bump elk to 7.17.0 to support 8.0.1 in 22.x

fix data fields with regard to the request field, log4pot, nginx
Update objects for qeeqbox honeypots
2025-07-02 01:27:27 -04:00 · 2022-03-18 16:23:27 +00:00 · 2022-01-17 17:10:48 +01:00 · 2022-01-13 15:22:49 +01:00 · 2022-01-12 01:28:06 +00:00 · 2022-01-11 15:43:45 +00:00
130 changed files with 3938 additions and 569 deletions
--- a/README.md
+++ b/README.md
@ -11,18 +11,24 @@ and includes dockerized versions of the following honeypots
 * [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot),
 * [conpot](http://conpot.org/),
 * [cowrie](https://github.com/cowrie/cowrie),
 * [ddospot](https://github.com/aelth/ddospot),
 * [dicompot](https://github.com/nsmfoo/dicompot),
 * [dionaea](https://github.com/DinoTools/dionaea),
 * [elasticpot](https://gitlab.com/bontchev/elasticpot),
 * [endlessh](https://github.com/skeeto/endlessh),
 * [glutton](https://github.com/mushorg/glutton),
 * [heralding](https://github.com/johnnykv/heralding),
 * [hellpot](https://github.com/yunginnanet/HellPot),
 * [honeypots](https://github.com/qeeqbox/honeypots),
 * [honeypy](https://github.com/foospidy/HoneyPy),
 * [honeysap](https://github.com/SecureAuthCorp/HoneySAP),
 * [honeytrap](https://github.com/armedpot/honeytrap/),
 * [ipphoney](https://gitlab.com/bontchev/ipphoney),
 * [log4pot](https://github.com/thomaspatzke/Log4Pot),
 * [mailoney](https://github.com/awhitehatter/mailoney),
 * [medpot](https://github.com/schmalle/medpot),
 * [rdpy](https://github.com/citronneur/rdpy),
 * [redishoneypot](https://github.com/cypwnpwnsocute/RedisHoneyPot),
 * [snare](http://mushmush.org/),
 * [tanner](http://mushmush.org/)
@ -92,17 +98,23 @@ In T-Pot we combine the dockerized honeypots ...
 * [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot),
 * [conpot](http://conpot.org/),
 * [cowrie](http://www.micheloosterhof.com/cowrie/),
 * [ddospot](https://github.com/aelth/ddospot),
 * [dicompot](https://github.com/nsmfoo/dicompot),
 * [dionaea](https://github.com/DinoTools/dionaea),
 * [elasticpot](https://gitlab.com/bontchev/elasticpot),
 * [endlessh](https://github.com/skeeto/endlessh),
 * [glutton](https://github.com/mushorg/glutton),
 * [heralding](https://github.com/johnnykv/heralding),
 * [hellpot](https://github.com/yunginnanet/HellPot),
 * [honeypots](https://github.com/qeeqbox/honeypots),
 * [honeypy](https://github.com/foospidy/HoneyPy),
 * [honeysap](https://github.com/SecureAuthCorp/HoneySAP),
 * [honeytrap](https://github.com/armedpot/honeytrap/),
 * [ipphoney](https://gitlab.com/bontchev/ipphoney),
 * [log4pot](https://github.com/thomaspatzke/Log4Pot),
 * [mailoney](https://github.com/awhitehatter/mailoney),
 * [medpot](https://github.com/schmalle/medpot),
 * [redishoneypot](https://github.com/cypwnpwnsocute/RedisHoneyPot),
 * [rdpy](https://github.com/citronneur/rdpy),
 * [snare](http://mushmush.org/),
 * [tanner](http://mushmush.org/)
@ -489,10 +501,13 @@ We hope you understand that we cannot provide support on an individual basis. We
 # Licenses
 The software that T-Pot is built on uses the following licenses.
 <br>GPLv2: [conpot](https://github.com/mushorg/conpot/blob/master/LICENSE.txt), [dionaea](https://github.com/DinoTools/dionaea/blob/master/LICENSE), [honeysap](https://github.com/SecureAuthCorp/HoneySAP/blob/master/COPYING), [honeypy](https://github.com/foospidy/HoneyPy/blob/master/LICENSE), [honeytrap](https://github.com/armedpot/honeytrap/blob/master/LICENSE), [suricata](http://suricata-ids.org/about/open-source/)
-<br>GPLv3: [adbhoney](https://github.com/huuck/ADBHoney), [elasticpot](https://gitlab.com/bontchev/elasticpot/-/blob/master/LICENSE), [ewsposter](https://github.com/telekom-security/ews/), [fatt](https://github.com/0x4D31/fatt/blob/master/LICENSE), [rdpy](https://github.com/citronneur/rdpy/blob/master/LICENSE), [heralding](https://github.com/johnnykv/heralding/blob/master/LICENSE.txt), [ipphoney](https://gitlab.com/bontchev/ipphoney/-/blob/master/LICENSE), [snare](https://github.com/mushorg/snare/blob/master/LICENSE), [tanner](https://github.com/mushorg/snare/blob/master/LICENSE)
+<br>GPLv3: [adbhoney](https://github.com/huuck/ADBHoney), [elasticpot](https://gitlab.com/bontchev/elasticpot/-/blob/master/LICENSE), [ewsposter](https://github.com/telekom-security/ews/), [log4pot](https://github.com/thomaspatzke/Log4Pot/blob/master/LICENSE), [fatt](https://github.com/0x4D31/fatt/blob/master/LICENSE), [rdpy](https://github.com/citronneur/rdpy/blob/master/LICENSE), [heralding](https://github.com/johnnykv/heralding/blob/master/LICENSE.txt), [ipphoney](https://gitlab.com/bontchev/ipphoney/-/blob/master/LICENSE), [redishoneypot](https://github.com/cypwnpwnsocute/RedisHoneyPot/blob/main/LICENSE), [snare](https://github.com/mushorg/snare/blob/master/LICENSE), [tanner](https://github.com/mushorg/snare/blob/master/LICENSE)
 <br>Apache 2 License: [cyberchef](https://github.com/gchq/CyberChef/blob/master/LICENSE), [dicompot](https://github.com/nsmfoo/dicompot/blob/master/LICENSE), [elasticsearch](https://github.com/elasticsearch/elasticsearch/blob/master/LICENSE.txt), [logstash](https://github.com/elasticsearch/logstash/blob/master/LICENSE), [kibana](https://github.com/elasticsearch/kibana/blob/master/LICENSE.md), [docker](https://github.com/docker/docker/blob/master/LICENSE), [elasticsearch-head](https://github.com/mobz/elasticsearch-head/blob/master/LICENCE)
-<br>MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE)
+<br>MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [ddospot](https://github.com/aelth/ddospot/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE), [hellpot](https://github.com/yunginnanet/HellPot/blob/master/LICENSE)
 <br> Unlicense: [endlessh](https://github.com/skeeto/endlessh/blob/master/UNLICENSE)
 <br> Other: [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot#licencing-agreement-malwaretech-public-licence), [cowrie](https://github.com/micheloosterhof/cowrie/blob/master/LICENSE.md), [mailoney](https://github.com/awhitehatter/mailoney), [Debian licensing](https://www.debian.org/legal/licenses/), [Elastic License](https://www.elastic.co/licensing/elastic-license)
