# Input section
#
# Every path below is a log file written by a honeypot or sensor running next
# to this pipeline (the one exception is "Host NGINX", the host's own web
# server log). Treat every field value that leaves this section as
# attacker-influenced: it was produced in response to, or copied out of,
# traffic from an unknown remote party. Nothing here validates it; the filter
# section only normalizes field names and timestamps.
#
# Each input tags its events with `type`; the filter section keys its
# per-honeypot branch on that value (`if [type] == "..."`), so the strings
# here and there must stay in sync (note the "ConPot" spelling).
#
# `codec => json` is used wherever the honeypot writes one JSON object per
# line. Ciscoasa and Endlessh write plain text and are parsed with kv / grok
# downstream; Heralding sets no codec, so the file input's default codec
# (plain, per the plugin docs) applies and the csv filter downstream does the
# parsing.
#
# NOTE(review): no `start_position`, `sincedb_path` or `ecs_compatibility` is
# set on any input, so the file plugin's defaults apply — presumably tailing
# from the end of each file and recording read offsets in Logstash's data
# directory. Confirm that survives container restarts as intended, and that
# the plugin still emits the legacy `path` field (the Ddospot branch of the
# filter section compares `[path]` against literal file names).
input {

# Fatt
  file {
    path => ["/data/fatt/log/fatt.log"]
    codec => json
    type => "Fatt"
  }

# Suricata
  file {
    path => ["/data/suricata/log/eve.json"]
    codec => json
    type => "Suricata"
  }

# P0f
  file {
    path => ["/data/p0f/log/p0f.json"]
    codec => json
    type => "P0f"
  }

# Adbhoney
  file {
    path => ["/data/adbhoney/log/adbhoney.json"]
    codec => json
    type => "Adbhoney"
  }

# Ciscoasa
# Plain text; split into fields by the kv filter in the filter section.
  file {
    path => ["/data/ciscoasa/log/ciscoasa.log"]
    codec => plain
    type => "Ciscoasa"
  }

# CitrixHoneypot
  file {
    path => ["/data/citrixhoneypot/logs/server.log"]
    codec => json
    type => "CitrixHoneypot"
  }

# Conpot
# Glob: one JSON log per emulated protocol, all tagged with the same type.
  file {
    path => ["/data/conpot/log/*.json"]
    codec => json
    type => "ConPot"
  }

# Cowrie
  file {
    path => ["/data/cowrie/log/cowrie.json"]
    codec => json
    type => "Cowrie"
  }

# Dionaea
  file {
    path => ["/data/dionaea/log/dionaea.json"]
    codec => json
    type => "Dionaea"
  }

# Dicompot
  file {
    path => ["/data/dicompot/log/dicompot.log"]
    codec => json
    type => "Dicompot"
  }

# Ddospot
# Glob: one log per ddospot service; the filter section tells them apart by
# the `path` the event was read from.
  file {
    path => ["/data/ddospot/log/*.log"]
    codec => json
    type => "Ddospot"
  }

# ElasticPot
  file {
    path => ["/data/elasticpot/log/elasticpot.json"]
    codec => json
    type => "ElasticPot"
  }

# Endlessh
# Plain text; parsed by grok in the filter section.
  file {
    path => ["/data/endlessh/log/endlessh.log"]
    codec => plain
    type => "Endlessh"
  }

# Glutton
  file {
    path => ["/data/glutton/log/glutton.log"]
    codec => json
    type => "Glutton"
  }

# Hellpot
  file {
    path => ["/data/hellpot/log/hellpot.log"]
    codec => json
    type => "Hellpot"
  }

# Heralding
# CSV, no codec given: parsed by the csv filter in the filter section.
  file {
    path => ["/data/heralding/log/auth.csv"]
    type => "Heralding"
  }

# Honeypots
  file {
    path => ["/data/honeypots/log/*.log"]
    codec => json
    type => "Honeypots"
  }

# Honeytrap
  file {
    path => ["/data/honeytrap/log/attackers.json"]
    codec => json
    type => "Honeytrap"
  }

# Ipphoney
  file {
    path => ["/data/ipphoney/log/ipphoney.json"]
    codec => json
    type => "Ipphoney"
  }

# Log4pot
  file {
    path => ["/data/log4pot/log/log4pot.log"]
    codec => json
    type => "Log4pot"
  }

# Mailoney
  file {
    path => ["/data/mailoney/log/commands.log"]
    codec => json
    type => "Mailoney"
  }

# Medpot
  file {
    path => ["/data/medpot/log/medpot.log"]
    codec => json
    type => "Medpot"
  }

# Redishoneypot
  file {
    path => ["/data/redishoneypot/log/redishoneypot.log"]
    codec => json
    type => "Redishoneypot"
  }

