cleanup, tweaking, updating

make tpotinit aware of sigterm events to unload blackhole routes, firewall rules
fixes #1204 where the citrixhoneypot log path pointed at the logs folder instead of the log folder
bump ELK stack to 8.12.2
add wordpot logs to logstash pipeline
bump t-pot attackmap to 2.2.0, alpine 3.19
This commit is contained in:
t3chn0m4g3
2024-03-12 17:03:43 +01:00
parent 1da35284be
commit 540d5574d1
36 changed files with 109 additions and 4356 deletions


@ -26,7 +26,7 @@ services:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:alpha"
volumes:
- /data:/data
- $HOME/tpotce/data:/data
## Kibana service
kibana:
@ -37,6 +37,7 @@ services:
depends_on:
elasticsearch:
condition: service_healthy
mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:alpha"
@ -51,11 +52,9 @@ services:
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/logstash:alpha"
volumes:
- /data:/data
- $HOME/tpotce/data:/data
# - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf
# Map Redis Service
@ -76,8 +75,6 @@ services:
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
@ -92,8 +89,6 @@ services:
restart: always
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:alpha"
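Review bot: The new bind mounts `$HOME/tpotce/data:/data` are interpolated by Compose from the environment of whoever invokes it, so when the stack is started by a service manager or through sudo with a reset environment HOME is empty and the mount silently becomes `/tpotce/data:/data`, which Docker will create as a fresh empty directory; `${HOME:?HOME must be set}` (or a dedicated data-path variable) makes that case fail loudly instead. The same mapping is used in the elasticsearch and logstash compose files later in this commit, and the commented-out mounts in the logstash file read `/$HOME/tpotce/...`, which would yield a double leading slash if re-enabled. Dropping `env_file` from the two map services (also done in the map compose file below) is not covered by the description; if the 2.2.0 image no longer reads anything from `/opt/tpot/etc/compose/elk_environment`, a one-line comment saying so would save the next reader from re-adding it. The service definitions in these hunks start outside the hunk.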


@ -1,7 +1,7 @@
FROM ubuntu:22.04
#
# VARS
ENV ES_VER=8.6.2
ENV ES_VER=8.12.2
#
# Include dist
COPY dist/ /root/dist/


@ -26,4 +26,4 @@ services:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:alpha"
volumes:
- /data:/data
- $HOME/tpotce/data:/data


@ -1,7 +1,7 @@
FROM ubuntu:22.04
#
# VARS
ENV KB_VER=8.6.2
ENV KB_VER=8.12.2
# Include dist
COPY dist/ /root/dist/
#


@ -1,7 +1,7 @@
FROM ubuntu:22.04
#
# VARS
ENV LS_VER=8.6.2
ENV LS_VER=8.12.2
# Include dist
COPY dist/ /root/dist/
#


@ -38,7 +38,7 @@ input {
# CitrixHoneypot
file {
path => ["/data/citrixhoneypot/logs/server.log"]
path => ["/data/citrixhoneypot/log/server.log"]
codec => json
type => "CitrixHoneypot"
}
@ -182,6 +182,13 @@ input {
type => "Tanner"
}
# Wordpot
file {
path => ["/data/wordpot/log/wordpot.log"]
codec => json
type => "Wordpot"
}
}
# Filter Section
@ -620,6 +627,13 @@ filter {
}
}
# Wordpot
if [type] == "Wordpot" {
date {
match => [ "timestamp", "ISO8601" ]
}
}
# Drop if parse fails
if "_grokparsefailure" in [tags] { drop {} }
if "_jsonparsefailure" in [tags] { drop {} }
@ -639,13 +653,13 @@ if "_jsonparsefailure" in [tags] { drop {} }
cache_size => 10000
source => "src_ip"
default_database_type => "City"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-City.mmdb"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-City.mmdb"
}
geoip {
cache_size => 10000
source => "src_ip"
default_database_type => "ASN"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-ASN.mmdb"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-ASN.mmdb"
}
translate {
refresh_interval => 86400
@ -660,14 +674,14 @@ if "_jsonparsefailure" in [tags] { drop {} }
source => "t-pot_ip_ext"
target => "geoip_ext"
default_database_type => "City"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-City.mmdb"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-City.mmdb"
}
geoip {
cache_size => 10000
source => "t-pot_ip_ext"
target => "geoip_ext"
default_database_type => "ASN"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-ASN.mmdb"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-ASN.mmdb"
}
}
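Review bot: The new Wordpot filter only runs `date { match => [ "timestamp", "ISO8601" ] }`; an event whose `timestamp` is missing or not ISO8601 gets the date filter's default `_dateparsefailure` tag, which the `# Drop if parse fails` block right after it does not drop, so such events are indexed with `@timestamp` set to ingest time and skew the attack timeline. Worth confirming against the actual wordpot log format (not visible here) and, if the field carries no UTC offset, adding an explicit `timezone` to the date filter. The same two hunks are repeated in the second logstash.conf below, so both copies need to stay in sync. The enclosing `input {}` and `filter {}` blocks start and end outside these hunks.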


@ -38,7 +38,7 @@ input {
# CitrixHoneypot
file {
path => ["/data/citrixhoneypot/logs/server.log"]
path => ["/data/citrixhoneypot/log/server.log"]
codec => json
type => "CitrixHoneypot"
}
@ -182,6 +182,13 @@ input {
type => "Tanner"
}
# Wordpot
file {
path => ["/data/wordpot/log/wordpot.log"]
codec => json
type => "Wordpot"
}
}
# Filter Section
@ -620,6 +627,13 @@ filter {
}
}
# Wordpot
if [type] == "Wordpot" {
date {
match => [ "timestamp", "ISO8601" ]
}
}
# Drop if parse fails
if "_grokparsefailure" in [tags] { drop {} }
if "_jsonparsefailure" in [tags] { drop {} }
@ -639,13 +653,13 @@ if "_jsonparsefailure" in [tags] { drop {} }
cache_size => 10000
source => "src_ip"
default_database_type => "City"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-City.mmdb"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-City.mmdb"
}
geoip {
cache_size => 10000
source => "src_ip"
default_database_type => "ASN"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-ASN.mmdb"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-ASN.mmdb"
}
translate {
refresh_interval => 86400
@ -660,14 +674,14 @@ if "_jsonparsefailure" in [tags] { drop {} }
source => "t-pot_ip_ext"
target => "geoip_ext"
default_database_type => "City"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-City.mmdb"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-City.mmdb"
}
geoip {
cache_size => 10000
source => "t-pot_ip_ext"
target => "geoip_ext"
default_database_type => "ASN"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-ASN.mmdb"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-ASN.mmdb"
}
}


@ -12,13 +12,11 @@ services:
# depends_on:
# elasticsearch:
# condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
ports:
- "127.0.0.1:64305:64305"
image: "dtagdevsec/logstash:alpha"
volumes:
- /data:/data
# - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf
# - /root/tpotce/docker/elk/logstash/dist/http.conf:/etc/logstash/conf.d/http.conf
# - /root/tpotce/docker/elk/logstash/dist/logstash.yml:/etc/logstash/conf.d/logstash.yml
- $HOME/tpotce/data:/data
# - /$HOME/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf
# - /$HOME/tpotce/docker/elk/logstash/dist/http.conf:/etc/logstash/conf.d/http.conf
# - /$HOME/tpotce/docker/elk/logstash/dist/logstash.yml:/etc/logstash/conf.d/logstash.yml


@ -1,29 +1,23 @@
FROM alpine:3.17
#
# Include dist
#COPY dist/ /root/dist/
FROM alpine:3.19
#
# Install packages
RUN apk -U --no-cache add \
build-base \
git \
libcap \
py3-pip \
python3 \
python3-dev \
tzdata && \
build-base \
git \
libcap \
py3-pip \
python3 \
python3-dev \
tzdata && \
#
# Install from GitHub and setup
mkdir -p /opt && \
cd /opt/ && \
git clone https://github.com/t3chn0m4g3/t-pot-attack-map -b 2.1.0 && \
git clone https://github.com/t3chn0m4g3/t-pot-attack-map -b 2.2.0 && \
cd t-pot-attack-map && \
# git checkout eaf8d123d72a62e4c12093e4e8487e10e6ef60f3 && \
# git branch -a && \
# git checkout multi && \
pip3 install --upgrade pip && \
pip3 install -r requirements.txt && \
setcap cap_net_bind_service=+ep /usr/bin/python3.10 && \
pip3 install --break-system-packages --upgrade pip && \
pip3 install --break-system-packages -r requirements.txt && \
setcap cap_net_bind_service=+ep $(readlink -f $(type -P python3)) && \
#
# Setup user, groups and configs
addgroup -g 2000 map && \
@ -32,8 +26,8 @@ RUN apk -U --no-cache add \
#
# Clean up
apk del --purge build-base \
git \
python3-dev && \
git \
python3-dev && \
rm -rf /root/* /var/cache/apk/* /opt/t-pot-attack-map/.git
#
# Start T-Pot-Attack-Map
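Review bot: `git clone https://github.com/t3chn0m4g3/t-pot-attack-map -b 2.2.0` pins the build to a tag or branch name that can be moved or re-pushed, while the commented-out `git checkout <sha>` line shows the stronger pattern; since this image grants `cap_net_bind_service` to whatever `python3` resolves to, verifying the checked-out commit hash after the clone is a cheap supply-chain check. `$(type -P python3)` relies on a bash option that busybox ash only tolerates as a generic "print path" flag; `$(command -v python3)` is the portable spelling. `pip3 install --break-system-packages --upgrade pip` overwrites the apk-managed pip in the system interpreter, so consider dropping the pip self-upgrade or installing the requirements into a venv. The RUN instruction continues past the end of the hunk.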


@ -1,2 +0,0 @@
#!/bin/ash
sed -i "s/var hqLatLng = new L.LatLng(52.3058, 4.932);/var hqLatLng = new L.LatLng($MY_EXTIP_LAT, $MY_EXTIP_LONG);/g" /opt/geoip-attack-map/static/map.js


@ -21,8 +21,6 @@ services:
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
@ -37,8 +35,8 @@ services:
restart: always
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
# - TPOT_ATTACKMAP_TEXT=${TPOT_ATTACKMAP_TEXT}
# - TZ=${TPOT_ATTACKMAP_TEXT_TIMEZONE}
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:alpha"