ACKs to queue # bypass: no # Bypass packets when stream.depth is reached # @@ -1164,11 +1328,9 @@ flow-timeouts: # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least # # this size. Can be specified in kb, mb, # # gb. Just a number indicates it's in bytes. -# # The max acceptable size is 4024 bytes. # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least # # this size. Can be specified in kb, mb, # # gb. Just a number indicates it's in bytes. -# # The max acceptable size is 4024 bytes. # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. # # This lower the risk of some evasion technics but could lead # # detection change between runs. It is set to 'yes' by default. @@ -1182,17 +1344,15 @@ flow-timeouts: # # raw is for content inspection by detection # # engine. # -# chunk-prealloc: 250 # Number of preallocated stream chunks. These -# # are used during stream inspection (raw). -# segments: # Settings for reassembly segment pool. -# - size: 4 # Size of the (data)segment for a pool -# prealloc: 256 # Number of segments to prealloc and keep -# # in the pool. -# zero-copy-size: 128 # This option sets in bytes the value at -# # which segment data is passed to the app -# # layer API directly. Data sizes equal to -# # and higher than the value set are passed -# # on directly. +# segment-prealloc: 2048 # number of segments preallocated per thread +# +# check-overlap-different-data: true|false +# # check if a segment contains different data +# # than what we've already seen for that +# # position in the stream. +# # This is enabled automatically if inline mode +# # is used or when stream-event:reassembly_overlap_different_data; +# # is used in a rule. # stream: memcap: 64mb @@ -1206,27 +1366,8 @@ stream: randomize-chunk-size: yes #randomize-chunk-range: 10 #raw: yes - #chunk-prealloc: 250 - #segments: - # - size: 4 - # prealloc: 256 - # - size: 16 - # prealloc: 512 - # - size: 112 - # prealloc: 512 - # - size: 248 - # prealloc: 512 - # - size: 512 - # prealloc: 512 - # - size: 768 - # prealloc: 1024 - # 'from_mtu' means that the size is mtu - 40, - # or 1460 if mtu couldn't be determined. - # - size: from_mtu - # prealloc: 1024 - # - size: 65535 - # prealloc: 128 - #zero-copy-size: 128 + #segment-prealloc: 2048 + #check-overlap-different-data: true # Host table: # @@ -1246,6 +1387,14 @@ host: # prealloc: 1000 # memcap: 32mb +# Decoder settings + +decoder: + # Teredo decoder is known to not be completely accurate + # it will sometimes detect non-teredo as teredo. + teredo: + enabled: true + ## ## Performance tuning and profiling @@ -1312,7 +1461,6 @@ detect: # The supported algorithms are: # "ac" - Aho-Corasick, default implementation # "ac-bs" - Aho-Corasick, reduced memory implementation -# "ac-cuda" - Aho-Corasick, CUDA implementation # "ac-ks" - Aho-Corasick, "Ken Steele" variant # "hs" - Hyperscan, available when built with Hyperscan support # @@ -1325,10 +1473,6 @@ detect: # to be set to "single", because of ac's memory requirements, unless the # ruleset is small enough to fit in one's memory, in which case one can # use "full" with "ac". Rest of the mpms can be run in "full" mode. -# -# There is also a CUDA pattern matcher (only available if Suricata was -# compiled with --enable-cuda: b2g_cuda. Make sure to update your -# max-pending-packets setting above as well if you use b2g_cuda. mpm-algo: auto @@ -1357,9 +1501,9 @@ threading: # cpu-affinity: - management-cpu-set: - cpu: [ 0 ] # include only these cpus in affinity settings + cpu: [ 0 ] # include only these CPUs in affinity settings - receive-cpu-set: - cpu: [ 0 ] # include only these cpus in affinity settings + cpu: [ 0 ] # include only these CPUs in affinity settings - worker-cpu-set: cpu: [ "all" ] mode: "exclusive" @@ -1409,28 +1553,34 @@ profiling: # Profiling can be disabled here, but it will still have a # performance impact if compiled in. - enabled: yes + enabled: no filename: rule_perf.log append: yes # Sort options: ticks, avgticks, checks, matches, maxticks - sort: avgticks + # If commented out all the sort options will be used. + #sort: avgticks - # Limit the number of items printed at exit (ignored for json). - limit: 100 + # Limit the number of sids for which stats are shown at exit (per sort). + limit: 10 # output to json json: yes # per keyword profiling keywords: - enabled: yes + enabled: no filename: keyword_perf.log append: yes + prefilter: + enabled: no + filename: prefilter_perf.log + append: yes + # per rulegroup profiling rulegroups: - enabled: yes + enabled: no filename: rule_group_perf.log append: yes @@ -1439,7 +1589,7 @@ profiling: # Profiling can be disabled here, but it will still have a # performance impact if compiled in. - enabled: yes + enabled: no filename: packet_stats.log append: yes @@ -1469,7 +1619,7 @@ profiling: # When running in NFQ inline mode, it is possible to use a simulated # non-terminal NFQUEUE verdict. -# This permit to do send all needed packet to suricata via this a rule: +# This permit to do send all needed packet to Suricata via this a rule: # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE # And below, you can have your standard filtering ruleset. To activate # this mode, you need to set mode to 'repeat' @@ -1478,7 +1628,7 @@ profiling: # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance # by processing several packets before sending a verdict (worker runmode only). # On linux >= 3.6, you can set the fail-open option to yes to have the kernel -# accept the packet if suricata is not able to keep pace. +# accept the packet if Suricata is not able to keep pace. # bypass mark and mask can be used to implement NFQ bypass. If bypass mark is # set then the NFQ bypass is activated. Suricata will set the bypass mark/mask # on packet of a flow that need to be bypassed. The Nefilter ruleset has to @@ -1516,17 +1666,17 @@ nflog: # general settings affecting packet capture capture: - # disable NIC offloading. It's restored when Suricata exists. - # Enabled by default + # disable NIC offloading. It's restored when Suricata exits. + # Enabled by default. #disable-offloading: false # # disable checksum validation. Same as setting '-k none' on the - # commandline + # commandline. #checksum-validation: none # Netmap support # -# Netmap operates with NIC directly in driver, so you need FreeBSD wich have +# Netmap operates with NIC directly in driver, so you need FreeBSD which have # built-in netmap support or compile and install netmap module and appropriate # NIC driver on your Linux system. # To reach maximum throughput disable all receive-, segmentation-, @@ -1561,7 +1711,7 @@ netmap: # Possible values are: # - yes: checksum validation is forced # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when + # - auto: Suricata uses a statistical approach to detect when # checksum off-loading is used. # Warning: 'checksum-validation' must be set to yes to have any validation #checksum-checks: auto @@ -1578,9 +1728,9 @@ netmap: # for more info see http://www.ntop.org/products/pf_ring/ pfring: - interface: eth0 - # Number of receive threads (>1 will enable experimental flow pinned - # runmode) - threads: 1 + # Number of receive threads. If set to 'auto' Suricata will first try + # to use CPU (core) count and otherwise RSS queue count. + threads: auto # Default clusterid. PF_RING will load balance packets based on flow. # All threads/processes that will participate need to have the same @@ -1590,8 +1740,15 @@ pfring: # Default PF_RING cluster type. PF_RING can load balance per flow. # Possible values are cluster_flow or cluster_round_robin. cluster-type: cluster_flow + # bpf filter for this interface #bpf-filter: tcp + + # If bypass is set then the PF_RING hw bypass is activated, when supported + # by the interface in use. Suricata will instruct the interface to bypass + # all future packets for a flow that need to be bypassed. + #bypass: yes + # Choose checksum verification mode for the interface. At the moment # of the capture, some packets may be with an invalid checksum due to # offloading to the network card of the checksum computation. @@ -1599,7 +1756,7 @@ pfring: # - rxonly: only compute checksum for packets received by network card. # - yes: checksum validation is forced # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when + # - auto: Suricata uses a statistical approach to detect when # checksum off-loading is used. (default) # Warning: 'checksum-validation' must be set to yes to have any validation #checksum-checks: auto @@ -1642,6 +1799,8 @@ ipfw: napatech: # The Host Buffer Allowance for all streams # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) + # This may be enabled when sharing streams with another application. + # Otherwise, it should be turned off. hba: -1 # use_all_streams set to "yes" will query the Napatech service for all configured @@ -1649,8 +1808,11 @@ napatech: # will be used. use-all-streams: yes - # The streams to listen on - streams: [1, 2, 3] + # The streams to listen on. This can be either: + # a list of individual streams (e.g. streams: [0,1,2,3]) + # or + # a range of streams (e.g. streams: ["0-3"]) + streams: ["0-3"] # Tilera mpipe configuration. for use on Tilera TILE-Gx. mpipe: @@ -1680,39 +1842,92 @@ mpipe: size16384: 0 ## -## Hardware accelaration +## Configure Suricata to load Suricata-Update managed rules. +## +## If this section is completely commented out move down to the "Advanced rule +## file configuration". ## -# Cuda configuration. -cuda: - # The "mpm" profile. On not specifying any of these parameters, the engine's - # internal default values are used, which are same as the ones specified in - # in the default conf file. - mpm: - # The minimum length required to buffer data to the gpu. - # Anything below this is MPM'ed on the CPU. - # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. - # A value of 0 indicates there's no limit. - data-buffer-size-min-limit: 0 - # The maximum length for data that we would buffer to the gpu. - # Anything over this is MPM'ed on the CPU. - # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. - data-buffer-size-max-limit: 1500 - # The ring buffer size used by the CudaBuffer API to buffer data. - cudabuffer-buffer-size: 500mb - # The max chunk size that can be sent to the gpu in a single go. - gpu-transfer-size: 50mb - # The timeout limit for batching of packets in microseconds. - batching-timeout: 2000 - # The device to use for the mpm. Currently we don't support load balancing - # on multiple gpus. In case you have multiple devices on your system, you - # can specify the device to use, using this conf. By default we hold 0, to - # specify the first device cuda sees. To find out device-id associated with - # the card(s) on the system run "suricata --list-cuda-cards". - device-id: 0 - # No of Cuda streams used for asynchronous processing. All values > 0 are valid. - # For this option you need a device with Compute Capability > 1.0. - cuda-streams: 2 +#default-rule-path: /var/lib/suricata/rules +#rule-files: +# - suricata.rules + +## +## Advanced rule file configuration. +## +## If this section is completely commented out then your configuration +## is setup for suricata-update as it was most likely bundled and +## installed with Suricata. +## + +default-rule-path: /etc/suricata/rules + +rule-files: + - botcc.rules + - botcc.portgrouped.rules + - ciarmy.rules + - compromised.rules + - drop.rules + - dshield.rules + - emerging-activex.rules + - emerging-attack_response.rules + - emerging-chat.rules + - emerging-current_events.rules + - emerging-dns.rules + - emerging-dos.rules + - emerging-exploit.rules + - emerging-ftp.rules + - emerging-games.rules + - emerging-icmp_info.rules + - emerging-icmp.rules + - emerging-imap.rules + - emerging-inappropriate.rules + - emerging-info.rules + - emerging-malware.rules + - emerging-misc.rules + - emerging-mobile_malware.rules + - emerging-netbios.rules + - emerging-p2p.rules + - emerging-policy.rules + - emerging-pop3.rules + - emerging-rpc.rules + - emerging-scada.rules + #- emerging-scada_special.rules + - emerging-scan.rules + - emerging-shellcode.rules + - emerging-smtp.rules + - emerging-snmp.rules + - emerging-sql.rules + - emerging-telnet.rules + - emerging-tftp.rules + - emerging-trojan.rules + - emerging-user_agents.rules + - emerging-voip.rules + - emerging-web_client.rules + - emerging-web_server.rules + - emerging-web_specific_apps.rules + - emerging-worm.rules + - tor.rules + - decoder-events.rules # available in suricata sources under rules dir + - stream-events.rules # available in suricata sources under rules dir + - http-events.rules # available in suricata sources under rules dir + - smtp-events.rules # available in suricata sources under rules dir + - dns-events.rules # available in suricata sources under rules dir + - tls-events.rules # available in suricata sources under rules dir + - modbus-events.rules # available in suricata sources under rules dir + - app-layer-events.rules # available in suricata sources under rules dir + - dnp3-events.rules # available in suricata sources under rules dir + - ntp-events.rules # available in suricata sources under rules dir + - ipsec-events.rules # available in suricata sources under rules dir + - kerberos-events.rules # available in suricata sources under rules dir + +## +## Auxiliary configuration files. +## + +classification-file: /etc/suricata/rules/classification.config +reference-config-file: /etc/suricata/reference.config +# threshold-file: /etc/suricata/threshold.config ## ## Include other configs diff --git a/docker/suricata/docker-compose.yml b/docker/suricata/docker-compose.yml index 620587f8..b1913e58 100644 --- a/docker/suricata/docker-compose.yml +++ b/docker/suricata/docker-compose.yml @@ -15,6 +15,6 @@ services: - NET_ADMIN - SYS_NICE - NET_RAW - image: "dtagdevsec/suricata:1811" + image: "dtagdevsec/suricata:1903" volumes: - /data/suricata/log:/var/log/suricata diff --git a/docker/tanner/README.md b/docker/tanner/README.md index 49c0cb60..fca244a7 100644 --- a/docker/tanner/README.md +++ b/docker/tanner/README.md @@ -1,4 +1,4 @@ -[![](https://images.microbadger.com/badges/version/dtagdevsec/tanner:1811.svg)](https://microbadger.com/images/dtagdevsec/tanner:1811 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/tanner:1811.svg)](https://microbadger.com/images/dtagdevsec/tanner:1811 "Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/dtagdevsec/tanner:1903.svg)](https://microbadger.com/images/dtagdevsec/tanner:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/tanner:1903.svg)](https://microbadger.com/images/dtagdevsec/tanner:1903 "Get your own image badge on microbadger.com") # Snare / Tanner diff --git a/docker/tanner/docker-compose.yml b/docker/tanner/docker-compose.yml index 8d3ee56a..703946d3 100644 --- a/docker/tanner/docker-compose.yml +++ b/docker/tanner/docker-compose.yml @@ -14,7 +14,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/redis:1811" + image: "dtagdevsec/redis:1903" read_only: true # PHP Sandbox service @@ -26,7 +26,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/phpox:1811" + image: "dtagdevsec/phpox:1903" read_only: true # Tanner API Service @@ -40,7 +40,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/tanner:1811" + image: "dtagdevsec/tanner:1903" read_only: true volumes: - /data/tanner/log:/var/log/tanner @@ -59,7 +59,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/tanner:1811" + image: "dtagdevsec/tanner:1903" command: tannerweb read_only: true volumes: @@ -78,7 +78,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/tanner:1811" + image: "dtagdevsec/tanner:1903" command: tanner read_only: true volumes: @@ -100,6 +100,6 @@ services: - tanner_local ports: - "80:80" - image: "dtagdevsec/snare:1811" + image: "dtagdevsec/snare:1903" depends_on: - tanner diff --git a/etc/compose/collector.yml b/etc/compose/collector.yml index dd5a7f41..5505bb93 100644 --- a/etc/compose/collector.yml +++ b/etc/compose/collector.yml @@ -33,9 +33,10 @@ services: - "443:443" - "993:993" - "995:995" + - "1080:1080" - "5432:5432" - "5900:5900" - image: "dtagdevsec/heralding:1811" + image: "dtagdevsec/heralding:1903" read_only: true volumes: - /data/heralding/log:/var/log/heralding @@ -49,7 +50,7 @@ services: network_mode: "host" cap_add: - NET_ADMIN - image: "dtagdevsec/honeytrap:1811" + image: "dtagdevsec/honeytrap:1903" read_only: true volumes: - /data/honeytrap/attacks:/opt/honeytrap/var/attacks @@ -66,7 +67,7 @@ services: container_name: p0f restart: always network_mode: "host" - image: "dtagdevsec/p0f:1811" + image: "dtagdevsec/p0f:1903" read_only: true volumes: - /data/p0f/log:/var/log/p0f @@ -83,7 +84,7 @@ services: - NET_ADMIN - SYS_NICE - NET_RAW - image: "dtagdevsec/suricata:1811" + image: "dtagdevsec/suricata:1903" volumes: - /data/suricata/log:/var/log/suricata @@ -100,7 +101,7 @@ services: - cyberchef_local ports: - "127.0.0.1:64299:8000" - image: "dtagdevsec/cyberchef:1811" + image: "dtagdevsec/cyberchef:1903" read_only: true #### ELK @@ -124,7 +125,7 @@ services: mem_limit: 4g ports: - "127.0.0.1:64298:9200" - image: "dtagdevsec/elasticsearch:1811" + image: "dtagdevsec/elasticsearch:1903" volumes: - /data:/data @@ -137,7 +138,7 @@ services: condition: service_healthy ports: - "127.0.0.1:64296:5601" - image: "dtagdevsec/kibana:1811" + image: "dtagdevsec/kibana:1903" ## Logstash service logstash: @@ -148,7 +149,7 @@ services: condition: service_healthy env_file: - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/logstash:1811" + image: "dtagdevsec/logstash:1903" volumes: - /data:/data @@ -161,7 +162,7 @@ services: condition: service_healthy ports: - "127.0.0.1:64302:9100" - image: "dtagdevsec/head:1811" + image: "dtagdevsec/head:1903" read_only: true # Ewsposter service @@ -170,9 +171,18 @@ services: restart: always networks: - ewsposter_local + environment: + - EWS_HPFEEDS_ENABLE=false + - EWS_HPFEEDS_HOST=host + - EWS_HPFEEDS_PORT=port + - EWS_HPFEEDS_CHANNELS=channels + - EWS_HPFEEDS_IDENT=user + - EWS_HPFEEDS_SECRET=secret + - EWS_HPFEEDS_TLSCERT=false + - EWS_HPFEEDS_FORMAT=json env_file: - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/ewsposter:1811" + image: "dtagdevsec/ewsposter:1903" volumes: - /data:/data - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip @@ -191,7 +201,7 @@ services: network_mode: "host" ports: - "64297:64297" - image: "dtagdevsec/nginx:1811" + image: "dtagdevsec/nginx:1903" read_only: true volumes: - /data/nginx/cert/:/etc/nginx/cert/:ro @@ -206,6 +216,6 @@ services: - spiderfoot_local ports: - "127.0.0.1:64303:8080" - image: "dtagdevsec/spiderfoot:1811" + image: "dtagdevsec/spiderfoot:1903" volumes: - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db diff --git a/etc/compose/industrial.yml b/etc/compose/industrial.yml index d5d0b200..142892da 100644 --- a/etc/compose/industrial.yml +++ b/etc/compose/industrial.yml @@ -47,7 +47,7 @@ services: - "21:21" - "44818:44818" - "47808:47808" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -69,7 +69,7 @@ services: ports: # - "161:161" - "2404:2404" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -90,7 +90,7 @@ services: - conpot_local_guardian_ast ports: - "10001:10001" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -111,7 +111,7 @@ services: - conpot_local_ipmi ports: - "623:623" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -133,7 +133,7 @@ services: ports: - "1025:1025" - "50100:50100" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -150,7 +150,7 @@ services: ports: - "22:22" - "23:23" - image: "dtagdevsec/cowrie:1811" + image: "dtagdevsec/cowrie:1903" read_only: true volumes: - /data/cowrie/downloads:/home/cowrie/cowrie/dl @@ -179,7 +179,7 @@ services: # - "995:995" # - "5432:5432" - "5900:5900" - image: "dtagdevsec/heralding:1811" + image: "dtagdevsec/heralding:1903" read_only: true volumes: - /data/heralding/log:/var/log/heralding @@ -193,7 +193,7 @@ services: network_mode: "host" cap_add: - NET_ADMIN - image: "dtagdevsec/honeytrap:1811" + image: "dtagdevsec/honeytrap:1903" read_only: true volumes: - /data/honeytrap/attacks:/opt/honeytrap/var/attacks @@ -208,7 +208,7 @@ services: - medpot_local ports: - "2575:2575" - image: "dtagdevsec/medpot:1811" + image: "dtagdevsec/medpot:1903" read_only: true volumes: - /data/medpot/log/:/var/log/medpot @@ -229,7 +229,7 @@ services: - rdpy_local ports: - "3389:3389" - image: "dtagdevsec/rdpy:1811" + image: "dtagdevsec/rdpy:1903" read_only: true volumes: - /data/rdpy/log:/var/log/rdpy @@ -244,7 +244,7 @@ services: container_name: p0f restart: always network_mode: "host" - image: "dtagdevsec/p0f:1811" + image: "dtagdevsec/p0f:1903" read_only: true volumes: - /data/p0f/log:/var/log/p0f @@ -261,7 +261,7 @@ services: - NET_ADMIN - SYS_NICE - NET_RAW - image: "dtagdevsec/suricata:1811" + image: "dtagdevsec/suricata:1903" volumes: - /data/suricata/log:/var/log/suricata @@ -278,7 +278,7 @@ services: - cyberchef_local ports: - "127.0.0.1:64299:8000" - image: "dtagdevsec/cyberchef:1811" + image: "dtagdevsec/cyberchef:1903" read_only: true #### ELK @@ -302,7 +302,7 @@ services: mem_limit: 4g ports: - "127.0.0.1:64298:9200" - image: "dtagdevsec/elasticsearch:1811" + image: "dtagdevsec/elasticsearch:1903" volumes: - /data:/data @@ -315,7 +315,7 @@ services: condition: service_healthy ports: - "127.0.0.1:64296:5601" - image: "dtagdevsec/kibana:1811" + image: "dtagdevsec/kibana:1903" ## Logstash service logstash: @@ -326,7 +326,7 @@ services: condition: service_healthy env_file: - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/logstash:1811" + image: "dtagdevsec/logstash:1903" volumes: - /data:/data @@ -339,7 +339,7 @@ services: condition: service_healthy ports: - "127.0.0.1:64302:9100" - image: "dtagdevsec/head:1811" + image: "dtagdevsec/head:1903" read_only: true # Ewsposter service @@ -348,9 +348,18 @@ services: restart: always networks: - ewsposter_local + environment: + - EWS_HPFEEDS_ENABLE=false + - EWS_HPFEEDS_HOST=host + - EWS_HPFEEDS_PORT=port + - EWS_HPFEEDS_CHANNELS=channels + - EWS_HPFEEDS_IDENT=user + - EWS_HPFEEDS_SECRET=secret + - EWS_HPFEEDS_TLSCERT=false + - EWS_HPFEEDS_FORMAT=json env_file: - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/ewsposter:1811" + image: "dtagdevsec/ewsposter:1903" volumes: - /data:/data - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip @@ -369,7 +378,7 @@ services: network_mode: "host" ports: - "64297:64297" - image: "dtagdevsec/nginx:1811" + image: "dtagdevsec/nginx:1903" read_only: true volumes: - /data/nginx/cert/:/etc/nginx/cert/:ro @@ -384,6 +393,6 @@ services: - spiderfoot_local ports: - "127.0.0.1:64303:8080" - image: "dtagdevsec/spiderfoot:1811" + image: "dtagdevsec/spiderfoot:1903" volumes: - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db diff --git a/etc/compose/legacy.yml b/etc/compose/legacy.yml deleted file mode 100644 index 6af8520a..00000000 --- a/etc/compose/legacy.yml +++ /dev/null @@ -1,329 +0,0 @@ -# T-Pot (Legacy) -# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton) -version: '2.3' - -networks: - cowrie_local: - elasticpot_local: - glastopf_local: - heralding_local: - mailoney_local: - rdpy_local: - ewsposter_local: - spiderfoot_local: - -services: - -################## -#### Honeypots -################## - -# Cowrie service - cowrie: - container_name: cowrie - restart: always - tmpfs: - - /tmp/cowrie:uid=2000,gid=2000 - - /tmp/cowrie/data:uid=2000,gid=2000 - networks: - - cowrie_local - ports: - - "22:22" - - "23:23" - image: "dtagdevsec/cowrie:1811" - read_only: true - volumes: - - /data/cowrie/downloads:/home/cowrie/cowrie/dl - - /data/cowrie/keys:/home/cowrie/cowrie/etc - - /data/cowrie/log:/home/cowrie/cowrie/log - - /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty - -# Dionaea service - dionaea: - container_name: dionaea - stdin_open: true - tty: true - restart: always - network_mode: "host" - ports: - - "20:20" - - "21:21" - - "42:42" - - "69:69/udp" - - "81:81" - - "135:135" - - "443:443" - - "445:445" - - "1433:1433" - - "1723:1723" - - "1883:1883" - - "3306:3306" - - "5060:5060" - - "5060:5060/udp" - - "5061:5061" - - "27017:27017" - image: "dtagdevsec/dionaea:1811" - read_only: true - volumes: - - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp - - /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp - - /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www - - /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp - - /data/dionaea:/opt/dionaea/var/dionaea - - /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries - - /data/dionaea/log:/opt/dionaea/var/log - - /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp - -# Elasticpot service - elasticpot: - container_name: elasticpot - restart: always - networks: - - elasticpot_local - ports: - - "9200:9200" - image: "dtagdevsec/elasticpot:1811" - read_only: true - volumes: - - /data/elasticpot/log:/opt/ElasticpotPY/log - -# Glastopf service - glastopf: - container_name: glastopf - tmpfs: - - /tmp/glastopf:uid=2000,gid=2000 - restart: always - networks: - - glastopf_local - ports: - - "80:80" - image: "dtagdevsec/glastopf:1811" - read_only: true - volumes: - - /data/glastopf/db:/tmp/glastopf/db - - /data/glastopf/log:/tmp/glastopf/log - -# Heralding service - heralding: - container_name: heralding - restart: always - tmpfs: - - /tmp/heralding:uid=2000,gid=2000 - networks: - - heralding_local - ports: - # - "21:21" - # - "22:22" - # - "23:23" - # - "25:25" - # - "80:80" - # - "110:110" - # - "143:143" - # - "443:443" - # - "993:993" - # - "995:995" - # - "5432:5432" - - "5900:5900" - image: "dtagdevsec/heralding:1811" - read_only: true - volumes: - - /data/heralding/log:/var/log/heralding - -# Honeytrap service - honeytrap: - container_name: honeytrap - restart: always - tmpfs: - - /tmp/honeytrap:uid=2000,gid=2000 - network_mode: "host" - cap_add: - - NET_ADMIN - image: "dtagdevsec/honeytrap:1811" - read_only: true - volumes: - - /data/honeytrap/attacks:/opt/honeytrap/var/attacks - - /data/honeytrap/downloads:/opt/honeytrap/var/downloads - - /data/honeytrap/log:/opt/honeytrap/var/log - -# Mailoney service - mailoney: - container_name: mailoney - restart: always - environment: - - HPFEEDS_SERVER= - - HPFEEDS_IDENT=user - - HPFEEDS_SECRET=pass - - HPFEEDS_PORT=20000 - - HPFEEDS_CHANNELPREFIX=prefix - networks: - - mailoney_local - ports: - - "25:25" - image: "dtagdevsec/mailoney:1811" - read_only: true - volumes: - - /data/mailoney/log:/opt/mailoney/logs - -# Rdpy service - rdpy: - container_name: rdpy - extra_hosts: - - hpfeeds.example.com:127.0.0.1 - restart: always - environment: - - HPFEEDS_SERVER=hpfeeds.example.com - - HPFEEDS_IDENT=user - - HPFEEDS_SECRET=pass - - HPFEEDS_PORT=65000 - - SERVERID=id - networks: - - rdpy_local - ports: - - "3389:3389" - image: "dtagdevsec/rdpy:1811" - read_only: true - volumes: - - /data/rdpy/log:/var/log/rdpy - - -################## -#### NSM -################## - -# P0f service - p0f: - container_name: p0f - restart: always - network_mode: "host" - image: "dtagdevsec/p0f:1811" - read_only: true - volumes: - - /data/p0f/log:/var/log/p0f - -# Suricata service - suricata: - container_name: suricata - restart: always - environment: - # For ET Pro ruleset replace "OPEN" with your OINKCODE - - OINKCODE=OPEN - network_mode: "host" - cap_add: - - NET_ADMIN - - SYS_NICE - - NET_RAW - image: "dtagdevsec/suricata:1811" - volumes: - - /data/suricata/log:/var/log/suricata - - -################## -#### Tools -################## - -#### ELK -## Elasticsearch service - elasticsearch: - container_name: elasticsearch - restart: always - environment: - - bootstrap.memory_lock=true - - ES_JAVA_OPTS=-Xms1024m -Xmx1024m - - ES_TMPDIR=/tmp - cap_add: - - IPC_LOCK - ulimits: - memlock: - soft: -1 - hard: -1 - nofile: - soft: 65536 - hard: 65536 - mem_limit: 4g - ports: - - "127.0.0.1:64298:9200" - image: "dtagdevsec/elasticsearch:1811" - volumes: - - /data:/data - -## Kibana service - kibana: - container_name: kibana - restart: always - depends_on: - elasticsearch: - condition: service_healthy - ports: - - "127.0.0.1:64296:5601" - image: "dtagdevsec/kibana:1811" - -## Logstash service - logstash: - container_name: logstash - restart: always - depends_on: - elasticsearch: - condition: service_healthy - env_file: - - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/logstash:1811" - volumes: - - /data:/data - -## Elasticsearch-head service - head: - container_name: head - restart: always - depends_on: - elasticsearch: - condition: service_healthy - ports: - - "127.0.0.1:64302:9100" - image: "dtagdevsec/head:1811" - read_only: true - -# Ewsposter service - ewsposter: - container_name: ewsposter - restart: always - networks: - - ewsposter_local - env_file: - - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/ewsposter:1811" - volumes: - - /data:/data - - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip - -# Nginx service - nginx: - container_name: nginx - restart: always - tmpfs: - - /var/tmp/nginx/client_body - - /var/tmp/nginx/proxy - - /var/tmp/nginx/fastcgi - - /var/tmp/nginx/uwsgi - - /var/tmp/nginx/scgi - - /run - network_mode: "host" - ports: - - "64297:64297" - image: "dtagdevsec/nginx:1811" - read_only: true - volumes: - - /data/nginx/cert/:/etc/nginx/cert/:ro - - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro - - /data/nginx/log/:/var/log/nginx/ - -# Spiderfoot service - spiderfoot: - container_name: spiderfoot - restart: always - networks: - - spiderfoot_local - ports: - - "127.0.0.1:64303:8080" - image: "dtagdevsec/spiderfoot:1811" - volumes: - - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db diff --git a/etc/compose/nextgen.yml b/etc/compose/nextgen.yml index 370a9a64..ec037eec 100644 --- a/etc/compose/nextgen.yml +++ b/etc/compose/nextgen.yml @@ -10,8 +10,8 @@ networks: conpot_local_kamstrup_382: cowrie_local: cyberchef_local: - elasticpot_local: heralding_local: + honeypy_local: mailoney_local: medpot_local: rdpy_local: @@ -33,7 +33,7 @@ services: - adbhoney_local ports: - "5555:5555" - image: "dtagdevsec/adbhoney:1811" + image: "dtagdevsec/adbhoney:1903" read_only: true volumes: - /data/adbhoney/log:/opt/adbhoney/log @@ -49,7 +49,7 @@ services: ports: - "5000:5000/udp" - "8443:8443" - image: "dtagdevsec/ciscoasa:1811" + image: "dtagdevsec/ciscoasa:1903" read_only: true volumes: - /data/ciscoasa/log:/var/log/ciscoasa @@ -71,7 +71,7 @@ services: ports: - "161:161" - "2404:2404" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -92,7 +92,7 @@ services: - conpot_local_guardian_ast ports: - "10001:10001" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -113,7 +113,7 @@ services: - conpot_local_ipmi ports: - "623:623" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -135,7 +135,7 @@ services: ports: - "1025:1025" - "50100:50100" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -152,7 +152,7 @@ services: ports: - "22:22" - "23:23" - image: "dtagdevsec/cowrie:1811" + image: "dtagdevsec/cowrie:1903" read_only: true volumes: - /data/cowrie/downloads:/home/cowrie/cowrie/dl @@ -184,7 +184,7 @@ services: - "5060:5060/udp" - "5061:5061" - "27017:27017" - image: "dtagdevsec/dionaea:1811" + image: "dtagdevsec/dionaea:1903" read_only: true volumes: - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp @@ -196,18 +196,22 @@ services: - /data/dionaea/log:/opt/dionaea/var/log - /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp -# Elasticpot service - elasticpot: - container_name: elasticpot +# Glutton service + glutton: + build: . + container_name: glutton restart: always - networks: - - elasticpot_local - ports: - - "9200:9200" - image: "dtagdevsec/elasticpot:1811" + tmpfs: + - /var/lib/glutton:uid=2000,gid=2000 + - /run:uid=2000,gid=2000 + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/glutton:1903" read_only: true volumes: - - /data/elasticpot/log:/opt/ElasticpotPY/log + - /data/glutton/log:/var/log/glutton +# - /root/tpotce/docker/glutton/dist/rules.yaml:/opt/glutton/rules/rules.yaml # Heralding service heralding: @@ -228,29 +232,33 @@ services: # - "443:443" - "993:993" - "995:995" + - "1080:1080" - "5432:5432" - "5900:5900" - image: "dtagdevsec/heralding:1811" + image: "dtagdevsec/heralding:1903" read_only: true volumes: - /data/heralding/log:/var/log/heralding -# Glutton service - glutton: +# HoneyPy service + honeypy: build: . - container_name: glutton + container_name: honeypy restart: always - tmpfs: - - /var/lib/glutton:uid=2000,gid=2000 - - /run:uid=2000,gid=2000 - network_mode: "host" - cap_add: - - NET_ADMIN - image: "dtagdevsec/glutton:1811" + networks: + - honeypy_local + ports: + - "7:7" + - "8:8" + - "2048:2048" + - "2323:2323" + - "2324:2324" + - "4096:4096" + - "9200:9200" + image: "dtagdevsec/honeypy:1903" read_only: true volumes: - - /data/glutton/log:/var/log/glutton -# - /root/tpotce/docker/glutton/dist/rules.yaml:/opt/glutton/rules/rules.yaml + - /data/honeypy/log:/opt/honeypy/log # Mailoney service mailoney: @@ -266,7 +274,7 @@ services: - mailoney_local ports: - "25:25" - image: "dtagdevsec/mailoney:1811" + image: "dtagdevsec/mailoney:1903" read_only: true volumes: - /data/mailoney/log:/opt/mailoney/logs @@ -279,7 +287,7 @@ services: - medpot_local ports: - "2575:2575" - image: "dtagdevsec/medpot:1811" + image: "dtagdevsec/medpot:1903" read_only: true volumes: - /data/medpot/log/:/var/log/medpot @@ -300,7 +308,7 @@ services: - rdpy_local ports: - "3389:3389" - image: "dtagdevsec/rdpy:1811" + image: "dtagdevsec/rdpy:1903" read_only: true volumes: - /data/rdpy/log:/var/log/rdpy @@ -313,7 +321,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/redis:1811" + image: "dtagdevsec/redis:1903" read_only: true ## PHP Sandbox service @@ -323,7 +331,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/phpox:1811" + image: "dtagdevsec/phpox:1903" read_only: true ## Tanner API Service @@ -335,7 +343,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/tanner:1811" + image: "dtagdevsec/tanner:1903" read_only: true volumes: - /data/tanner/log:/var/log/tanner @@ -352,7 +360,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/tanner:1811" + image: "dtagdevsec/tanner:1903" command: tannerweb read_only: true volumes: @@ -369,7 +377,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/tanner:1811" + image: "dtagdevsec/tanner:1903" command: tanner read_only: true volumes: @@ -389,7 +397,7 @@ services: - tanner_local ports: - "80:80" - image: "dtagdevsec/snare:1811" + image: "dtagdevsec/snare:1903" depends_on: - tanner @@ -403,7 +411,7 @@ services: container_name: p0f restart: always network_mode: "host" - image: "dtagdevsec/p0f:1811" + image: "dtagdevsec/p0f:1903" read_only: true volumes: - /data/p0f/log:/var/log/p0f @@ -420,7 +428,7 @@ services: - NET_ADMIN - SYS_NICE - NET_RAW - image: "dtagdevsec/suricata:1811" + image: "dtagdevsec/suricata:1903" volumes: - /data/suricata/log:/var/log/suricata @@ -437,7 +445,7 @@ services: - cyberchef_local ports: - "127.0.0.1:64299:8000" - image: "dtagdevsec/cyberchef:1811" + image: "dtagdevsec/cyberchef:1903" read_only: true #### ELK @@ -461,7 +469,7 @@ services: mem_limit: 4g ports: - "127.0.0.1:64298:9200" - image: "dtagdevsec/elasticsearch:1811" + image: "dtagdevsec/elasticsearch:1903" volumes: - /data:/data @@ -474,7 +482,7 @@ services: condition: service_healthy ports: - "127.0.0.1:64296:5601" - image: "dtagdevsec/kibana:1811" + image: "dtagdevsec/kibana:1903" ## Logstash service logstash: @@ -485,7 +493,7 @@ services: condition: service_healthy env_file: - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/logstash:1811" + image: "dtagdevsec/logstash:1903" volumes: - /data:/data @@ -498,7 +506,7 @@ services: condition: service_healthy ports: - "127.0.0.1:64302:9100" - image: "dtagdevsec/head:1811" + image: "dtagdevsec/head:1903" read_only: true # Ewsposter service @@ -507,9 +515,18 @@ services: restart: always networks: - ewsposter_local + environment: + - EWS_HPFEEDS_ENABLE=false + - EWS_HPFEEDS_HOST=host + - EWS_HPFEEDS_PORT=port + - EWS_HPFEEDS_CHANNELS=channels + - EWS_HPFEEDS_IDENT=user + - EWS_HPFEEDS_SECRET=secret + - EWS_HPFEEDS_TLSCERT=false + - EWS_HPFEEDS_FORMAT=json env_file: - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/ewsposter:1811" + image: "dtagdevsec/ewsposter:1903" volumes: - /data:/data - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip @@ -528,7 +545,7 @@ services: network_mode: "host" ports: - "64297:64297" - image: "dtagdevsec/nginx:1811" + image: "dtagdevsec/nginx:1903" read_only: true volumes: - /data/nginx/cert/:/etc/nginx/cert/:ro @@ -543,6 +560,6 @@ services: - spiderfoot_local ports: - "127.0.0.1:64303:8080" - image: "dtagdevsec/spiderfoot:1811" + image: "dtagdevsec/spiderfoot:1903" volumes: - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db diff --git a/etc/compose/sensor.yml b/etc/compose/sensor.yml index b631a9d2..17e76d2f 100644 --- a/etc/compose/sensor.yml +++ b/etc/compose/sensor.yml @@ -32,7 +32,7 @@ services: - adbhoney_local ports: - "5555:5555" - image: "dtagdevsec/adbhoney:1811" + image: "dtagdevsec/adbhoney:1903" read_only: true volumes: - /data/adbhoney/log:/opt/adbhoney/log @@ -48,7 +48,7 @@ services: ports: - "5000:5000/udp" - "8443:8443" - image: "dtagdevsec/ciscoasa:1811" + image: "dtagdevsec/ciscoasa:1903" read_only: true volumes: - /data/ciscoasa/log:/var/log/ciscoasa @@ -70,7 +70,7 @@ services: ports: - "161:161" - "2404:2404" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -91,7 +91,7 @@ services: - conpot_local_guardian_ast ports: - "10001:10001" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -112,7 +112,7 @@ services: - conpot_local_ipmi ports: - "623:623" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -134,7 +134,7 @@ services: ports: - "1025:1025" - "50100:50100" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -151,7 +151,7 @@ services: ports: - "22:22" - "23:23" - image: "dtagdevsec/cowrie:1811" + image: "dtagdevsec/cowrie:1903" read_only: true volumes: - /data/cowrie/downloads:/home/cowrie/cowrie/dl @@ -183,7 +183,7 @@ services: - "5060:5060/udp" - "5061:5061" - "27017:27017" - image: "dtagdevsec/dionaea:1811" + image: "dtagdevsec/dionaea:1903" read_only: true volumes: - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp @@ -203,7 +203,7 @@ services: - elasticpot_local ports: - "9200:9200" - image: "dtagdevsec/elasticpot:1811" + image: "dtagdevsec/elasticpot:1903" read_only: true volumes: - /data/elasticpot/log:/opt/ElasticpotPY/log @@ -227,9 +227,10 @@ services: # - "443:443" - "993:993" - "995:995" + - "1080:1080" - "5432:5432" - "5900:5900" - image: "dtagdevsec/heralding:1811" + image: "dtagdevsec/heralding:1903" read_only: true volumes: - /data/heralding/log:/var/log/heralding @@ -243,7 +244,7 @@ services: network_mode: "host" cap_add: - NET_ADMIN - image: "dtagdevsec/honeytrap:1811" + image: "dtagdevsec/honeytrap:1903" read_only: true volumes: - /data/honeytrap/attacks:/opt/honeytrap/var/attacks @@ -264,7 +265,7 @@ services: - mailoney_local ports: - "25:25" - image: "dtagdevsec/mailoney:1811" + image: "dtagdevsec/mailoney:1903" read_only: true volumes: - /data/mailoney/log:/opt/mailoney/logs @@ -277,7 +278,7 @@ services: - medpot_local ports: - "2575:2575" - image: "dtagdevsec/medpot:1811" + image: "dtagdevsec/medpot:1903" read_only: true volumes: - /data/medpot/log/:/var/log/medpot @@ -298,7 +299,7 @@ services: - rdpy_local ports: - "3389:3389" - image: "dtagdevsec/rdpy:1811" + image: "dtagdevsec/rdpy:1903" read_only: true volumes: - /data/rdpy/log:/var/log/rdpy @@ -311,7 +312,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/redis:1811" + image: "dtagdevsec/redis:1903" read_only: true ## PHP Sandbox service @@ -321,7 +322,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/phpox:1811" + image: "dtagdevsec/phpox:1903" read_only: true ## Tanner API Service @@ -333,7 +334,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/tanner:1811" + image: "dtagdevsec/tanner:1903" read_only: true volumes: - /data/tanner/log:/var/log/tanner @@ -350,7 +351,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/tanner:1811" + image: "dtagdevsec/tanner:1903" command: tannerweb read_only: true volumes: @@ -367,7 +368,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/tanner:1811" + image: "dtagdevsec/tanner:1903" command: tanner read_only: true volumes: @@ -387,7 +388,7 @@ services: - tanner_local ports: - "80:80" - image: "dtagdevsec/snare:1811" + image: "dtagdevsec/snare:1903" depends_on: - tanner @@ -401,7 +402,7 @@ services: container_name: p0f restart: always network_mode: "host" - image: "dtagdevsec/p0f:1811" + image: "dtagdevsec/p0f:1903" read_only: true volumes: - /data/p0f/log:/var/log/p0f @@ -418,7 +419,7 @@ services: - NET_ADMIN - SYS_NICE - NET_RAW - image: "dtagdevsec/suricata:1811" + image: "dtagdevsec/suricata:1903" volumes: - /data/suricata/log:/var/log/suricata @@ -433,9 +434,18 @@ services: restart: always networks: - ewsposter_local + environment: + - EWS_HPFEEDS_ENABLE=false + - EWS_HPFEEDS_HOST=host + - EWS_HPFEEDS_PORT=port + - EWS_HPFEEDS_CHANNELS=channels + - EWS_HPFEEDS_IDENT=user + - EWS_HPFEEDS_SECRET=secret + - EWS_HPFEEDS_TLSCERT=false + - EWS_HPFEEDS_FORMAT=json env_file: - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/ewsposter:1811" + image: "dtagdevsec/ewsposter:1903" volumes: - /data:/data - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip diff --git a/etc/compose/standard.yml b/etc/compose/standard.yml index 27f02022..be0c2e3f 100644 --- a/etc/compose/standard.yml +++ b/etc/compose/standard.yml @@ -33,7 +33,7 @@ services: - adbhoney_local ports: - "5555:5555" - image: "dtagdevsec/adbhoney:1811" + image: "dtagdevsec/adbhoney:1903" read_only: true volumes: - /data/adbhoney/log:/opt/adbhoney/log @@ -49,7 +49,7 @@ services: ports: - "5000:5000/udp" - "8443:8443" - image: "dtagdevsec/ciscoasa:1811" + image: "dtagdevsec/ciscoasa:1903" read_only: true volumes: - /data/ciscoasa/log:/var/log/ciscoasa @@ -71,7 +71,7 @@ services: ports: - "161:161" - "2404:2404" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -92,7 +92,7 @@ services: - conpot_local_guardian_ast ports: - "10001:10001" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -113,7 +113,7 @@ services: - conpot_local_ipmi ports: - "623:623" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -135,7 +135,7 @@ services: ports: - "1025:1025" - "50100:50100" - image: "dtagdevsec/conpot:1811" + image: "dtagdevsec/conpot:1903" read_only: true volumes: - /data/conpot/log:/var/log/conpot @@ -152,7 +152,7 @@ services: ports: - "22:22" - "23:23" - image: "dtagdevsec/cowrie:1811" + image: "dtagdevsec/cowrie:1903" read_only: true volumes: - /data/cowrie/downloads:/home/cowrie/cowrie/dl @@ -184,7 +184,7 @@ services: - "5060:5060/udp" - "5061:5061" - "27017:27017" - image: "dtagdevsec/dionaea:1811" + image: "dtagdevsec/dionaea:1903" read_only: true volumes: - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp @@ -204,7 +204,7 @@ services: - elasticpot_local ports: - "9200:9200" - image: "dtagdevsec/elasticpot:1811" + image: "dtagdevsec/elasticpot:1903" read_only: true volumes: - /data/elasticpot/log:/opt/ElasticpotPY/log @@ -228,9 +228,10 @@ services: # - "443:443" - "993:993" - "995:995" + - "1080:1080" - "5432:5432" - "5900:5900" - image: "dtagdevsec/heralding:1811" + image: "dtagdevsec/heralding:1903" read_only: true volumes: - /data/heralding/log:/var/log/heralding @@ -244,7 +245,7 @@ services: network_mode: "host" cap_add: - NET_ADMIN - image: "dtagdevsec/honeytrap:1811" + image: "dtagdevsec/honeytrap:1903" read_only: true volumes: - /data/honeytrap/attacks:/opt/honeytrap/var/attacks @@ -265,7 +266,7 @@ services: - mailoney_local ports: - "25:25" - image: "dtagdevsec/mailoney:1811" + image: "dtagdevsec/mailoney:1903" read_only: true volumes: - /data/mailoney/log:/opt/mailoney/logs @@ -278,7 +279,7 @@ services: - medpot_local ports: - "2575:2575" - image: "dtagdevsec/medpot:1811" + image: "dtagdevsec/medpot:1903" read_only: true volumes: - /data/medpot/log/:/var/log/medpot @@ -299,7 +300,7 @@ services: - rdpy_local ports: - "3389:3389" - image: "dtagdevsec/rdpy:1811" + image: "dtagdevsec/rdpy:1903" read_only: true volumes: - /data/rdpy/log:/var/log/rdpy @@ -312,7 +313,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/redis:1811" + image: "dtagdevsec/redis:1903" read_only: true ## PHP Sandbox service @@ -322,7 +323,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/phpox:1811" + image: "dtagdevsec/phpox:1903" read_only: true ## Tanner API Service @@ -334,7 +335,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/tanner:1811" + image: "dtagdevsec/tanner:1903" read_only: true volumes: - /data/tanner/log:/var/log/tanner @@ -351,7 +352,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/tanner:1811" + image: "dtagdevsec/tanner:1903" command: tannerweb read_only: true volumes: @@ -368,7 +369,7 @@ services: tty: true networks: - tanner_local - image: "dtagdevsec/tanner:1811" + image: "dtagdevsec/tanner:1903" command: tanner read_only: true volumes: @@ -388,7 +389,7 @@ services: - tanner_local ports: - "80:80" - image: "dtagdevsec/snare:1811" + image: "dtagdevsec/snare:1903" depends_on: - tanner @@ -402,7 +403,7 @@ services: container_name: p0f restart: always network_mode: "host" - image: "dtagdevsec/p0f:1811" + image: "dtagdevsec/p0f:1903" read_only: true volumes: - /data/p0f/log:/var/log/p0f @@ -419,7 +420,7 @@ services: - NET_ADMIN - SYS_NICE - NET_RAW - image: "dtagdevsec/suricata:1811" + image: "dtagdevsec/suricata:1903" volumes: - /data/suricata/log:/var/log/suricata @@ -436,7 +437,7 @@ services: - cyberchef_local ports: - "127.0.0.1:64299:8000" - image: "dtagdevsec/cyberchef:1811" + image: "dtagdevsec/cyberchef:1903" read_only: true #### ELK @@ -460,7 +461,7 @@ services: mem_limit: 4g ports: - "127.0.0.1:64298:9200" - image: "dtagdevsec/elasticsearch:1811" + image: "dtagdevsec/elasticsearch:1903" volumes: - /data:/data @@ -473,7 +474,7 @@ services: condition: service_healthy ports: - "127.0.0.1:64296:5601" - image: "dtagdevsec/kibana:1811" + image: "dtagdevsec/kibana:1903" ## Logstash service logstash: @@ -484,7 +485,7 @@ services: condition: service_healthy env_file: - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/logstash:1811" + image: "dtagdevsec/logstash:1903" volumes: - /data:/data @@ -497,7 +498,7 @@ services: condition: service_healthy ports: - "127.0.0.1:64302:9100" - image: "dtagdevsec/head:1811" + image: "dtagdevsec/head:1903" read_only: true # Ewsposter service @@ -506,9 +507,18 @@ services: restart: always networks: - ewsposter_local + environment: + - EWS_HPFEEDS_ENABLE=false + - EWS_HPFEEDS_HOST=host + - EWS_HPFEEDS_PORT=port + - EWS_HPFEEDS_CHANNELS=channels + - EWS_HPFEEDS_IDENT=user + - EWS_HPFEEDS_SECRET=secret + - EWS_HPFEEDS_TLSCERT=false + - EWS_HPFEEDS_FORMAT=json env_file: - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/ewsposter:1811" + image: "dtagdevsec/ewsposter:1903" volumes: - /data:/data - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip @@ -527,7 +537,7 @@ services: network_mode: "host" ports: - "64297:64297" - image: "dtagdevsec/nginx:1811" + image: "dtagdevsec/nginx:1903" read_only: true volumes: - /data/nginx/cert/:/etc/nginx/cert/:ro @@ -542,6 +552,6 @@ services: - spiderfoot_local ports: - "127.0.0.1:64303:8080" - image: "dtagdevsec/spiderfoot:1811" + image: "dtagdevsec/spiderfoot:1903" volumes: - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db diff --git a/etc/logrotate/logrotate.conf b/etc/logrotate/logrotate.conf index 5d2b44c1..556ca096 100644 --- a/etc/logrotate/logrotate.conf +++ b/etc/logrotate/logrotate.conf @@ -22,6 +22,7 @@ /data/glutton/log/*.err /data/heralding/log/*.log /data/heralding/log/*.csv +/data/honeypy/log/*.log /data/honeytrap/log/*.log /data/honeytrap/log/*.json /data/honeytrap/attacks.tgz diff --git a/etc/objects/elkbase.tgz b/etc/objects/elkbase.tgz index 4332bffa..b26dfc83 100644 Binary files a/etc/objects/elkbase.tgz and b/etc/objects/elkbase.tgz differ diff --git a/etc/objects/kibana-objects.tgz b/etc/objects/kibana-objects.tgz index f4bba79f..62b5bbe1 100644 Binary files a/etc/objects/kibana-objects.tgz and b/etc/objects/kibana-objects.tgz differ diff --git a/etc/objects/kibana_export.json b/etc/objects/kibana_export.json deleted file mode 100644 index 47e3b1a6..00000000 --- a/etc/objects/kibana_export.json +++ /dev/null @@ -1,4813 +0,0 @@ -[ - { - "_id": "Dionaea-Transport", - "_type": "visualization", - "_source": { - "title": "Dionaea Transport", - "visState": "{\"title\":\"Dionaea Transport\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"connection.transport.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Dionaea-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "895645f0-6356-11e8-be86-73985bedf977", - "_type": "visualization", - "_source": { - "title": "Tanner Detection Type Pie - Top 10", - "visState": "{\"title\":\"Tanner Detection Type Pie - Top 10\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"response_msg.response.message.detection.name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "d800f130-633f-11e8-be86-73985bedf977", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "c1c8a3a0-6352-11e8-be86-73985bedf977", - "_type": "visualization", - "_source": { - "title": "Tanner HTTP Hostname Pie - Top 10", - "visState": "{\"title\":\"Tanner HTTP Hostname Pie - Top 10\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"headers.host.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "d800f130-633f-11e8-be86-73985bedf977", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "a6ccd530-6352-11e8-be86-73985bedf977", - "_type": "visualization", - "_source": { - "title": "Tanner HTTP User Agent Pie - Top 10", - "visState": "{\"title\":\"Tanner HTTP User Agent Pie - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"headers.user-agent.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "d800f130-633f-11e8-be86-73985bedf977", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "7c5959b0-4889-11e8-9b3d-f36e8d4f5cb2", - "_type": "visualization", - "_source": { - "title": "Heralding Password Tagcloud", - "visState": "{\"title\":\"Heralding Password Tagcloud\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":16,\"maxFontSize\":64,\"showLabel\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"password.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "c2bea500-47ca-11e8-a905-f74bbc7cbd2d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Cowrie-Version-Pie-Top-10", - "_type": "visualization", - "_source": { - "title": "Cowrie Version Pie - Top 10", - "visState": "{\"title\":\"Cowrie Version Pie - Top 10\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"shareYAxis\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"version.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Cowrie-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ConPot-Event-Type", - "_type": "visualization", - "_source": { - "title": "Conpot Event Type", - "visState": "{\"title\":\"Conpot Event Type\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"shareYAxis\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_type.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ConPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Cowrie-Input-Top-10", - "_type": "visualization", - "_source": { - "title": "Cowrie Input - Top 10", - "visState": "{\"title\":\"Cowrie Input - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"input.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command Line Input\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "Cowrie-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ConPot-Protocol", - "_type": "visualization", - "_source": { - "title": "Conpot Protocol", - "visState": "{\"title\":\"Conpot Protocol\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"data_type.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ConPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "a001a350-e85b-11e8-97df-bbc3de28ece0", - "_type": "visualization", - "_source": { - "title": "Glutton Payload Hex - Top 10", - "visState": "{\"title\":\"Glutton Payload Hex - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"payload_hex.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Payload Hex\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ConPot-Input-Top-10", - "_type": "visualization", - "_source": { - "title": "Conpot Input - Top 10", - "visState": "{\"title\":\"Conpot Input - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"request.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Input\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "ConPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "cb2a3a00-8b56-11e7-b92d-d39e43e3de0f", - "_type": "visualization", - "_source": { - "title": "Rdpy Password Tagcloud", - "visState": "{\"title\":\"Rdpy Password Tagcloud\",\"type\":\"tagcloud\",\"params\":{\"textScale\":\"linear\",\"orientations\":1,\"fromDegree\":\"0\",\"toDegree\":\"0\",\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"timeInterval\":\"500\",\"spiral\":\"rectangular\",\"minFontSize\":16,\"maxFontSize\":64,\"scale\":\"linear\",\"orientation\":\"single\",\"showLabel\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"password.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "aa750980-8ab5-11e7-8fef-33e989079c7d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Cowrie-Username-Tagcloud-Large", - "_type": "visualization", - "_source": { - "title": "Cowrie Username Tagcloud", - "visState": "{\"title\":\"Cowrie Username Tagcloud\",\"type\":\"tagcloud\",\"params\":{\"textScale\":\"sqrt\",\"orientations\":1,\"fromDegree\":\"0\",\"toDegree\":\"0\",\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"timeInterval\":\"500\",\"spiral\":\"rectangular\",\"minFontSize\":16,\"maxFontSize\":64,\"scale\":\"linear\",\"orientation\":\"single\",\"showLabel\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"username.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Cowrie-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Cowrie-Password-Tagcloud-Large", - "_type": "visualization", - "_source": { - "title": "Cowrie Password Tagcloud", - "visState": "{\"title\":\"Cowrie Password Tagcloud\",\"type\":\"tagcloud\",\"params\":{\"textScale\":\"sqrt\",\"orientations\":1,\"fromDegree\":0,\"toDegree\":0,\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"timeInterval\":500,\"spiral\":\"rectangular\",\"minFontSize\":16,\"maxFontSize\":64,\"scale\":\"linear\",\"orientation\":\"single\",\"showLabel\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"password.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}}", - "description": "", - "savedSearchId": "Cowrie-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "e624bc50-7dd6-11e7-bee2-c98307c16efa", - "_type": "visualization", - "_source": { - "title": "Suricata Alert Category Histogram", - "visState": "{\"title\":\"Suricata Alert Category Histogram\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Timestamp\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"alert.category.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Dionaea-Password-Tagcloud-Large", - "_type": "visualization", - "_source": { - "title": "Dionaea Password Tagcloud", - "visState": "{\"title\":\"Dionaea Password Tagcloud\",\"type\":\"tagcloud\",\"params\":{\"textScale\":\"sqrt\",\"orientations\":1,\"fromDegree\":0,\"toDegree\":0,\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"timeInterval\":500,\"spiral\":\"rectangular\",\"minFontSize\":16,\"maxFontSize\":64,\"scale\":\"linear\",\"orientation\":\"single\",\"showLabel\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"password.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Dionaea-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ConPot-Response-Top-10", - "_type": "visualization", - "_source": { - "title": "Conpot Response - Top 10", - "visState": "{\"title\":\"Conpot Response - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"response.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Response\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "ConPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Dionaea-Username-Tagcloud-Large", - "_type": "visualization", - "_source": { - "title": "Dionaea Username Tagcloud", - "visState": "{\"title\":\"Dionaea Username Tagcloud\",\"type\":\"tagcloud\",\"params\":{\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"fromDegree\":0,\"maxFontSize\":64,\"minFontSize\":16,\"orientations\":1,\"spiral\":\"rectangular\",\"textScale\":\"sqrt\",\"timeInterval\":500,\"toDegree\":0,\"scale\":\"linear\",\"orientation\":\"single\",\"showLabel\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"username.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Dionaea-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Dionaea-Type", - "_type": "visualization", - "_source": { - "title": "Dionaea Type", - "visState": "{\"title\":\"Dionaea Type\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"connection.type.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Dionaea-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "e9e534d0-6356-11e8-be86-73985bedf977", - "_type": "visualization", - "_source": { - "title": "Tanner URI - Top 10", - "visState": "{\"title\":\"Tanner URI - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"path.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "d800f130-633f-11e8-be86-73985bedf977", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ef227eb0-7e9d-11e7-a286-9f03beba6417", - "_type": "visualization", - "_source": { - "title": "Attacks by Honeypot Histogram", - "visState": "{\"title\":\"Attacks by Honeypot Histogram\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Timestamp\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"type.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeypot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "bf6f6000-8598-11e7-8f60-4f4666b0a88e", - "_type": "visualization", - "_source": { - "title": "Suricata Events Bar", - "visState": "{\"title\":\"Suricata Events Bar\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":90,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Suricata\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Events\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true},{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Events\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"type.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Suricata\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "762f66c0-7e9e-11e7-a286-9f03beba6417", - "_type": "visualization", - "_source": { - "title": "Honeypot Attacks Histogram", - "visState": "{\"title\":\"Honeypot Attacks Histogram\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Timestamp\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2},{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"3\",\"label\":\"Unique Source IPs\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Source IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeypot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "0d947000-7ebd-11e7-a286-9f03beba6417", - "_type": "visualization", - "_source": { - "title": "Attacks by Honeypot", - "visState": "{\"title\":\"Attacks by Honeypot\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"type.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeypot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "32814dd0-e851-11e8-97df-bbc3de28ece0", - "_type": "visualization", - "_source": { - "title": "Glutton Attacks Bar", - "visState": "{\"title\":\"Glutton Attacks Bar\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":90,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"Honeytrap\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true},{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"type.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "87428ba0-7e9d-11e7-a286-9f03beba6417", - "_type": "visualization", - "_source": { - "title": "Honeypot Attacks Bar", - "visState": "{\"title\":\"Honeypot Attacks Bar\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Honeypots\"},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"type.keyword\",\"size\":15,\"order\":\"asc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Honeypots\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeypot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ElasticPot-Query-Top-10", - "_type": "visualization", - "_source": { - "title": "ElasticPot Query - Top 10", - "visState": "{\"title\":\"ElasticPot Query - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"honeypot.query.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "ElasticPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "d01a6390-827e-11e7-afbf-a7491fba5d8a", - "_type": "visualization", - "_source": { - "title": "ElasticPot Attacks Bar", - "visState": "{\"title\":\"ElasticPot Attacks Bar\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":90,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"ElasticPot\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true},{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"type.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ElasticPot\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ElasticPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "6ee70b90-8374-11e7-9adb-2955c2136c8c", - "_type": "visualization", - "_source": { - "title": "Honeytrap Attacks Bar", - "visState": "{\"title\":\"Honeytrap Attacks Bar\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":90,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"Honeytrap\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true},{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"type.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeytrap-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "307afd60-82a9-11e7-bcbe-2b6958a9c888", - "_type": "visualization", - "_source": { - "title": "Glastopf Attacks Bar", - "visState": "{\"title\":\"Glastopf Attacks Bar\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":90,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"Glastopf\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true},{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"type.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Glastopf-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "62fde9a0-858d-11e7-a686-392ac617767d", - "_type": "visualization", - "_source": { - "title": "Conpot Attacks Bar", - "visState": "{\"title\":\"Conpot Attacks Bar\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":90,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"ConPot\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true},{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"type.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Conpot\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ConPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "b9343070-80e9-11e7-a689-67e589a14a8a", - "_type": "visualization", - "_source": { - "title": "Dionaea Attacks Bar", - "visState": "{\"title\":\"Dionaea Attacks Bar\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"Dionaea\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true},{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"type.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dionaea\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Dionaea-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "c1ef91c0-7dc2-11e7-8268-ed048f6272e0", - "_type": "visualization", - "_source": { - "title": "Cowrie Attacks Bar", - "visState": "{\"title\":\"Cowrie Attacks Bar\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"Cowrie\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true},{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"type.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Cowrie\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Cowrie-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "a51e9ae0-6350-11e8-be86-73985bedf977", - "_type": "visualization", - "_source": { - "title": "Tanner - Attacker Src IP Reputation", - "visState": "{\"title\":\"Tanner - Attacker Src IP Reputation\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ip_rep.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "d800f130-633f-11e8-be86-73985bedf977", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "cac48440-8b5f-11e7-b92d-d39e43e3de0f", - "_type": "visualization", - "_source": { - "title": "Mailoney - Attacker Src IP Reputation", - "visState": "{\"title\":\"Mailoney - Attacker Src IP Reputation\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ip_rep.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "9c35dd90-6977-11e7-9c11-8d9c11943fa0", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "d77bbba0-4ad5-11e8-ab1b-fdef76c312f4", - "_type": "visualization", - "_source": { - "title": "Ciscoasa - Attacker Src IP Reputation", - "visState": "{\"title\":\"Ciscoasa - Attacker Src IP Reputation\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ip_rep.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "2934abc0-4ad4-11e8-ab1b-fdef76c312f4", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "NGINX-HTTP-User-Agent-Pie-Top-10", - "_type": "visualization", - "_source": { - "title": "NGINX HTTP User Agent Pie - Top 10", - "visState": "{\"title\":\"NGINX HTTP User Agent Pie - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http_user_agent.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "NGINX-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "NGINX-Events-by-Country-Histogram", - "_type": "visualization", - "_source": { - "title": "NGINX Events by Country Histogram", - "visState": "{\"title\":\"NGINX Events by Country Histogram\",\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "NGINX-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Suricata-Fileinfo-Magic-Top-10", - "_type": "visualization", - "_source": { - "title": "Suricata Fileinfo Magic - Top 10", - "visState": "{\"title\":\"Suricata Fileinfo Magic - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"fileinfo.magic.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "NGINX-Countries-Top-10", - "_type": "visualization", - "_source": { - "title": "NGINX Countries - Top 10", - "visState": "{\"title\":\"NGINX Countries - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "NGINX-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "P0f-OS-Top-10", - "_type": "visualization", - "_source": { - "title": "P0f OS Distribution", - "visState": "{\"title\":\"P0f OS Distribution\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"os.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "P0f-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Suricata-Source-IP-Top-10", - "_type": "visualization", - "_source": { - "title": "Suricata Source IP - Top 10", - "visState": "{\"title\":\"Suricata Source IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "NGINX-Source-IP-Top-10", - "_type": "visualization", - "_source": { - "title": "NGINX Source IP - Top 10", - "visState": "{\"title\":\"NGINX Source IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "NGINX-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Suricata-Events-Histogram", - "_type": "visualization", - "_source": { - "title": "Suricata Events Histogram", - "visState": "{\"title\":\"Suricata Events Histogram\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Events\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Events\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "NGINX-Username-Tagcloud", - "_type": "visualization", - "_source": { - "title": "NGINX Username Tagcloud", - "visState": "{\"title\":\"NGINX Username Tagcloud\",\"type\":\"tagcloud\",\"params\":{\"textScale\":\"linear\",\"orientations\":1,\"fromDegree\":0,\"toDegree\":0,\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"timeInterval\":500,\"spiral\":\"rectangular\",\"minFontSize\":16,\"maxFontSize\":64,\"scale\":\"linear\",\"orientation\":\"single\",\"showLabel\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"remote_user.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "NGINX-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "2fc62270-e872-11e8-a876-6bccfb9086f2", - "_type": "visualization", - "_source": { - "title": "Medpot Data - Top 10", - "visState": "{\"title\":\"Medpot Data - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"data.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Data\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "baa53b00-b597-11e8-9a34-d951cebce834", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "NGINX-HTTP-Status-Code-Pie-Top-10", - "_type": "visualization", - "_source": { - "title": "NGINX HTTP Status Code Pie - Top 10", - "visState": "{\"title\":\"NGINX HTTP Status Code Pie - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"status\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "NGINX-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "NGINX-HTTP-Method-Pie-Top-10", - "_type": "visualization", - "_source": { - "title": "NGINX HTTP Method Pie - Top 10", - "visState": "{\"title\":\"NGINX HTTP Method Pie - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"request_method.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "NGINX-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Suricata-SSH-Client-Software-Version-Pie-Top-10", - "_type": "visualization", - "_source": { - "title": "Suricata SSH Client Software Version Pie - Top 10", - "visState": "{\"title\":\"Suricata SSH Client Software Version Pie - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssh.client.software_version.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Suricata-HTTP-User-Agent-Pie-Top-10", - "_type": "visualization", - "_source": { - "title": "Suricata HTTP User Agent Pie - Top 10", - "visState": "{\"title\":\"Suricata HTTP User Agent Pie - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.http_user_agent.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "885928c0-7ebe-11e7-a286-9f03beba6417", - "_type": "visualization", - "_source": { - "title": "Attacks by Country Histogram", - "visState": "{\"title\":\"Attacks by Country Histogram\",\"type\":\"area\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Timestamp\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeypot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Suricata-HTTP-Method-Pie-Top-10", - "_type": "visualization", - "_source": { - "title": "Suricata HTTP Method Pie - Top 10", - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"http.http_method.keyword\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"shareYAxis\":true},\"title\":\"Suricata HTTP Method Pie - Top 10\",\"type\":\"pie\"}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Suricata-Alert-Signature-Top-10", - "_type": "visualization", - "_source": { - "title": "Suricata Alert Signature - Top 10", - "visState": "{\"title\":\"Suricata Alert Signature - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.signature_id\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"ID\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.signature.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Suricata-HTTP-Hostname-Pie-Top-10", - "_type": "visualization", - "_source": { - "title": "Suricata HTTP Hostname Pie - Top 10", - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"http.hostname.keyword\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"shareYAxis\":true},\"title\":\"Suricata HTTP Hostname Pie - Top 10\",\"type\":\"pie\"}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "NGINX", - "_type": "dashboard", - "_source": { - "title": "NGINX", - "hits": 0, - "description": "NGINX Dashboard", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":6,\"w\":24,\"h\":11,\"i\":\"2\"},\"id\":\"NGINX-Events-Histogram\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":12,\"y\":28,\"w\":12,\"h\":11,\"i\":\"3\"},\"id\":\"NGINX-HTTP-Method-Pie-Top-10\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":24,\"y\":28,\"w\":12,\"h\":11,\"i\":\"4\"},\"id\":\"NGINX-HTTP-Status-Code-Pie-Top-10\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":36,\"y\":28,\"w\":12,\"h\":11,\"i\":\"5\"},\"id\":\"NGINX-HTTP-User-Agent-Pie-Top-10\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":17,\"w\":16,\"h\":11,\"i\":\"6\"},\"id\":\"NGINX-Username-Tagcloud\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":39,\"w\":24,\"h\":20,\"i\":\"7\"},\"id\":\"NGINX-ASN-Top-10\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":24,\"y\":39,\"w\":24,\"h\":20,\"i\":\"8\"},\"id\":\"NGINX-Source-IP-Top-10\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"mapCenter\":[30.14512718337613,-0.87890625],\"mapZoom\":2},\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":17,\"i\":\"9\"},\"id\":\"NGINX-Map\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":32,\"y\":17,\"w\":16,\"h\":11,\"i\":\"13\"},\"id\":\"NGINX-Events-by-Country-Histogram\",\"panelIndex\":\"13\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":28,\"w\":12,\"h\":11,\"i\":\"14\"},\"id\":\"NGINX-Countries-Top-10\",\"panelIndex\":\"14\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":6,\"i\":\"15\"},\"id\":\"51ca6ee0-80d5-11e7-ab37-eb92b1bfb573\",\"panelIndex\":\"15\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":16,\"y\":17,\"w\":16,\"h\":11,\"i\":\"16\"},\"id\":\"7dcaa2b0-8596-11e7-a686-392ac617767d\",\"panelIndex\":\"16\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":14,\"y\":0,\"w\":10,\"h\":6,\"i\":\"17\"},\"version\":\"6.4.3\",\"panelIndex\":\"17\",\"type\":\"visualization\",\"id\":\"07581df0-e752-11e8-b4a6-215b0b97c069\",\"embeddableConfig\":{}}]", - "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Suricata", - "_type": "dashboard", - "_source": { - "title": "Suricata", - "hits": 0, - "description": "Suricata Dashboard", - "panelsJSON": "[{\"gridData\":{\"h\":11,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":6},\"id\":\"Suricata-Events-Histogram\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"9\",\"w\":12,\"x\":36,\"y\":28},\"id\":\"Suricata-Countries-Top-10\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"12\",\"w\":12,\"x\":0,\"y\":39},\"id\":\"Suricata-Fileinfo-Magic-Top-10\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"14\",\"w\":12,\"x\":24,\"y\":28},\"id\":\"Suricata-HTTP-Content-Type-Top-10\",\"panelIndex\":\"14\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"15\",\"w\":12,\"x\":12,\"y\":28},\"id\":\"Suricata-HTTP-Hostname-Pie-Top-10\",\"panelIndex\":\"15\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"16\",\"w\":12,\"x\":24,\"y\":39},\"id\":\"Suricata-HTTP-Method-Pie-Top-10\",\"panelIndex\":\"16\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"18\",\"w\":12,\"x\":12,\"y\":39},\"id\":\"Suricata-HTTP-User-Agent-Pie-Top-10\",\"panelIndex\":\"18\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"19\",\"w\":12,\"x\":36,\"y\":39},\"id\":\"Suricata-SSH-Client-Software-Version-Pie-Top-10\",\"panelIndex\":\"19\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"22\",\"w\":16,\"x\":32,\"y\":17},\"id\":\"Suricata-Events-by-Country-Histogram\",\"panelIndex\":\"22\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"mapCenter\":[28.613459424004414,-3.33984375],\"mapZoom\":2},\"gridData\":{\"h\":17,\"i\":\"23\",\"w\":24,\"x\":24,\"y\":0},\"id\":\"Suricata-Map\",\"panelIndex\":\"23\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"24\",\"w\":8,\"x\":12,\"y\":50},\"id\":\"Suricata-Source-IP-Top-10\",\"panelIndex\":\"24\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"25\",\"w\":12,\"x\":0,\"y\":50},\"id\":\"Suricata-ASN-Top-10\",\"panelIndex\":\"25\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"26\",\"w\":20,\"x\":28,\"y\":50},\"id\":\"Suricata-Alert-Signature-Top-10\",\"panelIndex\":\"26\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"27\",\"w\":16,\"x\":0,\"y\":17},\"id\":\"e624bc50-7dd6-11e7-bee2-c98307c16efa\",\"panelIndex\":\"27\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":6,\"i\":\"28\",\"w\":14,\"x\":0,\"y\":0},\"id\":\"bf6f6000-8598-11e7-8f60-4f4666b0a88e\",\"panelIndex\":\"28\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"29\",\"w\":16,\"x\":16,\"y\":17},\"id\":\"0e230290-859b-11e7-8f60-4f4666b0a88e\",\"panelIndex\":\"29\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"30\",\"w\":12,\"x\":0,\"y\":28},\"id\":\"b1a7f8d0-859b-11e7-8f60-4f4666b0a88e\",\"panelIndex\":\"30\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"31\",\"w\":8,\"x\":20,\"y\":50},\"id\":\"1a097850-7c22-11e7-aa1e-6bf93670d67b\",\"panelIndex\":\"31\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"32\",\"w\":10,\"x\":14,\"y\":0},\"id\":\"4a60fe20-e75f-11e8-803c-59c072645505\",\"panelIndex\":\"32\",\"type\":\"visualization\",\"version\":\"6.4.3\"}]", - "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "14ebefd0-488f-11e8-9b3d-f36e8d4f5cb2", - "_type": "dashboard", - "_source": { - "title": "Heralding", - "hits": 