# Host NGINX
# The host's own web server access log, not a honeypot.
  file {
    path => ["/data/nginx/log/access.log"]
    codec => json
    type => "NGINX"
  }

# Sentrypeer
  file {
    path => ["/data/sentrypeer/log/sentrypeer.json"]
    codec => json
    type => "Sentrypeer"
  }

# Tanner
  file {
    path => ["/data/tanner/log/tanner_report.json"]
    codec => json
    type => "Tanner"
  }

}

# Filter Section
#
# One branch per honeypot, selected on the `type` set by the matching input.
# Every branch parses the honeypot's own timestamp into @timestamp; most also
# rename endpoint fields to the canonical src_ip/src_port/dest_ip/dest_port
# and fill in whatever the honeypot does not log itself (usually dest_port
# and, via ${MY_EXTIP}, dest_ip). Field values are attacker-influenced data
# and are stored as-is; nothing below sanitizes them.
					
						
							|  |  |  | filter { | 
					
						
# Fatt
# FATT records arrive as JSON (see the input section). Canonicalize the
# endpoint fields to src_ip/dest_ip/src_port/dest_port — the names every other
# branch converges on — and prefix the per-protocol sub-objects with "fatt_",
# presumably so they do not collide with the same-named `http`/`tls`/`ssh`
# objects other sources (e.g. Suricata's eve.json) carry.
  if [type] == "Fatt" {
    date {
      # @timestamp from FATT's ISO8601 `timestamp`; the original field is kept.
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "sourceIp" => "src_ip"
	"destinationIp" => "dest_ip"
	"sourcePort" => "src_port"
	"destinationPort" => "dest_port"
        "gquic" => "fatt_gquic"
        "http" => "fatt_http"
        "rdp" => "fatt_rdp"
        "ssh" => "fatt_ssh"
        "tls" => "fatt_tls"
      }
    }
  }

# Suricata
# Suricata eve.json records. Besides the timestamp, alert events are enriched
# with a CVE id looked up from their signature id.
  if [type] == "Suricata" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    translate {
      # Re-read the dictionary once a day (value in seconds) so an updated
      # cve.yaml is picked up without a pipeline restart.
      refresh_interval => 86400
      # Only `alert` records carry [alert][signature_id]; for every other eve
      # event type there is nothing to look up and the event should pass
      # through untouched (translate skips events without the source field —
      # verify on the installed plugin version).
      source => "[alert][signature_id]"
      target => "[alert][cve_id]"
      # Trust boundary: this file is parsed as YAML by the plugin and whoever
      # can write it controls the CVE ids attached to alerts. It is maintained
      # outside this pipeline (listbot); NOTE(review): keep it read-only for
      # the Logstash user and treat it as configuration, not data.
      dictionary_path => "/etc/listbot/cve.yaml"
      # Left disabled on purpose: with no fallback, an unmapped signature id
      # simply gets no [alert][cve_id] field instead of a placeholder "-".
#      fallback => "-"
    }
  }

# P0f
# p0f JSON records: parse its slash-separated timestamp and map its
# client/server naming onto the canonical src/dest fields.
  if [type] == "P0f" {
    date {
      # "yyyy/MM/dd HH:mm:ss" carries no zone, so the date filter's default
      # timezone (the Logstash host's, unless `timezone` is set) is assumed.
      # NOTE(review): confirm p0f logs in UTC in this deployment.
      match => [ "timestamp", "yyyy'/'MM'/'dd HH:mm:ss" ]
      # Dropped only when the parse succeeds (remove_field runs on success).
      remove_field => ["timestamp"]
    }
    mutate {
      rename => {
        "server_port" => "dest_port"
        "server_ip" => "dest_ip"
        "client_port" => "src_port"
        "client_ip" => "src_ip"
      }
    }
  }