 <br> AGPL-3.0: [honeypots](https://github.com/qeeqbox/honeypots/blob/main/LICENSE)
 <a name="credits"></a>
 # Credits
@ -507,6 +522,7 @@ Without open source and the fruitful development community (we are proud to be a
 * [cockpit](https://github.com/cockpit-project/cockpit/graphs/contributors)
 * [conpot](https://github.com/mushorg/conpot/graphs/contributors)
 * [cowrie](https://github.com/micheloosterhof/cowrie/graphs/contributors)
 * [ddospot](https://github.com/aelth/ddospot/graphs/contributors)
 * [debian](http://www.debian.org/)
 * [dicompot](https://github.com/nsmfoo/dicompot/graphs/contributors)
 * [dionaea](https://github.com/DinoTools/dionaea/graphs/contributors)
@ -514,20 +530,25 @@ Without open source and the fruitful development community (we are proud to be a
 * [elasticpot](https://gitlab.com/bontchev/elasticpot/-/project_members)
 * [elasticsearch](https://github.com/elastic/elasticsearch/graphs/contributors)
 * [elasticsearch-head](https://github.com/mobz/elasticsearch-head/graphs/contributors)
 * [endlessh](https://github.com/skeeto/endlessh/graphs/contributors)
 * [ewsposter](https://github.com/armedpot/ewsposter/graphs/contributors)
 * [fatt](https://github.com/0x4D31/fatt/graphs/contributors)
 * [glutton](https://github.com/mushorg/glutton/graphs/contributors)
 * [hellpot](https://github.com/yunginnanet/HellPot/graphs/contributors)
 * [heralding](https://github.com/johnnykv/heralding/graphs/contributors)
 * [honeypots](https://github.com/qeeqbox/honeypots/graphs/contributors)
 * [honeypy](https://github.com/foospidy/HoneyPy/graphs/contributors)
 * [honeysap](https://github.com/SecureAuthCorp/HoneySAP/graphs/contributors)
 * [honeytrap](https://github.com/armedpot/honeytrap/graphs/contributors)
 * [ipphoney](https://gitlab.com/bontchev/ipphoney/-/project_members)
 * [kibana](https://github.com/elastic/kibana/graphs/contributors)
 * [logstash](https://github.com/elastic/logstash/graphs/contributors)
 * [log4pot](https://github.com/thomaspatzke/Log4Pot/graphs/contributors)
 * [mailoney](https://github.com/awhitehatter/mailoney)
 * [medpot](https://github.com/schmalle/medpot/graphs/contributors)
 * [p0f](http://lcamtuf.coredump.cx/p0f3/)
 * [rdpy](https://github.com/citronneur/rdpy)
 * [redishoneypot](https://github.com/cypwnpwnsocute/RedisHoneyPot/graphs/contributors)
 * [spiderfoot](https://github.com/smicallef/spiderfoot)
 * [snare](https://github.com/mushorg/snare/graphs/contributors)
 * [tanner](https://github.com/mushorg/tanner/graphs/contributors)
--- a/bin/clean.sh
+++ b/bin/clean.sh
@ -114,6 +114,14 @@ fuCOWRIE () {
  chown tpot:tpot /data/cowrie -R
 }
 # Let's create a function to clean up and prepare ddospot data
 fuDDOSPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ddospot/log; fi
  mkdir -p /data/ddospot/log
  chmod 770 /data/ddospot -R
  chown tpot:tpot /data/ddospot -R
 }
 # Let's create a function to clean up and prepare dicompot data
 fuDICOMPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dicompot/log; fi
@ -149,6 +157,14 @@ fuELK () {
  chown tpot:tpot /data/elk -R
 }
 # Let's create a function to clean up and prepare endlessh data
 fuENDLESSH () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/endlessh/log; fi
  mkdir -p /data/endlessh/log
  chmod 770 /data/endlessh -R
  chown tpot:tpot /data/endlessh -R
 }
 # Let's create a function to clean up and prepare fatt data
 fuFATT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/fatt/*; fi
@ -165,6 +181,14 @@ fuGLUTTON () {
  chown tpot:tpot /data/glutton -R
 }
 # Let's create a function to clean up and prepare hellpot data
 fuHELLPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/hellpot/log; fi
  mkdir -p /data/hellpot/log
  chmod 770 /data/hellpot -R
  chown tpot:tpot /data/hellpot -R
 }
 # Let's create a function to clean up and prepare heralding data
 fuHERALDING () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi
@ -173,6 +197,14 @@ fuHERALDING () {
  chown tpot:tpot /data/heralding -R
 }
 # Let's create a function to clean up and prepare honeypots data
 fuHONEYPOTS () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypots/*; fi
  mkdir -p /data/honeypots/log
  chmod 770 /data/honeypots -R
  chown tpot:tpot /data/honeypots -R
 }
 # Let's create a function to clean up and prepare honeypy data
 fuHONEYPY () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypy/*; fi
@ -205,6 +237,14 @@ fuIPPHONEY () {
  chown tpot:tpot /data/ipphoney -R
 }
 # Let's create a function to clean up and prepare log4pot data
 fuLOG4POT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/log4pot/*; fi
  mkdir -p /data/log4pot/log
  chmod 770 /data/log4pot -R
  chown tpot:tpot /data/log4pot -R
 }
 # Let's create a function to clean up and prepare mailoney data
 fuMAILONEY () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi
@ -237,6 +277,14 @@ fuRDPY () {
  chown tpot:tpot /data/rdpy/ -R
 }
 # Let's create a function to clean up and prepare redishoneypot data
 fuREDISHONEYPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/redishoneypot/log; fi
  mkdir -p /data/redishoneypot/log
  chmod 770 /data/redishoneypot -R
  chown tpot:tpot /data/redishoneypot -R
 }
 # Let's create a function to prepare spiderfoot db
 fuSPIDERFOOT () {
  mkdir -p /data/spiderfoot
@ -296,20 +344,26 @@ if [ "$myPERSISTENCE" = "on" ];
    fuCITRIXHONEYPOT
    fuCONPOT
    fuCOWRIE
    fuDDOSPOT
    fuDICOMPOT
    fuDIONAEA
    fuELASTICPOT
    fuELK
    fuENDLESSH
    fuFATT
    fuGLUTTON
    fuHERALDING
    fuHELLPOT
    fuHONEYSAP
    fuHONEYPOTS
    fuHONEYPY
    fuHONEYTRAP
    fuIPPHONEY
    fuLOG4POT
    fuMAILONEY
    fuMEDPOT
    fuNGINX
    fuREDISHONEYPOT
    fuRDPY
    fuSPIDERFOOT
    fuSURICATA
--- a/bin/deploy.sh
+++ b/bin/deploy.sh
@ -0,0 +1,182 @@
 #!/bin/bash
 # Do we have root?
 function fuGOT_ROOT {
 echo
 echo -n "### Checking for root: "
 if [ "$(whoami)" != "root" ];
  then
    echo "[ NOT OK ]"
    echo "### Please run as root."