0, - "description": "Heralding Dashboard", - "panelsJSON": "[{\"gridData\":{\"h\":6,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"id\":\"2cf90930-47d3-11e8-a905-f74bbc7cbd2d\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":6},\"id\":\"d3bb9bd0-4863-11e8-9b3d-f36e8d4f5cb2\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":17},\"id\":\"d0dbe890-4870-11e8-9b3d-f36e8d4f5cb2\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"mapCenter\":[25.799891182088334,16.875000000000004],\"mapZoom\":2},\"gridData\":{\"h\":17,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":0},\"id\":\"94ae10e0-4871-11e8-9b3d-f36e8d4f5cb2\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":17},\"id\":\"29f51af0-4876-11e8-9b3d-f36e8d4f5cb2\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"6\",\"w\":16,\"x\":0,\"y\":28},\"id\":\"eca8e580-4877-11e8-9b3d-f36e8d4f5cb2\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"7\",\"w\":16,\"x\":16,\"y\":28},\"id\":\"e1969e20-4878-11e8-9b3d-f36e8d4f5cb2\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"8\",\"w\":16,\"x\":32,\"y\":28},\"id\":\"864b2f30-4883-11e8-9b3d-f36e8d4f5cb2\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":16,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":39},\"id\":\"7c5959b0-4889-11e8-9b3d-f36e8d4f5cb2\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":16,\"i\":\"11\",\"w\":24,\"x\":0,\"y\":39},\"id\":\"1268af10-4889-11e8-9b3d-f36e8d4f5cb2\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":12,\"x\":0,\"y\":55},\"id\":\"21ad1c80-488a-11e8-9b3d-f36e8d4f5cb2\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":20,\"i\":\"13\",\"w\":12,\"x\":12,\"y\":55},\"id\":\"844f33f0-488a-11e8-9b3d-f36e8d4f5cb2\",\"panelIndex\":\"13\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":20,\"i\":\"14\",\"w\":24,\"x\":24,\"y\":55},\"id\":\"124a1140-488e-11e8-9b3d-f36e8d4f5cb2\",\"panelIndex\":\"14\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"15\",\"w\":10,\"x\":14,\"y\":0},\"id\":\"d500a3c0-e6b8-11e8-b727-735f5b0e1502\",\"panelIndex\":\"15\",\"type\":\"visualization\",\"version\":\"6.4.3\"}]", - "optionsJSON": "{\"darkTheme\":true,\"hidePanelTitles\":false,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Dionaea", - "_type": "dashboard", - "_source": { - "title": "Dionaea", - "hits": 0, - "description": "Dionaea Dashboard", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":6,\"w\":24,\"h\":11,\"i\":\"2\"},\"id\":\"Dionaea-Events-Histogram\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":22,\"y\":28,\"w\":11,\"h\":11,\"i\":\"3\"},\"id\":\"Dionaea-Destination-Ports-Top-10\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":11,\"y\":17,\"w\":11,\"h\":11,\"i\":\"4\"},\"id\":\"Dionaea-Protocol\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":24,\"y\":39,\"w\":24,\"h\":13,\"i\":\"8\"},\"id\":\"Dionaea-Password-Tagcloud-Large\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":33,\"y\":17,\"w\":15,\"h\":11,\"i\":\"10\"},\"id\":\"Dionaea-Events-by-Country-Histogram\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"mapCenter\":[26.073274367159797,8.357599969021976],\"mapZoom\":2},\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":17,\"i\":\"11\"},\"id\":\"Dionaea-Map\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":52,\"w\":24,\"h\":20,\"i\":\"12\"},\"id\":\"Dionaea-ASN-Top-10\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":24,\"y\":52,\"w\":24,\"h\":20,\"i\":\"13\"},\"id\":\"Dionaea-Source-IP-Top-10\",\"panelIndex\":\"13\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":6,\"i\":\"14\"},\"id\":\"b9343070-80e9-11e7-a689-67e589a14a8a\",\"panelIndex\":\"14\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":17,\"w\":11,\"h\":11,\"i\":\"15\"},\"id\":\"cf8d0e40-80ea-11e7-a689-67e589a14a8a\",\"panelIndex\":\"15\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":22,\"y\":17,\"w\":11,\"h\":11,\"i\":\"16\"},\"id\":\"Dionaea-Countries-Top-10\",\"panelIndex\":\"16\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":28,\"w\":11,\"h\":11,\"i\":\"17\"},\"id\":\"Dionaea-Type\",\"panelIndex\":\"17\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":11,\"y\":28,\"w\":11,\"h\":11,\"i\":\"18\"},\"id\":\"Dionaea-Transport\",\"panelIndex\":\"18\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":33,\"y\":28,\"w\":15,\"h\":11,\"i\":\"19\"},\"id\":\"7e33e3d0-810c-11e7-8413-9fe5e30ade77\",\"panelIndex\":\"19\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":14,\"y\":0,\"w\":10,\"h\":6,\"i\":\"20\"},\"id\":\"465d9810-e5cf-11e8-b72a-b734d2b55cd4\",\"panelIndex\":\"20\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":39,\"w\":24,\"h\":13,\"i\":\"21\"},\"id\":\"Dionaea-Username-Tagcloud-Large\",\"panelIndex\":\"21\",\"type\":\"visualization\",\"version\":\"6.4.3\"}]", - "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ElasticPot", - "_type": "dashboard", - "_source": { - "title": "ElasticPot", - "hits": 0, - "description": "ElasticPot Dashboard", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":6,\"w\":24,\"h\":11,\"i\":\"2\"},\"id\":\"ElasticPot-Events-Histogram\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":12,\"y\":17,\"w\":12,\"h\":11,\"i\":\"3\"},\"id\":\"ElasticPot-Countries-Top-10\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":24,\"y\":17,\"w\":24,\"h\":11,\"i\":\"4\"},\"id\":\"ElasticPot-Events-by-Country-Histogram\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"mapCenter\":[28.92163128242129,1.7578125000000002],\"mapZoom\":2},\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":17,\"i\":\"5\"},\"id\":\"ElasticPot-Map\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}}}},\"gridData\":{\"x\":16,\"y\":28,\"w\":12,\"h\":20,\"i\":\"6\"},\"id\":\"ElasticPot-Source-IP-Top-10\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":28,\"w\":16,\"h\":20,\"i\":\"7\"},\"id\":\"ElasticPot-ASN-Top-10\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":28,\"y\":28,\"w\":20,\"h\":20,\"i\":\"9\"},\"id\":\"ElasticPot-Query-Top-10\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":6,\"i\":\"10\"},\"id\":\"d01a6390-827e-11e7-afbf-a7491fba5d8a\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":17,\"w\":12,\"h\":11,\"i\":\"11\"},\"id\":\"59b9dd60-827f-11e7-afbf-a7491fba5d8a\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":14,\"y\":0,\"w\":10,\"h\":6,\"i\":\"12\"},\"id\":\"3814c570-e68e-11e8-b727-735f5b0e1502\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.4.3\"}]", - "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "83b11b50-e850-11e8-97df-bbc3de28ece0", - "_type": "dashboard", - "_source": { - "title": "Glutton", - "hits": 0, - "description": "Glutton Dashboard", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"x\":30,\"y\":17,\"w\":18,\"h\":11,\"i\":\"16\"},\"id\":\"e055e240-e851-11e8-97df-bbc3de28ece0\",\"panelIndex\":\"16\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":12,\"y\":39,\"w\":36,\"h\":11,\"i\":\"17\"},\"id\":\"133801c0-e852-11e8-97df-bbc3de28ece0\",\"panelIndex\":\"17\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":6,\"w\":24,\"h\":11,\"i\":\"18\"},\"id\":\"50aa1940-e851-11e8-97df-bbc3de28ece0\",\"panelIndex\":\"18\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":12,\"y\":17,\"w\":18,\"h\":11,\"i\":\"19\"},\"id\":\"9d251bd0-e851-11e8-97df-bbc3de28ece0\",\"panelIndex\":\"19\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":6,\"i\":\"20\"},\"id\":\"32814dd0-e851-11e8-97df-bbc3de28ece0\",\"panelIndex\":\"20\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"mapCenter\":[29.53522956294847,-3.1640625000000004],\"mapZoom\":2},\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":17,\"i\":\"21\"},\"id\":\"63d0bf60-e851-11e8-97df-bbc3de28ece0\",\"panelIndex\":\"21\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":14,\"y\":0,\"w\":10,\"h\":6,\"i\":\"22\"},\"id\":\"3f646820-e851-11e8-97df-bbc3de28ece0\",\"panelIndex\":\"22\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":28,\"w\":12,\"h\":11,\"i\":\"23\"},\"id\":\"f66b9200-e851-11e8-97df-bbc3de28ece0\",\"panelIndex\":\"23\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":36,\"y\":28,\"w\":12,\"h\":11,\"i\":\"24\"},\"id\":\"0464b030-e852-11e8-97df-bbc3de28ece0\",\"panelIndex\":\"24\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":17,\"w\":12,\"h\":11,\"i\":\"25\"},\"id\":\"7e6121d0-e851-11e8-97df-bbc3de28ece0\",\"panelIndex\":\"25\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":50,\"w\":12,\"h\":20,\"i\":\"26\"},\"id\":\"21c65b10-e852-11e8-97df-bbc3de28ece0\",\"panelIndex\":\"26\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":12,\"y\":50,\"w\":12,\"h\":20,\"i\":\"27\"},\"id\":\"41d04290-e852-11e8-97df-bbc3de28ece0\",\"panelIndex\":\"27\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":12,\"y\":28,\"w\":12,\"h\":11,\"i\":\"28\"},\"id\":\"7e9a7d20-e858-11e8-97df-bbc3de28ece0\",\"panelIndex\":\"28\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":28,\"w\":12,\"h\":11,\"i\":\"29\"},\"id\":\"f4444100-e858-11e8-97df-bbc3de28ece0\",\"panelIndex\":\"29\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":39,\"w\":12,\"h\":11,\"i\":\"30\"},\"id\":\"160f9cb0-e85b-11e8-97df-bbc3de28ece0\",\"panelIndex\":\"30\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":70,\"w\":48,\"h\":20,\"i\":\"31\"},\"id\":\"a001a350-e85b-11e8-97df-bbc3de28ece0\",\"panelIndex\":\"31\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":24,\"y\":50,\"w\":24,\"h\":20,\"i\":\"32\"},\"version\":\"6.4.3\",\"panelIndex\":\"32\",\"type\":\"visualization\",\"id\":\"c80e9ff0-e866-11e8-95af-236f09a02fdb\",\"embeddableConfig\":{}}]", - "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Glastopf", - "_type": "dashboard", - "_source": { - "title": "Glastopf", - "hits": 0, - "description": "Glastopf Dashboard", - "panelsJSON": "[{\"gridData\":{\"h\":11,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":6},\"id\":\"Glastopf-Events-Histogram\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"3\",\"w\":16,\"x\":16,\"y\":17},\"id\":\"Glastopf-Countries-Top-10\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"mapCenter\":[27.994401411046148,-6.679687500000001],\"mapZoom\":2},\"gridData\":{\"h\":17,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":0},\"id\":\"Glastopf-Map\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":28},\"id\":\"Glastop-Source-IP-Top-10\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":28},\"id\":\"Glastopf-ASN-Top-10\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"9\",\"w\":16,\"x\":32,\"y\":17},\"id\":\"Glastopf-Events-by-Country-Histogram\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":6,\"i\":\"10\",\"w\":14,\"x\":0,\"y\":0},\"id\":\"307afd60-82a9-11e7-bcbe-2b6958a9c888\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"11\",\"w\":16,\"x\":0,\"y\":17},\"id\":\"59509e90-8590-11e7-a686-392ac617767d\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"12\",\"w\":10,\"x\":14,\"y\":0},\"id\":\"409907c0-e6b5-11e8-b727-735f5b0e1502\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.4.3\"}]", - "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "faeb1340-6355-11e8-be86-73985bedf977", - "_type": "dashboard", - "_source": { - "title": "Tanner", - "hits": 0, - "description": "Tanner Dashboard", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":50,\"w\":12,\"h\":20,\"i\":\"1\"},\"id\":\"06628c70-6352-11e8-be86-73985bedf977\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"mapCenter\":[36.03133177633189,4.218750000000001],\"mapZoom\":2},\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":17,\"i\":\"2\"},\"id\":\"f8e24f20-634e-11e8-be86-73985bedf977\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":12,\"y\":17,\"w\":12,\"h\":11,\"i\":\"3\"},\"id\":\"d968d5e0-6350-11e8-be86-73985bedf977\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":6,\"i\":\"4\"},\"id\":\"5014cee0-634e-11e8-be86-73985bedf977\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":6,\"w\":24,\"h\":11,\"i\":\"5\"},\"id\":\"77bf1310-634e-11e8-be86-73985bedf977\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":24,\"y\":17,\"w\":24,\"h\":11,\"i\":\"6\"},\"id\":\"6ee57da0-634f-11e8-be86-73985bedf977\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":28,\"w\":16,\"h\":11,\"i\":\"7\"},\"id\":\"c1c8a3a0-6352-11e8-be86-73985bedf977\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":32,\"y\":39,\"w\":16,\"h\":11,\"i\":\"8\"},\"id\":\"946dc4d0-6352-11e8-be86-73985bedf977\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":16,\"y\":39,\"w\":16,\"h\":11,\"i\":\"9\"},\"id\":\"a6ccd530-6352-11e8-be86-73985bedf977\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":12,\"y\":50,\"w\":12,\"h\":20,\"i\":\"10\"},\"id\":\"Cowrie-Source-IP-Top-10\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":17,\"w\":12,\"h\":11,\"i\":\"11\"},\"id\":\"a51e9ae0-6350-11e8-be86-73985bedf977\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":32,\"y\":28,\"w\":16,\"h\":11,\"i\":\"12\"},\"id\":\"895645f0-6356-11e8-be86-73985bedf977\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":24,\"y\":50,\"w\":24,\"h\":20,\"i\":\"13\"},\"id\":\"e9e534d0-6356-11e8-be86-73985bedf977\",\"panelIndex\":\"13\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":39,\"w\":16,\"h\":11,\"i\":\"14\"},\"id\":\"87cf3b50-6357-11e8-be86-73985bedf977\",\"panelIndex\":\"14\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":16,\"y\":28,\"w\":16,\"h\":11,\"i\":\"15\"},\"id\":\"656df650-6357-11e8-be86-73985bedf977\",\"panelIndex\":\"15\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":14,\"y\":0,\"w\":10,\"h\":6,\"i\":\"16\"},\"version\":\"6.4.3\",\"panelIndex\":\"16\",\"type\":\"visualization\",\"id\":\"535b0c80-e761-11e8-803c-59c072645505\",\"embeddableConfig\":{}}]", - "optionsJSON": "{\"darkTheme\":true,\"hidePanelTitles\":false,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ConPot", - "_type": "dashboard", - "_source": { - "title": "Conpot", - "hits": 0, - "description": "Conpot Dashboard", - "panelsJSON": "[{\"gridData\":{\"h\":11,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":6},\"id\":\"ConPot-Events-Histogram\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"3\",\"w\":12,\"x\":12,\"y\":17},\"id\":\"ConPot-Countries-Top-10\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":28},\"id\":\"ConPot-Event-Type\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"5\",\"w\":12,\"x\":12,\"y\":28},\"id\":\"ConPot-Protocol\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":17},\"id\":\"ConPot-Events-by-Country-Histogram\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":21,\"i\":\"7\",\"w\":12,\"x\":24,\"y\":39},\"id\":\"ConPot-Input-Top-10\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":21,\"i\":\"8\",\"w\":12,\"x\":36,\"y\":39},\"id\":\"ConPot-Response-Top-10\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":21,\"i\":\"11\",\"w\":12,\"x\":0,\"y\":39},\"id\":\"ConPot-ASN-Top-10\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"14\",\"w\":12,\"x\":0,\"y\":17},\"id\":\"ffb284f0-80cd-11e7-ab37-eb92b1bfb573\",\"panelIndex\":\"14\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":21,\"i\":\"15\",\"w\":12,\"x\":12,\"y\":39},\"id\":\"082111a0-80cf-11e7-ab37-eb92b1bfb573\",\"panelIndex\":\"15\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":6,\"i\":\"16\",\"w\":13,\"x\":0,\"y\":0},\"id\":\"62fde9a0-858d-11e7-a686-392ac617767d\",\"panelIndex\":\"16\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"mapCenter\":[35.746512259918504,-16.171875000000004],\"mapZoom\":2},\"gridData\":{\"h\":17,\"i\":\"17\",\"w\":24,\"x\":24,\"y\":0},\"id\":\"ConPot-Map\",\"panelIndex\":\"17\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"18\",\"w\":11,\"x\":13,\"y\":0},\"id\":\"10e765a0-e51e-11e8-8a75-d5f374dbaebe\",\"panelIndex\":\"18\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"19\",\"w\":24,\"x\":24,\"y\":28},\"id\":\"a427e6c0-e521-11e8-8a75-d5f374dbaebe\",\"panelIndex\":\"19\",\"type\":\"visualization\",\"version\":\"6.4.3\"}]", - "optionsJSON": "{\"darkTheme\":true,\"hidePanelTitles\":false,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Cowrie", - "_type": "dashboard", - "_source": { - "title": "Cowrie", - "hits": 0, - "description": "Cowrie Dashboard", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":0,\"y\":6,\"w\":24,\"h\":11,\"i\":\"22\"},\"id\":\"Cowrie-Events-Histogram\",\"panelIndex\":\"22\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":24,\"y\":28,\"w\":12,\"h\":11,\"i\":\"28\"},\"id\":\"Cowrie-Countries-Top-10\",\"panelIndex\":\"28\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":32,\"y\":17,\"w\":16,\"h\":11,\"i\":\"29\"},\"id\":\"Cowrie-Events-by-Country-Histogram\",\"panelIndex\":\"29\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":12,\"y\":28,\"w\":12,\"h\":11,\"i\":\"31\"},\"id\":\"Cowrie-Version-Pie-Top-10\",\"panelIndex\":\"31\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":39,\"w\":24,\"h\":16,\"i\":\"34\"},\"id\":\"Cowrie-Username-Tagcloud-Large\",\"panelIndex\":\"34\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":24,\"y\":39,\"w\":24,\"h\":16,\"i\":\"35\"},\"id\":\"Cowrie-Password-Tagcloud-Large\",\"panelIndex\":\"35\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"mapCenter\":[24.84656534821976,6.855468750000001],\"mapZoom\":2},\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":17,\"i\":\"36\"},\"id\":\"Cowrie-Map\",\"panelIndex\":\"36\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":24,\"y\":55,\"w\":24,\"h\":20,\"i\":\"37\"},\"id\":\"Cowrie-Input-Top-10\",\"panelIndex\":\"37\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":55,\"w\":16,\"h\":20,\"i\":\"39\"},\"id\":\"Cowrie-ASN-Top-10\",\"panelIndex\":\"39\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":36,\"y\":28,\"w\":12,\"h\":11,\"i\":\"43\"},\"id\":\"Cowrie-Ports-Pie\",\"panelIndex\":\"43\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":6,\"i\":\"44\"},\"id\":\"c1ef91c0-7dc2-11e7-8268-ed048f6272e0\",\"panelIndex\":\"44\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":28,\"w\":12,\"h\":11,\"i\":\"45\"},\"id\":\"bf39e000-80d5-11e7-ba6f-4542711dd148\",\"panelIndex\":\"45\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":0,\"y\":17,\"w\":16,\"h\":11,\"i\":\"46\"},\"id\":\"f28b8c60-80e4-11e7-ba6f-4542711dd148\",\"panelIndex\":\"46\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":16,\"y\":17,\"w\":16,\"h\":11,\"i\":\"47\"},\"id\":\"2a6803f0-80e7-11e7-a689-67e589a14a8a\",\"panelIndex\":\"47\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":14,\"y\":0,\"w\":10,\"h\":6,\"i\":\"48\"},\"id\":\"45e32dc0-dec5-11e8-87cf-239397d2b8d3\",\"panelIndex\":\"48\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":16,\"y\":55,\"w\":8,\"h\":20,\"i\":\"49\"},\"version\":\"6.4.3\",\"panelIndex\":\"49\",\"type\":\"visualization\",\"id\":\"48d3dad0-e725-11e8-b4a6-215b0b97c069\",\"embeddableConfig\":{}}]", - "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Honeytrap", - "_type": "dashboard", - "_source": { - "title": "Honeytrap", - "hits": 0, - "description": "Honeytrap Dashboard", - "panelsJSON": "[{\"gridData\":{\"h\":11,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":6},\"id\":\"Honeytrap-Events-Histogram\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"5\",\"w\":12,\"x\":12,\"y\":28},\"id\":\"Honeytrap-Countries-Top-10\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"6\",\"w\":18,\"x\":30,\"y\":17},\"id\":\"Honeytrap-Events-by-Country-Histogram\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"7\",\"w\":12,\"x\":0,\"y\":17},\"id\":\"Honeytrap-Destination-Ports-Top-10\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"mapCenter\":[28.613459424004414,-3.69140625],\"mapZoom\":2},\"gridData\":{\"h\":17,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":0},\"id\":\"Honeytrap-Map\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"9\",\"w\":24,\"x\":24,\"y\":39},\"id\":\"Honeytrap-Source-IP-Top-10\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"10\",\"w\":24,\"x\":0,\"y\":39},\"id\":\"Honeytrap-ASN-Top-10\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":6,\"i\":\"11\",\"w\":14,\"x\":0,\"y\":0},\"id\":\"6ee70b90-8374-11e7-9adb-2955c2136c8c\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"12\",\"w\":18,\"x\":12,\"y\":17},\"id\":\"ec53e470-8376-11e7-9adb-2955c2136c8c\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"13\",\"w\":12,\"x\":0,\"y\":28},\"id\":\"576a3cb0-82ae-11e7-bcbe-2b6958a9c888\",\"panelIndex\":\"13\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 450\":\"rgb(255,255,204)\",\"1350 - 1800\":\"rgb(254,201,101)\",\"1800 - 2250\":\"rgb(254,171,73)\",\"2250 - 2700\":\"rgb(253,141,60)\",\"2700 - 3150\":\"rgb(252,91,46)\",\"3150 - 3600\":\"rgb(237,47,34)\",\"3600 - 4050\":\"rgb(212,16,32)\",\"4050 - 4500\":\"rgb(176,0,38)\",\"450 - 900\":\"rgb(255,241,170)\",\"900 - 1350\":\"rgb(254,225,135)\"}}},\"gridData\":{\"h\":11,\"i\":\"14\",\"w\":24,\"x\":24,\"y\":28},\"id\":\"4e2887d0-8379-11e7-97dc-15d31af3c77f\",\"panelIndex\":\"14\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"15\",\"w\":10,\"x\":14,\"y\":0},\"id\":\"f5e74220-e725-11e8-b4a6-215b0b97c069\",\"panelIndex\":\"15\",\"type\":\"visualization\",\"version\":\"6.4.3\"}]", - "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "48f595c0-e7f8-11e8-9ac4-13ecd4ad8d70", - "_type": "dashboard", - "_source": { - "title": "Medpot", - "hits": 0, - "description": "Medpot Dashboard", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":6,\"i\":\"13\"},\"id\":\"65fdfd10-e7f8-11e8-9ac4-13ecd4ad8d70\",\"panelIndex\":\"13\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":14,\"y\":0,\"w\":10,\"h\":6,\"i\":\"14\"},\"id\":\"17130490-e7fb-11e8-9ac4-13ecd4ad8d70\",\"panelIndex\":\"14\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":6,\"w\":24,\"h\":11,\"i\":\"15\"},\"id\":\"554c9550-e7fb-11e8-9ac4-13ecd4ad8d70\",\"panelIndex\":\"15\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"mapCenter\":[32.84267363195431,-5.273437500000001],\"mapZoom\":2},\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":17,\"i\":\"16\"},\"id\":\"a81cba70-e7fc-11e8-9ac4-13ecd4ad8d70\",\"panelIndex\":\"16\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":17,\"w\":12,\"h\":11,\"i\":\"17\"},\"id\":\"099c23d0-e7fd-11e8-9ac4-13ecd4ad8d70\",\"panelIndex\":\"17\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":12,\"y\":17,\"w\":12,\"h\":11,\"i\":\"18\"},\"id\":\"15b696f0-e7fd-11e8-9ac4-13ecd4ad8d70\",\"panelIndex\":\"18\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":17,\"w\":24,\"h\":11,\"i\":\"19\"},\"id\":\"490b4e60-e7fd-11e8-9ac4-13ecd4ad8d70\",\"panelIndex\":\"19\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":28,\"w\":12,\"h\":20,\"i\":\"20\"},\"id\":\"5b69e990-e7fd-11e8-9ac4-13ecd4ad8d70\",\"panelIndex\":\"20\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":12,\"y\":28,\"w\":12,\"h\":20,\"i\":\"21\"},\"id\":\"e3f00420-e7fd-11e8-9ac4-13ecd4ad8d70\",\"panelIndex\":\"21\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":24,\"y\":28,\"w\":24,\"h\":20,\"i\":\"22\"},\"version\":\"6.4.3\",\"panelIndex\":\"22\",\"type\":\"visualization\",\"id\":\"2fc62270-e872-11e8-a876-6bccfb9086f2\",\"embeddableConfig\":{}}]", - "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "dd95c950-8b5d-11e7-ba35-0d8832ac304f", - "_type": "dashboard", - "_source": { - "title": "Mailoney", - "hits": 0, - "description": "Mailoney Dashboard", - "panelsJSON": "[{\"gridData\":{\"h\":6,\"i\":\"10\",\"w\":14,\"x\":0,\"y\":0},\"id\":\"5234de80-8b5f-11e7-b92d-d39e43e3de0f\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"11\",\"w\":24,\"x\":0,\"y\":6},\"id\":\"63672eb0-8b5f-11e7-b92d-d39e43e3de0f\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"12\",\"w\":24,\"x\":24,\"y\":17},\"id\":\"88d899e0-8b5f-11e7-b92d-d39e43e3de0f\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"13\",\"w\":12,\"x\":12,\"y\":17},\"id\":\"cac48440-8b5f-11e7-b92d-d39e43e3de0f\",\"panelIndex\":\"13\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"h\":11,\"i\":\"14\",\"w\":12,\"x\":0,\"y\":17},\"id\":\"d2405e70-8b5e-11e7-ba35-0d8832ac304f\",\"panelIndex\":\"14\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"15\",\"w\":12,\"x\":0,\"y\":28},\"id\":\"ad6dcb50-8b5e-11e7-ba35-0d8832ac304f\",\"panelIndex\":\"15\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"16\",\"w\":12,\"x\":12,\"y\":28},\"id\":\"ba9d6280-8b5f-11e7-b92d-d39e43e3de0f\",\"panelIndex\":\"16\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"17\",\"w\":24,\"x\":24,\"y\":28},\"id\":\"0169b450-8b62-11e7-ba35-0d8832ac304f\",\"panelIndex\":\"17\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"mapCenter\":[29.22889003019423,-7.207031249999999],\"mapZoom\":2},\"gridData\":{\"h\":17,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":0},\"id\":\"c0916430-8b5e-11e7-ba35-0d8832ac304f\",\"panelIndex\":\"18\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"19\",\"w\":10,\"x\":14,\"y\":0},\"id\":\"f2742de0-e745-11e8-b4a6-215b0b97c069\",\"panelIndex\":\"19\",\"type\":\"visualization\",\"version\":\"6.4.3\"}]", - "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"match_all\":{}}}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "54d8c6a0-dec0-11e8-87cf-239397d2b8d3", - "_type": "dashboard", - "_source": { - "title": "Ciscoasa", - "hits": 0, - "description": "Ciscoasa Dashboard", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":6,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"id\":\"15f2c000-4ad5-11e8-ab1b-fdef76c312f4\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.4.2\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":11,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":6},\"id\":\"8a455850-4ad5-11e8-ab1b-fdef76c312f4\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.4.2\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":11,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":17},\"id\":\"a72ec5f0-4ad5-11e8-ab1b-fdef76c312f4\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.4.2\"},{\"gridData\":{\"h\":11,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":17},\"id\":\"d77bbba0-4ad5-11e8-ab1b-fdef76c312f4\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.4.2\"},{\"gridData\":{\"h\":11,\"i\":\"6\",\"w\":12,\"x\":12,\"y\":17},\"id\":\"fe02b580-4ad5-11e8-ab1b-fdef76c312f4\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.4.2\"},{\"gridData\":{\"h\":20,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":28},\"id\":\"1a80b720-4ad6-11e8-ab1b-fdef76c312f4\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.4.2\"},{\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":28},\"id\":\"2a543aa0-4ad6-11e8-ab1b-fdef76c312f4\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.4.2\"},{\"embeddableConfig\":{\"mapCenter\":[42.032974332441405,0.703125],\"mapZoom\":2},\"gridData\":{\"h\":17,\"i\":\"9\",\"w\":24,\"x\":24,\"y\":0},\"id\":\"b8745000-4ad5-11e8-ab1b-fdef76c312f4\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.4.2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"10\",\"w\":10,\"x\":14,\"y\":0},\"id\":\"79a71e90-dec1-11e8-87cf-239397d2b8d3\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.4.2\"}]", - "optionsJSON": "{\"darkTheme\":true,\"hidePanelTitles\":false,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "8d4e8300-ebde-11e8-9675-1b303bfb38ef", - "_type": "dashboard", - "_source": { - "title": ">T-Pot", - "hits": 0, - "description": "T-Pot Dashboard", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":24,\"y\":36,\"w\":12,\"h\":15,\"i\":\"9\"},\"id\":\"P0f-OS-Top-10\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":28,\"y\":85,\"w\":20,\"h\":29,\"i\":\"21\"},\"id\":\"Suricata-Alert-Signature-Top-10\",\"panelIndex\":\"21\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":20,\"y\":85,\"w\":8,\"h\":29,\"i\":\"38\"},\"id\":\"1a097850-7c22-11e7-aa1e-6bf93670d67b\",\"panelIndex\":\"38\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":24,\"y\":51,\"w\":24,\"h\":15,\"i\":\"43\"},\"id\":\"e624bc50-7dd6-11e7-bee2-c98307c16efa\",\"panelIndex\":\"43\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":85,\"w\":12,\"h\":29,\"i\":\"44\"},\"id\":\"d94ff2a0-7ec2-11e7-a286-9f03beba6417\",\"panelIndex\":\"44\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"gridData\":{\"x\":36,\"y\":36,\"w\":12,\"h\":15,\"i\":\"45\"},\"id\":\"50d82860-7ea0-11e7-a286-9f03beba6417\",\"panelIndex\":\"45\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"embeddableConfig\":{\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":0,\"y\":21,\"w\":16,\"h\":15,\"i\":\"46\"},\"id\":\"7b61a6a0-7ebf-11e7-a286-9f03beba6417\",\"panelIndex\":\"46\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":0,\"y\":6,\"w\":16,\"h\":15,\"i\":\"47\"},\"id\":\"87428ba0-7e9d-11e7-a286-9f03beba6417\",\"panelIndex\":\"47\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":6,\"w\":16,\"h\":15,\"i\":\"48\"},\"id\":\"762f66c0-7e9e-11e7-a286-9f03beba6417\",\"panelIndex\":\"48\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"gridData\":{\"x\":12,\"y\":36,\"w\":12,\"h\":15,\"i\":\"49\"},\"id\":\"0d947000-7ebd-11e7-a286-9f03beba6417\",\"panelIndex\":\"49\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":32,\"y\":21,\"w\":16,\"h\":15,\"i\":\"50\"},\"id\":\"885928c0-7ebe-11e7-a286-9f03beba6417\",\"panelIndex\":\"50\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":16,\"y\":21,\"w\":16,\"h\":15,\"i\":\"51\"},\"id\":\"ef227eb0-7e9d-11e7-a286-9f03beba6417\",\"panelIndex\":\"51\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"embeddableConfig\":{\"mapCenter\":[24.5271348225978,-5.273437500000001],\"mapZoom\":1},\"gridData\":{\"x\":32,\"y\":6,\"w\":16,\"h\":15,\"i\":\"52\"},\"id\":\"d1aa9740-7e9e-11e7-a286-9f03beba6417\",\"panelIndex\":\"52\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":12,\"y\":85,\"w\":8,\"h\":29,\"i\":\"53\"},\"id\":\"772cb2b0-7ec3-11e7-a7c8-5f38ad5bf75f\",\"panelIndex\":\"53\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":0,\"y\":36,\"w\":12,\"h\":15,\"i\":\"54\"},\"id\":\"349c11c0-7ea0-11e7-a286-9f03beba6417\",\"panelIndex\":\"54\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":0,\"y\":51,\"w\":24,\"h\":15,\"i\":\"55\"},\"id\":\"f1a19000-7ebf-11e7-a286-9f03beba6417\",\"panelIndex\":\"55\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":6,\"i\":\"56\"},\"id\":\"e77bc660-e9d3-11e8-be2c-8fd05c77f582\",\"panelIndex\":\"56\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":66,\"w\":24,\"h\":19,\"i\":\"57\"},\"id\":\"56cdedf0-ec08-11e8-96db-ebfb2a58ccf6\",\"panelIndex\":\"57\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":66,\"w\":24,\"h\":19,\"i\":\"58\"},\"id\":\"9b89ddb0-ec07-11e8-96db-ebfb2a58ccf6\",\"panelIndex\":\"58\",\"type\":\"visualization\",\"version\":\"6.4.3\"}]", - "optionsJSON": "{\"darkTheme\":true,\"useMargins\":false}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "56cdedf0-ec08-11e8-96db-ebfb2a58ccf6", - "_type": "visualization", - "_source": { - "title": "Username Tagcloud", - "visState": "{\"title\":\"Username Tagcloud\",\"type\":\"tagcloud\",\"params\":{\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"fromDegree\":\"0\",\"maxFontSize\":64,\"minFontSize\":16,\"orientation\":\"single\",\"orientations\":1,\"scale\":\"linear\",\"showLabel\":false,\"spiral\":\"rectangular\",\"textScale\":\"sqrt\",\"timeInterval\":\"500\",\"toDegree\":\"0\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"username.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"(type.keyword:\\\"Cowrie\\\" AND system:\\\"ssh\\\") OR type.keyword:\\\"Dionaea\\\" OR type.keyword:\\\"Heralding\\\" OR type.keyword:\\\"RDPY\\\"\"},\"filter\":[],\"index\":\"logstash-*\"}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "9b89ddb0-ec07-11e8-96db-ebfb2a58ccf6", - "_type": "visualization", - "_source": { - "title": "Password Tagcloud", - "visState": "{\"title\":\"Password Tagcloud\",\"type\":\"tagcloud\",\"params\":{\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"fromDegree\":0,\"maxFontSize\":64,\"minFontSize\":16,\"orientation\":\"single\",\"orientations\":1,\"scale\":\"linear\",\"showLabel\":false,\"spiral\":\"rectangular\",\"textScale\":\"sqrt\",\"timeInterval\":500,\"toDegree\":0},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"password.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{\"spy\":{\"mode\":{\"fill\":false,\"name\":null}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"(type:\\\"Cowrie\\\" AND system:\\\"ssh\\\") OR type:\\\"Dionaea\\\" OR type:\\\"Heralding\\\" OR type:\\\"RDPY\\\"\",\"language\":\"lucene\"},\"filter\":[],\"index\":\"logstash-*\"}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "772cb2b0-7ec3-11e7-a7c8-5f38ad5bf75f", - "_type": "visualization", - "_source": { - "title": "Attacker Source IP - Top 10", - "visState": "{\"title\":\"Attacker Source IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "Honeypot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Suricata-HTTP-Content-Type-Top-10", - "_type": "visualization", - "_source": { - "title": "Suricata HTTP Content Type - Top 10", - "visState": "{\"title\":\"Suricata HTTP Content Type - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":200}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.http_content_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "7b61a6a0-7ebf-11e7-a286-9f03beba6417", - "_type": "visualization", - "_source": { - "title": "Attacks by Destination Port Histogram", - "visState": "{\"title\":\"Attacks by Destination Port Histogram\",\"type\":\"area\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Timestamp\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"step-after\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dest_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}}", - "description": "", - "savedSearchId": "Honeypot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "124a1140-488e-11e8-9b3d-f36e8d4f5cb2", - "_type": "visualization", - "_source": { - "title": "Heralding Top Credentials Per Protocol", - "visState": "{\"title\":\"Heralding Top Credentials Per Protocol\",\"type\":\"table\",\"params\":{\"perPage\":100,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"proto.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":3,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"password.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":3,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Password\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":null}}}}", - "description": "", - "savedSearchId": "c2bea500-47ca-11e8-a905-f74bbc7cbd2d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "f1a19000-7ebf-11e7-a286-9f03beba6417", - "_type": "visualization", - "_source": { - "title": "Attacks by Country and Port", - "visState": "{\"title\":\"Attacks by Country and Port\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\",\"row\":false}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dest_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeypot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "NGINX-Events-Histogram", - "_type": "visualization", - "_source": { - "title": "NGINX Events Histogram", - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customInterval\":\"2h\",\"customLabel\":\"Timestamp\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Unique Src IPs\",\"field\":\"src_ip.keyword\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Events\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"NGINX Events Histogram\",\"type\":\"line\"}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "NGINX-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Suricata-Events-by-Country-Histogram", - "_type": "visualization", - "_source": { - "title": "Suricata Events by Country Histogram", - "visState": "{\"title\":\"Suricata Events by Country Histogram\",\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "0e230290-859b-11e7-8f60-4f4666b0a88e", - "_type": "visualization", - "_source": { - "title": "Suricata Destination Ports Histogram", - "visState": "{\"title\":\"Suricata Destination Ports Histogram\",\"type\":\"area\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Timestamp\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"step-after\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dest_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "1a097850-7c22-11e7-aa1e-6bf93670d67b", - "_type": "visualization", - "_source": { - "title": "Suricata CVE - Top 10", - "visState": "{\"title\":\"Suricata CVE - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.cve_id.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"CVE ID\"}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Suricata-Countries-Top-10", - "_type": "visualization", - "_source": { - "title": "Suricata Countries - Top 10", - "visState": "{\"title\":\"Suricata Countries - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "51ca6ee0-80d5-11e7-ab37-eb92b1bfb573", - "_type": "visualization", - "_source": { - "title": "NGINX Events Bar", - "visState": "{\"title\":\"NGINX Events Bar\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":90,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"NGINX\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Events\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true},{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Events\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"type.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"NGINX\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "NGINX-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "65fdfd10-e7f8-11e8-9ac4-13ecd4ad8d70", - "_type": "visualization", - "_source": { - "title": "Medpot Attacks Bar", - "visState": "{\"title\":\"Medpot Attacks Bar\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":90,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"ElasticPot\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true},{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"type.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ElasticPot\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "baa53b00-b597-11e8-9a34-d951cebce834", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "1268af10-4889-11e8-9b3d-f36e8d4f5cb2", - "_type": "visualization", - "_source": { - "title": "Heralding Username Tagcloud", - "visState": "{\"title\":\"Heralding Username Tagcloud\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":16,\"maxFontSize\":64,\"showLabel\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"username.