From 06ef8850fec10164fa4aadb1e79e43d971436fa0 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Wed, 25 Aug 2021 15:04:27 +0000
Subject: [PATCH] prep for ELK 7.13.4, start full integration of new honeypots

---
 docker/elk/elasticsearch/Dockerfile | 2 +-
 docker/elk/kibana/Dockerfile | 4 ++--
 docker/elk/logstash/Dockerfile | 2 +-
 docker/elk/logstash/dist/logstash.conf | 32 ++++++++++++++++++++++++--
 4 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/docker/elk/elasticsearch/Dockerfile b/docker/elk/elasticsearch/Dockerfile
index fc8fdc8e..9926cb05 100644
--- a/docker/elk/elasticsearch/Dockerfile
+++ b/docker/elk/elasticsearch/Dockerfile
@@ -1,7 +1,7 @@
 FROM alpine:3.14
 #
 # VARS
-ENV ES_VER=7.13.2 \
+ENV ES_VER=7.13.4 \
     ES_JAVA_HOME=/usr/lib/jvm/java-16-openjdk
 # Include dist
diff --git a/docker/elk/kibana/Dockerfile b/docker/elk/kibana/Dockerfile
index 769f4063..64e1273e 100644
--- a/docker/elk/kibana/Dockerfile
+++ b/docker/elk/kibana/Dockerfile
@@ -1,7 +1,7 @@
-FROM node:14.16.1-alpine
+FROM node:14.17.2-alpine
 #
 # VARS
-ENV KB_VER=7.13.2
+ENV KB_VER=7.13.4
 #
 # Include dist
 ADD dist/ /root/dist/
diff --git a/docker/elk/logstash/Dockerfile b/docker/elk/logstash/Dockerfile
index 0ee6188f..7df4c117 100644
--- a/docker/elk/logstash/Dockerfile
+++ b/docker/elk/logstash/Dockerfile
@@ -1,7 +1,7 @@
 FROM alpine:3.14
 #
 # VARS
-ENV LS_VER=7.13.2
+ENV LS_VER=7.13.4
 # Include dist
 ADD dist/ /root/dist/
 #
diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf
index 9a02b0f0..8ba68d9d 100644
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@@ -71,6 +71,13 @@ input {
     type => "Dicompot"
   }
+# Ddospot
+  file {
+    path => ["/data/ddospot/log/*.log"]
+    codec => json
+    type => "Ddospot"
+  }
+
 # ElasticPot
   file {
     path => ["/data/elasticpot/log/elasticpot.json"]
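Review bot: The Ddospot input reads `/data/ddospot/log/*.log` with `codec => json`, while every other input stanza in this hunk names one specific file; any non-JSON `.log` file that appears in that directory will produce a `_jsonparsefailure` event per line, and the later hunk in this patch shows the pipeline dropping only `_grokparsefailure` events, so those would pass through to the output. If Ddospot writes a single JSON log, naming it explicitly, `path => ["/data/ddospot/log/<ddospot-json-log>.log"]` (placeholder name), keeps the input as narrow as its neighbours; if it genuinely writes several JSON files, a comment above the stanza stating that every file matched by the glob is JSON would document the choice. The enclosing `input { … }` block starts and ends outside the hunk.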
@@ -78,6 +85,13 @@ input {
     type => "ElasticPot"
   }
+# Endlessh
+  file {
+    path => ["/data/endlessh/log/endlessh.log"]
+    codec => plain
+    type => "Endlessh"
+  }
+
 # Glutton
   file {
     path => ["/data/glutton/log/glutton.log"]
@@ -85,6 +99,13 @@ input {
     type => "Glutton"
   }
+# Hellpot
+  file {
+    path => ["/data/hellpot/log/hellpot.log"]
+    codec => json
+    type => "Hellpot"
+  }
+
 # Heralding
   file {
     path => ["/data/heralding/log/auth.csv"]
@@ -139,6 +160,13 @@ input {
     type => "Rdpy"
   }
+# Redishoneypot
+  file {
+    path => ["/data/redishoneypot/log/redishoneypot.log"]
+    codec => json
+    type => "Redishoneypot"
+  }
+
 # Host NGINX
   file {
     path => ["/data/nginx/log/access.log"]
@@ -550,7 +578,7 @@ if "_grokparsefailure" in [tags] { drop {} }
 }
 # Add T-Pot hostname and external IP
-  if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dicompot" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeysap" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Ipphoney" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
+#  if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dicompot" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeysap" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Ipphoney" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
     mutate {
       add_field => {
         "t-pot_ip_ext" => "${MY_EXTIP}"
@@ -558,7 +586,7 @@ if "_grokparsefailure" in [tags] { drop {} }
         "t-pot_hostname" => "${MY_HOSTNAME}"
       }
     }
-  }
+#  }
 }
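Review bot: The Endlessh input is the only new stanza using `codec => plain`, so each log line arrives as an unparsed `message` string, whereas Ddospot, Hellpot and Redishoneypot are decoded as JSON; nothing in this patch adds a filter stage for `[type] == "Endlessh"`, so unless one already exists elsewhere in the file these events reach the output without any structured fields. If a grok/dissect stage is planned, a comment on the stanza such as `# plain-text log, fields extracted in the Endlessh filter section` would tie the two together; if the log is actually JSON, `codec => json` would match the other additions. The enclosing `input { … }` block starts and ends outside the hunk.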
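Review bot: Commenting out the `if [type] == "Adbhoney" or …  {` guard in the -550 hunk (and its closing brace in the -558 hunk) makes the `mutate { add_field … }` that sets `t-pot_ip_ext` and `t-pot_hostname` apply to every event the pipeline processes, not just the listed honeypot types; that incidentally covers the four types added earlier in this patch, but it also stamps the external IP and hostname onto any event from inputs that were deliberately excluded before. If the allow-list is meant to go, delete the two lines rather than leaving them as comments, since a commented-out condition directly above a live `mutate` is easy to misread as active, and extend the `# Add T-Pot hostname and external IP` comment to say the fields are now added unconditionally; if the intent was only to extend it, the condition should instead gain `or [type] == "Ddospot" or [type] == "Endlessh" or [type] == "Hellpot" or [type] == "Redishoneypot"` and the closing brace stay in place. The enclosing filter block starts before the -550 hunk and the `add_field` body continues between the two hunks.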