prep for 18.04

2025-07-02 01:27:27 -04:00 · 2018-03-25 18:35:32 +00:00
parent 60cb42b34d
commit c9a33870ff
57 changed files with 2268 additions and 178 deletions
--- a/docker/elk/logstash/Dockerfile
+++ b/docker/elk/logstash/Dockerfile
@ -1,20 +1,26 @@
 FROM alpine
-MAINTAINER MO

 # Include dist
 ADD dist/ /root/dist/

 # Setup env and apt
 RUN apk -U upgrade && \
-    apk add bash curl git libc6-compat libzmq openjdk8-jre procps wget && \
+    apk add bash \
+            curl \
+            git \
+            libc6-compat \
+            libzmq \
+            openjdk8-jre \
+            procps \
+            wget && \

 # Get and install packages
    git clone https://github.com/dtag-dev-sec/listbot /etc/listbot && \
    cd /root/dist/ && \
    mkdir -p /usr/share/logstash/ && \
-    wget https://artifacts.elastic.co/downloads/logstash/logstash-5.6.5.tar.gz && \
+    wget https://artifacts.elastic.co/downloads/logstash/logstash-5.6.8.tar.gz && \
    wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN.tar.gz && \
-    tar xvfz logstash-5.6.5.tar.gz --strip-components=1 -C /usr/share/logstash/ && \
+    tar xvfz logstash-5.6.8.tar.gz --strip-components=1 -C /usr/share/logstash/ && \
    /usr/share/logstash/bin/logstash-plugin install logstash-filter-translate && \
    /usr/share/logstash/bin/logstash-plugin install logstash-output-syslog && \
    tar xvfz GeoLite2-ASN.tar.gz --strip-components=1 -C /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-4.3.1-java/vendor/ && \
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@ -17,7 +17,7 @@ input {

 # Conpot 
  file {
-    path => ["/data/conpot/log/conpot.json"]
+    path => ["/data/conpot/log/*.json"]
    codec => json
    type => "ConPot"
  }
@ -55,6 +55,12 @@ input {
    type => "Glastopf"
  }

+# Heralding
+  file {
+    path => ["/data/heralding/log/auth.csv"]
+    type => "Heralding"
+  }
+
 # Honeytrap
  file {
    path => ["/data/honeytrap/log/attackers.json"]
@ -201,6 +207,17 @@ filter {
    }
  }

+# Heralding
+  if [type] == "Heralding" {
+    csv { 
+      columns => ["timestamp","auth_id","session_id","src_ip","src_port","dest_ip","dest_port","proto","username","password"] separator => "," 
+    }
+    date {
+      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
+      remove_field => ["timestamp"]
+    }
+  }
+
 # Honeytrap
  if [type] == "Honeytrap" {
    date {