# Adbhoney
# Adbhoney JSON records already use the canonical field names; only the
# timestamp needs parsing.
  if [type] == "Adbhoney" {
    date {
      match => [ "timestamp", "ISO8601" ]
      # The redundant epoch copy is dropped only when the ISO8601 parse
      # succeeds (remove_field runs on success), so a bad `timestamp` still
      # leaves `unixtime` behind for debugging.
      remove_field => ["unixtime"]
    }
  }

# Ciscoasa
# Plain-text lines (see the input section). Judging by the kv settings below
# each line looks like "{'key': value, 'key': value, ...}" — NOTE(review):
# confirm against a sample line.
  if [type] == "Ciscoasa" {
    kv {
      # Strip the braces, quotes and whitespace that wrap keys and values so
      # the line becomes flat top-level fields (e.g. `timestamp`, used below).
      remove_char_key => " '{}"
      remove_char_value => "'{}"
      value_split => ":"
      field_split => ","
    }
    # NOTE(review): kv creates one event field per key it finds in the line,
    # and the line is honeypot output driven by attacker traffic. Anything
    # that lets an attacker influence key names can inflate the Elasticsearch
    # mapping with arbitrary field names. If the log format is fixed,
    # constrain the parser with kv's `include_keys` (or put the result under a
    # `target` object) — verify against real lines first, since dashboards
    # depend on the current field names.
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      # Ciscoasa does not log the local address; fill it from the environment.
      # ${MY_EXTIP} is resolved once, when the pipeline loads; with no default
      # given (`${MY_EXTIP:default}`) a missing variable keeps the pipeline
      # from starting — confirm the container always exports it.
      add_field => {
        "dest_ip" => "${MY_EXTIP}"
      }
    }
  }

							|  |  |  | # CitrixHoneypot | 
					
						
							|  |  |  |   if [type] == "CitrixHoneypot" { | 
					
						
							| 
									
										
										
										
											2022-01-17 14:50:50 +00:00
										 |  |  |     grok { | 
					
						
							|  |  |  |       match => { | 
					
						
							|  |  |  |         "message" => [ "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{UNIXPATH:fileinfo.filename:string}", | 
					
						
							|  |  |  | 	               "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string}", | 
					
						
							| 
									
										
										
										
											2021-12-21 11:36:38 +00:00
										 |  |  | 		       "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{S3_REQUEST_LINE:msg:string} %{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string:string}", | 
					
						
							| 
									
										
										
										
											2022-01-17 14:50:50 +00:00
										 |  |  | 		       "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{GREEDYDATA:msg:string}" ] | 
					
						
							|  |  |  |       } | 
					
						
							| 
									
										
										
										
											2021-12-21 11:36:38 +00:00
										 |  |  |     } | 
					
						
							|  |  |  |     date { | 
					
						
							|  |  |  |       match => [ "asctime", "ISO8601" ] | 
					
						
							|  |  |  |       remove_field => ["asctime"] | 
					
						
							|  |  |  |       remove_field => ["message"] | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |     mutate { | 
					
						
							|  |  |  |       add_field => { | 
					
						
							|  |  |  |         "dest_port" => "443" | 
					
						
							|  |  |  |       } | 
					
						
							|  |  |  |       rename => { | 
					
						
							|  |  |  |         "levelname" => "level" | 
					
						
							|  |  |  |       } | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |   } | 
					
						
							| 
									
										
										
										
											2022-01-17 14:50:50 +00:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-12-21 11:36:38 +00:00
# Conpot
# Conpot JSON records (note the "ConPot" type spelling set by the input).
# Only the dst_* → dest_* rename is needed to reach the canonical field names.
  if [type] == "ConPot" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "dst_port" => "dest_port"
        "dst_ip" => "dest_ip"
      }
    }
  }

# Cowrie
# Cowrie JSON records: parse the timestamp and rename dst_* → dest_*.
# Everything else (session, username/password, input, ...) is kept as Cowrie
# wrote it.
  if [type] == "Cowrie" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "dst_port" => "dest_port"
        "dst_ip" => "dest_ip"
      }
    }
  }

