From fbf4ca00a3f94d016977140f5b0d6976768dbc5f Mon Sep 17 00:00:00 2001
From: Sebastian Haderecker
Date: Wed, 10 Apr 2019 10:52:57 +0000
Subject: [PATCH] Added custom ews.cfg Playbook

---
 cloud/ansible/custom_ews.yaml | 11 ++
 .../ansible/roles/custom_ews/tasks/main.yaml | 17 +++
 .../roles/custom_ews/templates/ews.cfg | 137 ++++++++++++++++++
 3 files changed, 165 insertions(+)
 create mode 100644 cloud/ansible/custom_ews.yaml
 create mode 100644 cloud/ansible/roles/custom_ews/tasks/main.yaml
 create mode 100644 cloud/ansible/roles/custom_ews/templates/ews.cfg

diff --git a/cloud/ansible/custom_ews.yaml b/cloud/ansible/custom_ews.yaml
new file mode 100644
index 00000000..f9a81c06
--- /dev/null
+++ b/cloud/ansible/custom_ews.yaml
@@ -0,0 +1,11 @@
+# This playbook sets a custom EWS config on the T-Pot
+
+- hosts: TPOT
+  remote_user: linux
+  become: yes
+  become_user: root
+  become_method: sudo
+  gather_facts: no
+
+  roles:
+    - custom_ews
diff --git a/cloud/ansible/roles/custom_ews/tasks/main.yaml b/cloud/ansible/roles/custom_ews/tasks/main.yaml
new file mode 100644
index 00000000..54e5afd4
--- /dev/null
+++ b/cloud/ansible/roles/custom_ews/tasks/main.yaml
@@ -0,0 +1,17 @@
+- name: Waiting for SSH connection
+  wait_for_connection:
+    timeout: 300
+
+- name: Gathering Facts
+  setup:
+
+- name: Install ews configuration file
+  template:
+    src: ../templates/ews.cfg
+    dest: /data/ews/conf
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Patching tpot.yml
+  raw: sed -i '/\/opt\/ewsposter\/ews.ip/a\\ \ \ \ \ - /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg' /opt/tpot/etc/tpot.yml
diff --git a/cloud/ansible/roles/custom_ews/templates/ews.cfg b/cloud/ansible/roles/custom_ews/templates/ews.cfg
new file mode 100644
index 00000000..b153d2fc
--- /dev/null
+++ b/cloud/ansible/roles/custom_ews/templates/ews.cfg
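Review bot: `become: yes` and `gather_facts: no` in the play header are YAML 1.1 truthy words rather than canonical booleans; Ansible accepts them, but yamllint's truthy rule flags them and generic YAML parsers disagree on them, so `become: true` and `gather_facts: false` are the safer spelling. The file also has no `---` document-start marker, which Ansible's style conventions expect (the new tasks file omits it as well). Both are style points only; the play itself reads correctly.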
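Review bot: The `raw: sed -i ... /a\\ ...` task at the end is not idempotent: each run of the playbook appends another `- /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg` line after the ews.ip entry in /opt/tpot/etc/tpot.yml, so a second run leaves duplicate volume mounts. `lineinfile` with `insertafter` makes the same edit exactly once and reports changed/ok correctly, and `raw` is not needed once the `setup` task has run. Two smaller points on the template task: `dest: /data/ews/conf` names a directory while the mount line expects the file `/data/ews/conf/ews.cfg`, which only lines up if that directory already exists on the host, so `dest: /data/ews/conf/ews.cfg` would be unambiguous; and because the rendered file carries the EWS `token`, `mode: "0640"` (quoted, to sidestep the unquoted-octal trap) may be preferable to world-readable `0644` — whether the ewsposter container can still read it depends on the uid it runs as, which is not visible here.
```yaml
- name: Patching tpot.yml
  lineinfile:
    path: /opt/tpot/etc/tpot.yml
    insertafter: '/opt/ewsposter/ews.ip'
    line: '     - /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg'
```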
@@ -0,0 +1,137 @@
+[MAIN]
+homedir = /opt/ewsposter/
+spooldir = /opt/ewsposter/spool/
+logdir = /opt/ewsposter/log/
+del_malware_after_send = false
+send_malware = true
+sendlimit = 500
+contact = your_email_address
+proxy =
+ip =
+
+[EWS]
+ews = true
+username = your_username
+token = your_token
+rhost_first = https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage
+rhost_second = https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage
+ignorecert = false
+
+[HPFEED]
+hpfeed = false
+host = 0.0.0.0
+port = 0
+channels = 0
+ident = 0
+secret= 0
+# path/to/certificate for tls broker - or "false" for non-tls broker
+tlscert = false
+# hpfeeds submission format: "ews" (xml) or "json"
+hpfformat = json
+
+[EWSJSON]
+json = false
+jsondir = /data/ews/json/
+
+[GLASTOPFV3]
+glastopfv3 = true
+nodeid = glastopfv3-{{ HPNAME }}
+sqlitedb = /data/glastopf/db/glastopf.db
+malwaredir = /data/glastopf/data/files/
+
+[GLASTOPFV2]
+glastopfv2 = false
+nodeid =
+mysqlhost =
+mysqldb =
+mysqluser =
+mysqlpw =
+malwaredir =
+
+[KIPPO]
+kippo = false
+nodeid =
+mysqlhost =
+mysqldb =
+mysqluser =
+mysqlpw =
+malwaredir =
+
+[COWRIE]
+cowrie = true
+nodeid = cowrie-{{ HPNAME }}
+logfile = /data/cowrie/log/cowrie.json
+
+[DIONAEA]
+dionaea = true
+nodeid = dionaea-{{ HPNAME }}
+malwaredir = /data/dionaea/binaries/
+sqlitedb = /data/dionaea/log/dionaea.sqlite
+
+[HONEYTRAP]
+honeytrap = true
+nodeid = honeytrap-{{ HPNAME }}
+newversion = true
+payloaddir = /data/honeytrap/attacks/
+attackerfile = /data/honeytrap/log/attacker.log
+
+[RDPDETECT]
+rdpdetect = false
+nodeid =
+iptableslog =
+targetip =
+
+[EMOBILITY]
+eMobility = false
+nodeid = emobility-{{ HPNAME }}
+logfile = /data/emobility/log/centralsystemEWS.log
+
+[CONPOT]
+conpot = true
+nodeid = conpot-{{ HPNAME }}
+logfile = /data/conpot/log/conpot*.json
+
+[ELASTICPOT]
+elasticpot = true
+nodeid = elasticpot-{{ HPNAME }}
+logfile = /data/elasticpot/log/elasticpot.log
+
+[SURICATA]
+suricata = true
+nodeid = suricata-{{ HPNAME }}
+logfile = /data/suricata/log/eve.json
+
+[MAILONEY]
+mailoney = true
+nodeid = mailoney-{{ HPNAME }}
+logfile = /data/mailoney/log/commands.log
+
+[RDPY]
+rdpy = true
+nodeid = rdpy-{{ HPNAME }}
+logfile = /data/rdpy/log/rdpy.log
+
+[VNCLOWPOT]
+vnclowpot = true
+nodeid = vnclowpot-{{ HPNAME }}
+logfile = /data/vnclowpot/log/vnclowpot.log
+
+[HERALDING]
+heralding = true
+nodeid = heralding-{{ HPNAME }}
+logfile = /data/heralding/log/auth.csv
+
+[CISCOASA]
+ciscoasa = true
+nodeid = ciscoasa-{{ HPNAME }}
+logfile = /data/ciscoasa/log/ciscoasa.log
+
+[TANNER]
+tanner = true
+nodeid = tanner-{{ HPNAME }}
+logfile = /data/tanner/log/tanner_report.json
+
+[GLUTTON]
+glutton = true
+nodeid = glutton-{{ HPNAME }}
+logfile = /data/glutton/log/glutton.log
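Review bot: `username = your_username`, `token = your_token` and `contact = your_email_address` in the [MAIN]/[EWS] sections are literal placeholders, so the role installs a config with a dummy token unless someone edits the template in the repository — which is also where a real token would then end up committed. Since the file is already rendered through Jinja (the `nodeid` lines use `{{ HPNAME }}`), those three values could be variables instead, e.g. `username = {{ ews_username }}` and `token = {{ ews_token }}` (names illustrative), supplied from group_vars or an Ansible Vault file. A short header comment such as `# rendered by the custom_ews role; HPNAME and the EWS credentials come from the inventory` would tell the next reader where the values are meant to come from.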