mirror of
https://github.com/telekom-security/tpotce.git
synced 2025-07-02 01:27:27 -04:00
prepare for new attack map feature
tweaking, cleanup
This commit is contained in:
t3chn0m4g3
31
docker/elk/logstash/dist/http_output.conf
vendored
31
docker/elk/logstash/dist/http_output.conf
vendored
@ -664,6 +664,14 @@ filter {
|
||||
if "_grokparsefailure" in [tags] { drop {} }
|
||||
if "_jsonparsefailure" in [tags] { drop {} }
|
||||
|
||||
# Add T-Pot hostname and external IP
|
||||
mutate {
|
||||
add_field => {
|
||||
"t-pot_ip_ext" => "${MY_EXTIP}"
|
||||
"t-pot_ip_int" => "${MY_INTIP}"
|
||||
"t-pot_hostname" => "${MY_HOSTNAME}"
|
||||
}
|
||||
}
|
||||
|
||||
# Add geo coordinates / ASN info / IP rep.
|
||||
if [src_ip] {
|
||||
@ -684,6 +692,20 @@ if "_jsonparsefailure" in [tags] { drop {} }
|
||||
dictionary_path => "/etc/listbot/iprep.yaml"
|
||||
}
|
||||
}
|
||||
if [t-pot_ip_ext] {
|
||||
geoip {
|
||||
cache_size => 10000
|
||||
source => "t-pot_ip_ext"
|
||||
target => "geoip_ext"
|
||||
database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.8-java/vendor/GeoLite2-City.mmdb"
|
||||
}
|
||||
geoip {
|
||||
cache_size => 10000
|
||||
source => "t-pot_ip_ext"
|
||||
target => "geoip_ext"
|
||||
database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.8-java/vendor/GeoLite2-ASN.mmdb"
|
||||
}
|
||||
}
|
||||
|
||||
# In some rare conditions dest_port, src_port, status are indexed as string, forcing integer for now
|
||||
if [dest_port] {
|
||||
@ -712,15 +734,6 @@ if "_jsonparsefailure" in [tags] { drop {} }
|
||||
}
|
||||
}
|
||||
|
||||
# Add T-Pot hostname and external IP
|
||||
mutate {
|
||||
add_field => {
|
||||
"t-pot_ip_ext" => "${MY_EXTIP}"
|
||||
"t-pot_ip_int" => "${MY_INTIP}"
|
||||
"t-pot_hostname" => "${MY_HOSTNAME}"
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
# Output section
|
||||
|
||||
31
docker/elk/logstash/dist/logstash.conf
vendored
31
docker/elk/logstash/dist/logstash.conf
vendored
@ -664,6 +664,14 @@ filter {
|
||||
if "_grokparsefailure" in [tags] { drop {} }
|
||||
if "_jsonparsefailure" in [tags] { drop {} }
|
||||
|
||||
# Add T-Pot hostname and external IP
|
||||
mutate {
|
||||
add_field => {
|
||||
"t-pot_ip_ext" => "${MY_EXTIP}"
|
||||
"t-pot_ip_int" => "${MY_INTIP}"
|
||||
"t-pot_hostname" => "${MY_HOSTNAME}"
|
||||
}
|
||||
}
|
||||
|
||||
# Add geo coordinates / ASN info / IP rep.
|
||||
if [src_ip] {
|
||||
@ -684,6 +692,20 @@ if "_jsonparsefailure" in [tags] { drop {} }
|
||||
dictionary_path => "/etc/listbot/iprep.yaml"
|
||||
}
|
||||
}
|
||||
if [t-pot_ip_ext] {
|
||||
geoip {
|
||||
cache_size => 10000
|
||||
source => "t-pot_ip_ext"
|
||||
target => "geoip_ext"
|
||||
database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.8-java/vendor/GeoLite2-City.mmdb"
|
||||
}
|
||||
geoip {
|
||||
cache_size => 10000
|
||||
source => "t-pot_ip_ext"
|
||||
target => "geoip_ext"
|
||||
database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.8-java/vendor/GeoLite2-ASN.mmdb"
|
||||
}
|
||||
}
|
||||
|
||||
# In some rare conditions dest_port, src_port, status are indexed as string, forcing integer for now
|
||||
if [dest_port] {
|
||||
@ -712,15 +734,6 @@ if "_jsonparsefailure" in [tags] { drop {} }
|
||||
}
|
||||
}
|
||||
|
||||
# Add T-Pot hostname and external IP
|
||||
mutate {
|
||||
add_field => {
|
||||
"t-pot_ip_ext" => "${MY_EXTIP}"
|
||||
"t-pot_ip_int" => "${MY_INTIP}"
|
||||
"t-pot_hostname" => "${MY_HOSTNAME}"
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
# Output section
|
||||
|
||||
55
docker/elk/logstash/dist/logstash.sh
vendored
55
docker/elk/logstash/dist/logstash.sh
vendored
@ -1,55 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Let's ensure normal operation on exit or if interrupted ...
