prep for 18.04

docker/elk/README.md

@@ -1,11 +1,11 @@
 # Elasticsearch
-[![](https://images.microbadger.com/badges/version/dtagdevsec/elasticsearch:1710.svg)](https://microbadger.com/images/dtagdevsec/elasticsearch:1710 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/elasticsearch:1710.svg)](https://microbadger.com/images/dtagdevsec/elasticsearch:1710 "Get your own image badge on microbadger.com")
+[![](https://images.microbadger.com/badges/version/dtagdevsec/elasticsearch:1804.svg)](https://microbadger.com/images/dtagdevsec/elasticsearch:1804 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/elasticsearch:1804.svg)](https://microbadger.com/images/dtagdevsec/elasticsearch:1804 "Get your own image badge on microbadger.com")
 
 # Logstash
-[![](https://images.microbadger.com/badges/version/dtagdevsec/logstash:1710.svg)](https://microbadger.com/images/dtagdevsec/logstash:1710 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/logstash:1710.svg)](https://microbadger.com/images/dtagdevsec/logstash:1710 "Get your own image badge on microbadger.com")
+[![](https://images.microbadger.com/badges/version/dtagdevsec/logstash:1804.svg)](https://microbadger.com/images/dtagdevsec/logstash:1804 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/logstash:1804.svg)](https://microbadger.com/images/dtagdevsec/logstash:1804 "Get your own image badge on microbadger.com")
 
 # Kibana
-[![](https://images.microbadger.com/badges/version/dtagdevsec/kibana:1710.svg)](https://microbadger.com/images/dtagdevsec/kibana:1710 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/kibana:1710.svg)](https://microbadger.com/images/dtagdevsec/kibana:1710 "Get your own image badge on microbadger.com")
+[![](https://images.microbadger.com/badges/version/dtagdevsec/kibana:1804.svg)](https://microbadger.com/images/dtagdevsec/kibana:1804 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/kibana:1804.svg)](https://microbadger.com/images/dtagdevsec/kibana:1804 "Get your own image badge on microbadger.com")
 
 # elk stack
 

docker/elk/elasticsearch/Dockerfile

@@ -1,18 +1,21 @@
 FROM alpine
-MAINTAINER MO
 
 # Include dist
 ADD dist/ /root/dist/
 
 # Setup env and apt
 RUN apk -U upgrade && \
-    apk add bash curl openjdk8-jre procps wget && \
+    apk add bash \
+            curl \
+            openjdk8-jre \
+            procps \
+            wget && \
 
 # Get and install packages
     cd /root/dist/ && \
     mkdir -p /usr/share/elasticsearch/ && \
-    wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.6.5.tar.gz && \
-    tar xvfz elasticsearch-5.6.5.tar.gz --strip-components=1 -C /usr/share/elasticsearch/ && \
+    wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.6.8.tar.gz && \
+    tar xvfz elasticsearch-5.6.8.tar.gz --strip-components=1 -C /usr/share/elasticsearch/ && \
 
 # Add and move files
     cd /root/dist/ && \

docker/elk/head/Dockerfile

@@ -1,12 +1,13 @@
-# Elasticsearch-head Dockerfile by MO
-#
-# VERSION 17.06 
 FROM alpine
-MAINTAINER MO
 
 # Setup env and apt
 RUN apk -U upgrade && \
-    apk add bash curl nodejs nodejs-npm git procps && \
+    apk add bash \
+            curl \
+            git \
+            nodejs \
+            nodejs-npm \
+            procps && \
 
 # Get and install packages
     mkdir -p /usr/src/app/ && \

docker/elk/kibana/Dockerfile

@@ -1,18 +1,21 @@
 FROM alpine
-MAINTAINER MO
 
 # Include dist
 ADD dist/ /root/dist/
 
 # Setup env and apt
 RUN apk -U upgrade && \
-    apk add bash curl nodejs procps wget && \
+    apk add bash \
+            curl \
+            nodejs \
+            procps \
+            wget && \
 
 # Get and install packages
     cd /root/dist/ && \
     mkdir -p /usr/share/kibana/ && \
-    wget https://artifacts.elastic.co/downloads/kibana/kibana-5.6.5-linux-x86_64.tar.gz && \
-    tar xvfz kibana-5.6.5-linux-x86_64.tar.gz --strip-components=1 -C /usr/share/kibana/ && \
+    wget https://artifacts.elastic.co/downloads/kibana/kibana-5.6.8-linux-x86_64.tar.gz && \
+    tar xvfz kibana-5.6.8-linux-x86_64.tar.gz --strip-components=1 -C /usr/share/kibana/ && \
 
 # Kibana's bundled node does not work in alpine
     rm /usr/share/kibana/node/bin/node && \

docker/elk/logstash/Dockerfile

@@ -1,20 +1,26 @@
 FROM alpine
-MAINTAINER MO
 
 # Include dist
 ADD dist/ /root/dist/
 
 # Setup env and apt
 RUN apk -U upgrade && \
-    apk add bash curl git libc6-compat libzmq openjdk8-jre procps wget && \
+    apk add bash \
+            curl \
+            git \
+            libc6-compat \
+            libzmq \
+            openjdk8-jre \
+            procps \
+            wget && \
 
 # Get and install packages
     git clone https://github.com/dtag-dev-sec/listbot /etc/listbot && \
     cd /root/dist/ && \
     mkdir -p /usr/share/logstash/ && \
-    wget https://artifacts.elastic.co/downloads/logstash/logstash-5.6.5.tar.gz && \
+    wget https://artifacts.elastic.co/downloads/logstash/logstash-5.6.8.tar.gz && \
     wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN.tar.gz && \
-    tar xvfz logstash-5.6.5.tar.gz --strip-components=1 -C /usr/share/logstash/ && \
+    tar xvfz logstash-5.6.8.tar.gz --strip-components=1 -C /usr/share/logstash/ && \
     /usr/share/logstash/bin/logstash-plugin install logstash-filter-translate && \
     /usr/share/logstash/bin/logstash-plugin install logstash-output-syslog && \
     tar xvfz GeoLite2-ASN.tar.gz --strip-components=1 -C /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-4.3.1-java/vendor/ && \

docker/elk/logstash/dist/logstash.conf

@@ -17,7 +17,7 @@ input {
 
 # Conpot 
   file {
-    path => ["/data/conpot/log/conpot.json"]
+    path => ["/data/conpot/log/*.json"]
     codec => json
     type => "ConPot"
   }
@@ -55,6 +55,12 @@ input {
     type => "Glastopf"
   }
 
+# Heralding
+  file {
+    path => ["/data/heralding/log/auth.csv"]
+    type => "Heralding"
+  }
+
 # Honeytrap
   file {
     path => ["/data/honeytrap/log/attackers.json"]
@@ -201,6 +207,17 @@ filter {
     }
   }
 
+# Heralding
+  if [type] == "Heralding" {
+    csv { 
+      columns => ["timestamp","auth_id","session_id","src_ip","src_port","dest_ip","dest_port","proto","username","password"] separator => "," 
+    }
+    date {
+      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
+      remove_field => ["timestamp"]
+    }
+  }
+
 # Honeytrap
   if [type] == "Honeytrap" {
     date {