    echo "### Example: sudo $0"
    exit
  else
    echo "[ OK ]"
 fi
 }
 function fuDEPLOY_POT () {
 echo
 echo "###############################"
 echo "# Deploying to T-Pot Hive ... #"
 echo "###############################"
 echo
 sshpass -e ssh -4 -t -T -l "$MY_TPOT_USERNAME" -p 64295 "$MY_HIVE_IP" << EOF
 echo "$SSHPASS" | sudo -S bash -c 'useradd -m -s /sbin/nologin -G tpotlogs "$MY_HIVE_USERNAME";
 mkdir -p /home/"$MY_HIVE_USERNAME"/.ssh;
 echo "$MY_POT_PUBLICKEY" >> /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
 chmod 600 /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
 chmod 755 /home/"$MY_HIVE_USERNAME"/.ssh;
 chown "$MY_HIVE_USERNAME":"$MY_HIVE_USERNAME" -R /home/"$MY_HIVE_USERNAME"/.ssh'
 EOF
 echo
 echo "###########################"
 echo "# Done. Please reboot ... #"
 echo "###########################"
 echo
 exit 0
 }
 # Check Hive availability 
 function fuCHECK_HIVE () {
 echo
 echo "############################################"
 echo "# Checking for T-Pot Hive availability ... #"
 echo "############################################"
 echo
 sshpass -e ssh -4 -t -l "$MY_TPOT_USERNAME" -p 64295 -f -N -L64305:127.0.0.1:64305 "$MY_HIVE_IP" -o "StrictHostKeyChecking=no"
 if [ $? -eq 0 ];
  then
    echo
    echo "#########################"
    echo "# T-Pot Hive available! #"
    echo "#########################"
    echo
    myHIVE_OK=$(curl -s http://127.0.0.1:64305)
    if [ "$myHIVE_OK" == "ok" ];
      then
 	echo
        echo "##############################"
        echo "# T-Pot Hive tunnel test OK! #"
        echo "##############################"
        echo
        kill -9 $(pidof ssh)
      else
        echo
 	echo "######################################################"
        echo "# T-Pot Hive tunnel test FAILED!                     #"
 	echo "# Tunneled port tcp/64305 unreachable on T-Pot Hive. #"
 	echo "# Aborting.                                          #"
        echo "######################################################"
        echo
        kill -9 $(pidof ssh)
 	rm $MY_POT_PUBLICKEYFILE
 	rm $MY_POT_PRIVATEKEYFILE
 	rm $MY_LS_ENVCONFIGFILE
 	exit 1
    fi;
  else
    echo
    echo "#################################################################"
    echo "# Something went wrong, most likely T-Pot Hive was unreachable! #"
    echo "# Aborting.                                                     #"
    echo "#################################################################"
    echo
    rm $MY_POT_PUBLICKEYFILE
    rm $MY_POT_PRIVATEKEYFILE
    rm $MY_LS_ENVCONFIGFILE
    exit 1
 fi;
 }
 function fuGET_DEPLOY_DATA () {
 echo
 echo "### Please provide data from your T-Pot Hive installation."
 echo "### This usually is the one running the 'T-Pot Hive' type."
 echo "### You will be needing the OS user (typically 'tsec'), the users' password and the IP / FQDN."
 echo "### Do not worry, the password will not be persisted!"
 echo
 read -p "Username: " MY_TPOT_USERNAME
 read -s -p "Password: " SSHPASS
 echo
 export SSHPASS
 read -p "IP / FQDN: " MY_HIVE_IP
 MY_HIVE_USERNAME="$(hostname)"
 MY_TPOT_TYPE="POT"
 MY_LS_ENVCONFIGFILE="/data/elk/logstash/ls_environment"
 MY_POT_PUBLICKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME.pub"
 MY_POT_PRIVATEKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME"
 if ! [ -s "$MY_POT_PRIVATEKEYFILE" ] && ! [ -s "$MY_POT_PUBLICKEYFILE" ];
  then
    echo
    echo "##############################"
    echo "# Generating ssh keyfile ... #"
    echo "##############################"
    echo
    mkdir -p /data/elk/logstash
    ssh-keygen -f "$MY_POT_PRIVATEKEYFILE" -N "" -C "$MY_HIVE_USERNAME"
    MY_POT_PUBLICKEY="$(cat "$MY_POT_PUBLICKEYFILE")"
  else
    echo
    echo "#############################################"
    echo "# There is already a ssh keyfile. Aborting. #"
    echo "#############################################"
    echo
    exit 1
 fi
 echo
 echo "###########################################################"
 echo "# Writing config to /data/elk/logstash/ls_environment.    #"
 echo "# If you make changes to this file, you need to reboot or #"
 echo "# run /opt/tpot/bin/updateip.sh.                          #"
 echo "###########################################################"
 echo
 tee $MY_LS_ENVCONFIGFILE << EOF
 MY_TPOT_TYPE=$MY_TPOT_TYPE
 MY_POT_PRIVATEKEYFILE=$MY_POT_PRIVATEKEYFILE
 MY_HIVE_USERNAME=$MY_HIVE_USERNAME
 MY_HIVE_IP=$MY_HIVE_IP
 EOF
 }
 # Deploy Pot to Hive
 fuGOT_ROOT
 echo
 echo "#################################"
 echo "# Ship T-Pot Logs to T-Pot Hive #"
 echo "#################################"
 echo
 echo "If you already have a T-Pot Hive installation running and"
 echo "this T-Pot installation is running the type \"Pot\" the"
 echo "script will automagically setup this T-Pot to ship and"
 echo "prepare the Hive to receive logs from this T-Pot."
 echo
 echo
 echo "###################################"
 echo "# Deploy T-Pot Logs to T-Pot Hive #"
 echo "###################################"
 echo 
 echo "[c] - Continue deplyoment"
 echo "[q] - Abort and exit"
 echo
 while [ 1 != 2 ]
  do
    read -s -n 1 -p "Your choice: " mySELECT
      echo $mySELECT
      case "$mySELECT" in
        [c,C])
          fuGET_DEPLOY_DATA
          fuCHECK_HIVE
 	  fuDEPLOY_POT
          break
          ;;
        [q,Q])
          echo "Aborted."
          exit 0
          ;;
      esac
 done
--- a/bin/deprecated/export_kibana-objects.sh
+++ b/bin/deprecated/export_kibana-objects.sh
@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
 myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
 if ! [ "$myESSTATUS" = "1" ]
  then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
    exit
  else
    echo "### Elasticsearch is available, now continuing."
@ -15,7 +15,7 @@ fi
 # Set vars
 myDATE=$(date +%Y%m%d%H%M)
-myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep "scripted" | wc -w)
+myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
 myINDEXID=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].id' | tr -d '"')
 myDASHBOARDS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=dashboard&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
 myVISUALIZATIONS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=visualization&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
--- a/bin/deprecated/import_kibana-objects.sh
+++ b/bin/deprecated/import_kibana-objects.sh
@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
 myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
 if ! [ "$myESSTATUS" = "1" ]
  then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
    exit
  else
    echo "### Elasticsearch is available, now continuing."
@ -43,7 +43,7 @@ tar xvfz $myDUMP > /dev/null
 # Restore index patterns
 myINDEXID=$(ls patterns/*.json | cut -c 10- | rev | cut -c 6- | rev)
-myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep "scripted" | wc -w)
+myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
 echo $myCOL1"### Now importing"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0
 curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/logstash-*' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
 curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
--- a/bin/tped.sh
+++ b/bin/tped.sh
@ -29,7 +29,7 @@ for i in $myYMLS;
  do
    myITEMS+="$i $(echo $i | cut -d "." -f1 | tr [:lower:] [:upper:]) " 
 done
-myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 12 50 5 $myITEMS 3>&1 1>&2 2>&3 3>&-)
+myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 17 50 10 $myITEMS 3>&1 1>&2 2>&3 3>&-)
 if [ "$myEDITION" == "" ];
  then
    echo "Have a nice day!"
