telekom-security/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-07-02 01:27:27 -04:00
Code Issues Packages Projects Releases Wiki Activity

cleanup, tweaking, updating

Browse Source 
make tpotinit aware of sigterm events to unload blackhole routes, firewall rules
fixes #1204 where citrixhoneypot logs use logs instead of log folder
bump ELK stack to 8.12.2
add wordpot logs to logstash pipeline
bump t-pot attackmap to 2.2.0, alpine 3.19
This commit is contained in:
t3chn0m4g3
2024-03-12 17:03:43 +01:00
parent 1da35284be
commit 540d5574d1
36 changed files with 109 additions and 4356 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
docker/elk/logstash/dist/logstash.conf vendored
View File

@ -38,7 +38,7 @@ input {
# CitrixHoneypot
file {
path => ["/data/citrixhoneypot/logs/server.log"]
path => ["/data/citrixhoneypot/log/server.log"]
codec => json
type => "CitrixHoneypot"
}
@ -182,6 +182,13 @@ input {
type => "Tanner"
}
# Wordpot
file {
path => ["/data/wordpot/log/wordpot.log"]
codec => json
type => "Wordpot"
}
}
# Filter Section
@ -620,6 +627,13 @@ filter {
}
}
# Wordpot
if [type] == "Wordpot" {
date {
match => [ "timestamp", "ISO8601" ]
}
}
# Drop if parse fails
if "_grokparsefailure" in [tags] { drop {} }
if "_jsonparsefailure" in [tags] { drop {} }
@ -639,13 +653,13 @@ if "_jsonparsefailure" in [tags] { drop {} }
cache_size => 10000
source => "src_ip"
default_database_type => "City"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-City.mmdb"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-City.mmdb"
}
geoip {
cache_size => 10000
source => "src_ip"
default_database_type => "ASN"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-ASN.mmdb"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-ASN.mmdb"
}
translate {
refresh_interval => 86400
@ -660,14 +674,14 @@ if "_jsonparsefailure" in [tags] { drop {} }
source => "t-pot_ip_ext"
target => "geoip_ext"
default_database_type => "City"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-City.mmdb"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-City.mmdb"
}
geoip {
cache_size => 10000
source => "t-pot_ip_ext"
target => "geoip_ext"
default_database_type => "ASN"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-ASN.mmdb"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-ASN.mmdb"
}
}