From c1eb9f72163c140ba42bc58104d5752d8af16eab Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Thu, 28 Oct 2021 18:57:55 +0000
Subject: [PATCH] logstash parsing for ddospot, hellpot
---
 docker/elk/logstash/dist/logstash.conf | 47 ++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf
index 46ea5e4e..2c51078a 100644
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@@ -320,6 +320,38 @@ filter {
 match => [ "time", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
 remove_field => ["time"]
 }
+ if [path] == "/data/ddospot/log/chargenpot.log" {
+ mutate {
+ add_field => {
+ "dest_port" => "19"
+ "dest_ip" => "${MY_EXTIP}"
+ }
+ }
+ }
+ if [path] == "/data/ddospot/log/dnspot.log" {
+ mutate {
+ add_field => {
+ "dest_port" => "53"
+ "dest_ip" => "${MY_EXTIP}"
+ }
+ }
+ }
+ if [path] == "/data/ddospot/log/ntpot.log" {
+ mutate {
+ add_field => {
+ "dest_port" => "123"
+ "dest_ip" => "${MY_EXTIP}"
+ }
+ }
+ }
+ if [path] == "/data/ddospot/log/ssdpot.log" {
+ mutate {
+ add_field => {
+ "dest_port" => "1900"
+ "dest_ip" => "${MY_EXTIP}"
+ }
+ }
+ }
 }
 # Dionaea
@@ -397,6 +429,21 @@ filter {
 }
 }
+# Hellpot
+ if [type] == "Hellpot" {
+ date {
+ match => [ "time", "ISO8601" ]
+ remove_field => ["time"]
+ remove_field => ["timestamp"]
+ }
+ mutate {
+ add_field => {
+ "dest_port" => "80"
+ "dest_ip" => "${MY_EXTIP}"
+ }
+ }
+ }
+
 # Heralding
 if [type] == "Heralding" {
 csv {
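Review bot: The `"dest_ip" => "${MY_EXTIP}"` entry is repeated verbatim in all four `[path]` branches of the first hunk although it does not depend on the path; setting it once in a single `mutate` ahead of the chain leaves each branch with only its `dest_port` and puts the derivation of `dest_ip` in one place. Note that `add_field` appends when the field already exists, so if a ddospot record ever carries its own `dest_port` the result is a two-element array rather than an overwrite; if that is possible, `replace` is the safer choice. The enclosing `if [type] == …` block and the `date {` block whose tail is shown start outside the hunk.
```logstash
    # dest_ip does not depend on the path; set it once for every ddospot log
    mutate {
      add_field => { "dest_ip" => "${MY_EXTIP}" }
    }
    if [path] == "/data/ddospot/log/chargenpot.log" {
      mutate { add_field => { "dest_port" => "19" } }
    }
    # … same shape for dnspot (53), ntpot (123) and ssdpot (1900) …
```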
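Review bot: The Hellpot `date` block lists `remove_field` twice, once for `time` and once for `timestamp`; Logstash's compiler does, as far as I recall, concatenate repeated array-valued attributes, but the duplicate reads like a typo and the conventional spelling is the single line `remove_field => ["time", "timestamp"]`. Also, `remove_field` on `date` only fires when the match succeeded, so an event whose `time` is not ISO8601 is tagged `_dateparsefailure` and keeps both fields; if `timestamp` must always be dropped regardless of parse outcome, move that removal into the following `mutate` instead.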