--- a/bin/updateip.sh
+++ b/bin/updateip.sh
@ -32,5 +32,17 @@ MY_EXTIP=$myEXTIP
 MY_INTIP=$myLOCALIP
 MY_HOSTNAME=$HOSTNAME
 EOF
 if [ -s "/data/elk/logstash/ls_environment" ];
  then
    source /data/elk/logstash/ls_environment
    tee -a /opt/tpot/etc/compose/elk_environment << EOF
 MY_TPOT_TYPE=$MY_TPOT_TYPE
 MY_POT_PRIVATEKEYFILE=$MY_POT_PRIVATEKEYFILE
 MY_HIVE_USERNAME=$MY_HIVE_USERNAME
 MY_HIVE_IP=$MY_HIVE_IP
 EOF
 fi
 chown tpot:tpot /data/ews/conf/ews.ip
 chmod 770 /data/ews/conf/ews.ip
--- a/cloud/.gitignore
+++ b/cloud/.gitignore
@ -6,5 +6,5 @@
 **/terraform.*
 # OpenStack clouds
-clouds.yaml
+**/clouds.yaml
-secure.yaml
+**/secure.yaml
--- a/cloud/ansible/openstack/roles/check/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/check/tasks/main.yaml
@ -16,4 +16,4 @@
  ansible.builtin.fail:
    msg: Please enable agent forwarding to allow Ansible to connect to the remote host!
  ignore_errors: yes
-  when: lookup('env','SSH_AUTH_SOCK') == ""
+  failed_when: lookup('env','SSH_AUTH_SOCK') == ""
--- a/cloud/ansible/openstack/roles/create_net/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/create_net/tasks/main.yaml
@ -1,33 +1,33 @@
 - name: Create security group
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
-    name: sg-tpot-any
+    name: sg-tpot-ansible
-    description: tpot any-any
+    description: Security Group for T-Pot
 - name: Add rules to security group
  openstack.cloud.security_group_rule:
    cloud: "{{ cloud }}"
-    security_group: sg-tpot-any
+    security_group: sg-tpot-ansible
    remote_ip_prefix: 0.0.0.0/0
 - name: Create network
  openstack.cloud.network:
    cloud: "{{ cloud }}"
-    name: network-tpot
+    name: network-tpot-ansible
 - name: Create subnet
  openstack.cloud.subnet:
    cloud: "{{ cloud }}"
-    network_name: network-tpot
+    network_name: network-tpot-ansible
-    name: subnet-tpot
+    name: subnet-tpot-ansible
    cidr: 192.168.0.0/24
    dns_nameservers:
-      - 1.1.1.1
+      - 100.125.4.25
-      - 8.8.8.8
+      - 100.125.129.199
 - name: Create router
  openstack.cloud.router:
    cloud: "{{ cloud }}"
-    name: router-tpot
+    name: router-tpot-ansible
    interfaces:
-      - subnet-tpot
+      - subnet-tpot-ansible
--- a/cloud/ansible/openstack/roles/create_vm/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/create_vm/tasks/main.yaml
@ -11,10 +11,10 @@
    boot_from_volume: yes
    volume_size: "{{ volume_size }}"
    key_name: "{{ key_name }}"
-    timeout: 200
+    auto_ip: yes
    flavor: "{{ flavor }}"
-    security_groups: sg-tpot-any
+    security_groups: sg-tpot-ansible
-    network: network-tpot
+    network: network-tpot-ansible
  register: tpot
 - name: Add instance to inventory
--- a/cloud/ansible/openstack/roles/install/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/install/tasks/main.yaml
@ -23,7 +23,7 @@
   shell: /bin/bash
 - name: Copy T-Pot configuration file
-  ansible.builtin.template:
+  ansible.builtin.copy:
    src: ../../../../../../iso/installer/tpot.conf.dist
    dest: /root/tpot.conf
    owner: root
--- a/cloud/terraform/README.md
+++ b/cloud/terraform/README.md
@ -37,12 +37,13 @@ This can easily be extended to support other [Terraform providers](https://regis
 <a name="what-created-otc"></a>
 ### Open Telekom Cloud (OTC)
 * ECS instance:
-  * s2.medium.8 (1 vCPU, 8 GB RAM)
+  * s3.medium.8 (1 vCPU, 8 GB RAM)
  * 128 GB disk
  * Debian 10
  * Public EIP
 * Security Group
-* Network, Subnet, Router (= Virtual Private Cloud [VPC])
+  * All TCP/UDP ports are open to the Internet
 * Virtual Private Cloud (VPC) and Subnet
 <a name="pre"></a>
 ## Prerequisites
@ -90,11 +91,13 @@ In `aws/variables.tf`, you can change the additional variables:
 <a name="variables-otc"></a>
 ### Open Telekom Cloud (OTC)
 In `otc/variables.tf`, you can change the additional variables:
 * `ecs_flavor`
 * `ecs_disk_size`
 * `availability_zone`
 * `flavor`
 * `key_pair` - Specify an existing SSH key pair
-* `volume_size`  
+* `eip_size`
-Furthermore you can configure the naming of the created infrastructure (per default everything gets prefixed with "tpot-", e.g. "tpot-router").
+
 ... and some more, but these are the most relevant.
 <a name="initialising"></a>
 ## Initialising
--- a/cloud/terraform/aws/main.tf
+++ b/cloud/terraform/aws/main.tf
@ -60,7 +60,7 @@ resource "aws_instance" "tpot" {
    volume_size           = 128
    delete_on_termination = true
  }
-  user_data         = templatefile("../cloud-init.yaml", {timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password})
+  user_data                   = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
-  vpc_security_group_ids = [aws_security_group.tpot.id]
+  vpc_security_group_ids      = [aws_security_group.tpot.id]
  associate_public_ip_address = true
 }
--- a/cloud/terraform/aws/variables.tf
+++ b/cloud/terraform/aws/variables.tf
@ -32,30 +32,31 @@ variable "ec2_instance_type" {
 variable "ec2_ami" {
  type = map(string)
  default = {
-    "af-south-1"     = "ami-04090a79eb0bcb6c1"
+    "af-south-1"     = "ami-0272d4f5fb1b98a0d"
-    "ap-east-1"      = "ami-0327f60df432e2479"
+    "ap-east-1"      = "ami-00d242e2f23abf6d2"
-    "ap-northeast-1" = "ami-06bc324209030cbc8"
+    "ap-northeast-1" = "ami-001c6b4d627e8be53"
-    "ap-northeast-2" = "ami-02ee842962ae7df95"
+    "ap-northeast-2" = "ami-0d841ed4bf80e764c"
-    "ap-south-1"     = "ami-0d548fffbb2d54e42"
+    "ap-northeast-3" = "ami-01b0a01d770321320"
-    "ap-southeast-1" = "ami-0dcf891cda6248f00"
+    "ap-south-1"     = "ami-04ba7e5bd7c6f6929"
-    "ap-southeast-2" = "ami-022578f782d4e5d30"
+    "ap-southeast-1" = "ami-0dca3eabb09c32ae2"
-    "ca-central-1"   = "ami-01444dd84a75e9a82"
+    "ap-southeast-2" = "ami-03ff8684dc585ddae"
-    "eu-central-1"   = "ami-097411fa8fbfdffda"
+    "ca-central-1"   = "ami-08af22d7c0382fd83"
-    "eu-north-1"     = "ami-026984326b6456f6a"
+    "eu-central-1"   = "ami-0f41e297b3c53fab8"
-    "eu-south-1"     = "ami-07ad114e5df69197e"
+    "eu-north-1"     = "ami-0bbc6a00971c77d6d"
-    "eu-west-1"      = "ami-0101794b418f8b2a6"
+    "eu-south-1"     = "ami-03ff8684dc585ddae"
-    "eu-west-2"      = "ami-00eac9341e72e638a"
+    "eu-west-1"      = "ami-080684ad73d431a05"
-    "eu-west-3"      = "ami-01469c569416f3bd3"
+    "eu-west-2"      = "ami-04b259723891dfc53"
-    "me-south-1"     = "ami-0821f357b877b076d"
+    "eu-west-3"      = "ami-00662eead74f66895"
-    "sa-east-1"      = "ami-0c87b2c6219e3d5fd"
+    "me-south-1"     = "ami-021a6c6047091ab5b"
-    "us-east-1"      = "ami-047f0b13f023f6553"
+    "sa-east-1"      = "ami-0aac091cce68a049c"
-    "us-east-2"      = "ami-0988470f4e830799f"
+    "us-east-1"      = "ami-05ad4ed7f9c48178b"
-    "us-west-1"      = "ami-0be6bacfeb2913ac2"
+    "us-east-2"      = "ami-07640f3f27c0ad3d3"
-    "us-west-2"      = "ami-0112d55fbe29acc68"
+    "us-west-1"      = "ami-0c053f1d5f22eb09f"
    "us-west-2"      = "ami-090cd3aed687b1ee1"
  }
 }
-# cloud-init configuration
+## cloud-init configuration ##
 variable "timezone" {
  default = "UTC"
 }
@ -63,20 +64,30 @@ variable "timezone" {
 variable "linux_password" {
  #default = "LiNuXuSeRPaSs#"
  description = "Set a password for the default user"
  validation {
    condition     = length(var.linux_password) > 0
    error_message = "Please specify a password for the default user."