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "c2bea500-47ca-11e8-a905-f74bbc7cbd2d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "d94ff2a0-7ec2-11e7-a286-9f03beba6417", - "_type": "visualization", - "_source": { - "title": "Attacker AS/N - Top 10", - "visState": "{\"title\":\"Attacker AS/N - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.as_org.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ASN\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "Honeypot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "0de24040-8b52-11e7-b92d-d39e43e3de0f", - "_type": "visualization", - "_source": { - "title": "Rdpy Attacks Bar", - "visState": "{\"title\":\"Rdpy Attacks Bar\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"Rdpy\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true},{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"type.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Rdpy\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "aa750980-8ab5-11e7-8fef-33e989079c7d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "50d82860-7ea0-11e7-a286-9f03beba6417", - "_type": "visualization", - "_source": { - "title": "Attacks by Country", - "visState": "{\"title\":\"Attacks by Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeypot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "133801c0-e852-11e8-97df-bbc3de28ece0", - "_type": "visualization", - "_source": { - "title": "Glutton Heatmap", - "visState": "{\"title\":\"Glutton Heatmap\",\"type\":\"heatmap\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"enableHover\":false,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":10,\"colorSchema\":\"Green to Red\",\"setColorRange\":false,\"colorsRange\":[],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"square root\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"color\":\"#555\",\"overwriteColor\":false}}],\"type\":\"heatmap\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dest_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{\n \"vis\": {\n \"defaultColors\": {\n \"0 - 500\": \"rgb(0,104,55)\",\n \"500 - 1000\": \"rgb(26,151,80)\",\n \"1000 - 1500\": \"rgb(102,189,99)\",\n \"1500 - 2000\": \"rgb(166,217,106)\",\n \"2000 - 2500\": \"rgb(217,239,139)\",\n \"2500 - 3000\": \"rgb(255,255,190)\",\n \"3000 - 3500\": \"rgb(254,224,139)\",\n \"3500 - 4000\": \"rgb(253,174,97)\",\n \"4000 - 4500\": \"rgb(244,109,67)\",\n \"4500 - 5000\": \"rgb(214,47,39)\"\n }\n },\n \"spy\": {\n \"mode\": {\n \"name\": null,\n \"fill\": false\n }\n }\n}", - "description": "", - "savedSearchId": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "b1a7f8d0-859b-11e7-8f60-4f4666b0a88e", - "_type": "visualization", - "_source": { - "title": "Suricata - Attacker Src IP Reputation", - "visState": "{\"title\":\"Suricata - Attacker Src IP Reputation\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ip_rep.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "5234de80-8b5f-11e7-b92d-d39e43e3de0f", - "_type": "visualization", - "_source": { - "title": "Mailoney Attacks Bar", - "visState": "{\"title\":\"Mailoney Attacks Bar\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"Mailoney\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true},{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"type.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Mailoney\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "9c35dd90-6977-11e7-9c11-8d9c11943fa0", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ElasticPot-Events-Histogram", - "_type": "visualization", - "_source": { - "title": "ElasticPot Attacks Histogram", - "visState": "{\"title\":\"ElasticPot Attacks Histogram\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ElasticPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "59b9dd60-827f-11e7-afbf-a7491fba5d8a", - "_type": "visualization", - "_source": { - "title": "ElasticPot - Attacker Src IP Reputation", - "visState": "{\"title\":\"ElasticPot - Attacker Src IP Reputation\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ip_rep.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ElasticPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "5014cee0-634e-11e8-be86-73985bedf977", - "_type": "visualization", - "_source": { - "title": "Tanner Attacks Bar", - "visState": "{\"title\":\"Tanner Attacks Bar\",\"type\":\"horizontal_bar\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":90,\"show\":false,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":false,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Unique Src IPs\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "d800f130-633f-11e8-be86-73985bedf977", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "f66b9200-e851-11e8-97df-bbc3de28ece0", - "_type": "visualization", - "_source": { - "title": "Glutton - Attacker Src IP Reputation", - "visState": "{\"title\":\"Glutton - Attacker Src IP Reputation\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ip_rep.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "59509e90-8590-11e7-a686-392ac617767d", - "_type": "visualization", - "_source": { - "title": "Glastopf - Attacker Src IP Reputation", - "visState": "{\"title\":\"Glastopf - Attacker Src IP Reputation\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ip_rep.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Glastopf-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "576a3cb0-82ae-11e7-bcbe-2b6958a9c888", - "_type": "visualization", - "_source": { - "title": "Honeytrap - Attacker Src IP Reputation", - "visState": "{\"title\":\"Honeytrap - Attacker Src IP Reputation\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ip_rep.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeytrap-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "099c23d0-e7fd-11e8-9ac4-13ecd4ad8d70", - "_type": "visualization", - "_source": { - "title": "Medpot - Attacker Src IP Reputation", - "visState": "{\"title\":\"Medpot - Attacker Src IP Reputation\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ip_rep.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "baa53b00-b597-11e8-9a34-d951cebce834", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ElasticPot-Events-by-Country-Histogram", - "_type": "visualization", - "_source": { - "title": "ElasticPot - Attacks by Country Histogram", - "visState": "{\"title\":\"ElasticPot - Attacks by Country Histogram\",\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ElasticPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "349c11c0-7ea0-11e7-a286-9f03beba6417", - "_type": "visualization", - "_source": { - "title": "Attacker Src IP Reputation", - "visState": "{\"title\":\"Attacker Src IP Reputation\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ip_rep.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeypot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "bf39e000-80d5-11e7-ba6f-4542711dd148", - "_type": "visualization", - "_source": { - "title": "Cowrie - Attacker Src IP Reputation", - "visState": "{\"title\":\"Cowrie - Attacker Src IP Reputation\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ip_rep.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Cowrie-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Honeytrap-Events-Histogram", - "_type": "visualization", - "_source": { - "title": "Honeytrap Attacks Histogram", - "visState": "{\"title\":\"Honeytrap Attacks Histogram\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Unique Src IPs\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeytrap-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ConPot-Events-by-Country-Histogram", - "_type": "visualization", - "_source": { - "title": "Conpot - Attacks by Country Histogram", - "visState": "{\"title\":\"Conpot - Attacks by Country Histogram\",\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ConPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Cowrie-Events-by-Country-Histogram", - "_type": "visualization", - "_source": { - "title": "Cowrie - Attacks by Country Histogram", - "visState": "{\"title\":\"Cowrie - Attacks by Country Histogram\",\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\",\"interpolate\":\"linear\",\"lineWidth\":2}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Cowrie-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "554c9550-e7fb-11e8-9ac4-13ecd4ad8d70", - "_type": "visualization", - "_source": { - "title": "Medpot Attacks Histogram", - "visState": "{\"title\":\"Medpot Attacks Histogram\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "baa53b00-b597-11e8-9a34-d951cebce834", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Honeytrap-Events-by-Country-Histogram", - "_type": "visualization", - "_source": { - "title": "Honeytrap - Attacks by Country Histogram", - "visState": "{\"title\":\"Honeytrap - Attacks by Country Histogram\",\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeytrap-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "8a455850-4ad5-11e8-ab1b-fdef76c312f4", - "_type": "visualization", - "_source": { - "title": "Ciscoasa Attacks Histogram", - "visState": "{\"title\":\"Ciscoasa Attacks Histogram\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Unique Src IPs\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"*\"},\"label\":\"All\"},{\"input\":{\"query\":\"src_port:*\"},\"label\":\"Exploit\"}]}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "2934abc0-4ad4-11e8-ab1b-fdef76c312f4", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "a72ec5f0-4ad5-11e8-ab1b-fdef76c312f4", - "_type": "visualization", - "_source": { - "title": "Ciscoasa - Attacks by Country Histogram", - "visState": "{\"title\":\"Ciscoasa - Attacks by Country Histogram\",\"type\":\"area\",\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "2934abc0-4ad4-11e8-ab1b-fdef76c312f4", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "29f51af0-4876-11e8-9b3d-f36e8d4f5cb2", - "_type": "visualization", - "_source": { - "title": "Heralding Protocols Histogram", - "visState": "{\"title\":\"Heralding Protocols Histogram\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Events\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"step-after\",\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Events\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"proto.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "c2bea500-47ca-11e8-a905-f74bbc7cbd2d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "54213440-8b56-11e7-b92d-d39e43e3de0f", - "_type": "visualization", - "_source": { - "title": "Rdpy Username Tagcloud", - "visState": "{\"title\":\"Rdpy Username Tagcloud\",\"type\":\"tagcloud\",\"params\":{\"textScale\":\"linear\",\"orientations\":1,\"fromDegree\":\"0\",\"toDegree\":\"0\",\"font\":\"serif\",\"fontStyle\":\"normal\",\"fontWeight\":\"normal\",\"timeInterval\":\"500\",\"spiral\":\"rectangular\",\"minFontSize\":16,\"maxFontSize\":64,\"scale\":\"linear\",\"orientation\":\"single\",\"hideLabel\":false,\"showLabel\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"username.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "aa750980-8ab5-11e7-8fef-33e989079c7d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "656df650-6357-11e8-be86-73985bedf977", - "_type": "visualization", - "_source": { - "title": "Tanner HTTP Encoding Pie - Top 10", - "visState": "{\"title\":\"Tanner HTTP Encoding Pie - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"headers.accept-encoding.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "d800f130-633f-11e8-be86-73985bedf977", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "4e2887d0-8379-11e7-97dc-15d31af3c77f", - "_type": "visualization", - "_source": { - "title": "Honeytrap Heatmap", - "visState": "{\"title\":\"Honeytrap Heatmap\",\"type\":\"heatmap\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"enableHover\":false,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":10,\"colorSchema\":\"Green to Red\",\"setColorRange\":false,\"colorsRange\":[],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"square root\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"color\":\"#555\",\"overwriteColor\":false}}],\"type\":\"heatmap\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dest_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 650\":\"rgb(0,104,55)\",\"650 - 1300\":\"rgb(26,151,80)\",\"1300 - 1950\":\"rgb(102,189,99)\",\"1950 - 2600\":\"rgb(166,217,106)\",\"2600 - 3250\":\"rgb(217,239,139)\",\"3250 - 3900\":\"rgb(255,255,190)\",\"3900 - 4550\":\"rgb(254,224,139)\",\"4550 - 5200\":\"rgb(253,174,97)\",\"5200 - 5850\":\"rgb(244,109,67)\",\"5850 - 6500\":\"rgb(214,47,39)\"}},\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}}", - "description": "", - "savedSearchId": "Honeytrap-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "7dcaa2b0-8596-11e7-a686-392ac617767d", - "_type": "visualization", - "_source": { - "title": "NGINX Top Users Histogram", - "visState": "{\"title\":\"NGINX Top Users Histogram\",\"type\":\"area\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Timestamp\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"step-after\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"remote_user.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\"}}],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "NGINX-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "7e9a7d20-e858-11e8-97df-bbc3de28ece0", - "_type": "visualization", - "_source": { - "title": "Glutton Flow Direction", - "visState": "{\"title\":\"Glutton Flow Direction\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"direction.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "946dc4d0-6352-11e8-be86-73985bedf977", - "_type": "visualization", - "_source": { - "title": "Tanner HTTP Method Pie - Top 10", - "visState": "{\"title\":\"Tanner HTTP Method Pie - Top 10\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"method.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "d800f130-633f-11e8-be86-73985bedf977", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "87cf3b50-6357-11e8-be86-73985bedf977", - "_type": "visualization", - "_source": { - "title": "Tanner HTTP Language Pie - Top 10", - "visState": "{\"title\":\"Tanner HTTP Language Pie - Top 10\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"headers.accept-language.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "d800f130-633f-11e8-be86-73985bedf977", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Dionaea-Logs", - "_type": "search", - "_source": { - "title": "Dionaea-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query\":{\"query_string\":{\"query\":\"type:\\\"Dionaea\\\"\",\"analyze_wildcard\":true}},\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Cowrie-Logs", - "_type": "search", - "_source": { - "title": "Cowrie-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query\":{\"query_string\":{\"query\":\"type:\\\"Cowrie\\\"\",\"analyze_wildcard\":true}},\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "d800f130-633f-11e8-be86-73985bedf977", - "_type": "search", - "_source": { - "title": "Tanner-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"type:\\\"Tanner\\\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ConPot-Logs", - "_type": "search", - "_source": { - "title": "ConPot-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query\":{\"query_string\":{\"query\":\"type:\\\"ConPot\\\"\",\"analyze_wildcard\":true}},\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "_type": "search", - "_source": { - "title": "Glutton-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"type:\\\"Glutton\\\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "NGINX-Logs", - "_type": "search", - "_source": { - "title": "NGINX-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query\":{\"query_string\":{\"query\":\"type:\\\"NGINX\\\"\",\"analyze_wildcard\":true}},\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Honeytrap-Logs", - "_type": "search", - "_source": { - "title": "Honeytrap-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query\":{\"query_string\":{\"query\":\"type:\\\"Honeytrap\\\"\",\"analyze_wildcard\":true}},\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "aa750980-8ab5-11e7-8fef-33e989079c7d", - "_type": "search", - "_source": { - "title": "Rdpy-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"query\":\"type:\\\"Rdpy\\\"\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ElasticPot-Logs", - "_type": "search", - "_source": { - "title": "ElasticPot-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query\":{\"query_string\":{\"query\":\"type:\\\"ElasticPot\\\"\",\"analyze_wildcard\":true}},\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "3290fa70-69a2-11e7-bcac-d3ee6f9c26fd", - "_type": "search", - "_source": { - "title": "NSM-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"type:\\\"Suricata\\\" OR type:\\\"p0f\\\"\",\"analyze_wildcard\":true}},\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Suricata-Logs", - "_type": "search", - "_source": { - "title": "Suricata-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query\":{\"query_string\":{\"query\":\"type:\\\"Suricata\\\"\",\"analyze_wildcard\":true}},\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "baa53b00-b597-11e8-9a34-d951cebce834", - "_type": "search", - "_source": { - "title": "Medpot-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"type:\\\"Medpot\\\"\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Glastopf-Logs", - "_type": "search", - "_source": { - "title": "Glastopf-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query\":{\"query_string\":{\"query\":\"type:\\\"Glastopf\\\"\",\"analyze_wildcard\":true}},\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "2934abc0-4ad4-11e8-ab1b-fdef76c312f4", - "_type": "search", - "_source": { - "title": "Ciscoasa-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"type:\\\"Ciscoasa\\\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "9c35dd90-6977-11e7-9c11-8d9c11943fa0", - "_type": "search", - "_source": { - "title": "Mailoney-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"type:\\\"Mailoney\\\"\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "P0f-Logs", - "_type": "search", - "_source": { - "title": "P0f-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query\":{\"query_string\":{\"query\":\"type:\\\"P0f\\\"\",\"analyze_wildcard\":true}},\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "c2bea500-47ca-11e8-a905-f74bbc7cbd2d", - "_type": "search", - "_source": { - "title": "Heralding-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"type:\\\"Heralding\\\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "c3b89bc0-69a7-11e7-bcac-d3ee6f9c26fd", - "_type": "search", - "_source": { - "title": "T-Pot-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"language\":\"lucene\",\"query\":\"type:\\\"Ciscoasa\\\" OR type:\\\"ConPot\\\" OR type:\\\"Cowrie\\\" OR type:\\\"Dionaea\\\" OR type:\\\"ElasticPot\\\" OR type:\\\"Glastopf\\\" OR type:\\\"Glutton\\\" OR type:\\\"Heralding\\\" OR type:\\\"Honeytrap\\\" OR type:\\\"Mailoney\\\" OR type:\\\"Medpot\\\" OR type:\\\"P0f\\\" OR type:\\\"Rdpy\\\" OR type:\\\"Suricata\\\" OR type:\\\"Tanner\\\"\"},\"highlightAll\":true,\"version\":true,\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "f4444100-e858-11e8-97df-bbc3de28ece0", - "_type": "visualization", - "_source": { - "title": "Glutton Handler", - "visState": "{\"title\":\"Glutton Handler\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"handler.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "c80e9ff0-e866-11e8-95af-236f09a02fdb", - "_type": "visualization", - "_source": { - "title": "Glutton Msg - Top 10", - "visState": "{\"title\":\"Glutton Msg - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"msg.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Msg\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Dionaea-Protocol", - "_type": "visualization", - "_source": { - "title": "Dionaea Protocol", - "visState": "{\"title\":\"Dionaea Protocol\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"connection.protocol.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Dionaea-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "0169b450-8b62-11e7-ba35-0d8832ac304f", - "_type": "visualization", - "_source": { - "title": "Mailoney SMTP Input - Top 10", - "visState": "{\"title\":\"Mailoney SMTP Input - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp_input.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SMTP Input\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "9c35dd90-6977-11e7-9c11-8d9c11943fa0", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "160f9cb0-e85b-11e8-97df-bbc3de28ece0", - "_type": "visualization", - "_source": { - "title": "Glutton Method", - "visState": "{\"title\":\"Glutton Method\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"method.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "e05aac20-8b51-11e7-b92d-d39e43e3de0f", - "_type": "dashboard", - "_source": { - "title": "Rdpy", - "hits": 0, - "description": "Rdpy Dashboard", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":15,\"h\":6,\"i\":\"10\"},\"id\":\"0de24040-8b52-11e7-b92d-d39e43e3de0f\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":6,\"w\":24,\"h\":11,\"i\":\"11\"},\"id\":\"c90f1f00-8b52-11e7-b92d-d39e43e3de0f\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":24,\"y\":17,\"w\":24,\"h\":11,\"i\":\"12\"},\"id\":\"da489b20-8b52-11e7-b92d-d39e43e3de0f\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"mapCenter\":[30.44867367928756,-5.44921875],\"mapZoom\":2},\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":17,\"i\":\"13\"},\"id\":\"e4b7cf40-8b52-11e7-b92d-d39e43e3de0f\",\"panelIndex\":\"13\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":17,\"w\":12,\"h\":11,\"i\":\"14\"},\"id\":\"051c59e0-8b53-11e7-b92d-d39e43e3de0f\",\"panelIndex\":\"14\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":12,\"y\":17,\"w\":12,\"h\":11,\"i\":\"15\"},\"id\":\"51c331f0-8b54-11e7-b92d-d39e43e3de0f\",\"panelIndex\":\"15\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":39,\"w\":24,\"h\":20,\"i\":\"16\"},\"id\":\"73364660-8b54-11e7-b92d-d39e43e3de0f\",\"panelIndex\":\"16\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":24,\"y\":39,\"w\":24,\"h\":20,\"i\":\"17\"},\"id\":\"874be060-8b54-11e7-b92d-d39e43e3de0f\",\"panelIndex\":\"17\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":0,\"y\":28,\"w\":24,\"h\":11,\"i\":\"18\"},\"id\":\"54213440-8b56-11e7-b92d-d39e43e3de0f\",\"panelIndex\":\"18\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"gridData\":{\"x\":24,\"y\":28,\"w\":24,\"h\":11,\"i\":\"19\"},\"id\":\"cb2a3a00-8b56-11e7-b92d-d39e43e3de0f\",\"panelIndex\":\"19\",\"type\":\"visualization\",\"version\":\"6.4.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":15,\"y\":0,\"w\":9,\"h\":6,\"i\":\"20\"},\"id\":\"94e13130-e756-11e8-b4a6-215b0b97c069\",\"panelIndex\":\"20\",\"type\":\"visualization\",\"version\":\"6.4.3\"}]", - "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"match_all\":{}}}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "0f9b72a0-fa30-11e8-838f-fff066e21110", - "_type": "visualization", - "_source": { - "title": "Adbhoney Attack Map", - "visState": "{\n \"title\": \"Adbhoney Attack Map\",\n \"type\": \"tile_map\",\n \"params\": {\n \"mapType\": \"Shaded Circle Markers\",\n \"isDesaturated\": true,\n \"addTooltip\": true,\n \"heatMaxZoom\": 16,\n \"heatMinOpacity\": 0.1,\n \"heatRadius\": 25,\n \"heatBlur\": 15,\n \"heatNormalizeData\": true,\n \"wms\": {\n \"enabled\": false,\n \"url\": \"http://ows.terrestris.de/osm/service\",\n \"options\": {\n \"version\": \"1.3.0\",\n \"layers\": \"OSM-WMS\",\n \"format\": \"image/png\",\n \"transparent\": true,\n \"attribution\": \"© OpenStreetMap contributors\",\n \"styles\": \"\"\n },\n \"baseLayersAreLoaded\": {},\n \"tmsLayers\": [\n {\n \"id\": \"road_map\",\n \"url\": \"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\n \"minZoom\": 0,\n \"maxZoom\": 18,\n \"attribution\": \"

© OpenStreetMap contributors | Elastic Maps Service

\",\n \"subdomains\": []\n }\n ],\n \"selectedTmsLayer\": {\n \"id\": \"road_map\",\n \"url\": \"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\n \"minZoom\": 0,\n \"maxZoom\": 18,\n \"attribution\": \"

© OpenStreetMap contributors | Elastic Maps Service

\",\n \"subdomains\": []\n }\n },\n \"legendPosition\": \"bottomright\",\n \"mapZoom\": 2,\n \"mapCenter\": [\n 0,\n 0\n ],\n \"colorSchema\": \"Yellow to Red\",\n \"heatClusterSize\": 1.5\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"geohash_grid\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"geoip.location\",\n \"autoPrecision\": true,\n \"isFilteredByCollar\": true,\n \"useGeocentroid\": true,\n \"mapZoom\": 2,\n \"mapCenter\": {\n \"lon\": 0.17578125,\n \"lat\": -0.17578097424708533\n },\n \"precision\": 2\n }\n }\n ]\n}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "557c7d60-f8ae-11e8-ad78-0555bc917463", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "e18823d0-fa30-11e8-838f-fff066e21110", - "_type": "visualization", - "_source": { - "title": "Adbhoney - Attacks by Country Histogram", - "visState": "{\n \"title\": \"Adbhoney - Attacks by Country Histogram\",\n \"type\": \"area\",\n \"params\": {\n \"addLegend\": true,\n \"addTimeMarker\": false,\n \"addTooltip\": true,\n \"categoryAxes\": [\n {\n \"id\": \"CategoryAxis-1\",\n \"labels\": {\n \"filter\": true,\n \"show\": true,\n \"truncate\": 100\n },\n \"position\": \"bottom\",\n \"scale\": {\n \"type\": \"linear\"\n },\n \"show\": true,\n \"style\": {},\n \"title\": {\n \"text\": \"Timestamp\"\n },\n \"type\": \"category\"\n }\n ],\n \"defaultYExtents\": false,\n \"drawLinesBetweenPoints\": true,\n \"grid\": {\n \"categoryLines\": false,\n \"style\": {\n \"color\": \"#eee\"\n }\n },\n \"interpolate\": \"linear\",\n \"legendPosition\": \"right\",\n \"radiusRatio\": 9,\n \"scale\": \"square root\",\n \"seriesParams\": [\n {\n \"data\": {\n \"id\": \"1\",\n \"label\": \"Attacks\"\n },\n \"drawLinesBetweenPoints\": true,\n \"mode\": \"normal\",\n \"show\": \"true\",\n \"showCircles\": true,\n \"type\": \"area\",\n \"valueAxis\": \"ValueAxis-1\",\n \"interpolate\": \"linear\",\n \"lineWidth\": 2\n }\n ],\n \"setYExtents\": false,\n \"shareYAxis\": true,\n \"showCircles\": true,\n \"smoothLines\": false,\n \"times\": [],\n \"valueAxes\": [\n {\n \"id\": \"ValueAxis-1\",\n \"labels\": {\n \"filter\": false,\n \"rotate\": 0,\n \"show\": true,\n \"truncate\": 100\n },\n \"name\": \"LeftAxis-1\",\n \"position\": \"left\",\n \"scale\": {\n \"mode\": \"normal\",\n \"type\": \"square root\"\n },\n \"show\": true,\n \"style\": {},\n \"title\": {\n \"text\": \"\"\n },\n \"type\": \"value\"\n }\n ],\n \"yAxis\": {},\n \"type\": \"area\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {\n \"customLabel\": \"Attacks\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"group\",\n \"params\": {\n \"field\": \"geoip.country_name.keyword\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"date_histogram\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"@timestamp\",\n \"useNormalizedEsInterval\": true,\n \"interval\": \"auto\",\n \"time_zone\": \"Europe/Berlin\",\n \"drop_partials\": false,\n \"customInterval\": \"2h\",\n \"min_doc_count\": 1,\n \"extended_bounds\": {},\n \"customLabel\": \"Timestamp\"\n }\n }\n ]\n}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "557c7d60-f8ae-11e8-ad78-0555bc917463", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "eaedcca0-fa2f-11e8-838f-fff066e21110", - "_type": "visualization", - "_source": { - "title": "Adbhoney Attacks Histogram", - "visState": "{\n \"title\": \"Adbhoney Attacks Histogram\",\n \"type\": \"line\",\n \"params\": {\n \"addLegend\": true,\n \"addTimeMarker\": false,\n \"addTooltip\": true,\n \"categoryAxes\": [\n {\n \"id\": \"CategoryAxis-1\",\n \"labels\": {\n \"filter\": true,\n \"rotate\": 0,\n \"show\": true,\n \"truncate\": 100\n },\n \"position\": \"bottom\",\n \"scale\": {\n \"type\": \"linear\"\n },\n \"show\": true,\n \"style\": {},\n \"title\": {\n \"text\": \"Timestamp\"\n },\n \"type\": \"category\"\n }\n ],\n \"defaultYExtents\": false,\n \"drawLinesBetweenPoints\": true,\n \"grid\": {\n \"categoryLines\": false,\n \"style\": {\n \"color\": \"#eee\"\n }\n },\n \"interpolate\": \"linear\",\n \"legendPosition\": \"right\",\n \"radiusRatio\": 9,\n \"scale\": \"square root\",\n \"seriesParams\": [\n {\n \"data\": {\n \"id\": \"1\",\n \"label\": \"Attacks\"\n },\n \"drawLinesBetweenPoints\": true,\n \"interpolate\": \"linear\",\n \"lineWidth\": 2,\n \"mode\": \"normal\",\n \"show\": true,\n \"showCircles\": true,\n \"type\": \"line\",\n \"valueAxis\": \"ValueAxis-1\"\n },\n {\n \"data\": {\n \"id\": \"3\",\n \"label\": \"Unique Src IPs\"\n },\n \"drawLinesBetweenPoints\": true,\n \"interpolate\": \"linear\",\n \"lineWidth\": 2,\n \"mode\": \"normal\",\n \"show\": true,\n \"showCircles\": true,\n \"type\": \"line\",\n \"valueAxis\": \"ValueAxis-1\"\n }\n ],\n \"setYExtents\": false,\n \"shareYAxis\": true,\n \"showCircles\": true,\n \"smoothLines\": false,\n \"times\": [],\n \"valueAxes\": [\n {\n \"id\": \"ValueAxis-1\",\n \"labels\": {\n \"filter\": false,\n \"rotate\": 0,\n \"show\": true,\n \"truncate\": 100\n },\n \"name\": \"LeftAxis-1\",\n \"position\": \"left\",\n \"scale\": {\n \"mode\": \"normal\",\n \"type\": \"square root\"\n },\n \"show\": true,\n \"style\": {},\n \"title\": {\n \"text\": \"\"\n },\n \"type\": \"value\"\n }\n ],\n \"yAxis\": {},\n \"type\": \"line\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {\n \"customLabel\": \"Attacks\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"src_ip.keyword\",\n \"customLabel\": \"Unique Src IPs\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"date_histogram\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"@timestamp\",\n \"useNormalizedEsInterval\": true,\n \"interval\": \"auto\",\n \"time_zone\": \"Europe/Berlin\",\n \"drop_partials\": false,\n \"customInterval\": \"2h\",\n \"min_doc_count\": 1,\n \"extended_bounds\": {},\n \"customLabel\": \"Timestamp\"\n }\n }\n ]\n}", - "uiStateJSON": "{\n \"vis\": {\n \"legendOpen\": true\n }\n}", - "description": "", - "savedSearchId": "557c7d60-f8ae-11e8-ad78-0555bc917463", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "a3500f20-fa2f-11e8-838f-fff066e21110", - "_type": "visualization", - "_source": { - "title": "Adbhoney Attacks Bar", - "visState": "{\n \"title\": \"Adbhoney Attacks Bar\",\n \"type\": \"histogram\",\n \"params\": {\n \"grid\": {\n \"categoryLines\": false,\n \"style\": {\n \"color\": \"#eee\"\n }\n },\n \"categoryAxes\": [\n {\n \"id\": \"CategoryAxis-1\",\n \"type\": \"category\",\n \"position\": \"left\",\n \"show\": false,\n \"style\": {},\n \"scale\": {\n \"type\": \"linear\"\n },\n \"labels\": {\n \"show\": false,\n \"rotate\": 0,\n \"filter\": false,\n \"truncate\": 200\n },\n \"title\": {\n \"text\": \"Cowrie\"\n }\n }\n ],\n \"valueAxes\": [\n {\n \"id\": \"ValueAxis-1\",\n \"name\": \"BottomAxis-1\",\n \"type\": \"value\",\n \"position\": \"bottom\",\n \"show\": true,\n \"style\": {},\n \"scale\": {\n \"type\": \"square root\",\n \"mode\": \"normal\"\n },\n \"labels\": {\n \"show\": true,\n \"rotate\": 0,\n \"filter\": true,\n \"truncate\": 100\n },\n \"title\": {\n \"text\": \"\"\n }\n }\n ],\n \"seriesParams\": [\n {\n \"show\": true,\n \"type\": \"histogram\",\n \"mode\": \"normal\",\n \"data\": {\n \"label\": \"Attacks\",\n \"id\": \"1\"\n },\n \"valueAxis\": \"ValueAxis-1\",\n \"drawLinesBetweenPoints\": true,\n \"showCircles\": true\n },\n {\n \"show\": true,\n \"mode\": \"normal\",\n \"type\": \"histogram\",\n \"drawLinesBetweenPoints\": true,\n \"showCircles\": true,\n \"interpolate\": \"linear\",\n \"lineWidth\": 2,\n \"data\": {\n \"id\": \"3\",\n \"label\": \"Unique Src IPs\"\n },\n \"valueAxis\": \"ValueAxis-1\"\n }\n ],\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"right\",\n \"times\": [],\n \"addTimeMarker\": false,\n \"type\": \"histogram\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {\n \"customLabel\": \"Attacks\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"type.keyword\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Cowrie\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"src_ip.keyword\",\n \"customLabel\": \"Unique Src IPs\"\n }\n }\n ]\n}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "557c7d60-f8ae-11e8-ad78-0555bc917463", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "fcf68d60-fa34-11e8-838f-fff066e21110", - "_type": "visualization", - "_source": { - "title": "Adbhoney - Attacker AS/N - Top 10", - "visState": "{\n \"title\": \"Adbhoney - Attacker AS/N - Top 10\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {\n \"customLabel\": \"CNT\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"geoip.asn\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"AS\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"geoip.as_org.keyword\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"ASN\"\n }\n }\n ]\n}", - "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", - "description": "", - "savedSearchId": "557c7d60-f8ae-11e8-ad78-0555bc917463", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "20d12bf0-fa35-11e8-838f-fff066e21110", - "_type": "visualization", - "_source": { - "title": "Adbhoney - Attacker Src IP - Top 10", - "visState": "{\n \"title\": \"Adbhoney - Attacker Src IP - Top 10\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {\n \"customLabel\": \"CNT\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"src_ip.keyword\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Source IP\"\n }\n }\n ]\n}", - "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", - "description": "", - "savedSearchId": "557c7d60-f8ae-11e8-ad78-0555bc917463", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"filter\": [],\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n }\n}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Honeytrap-Countries-Top-10", - "_type": "visualization", - "_source": { - "title": "Honeytrap - Attacks by Country", - "visState": "{\"title\":\"Honeytrap - Attacks by Country\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeytrap-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "88d899e0-8b5f-11e7-b92d-d39e43e3de0f", - "_type": "visualization", - "_source": { - "title": "Mailoney - Attacks by Country Histogram", - "visState": "{\"title\":\"Mailoney - Attacks by Country Histogram\",\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Events\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Events\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "9c35dd90-6977-11e7-9c11-8d9c11943fa0", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Cowrie-Countries-Top-10", - "_type": "visualization", - "_source": { - "title": "Cowrie - Attacks by Country", - "visState": "{\"title\":\"Cowrie - Attacks by Country\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Cowrie-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "50aa1940-e851-11e8-97df-bbc3de28ece0", - "_type": "visualization", - "_source": { - "title": "Glutton Attacks Histogram", - "visState": "{\"title\":\"Glutton Attacks Histogram\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Unique Src IPs\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "6ee57da0-634f-11e8-be86-73985bedf977", - "_type": "visualization", - "_source": { - "title": "Tanner - Attacks by Country Histogram", - "visState": "{\"title\":\"Tanner - Attacks by Country Histogram\",\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\",\"interpolate\":\"linear\",\"lineWidth\":2}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "d800f130-633f-11e8-be86-73985bedf977", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "e1969e20-4878-11e8-9b3d-f36e8d4f5cb2", - "_type": "visualization", - "_source": { - "title": "Heralding - Attacks by Country", - "visState": "{\"title\":\"Heralding - Attacks by Country\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "c2bea500-47ca-11e8-a905-f74bbc7cbd2d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "fe02b580-4ad5-11e8-ab1b-fdef76c312f4", - "_type": "visualization", - "_source": { - "title": "Ciscoasa - Attacks by Country", - "visState": "{\"title\":\"Ciscoasa - Attacks by Country\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "2934abc0-4ad4-11e8-ab1b-fdef76c312f4", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "490b4e60-e7fd-11e8-9ac4-13ecd4ad8d70", - "_type": "visualization", - "_source": { - "title": "Medpot - Attacks by Country Histogram", - "visState": "{\"title\":\"Medpot - Attacks by Country Histogram\",\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Attacks\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "baa53b00-b597-11e8-9a34-d951cebce834", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Glastopf-ASN-Top-10", - "_type": "visualization", - "_source": { - "title": "Glastopf - Attacker AS/N - Top 10", - "visState": "{\"title\":\"Glastopf - Attacker AS/N - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.as_org.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ASN\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "Glastopf-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Cowrie-ASN-Top-10", - "_type": "visualization", - "_source": { - "title": "Cowrie - Attacker AS/N - Top 10", - "visState": "{\"title\":\"Cowrie - Attacker AS/N - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.as_org.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ASN\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "Cowrie-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ConPot-ASN-Top-10", - "_type": "visualization", - "_source": { - "title": "Conpot - Attacker AS/N - Top 10", - "visState": "{\"title\":\"Conpot - Attacker AS/N - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.as_org.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ASN\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "ConPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "1a80b720-4ad6-11e8-ab1b-fdef76c312f4", - "_type": "visualization", - "_source": { - "title": "Ciscoasa - Attacker AS/N - Top 10", - "visState": "{\"title\":\"Ciscoasa - Attacker AS/N - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.as_org.