prepare for adbhoney

2025-07-02 01:27:27 -04:00 · 2018-12-05 16:59:08 +00:00
parent 223aed6676
commit c7873554c3
8 changed files with 108 additions and 9 deletions
--- a/docker/adbhoney/Dockerfile
+++ b/docker/adbhoney/Dockerfile
@ -0,0 +1,31 @@
+FROM alpine 
+
+# Install packages
+RUN apk -U --no-cache add \
+            git \
+            libcap \
+            python \
+            python-dev && \
+
+# Install adbhoney from git
+    git clone --depth=1 https://github.com/huuck/ADBHoney /opt/adbhoney && \
+    sed -i 's/dst_ip/dest_ip/' /opt/adbhoney/main.py && \
+    sed -i 's/dst_port/dest_port/' /opt/adbhoney/main.py && \
+
+# Setup user, groups and configs
+    addgroup -g 2000 adbhoney && \
+    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 adbhoney && \
+    chown -R adbhoney:adbhoney /opt/adbhoney && \
+    setcap cap_net_bind_service=+ep /usr/bin/python2.7 && \
+
+# Clean up
+    apk del --purge git \
+                    python-dev && \
+    rm -rf /root/* && \
+    rm -rf /var/cache/apk/*
+
+# Set workdir and start adbhoney
+STOPSIGNAL SIGINT
+USER adbhoney:adbhoney
+WORKDIR /opt/adbhoney/
+CMD nohup /usr/bin/python main.py -l log/adbhoney.log -j log/adbhoney.json -d dl/
--- a/docker/adbhoney/docker-compose.yml
+++ b/docker/adbhoney/docker-compose.yml
@ -0,0 +1,21 @@
+version: '2.3'
+
+networks:
+  adbhoney_local:
+
+services:
+
+# Adbhoney service
+  adbhoney:
+    build: .
+    container_name: adbhoney
+    restart: always
+    networks:
+     - adbhoney_local
+    ports:
+     - "5555:5555"
+    image: "dtagdevsec/adbhoney:1811"
+    read_only: true
+    volumes:
+     - /data/adbhoney/log:/opt/adbhoney/log
+     - /data/adbhoney/downloads:/opt/adbhoney/dl
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@ -15,6 +15,13 @@ input {
    type => "P0f"
  }

+# Adbhoney
+  file {
+    path => ["/data/adbhoney/log/adbhoney.json"]
+    codec => json
+    type => "Adbhoney"
+  }
+
 # Ciscoasa
  file {
    path => ["/data/ciscoasa/log/ciscoasa.log"]
@ -143,6 +150,14 @@ filter {
    }
  }

+# Adbhoney
+  if [type] == "Adbhoney" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+      remove_field => ["unixtime"]
+    }
+  }
+
 # Ciscoasa
  if [type] == "Ciscoasa" {
    kv {
@ -372,7 +387,7 @@ if "_grokparsefailure" in [tags] { drop {} }
  }

 # Add T-Pot hostname and external IP
-  if [type] == "Ciscoasa" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Glastopf" or [type] == "Glutton" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
+  if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Glastopf" or [type] == "Glutton" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
    mutate {
      add_field => {
        "t-pot_ip_ext" => "${MY_EXTIP}"