include tanner patterns, tweaking

2025-07-02 01:27:27 -04:00 · 2018-05-29 12:05:07 +00:00
parent 428ee43c18
commit 72313a600d
5 changed files with 243 additions and 226 deletions
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@ -395,6 +395,15 @@ filter {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
+    mutate {
+      rename => {
+        "[peer][ip]" => "src_ip"
+        "[peer][port]" => "src_port"
+      }
+      add_field => {
+        "dest_port" => "80"
+      }
+    }
  }

 # Vnclowpot 
@ -449,7 +458,7 @@ if "_grokparsefailure" in [tags] { drop {} }
  }

 # Add T-Pot hostname and external IP
-  if [type] == "Ciscoasa" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "eMobility" or [type] == "Glastopf" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Mailoney" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Vnclowpot" {
+  if [type] == "Ciscoasa" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "eMobility" or [type] == "Glastopf" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Mailoney" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" or [type] == "Vnclowpot" {
    mutate {
      add_field => {
        "t-pot_ip_ext" => "${MY_EXTIP}"
@ -475,11 +484,11 @@ output {
      }
  }
  # Debug output
-  #if [type] == "XYZ" {
-  #  stdout {
-  #    codec => rubydebug
-  #  }
-  #}
+  if [type] == "Tanner" {
+    stdout {
+      codec => rubydebug
+    }
+  }
  # Debug output
  #stdout {
  #  codec => rubydebug
--- a/etc/objects/elkbase.tgz
+++ b/etc/objects/elkbase.tgz
--- a/etc/objects/index_patterns.json
+++ b/etc/objects/index_patterns.json
--- a/etc/objects/kibana-objects.tgz
+++ b/etc/objects/kibana-objects.tgz
--- a/etc/objects/kibana.esdump.json
+++ b/etc/objects/kibana.esdump.json