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ASN\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "2934abc0-4ad4-11e8-ab1b-fdef76c312f4", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "2a6803f0-80e7-11e7-a689-67e589a14a8a", - "_type": "visualization", - "_source": { - "title": "Cowrie - Attacks by Destination Ports Histogram", - "visState": "{\"title\":\"Cowrie - Attacks by Destination Ports Histogram\",\"type\":\"area\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"step-after\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dest_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Cowrie-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "f28b8c60-80e4-11e7-ba6f-4542711dd148", - "_type": "visualization", - "_source": { - "title": "Cowrie - Attacks by Destination Ports Histogram Incoming", - "visState": "{\"title\":\"Cowrie - Attacks by Destination Ports Histogram Incoming\",\"type\":\"area\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Timestamp\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"step-after\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"dest_port:22\"},\"label\":\"SSH\"},{\"input\":{\"query\":\"dest_port:23\"},\"label\":\"Telnet\"}]}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Cowrie-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "NGINX-ASN-Top-10", - "_type": "visualization", - "_source": { - "title": "NGINX - AS/N - Top 10", - "visState": "{\"title\":\"NGINX - AS/N - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.as_org.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ASN\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "NGINX-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Cowrie-Ports-Pie", - "_type": "visualization", - "_source": { - "title": "Cowrie - Attacks by Port", - "visState": "{\"title\":\"Cowrie - Attacks by Port\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"segment\",\"params\":{\"filters\":[{\"input\":{\"query\":\"dest_port:22\"},\"label\":\"SSH\"},{\"input\":{\"query\":\"dest_port:23\"},\"label\":\"Telnet\"}]}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Cowrie-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "9d251bd0-e851-11e8-97df-bbc3de28ece0", - "_type": "visualization", - "_source": { - "title": "Glutton - Attacks by Destination Ports Histogram", - "visState": "{\"title\":\"Glutton - Attacks by Destination Ports Histogram\",\"type\":\"area\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Timestamp\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"step-after\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dest_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ec53e470-8376-11e7-9adb-2955c2136c8c", - "_type": "visualization", - "_source": { - "title": "Honeytrap - Attacks by Destination Ports Histogram", - "visState": "{\"title\":\"Honeytrap - Attacks by Destination Ports Histogram\",\"type\":\"area\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Timestamp\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"step-after\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dest_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeytrap-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "7e33e3d0-810c-11e7-8413-9fe5e30ade77", - "_type": "visualization", - "_source": { - "title": "Dionaea - Attacks by Destination Ports Histogram", - "visState": "{\"title\":\"Dionaea - Attacks by Destination Ports Histogram\",\"type\":\"area\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Timestamp\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"step-after\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dest_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Dionaea-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Honeytrap-Destination-Ports-Top-10", - "_type": "visualization", - "_source": { - "title": "Honeytrap - Attacks by Port", - "visState": "{\"title\":\"Honeytrap - Attacks by Port\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dest_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeytrap-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "63d0bf60-e851-11e8-97df-bbc3de28ece0", - "_type": "visualization", - "_source": { - "title": "Glutton Attack Map", - "visState": "{\"title\":\"Glutton Attack Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"http://ows.terrestris.de/osm/service\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"OSM-WMS\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"© OpenStreetMap contributors\",\"styles\":\"\"},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}},\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":{\"lon\":0.17578125,\"lat\":-0.17578097424708533},\"precision\":2}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "a81cba70-e7fc-11e8-9ac4-13ecd4ad8d70", - "_type": "visualization", - "_source": { - "title": "Medpot Attack Map", - "visState": "{\"title\":\"Medpot Attack Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"http://ows.terrestris.de/osm/service\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"OSM-WMS\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"© OpenStreetMap contributors\",\"styles\":\"\"},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}},\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":{\"lon\":0.17578125,\"lat\":-0.17578097424708533},\"precision\":2}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "baa53b00-b597-11e8-9a34-d951cebce834", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "b8745000-4ad5-11e8-ab1b-fdef76c312f4", - "_type": "visualization", - "_source": { - "title": "Ciscoasa Attack Map", - "visState": "{\"title\":\"Ciscoasa Attack Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatClusterSize\":1.5,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true,\"layers\":\"OSM-WMS\",\"version\":\"1.3.0\",\"styles\":\"\",\"attribution\":\"© OpenStreetMap contributors\"},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.2.4\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.2.4\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]},\"url\":\"http://ows.terrestris.de/osm/service\"},\"colorSchema\":\"Yellow to Red\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":{\"lon\":2.2851562500000004,\"lat\":37.85750715625203},\"precision\":2}}]}", - "uiStateJSON": "{\"mapZoom\":2,\"mapCenter\":[37.782941450067156,2.458449960686267]}", - "description": "", - "savedSearchId": "2934abc0-4ad4-11e8-ab1b-fdef76c312f4", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "e77bc660-e9d3-11e8-be2c-8fd05c77f582", - "_type": "visualization", - "_source": { - "title": "Honeypot Attacks - Top 10", - "visState": "{\"title\":\"Honeypot Attacks - Top 10\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":24}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"type.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeypot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "94ae10e0-4871-11e8-9b3d-f36e8d4f5cb2", - "_type": "visualization", - "_source": { - "title": "Heralding Attack Map", - "visState": "{\"title\":\"Heralding Attack Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatClusterSize\":1.5,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true,\"layers\":\"OSM-WMS\",\"version\":\"1.3.0\",\"attribution\":\"© OpenStreetMap contributors\"},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.2.4\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.2.4\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]},\"url\":\"http://ows.terrestris.de/osm/service\"},\"colorSchema\":\"Yellow to Red\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":{\"lon\":0.17578125,\"lat\":-0.17578097424708533},\"precision\":2}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "c2bea500-47ca-11e8-a905-f74bbc7cbd2d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "e4b7cf40-8b52-11e7-b92d-d39e43e3de0f", - "_type": "visualization", - "_source": { - "title": "Rdpy Attack Map", - "visState": "{\"title\":\"Rdpy Attack Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"http://ows.terrestris.de/osm/service\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"OSM-WMS\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"© OpenStreetMap contributors\",\"styles\":\"\"},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}},\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":{\"lon\":0.17578125,\"lat\":-0.17578097424708533},\"precision\":2}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "aa750980-8ab5-11e7-8fef-33e989079c7d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "f8e24f20-634e-11e8-be86-73985bedf977", - "_type": "visualization", - "_source": { - "title": "Tanner Attack Map", - "visState": "{\"title\":\"Tanner Attack Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"http://ows.terrestris.de/osm/service\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"OSM-WMS\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"© OpenStreetMap contributors\",\"styles\":\"\"},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.2.4\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.2.4\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}},\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"heatClusterSize\":1.5,\"colorSchema\":\"Yellow to Red\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":{\"lon\":0.17578125,\"lat\":-0.17578097424708533},\"precision\":2}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "d800f130-633f-11e8-be86-73985bedf977", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ElasticPot-Map", - "_type": "visualization", - "_source": { - "title": "ElasticPot Attack Map", - "visState": "{\"title\":\"ElasticPot Attack Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"http://ows.terrestris.de/osm/service\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"OSM-WMS\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"© OpenStreetMap contributors\",\"styles\":\"\"},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}},\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":{\"lon\":0.17578125,\"lat\":-0.17578097424708533},\"precision\":2}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ElasticPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Honeytrap-Map", - "_type": "visualization", - "_source": { - "title": "Honeytrap Attack Map", - "visState": "{\"title\":\"Honeytrap Attack Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"http://ows.terrestris.de/osm/service\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"OSM-WMS\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"© OpenStreetMap contributors\",\"styles\":\"\"},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}},\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":{\"lon\":0.17578125,\"lat\":-0.17578097424708533},\"precision\":2}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeytrap-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "d1aa9740-7e9e-11e7-a286-9f03beba6417", - "_type": "visualization", - "_source": { - "title": "Honeypot Attack Map", - "visState": "{\"title\":\"Honeypot Attack Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"http://ows.terrestris.de/osm/service\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"OSM-WMS\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"© OpenStreetMap contributors\",\"styles\":\"\"},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.2&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.2&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}},\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":{\"lon\":0.17578125,\"lat\":-0.17578097424708533},\"precision\":3}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeypot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Suricata-Map", - "_type": "visualization", - "_source": { - "title": "Suricata Attack Map", - "visState": "{\"title\":\"Suricata Attack Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"http://ows.terrestris.de/osm/service\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"OSM-WMS\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"© OpenStreetMap contributors\",\"styles\":\"\"},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}},\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":{\"lon\":0.17578125,\"lat\":-0.17578097424708533},\"precision\":2}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Cowrie-Map", - "_type": "visualization", - "_source": { - "title": "Cowrie Attack Map", - "visState": "{\"title\":\"Cowrie Attack Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"http://ows.terrestris.de/osm/service\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"OSM-WMS\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"© OpenStreetMap contributors\",\"styles\":\"\"},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}},\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":{\"lon\":0.17578125,\"lat\":-0.17578097424708533},\"precision\":2}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Cowrie-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Dionaea-Map", - "_type": "visualization", - "_source": { - "title": "Dionaea Attack Map", - "visState": "{\"title\":\"Dionaea Attack Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"http://ows.terrestris.de/osm/service\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"OSM-WMS\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"© OpenStreetMap contributors\",\"styles\":\"\"},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}},\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":{\"lon\":0.17578125,\"lat\":-0.17578097424708533},\"precision\":2}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Dionaea-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "10e765a0-e51e-11e8-8a75-d5f374dbaebe", - "_type": "visualization", - "_source": { - "title": "Conpot Attacks", - "visState": "{\"title\":\"Conpot Attacks\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ConPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "79a71e90-dec1-11e8-87cf-239397d2b8d3", - "_type": "visualization", - "_source": { - "title": "Ciscoasa Attacks", - "visState": "{\"title\":\"Ciscoasa Attacks\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "2934abc0-4ad4-11e8-ab1b-fdef76c312f4", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "15f2c000-4ad5-11e8-ab1b-fdef76c312f4", - "_type": "visualization", - "_source": { - "title": "Ciscoasa Attacks Bar", - "visState": "{\"title\":\"Ciscoasa Attacks Bar\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":90,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true},{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"data\":{\"id\":\"2\",\"label\":\"Unique Src IPs\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "2934abc0-4ad4-11e8-ab1b-fdef76c312f4", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "2cf90930-47d3-11e8-a905-f74bbc7cbd2d", - "_type": "visualization", - "_source": { - "title": "Heralding Attacks Bar", - "visState": "{\"title\":\"Heralding Attacks Bar\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":90,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true},{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"data\":{\"id\":\"2\",\"label\":\"Unique Src IPs\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "c2bea500-47ca-11e8-a905-f74bbc7cbd2d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "17130490-e7fb-11e8-9ac4-13ecd4ad8d70", - "_type": "visualization", - "_source": { - "title": "Medpot Attacks", - "visState": "{\"title\":\"Medpot Attacks\",\"type\":\"metric\",\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "baa53b00-b597-11e8-9a34-d951cebce834", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"index\":\"logstash-*\"}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "3814c570-e68e-11e8-b727-735f5b0e1502", - "_type": "visualization", - "_source": { - "title": "ElasticPot Attacks", - "visState": "{\"title\":\"ElasticPot Attacks\",\"type\":\"metric\",\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ElasticPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"index\":\"logstash-*\"}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "45e32dc0-dec5-11e8-87cf-239397d2b8d3", - "_type": "visualization", - "_source": { - "title": "Cowrie Attacks", - "visState": "{\"title\":\"Cowrie Attacks\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Cowrie-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"index\":\"logstash-*\"}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "465d9810-e5cf-11e8-b72a-b734d2b55cd4", - "_type": "visualization", - "_source": { - "title": "Dionaea Attacks", - "visState": "{\"title\":\"Dionaea Attacks\",\"type\":\"metric\",\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Dionaea-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"index\":\"logstash-*\"}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "d500a3c0-e6b8-11e8-b727-735f5b0e1502", - "_type": "visualization", - "_source": { - "title": "Heralding Attacks", - "visState": "{\"title\":\"Heralding Attacks\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "c2bea500-47ca-11e8-a905-f74bbc7cbd2d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"index\":\"logstash-*\"}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "f2742de0-e745-11e8-b4a6-215b0b97c069", - "_type": "visualization", - "_source": { - "title": "Mailoney Attacks", - "visState": "{\"title\":\"Mailoney Attacks\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "9c35dd90-6977-11e7-9c11-8d9c11943fa0", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"index\":\"logstash-*\"}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "3f646820-e851-11e8-97df-bbc3de28ece0", - "_type": "visualization", - "_source": { - "title": "Glutton Attacks", - "visState": "{\"title\":\"Glutton Attacks\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"index\":\"logstash-*\"}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "535b0c80-e761-11e8-803c-59c072645505", - "_type": "visualization", - "_source": { - "title": "Tanner Attacks", - "visState": "{\"title\":\"Tanner Attacks\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "d800f130-633f-11e8-be86-73985bedf977", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"index\":\"logstash-*\"}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Dionaea-Events-by-Country-Histogram", - "_type": "visualization", - "_source": { - "title": "Dionaea - Attacks by Country Histogram", - "visState": "{\"title\":\"Dionaea - Attacks by Country Histogram\",\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Dionaea-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "2a543aa0-4ad6-11e8-ab1b-fdef76c312f4", - "_type": "visualization", - "_source": { - "title": "Ciscoasa - Attacker Src IP - Top 10", - "visState": "{\"title\":\"Ciscoasa - Attacker Src IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "2934abc0-4ad4-11e8-ab1b-fdef76c312f4", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ElasticPot-Source-IP-Top-10", - "_type": "visualization", - "_source": { - "title": "ElasticPot - Attacker Src IP - Top 10", - "visState": "{\"title\":\"ElasticPot - Attacker Src IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "ElasticPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Dionaea-Source-IP-Top-10", - "_type": "visualization", - "_source": { - "title": "Dionaea - Attacker Src IP - Top 10", - "visState": "{\"title\":\"Dionaea - Attacker Src IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "Dionaea-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Honeytrap-Source-IP-Top-10", - "_type": "visualization", - "_source": { - "title": "Honeytrap - Attacker Src IP - Top 10", - "visState": "{\"title\":\"Honeytrap - Attacker Src IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "Honeytrap-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Glastop-Source-IP-Top-10", - "_type": "visualization", - "_source": { - "title": "Glastopf - Attacker Src IP - Top 10", - "visState": "{\"title\":\"Glastopf - Attacker Src IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "Glastopf-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ba9d6280-8b5f-11e7-b92d-d39e43e3de0f", - "_type": "visualization", - "_source": { - "title": "Mailoney - Attacker Src IP - Top 10", - "visState": "{\"title\":\"Mailoney - Attacker Src IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "9c35dd90-6977-11e7-9c11-8d9c11943fa0", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Cowrie-Source-IP-Top-10", - "_type": "visualization", - "_source": { - "title": "Tanner - Attacker Src IP - Top 10", - "visState": "{\"title\":\"Tanner - Attacker Src IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "d800f130-633f-11e8-be86-73985bedf977", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "21c65b10-e852-11e8-97df-bbc3de28ece0", - "_type": "visualization", - "_source": { - "title": "Glutton - Attacker AS/N - Top 10", - "visState": "{\"title\":\"Glutton - Attacker AS/N - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.as_org.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ASN\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "48d3dad0-e725-11e8-b4a6-215b0b97c069", - "_type": "visualization", - "_source": { - "title": "Cowrie - Attacker Src IP - Top 10", - "visState": "{\"title\":\"Cowrie - Attacker Src IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "Cowrie-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "844f33f0-488a-11e8-9b3d-f36e8d4f5cb2", - "_type": "visualization", - "_source": { - "title": "Heralding - Attacker Src IP - Top 10", - "visState": "{\"title\":\"Heralding - Attacker Src IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "c2bea500-47ca-11e8-a905-f74bbc7cbd2d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "5b69e990-e7fd-11e8-9ac4-13ecd4ad8d70", - "_type": "visualization", - "_source": { - "title": "Medpot - Attacker AS/N - Top 10", - "visState": "{\"title\":\"Medpot - Attacker AS/N - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.as_org.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ASN\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "baa53b00-b597-11e8-9a34-d951cebce834", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "e3f00420-e7fd-11e8-9ac4-13ecd4ad8d70", - "_type": "visualization", - "_source": { - "title": "Medpot - Attacker Src IP - Top 10", - "visState": "{\"title\":\"Medpot - Attacker Src IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "baa53b00-b597-11e8-9a34-d951cebce834", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ad6dcb50-8b5e-11e7-ba35-0d8832ac304f", - "_type": "visualization", - "_source": { - "title": "Mailoney - Attacker AS/N - Top 10", - "visState": "{\"title\":\"Mailoney - Attacker AS/N - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.as_org.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ASN\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "9c35dd90-6977-11e7-9c11-8d9c11943fa0", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "874be060-8b54-11e7-b92d-d39e43e3de0f", - "_type": "visualization", - "_source": { - "title": "Rdpy - Attacker Src IP - Top 10", - "visState": "{\"title\":\"Rdpy - Attacker Src IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "aa750980-8ab5-11e7-8fef-33e989079c7d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "a427e6c0-e521-11e8-8a75-d5f374dbaebe", - "_type": "visualization", - "_source": { - "title": "Conpot - Attacks by Destination Ports Histogram", - "visState": "{\"title\":\"Conpot - Attacks by Destination Ports Histogram\",\"type\":\"area\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"step-after\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dest_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ConPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "73364660-8b54-11e7-b92d-d39e43e3de0f", - "_type": "visualization", - "_source": { - "title": "Rdpy - Attacker AS/N - Top 10", - "visState": "{\"title\":\"Rdpy - Attacker AS/N - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.as_org.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ASN\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "aa750980-8ab5-11e7-8fef-33e989079c7d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ElasticPot-ASN-Top-10", - "_type": "visualization", - "_source": { - "title": "ElasticPot - Attacker AS/N - Top 10", - "visState": "{\"title\":\"ElasticPot - Attacker AS/N - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.as_org.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ASN\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "ElasticPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "06628c70-6352-11e8-be86-73985bedf977", - "_type": "visualization", - "_source": { - "title": "Tanner - Attacker AS/N - Top 10", - "visState": "{\"title\":\"Tanner - Attacker AS/N - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.as_org.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ASN\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "d800f130-633f-11e8-be86-73985bedf977", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Suricata-ASN-Top-10", - "_type": "visualization", - "_source": { - "title": "Suricata - AS/N - Top 10", - "visState": "{\"title\":\"Suricata - AS/N - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.as_org.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ASN\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Dionaea-ASN-Top-10", - "_type": "visualization", - "_source": { - "title": "Dionaea - Attacker AS/N - Top 10", - "visState": "{\"title\":\"Dionaea - Attacker AS/N - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ASN\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.as_org.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "Dionaea-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "7e6121d0-e851-11e8-97df-bbc3de28ece0", - "_type": "visualization", - "_source": { - "title": "Glutton - Attacks by Port", - "visState": "{\"title\":\"Glutton - Attacks by Port\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dest_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "864b2f30-4883-11e8-9b3d-f36e8d4f5cb2", - "_type": "visualization", - "_source": { - "title": "Heralding - Attacks by Port", - "visState": "{\"title\":\"Heralding - Attacks by Port\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dest_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "c2bea500-47ca-11e8-a905-f74bbc7cbd2d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Dionaea-Destination-Ports-Top-10", - "_type": "visualization", - "_source": { - "title": "Dionaea - Attacks by Port", - "visState": "{\"title\":\"Dionaea - Attacks by Port\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dest_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Dionaea-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Glastopf-Map", - "_type": "visualization", - "_source": { - "title": "Glastopf Attack Map", - "visState": "{\"title\":\"Glastopf Attack Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"http://ows.terrestris.de/osm/service\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"OSM-WMS\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"© OpenStreetMap contributors\",\"styles\":\"\"},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}},\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":{\"lon\":0.17578125,\"lat\":-0.17578097424708533},\"precision\":2}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Glastopf-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "c0916430-8b5e-11e7-ba35-0d8832ac304f", - "_type": "visualization", - "_source": { - "title": "Mailoney Attack Map", - "visState": "{\"title\":\"Mailoney Attack Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"http://ows.terrestris.de/osm/service\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"OSM-WMS\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"© OpenStreetMap contributors\",\"styles\":\"\"},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}},\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":{\"lon\":0.17578125,\"lat\":-0.17578097424708533},\"precision\":2}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "9c35dd90-6977-11e7-9c11-8d9c11943fa0", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ConPot-Map", - "_type": "visualization", - "_source": { - "title": "Conpot Attack Map", - "visState": "{\"title\":\"Conpot Attack Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"http://ows.terrestris.de/osm/service\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"OSM-WMS\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"© OpenStreetMap contributors\",\"styles\":\"\"},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}},\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":{\"lon\":0.17578125,\"lat\":-0.17578097424708533},\"precision\":2}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ConPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "94e13130-e756-11e8-b4a6-215b0b97c069", - "_type": "visualization", - "_source": { - "title": "Rdpy Attacks", - "visState": "{\"title\":\"Rdpy Attacks\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "aa750980-8ab5-11e7-8fef-33e989079c7d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"index\":\"logstash-*\"}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "07581df0-e752-11e8-b4a6-215b0b97c069", - "_type": "visualization", - "_source": { - "title": "NGINX Events", - "visState": "{\"title\":\"NGINX Events\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Events\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "NGINX-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"index\":\"logstash-*\"}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "f5e74220-e725-11e8-b4a6-215b0b97c069", - "_type": "visualization", - "_source": { - "title": "Honeytrap Attacks", - "visState": "{\"title\":\"Honeytrap Attacks\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Honeytrap-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"index\":\"logstash-*\"}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "409907c0-e6b5-11e8-b727-735f5b0e1502", - "_type": "visualization", - "_source": { - "title": "Glastopf Attacks", - "visState": "{\"title\":\"Glastopf Attacks\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Glastopf-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"index\":\"logstash-*\"}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "4a60fe20-e75f-11e8-803c-59c072645505", - "_type": "visualization", - "_source": { - "title": "Suricata Events", - "visState": "{\"title\":\"Suricata Events\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Events\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Suricata-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"index\":\"logstash-*\"}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ffb284f0-80cd-11e7-ab37-eb92b1bfb573", - "_type": "visualization", - "_source": { - "title": "Conpot - Attacker Src IP Reputation", - "visState": "{\"title\":\"Conpot - Attacker Src IP Reputation\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ip_rep.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ConPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "51c331f0-8b54-11e7-b92d-d39e43e3de0f", - "_type": "visualization", - "_source": { - "title": "Rdpy - Attacks by Country", - "visState": "{\"title\":\"Rdpy - Attacks by Country\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "aa750980-8ab5-11e7-8fef-33e989079c7d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Dionaea-Countries-Top-10", - "_type": "visualization", - "_source": { - "title": "Dionaea - Attacks by Country", - "visState": "{\"title\":\"Dionaea - Attacks by Country\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Dionaea-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "0464b030-e852-11e8-97df-bbc3de28ece0", - "_type": "visualization", - "_source": { - "title": "Glutton - Attacks by Country", - "visState": "{\"title\":\"Glutton - Attacks by Country\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Cowrie-Events-Histogram", - "_type": "visualization", - "_source": { - "title": "Cowrie Attacks Histogram", - "visState": "{\"title\":\"Cowrie Attacks Histogram\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "description": "", - "savedSearchId": "Cowrie-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Glastopf-Events-Histogram", - "_type": "visualization", - "_source": { - "title": "Glastopf Attacks Histogram", - "visState": "{\"title\":\"Glastopf Attacks Histogram\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\",\"interpolate\":\"linear\",\"lineWidth\":2},{\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Glastopf-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "051c59e0-8b53-11e7-b92d-d39e43e3de0f", - "_type": "visualization", - "_source": { - "title": "Rdpy - Attacker Src IP Reputation", - "visState": "{\"title\":\"Rdpy - Attacker Src IP Reputation\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ip_rep.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "aa750980-8ab5-11e7-8fef-33e989079c7d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Glastopf-Countries-Top-10", - "_type": "visualization", - "_source": { - "title": "Glastopf - Attacks by Country", - "visState": "{\"title\":\"Glastopf - Attacks by Country\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Glastopf-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "63672eb0-8b5f-11e7-b92d-d39e43e3de0f", - "_type": "visualization", - "_source": { - "title": "Mailoney Attacks Histogram", - "visState": "{\"title\":\"Mailoney Attacks Histogram\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "description": "", - "savedSearchId": "9c35dd90-6977-11e7-9c11-8d9c11943fa0", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "cf8d0e40-80ea-11e7-a689-67e589a14a8a", - "_type": "visualization", - "_source": { - "title": "Dionaea - Attacker Src IP Reputation", - "visState": "{\"title\":\"Dionaea - Attacker Src IP Reputation\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ip_rep.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Dionaea-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "d3bb9bd0-4863-11e8-9b3d-f36e8d4f5cb2", - "_type": "visualization", - "_source": { - "title": "Heralding Attacks Histogram", - "visState": "{\"title\":\"Heralding Attacks Histogram\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"filter\":false},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2},{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"2\",\"label\":\"Unique Src IPs\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "c2bea500-47ca-11e8-a905-f74bbc7cbd2d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Honeytrap-ASN-Top-10", - "_type": "visualization", - "_source": { - "title": "Honeytrap - Attacker AS/N - Top 10", - "visState": "{\"title\":\"Honeytrap - Attacker AS/N - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.as_org.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ASN\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "Honeytrap-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ConPot-Countries-Top-10", - "_type": "visualization", - "_source": { - "title": "Conpot - Attacks by Country", - "visState": "{\"title\":\"Conpot - Attacks by Country\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ConPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "d968d5e0-6350-11e8-be86-73985bedf977", - "_type": "visualization", - "_source": { - "title": "Tanner - Attacks by Country", - "visState": "{\"title\":\"Tanner - Attacks by Country\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "d800f130-633f-11e8-be86-73985bedf977", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "e055e240-e851-11e8-97df-bbc3de28ece0", - "_type": "visualization", - "_source": { - "title": "Glutton - Attacks by Country Histogram", - "visState": "{\"title\":\"Glutton - Attacks by Country Histogram\",\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "d0dbe890-4870-11e8-9b3d-f36e8d4f5cb2", - "_type": "visualization", - "_source": { - "title": "Heralding - Attacks by Country Histogram", - "visState": "{\"title\":\"Heralding - Attacks by Country Histogram\",\"type\":\"area\",\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Attacks\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "c2bea500-47ca-11e8-a905-f74bbc7cbd2d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "d2405e70-8b5e-11e7-ba35-0d8832ac304f", - "_type": "visualization", - "_source": { - "title": "Mailoney - Attacks by Country", - "visState": "{\"title\":\"Mailoney - Attacks by Country\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "9c35dd90-6977-11e7-9c11-8d9c11943fa0", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "c90f1f00-8b52-11e7-b92d-d39e43e3de0f", - "_type": "visualization", - "_source": { - "title": "Rdpy Attacks Histogram", - "visState": "{\"title\":\"Rdpy Attacks Histogram\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "description": "", - "savedSearchId": "aa750980-8ab5-11e7-8fef-33e989079c7d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "eca8e580-4877-11e8-9b3d-f36e8d4f5cb2", - "_type": "visualization", - "_source": { - "title": "Heralding - Attacker Src IP Reputation", - "visState": "{\"title\":\"Heralding - Attacker Src IP Reputation\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ip_rep.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "c2bea500-47ca-11e8-a905-f74bbc7cbd2d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "15b696f0-e7fd-11e8-9ac4-13ecd4ad8d70", - "_type": "visualization", - "_source": { - "title": "Medpot - Attacks by Country", - "visState": "{\"title\":\"Medpot - Attacks by Country\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "baa53b00-b597-11e8-9a34-d951cebce834", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "da489b20-8b52-11e7-b92d-d39e43e3de0f", - "_type": "visualization", - "_source": { - "title": "Rdpy - Attacks by Country Histogram", - "visState": "{\"title\":\"Rdpy - Attacks by Country Histogram\",\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "aa750980-8ab5-11e7-8fef-33e989079c7d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Dionaea-Events-Histogram", - "_type": "visualization", - "_source": { - "title": "Dionaea Attacks Histogram", - "visState": "{\"title\":\"Dionaea Attacks Histogram\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Dionaea-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "77bf1310-634e-11e8-be86-73985bedf977", - "_type": "visualization", - "_source": { - "title": "Tanner Attacks Histogram", - "visState": "{\"title\":\"Tanner Attacks Histogram\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "description": "", - "savedSearchId": "d800f130-633f-11e8-be86-73985bedf977", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ConPot-Events-Histogram", - "_type": "visualization", - "_source": { - "title": "Conpot Attacks Histogram", - "visState": "{\"title\":\"Conpot Attacks Histogram\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Unique Src IPs\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"src_ip.keyword\",\"customLabel\":\"Unique Src IPs\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ConPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "ElasticPot-Countries-Top-10", - "_type": "visualization", - "_source": { - "title": "ElasticPot - Attacks by Country", - "visState": "{\"title\":\"ElasticPot - Attacks by Country\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ElasticPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "21ad1c80-488a-11e8-9b3d-f36e8d4f5cb2", - "_type": "visualization", - "_source": { - "title": "Heralding - Attacker AS/N - Top 10", - "visState": "{\"title\":\"Heralding - Attacker AS/N - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.asn\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"geoip.as_org.