  }
 }
-# These will go in the generated tpot.conf file
+## These will go in the generated tpot.conf file ##
 variable "tpot_flavor" {
-  default = "STANDARD"
+  default     = "STANDARD"
  description = "Specify your tpot flavor [STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN, MEDICAL]"
 }
 variable "web_user" {
-  default = "webuser"
+  default     = "webuser"
  description = "Set a username for the web user"
 }
 variable "web_password" {
  #default = "w3b$ecret"
  description = "Set a password for the web user"
  validation {
    condition     = length(var.web_password) > 0
    error_message = "Please specify a password for the web user."
  }
 }
--- a/cloud/terraform/aws/versions.tf
+++ b/cloud/terraform/aws/versions.tf
@ -2,7 +2,7 @@ terraform {
  required_version = ">= 0.13"
  required_providers {
    aws = {
-      source = "hashicorp/aws"
+      source  = "hashicorp/aws"
      version = "3.26.0"
    }
  }
--- a/cloud/terraform/cloud-init.yaml
+++ b/cloud/terraform/cloud-init.yaml
@ -5,6 +5,7 @@ packages:
  - git
 runcmd:
  - curl -sS --retry 5 https://github.com
  - git clone https://github.com/telekom-security/tpotce /root/tpot
  - /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
  - rm /root/tpot.conf
--- a/cloud/terraform/otc/.terraform.lock.hcl
+++ b/cloud/terraform/otc/.terraform.lock.hcl
@ -2,38 +2,37 @@
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/random" {
-  version     = "3.0.1"
+  version     = "3.1.0"
-  constraints = "~> 3.0.1"
+  constraints = "~> 3.1.0"
  hashes = [
-    "h1:SzM8nt2wzLMI28A3CWAtW25g3ZCm1O4xD0h3Ps/rU1U=",
+    "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
-    "zh:0d4f683868324af056a9eb2b06306feef7c202c88dbbe6a4ad7517146a22fb50",
+    "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
-    "zh:4824b3c7914b77d41dfe90f6f333c7ac9860afb83e2a344d91fbe46e5dfbec26",
+    "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
-    "zh:4b82e43712f3cf0d0cbc95b2cbcd409ba8f0dc7848fdfb7c13633c27468ed04a",
+    "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
-    "zh:78b3a2b860c3ebc973a794000015f5946eb59b82705d701d487475406b2612f1",
+    "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
-    "zh:88bc65197bd74ff408d147b32f0045372ae3a3f2a2fdd7f734f315d988c0e4a2",
+    "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
-    "zh:91bd3c9f625f177f3a5d641a64e54d4b4540cb071070ecda060a8261fb6eb2ef",
+    "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
-    "zh:a6818842b28d800f784e0c93284ff602b0c4022f407e4750da03f50b853a9a2c",
+    "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
-    "zh:c4a1a2b52abd05687e6cfded4a789dcd7b43e7a746e4d02dd1055370cf9a994d",
+    "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
-    "zh:cf65041bf12fc3bde709c1d267dbe94142bc05adcabc4feb17da3b12249132ac",
+    "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
-    "zh:e385e00e7425dda9d30b74ab4ffa4636f4b8eb23918c0b763f0ffab84ece0c5c",
+    "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
    "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
  ]
 }
 provider "registry.terraform.io/opentelekomcloud/opentelekomcloud" {
-  version     = "1.22.5"
+  version     = "1.23.6"
-  constraints = "1.22.5"
+  constraints = "~> 1.23.4"
  hashes = [
-    "h1:H20WxSx+j2JyrqHAgqsrV3rMWEOEZVEQuA7upz/1IgY=",
+    "h1:B/1Md957jWaDgFqsJDzmJc75KwL0eC/PCVuZ8HV5xSc=",
-    "zh:276ab06e7c011351fc5a803fea0321a9d12b1353bd43f5389f3bbf491e31fc41",
+    "zh:1aa79010869d082157fb44fc83c3bff4e40938ec0ca916f704d974c7f7ca39e4",
-    "zh:3191dc598ea4e4c99d08a2b1a5f65710dbcc1a892b1f9dde7b52515f32028319",
+    "zh:3155b8366828ce50231f69962b55df1e2261ed63c44bb64e2c950dd68769df1b",
-    "zh:43db37c5fb6a886ce3bbc2aa730854476da7dd0340622ad874998041fa96f7a2",
+    "zh:4a909617aa96a6d8aead14f56996ad94e0a1cae9d28e8df1ddae19c2095ed337",
-    "zh:45f3e2677a4c35bd88d435c906224092e0dde17055a203b474da2eeacffbf9b7",
+    "zh:4f71046719632b4b90f88d29d8ba88915ee6ad66cd9d7ebe84a7459013e5003a",
-    "zh:504568581e561130fc0a9ceb6514e9664c67e3a89cd6c912f64c82f0a0305a30",
+    "zh:67e4d10b2db79ad78ae2ec8d9dfac53c4721028f97f4436a7aa45e80b1beefd3",
-    "zh:5646c76cbe710fd0acde409cdcfb352dd53a282c0207e46e33ac5714d0eaa0b9",
+    "zh:7f12541fc5a3513e5522ff2bd5fee17d1e67bfe64f9ef59d03863fc7389e12ce",
-    "zh:578b0f5d43f156f86ca6a63604da6e968f035d0b4bf6ccfc83db284fd31057f6",
+    "zh:86fadabfc8307cf6084a412ffc9c797ec94932d08bc663a3fcebf98101e951f6",
-    "zh:784459b8350dc650f01e6866bcec0632e8b5a8733d81e6ed53bc8cc1254abb92",
+    "zh:98744b39c2bfe3e8e6f929f750a689971071b257f3f066f669f93c8e0b76d179",
-    "zh:970aa873a81994cddf84279b255d3f51a4138b23cb9162707cefb84042451bfc",
+    "zh:c363d41debb060804e2c6bd9cb50b4e8daa37362299e3ea74e187265cd85f2ca",
    "zh:e892b8b6225a46067586b8e54a7102ac1b0fc296b4851dab3d4cc185de538d66",
    "zh:f8c4699eebe99ac93d9cdccfcc809a5bd3d6c238be136d5a26c4e812ef30ec32",
  ]
 }
--- a/cloud/terraform/otc/main.tf
+++ b/cloud/terraform/otc/main.tf
@ -14,24 +14,18 @@ resource "opentelekomcloud_networking_secgroup_rule_v2" "secgroup_rule_1" {
  security_group_id = opentelekomcloud_networking_secgroup_v2.secgroup_1.id
 }
-resource "opentelekomcloud_networking_network_v2" "network_1" {
+resource "opentelekomcloud_vpc_v1" "vpc_1" {
-  name = var.network_name
+  name = var.vpc_name
  cidr = var.vpc_cidr
 }
-resource "opentelekomcloud_networking_subnet_v2" "subnet_1" {
+resource "opentelekomcloud_vpc_subnet_v1" "subnet_1" {
-  name            = var.subnet_name
+  name   = var.subnet_name
-  network_id      = opentelekomcloud_networking_network_v2.network_1.id
+  cidr   = var.subnet_cidr
-  cidr            = "192.168.0.0/24"
+  vpc_id = opentelekomcloud_vpc_v1.vpc_1.id
  dns_nameservers = ["1.1.1.1", "8.8.8.8"]
 }
-resource "opentelekomcloud_networking_router_v2" "router_1" {
+  gateway_ip = var.subnet_gateway_ip
-  name = var.router_name
+  dns_list   = ["100.125.4.25", "100.125.129.199"]
 }
