prepare citrixhoneypot for ELK integration

t3chn0m4g3
2020-01-16 15:13:58 +00:00
parent a953542f8f
commit a6ed6613a5
4 changed files with 38 additions and 8 deletions


@ -36,6 +36,13 @@ input {
type => "Ciscoasa"
}
# CitrixHoneypot
file {
path => ["/data/citrixhoneypot/logs/server.log"]
codec => json
type => "CitrixHoneypot"
}
# Conpot
file {
path => ["/data/conpot/log/*.json"]
@ -206,6 +213,29 @@ filter {
}
}
# CitrixHoneypot
if [type] == "CitrixHoneypot" {
grok {
match => {
"message" => [ "\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{JAVAMETHOD:method}%{SPACE}%{CISCO_REASON:fileinfo.state}: %{UNIXPATH:filename}",
"\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{JAVAMETHOD:method}%{SPACE}%{CISCO_REASON:fileinfo.state}: %{GREEDYDATA:payload}",
"\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{S3_REQUEST_LINE:msg} %{CISCO_REASON:filename.state}: %{GREEDYDATA:payload}",
"\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{GREEDYDATA:msg}" ]
}
}
date {
match => [ "asctime", "ISO8601" ]
remove_field => ["asctime"]
remove_field => ["message"]
}
mutate {
add_field => {
"dest_port" => "443"
}
}
}
# Conpot
if [type] == "ConPot" {
date {
@ -417,7 +447,7 @@ if "_grokparsefailure" in [tags] { drop {} }
}
# Add T-Pot hostname and external IP
if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
mutate {
add_field => {
"t-pot_ip_ext" => "${MY_EXTIP}"
@ -443,7 +473,7 @@ output {
# }
#}
# Debug output
#if [type] == "XYZ" {
#if [type] == "CitrixHoneypot" {
# stdout {
# codec => rubydebug
# }
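Review bot: The third grok pattern in the CitrixHoneypot filter captures the state as `filename.state`, while the first two use `fileinfo.state` and the first also captures a plain string `filename`. If Elasticsearch expands the dotted name into an object path, which I believe is its default behaviour, `filename` would be both a string and an object in the same index, so events matching the third pattern could be rejected at index time and honeypot hits silently lost. I would change that capture to `%{CISCO_REASON:fileinfo.state}`. Separately, the two `remove_field` lines in the `date` block read more clearly merged as `remove_field => ["asctime", "message"]`. Also, `dest_port` is added as the string `"443"` while `src_port` is cast to integer, so a `mutate { convert => { "dest_port" => "integer" } }` may be needed if the index maps ports as numbers.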