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ASN\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "c2bea500-47ca-11e8-a905-f74bbc7cbd2d", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "41d04290-e852-11e8-97df-bbc3de28ece0", - "_type": "visualization", - "_source": { - "title": "Glutton - Attacker Src IP - Top 10", - "visState": "{\"title\":\"Glutton - Attacker Src IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "385ea460-ad22-11e8-942c-a39712fa9ddf", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "NGINX-Map", - "_type": "visualization", - "_source": { - "title": "NGINX Attack Map", - "visState": "{\"title\":\"NGINX Attack Map\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"http://ows.terrestris.de/osm/service\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"OSM-WMS\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"© OpenStreetMap contributors\",\"styles\":\"\"},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.3&license=9fb155de-424a-423c-a59a-07b920363565\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"subdomains\":[]}},\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":{\"lon\":0.17578125,\"lat\":-0.17578097424708533},\"precision\":2}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "NGINX-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Glastopf-Events-by-Country-Histogram", - "_type": "visualization", - "_source": { - "title": "Glastopf - Attacks by Country Histogram", - "visState": "{\"title\":\"Glastopf - Attacks by Country Histogram\",\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Attacks\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}],\"yAxis\":{},\"type\":\"area\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Attacks\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"geoip.country_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Timestamp\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "Glastopf-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "082111a0-80cf-11e7-ab37-eb92b1bfb573", - "_type": "visualization", - "_source": { - "title": "Conpot - Attacker Src IP - Top 10", - "visState": "{\"title\":\"Conpot - Attacker Src IP - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "ConPot-Logs", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "Honeypot-Logs", - "_type": "search", - "_source": { - "title": "Honeypot-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"query\":{\"query\":\"type:\\\"Adbhoney\\\" OR type:\\\"Ciscoasa\\\" OR type:\\\"ConPot\\\" OR type:\\\"Cowrie\\\" OR type:\\\"Dionaea\\\" OR type:\\\"ElasticPot\\\" OR type:\\\"Glastopf\\\" OR type:\\\"Glutton\\\" OR type:\\\"Heralding\\\" OR type:\\\"Honeytrap\\\" OR type:\\\"Mailoney\\\" OR type:\\\"Medpot\\\" OR type:\\\"Rdpy\\\" OR type:\\\"Tanner\\\"\",\"language\":\"lucene\"},\"highlightAll\":true,\"version\":true}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "557c7d60-f8ae-11e8-ad78-0555bc917463", - "_type": "search", - "_source": { - "title": "Adbhoney-Logs", - "description": "", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"logstash-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"type:\\\"Adbhoney\\\"\",\"language\":\"kuery\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "c8e83c30-fa2f-11e8-838f-fff066e21110", - "_type": "visualization", - "_source": { - "title": "Adbhoney Attacks", - "visState": "{\n \"title\": \"Adbhoney Attacks\",\n \"type\": \"metric\",\n \"params\": {\n \"addTooltip\": true,\n \"addLegend\": false,\n \"type\": \"metric\",\n \"metric\": {\n \"percentageMode\": false,\n \"useRanges\": false,\n \"colorSchema\": \"Green to Red\",\n \"metricColorMode\": \"None\",\n \"colorsRange\": [\n {\n \"from\": 0,\n \"to\": 10000\n }\n ],\n \"labels\": {\n \"show\": true\n },\n \"invertColors\": false,\n \"style\": {\n \"bgFill\": \"#000\",\n \"bgColor\": false,\n \"labelColor\": false,\n \"subText\": \"\",\n \"fontSize\": 30\n }\n }\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {\n \"customLabel\": \"Attacks\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"src_ip.keyword\",\n \"customLabel\": \"Unique Src IPs\"\n }\n }\n ]\n}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "557c7d60-f8ae-11e8-ad78-0555bc917463", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n },\n \"filter\": [],\n \"index\": \"logstash-*\"\n}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "621f1ae0-fa30-11e8-838f-fff066e21110", - "_type": "visualization", - "_source": { - "title": "Adbhoney - Attacker Src IP Reputation", - "visState": "{\n \"title\": \"Adbhoney - Attacker Src IP Reputation\",\n \"type\": \"pie\",\n \"params\": {\n \"addLegend\": true,\n \"addTooltip\": true,\n \"isDonut\": true,\n \"legendPosition\": \"right\",\n \"shareYAxis\": true,\n \"type\": \"pie\",\n \"labels\": {\n \"show\": false,\n \"values\": true,\n \"last_level\": true,\n \"truncate\": 100\n }\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"ip_rep.keyword\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\"\n }\n }\n ]\n}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "557c7d60-f8ae-11e8-ad78-0555bc917463", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "bd5e53d0-fa30-11e8-838f-fff066e21110", - "_type": "visualization", - "_source": { - "title": "Adbhoney - Attacks by Country", - "visState": "{\n \"title\": \"Adbhoney - Attacks by Country\",\n \"type\": \"pie\",\n \"params\": {\n \"shareYAxis\": true,\n \"addTooltip\": true,\n \"addLegend\": true,\n \"isDonut\": true,\n \"legendPosition\": \"right\",\n \"type\": \"pie\",\n \"labels\": {\n \"show\": false,\n \"values\": true,\n \"last_level\": true,\n \"truncate\": 100\n }\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"geoip.country_name.keyword\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\"\n }\n }\n ]\n}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "557c7d60-f8ae-11e8-ad78-0555bc917463", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "62efe620-fa35-11e8-838f-fff066e21110", - "_type": "visualization", - "_source": { - "title": "Adbhoney Input - Top 10", - "visState": "{\n \"title\": \"Adbhoney Input - Top 10\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\",\n \"showMetricsAtAllLevels\": false\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {\n \"customLabel\": \"CNT\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"input.keyword\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"otherBucket\": false,\n \"otherBucketLabel\": \"Other\",\n \"missingBucket\": false,\n \"missingBucketLabel\": \"Missing\",\n \"customLabel\": \"Command Line Input\"\n }\n }\n ]\n}", - "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", - "description": "", - "savedSearchId": "557c7d60-f8ae-11e8-ad78-0555bc917463", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "logstash-*", - "_type": "index-pattern", - "_source": { - "title": "logstash-*", - "timeFieldName": "@timestamp", - "fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ConnectionResetError\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ConnectionResetError.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"NameError\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"NameError.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ValueError\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ValueError.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"alert.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert.category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert.cve_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.cve_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert.rev\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert.severity\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert.signature_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"app\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"app.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"app_proto\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"app_proto.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"arch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arch.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"attack_connection.payload.data_hex\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"attack_connection.payload.data_hex.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"attack_connection.payload.length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"attack_connection.payload.md5_hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"attack_connection.payload.md5_hash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"attack_connection.payload.sha512_hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"attack_connection.payload.sha512_hash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"attack_connection.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"attack_connection.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auth_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"auth_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"body_bytes_sent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"body_bytes_sent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compCS\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compCS.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.transport\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.transport.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookies. cockpit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookies. cockpit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookies. sess_uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookies. sess_uuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookies.cookie\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookies.cookie.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookies.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookies.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookies.sess_uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookies.sess_uuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dest_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dest_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dest_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destfile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destfile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"direction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"direction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dist\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dist.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.rrname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.rrname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.rrtype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.rrtype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.tx_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"download_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"download_tries\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"email.body_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"email.body_md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"email.date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"email.date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"email.from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"email.from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"email.message_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"email.message_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"email.received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"email.received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"email.reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"email.reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"email.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"email.status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"email.subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"email.subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"email.subject_md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"email.subject_md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"email.to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"email.to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"email.x_mailer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"email.x_mailer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encCS\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encCS.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"end_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"eventid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"eventid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileinfo.filename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fileinfo.filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileinfo.gaps\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileinfo.magic\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fileinfo.magic.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileinfo.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fileinfo.md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileinfo.size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileinfo.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fileinfo.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileinfo.stored\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileinfo.tx_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fingerprint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fingerprint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"flow_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.commands.arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.commands.arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.commands.command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.commands.command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.as_org\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.as_org.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.asn\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"geoip.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"handle\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"handle.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"handler\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"handler.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.accept\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.accept-charset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.accept-charset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.accept-encoding\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.accept-encoding.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.accept-language\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.accept-language.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.accept.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.authorization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.authorization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.cache-control\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.cache-control.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.connection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.connection.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.content-length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.content-length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.content-type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.content-type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.cookie\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.cookie.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.dnt\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.dnt.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.expires\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.expires.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.icy-metadata\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.icy-metadata.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.if\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.if-modified-since\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.if-modified-since.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.if.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.keep-alive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.keep-alive.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.max-forwards\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.max-forwards.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.mime-version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.mime-version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.origin\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.origin.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.pragma\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.pragma.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.proxy-connection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.proxy-connection.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.range\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.range.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.referer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.referer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.tagid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.tagid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.te\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.te.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.upgrade-insecure-requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.upgrade-insecure-requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.user-agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.user-agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.via\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.via.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.x-forwarded-for\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.x-forwarded-for.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.x-insight\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.x-insight.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.x-loop-control\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.x-loop-control.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.x-vermeer-content-type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.x-vermeer-content-type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"headers.x-via\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"headers.x-via.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"honeypot.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"honeypot.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"honeypot.nodeid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"honeypot.nodeid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"honeypot.postdata\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"honeypot.postdata.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"honeypot.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"honeypot.query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"honeypot.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"honeypot.raw.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.accept_encoding\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.accept_encoding.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.accept_language\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.accept_language.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.authorization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.authorization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.http_content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.http_content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.http_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.http_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.http_refer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.http_refer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.http_user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.http_user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.redirect\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.redirect.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.status\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.via\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.via.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.xff\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.xff.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http_referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http_referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http_uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http_uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http_user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http_user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icmp_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icmp_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"in_iface\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in_iface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"input\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"input.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_rep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ip_rep.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"isError\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_virtual\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kexAlgs\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kexAlgs.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"key.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keyAlgs\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keyAlgs.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"lang\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"lang.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"langCS\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"langCS.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"link\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"link.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"login.password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"login.password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"login.username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"login.username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"macCS\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"macCS.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"messageBadHTTP/0.9requesttype(\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"messageBadHTTP/0.9requesttype(.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mod\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mod.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"msg\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operation_mode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"outfile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"outfile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"params\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"params.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"payload_hex\",\"type\":\"string\",\"count\":2,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"payload_hex.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"payload_printable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"payload_printable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.-7\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.-7.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.-77\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.-77.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.0\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.0.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.0o0\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.0o0.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.123\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.123.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.123456\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.123456.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.180217\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.180217.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.1989\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.1989.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.23051831\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.23051831.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.258\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.258.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.321\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.321.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.4.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.4875\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.4875.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.520\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.520.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.5201314\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.5201314.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.905\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.905.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.92\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.92.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.a\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.a.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.aaaa\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.aaaa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.adc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.adc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.admin\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.admin.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.ajax\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.ajax.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.ak10\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.ak10.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.angge\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.angge.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.aotu177\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.aotu177.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.authenticity_token\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.authenticity_token.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.aw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.aw.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.axa\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.axa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.bbs\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.bbs.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.blog_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.blog_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.byshanhun\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.byshanhun.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.c\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.c.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.caonma\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.caonma.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.cc123\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.cc123.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.cc1362308\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.cc1362308.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.cmd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.cmd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.cnm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.cnm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.commit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.commit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.conflg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.conflg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.daoen\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.daoen.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.diyworld\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.diyworld.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.email.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.email_confirmation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.email_confirmation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.erwa\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.erwa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.eval\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.eval.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.excerpt\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.excerpt.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.f11\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.f11.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.feixiang\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.feixiang.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.firstname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.firstname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.form_build_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.form_build_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.form_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.form_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.fusheng\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.fusheng.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.godkey\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.godkey.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.h\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.h.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.hacker\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.hacker.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.hello\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.hello.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.hide_mail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.hide_mail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.hm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.hm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.js\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.js.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.json\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.json.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.king\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.king.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.l\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.l.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.language\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.language.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.lastname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.lastname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.leng\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.leng.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.lindex\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.lindex.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.login\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.login.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.lz\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.lz.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.m\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.m.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.mail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.mail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.miao\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.miao.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.mmp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.mmp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.mx\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.mx.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.nidie\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.nidie.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.none\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.none.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.nuoxi\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.nuoxi.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.op\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.op.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.p1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.p1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.pass\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.pass.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.password_confirmation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.password_confirmation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.ppx\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.ppx.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.q\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.q.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.qiurong\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.qiurong.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.qw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.qw.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.qwer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.qwer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.remember_me\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.remember_me.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.requesttoken\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.requesttoken.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.sdf\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.sdf.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.sean\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.sean.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.sha\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.sha.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.submit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.submit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.timezone-offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.timezone-offset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.title.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.tomkey\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.tomkey.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.utf8\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.utf8.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.wanan\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.wanan.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.weixiao\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.weixiao.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.wen\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.wen.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.x\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.x.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.xiao\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.xiao.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.xiaodai\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.xiaodai.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.xiaoer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.xiaoer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.xiaopang\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.xiaopang.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.xx\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.xx.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"post_data.zuo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"post_data.zuo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proto\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"proto.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxy_connection.local_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"proxy_connection.local_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxy_connection.local_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxy_connection.payload.data_hex\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"proxy_connection.payload.data_hex.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxy_connection.payload.length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxy_connection.payload.md5_hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"proxy_connection.payload.md5_hash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxy_connection.payload.sha512_hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"proxy_connection.payload.sha512_hash.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxy_connection.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"proxy_connection.