 resource "opentelekomcloud_networking_router_interface_v2" "router_interface_1" {
  router_id = opentelekomcloud_networking_router_v2.router_1.id
  subnet_id = opentelekomcloud_networking_subnet_v2.subnet_1.id
 }
 resource "random_id" "tpot" {
@ -39,33 +33,36 @@ resource "random_id" "tpot" {
  prefix      = var.ecs_prefix
 }
-resource "opentelekomcloud_compute_instance_v2" "ecs_1" {
+resource "opentelekomcloud_ecs_instance_v1" "ecs_1" {
  name     = random_id.tpot.b64_url
  image_id = data.opentelekomcloud_images_image_v2.debian.id
  flavor   = var.ecs_flavor
  vpc_id   = opentelekomcloud_vpc_v1.vpc_1.id
  nics {
    network_id = opentelekomcloud_vpc_subnet_v1.subnet_1.id
  }
  system_disk_size  = var.ecs_disk_size
  system_disk_type  = "SAS"
  security_groups   = [opentelekomcloud_networking_secgroup_v2.secgroup_1.id]
  availability_zone = var.availability_zone
-  name              = random_id.tpot.b64_std
+  key_name          = var.key_pair
-  flavor_name       = var.flavor
+  user_data         = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
-  key_pair          = var.key_pair
+}
  security_groups   = [opentelekomcloud_networking_secgroup_v2.secgroup_1.name]
  user_data         = templatefile("../cloud-init.yaml", {timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password})
-  network {
+resource "opentelekomcloud_vpc_eip_v1" "eip_1" {
-    name = opentelekomcloud_networking_network_v2.network_1.name
+  publicip {
    type = "5_bgp"
  }
-
+  bandwidth {
-  block_device {
+    name       = "bandwidth-${random_id.tpot.b64_url}"
-    uuid                  = data.opentelekomcloud_images_image_v2.debian.id
+    size       = var.eip_size
-    source_type           = "image"
+    share_type = "PER"
    volume_size           = var.volume_size
    destination_type      = "volume"
    delete_on_termination = "true"
  }
  depends_on = [opentelekomcloud_networking_router_interface_v2.router_interface_1]
 }
-resource "opentelekomcloud_networking_floatingip_v2" "floatip_1" {
+resource "opentelekomcloud_compute_floatingip_associate_v2" "fip_1" {
-}
+  floating_ip = opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address
-
+  instance_id = opentelekomcloud_ecs_instance_v1.ecs_1.id
 resource "opentelekomcloud_compute_floatingip_associate_v2" "fip_2" {
  floating_ip = opentelekomcloud_networking_floatingip_v2.floatip_1.address
  instance_id = opentelekomcloud_compute_instance_v2.ecs_1.id
 }
--- a/cloud/terraform/otc/outputs.tf
+++ b/cloud/terraform/otc/outputs.tf
@ -1,11 +1,11 @@
 output "Admin_UI" {
-  value = "https://${opentelekomcloud_networking_floatingip_v2.floatip_1.address}:64294"
+  value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64294"
 }
 output "SSH_Access" {
-  value = "ssh -p 64295 linux@${opentelekomcloud_networking_floatingip_v2.floatip_1.address}"
+  value = "ssh -p 64295 linux@${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}"
 }
 output "Web_UI" {
-  value = "https://${opentelekomcloud_networking_floatingip_v2.floatip_1.address}:64297"
+  value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64297"
 }
--- a/cloud/terraform/otc/provider.tf
+++ b/cloud/terraform/otc/provider.tf
@ -1,3 +1,3 @@
 provider "opentelekomcloud" {
-    cloud = "open-telekom-cloud"
+  cloud = "open-telekom-cloud"
 }
--- a/cloud/terraform/otc/variables.tf
+++ b/cloud/terraform/otc/variables.tf
@ -1,4 +1,4 @@
-# cloud-init configuration
+## cloud-init configuration ##
 variable "timezone" {
  default = "UTC"
 }
@ -6,66 +6,93 @@ variable "timezone" {
 variable "linux_password" {
  #default = "LiNuXuSeRPaSs#"
  description = "Set a password for the default user"
  validation {
    condition     = length(var.linux_password) > 0
    error_message = "Please specify a password for the default user."
  }
 }
-# Cloud resources name configuration
+## Security Group ##
 variable "secgroup_name" {
-  default = "tpot-secgroup"
+  default = "sg-tpot"
 }
 variable "secgroup_desc" {
-  default = "T-Pot Security Group"
+  default = "Security Group for T-Pot"
 }
-variable "network_name" {
+## Virtual Private Cloud ##
-  default = "tpot-network"
+variable "vpc_name" {
  default = "vpc-tpot"
 }
 variable "vpc_cidr" {
  default = "192.168.0.0/16"
 }
 ## Subnet ##
 variable "subnet_name" {
-  default = "tpot-subnet"
+  default = "subnet-tpot"
 }
-variable "router_name" {
+variable "subnet_cidr" {
-  default = "tpot-router"
+  default = "192.168.0.0/24"
 }
 variable "subnet_gateway_ip" {
  default = "192.168.0.1"
 }
 ## Elastic Cloud Server ##
 variable "ecs_prefix" {
  default = "tpot-"
 }
-# ECS configuration
+variable "ecs_flavor" {
-variable "availability_zone" {
+  default = "s3.medium.8"
  default = "eu-de-03"
  description = "Select an availability zone"
 }
-variable "flavor" {
+variable "ecs_disk_size" {
-  default = "s3.medium.8"
+  default = "128"
-  description = "Select a compute flavor"
+}
 variable "availability_zone" {
  default = "eu-de-03"
 }
 variable "key_pair" {
  #default = ""
  description = "Specify your SSH key pair"
  validation {
    condition     = length(var.key_pair) > 0
    error_message = "Please specify a Key Pair."
  }
 }
-variable "volume_size" {
+## Elastic IP ##
-  default = "128"
+variable "eip_size" {
-  description = "Set the volume size"
+  default = "100"
 }
-# These will go in the generated tpot.conf file
+## These will go in the generated tpot.conf file ##
 variable "tpot_flavor" {
-  default = "STANDARD"
+  default     = "STANDARD"
  description = "Specify your tpot flavor [STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN, MEDICAL]"
 }
 variable "web_user" {
-  default = "webuser"
+  default     = "webuser"
  description = "Set a username for the web user"
 }
 variable "web_password" {
  #default = "w3b$ecret"
  description = "Set a password for the web user"
  validation {
    condition     = length(var.web_password) > 0
    error_message = "Please specify a password for the web user."