# Ddospot
# One JSON log per ddospot service (the *.log glob in the input section).
# Which service an event belongs to is only knowable from the file it was
# read from, so `path` selects the hard-coded listening port; dest_ip is not
# in the log and comes from the environment (resolved at pipeline load).
# An event read from a ddospot file not listed below gets neither dest_port
# nor dest_ip.
# NOTE(review): this relies on the file input populating the legacy top-level
# `path` field; with ECS compatibility enabled it would be [log][file][path]
# and none of these branches would fire — confirm the pipeline's setting.
  if [type] == "Ddospot" {
    date {
      # "yyyy-MM-dd HH:mm:ss.ffffff" without a zone: the date filter's default
      # timezone applies (NOTE(review): confirm ddospot logs in UTC).
      match => [ "time", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
      remove_field => ["time"]
    }
    # chargen
    if [path] == "/data/ddospot/log/chargenpot.log" {
      mutate {
        add_field => {
	  "dest_port" => "19"
          "dest_ip" => "${MY_EXTIP}"
	}
      }
    }
    # DNS
    if [path] == "/data/ddospot/log/dnspot.log" {
      mutate {
        add_field => {
          "dest_port" => "53"
          "dest_ip" => "${MY_EXTIP}"
        }
      }
    }
    # NTP
    if [path] == "/data/ddospot/log/ntpot.log" {
      mutate {
        add_field => {
          "dest_port" => "123"
          "dest_ip" => "${MY_EXTIP}"
        }
      }
    }
    # SSDP
    if [path] == "/data/ddospot/log/ssdpot.log" {
      mutate {
        add_field => {
          "dest_port" => "1900"
          "dest_ip" => "${MY_EXTIP}"
        }
      }
    }
  }

# Dionaea
# Dionaea JSON records: canonical endpoint names, IPv4-mapped address cleanup
# and flattening of captured credentials.
  if [type] == "Dionaea" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "dst_port" => "dest_port"
        "dst_ip" => "dest_ip"
      }
      # Addresses may carry the IPv4-mapped IPv6 prefix ("::ffff:1.2.3.4");
      # strip it so they look like every other source's plain IPv4 strings.
      # (mutate applies rename before gsub regardless of the order written
      # here, so this acts on the renamed dest_ip.)
      gsub => [
        "src_ip", "::ffff:", "",
        "dest_ip", "::ffff:", ""
      ]
    }
    # Flatten captured login attempts to top-level username/password so they
    # share the field names the other credential-collecting honeypots use.
    # These are attacker-supplied strings and are stored verbatim.
    if [credentials] {
      mutate {
        add_field => {
          "username" => "%{[credentials][username]}"
          "password" => "%{[credentials][password]}"
        }
        # NOTE(review): if [credentials] exists but lacks one of these keys,
        # the unresolved sprintf reference is presumably stored as the literal
        # string "%{[credentials][...]}" — confirm and guard if it matters.
        remove_field => "[credentials]"
      }
    }
  }

# Dicompot
# Dicompot writes capitalized JSON keys; map them to the pipeline's lowercase
# names. `Command` → `input` and `Status` → `session` are not literal
# translations; presumably chosen to line up with the fields other honeypots
# (e.g. Cowrie) use for the same concept — verify before relying on them.
  if [type] == "Dicompot" {
    date {
      # "yyyy-MM-dd HH:mm:ss" without a zone: the date filter's default
      # timezone applies (NOTE(review): confirm dicompot logs in UTC).
      match => [ "time", "yyyy-MM-dd HH:mm:ss" ]
      # Both lists apply on a successful parse: drop the parsed `time` and any
      # `timestamp` field so only @timestamp remains.
      remove_field => ["time"]
      remove_field => ["timestamp"]
    }
    mutate {
      rename => {
        "ID" => "id"
        "IP" => "src_ip"
        "Port" => "src_port"
        "AETitle" => "aetitle"
        "Command" => "input"
        "Files" => "files"
        "Identifier" => "identifier"
        "Matches" => "matches"
        "Status" => "session"
        "Version" => "version"
      }
    }
  }