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxy_connection.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"proxy_connection.remote_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxy_connection.remote_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"public_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"public_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"raw_freq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"raw_freq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"raw_hits\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"raw_hits.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"raw_mtu\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"raw_mtu.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"raw_sig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"raw_sig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"remote_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_msg.response.message.detection.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_msg.response.message.detection.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_msg.response.message.detection.order\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_msg.response.message.detection.payload.headers.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_msg.response.message.detection.payload.headers.email.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_msg.response.message.detection.payload.headers.value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_msg.response.message.detection.payload.headers.value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_msg.response.message.detection.payload.page\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_msg.response.message.detection.payload.page.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_msg.response.message.detection.payload.value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_msg.response.message.detection.payload.value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_msg.response.message.detection.type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_msg.response.message.detection.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_msg.response.message.detection.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_msg.response.message.sess_uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_msg.response.message.sess_uuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_msg.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_msg.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensorID\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensorID.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensorid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensorid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"session\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"session.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"session_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"session_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"shasum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"shasum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.helo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.mail_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.mail_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.rcpt_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.rcpt_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp_input\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp_input.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"src_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.client.proto_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client.proto_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.client.software_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client.software_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.server.proto_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server.proto_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.server.software_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server.software_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.SSLError\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.SSLError.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"start_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"stream\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"struct.error\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"struct.error.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"t-pot_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"t-pot_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"t-pot_ip_ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"t-pot_ip_ext.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"t-pot_ip_int\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"t-pot_ip_int.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls.fingerprint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.fingerprint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls.issuerdn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.issuerdn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls.notafter\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls.notbefore\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls.serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls.session_resumed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls.sni\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.sni.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls.subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ttylog\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ttylog.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel.depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel.dest_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel.dest_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel.dest_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel.proto\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel.proto.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel.src_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel.src_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel.src_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tx_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uptime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uptime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"username\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"v=self.send(byte_view.count\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"v=self.send(byte_view.count.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"vnc_handshake\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"vnc_handshake.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"width\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"xff\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"xff.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", - "fieldFormatMap": "{\"src_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://www.talosintelligence.com/reputation_center/lookup?search={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"dst_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://www.talosintelligence.com/reputation_center/lookup?search={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"dest_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.speedguide.net/port.php?port={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"src_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.speedguide.net/port.php?port={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.local_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.speedguide.net/port.php?port={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.remote_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.speedguide.net/port.php?port={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"alert.signature_id\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://doc.emergingthreats.net/bin/view/Main/{{value}}\",\"labelTemplate\":\"{{value}}\"}},\"dest_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://www.talosintelligence.com/reputation_center/lookup?search={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"geoip.ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.local_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.remote_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"geoip.country_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"geoip.real_region_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"geoip.city_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"geoip.number\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://mxtoolbox.com/SuperTool.aspx?action=asn%3a{{value}}&run=toolpage\",\"labelTemplate\":\"{{value}}\"}},\"status\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://httpstatuses.com/{{value}}\",\"labelTemplate\":\"{{value}}\"}},\"http.status\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://httpstatuses.com/{{value}}\",\"labelTemplate\":\"{{value}}\"}},\"dns.rrname\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"http_user_agent\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://ua.theafh.net/list.php?s={{value}}&include=yes&class=abr&do=desc\",\"labelTemplate\":\"{{value}}\"}},\"http.http_user_agent\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://ua.theafh.net/list.php?s={{value}}&include=yes&class=abr&do=desc\",\"labelTemplate\":\"{{value}}\"}},\"os\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"link\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"event_type\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"tls.sni\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://www.ssllabs.com/ssltest/analyze.html?d={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"tls.version\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"src_ip.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"http_user_agent.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://ua.theafh.net/list.php?s={{value}}&include=yes&class=abr&do=desc\",\"labelTemplate\":\"{{value}}\"}},\"geoip.country_name.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"geoip.city_name.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"status.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://httpstatuses.com/{{value}}\",\"labelTemplate\":\"{{value}}\"}},\"geoip.number.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://mxtoolbox.com/SuperTool.aspx?action=asn%3a{{value}}&run=toolpage\",\"labelTemplate\":\"{{value}}\"}},\"geoip.asn.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"geoip.real_region_name.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://en.wikipedia.org/w/index.php?search={{value}}&title=Special:Search&go=Go\",\"labelTemplate\":\"{{value}}\"}},\"event_type.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"dest_ip.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.remote_ip.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"proxy_connection.local_ip.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"dst_ip.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"os.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"link.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"tls.version.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://duckduckgo.com/?q={{value}}&t=h_&ia=web\",\"labelTemplate\":\"{{value}}\"}},\"dns.rrname.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://www.senderbase.org/lookup/?search_string={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"tls.sni.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://www.ssllabs.com/ssltest/analyze.html?d={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"http.http_user_agent.raw\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"http://ua.theafh.net/list.php?s={{value}}&include=yes&class=abr&do=desc\",\"labelTemplate\":\"{{value}}\"}},\"alert.cve_id.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://www.cvedetails.com/cve/{{value}}\",\"labelTemplate\":\"{{value}}\"}},\"src_ip.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://www.talosintelligence.com/reputation_center/lookup?search={{value}}\",\"labelTemplate\":\"{{value}}\"}},\"geoip.asn\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://mxtoolbox.com/SuperTool.aspx?action=asn%3a{{value}}\",\"labelTemplate\":\"{{value}}\"}},\"input\":{},\"type\":{}}" - }, - "_meta": { - "savedObjectVersion": 2 - }, - "_migrationVersion": { - "index-pattern": "6.5.0" - } - }, - { - "_id": "f1f14c10-fa3a-11e8-838f-fff066e21110", - "_type": "visualization", - "_source": { - "title": "Adbhoney Samples - Top 10", - "visState": "{\"title\":\"Adbhoney Samples - Top 10\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"CNT\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"outfile.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Captured Samples\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "savedSearchId": "557c7d60-f8ae-11e8-ad78-0555bc917463", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - }, - { - "_id": "891769a0-fa2f-11e8-838f-fff066e21110", - "_type": "dashboard", - "_source": { - "title": "Adbhoney", - "hits": 0, - "description": "Adbhoney Dashboard", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":6,\"i\":\"50\"},\"id\":\"a3500f20-fa2f-11e8-838f-fff066e21110\",\"panelIndex\":\"50\",\"type\":\"visualization\",\"version\":\"6.5.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":14,\"y\":0,\"w\":10,\"h\":6,\"i\":\"51\"},\"id\":\"c8e83c30-fa2f-11e8-838f-fff066e21110\",\"panelIndex\":\"51\",\"type\":\"visualization\",\"version\":\"6.5.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":6,\"w\":24,\"h\":11,\"i\":\"52\"},\"id\":\"eaedcca0-fa2f-11e8-838f-fff066e21110\",\"panelIndex\":\"52\",\"type\":\"visualization\",\"version\":\"6.5.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":17,\"i\":\"53\"},\"id\":\"0f9b72a0-fa30-11e8-838f-fff066e21110\",\"panelIndex\":\"53\",\"type\":\"visualization\",\"version\":\"6.5.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":17,\"w\":12,\"h\":11,\"i\":\"54\"},\"id\":\"621f1ae0-fa30-11e8-838f-fff066e21110\",\"panelIndex\":\"54\",\"type\":\"visualization\",\"version\":\"6.5.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":12,\"y\":17,\"w\":12,\"h\":11,\"i\":\"55\"},\"id\":\"bd5e53d0-fa30-11e8-838f-fff066e21110\",\"panelIndex\":\"55\",\"type\":\"visualization\",\"version\":\"6.5.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":17,\"w\":24,\"h\":11,\"i\":\"56\"},\"id\":\"e18823d0-fa30-11e8-838f-fff066e21110\",\"panelIndex\":\"56\",\"type\":\"visualization\",\"version\":\"6.5.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":28,\"w\":9,\"h\":22,\"i\":\"57\"},\"id\":\"fcf68d60-fa34-11e8-838f-fff066e21110\",\"panelIndex\":\"57\",\"type\":\"visualization\",\"version\":\"6.5.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":9,\"y\":28,\"w\":8,\"h\":22,\"i\":\"58\"},\"id\":\"20d12bf0-fa35-11e8-838f-fff066e21110\",\"panelIndex\":\"58\",\"type\":\"visualization\",\"version\":\"6.5.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":17,\"y\":28,\"w\":13,\"h\":22,\"i\":\"59\"},\"id\":\"62efe620-fa35-11e8-838f-fff066e21110\",\"panelIndex\":\"59\",\"type\":\"visualization\",\"version\":\"6.5.1\"},{\"gridData\":{\"x\":30,\"y\":28,\"w\":18,\"h\":22,\"i\":\"60\"},\"version\":\"6.5.1\",\"panelIndex\":\"60\",\"type\":\"visualization\",\"id\":\"f1f14c10-fa3a-11e8-838f-fff066e21110\",\"embeddableConfig\":{}}]", - "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" - } - }, - "_meta": { - "savedObjectVersion": 2 - } - } -] \ No newline at end of file diff --git a/etc/objects/kibana_export.json.zip b/etc/objects/kibana_export.json.zip new file mode 100644 index 00000000..94136e42 Binary files /dev/null and b/etc/objects/kibana_export.json.zip differ diff --git a/host/etc/dialogrc b/host/etc/dialogrc deleted file mode 100644 index bb53e1b8..00000000 --- a/host/etc/dialogrc +++ /dev/null @@ -1,144 +0,0 @@ -# -# Run-time configuration file for dialog -# -# Automatically generated by "dialog --create-rc " -# -# -# Types of values: -# -# Number - -# String - "string" -# Boolean - -# Attribute - (foreground,background,highlight?) - -# Set aspect-ration. -aspect = 0 - -# Set separator (for multiple widgets output). -separate_widget = "" - -# Set tab-length (for textbox tab-conversion). -tab_len = 0 - -# Make tab-traversal for checklist, etc., include the list. -visit_items = OFF - -# Shadow dialog boxes? This also turns on color. -use_shadow = ON - -# Turn color support ON or OFF -use_colors = ON - -# Screen color -screen_color = (WHITE,MAGENTA,ON) - -# Shadow color -shadow_color = (BLACK,BLACK,ON) - -# Dialog box color -dialog_color = (BLACK,WHITE,OFF) - -# Dialog box title color -title_color = (MAGENTA,WHITE,OFF) - -# Dialog box border color -border_color = (WHITE,WHITE,ON) - -# Active button color -button_active_color = (WHITE,MAGENTA,OFF) - -# Inactive button color -button_inactive_color = dialog_color - -# Active button key color -button_key_active_color = button_active_color - -# Inactive button key color -button_key_inactive_color = (RED,WHITE,OFF) - -# Active button label color -button_label_active_color = (YELLOW,MAGENTA,ON) - -# Inactive button label color -button_label_inactive_color = (BLACK,WHITE,OFF) - -# Input box color -inputbox_color = dialog_color - -# Input box border color -inputbox_border_color = dialog_color - -# Search box color -searchbox_color = dialog_color - -# Search box title color -searchbox_title_color = title_color - -# Search box border color -searchbox_border_color = border_color - -# File position indicator color -position_indicator_color = title_color - -# Menu box color -menubox_color = dialog_color - -# Menu box border color -menubox_border_color = border_color - -# Item color -item_color = dialog_color - -# Selected item color -item_selected_color = button_active_color - -# Tag color -tag_color = title_color - -# Selected tag color -tag_selected_color = button_label_active_color - -# Tag key color -tag_key_color = button_key_inactive_color - -# Selected tag key color -tag_key_selected_color = (RED,MAGENTA,ON) - -# Check box color -check_color = dialog_color - -# Selected check box color -check_selected_color = button_active_color - -# Up arrow color -uarrow_color = (MAGENTA,WHITE,ON) - -# Down arrow color -darrow_color = uarrow_color - -# Item help-text color -itemhelp_color = (WHITE,BLACK,OFF) - -# Active form text color -form_active_text_color = button_active_color - -# Form text color -form_text_color = (WHITE,CYAN,ON) - -# Readonly form item color -form_item_readonly_color = (CYAN,WHITE,ON) - -# Dialog box gauge color -gauge_color = title_color - -# Dialog box border2 color -border2_color = dialog_color - -# Input box border2 color -inputbox_border2_color = dialog_color - -# Search box border2 color -searchbox_border2_color = dialog_color - -# Menu box border2 color -menubox_border2_color = dialog_color diff --git a/host/etc/issue b/host/etc/issue deleted file mode 100644 index 16398223..00000000 --- a/host/etc/issue +++ /dev/null @@ -1,21 +0,0 @@ - -┌────────────────────────────────────────────┐ -│ _____ ____ _ _ ___ _ _ │ -│|_ _| | _ \\ ___ | |_ / |( _ ) / / |│ -│ | |_____| |_) / _ \\| __| | |/ _ \\ | | |│ -│ | |_____| __/ (_) | |_ | | (_) || | |│ -│ |_| |_| \\___/ \\__| |_|\\___(_)_|_|│ -│ │ -└────────────────────────────────────────────┘ - - -,---- [ \n ] [ \d ] [ \t ] -| -| IP: -| SSH: -| WEB: -| ADMIN: -| -`---- - - diff --git a/iso/installer/dialogrc b/iso/installer/dialogrc deleted file mode 100644 index bb53e1b8..00000000 --- a/iso/installer/dialogrc +++ /dev/null @@ -1,144 +0,0 @@ -# -# Run-time configuration file for dialog -# -# Automatically generated by "dialog --create-rc " -# -# -# Types of values: -# -# Number - -# String - "string" -# Boolean - -# Attribute - (foreground,background,highlight?) - -# Set aspect-ration. -aspect = 0 - -# Set separator (for multiple widgets output). -separate_widget = "" - -# Set tab-length (for textbox tab-conversion). -tab_len = 0 - -# Make tab-traversal for checklist, etc., include the list. -visit_items = OFF - -# Shadow dialog boxes? This also turns on color. -use_shadow = ON - -# Turn color support ON or OFF -use_colors = ON - -# Screen color -screen_color = (WHITE,MAGENTA,ON) - -# Shadow color -shadow_color = (BLACK,BLACK,ON) - -# Dialog box color -dialog_color = (BLACK,WHITE,OFF) - -# Dialog box title color -title_color = (MAGENTA,WHITE,OFF) - -# Dialog box border color -border_color = (WHITE,WHITE,ON) - -# Active button color -button_active_color = (WHITE,MAGENTA,OFF) - -# Inactive button color -button_inactive_color = dialog_color - -# Active button key color -button_key_active_color = button_active_color - -# Inactive button key color -button_key_inactive_color = (RED,WHITE,OFF) - -# Active button label color -button_label_active_color = (YELLOW,MAGENTA,ON) - -# Inactive button label color -button_label_inactive_color = (BLACK,WHITE,OFF) - -# Input box color -inputbox_color = dialog_color - -# Input box border color -inputbox_border_color = dialog_color - -# Search box color -searchbox_color = dialog_color - -# Search box title color -searchbox_title_color = title_color - -# Search box border color -searchbox_border_color = border_color - -# File position indicator color -position_indicator_color = title_color - -# Menu box color -menubox_color = dialog_color - -# Menu box border color -menubox_border_color = border_color - -# Item color -item_color = dialog_color - -# Selected item color -item_selected_color = button_active_color - -# Tag color -tag_color = title_color - -# Selected tag color -tag_selected_color = button_label_active_color - -# Tag key color -tag_key_color = button_key_inactive_color - -# Selected tag key color -tag_key_selected_color = (RED,MAGENTA,ON) - -# Check box color -check_color = dialog_color - -# Selected check box color -check_selected_color = button_active_color - -# Up arrow color -uarrow_color = (MAGENTA,WHITE,ON) - -# Down arrow color -darrow_color = uarrow_color - -# Item help-text color -itemhelp_color = (WHITE,BLACK,OFF) - -# Active form text color -form_active_text_color = button_active_color - -# Form text color -form_text_color = (WHITE,CYAN,ON) - -# Readonly form item color -form_item_readonly_color = (CYAN,WHITE,ON) - -# Dialog box gauge color -gauge_color = title_color - -# Dialog box border2 color -border2_color = dialog_color - -# Input box border2 color -inputbox_border2_color = dialog_color - -# Search box border2 color -searchbox_border2_color = dialog_color - -# Menu box border2 color -menubox_border2_color = dialog_color diff --git a/iso/installer/install.sh b/iso/installer/install.sh index c828c35f..132f775f 100755 --- a/iso/installer/install.sh +++ b/iso/installer/install.sh @@ -1,35 +1,338 @@ #!/bin/bash # T-Pot Universal Installer -################################## -# Extract command line arguments # -################################## +################## +# I. Global vars # +################## -myLSB=$(lsb_release -r | awk '{ print $2 }') -myLSB_SUPPORTED="18.04" +myBACKTITLE="T-Pot-Installer" +myCONF_FILE="/root/installer/iso.conf" +myPROGRESSBOXCONF=" --backtitle "$myBACKTITLE" --progressbox 24 80" +mySITES="https://hub.docker.com https://github.com https://pypi.python.org https://debian.org" +myTPOTCOMPOSE="/opt/tpot/etc/tpot.yml" +myLSB_STABLE_SUPPORTED="stretch" +myLSB_TESTING_SUPPORTED="sid" +myREMOTESITES="https://hub.docker.com https://github.com https://pypi.python.org https://debian.org" +myPREINSTALLPACKAGES="apache2-utils curl dialog figlet grc libcrack2 libpq-dev lsb-release netselect-apt net-tools software-properties-common toilet" +myINSTALLPACKAGES="apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker console-setup console-setup-linux curl debconf-utils dialog dnsutils docker.io docker-compose dstat ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass prips software-properties-common syslinux psmisc pv python-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant" myINFO="\ -############################################ -### T-Pot Installer for Ubuntu $myLSB_SUPPORTED LTS ### -############################################ +######################################## +### T-Pot Installer for Debian (Sid) ### +######################################## Disclaimer: -This script will install T-Pot on this system, by running the script you know what you are doing: -1. SSH will be reconfigured to tcp/64295 -2. Some packages will be installed, some will be upgraded +This script will install T-Pot on this system. +By running the script you know what you are doing: +1. SSH will be reconfigured to tcp/64295. +2. Your Debian installation will be upgraded to Sid / unstable. 3. Please ensure other means of access to this system in case something goes wrong. -4. At best this script well be executed on the console instead through a SSH session. +4. At best this script will be executed on the console instead through a SSH session. -########################################### +######################################## Usage: $0 --help - Help. Example: $0 --type=user - Best option for most users." +myNETWORK_INTERFACES=" +wpa-driver wired +wpa-conf /etc/wpa_supplicant/wired8021x.conf -if [ "$myLSB" != "$myLSB_SUPPORTED" ]; +### Example wireless config for 802.1x +### This configuration was tested with the IntelNUC series +### If problems occur you can try and change wpa-driver to \"iwlwifi\" +### Do not forget to enter a ssid in /etc/wpa_supplicant/wireless8021x.conf +### The Intel NUC uses wlpXsY notation instead of wlanX +# +#auto wlp2s0 +#iface wlp2s0 inet dhcp +# wpa-driver wext +# wpa-conf /etc/wpa_supplicant/wireless8021x.conf +" +myNETWORK_WIRED8021x="ctrl_interface=/var/run/wpa_supplicant +ctrl_interface_group=root +eapol_version=1 +ap_scan=1 +network={ + key_mgmt=IEEE8021X + eap=TLS + identity=\"host/$myCONF_PFX_HOST_ID\" + private_key=\"/etc/wpa_supplicant/8021x.pfx\" + private_key_passwd=\"$myCONF_PFX_PW\" +} +" +myNETWORK_WLAN8021x="ctrl_interface=/var/run/wpa_supplicant +ctrl_interface_group=root +eapol_version=1 +ap_scan=1 +network={ + ssid=\"\" + key_mgmt=WPA-EAP + pairwise=CCMP + group=CCMP + eap=TLS + identity=\"host/$myCONF_PFX_HOST_ID\" + private_key=\"/etc/wpa_supplicant/8021x.pfx\" + private_key_passwd=\"$myCONF_PFX_PW\" +} +" +myNETWORK_WLANEXAMPLE=" +### Example static ip config +### Replace with the name of your physical interface name +# +#auto eth0 +#iface eth0 inet static +# address 192.168.1.1 +# netmask 255.255.255.0 +# network 192.168.1.0 +# broadcast 192.168.1.255 +# gateway 192.168.1.1 +# dns-nameservers 192.168.1.1 + +### Example wireless config without 802.1x +### This configuration was tested with the IntelNUC series +### If problems occur you can try and change wpa-driver to \"iwlwifi\" +# +#auto wlan0 +#iface wlan0 inet dhcp +# wpa-driver wext +# wpa-ssid +# wpa-ap-scan 1 +# wpa-proto RSN +# wpa-pairwise CCMP +# wpa-group CCMP +# wpa-key-mgmt WPA-PSK +# wpa-psk \"\" +" +myUPDATECHECK="APT::Periodic::Update-Package-Lists \"1\"; +APT::Periodic::Download-Upgradeable-Packages \"0\"; +APT::Periodic::AutocleanInterval \"7\"; +" +mySYSCTLCONF=" +# Reboot after kernel panic, check via /proc/sys/kernel/panic[_on_oops] +# Set required map count for ELK +kernel.panic = 1 +kernel.panic_on_oops = 1 +vm.max_map_count = 262144 +net.ipv6.conf.all.disable_ipv6 = 1 +net.ipv6.conf.default.disable_ipv6 = 1 +net.ipv6.conf.lo.disable_ipv6 = 1 +" +myFAIL2BANCONF="[DEFAULT] +ignore-ip = 127.0.0.1/8 +bantime = 3600 +findtime = 600 +maxretry = 5 + +[nginx-http-auth] +enabled = true +filter = nginx-http-auth +port = 64297 +logpath = /data/nginx/log/error.log + +[pam-generic] +enabled = true +port = 64294 +filter = pam-generic +logpath = /var/log/auth.log + +[sshd] +enabled = true +port = 64295 +filter = sshd +logpath = /var/log/auth.log +" +mySYSTEMDFIX="[Link] +NamePolicy=kernel database onboard slot path +MACAddressPolicy=none +" +myCOCKPIT_SOCKET="[Socket] +ListenStream= +ListenStream=64294 +" +myCRONJOBS=" +# Check if updated images are available and download them +27 1 * * * root docker-compose -f /opt/tpot/etc/tpot.yml pull + +# Delete elasticsearch logstash indices older than 90 days +27 4 * * * root curator --config /opt/tpot/etc/curator/curator.yml /opt/tpot/etc/curator/actions.yml + +# Uploaded binaries are not supposed to be downloaded +*/1 * * * * root mv --backup=numbered /data/dionaea/roots/ftp/* /data/dionaea/binaries/ + +# Daily reboot +27 3 * * * root systemctl stop tpot && docker stop \$(docker ps -aq) || docker rm \$(docker ps -aq) || reboot + +# Check for updated packages every sunday, upgrade and reboot +27 16 * * 0 root apt-get autoclean -y && apt-get autoremove -y && apt-get update -y && apt-get upgrade -y && sleep 10 && reboot +" +myROOTPROMPT='PS1="\[\033[38;5;8m\][\[$(tput sgr0)\]\[\033[38;5;1m\]\u\[$(tput sgr0)\]\[\033[38;5;6m\]@\[$(tput sgr0)\]\[\033[38;5;4m\]\h\[$(tput sgr0)\]\[\033[38;5;6m\]:\[$(tput sgr0)\]\[\033[38;5;5m\]\w\[$(tput sgr0)\]\[\033[38;5;8m\]]\[$(tput sgr0)\]\[\033[38;5;1m\]\\$\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]"' +myUSERPROMPT='PS1="\[\033[38;5;8m\][\[$(tput sgr0)\]\[\033[38;5;2m\]\u\[$(tput sgr0)\]\[\033[38;5;6m\]@\[$(tput sgr0)\]\[\033[38;5;4m\]\h\[$(tput sgr0)\]\[\033[38;5;6m\]:\[$(tput sgr0)\]\[\033[38;5;5m\]\w\[$(tput sgr0)\]\[\033[38;5;8m\]]\[$(tput sgr0)\]\[\033[38;5;2m\]\\$\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]"' +myROOTCOLORS="export LS_OPTIONS='--color=auto' +eval \"\`dircolors\`\" +alias ls='ls \$LS_OPTIONS' +alias ll='ls \$LS_OPTIONS -l' +alias l='ls \$LS_OPTIONS -lA'" + + +################# +# II. Functions # +################# + +# Create banners +function fuBANNER { + toilet -f ivrit "$1" +} + +# Create funny words for hostnames +function fuRANDOMWORD { + local myWORDFILE="$1" + local myLINES=$(cat $myWORDFILE | wc -l) + local myRANDOM=$((RANDOM % $myLINES)) + local myNUM=$((myRANDOM * myRANDOM % $myLINES + 1)) + echo -n $(sed -n "$myNUM p" $myWORDFILE | tr -d \' | tr A-Z a-z) +} + +# Do we have root? +function fuGOT_ROOT { +echo +echo -n "### Checking for root: " +if [ "$(whoami)" != "root" ]; then - echo "Aborting. Ubuntu $myLSB is not supported." + echo "[ NOT OK ]" + echo "### Please run as root." + echo "### Example: sudo $0" + exit + else + echo "[ OK ]" +fi +} + +# Check for pre-installer package requirements. +# If not present install them +function fuCHECKPACKAGES { + export DEBIAN_FRONTEND=noninteractive + echo -n "### Checking for installer dependencies: " + local myPACKAGES="$1" + for myDEPS in $myPACKAGES; + do + myOK=$(dpkg -s $myDEPS 2>&1 | grep -w ok | awk '{ print $3 }' | head -n 1) + if [ "$myOK" != "ok" ]; + then + echo "[ NOW INSTALLING ]" + apt-get update -y + apt-get install -y $myPACKAGES + break + fi + done + if [ "$myOK" = "ok" ]; + then + echo "[ OK ]" + fi +} + +# Check if remote sites are available +function fuCHECKNET { + if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ]; + then + local mySITES="$1" + mySITESCOUNT=$(echo $mySITES | wc -w) + j=0 + for i in $mySITES; + do + echo $(expr 100 \* $j / $mySITESCOUNT) | dialog --title "[ Availability check ]" --backtitle "$myBACKTITLE" --gauge "\n Now checking: $i\n" 8 80 + curl --connect-timeout 30 -IsS $i 2>&1>/dev/null + if [ $? -ne 0 ]; + then + dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Continue? ]" --yesno "\nAvailability check failed. You can continue, but the installation might fail." 10 50 + if [ $? = 1 ]; + then + dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Abort ]" --msgbox "\nInstallation aborted. Exiting the installer." 7 50 + exit + else + break; + fi; + fi; + let j+=1 + echo $(expr 100 \* $j / $mySITESCOUNT) | dialog --keep-window --title "[ Availability check ]" --backtitle "$myBACKTITLE" --gauge "\n Now checking: $i\n" 8 80 + done; + fi +} + +# Install T-Pot dependencies +function fuGET_DEPS { + export DEBIAN_FRONTEND=noninteractive + # Determine fastest mirror + echo + echo "### Determine fastest mirror for your location." + echo + netselect-apt -n -a amd64 unstable && cp sources.list /etc/apt/ + echo + echo "### Getting update information." + echo + apt-get -y update + echo + echo "### Upgrading packages." + echo + # Downlaod and upgrade packages, but silently keep existing configs + echo "docker.io docker.io/restart boolean true" | debconf-set-selections -v + echo "debconf debconf/frontend select noninteractive" | debconf-set-selections -v + apt-get -y dist-upgrade -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes + echo + echo "### Installing T-Pot dependencies." + echo + apt-get -y install $myINSTALLPACKAGES + # Remove exim4 + apt-get -y purge exim4-base mailutils + apt-get -y autoremove + apt-mark hold exim4-base mailutils +} + +# Check for other services +function fuCHECK_PORTS { +if [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ]; + then + echo + echo "### Checking for active services." + echo + grc netstat -tulpen + echo + echo "### Please review your running services." + echo "### We will take care of SSH (22), but other services i.e. FTP (21), TELNET (23), SMTP (25), HTTP (80), HTTPS (443), etc." + echo "### might collide with T-Pot's honeypots and prevent T-Pot from starting successfully." + echo + while [ 1 != 2 ] + do + read -s -n 1 -p "Continue [y/n]? " mySELECT + echo + case "$mySELECT" in + [y,Y]) + break + ;; + [n,N]) + exit + ;; + esac + done +fi +} + +############################ +# III. Pre-Installer phase # +############################ +fuGOT_ROOT +fuCHECKPACKAGES "$myPREINSTALLPACKAGES" + +##################################### +# IV. Prepare installer environment # +##################################### + +# Check for Debian release and extract command line arguments +myLSB=$(lsb_release -c | awk '{ print $2 }') +if [ "$myLSB" != "$myLSB_STABLE_SUPPORTED" ] && [ "$myLSB" != "$myLSB_TESTING_SUPPORTED" ]; + then + echo "Aborting. Debian $myLSB is not supported." exit fi if [ "$1" == "" ]; @@ -64,7 +367,7 @@ for i in "$@" echo " A configuration example is available in \"tpotce/iso/installer/tpot.conf.dist\"." echo echo "--type=<[user, auto, iso]>" - echo " user, use this if you want to manually install a T-Pot on a Ubuntu 18.04 LTS machine." + echo " user, use this if you want to manually install a T-Pot on a Debian (testing) machine." echo " auto, implied if a configuration file is passed as an argument for automatic deployment." echo " iso, use this if you are a T-Pot developer and want to install a T-Pot from a pre-compiled iso." echo @@ -77,11 +380,7 @@ for i in "$@" esac done - -################################################### -# Validate command line arguments and load config # -################################################### - +# Validate command line arguments and load config # If a valid config file exists, set deployment type to "auto" and load the configuration if [ "$myTPOT_DEPLOYMENT_TYPE" == "auto" ] && [ "$myTPOT_CONF_FILE" == "" ]; then @@ -104,144 +403,32 @@ if [ -s "$myTPOT_CONF_FILE" ] && [ "$myTPOT_CONF_FILE" != "" ]; exit fi - -####################### -# Prepare environment # -####################### - -# Got root? -function fuGOT_ROOT { -echo -echo -n "### Checking for root: " -if [ "$(whoami)" != "root" ]; - then - echo "[ NOT OK ]" - echo "### Please run as root." - echo "### Example: sudo $0" - exit - else - echo "[ OK ]" -fi -} - -# Let's check if all dependencies are met -function fuGET_DEPS { -local myPACKAGES="apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker curl debconf-utils dialog dnsutils docker.io docker-compose dstat ethtool fail2ban genisoimage git glances grc html2text htop ifupdown iptables iw jq libcrack2 libltdl7 lm-sensors man mosh multitail net-tools npm ntp openssh-server openssl pass prips software-properties-common syslinux psmisc pv python-pip unattended-upgrades unzip vim wireless-tools wpasupplicant" -apt-get -y update -apt-get -y install software-properties-common -add-apt-repository "deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc) main universe restricted multiverse" -echo -echo "### Getting update information." -echo -apt-get -y update -echo -echo "### Upgrading packages." -echo -# Downlaod and upgrade packages, but silently keep existing configs -echo "docker.io docker.io/restart boolean true" | debconf-set-selections -v -echo "debconf debconf/frontend select noninteractive" | debconf-set-selections -v -apt-get -y dist-upgrade -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes -echo -echo "### Installing T-Pot dependencies." -echo -apt-get -y install $myPACKAGES -} - -# Let's load dialog color theme -function fuDIALOG_SETUP { -echo -echo -n "### Checking for dialogrc: " -if [ -f "dialogrc" ]; - then - echo "[ OK ]" - cp dialogrc /etc/ - else - echo "[ NOT OK ]" - echo "### 'dialogrc' is missing. Please run 'install.sh' from within the setup folder." - exit - fi -} - -# Let's check for other services -function fuCHECK_PORTS { -if [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ]; - then - echo - echo "### Checking for active services." - echo - grc netstat -tulpen - echo - echo "### Please review your running services." - echo "### We will take care of SSH (22), but other services i.e. FTP (21), TELNET (23), SMTP (25), HTTP (80), HTTPS (443), etc." - echo "### might collide with T-Pot's honeypots and prevent T-Pot from starting successfully." - echo - while [ 1 != 2 ] - do - read -s -n 1 -p "Continue [y/n]? " mySELECT - echo - case "$mySELECT" in - [y,Y]) - break - ;; - [n,N]) - exit - ;; - esac - done -fi -} - - # Prepare running the installer echo "$myINFO" | head -n 3 -fuGOT_ROOT -fuGET_DEPS fuCHECK_PORTS -fuDIALOG_SETUP -############# -# Installer # -############# +####################################### +# V. Installer user interaction phase # +####################################### -# Set TERM, DIALOGRC +# Set TERM export TERM=linux -export DIALOGRC=/etc/dialogrc - -####################### -# Global vars section # -####################### - -myBACKTITLE="T-Pot-Installer" -myCONF_FILE="/root/installer/iso.conf" -myPROGRESSBOXCONF=" --backtitle "$myBACKTITLE" --progressbox 24 80" -mySITES="https://hub.docker.com https://github.com https://pypi.python.org https://ubuntu.com" -myTPOTCOMPOSE="/opt/tpot/etc/tpot.yml" - -##################### -# Functions section # -##################### - -fuRANDOMWORD () { - local myWORDFILE="$1" - local myLINES=$(cat $myWORDFILE | wc -l) - local myRANDOM=$((RANDOM % $myLINES)) - local myNUM=$((myRANDOM * myRANDOM % $myLINES + 1)) - echo -n $(sed -n "$myNUM p" $myWORDFILE | tr -d \' | tr A-Z a-z) -} # If this is a ISO installation we need to wait a few seconds to avoid interference with service messages if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ]; then sleep 5 - tput civis - dialog --no-ok --no-cancel --backtitle "$myBACKTITLE" --title "[ Wait to avoid interference with service messages ]" --pause "" 6 80 7 + dialog --keep-window --no-ok --no-cancel --backtitle "$myBACKTITLE" --title "[ Wait to avoid interference with service messages ]" --pause "" 6 80 7 fi -# Let's load the iso config file if there is one +# Check if remote sites are available +fuCHECKNET "$myREMOTESITES" + +# Let' s load the iso config file if there is one if [ -f $myCONF_FILE ]; then - dialog --backtitle "$myBACKTITLE" --title "[ Found personalized iso.config ]" --msgbox "\nYour personalized settings will be applied!" 