|
||||
function fuCLEANUP {
|
||||
exit 0
|
||||
}
|
||||
trap fuCLEANUP EXIT
|
||||
|
||||
# Check internet availability
|
||||
function fuCHECKINET () {
|
||||
mySITES=$1
|
||||
error=0
|
||||
for i in $mySITES;
|
||||
do
|
||||
curl --connect-timeout 5 -Is $i 2>&1 > /dev/null
|
||||
if [ $? -ne 0 ];
|
||||
then
|
||||
let error+=1
|
||||
fi;
|
||||
done;
|
||||
echo $error
|
||||
}
|
||||
|
||||
# Check for connectivity and download latest translation maps
|
||||
myCHECK=$(fuCHECKINET "listbot.sicherheitstacho.eu")
|
||||
if [ "$myCHECK" == "0" ];
|
||||
then
|
||||
echo "Connection to Listbot looks good, now downloading latest translation maps."
|
||||
cd /etc/listbot
|
||||
aria2c -s16 -x 16 https://listbot.sicherheitstacho.eu/cve.yaml.bz2 && \
|
||||
aria2c -s16 -x 16 https://listbot.sicherheitstacho.eu/iprep.yaml.bz2 && \
|
||||
bunzip2 -f *.bz2
|
||||
cd /
|
||||
else
|
||||
echo "Cannot reach Listbot, starting Logstash without latest translation maps."
|
||||
fi
|
||||
|
||||
exit
|
||||
|
||||
|
||||
# notizen
|
||||
|
||||
MY_TPOT_TYPE Standard = SINGLE, Distributed = POT
|
||||
|
||||
Wenn POT
|
||||
autossh -f -M 0 -4 -l tpot01 -i /data/elk/logstash/tpot01 -p 64295 -N -L64305:127.0.0.1:64305 172.20.254.194 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "StrictHostKeyChecking=no" -o "UserKnownHostsFile=/dev/null"
|
||||
exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/http_output.conf --config.reload.automatic --java-execution
|
||||
|
||||
|
||||
Wenn SINGLE
|
||||
exec /usr/share/logstash/bin/logstash --config.reload.automatic --java-execution
|
||||
|
||||
Umgebungsvariable holen aus /data/elk/logstash
|
||||
m besten über das ELK Environment file, damit es keine probleme gibt
|
||||
|
||||
@ -43,6 +43,15 @@
|
||||
"latitude" : { "type" : "half_float" },
|
||||
"longitude" : { "type" : "half_float" }
|
||||
}
|
||||
},
|
||||
"geoip_ext" : {
|
||||
"dynamic": true,
|
||||
"properties" : {
|
||||
"ip": { "type": "ip" },
|
||||
"location" : { "type" : "geo_point" },
|
||||
"latitude" : { "type" : "half_float" },
|
||||
"longitude" : { "type" : "half_float" }
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
13
docker/elk/logstash/dist/update.sh
vendored
13
docker/elk/logstash/dist/update.sh
vendored
@ -47,7 +47,7 @@ if [ "$MY_TPOT_TYPE" == "POT" ];
|
||||
echo "Hive IP: $MY_HIVE_IP"
|
||||
echo
|
||||
cp /usr/share/logstash/config/pipelines_pot.yml /usr/share/logstash/config/pipelines.yml
|
||||
autossh -f -M 0 -v -4 -l $MY_HIVE_USERNAME -i $MY_POT_PRIVATEKEYFILE -p 64295 -N -L64305:127.0.0.1:64305 $MY_HIVE_IP -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "StrictHostKeyChecking=no" -o "UserKnownHostsFile=/dev/null"
|
||||
autossh -f -M 0 -4 -l $MY_HIVE_USERNAME -i $MY_POT_PRIVATEKEYFILE -p 64295 -N -L64305:127.0.0.1:64305 $MY_HIVE_IP -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "StrictHostKeyChecking=no" -o "UserKnownHostsFile=/dev/null"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
@ -60,7 +60,7 @@ echo "Checking if empty."
|
||||
curl -s -XGET http://elasticsearch:9200/_template/logstash
|
||||
echo
|
||||
echo "Putting default template."
|
||||
curl -s -XPUT "http://elasticsearch:9200/_template/logstash" -H 'Content-Type: application/json' -d'
|
||||
curl -XPUT "http://elasticsearch:9200/_template/logstash" -H 'Content-Type: application/json' -d'
|
||||
{
|
||||
"index_patterns" : "logstash-*",
|
||||
"version" : 60001,
|
||||
@ -106,6 +106,15 @@ curl -s -XPUT "http://elasticsearch:9200/_template/logstash" -H 'Content-Type: a
|
||||
"latitude" : { "type" : "half_float" },
|
||||
"longitude" : { "type" : "half_float" }
|
||||
}
|
||||
},
|
||||
"geoip_ext" : {
|
||||
"dynamic": true,
|
||||
"properties" : {
|
||||
"ip": { "type": "ip" },
|
||||
"location" : { "type" : "geo_point" },
|
||||
"latitude" : { "type" : "half_float" },
|
||||
"longitude" : { "type" : "half_float" }
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user