  }
 }
--- a/cloud/terraform/otc/versions.tf
+++ b/cloud/terraform/otc/versions.tf
@ -2,12 +2,12 @@ terraform {
  required_version = ">= 0.13"
  required_providers {
    opentelekomcloud = {
-      source = "opentelekomcloud/opentelekomcloud"
+      source  = "opentelekomcloud/opentelekomcloud"
-      version = "1.22.5"
+      version = "~> 1.23.4"
    }
    random = {
-      source = "hashicorp/random"
+      source  = "hashicorp/random"
-      version = "~> 3.0.1"
+      version = "~> 3.1.0"
    }
  }
 }
--- a/docker/adbhoney/Dockerfile
+++ b/docker/adbhoney/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Include dist
 ADD dist/ /root/dist/
@ -23,7 +23,7 @@ RUN apk -U add \
    addgroup -g 2000 adbhoney && \
    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 adbhoney && \
    chown -R adbhoney:adbhoney /opt/adbhoney && \
-    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
 #
 # Clean up
    apk del --purge git \
--- a/docker/adbhoney/docker-compose.yml
+++ b/docker/adbhoney/docker-compose.yml
@ -14,7 +14,8 @@ services:
     - adbhoney_local
    ports:
     - "5555:5555"
-    image: "ghcr.io/telekom-security/adbhoney:2006"
+#    image: "dtagdevsec/adbhoney:2006"
    image: "dtagdevsec/adbhoney:2006"
    read_only: true
    volumes:
     - /data/adbhoney/log:/opt/adbhoney/log
--- a/docker/ciscoasa/Dockerfile
+++ b/docker/ciscoasa/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Include dist
 ADD dist/ /root/dist/
--- a/docker/ciscoasa/docker-compose.yml
+++ b/docker/ciscoasa/docker-compose.yml
@ -13,7 +13,7 @@ services:
    ports:
     - "5000:5000/udp"
     - "8443:8443"
-    image: "ghcr.io/telekom-security/ciscoasa:2006"
+    image: "dtagdevsec/ciscoasa:2006"
    read_only: true
    volumes:
     - /data/ciscoasa/log:/var/log/ciscoasa
--- a/docker/citrixhoneypot/Dockerfile
+++ b/docker/citrixhoneypot/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Install packages
 RUN apk -U add \
@ -29,7 +29,7 @@ RUN apk -U add \
    addgroup -g 2000 citrixhoneypot && \
    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 citrixhoneypot && \
    chown -R citrixhoneypot:citrixhoneypot /opt/citrixhoneypot && \
-    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
 #
 # Clean up
    apk del --purge git \
--- a/docker/citrixhoneypot/docker-compose.yml
+++ b/docker/citrixhoneypot/docker-compose.yml
@ -14,7 +14,7 @@ services:
     - citrixhoneypot_local
    ports:
     - "443:443"
-    image: "ghcr.io/telekom-security/citrixhoneypot:2006"
+    image: "dtagdevsec/citrixhoneypot:2006"
    read_only: true
    volumes:
     - /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
--- a/docker/conpot/Dockerfile
+++ b/docker/conpot/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:edge
+FROM alpine:3.14
 #
 # Include dist
 ADD dist/ /root/dist/
@ -28,7 +28,6 @@ RUN apk -U add \
 # Setup ConPot
    git clone https://github.com/mushorg/conpot /opt/conpot && \
    cd /opt/conpot/ && \
 #    git checkout ff09e009d10d953aa7dcff2c06b7c890e6ffd4b7 && \
    git checkout 804fd65aa3b7ffa31c07fd4e863d4a5500414cf3 && \
    # Change template default ports if <1024
    sed -i 's/port="2121"/port="21"/' /opt/conpot/conpot/templates/default/ftp/ftp.xml && \ 
@ -45,13 +44,13 @@ RUN apk -U add \
    pip3 install --no-cache-dir pysnmp-mibs && \
    cd / && \
    rm -rf /opt/conpot /tmp/* /var/tmp/* && \
-    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
 #    
 # Get wireshark manuf db for scapy, setup configs, user, groups
    mkdir -p /etc/conpot /var/log/conpot /usr/share/wireshark && \
    wget https://github.com/wireshark/wireshark/raw/master/manuf -o /usr/share/wireshark/manuf && \
    cp /root/dist/conpot.cfg /etc/conpot/conpot.cfg && \
-    cp -R /root/dist/templates /usr/lib/python3.8/site-packages/conpot/ && \
+    cp -R /root/dist/templates /usr/lib/python3.9/site-packages/conpot/ && \
    addgroup -g 2000 conpot && \
    adduser -S -s /bin/ash -u 2000 -D -g 2000 conpot && \
 #
--- a/docker/conpot/dist/conpot.cfg
+++ b/docker/conpot/dist/conpot.cfg
@ -3,7 +3,7 @@ sensorid = conpot
 [virtual_file_system]
 data_fs_url = %(CONPOT_TMP)s
-fs_url = tar:///usr/lib/python3.8/site-packages/conpot/data.tar
+fs_url = tar:///usr/lib/python3.9/site-packages/conpot/data.tar
 [session]
 timeout = 30
--- a/docker/conpot/docker-compose.yml
+++ b/docker/conpot/docker-compose.yml
@ -26,16 +26,16 @@ services:
    networks:
     - conpot_local_default
    ports:
-#    - "69:69"        
+#    - "69:69/udp"        
     - "80:80"
     - "102:102"
-     - "161:161"
+     - "161:161/udp"
     - "502:502"
-#     - "623:623"
+#     - "623:623/udp"
     - "2121:21"
     - "44818:44818"
-     - "47808:47808"
+     - "47808:47808/udp"
-    image: "ghcr.io/telekom-security/conpot:2006"
+    image: "dtagdevsec/conpot:2006"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot
@ -56,9 +56,9 @@ services:
    networks:
     - conpot_local_IEC104
    ports:
-#     - "161:161"
+#     - "161:161/udp"
     - "2404:2404"
-    image: "ghcr.io/telekom-security/conpot:2006"
+    image: "dtagdevsec/conpot:2006"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot
@ -80,7 +80,7 @@ services:
     - conpot_local_guardian_ast
    ports:
     - "10001:10001"
-    image: "ghcr.io/telekom-security/conpot:2006"
+    image: "dtagdevsec/conpot:2006"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot
@ -101,8 +101,8 @@ services:
    networks:
     - conpot_local_ipmi
    ports:
-     - "623:623"
+     - "623:623/udp"
-    image: "ghcr.io/telekom-security/conpot:2006"
+    image: "dtagdevsec/conpot:2006"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot
@ -125,7 +125,7 @@ services:
    ports:
     - "1025:1025"
     - "50100:50100"
-    image: "ghcr.io/telekom-security/conpot:2006"
+    image: "dtagdevsec/conpot:2006"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot
--- a/docker/cowrie/Dockerfile
+++ b/docker/cowrie/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Include dist
 ADD dist/ /root/dist/
@ -17,12 +17,7 @@ RUN apk -U add \
             openssl-dev \
             py3-pip \
             python3 \
-             python3-dev \
+             python3-dev && \
 	     py3-bcrypt \
 	     py3-cryptography \
             py3-mysqlclient \
             py3-requests \
             py3-setuptools && \
 #
 # Setup user
    addgroup -g 2000 cowrie && \
@ -31,11 +26,13 @@ RUN apk -U add \
 # Install cowrie
    mkdir -p /home/cowrie && \
    cd /home/cowrie && \
-    git clone --depth=1 https://github.com/micheloosterhof/cowrie -b v2.2.0 && \
+    git clone --depth=1 https://github.com/micheloosterhof/cowrie -b v2.3.0 && \
    cd cowrie && \
 #    git checkout 6b1e82915478292f1e77ed776866771772b48f2e && \
 #    sed -i s/logfile.DailyLogFile/logfile.LogFile/g src/cowrie/python/logfile.py && \
    mkdir -p log && \
-    cp /root/dist/requirements.txt . && \
+    sed -i '/packaging.*/d' requirements.txt && \
    pip3 install --upgrade pip && \
    pip3 install -r requirements.txt && \
 #
 # Setup configs
--- a/docker/cowrie/dist/cowrie.cfg
+++ b/docker/cowrie/dist/cowrie.cfg
@ -36,6 +36,11 @@ rsa_public_key = etc/ssh_host_rsa_key.pub
 rsa_private_key = etc/ssh_host_rsa_key
 dsa_public_key = etc/ssh_host_dsa_key.pub
 dsa_private_key = etc/ssh_host_dsa_key
 ecdsa_public_key = etc/ssh_host_ecdsa_key.pub
 ecdsa_private_key = etc/ssh_host_ecdsa_key
 ed25519_public_key = etc/ssh_host_ed25519_key.pub
 ed25519_private_key = etc/ssh_host_ed25519_key
 public_key_auth = ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
 #version = SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
 version = SSH-2.0-OpenSSH_7.9p1
 ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc
--- a/docker/cowrie/dist/requirements.txt
+++ b/docker/cowrie/dist/requirements.txt
@ -1,14 +0,0 @@
 appdirs==1.4.4
 attrs==20.3.0
 bcrypt==3.2.0
 configparser==5.0.1
 #cryptography==3.4.5
 #packaging==20.9
 pyasn1_modules==0.2.8
 pyopenssl==20.0.1
 pyparsing==2.4.7
 python-dateutil==2.8.1
 service_identity==18.1.0
 tftpy==0.8.0
 treq==21.1.0
 twisted==20.3.0
--- a/docker/cowrie/docker-compose.yml
+++ b/docker/cowrie/docker-compose.yml
@ -18,7 +18,7 @@ services:
    ports:
     - "22:22"
     - "23:23"
-    image: "ghcr.io/telekom-security/cowrie:2006"
+    image: "dtagdevsec/cowrie:2006"
    read_only: true
    volumes:
     - /data/cowrie/downloads:/home/cowrie/cowrie/dl
--- a/docker/cyberchef/Dockerfile
+++ b/docker/cyberchef/Dockerfile
@ -1,30 +1,30 @@
-FROM alpine:3.10
+FROM node:10.24.1-alpine3.11 as builder
 #
 # Get and install dependencies & packages
 RUN apk -U --no-cache add \
            curl \
            git \
            npm \
            nodejs && \
    npm install npm@latest -g && \
    npm install -g grunt-cli http-server && \
 #
 # Install CyberChef 
-    cd /root && \
+RUN apk -U --no-cache add git
-    git clone https://github.com/gchq/cyberchef -b v9.27.0 && \
+RUN chown -R node:node /srv
-    cd cyberchef && \
+RUN npm install -g grunt-cli
-    npm install && \
+WORKDIR /srv
-    grunt prod && \
+USER node
-    mkdir -p /opt/cyberchef && \
+RUN git clone https://github.com/gchq/cyberchef -b v9.32.3 .