7 47 + dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Found personalized iso.config ]" --msgbox "\nYour personalized settings will be applied!" 7 47 source $myCONF_FILE else # dialog logic considers 1=false, 0=true @@ -250,7 +437,6 @@ if [ -f $myCONF_FILE ]; myCONF_NTP_USE="1" fi - ### <--- Begin proxy setup # If a proxy is set in iso.conf it needs to be setup. # However, none of the other installation types will automatically take care of a proxy. @@ -275,64 +461,31 @@ no_proxy=localhost,127.0.0.1,.sock if [ "$myCONF_PROXY_USE" == "0" ]; then # Let's setup proxy for the environment - echo "$myPROXY_ENV" 2>&1 | tee -a /etc/environment | dialog --title "[ Setting up the proxy ]" $myPROGRESSBOXCONF + echo "$myPROXY_ENV" 2>&1 | tee -a /etc/environment | dialog --keep-window --title "[ Setting up the proxy ]" $myPROGRESSBOXCONF source /etc/environment # Let's setup the proxy for apt - echo "$myPROXY_APT" 2>&1 | tee /etc/apt/apt.conf | dialog --title "[ Setting up the proxy ]" $myPROGRESSBOXCONF + echo "$myPROXY_APT" 2>&1 | tee /etc/apt/apt.conf | dialog --keep-window --title "[ Setting up the proxy ]" $myPROGRESSBOXCONF # Let's add proxy settings to docker defaults - echo "$myPROXY_DOCKER" 2>&1 | tee -a /etc/default/docker | dialog --title "[ Setting up the proxy ]" $myPROGRESSBOXCONF + echo "$myPROXY_DOCKER" 2>&1 | tee -a /etc/default/docker | dialog --keep-window --title "[ Setting up the proxy ]" $myPROGRESSBOXCONF # Let's restart docker for proxy changes to take effect - systemctl stop docker 2>&1 | dialog --title "[ Stop docker service ]" $myPROGRESSBOXCONF - systemctl start docker 2>&1 | dialog --title "[ Start docker service ]" $myPROGRESSBOXCONF + systemctl stop docker 2>&1 | dialog --keep-window --title "[ Stop docker service ]" $myPROGRESSBOXCONF + systemctl start docker 2>&1 | dialog --keep-window --title "[ Start docker service ]" $myPROGRESSBOXCONF fi ### ---> End proxy setup -# Let's test the internet connection -if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ]; - then - mySITESCOUNT=$(echo $mySITES | wc -w) - j=0 - for i in $mySITES; - do - curl --connect-timeout 30 -IsS $i 2>&1>/dev/null | dialog --title "[ Testing the internet connection ]" --backtitle "$myBACKTITLE" \ - --gauge "\n Now checking: $i\n" 8 80 $(expr 100 \* $j / $mySITESCOUNT) - if [ $? -ne 0 ]; - then - dialog --backtitle "$myBACKTITLE" --title "[ Continue? ]" --yesno "\nInternet connection test failed. This might indicate some problems with your connection. You can continue, but the installation might fail." 10 50 - if [ $? = 1 ]; - then - dialog --backtitle "$myBACKTITLE" --title "[ Abort ]" --msgbox "\nInstallation aborted. Exiting the installer." 7 50 - exit - else - break; - fi; - fi; - let j+=1 - echo 2>&1>/dev/null | dialog --title "[ Testing the internet connection ]" --backtitle "$myBACKTITLE" \ - --gauge "\n Now checking: $i\n" 8 80 $(expr 100 \* $j / $mySITESCOUNT) - done; -fi -# Let's put cursor back in standard form -tput cnorm - -#################### -# User interaction # -#################### - # Let's ask the user for install flavor if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ]; then - myCONF_TPOT_FLAVOR=$(dialog --no-cancel --backtitle "$myBACKTITLE" --title "[ Choose Your T-Pot NG Edition ]" --menu \ - "\nRequired: 6GB RAM, 128GB SSD\nRecommended: 8GB RAM, 256GB SSD" 15 70 7 \ + myCONF_TPOT_FLAVOR=$(dialog --keep-window --no-cancel --backtitle "$myBACKTITLE" --title "[ Choose Your T-Pot NG Edition ]" --menu \ + "\nRequired: 6GB RAM, 128GB SSD\nRecommended: 8GB RAM, 256GB SSD" 14 70 6 \ "STANDARD" "Honeypots, ELK, NSM & Tools" \ "SENSOR" "Just Honeypots, EWS Poster & NSM" \ "INDUSTRIAL" "Conpot, RDPY, Vnclowpot, ELK, NSM & Tools" \ "COLLECTOR" "Heralding, ELK, NSM & Tools" \ - "NEXTGEN" "NextGen (Glutton instead of Honeytrap)" \ - "LEGACY" "Standard Edition from previous release" 3>&1 1>&2 2>&3 3>&-) + "NEXTGEN" "NextGen (Glutton, HoneyPy)" 3>&1 1>&2 2>&3 3>&-) fi # Let's ask for a secure tsec password if installation type is iso @@ -346,16 +499,16 @@ if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ]; do while [ "$myPASS1" == "pass1" ] || [ "$myPASS1" == "" ] do - myPASS1=$(dialog --insecure --backtitle "$myBACKTITLE" \ + myPASS1=$(dialog --keep-window --insecure --backtitle "$myBACKTITLE" \ --title "[ Enter password for console user (tsec) ]" \ --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) done - myPASS2=$(dialog --insecure --backtitle "$myBACKTITLE" \ + myPASS2=$(dialog --keep-window --insecure --backtitle "$myBACKTITLE" \ --title "[ Repeat password for console user (tsec) ]" \ --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) if [ "$myPASS1" != "$myPASS2" ]; then - dialog --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \ + dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \ --msgbox "\nPlease re-enter your password." 7 60 myPASS1="pass1" myPASS2="pass2" @@ -363,7 +516,7 @@ if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ]; mySECURE=$(printf "%s" "$myPASS1" | cracklib-check | grep -c "OK") if [ "$mySECURE" == "0" ] && [ "$myPASS1" == "$myPASS2" ]; then - dialog --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50 + dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50 myOK=$? if [ "$myOK" == "1" ]; then @@ -375,7 +528,7 @@ if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ]; printf "%s" "$myCONF_TPOT_USER:$myPASS1" | chpasswd fi -# Let's ask for a web user credentials if deployment type is iso or user +# Let's ask for web user credentials if deployment type is iso or user # In case of auto, credentials are created from config values # Skip this step entirely if SENSOR flavor if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ]; @@ -387,9 +540,9 @@ if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "use mySECURE="0" while [ 1 != 2 ] do - myCONF_WEB_USER=$(dialog --backtitle "$myBACKTITLE" --title "[ Enter your web user name ]" --inputbox "\nUsername (tsec not allowed)" 9 50 3>&1 1>&2 2>&3 3>&-) + myCONF_WEB_USER=$(dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Enter your web user name ]" --inputbox "\nUsername (tsec not allowed)" 9 50 3>&1 1>&2 2>&3 3>&-) myCONF_WEB_USER=$(echo $myCONF_WEB_USER | tr -cd "[:alnum:]_.-") - dialog --backtitle "$myBACKTITLE" --title "[ Your username is ]" --yesno "\n$myCONF_WEB_USER" 7 50 + dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Your username is ]" --yesno "\n$myCONF_WEB_USER" 7 50 myOK=$? if [ "$myOK" = "0" ] && [ "$myCONF_WEB_USER" != "tsec" ] && [ "$myCONF_WEB_USER" != "" ]; then @@ -400,16 +553,16 @@ if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "use do while [ "$myCONF_WEB_PW" == "pass1" ] || [ "$myCONF_WEB_PW" == "" ] do - myCONF_WEB_PW=$(dialog --insecure --backtitle "$myBACKTITLE" \ + myCONF_WEB_PW=$(dialog --keep-window --insecure --backtitle "$myBACKTITLE" \ --title "[ Enter password for your web user ]" \ --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) done - myCONF_WEB_PW2=$(dialog --insecure --backtitle "$myBACKTITLE" \ + myCONF_WEB_PW2=$(dialog --keep-window --insecure --backtitle "$myBACKTITLE" \ --title "[ Repeat password for your web user ]" \ --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) if [ "$myCONF_WEB_PW" != "$myCONF_WEB_PW2" ]; then - dialog --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \ + dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \ --msgbox "\nPlease re-enter your password." 7 60 myCONF_WEB_PW="pass1" myCONF_WEB_PW2="pass2" @@ -417,7 +570,7 @@ if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "use mySECURE=$(printf "%s" "$myCONF_WEB_PW" | cracklib-check | grep -c "OK") if [ "$mySECURE" == "0" ] && [ "$myCONF_WEB_PW" == "$myCONF_WEB_PW2" ]; then - dialog --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50 + dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50 myOK=$? if [ "$myOK" == "1" ]; then @@ -427,186 +580,125 @@ if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "use fi done fi + +dialog --clear + +########################## +# VI. Installation phase # +########################## + +exec 2> >(tee "/install.err") +exec > >(tee "/install.log") + +fuBANNER "Installing ..." + +fuGET_DEPS + # If flavor is SENSOR do not write credentials if ! [ "$myCONF_TPOT_FLAVOR" == "SENSOR" ]; then - mkdir -p /data/nginx/conf 2>&1 - htpasswd -b -c /data/nginx/conf/nginxpasswd "$myCONF_WEB_USER" "$myCONF_WEB_PW" 2>&1 | dialog --title "[ Setting up user and password ]" $myPROGRESSBOXCONF; + fuBANNER "Webuser creds" + mkdir -p /data/nginx/conf + htpasswd -b -c /data/nginx/conf/nginxpasswd "$myCONF_WEB_USER" "$myCONF_WEB_PW" + echo fi - -######################## -# Installation section # -######################## - -# Put cursor in invisible mode -tput civis - # Let's generate a SSL self-signed certificate without interaction (browsers will see it invalid anyway) if ! [ "$myCONF_TPOT_FLAVOR" == "SENSOR" ]; then -mkdir -p /data/nginx/cert 2>&1 | dialog --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF; -openssl req \ - -nodes \ - -x509 \ - -sha512 \ - -newkey rsa:8192 \ - -keyout "/data/nginx/cert/nginx.key" \ - -out "/data/nginx/cert/nginx.crt" \ - -days 3650 \ - -subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' 2>&1 | dialog --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF; + fuBANNER "NGINX Certificate" + mkdir -p /data/nginx/cert + openssl req \ + -nodes \ + -x509 \ + -sha512 \ + -newkey rsa:8192 \ + -keyout "/data/nginx/cert/nginx.key" \ + -out "/data/nginx/cert/nginx.crt" \ + -days 3650 \ + -subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' fi # Let's setup the ntp server if [ "$myCONF_NTP_USE" == "0" ]; then - cp $myCONF_NTP_CONF_FILE /etc/ntp.conf 2>&1 | dialog --title "[ Setting up the ntp server ]" $myPROGRESSBOXCONF + fuBANNER "Setup NTP" + cp $myCONF_NTP_CONF_FILE /etc/ntp.conf fi # Let's setup 802.1x networking -myNETWORK_INTERFACES=" -wpa-driver wired -wpa-conf /etc/wpa_supplicant/wired8021x.conf - -### Example wireless config for 802.1x -### This configuration was tested with the IntelNUC series -### If problems occur you can try and change wpa-driver to \"iwlwifi\" -### Do not forget to enter a ssid in /etc/wpa_supplicant/wireless8021x.conf -### The Intel NUC uses wlpXsY notation instead of wlanX -# -#auto wlp2s0 -#iface wlp2s0 inet dhcp -# wpa-driver wext -# wpa-conf /etc/wpa_supplicant/wireless8021x.conf -" -myNETWORK_WIRED8021x="ctrl_interface=/var/run/wpa_supplicant -ctrl_interface_group=root -eapol_version=1 -ap_scan=1 -network={ - key_mgmt=IEEE8021X - eap=TLS - identity=\"host/$myCONF_PFX_HOST_ID\" - private_key=\"/etc/wpa_supplicant/8021x.pfx\" - private_key_passwd=\"$myCONF_PFX_PW\" -} -" -myNETWORK_WLAN8021x="ctrl_interface=/var/run/wpa_supplicant -ctrl_interface_group=root -eapol_version=1 -ap_scan=1 -network={ - ssid="" - key_mgmt=WPA-EAP - pairwise=CCMP - group=CCMP - eap=TLS - identity="host/$myCONF_PFX_HOST_ID" - private_key="/etc/wpa_supplicant/8021x.pfx" - private_key_passwd="$myCONF_PFX_PW" -} -" if [ "myCONF_PFX_USE" == "0" ]; then - cp $myCONF_PFX_FILE /etc/wpa_supplicant/ 2>&1 | dialog --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF - echo "$myNETWORK_INTERFACES" 2>&1 | tee -a /etc/network/interfaces | dialog --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF - - echo "$myNETWORK_WIRED8021x" 2>&1 | tee /etc/wpa_supplicant/wired8021x.conf | dialog --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF - - echo "$myNETWORK_WLAN8021x" 2>&1 | tee /etc/wpa_supplicant/wireless8021x.conf | dialog --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF + fuBANNER "Setup 802.1x" + cp $myCONF_PFX_FILE /etc/wpa_supplicant/ + echo "$myNETWORK_INTERFACES" | tee -a /etc/network/interfaces + echo "$myNETWORK_WIRED8021x" | tee /etc/wpa_supplicant/wired8021x.conf + echo "$myNETWORK_WLAN8021x" | tee /etc/wpa_supplicant/wireless8021x.conf fi # Let's provide a wireless example config ... -myNETWORK_WLANEXAMPLE=" -### Example static ip config -### Replace with the name of your physical interface name -# -#auto eth0 -#iface eth0 inet static -# address 192.168.1.1 -# netmask 255.255.255.0 -# network 192.168.1.0 -# broadcast 192.168.1.255 -# gateway 192.168.1.1 -# dns-nameservers 192.168.1.1 - -### Example wireless config without 802.1x -### This configuration was tested with the IntelNUC series -### If problems occur you can try and change wpa-driver to "iwlwifi" -# -#auto wlan0 -#iface wlan0 inet dhcp -# wpa-driver wext -# wpa-ssid -# wpa-ap-scan 1 -# wpa-proto RSN -# wpa-pairwise CCMP -# wpa-group CCMP -# wpa-key-mgmt WPA-PSK -# wpa-psk \"\" -" -echo "$myNETWORK_WLANEXAMPLE" 2>&1 | tee -a /etc/network/interfaces | dialog --title "[ Provide WLAN example config ]" $myPROGRESSBOXCONF - -# Let's modify the sources list -sed -i '/cdrom/d' /etc/apt/sources.list +fuBANNER "Example config" +echo "$myNETWORK_WLANEXAMPLE" | tee -a /etc/network/interfaces # Let's make sure SSH roaming is turned off (CVE-2016-0777, CVE-2016-0778) -echo "UseRoaming no" 2>&1 | tee -a /etc/ssh/ssh_config | dialog --title "[ Turn SSH roaming off ]" $myPROGRESSBOXCONF +fuBANNER "SSH roaming off" +echo "UseRoaming no" | tee -a /etc/ssh/ssh_config -# Installing ctop, elasticdump, tpot, yq -npm install https://github.com/taskrabbit/elasticsearch-dump -g 2>&1 | dialog --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF -pip install --upgrade pip 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESSBOXCONF -hash -r 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESSBOXCONF -pip install elasticsearch-curator yq 2>&1 | dialog --title "[ Installing elasticsearch-curator, yq ]" $myPROGRESSBOXCONF -wget https://github.com/bcicen/ctop/releases/download/v0.7.1/ctop-0.7.1-linux-amd64 -O /usr/bin/ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF -chmod +x /usr/bin/ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF -git clone https://github.com/dtag-dev-sec/tpotce /opt/tpot 2>&1 | dialog --title "[ Cloning T-Pot ]" $myPROGRESSBOXCONF +# Installing elasticdump, yq +fuBANNER "Installing pkgs" +npm install https://github.com/taskrabbit/elasticsearch-dump -g +pip install --upgrade pip +hash -r +pip install elasticsearch-curator yq + +# Cloning T-Pot from GitHub +fuBANNER "Cloning T-Pot" +git clone https://github.com/dtag-dev-sec/tpotce /opt/tpot # Let's create the T-Pot user -addgroup --gid 2000 tpot 2>&1 | dialog --title "[ Adding T-Pot user ]" $myPROGRESSBOXCONF -adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot 2>&1 | dialog --title "[ Adding T-Pot user ]" $myPROGRESSBOXCONF +fuBANNER "Create user" +addgroup --gid 2000 tpot +adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot # Let's set the hostname a=$(fuRANDOMWORD /opt/tpot/host/usr/share/dict/a.txt) n=$(fuRANDOMWORD /opt/tpot/host/usr/share/dict/n.txt) myHOST=$a$n -hostnamectl set-hostname $myHOST 2>&1 | dialog --title "[ Setting new hostname ]" $myPROGRESSBOXCONF -sed -i 's#127.0.1.1.*#127.0.1.1\t'"$myHOST"'#g' /etc/hosts 2>&1 | dialog --title "[ Setting new hostname ]" $myPROGRESSBOXCONF -if [ -f "/etc/cloud/cloud.cfg" ]; - then - sed -i 's/preserve_hostname: false/preserve_hostname: true/' /etc/cloud/cloud.cfg -fi +fuBANNER "Set hostname" +hostnamectl set-hostname $myHOST +sed -i 's#127.0.1.1.*#127.0.1.1\t'"$myHOST"'#g' /etc/hosts # Let's patch cockpit.socket, sshd_config -sed -i 's#ListenStream=9090#ListenStream=64294#' /lib/systemd/system/cockpit.socket 2>&1 | dialog --title "[ Cockpit listen on tcp/64294 ]" $myPROGRESSBOXCONF -sed -i '/^port/Id' /etc/ssh/sshd_config 2>&1 | dialog --title "[ SSH listen on tcp/64295 ]" $myPROGRESSBOXCONF -echo "Port 64295" >> /etc/ssh/sshd_config 2>&1 | dialog --title "[ SSH listen on tcp/64295 ]" $myPROGRESSBOXCONF +fuBANNER "Adjust ports" +mkdir -p /etc/systemd/system/cockpit.socket.d +echo "$myCOCKPIT_SOCKET" | tee /etc/systemd/system/cockpit.socket.d/listen.conf +sed -i '/^port/Id' /etc/ssh/sshd_config +echo "Port 64295" >> /etc/ssh/sshd_config + +# Do not allow root login for cockpit +sed -i '2i\auth requisite pam_succeed_if.so uid >= 1000' /etc/pam.d/cockpit # Let's make sure only myCONF_TPOT_FLAVOR images will be downloaded and started case $myCONF_TPOT_FLAVOR in STANDARD) - echo "### Preparing STANDARD flavor installation." - ln -s /opt/tpot/etc/compose/standard.yml $myTPOTCOMPOSE 2>&1>/dev/null + fuBANNER "STANDARD" + ln -s /opt/tpot/etc/compose/standard.yml $myTPOTCOMPOSE ;; SENSOR) - echo "### Preparing SENSOR flavor installation." - ln -s /opt/tpot/etc/compose/sensor.yml $myTPOTCOMPOSE 2>&1>/dev/null + fuBANNER "SENSOR" + ln -s /opt/tpot/etc/compose/sensor.yml $myTPOTCOMPOSE ;; INDUSTRIAL) - echo "### Preparing INDUSTRIAL flavor installation." - ln -s /opt/tpot/etc/compose/industrial.yml $myTPOTCOMPOSE 2>&1>/dev/null + fuBANNER "INDUSTRIAL" + ln -s /opt/tpot/etc/compose/industrial.yml $myTPOTCOMPOSE ;; COLLECTOR) - echo "### Preparing COLLECTOR flavor installation." - ln -s /opt/tpot/etc/compose/collector.yml $myTPOTCOMPOSE 2>&1>/dev/null + fuBANNER "COLLECTOR" + ln -s /opt/tpot/etc/compose/collector.yml $myTPOTCOMPOSE ;; NEXTGEN) - echo "### Preparing NEXTGEN flavor installation." - ln -s /opt/tpot/etc/compose/nextgen.yml $myTPOTCOMPOSE 2>&1>/dev/null - ;; - LEGACY) - echo "### Preparing LEGACY flavor installation." - ln -s /opt/tpot/etc/compose/legacy.yml $myTPOTCOMPOSE 2>&1>/dev/null + fuBANNER "NEXTGEN" + ln -s /opt/tpot/etc/compose/nextgen.yml $myTPOTCOMPOSE ;; esac @@ -618,157 +710,121 @@ for name in $(cat $myTPOTCOMPOSE | grep -v '#' | grep image | cut -d'"' -f2 | un done wait } -fuPULLIMAGES 2>&1 | dialog --title "[ Pulling docker images, please be patient ]" $myPROGRESSBOXCONF +fuBANNER "Pull images" +fuPULLIMAGES # Let's add the daily update check with a weekly clean interval -myUPDATECHECK="APT::Periodic::Update-Package-Lists \"1\"; -APT::Periodic::Download-Upgradeable-Packages \"0\"; -APT::Periodic::AutocleanInterval \"7\"; -" -echo "$myUPDATECHECK" 2>&1 | tee /etc/apt/apt.conf.d/10periodic | dialog --title "[ Modifying update checks ]" $myPROGRESSBOXCONF +fuBANNER "Modify checks" +echo "$myUPDATECHECK" | tee /etc/apt/apt.conf.d/10periodic # Let's make sure to reboot the system after a kernel panic -mySYSCTLCONF=" -# Reboot after kernel panic, check via /proc/sys/kernel/panic[_on_oops] -# Set required map count for ELK -kernel.panic = 1 -kernel.panic_on_oops = 1 -vm.max_map_count = 262144 -net.ipv6.conf.all.disable_ipv6 = 1 -net.ipv6.conf.default.disable_ipv6 = 1 -net.ipv6.conf.lo.disable_ipv6 = 1 -" -echo "$mySYSCTLCONF" 2>&1 | tee -a /etc/sysctl.conf | dialog --title "[ Tweak Sysctl ]" $myPROGRESSBOXCONF +fuBANNER "Tweak sysctl" +echo "$mySYSCTLCONF" | tee -a /etc/sysctl.conf # Let's setup fail2ban config -myFAIL2BANCONF="[DEFAULT] -ignore-ip = 127.0.0.1/8 -bantime = 3600 -findtime = 600 -maxretry = 5 - -[nginx-http-auth] -enabled = true -filter = nginx-http-auth -port = 64297 -logpath = /data/nginx/log/error.log - -[pam-generic] -enabled = true -port = 64294 -filter = pam-generic -logpath = /var/log/auth.log - -[sshd] -enabled = true -port = 64295 -filter = sshd -logpath = /var/log/auth.log -" -echo "$myFAIL2BANCONF" 2>&1 | tee /etc/fail2ban/jail.d/tpot.conf | dialog --title "[ Setup fail2ban config ]" $myPROGRESSBOXCONF +fuBANNER "Setup fail2ban" +echo "$myFAIL2BANCONF" | tee /etc/fail2ban/jail.d/tpot.conf # Fix systemd error https://github.com/systemd/systemd/issues/3374 -mySYSTEMDFIX="[Link] -NamePolicy=kernel database onboard slot path -MACAddressPolicy=none -" -echo "$mySYSTEMDFIX" 2>&1 | tee /etc/systemd/network/99-default.link | dialog --title "[ systemd fix ]" $myPROGRESSBOXCONF +fuBANNER "Systemd fix" +echo "$mySYSTEMDFIX" | tee /etc/systemd/network/99-default.link # Let's add some cronjobs -myCRONJOBS=" -# Check if updated images are available and download them -27 1 * * * root docker-compose -f /opt/tpot/etc/tpot.yml pull - -# Delete elasticsearch logstash indices older than 90 days -27 4 * * * root curator --config /opt/tpot/etc/curator/curator.yml /opt/tpot/etc/curator/actions.yml - -# Uploaded binaries are not supposed to be downloaded -*/1 * * * * root mv --backup=numbered /data/dionaea/roots/ftp/* /data/dionaea/binaries/ - -# Daily reboot -27 3 * * * root systemctl stop tpot && docker stop \$(docker ps -aq) || docker rm \$(docker ps -aq) || reboot - -# Check for updated packages every sunday, upgrade and reboot -27 16 * * 0 root apt-get autoclean -y && apt-get autoremove -y && apt-get update -y && apt-get upgrade -y && sleep 10 && reboot -" -echo "$myCRONJOBS" 2>&1 | tee -a /etc/crontab | dialog --title "[ Adding cronjobs ]" $myPROGRESSBOXCONF +fuBANNER "Add cronjobs" +echo "$myCRONJOBS" | tee -a /etc/crontab # Let's create some files and folders +fuBANNER "Files & folders" mkdir -p /data/adbhoney/downloads /data/adbhoney/log \ /data/ciscoasa/log \ - /data/conpot/log \ + /data/conpot/log \ /data/cowrie/log/tty/ /data/cowrie/downloads/ /data/cowrie/keys/ /data/cowrie/misc/ \ /data/dionaea/log /data/dionaea/bistreams /data/dionaea/binaries /data/dionaea/rtp /data/dionaea/roots/ftp /data/dionaea/roots/tftp /data/dionaea/roots/www /data/dionaea/roots/upnp \ /data/elasticpot/log \ /data/elk/data /data/elk/log \ /data/glastopf/log /data/glastopf/db \ /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/ \ - /data/glutton/log \ - /data/heralding/log \ + /data/glutton/log \ + /data/heralding/log \ + /data/honeypy/log \ /data/mailoney/log \ /data/medpot/log \ - /data/nginx/log \ + /data/nginx/log \ /data/emobility/log \ /data/ews/conf \ /data/rdpy/log \ /data/spiderfoot \ /data/suricata/log /home/tsec/.ssh/ \ - /data/tanner/log /data/tanner/files \ - /data/p0f/log 2>&1 | dialog --title "[ Creating some files and folders ]" $myPROGRESSBOXCONF -touch /data/spiderfoot/spiderfoot.db 2>&1 | dialog --title "[ Creating some files and folders ]" $myPROGRESSBOXCONF -touch /data/nginx/log/error.log 2>&1 | dialog --title "[ Creating some files and folders ]" $myPROGRESSBOXCONF + /data/tanner/log /data/tanner/files \ + /data/p0f/log +touch /data/spiderfoot/spiderfoot.db +touch /data/nginx/log/error.log # Let's copy some files -tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C / 2>&1 | dialog --title "[ Extracting elkbase.tgz ]" $myPROGRESSBOXCONF -cp /opt/tpot/host/etc/systemd/* /etc/systemd/system/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF -cp /opt/tpot/host/etc/issue /etc/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF -systemctl enable tpot 2>&1 | dialog --title "[ Enabling service for tpot ]" $myPROGRESSBOXCONF +fuBANNER "Copy configs" +tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C / +cp /opt/tpot/host/etc/systemd/* /etc/systemd/system/ +systemctl enable tpot # Let's take care of some files and permissions -chmod 760 -R /data 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF -chown tpot:tpot -R /data 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF -chmod 644 -R /data/nginx/conf 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF -chmod 644 -R /data/nginx/cert 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF +fuBANNER "Permissions" +chmod 760 -R /data +chown tpot:tpot -R /data +chmod 644 -R /data/nginx/conf +chmod 644 -R /data/nginx/cert # Let's replace "quiet splash" options, set a console font for more screen canvas and update grub -sed -i 's#GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"#GRUB_CMDLINE_LINUX_DEFAULT="consoleblank=0"#' /etc/default/grub 2>&1>/dev/null -sed -i 's#GRUB_CMDLINE_LINUX=""#GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"#' /etc/default/grub 2>&1>/dev/null -update-grub 2>&1 | dialog --title "[ Update grub ]" $myPROGRESSBOXCONF +fuBANNER "Options" +sed -i 's#GRUB_CMDLINE_LINUX_DEFAULT="quiet"#GRUB_CMDLINE_LINUX_DEFAULT="quiet consoleblank=0"#' /etc/default/grub +sed -i 's#GRUB_CMDLINE_LINUX=""#GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"#' /etc/default/grub +update-grub + +fuBANNER "Setup console" cp /usr/share/consolefonts/Uni2-Terminus12x6.psf.gz /etc/console-setup/ gunzip /etc/console-setup/Uni2-Terminus12x6.psf.gz sed -i 's#FONTFACE=".*#FONTFACE="Terminus"#' /etc/default/console-setup sed -i 's#FONTSIZE=".*#FONTSIZE="12x6"#' /etc/default/console-setup -update-initramfs -u 2>&1 | dialog --title "[ Update initramfs ]" $myPROGRESSBOXCONF +update-initramfs -u +sed -i 's#After=.*#After=systemd-tmpfiles-setup.service console-screen.service kbd.service local-fs.target#' /etc/systemd/system/multi-user.target.wants/console-setup.service # Let's enable a color prompt and add /opt/tpot/bin to path -myROOTPROMPT='PS1="\[\033[38;5;8m\][\[$(tput sgr0)\]\[\033[38;5;1m\]\u\[$(tput sgr0)\]\[\033[38;5;6m\]@\[$(tput sgr0)\]\[\033[38;5;4m\]\h\[$(tput sgr0)\]\[\033[38;5;6m\]:\[$(tput sgr0)\]\[\033[38;5;5m\]\w\[$(tput sgr0)\]\[\033[38;5;8m\]]\[$(tput sgr0)\]\[\033[38;5;1m\]\\$\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]"' -myUSERPROMPT='PS1="\[\033[38;5;8m\][\[$(tput sgr0)\]\[\033[38;5;2m\]\u\[$(tput sgr0)\]\[\033[38;5;6m\]@\[$(tput sgr0)\]\[\033[38;5;4m\]\h\[$(tput sgr0)\]\[\033[38;5;6m\]:\[$(tput sgr0)\]\[\033[38;5;5m\]\w\[$(tput sgr0)\]\[\033[38;5;8m\]]\[$(tput sgr0)\]\[\033[38;5;2m\]\\$\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]"' -tee -a /root/.bashrc 2>&1>/dev/null <&1>/dev/null <&1>/dev/null +fuBANNER "Update IP" +/opt/tpot/bin/updateip.sh # Let's clean up apt -apt-get autoclean -y 2>&1 | dialog --title "[ Cleaning up ]" $myPROGRESSBOXCONF -apt-get autoremove -y 2>&1 | dialog --title "[ Cleaning up ]" $myPROGRESSBOXCONF +fuBANNER "Clean up" +apt-get autoclean -y +apt-get autoremove -y # Final steps -cp /opt/tpot/host/etc/rc.local /etc/rc.local 2>&1>/dev/null && \ -rm -rf /root/installer 2>&1>/dev/null && \ +cp /opt/tpot/host/etc/rc.local /etc/rc.local && \ +rm -rf /root/installer && \ +rm -rf /etc/issue.d/cockpit.issue && \ +rm -rf /etc/motd.d/cockpit && \ +rm -rf /etc/issue.net && \ +rm -rf /etc/motd && \ +systemctl restart console-setup.service + if [ "$myTPOT_DEPLOYMENT_TYPE" == "auto" ]; then echo "Done. Please reboot." else - dialog --no-ok --no-cancel --backtitle "$myBACKTITLE" --title "[ Thanks for your patience. Now rebooting. ]" --pause "" 6 80 2 && \ + fuBANNER "Rebooting ..." + sleep 2 reboot fi diff --git a/iso/installer/rc.local.install b/iso/installer/rc.local.install index f1634564..5f0962f1 100755 --- a/iso/installer/rc.local.install +++ b/iso/installer/rc.local.install @@ -1,3 +1,3 @@ #!/bin/bash -plymouth --quit +#plymouth --quit openvt -f -w -s /root/installer/wrapper.sh diff --git a/iso/isolinux/txt.cfg b/iso/isolinux/txt.cfg index 84302a26..932b0a97 100755 --- a/iso/isolinux/txt.cfg +++ b/iso/isolinux/txt.cfg @@ -1,6 +1,6 @@ default install label install - menu label ^T-Pot 18.11 + menu label ^T-Pot 19.03 (based on Debian Sid) menu default kernel linux append vga=788 initrd=initrd.gz console-setup/ask_detect=true -- diff --git a/iso/preseed/tpot.seed b/iso/preseed/tpot.seed index 8c8926b8..32aafd12 100755 --- a/iso/preseed/tpot.seed +++ b/iso/preseed/tpot.seed @@ -13,7 +13,7 @@ d-i localechooser/preferred-locale string en_US.UTF-8 ###################### ### Keyboard Selection ###################### -#d-i console-setup/ask_detect boolean true +d-i console-setup/ask_detect boolean true #d-i keyboard-configuration/layoutcode string de d-i console-setup/detected note @@ -25,10 +25,10 @@ d-i console-setup/detected note ######################### ### Network Configuration ######################### -d-i netcfg/do_not_use_netplan true -#d-i netcfg/choose_interface select auto -#d-i netcfg/dhcp_timeout string 60 +d-i netcfg/choose_interface select auto +d-i netcfg/dhcp_timeout string 60 d-i netcfg/get_hostname string t-pot +d-i netcfg/get_domain string ############### ### Disk Layout @@ -70,10 +70,17 @@ d-i user-setup/encrypt-home boolean false ######################################## ### Country Mirror & Proxy Configuration ######################################## -d-i mirror/country string manual -d-i mirror/http/hostname string archive.ubuntu.com -d-i mirror/http/directory string /ubuntu -d-i mirror/http/proxy string +#d-i mirror/country string manual +#d-i mirror/http/hostname string deb.debian.org +#d-i mirror/http/directory string /debian +#d-i mirror/http/proxy string + +################### +# Suite to install +################### +#d-i mirror/suite string unstable +#d-i mirror/suite string testing +#d-i mirror/udeb/suite string testing ########################### ### Skip Grub Configuration @@ -81,6 +88,7 @@ d-i mirror/http/proxy string #d-i grub-installer/confirm boolean true #d-i grub-installer/only_debian boolean true #d-i grub-installer/with_other_os boolean true +#d-i grub-installer/bootdev string default d-i grub-installer/skip boolean true d-i lilo-installer/skip boolean true @@ -91,17 +99,18 @@ d-i lilo-installer/skip boolean true d-i clock-setup/utc boolean true d-i time/zone string UTC d-i clock-setup/ntp boolean true -d-i clock-setup/ntp-server string ntp.ubuntu.com +d-i clock-setup/ntp-server string debian.pool.ntp.org ################## ### Package Groups ################## -tasksel tasksel/first multiselect ubuntu-server +tasksel tasksel/first multiselect ssh-server ######################## ### Package Installation ######################## -d-i pkgsel/include string apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker curl debconf-utils dialog dnsutils docker.io docker-compose dstat ethtool fail2ban genisoimage git glances grc html2text htop ifupdown iptables iw jq libcrack2 libltdl7 lm-sensors man mosh multitail net-tools npm ntp openssh-server openssl pass prips software-properties-common syslinux psmisc pv python-pip unzip vim wireless-tools wpasupplicant +d-i pkgsel/include string apache2-utils curl dialog figlet git grc libcrack2 libpq-dev lsb-release netselect-apt net-tools software-properties-common toilet +popularity-contest popularity-contest/participate boolean false ################# ### Update Policy @@ -120,8 +129,12 @@ d-i debian-installer/splash boolean false d-i preseed/late_command string \ in-target apt-get -y install grub-pc; \ in-target grub-install --force $(debconf-get partman-auto/disk); \ +update-dev; \ in-target update-grub; \ -in-target git clone https://github.com/dtag-dev-sec/tpotce /opt/tpot; \ +in-target git clone --depth=1 https://github.com/dtag-dev-sec/tpotce /opt/tpot; \ +in-target sed -i 's/allow-hotplug/auto/g' /etc/network/interfaces; \ +#in-target apt-get -y remove exim4-base; \ +#in-target apt-get -y autoremove; \ cp /target/opt/tpot/iso/installer/rc.local.install /target/etc/rc.local; \ cp /target/opt/tpot/iso/installer -R /target/root/; diff --git a/makeiso.sh b/makeiso.sh index 7769a4c3..95638d05 100755 --- a/makeiso.sh +++ b/makeiso.sh @@ -2,14 +2,14 @@ # Set TERM, DIALOGRC export TERM=linux -export DIALOGRC=/etc/dialogrc # Let's define some global vars myBACKTITLE="T-Pot - ISO Creator" -# If you need latest hardware support, try using the hardware enablement (hwe) ISO, usually released later in time -# myUBUNTULINK="http://archive.ubuntu.com/ubuntu/dists/bionic/main/installer-amd64/current/images/hwe-netboot/mini.iso" -myUBUNTULINK="http://archive.ubuntu.com/ubuntu/dists/bionic/main/installer-amd64/current/images/netboot/mini.iso" -myUBUNTUISO="mini.iso" +#myMINIISOLINK="http://ftp.debian.org/debian/dists/testing/main/installer-amd64/current/images/netboot/mini.iso" +#myMINIISOLINK="https://d-i.debian.org/daily-images/amd64/daily/netboot/mini.iso" +# For stability reasons Debian Sid installation is built on a stable installer +myMINIISOLINK="http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/current/images/netboot/mini.iso" +myMINIISO="mini.iso" myTPOTISO="tpot.iso" myTPOTDIR="tpotiso" myTPOTSEED="iso/preseed/tpot.seed" @@ -49,9 +49,6 @@ if [ "$myINST" != "" ] done fi -# Let's load dialog color theme -cp host/etc/dialogrc /etc/ - # Let's clean up at the end or if something goes wrong ... function fuCLEANUP { rm -rf $myTMP $myTPOTDIR $myPFXFILE $myNTPCONFFILE $myCONF_FILE @@ -81,7 +78,7 @@ function valid_ip() } # Let's ask if the user wants to run the script ... -dialog --backtitle "$myBACKTITLE" --title "[ Continue? ]" --yesno "\nDownload latest supported Ubuntu Mini ISO and build the T-Pot Install Image." 8 50 +dialog --backtitle "$myBACKTITLE" --title "[ Continue? ]" --yesno "\nDownload latest supported Debian Mini ISO and build the T-Pot Install Image." 8 50 mySTART=$? if [ "$mySTART" = "1" ]; then @@ -207,18 +204,18 @@ if [ "$myCONF_PROXY_USE" == "0" ] || [ "$myCONF_PFX_USE" == "0" ] || [ "$myCONF_ echo "myCONF_NTP_CONF_FILE=\"/root/installer/ntp.conf\"" >> $myCONF_FILE fi -# Let's download Ubuntu Minimal ISO -if [ ! -f $myUBUNTUISO ] +# Let's download Debian Minimal ISO +if [ ! -f $myMINIISO ] then - wget $myUBUNTULINK --progress=dot 2>&1 | awk '{print $7+0} fflush()' | dialog --backtitle "$myBACKTITLE" --title "[ Downloading Ubuntu ... ]" --gauge "" 5 70; - echo 100 | dialog --backtitle "$myBACKTITLE" --title "[ Downloading Ubuntu ... Done! ]" --gauge "" 5 70; + wget $myMINIISOLINK --progress=dot 2>&1 | awk '{print $7+0} fflush()' | dialog --backtitle "$myBACKTITLE" --title "[ Downloading Debian ... ]" --gauge "" 5 70; + echo 100 | dialog --backtitle "$myBACKTITLE" --title "[ Downloading Debian ... Done! ]" --gauge "" 5 70; else dialog --infobox "Using previously downloaded .iso ..." 3 50; fi # Let's loop mount it and copy all contents mkdir -p $myTMP $myTPOTDIR -mount -o loop $myUBUNTUISO $myTMP +mount -o loop $myMINIISO $myTMP rsync -a $myTMP/ $myTPOTDIR umount $myTMP @@ -279,4 +276,6 @@ do fi done +dialog --clear + exit 0 diff --git a/update.sh b/update.sh index 25f90131..6d5a93f4 100755 --- a/update.sh +++ b/update.sh @@ -76,8 +76,8 @@ echo # Let's check for version function fuCHECK_VERSION () { -local myMINVERSION="18.04.0" -local myMASTERVERSION="18.11.0" +local myMINVERSION="19.03.0" +local myMASTERVERSION="19.03.0" echo echo "### Checking for version tag ..." if [ -f "version" ]; @@ -168,7 +168,8 @@ echo } function fuUPDATER () { -local myPACKAGES="apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker curl debconf-utils dialog dnsutils docker.io docker-compose dstat ethtool fail2ban genisoimage git glances grc html2text htop ifupdown iptables iw jq libcrack2 libltdl7 lm-sensors man mosh multitail net-tools npm ntp openssh-server openssl pass prips software-properties-common syslinux psmisc pv python-pip unattended-upgrades unzip vim wireless-tools wpasupplicant" +export DEBIAN_FRONTEND=noninteractive +local myPACKAGES="apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker console-setup console-setup-linux curl debconf-utils dialog dnsutils docker.io docker-compose dstat ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass prips software-properties-common syslinux psmisc pv python-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant" echo "### Now upgrading packages ..." dpkg --configure -a apt-get -y autoclean @@ -185,18 +186,17 @@ npm install "https://github.com/taskrabbit/elasticsearch-dump" -g pip install --upgrade pip hash -r pip install --upgrade elasticsearch-curator yq -wget https://github.com/bcicen/ctop/releases/download/v0.7.1/ctop-0.7.1-linux-amd64 -O /usr/bin/ctop && chmod +x /usr/bin/ctop +apt-get -y purge exim4-base mailutils +apt-mark hold exim4-base mailutils echo echo "### Now replacing T-Pot related config files on host" cp host/etc/systemd/* /etc/systemd/system/ -cp host/etc/issue /etc/ systemctl daemon-reload echo # Ensure some defaults echo "### Ensure some T-Pot defaults with regard to some folders, permissions and configs." -sed -i 's#ListenStream=9090#ListenStream=64294#' /lib/systemd/system/cockpit.socket sed -i '/^port/Id' /etc/ssh/sshd_config echo "Port 64295" >> /etc/ssh/sshd_config echo @@ -213,6 +213,7 @@ mkdir -p /data/adbhoney/downloads /data/adbhoney/log \ /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/ \ /data/glutton/log \ /data/heralding/log \ + /data/honeypy/log \ /data/mailoney/log \ /data/medpot/log \ /data/nginx/log \ @@ -234,10 +235,17 @@ echo "### Now pulling latest docker images" echo "######$myBLUE This might take a while, please be patient!$myWHITE" fuPULLIMAGES 2>&1>/dev/null -fuREMOVEOLDIMAGES "1804" +#fuREMOVEOLDIMAGES "1804" echo "### If you made changes to tpot.yml please ensure to add them again." echo "### We stored the previous version as backup in /root/." -echo "### Done, please reboot." +echo "### Some updates may need an import of the latest Kibana objects as well." +echo "### Download the latest objects here if they recently changed:" +echo "### https://raw.githubusercontent.com/dtag-dev-sec/tpotce/master/etc/objects/kibana_export.json.zip" +echo "### Export and import the objects easily through the Kibana WebUI:" +echo "### Go to Kibana > Management > Saved Objects > Export / Import" +echo "### All objects will be overwritten upon import, make sure to run an export first." +echo +echo "### Please reboot." echo } @@ -267,7 +275,7 @@ fi fuCHECK_VERSION fuCONFIGCHECK -fuCHECKINET "https://index.docker.io https://github.com https://pypi.python.org https://ubuntu.com" +fuCHECKINET "https://index.docker.io https://github.com https://pypi.python.org https://debian.org" fuSTOP_TPOT fuBACKUP fuSELFUPDATE "$0" "$@" diff --git a/version b/version index 9b7b3ce8..f8d11db7 100644 --- a/version +++ b/version @@ -1 +1 @@ -18.11.0 +19.03.0