# ElasticPot
# ElasticPot JSON records: canonical endpoint names plus the HTTP-ish field
# names (http.*, http_user_agent, request_method) shared with the other web
# honeypots. `message` here is ElasticPot's event kind, hence → event_type.
  if [type] == "ElasticPot" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "content_type" => "http.http_content_type"
        "dst_port" => "dest_port"
        "dst_ip" => "dest_ip"
        "message" => "event_type"
        "request" => "request_method"
        "user_agent" => "http_user_agent"
	"url" => "http.url"
      }
    }
  }

							|  |  |  | # Endlessh | 
					
						
							|  |  |  | # Example: 2021-10-29T21:08:31.026Z CLOSE host=1.2.3.4 port=12345 fd=4 time=20.015 bytes=24 | 
					
						
							|  |  |  | # Example: 2021-10-29T21:08:11.011Z ACCEPT host=1.2.3.4 port=12346 fd=4 n=1/4096 | 
					
						
							|  |  |  |   if [type] == "Endlessh" { | 
					
						
							| 
									
										
										
										
											2022-01-17 14:50:50 +00:00
										 |  |  |     grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}time=%{SECOND:duration}%{SPACE}bytes=%{NUMBER:bytes}", "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}n=%{INT}/%{INT}" ] } } | 
					
						
							| 
									
										
										
										
											2021-12-21 11:36:38 +00:00
										 |  |  |     date { | 
					
						
							|  |  |  |       match => [ "timestamp", "ISO8601" ] | 
					
						
							|  |  |  |       remove_field => ["timestamp"] | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |     mutate { | 
					
						
							|  |  |  |       add_field => { | 
					
						
							|  |  |  |         "dest_port" => "22" | 
					
						
							|  |  |  |         "dest_ip" => "${MY_EXTIP}" | 
					
						
							|  |  |  |       } | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |   } | 
					
						
							|  |  |  | 
 | 
					
						
# Glutton
# Glutton JSON records already use the canonical names; only the epoch
# timestamp needs parsing.
  if [type] == "Glutton" {
    date {
      # `ts` is a UNIX epoch (seconds); dropped once parsed into @timestamp.
      match => [ "ts", "UNIX" ]
      remove_field => ["ts"]
    }
  }

# Hellpot
# Hellpot JSON records use upper-case keys; map them to the pipeline's names
# and fill in the local endpoint, which Hellpot does not log.
  if [type] == "Hellpot" {
    date {
      match => [ "time", "ISO8601" ]
      # Both lists apply on a successful parse: drop the parsed `time` and any
      # `timestamp` field so only @timestamp remains.
      remove_field => ["time"]
      remove_field => ["timestamp"]
    }
    mutate {
      # dest_port is hard-coded; dest_ip comes from the environment (resolved
      # at pipeline load). mutate applies its operations in a fixed documented
      # order, so writing add_field before rename changes nothing.
      add_field => {
        "dest_port" => "80"
        "dest_ip" => "${MY_EXTIP}"
      }
      rename => {
        "BYTES" => "bytes"
        "DURATION" => "duration"
        "REMOTE_ADDR" => "src_ip"
        "URL" => "url"
        "USERAGENT" => "http_user_agent"
        "message" => "reason"
      }
    }
  }

# Heralding
# auth.csv is comma-separated (no codec on the input); assign the columns
# positionally. The username/password columns are the credentials attackers
# tried and are stored verbatim.
  if [type] == "Heralding" {
    csv {
      # NOTE(review): if the file begins with a header row, that row is parsed
      # as an event too — its "timestamp" cell fails the date match below and
      # the event is tagged _dateparsefailure. csv's `skip_header` option
      # would drop it; verify against a freshly rotated log before enabling.
      columns => ["timestamp","auth_id","session_id","src_ip","src_port","dest_ip","dest_port","proto","username","password"] separator => ","
    }
    date {
      # "yyyy-MM-dd HH:mm:ss.ffffff" without a zone: the date filter's default
      # timezone applies (NOTE(review): confirm heralding logs in UTC).
      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
      remove_field => ["timestamp"]
    }
  }

# Honeypots
# "honeypots" JSON records are taken as-is apart from the timestamp.
  if [type] == "Honeypots" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }

# Honeytrap
# Honeytrap nests the endpoints under `attack_connection`; lift them to the
# canonical top-level src/dest fields.
  if [type] == "Honeytrap" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "[attack_connection][local_port]" => "dest_port"
        "[attack_connection][local_ip]" => "dest_ip"
        "[attack_connection][remote_port]" => "src_port"
        "[attack_connection][remote_ip]" => "src_ip"
      }
    }
  }

# Ipphoney
# Ipphoney JSON records: canonical endpoint names plus the HTTP-ish field
# names shared with the other web honeypots. `query` is prefixed to keep the
# IPP query apart from same-named fields elsewhere; `operation` → `data` is
# not a literal translation (presumably aligns with other honeypots — verify).
  if [type] == "Ipphoney" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
	"query" => "ipp_query"
        "content_type" => "http.http_content_type"
        "dst_port" => "dest_port"
        "dst_ip" => "dest_ip"
        "request" => "request_method"
        "operation" => "data"
        "user_agent" => "http_user_agent"
        "url" => "http.url"
      }
    }
  }

# Log4pot
# Log4pot JSON records: map its request/client/port naming to the canonical
# fields. `request` holds the requested URI (the attacker's JNDI probe
# typically lives in it), hence → request_uri.
# NOTE(review): unlike most branches above, no dest_ip is filled in here;
# confirm Log4pot logs one itself or that the dashboards do not need it.
  if [type] == "Log4pot" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "request" => "request_uri"
        "server_port" => "dest_port"
        "port" => "src_port"
        "client" => "src_ip"
      }
    }
  }

# Mailoney
# SMTP honeypot. The event carries no destination port, so the listener port
# is added statically; it is coerced to integer by the convert section later.
  if [type] == "Mailoney" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      add_field => { "dest_port" => "25" }
    }
  }

# Medpot
# HL7/MLLP honeypot. Destination port and address are not in the event and are
# filled in statically; dest_ip comes from the sensor's MY_EXTIP environment.
  if [type] == "Medpot" {
    mutate {
      add_field => {
        "dest_port" => "2575"
        "dest_ip" => "${MY_EXTIP}"
      }
    }
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }

							|  |  |  | # Redishoneypot | 
					
						
							|  |  |  |   if [type] == "Redishoneypot" { | 
					
						
							|  |  |  |     date { | 
					
						
							|  |  |  |       match => [ "time", "yyyy-MM-dd HH:mm:ss" ] | 
					
						
							|  |  |  |       remove_field => ["time"] | 
					
						
							|  |  |  |       remove_field => ["timestamp"] | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |     mutate { | 
					
						
							|  |  |  |       split => { "addr" => ":" } | 
					
						
							| 
									
										
										
										
											2022-01-17 14:50:50 +00:00
										 |  |  |       add_field => { | 
					
						
							|  |  |  |         "src_ip" => "%{[addr][0]}" | 
					
						
							| 
									
										
										
										
											2021-12-21 11:36:38 +00:00
										 |  |  |         "src_port" => "%{[addr][1]}" | 
					
						
							|  |  |  |         "dest_port" => "6379" | 
					
						
							|  |  |  |         "dest_ip" => "${MY_EXTIP}" | 
					
						
							|  |  |  |       } | 
					
						
							|  |  |  |       remove_field => ["addr"] | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |   } | 
					
						
							|  |  |  | 
# NGINX
# Access log of the sensor's own web server. "request" is renamed so the raw
# request line is kept apart from the generic [request] handling at the end of
# the filter section.
  if [type] == "NGINX" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "request" => "request_data"
      }
    }
  }

# Sentrypeer
# SIP honeypot. Maps its source_ip / destination_ip to the shared names and adds
# the static SIP listener port.
  if [type] == "Sentrypeer" {
    # Pattern has nanosecond digits; Logstash keeps millisecond precision, the
    # remaining digits are consumed by the parser. No zone offset in the pattern,
    # so the Logstash host's timezone is assumed - set `timezone` if the source
    # logs UTC. remove_field only runs on a successful parse.
    date {
      match => [ "event_timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSSSSS" ]
      remove_field => ["event_timestamp"]
    }
    mutate {
      rename => {
        "source_ip" => "src_ip"
        "destination_ip" => "dest_ip"
      }
      add_field => { "dest_port" => "5060" }
    }
  }

# Tanner
# Web honeypot (SNARE/Tanner). The client address is nested under "peer";
# lift it to the shared src_ip / src_port fields and add the static HTTP port.
  if [type] == "Tanner" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "[peer][ip]" => "src_ip"
        "[peer][port]" => "src_port"
      }
      add_field => { "dest_port" => "80" }
    }
  }

# Drop if parse fails
# Events the grok filter or the json codec could not parse are discarded rather
# than indexed. NOTE(review): this also discards the raw payload, so malformed
# (including deliberately malformed) input leaves no trace in the index -
# tagging and routing such events to a separate index keeps that visibility.
if "_grokparsefailure" in [tags] { drop {} }
if "_jsonparsefailure" in [tags] { drop {} }

# Add T-Pot hostname and external IP
# Stamps every event with the identity of the sensor that produced it. Values
# come from the container environment, so they are per-sensor, not per-event.
  mutate {
    add_field => {
      "t-pot_ip_ext" => "${MY_EXTIP}"
      "t-pot_ip_int" => "${MY_INTIP}"
      "t-pot_hostname" => "${MY_HOSTNAME}"
    }
  }

# Add geo coordinates / ASN info / IP rep.
# Enrichment of the attacker address (src_ip) and of the sensor's own external
# address (t-pot_ip_ext). Runs after every per-type section so all types that
# produce src_ip are covered.
  if [src_ip] {
    # City and ASN lookups are two separate geoip instances; neither sets a
    # target, so both presumably write into the filter's default target and the
    # City and ASN fields end up side by side. The bundled GeoLite2 databases
    # are used; the explicit paths below are kept commented for reference.
    geoip {
      cache_size => 10000
      source => "src_ip"
      default_database_type => "City"
#      database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-City.mmdb"
    }
    geoip {
      cache_size => 10000
      source => "src_ip"
      default_database_type => "ASN"
#      database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-ASN.mmdb"
    }
    # IP reputation: exact-match lookup of src_ip in a YAML dictionary that is
    # re-read once a day (86400 s). Events whose address is not listed simply
    # get no ip_rep field.
    translate {
      refresh_interval => 86400
      source => "src_ip"
      target => "ip_rep"
      dictionary_path => "/etc/listbot/iprep.yaml"
    }
  }
  # Same City + ASN lookups for the sensor itself, kept under a separate
  # target so they never collide with the attacker's geoip data.
  if [t-pot_ip_ext]  {
    geoip {
      cache_size => 10000
      source => "t-pot_ip_ext"
      target => "geoip_ext"
      default_database_type => "City"
#      database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-City.mmdb"
    }
    geoip {
      cache_size => 10000
      source => "t-pot_ip_ext"
      target => "geoip_ext"
      default_database_type => "ASN"
#      database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-ASN.mmdb"
    }
  }

# In some rare conditions dest_port, src_port, status are indexed as string, forcing integer for now
# Runs after every per-type section, so it also covers the static dest_port
# values added above ("25", "2575", "6379", "5060", "80"), which add_field
# writes as strings.
  if [dest_port] {
    mutate {
        convert => { "dest_port" => "integer" }
    }
  }
  if [src_port] {
    mutate {
        convert => { "src_port" => "integer" }
    }
  }
  if [status] {
    mutate {
        convert => { "status" => "integer" }
    }
  }
  # Opposite direction: keep id and request as strings so a numeric-looking
  # value cannot change the field's mapping.
  if [id] {
    mutate {
        convert => { "id" => "string" }
    }
  }
  # NOTE(review): several types have already renamed their "request" field by
  # this point (request_uri for Log4pot, request_data for NGINX,
  # request_method in the section above), so this only affects types that
  # still carry a literal [request].
  if [request] {
    mutate {
        convert => { "request" => "string" }
    }
  }

							|  |  |  | } | 
					
						
							|  |  |  | 
# Output section
# Ships every event to the T-Pot hive over HTTPS as batched JSON.
output {
    http {
      http_method => "post"
      # Compress request bodies; the JSON batches compress well.
      http_compression => true
      # Plugin id is taken from the sensor hostname so this output is
      # recognisable in Logstash's own logs and monitoring API.
      id => "${MY_HOSTNAME}"
      codec => "json"
      # json_batch sends many events per request instead of one POST per event.
      format => "json_batch"
      url => "https://${TPOT_HIVE_IP}:64294"
      # The hive's certificate is validated against this file rather than the
      # system trust store; it must be updated when the hive certificate rotates.
      cacert => "/data/hive.crt"
      # TPOT_HIVE_USER is pasted verbatim after "Basic ", so it has to hold the
      # already base64-encoded "user:password" token, not the raw credentials.
      headers => {
        "Authorization" => "Basic ${TPOT_HIVE_USER}"
      }
    }
}