-    mv build/prod/* /opt/cyberchef && \
+ENV NODE_OPTIONS=--max_old_space_size=2048
-    cd / && \
+RUN npm install
 RUN grunt prod
 #
 # Move from builder
 FROM alpine:3.14
 #
 RUN apk -U --no-cache add \
      curl \
      npm && \
      npm install -g http-server && \
 #
 # Clean up
    apk del --purge git \
                    npm && \
    rm -rf /root/* && \
    rm -rf /var/cache/apk/*
 #
 COPY --from=builder /srv/build/prod /opt/cyberchef
 #
 # Healthcheck
 HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:8000'
 #
--- a/docker/cyberchef/docker-compose.yml
+++ b/docker/cyberchef/docker-compose.yml
@ -14,5 +14,5 @@ services:
     - cyberchef_local
    ports:
     - "127.0.0.1:64299:8000"
-    image: "ghcr.io/telekom-security/cyberchef:2006"
+    image: "dtagdevsec/cyberchef:2006"
    read_only: true
--- a/docker/ddospot/Dockerfile
+++ b/docker/ddospot/Dockerfile
@ -0,0 +1,52 @@
 FROM alpine:3.14
 #
 # Install packages
 RUN apk -U add \
             build-base \
             git \
 	     libcap \
 	     py3-pip \
             python3 \
             python3-dev && \
 #	     
 # Install ddospot from GitHub and setup
    mkdir -p /opt && \
    cd /opt/ && \
    git clone https://github.com/aelth/ddospot && \
    cd ddospot && \
    git checkout 49f515237bd2d5744290ed21dcca9b53def243ba && \
    # We only want JSON events, setting logger format to ('') ...
    sed -i "/handler.setFormatter(logging.Formatter(/{n;N;d}" /opt/ddospot/ddospot/core/potloader.py && \
    sed -i "s#handler.setFormatter(logging.Formatter(#handler.setFormatter(logging.Formatter(''))#g" /opt/ddospot/ddospot/core/potloader.py && \
    # ... and remove msg from log message for individual honeypots
    sed -i "s#self.logger.info('\%s - \%s' \% (msg, raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/chargen/chargen.py && \
    sed -i "s#self.logger.info('New DNS query - \%s' \% (raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/dns/dns.py && \
    sed -i "s#self.logger.info('\%s - \%s' \% (msg, raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/generic/generic.py && \
    sed -i "s#self.logger.info('\%s - \%s' \% (msg, raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/ntp/ntp.py && \
    sed -i "s#self.logger.info('\%s - \%s' \% (msg, raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/ssdp/ssdp.py && \
    # We are using logrotate
    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/chargen/chargenpot.conf && \
    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/dns/dnspot.conf && \
    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/generic/genericpot.conf && \
    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/ntp/ntpot.conf && \
    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/ssdp/ssdpot.conf && \
    pip3 install -r ddospot/requirements.txt && \
    setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
 #
 # Setup user, groups and configs
    addgroup -g 2000 ddospot && \
    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 ddospot && \
    chown ddospot:ddospot -R /opt/ddospot && \
 #
 # Clean up
    apk del --purge build-base \
                    git \
 		    python3-dev && \
    rm -rf /root/* && \
    rm -rf /var/cache/apk/*
 #
 # Start ddospot
 STOPSIGNAL SIGINT
 USER ddospot:ddospot
 WORKDIR /opt/ddospot/ddospot/
 CMD ["/usr/bin/python3","ddospot.py", "-n"]
--- a/docker/ddospot/docker-compose.yml
+++ b/docker/ddospot/docker-compose.yml
@ -0,0 +1,26 @@
 version: '2.3'
 networks:
  ddospot_local:
 services:
 # Ddospot service
  ddospot:
    build: .
    container_name: ddospot
    restart: always
    networks:
     - ddospot_local
    ports:
     - "19:19/udp"
     - "53:53/udp"
     - "123:123/udp"
 #     - "161:161/udp"
     - "1900:1900/udp"
    image: "dtagdevsec/ddospot:2006"
    read_only: true
    volumes:
     - /data/ddospot/log:/opt/ddospot/ddospot/logs
     - /data/ddospot/bl:/opt/ddospot/ddospot/bl
     - /data/ddospot/db:/opt/ddospot/ddospot/db
--- a/docker/dicompot/Dockerfile
+++ b/docker/dicompot/Dockerfile
@ -1,7 +1,7 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Setup apk
-RUN apk -U add \
+RUN apk -U add --no-cache \
                   build-base \
                   git \
                   g++ && \
--- a/docker/dicompot/docker-compose.yml
+++ b/docker/dicompot/docker-compose.yml
@ -17,7 +17,7 @@ services:
     - dicompot_local
    ports:
     - "11112:11112"
-    image: "ghcr.io/telekom-security/dicompot:2006"
+    image: "dtagdevsec/dicompot:2006"
    read_only: true
    volumes:
     - /data/dicompot/log:/var/log/dicompot
--- a/docker/dionaea/Dockerfile
+++ b/docker/dionaea/Dockerfile
@ -1,15 +1,14 @@
-FROM debian:buster-slim
+FROM ubuntu:20.04
 ENV DEBIAN_FRONTEND noninteractive
 #
 # Include dist
 ADD dist/ /root/dist/
 #
 # Install dependencies and packages
-RUN apt-get update && \
+RUN apt-get update -y && \
-    apt-get install netselect-apt -y && \
+    apt-get install wget -y && \
-    netselect-apt && \
+    wget http://archive.ubuntu.com/ubuntu/pool/universe/libe/libemu/libemu2_0.2.0+git20120122-1.2build1_amd64.deb http://archive.ubuntu.com/ubuntu/pool/universe/libe/libemu/libemu-dev_0.2.0+git20120122-1.2build1_amd64.deb && \
-    mv sources.list /etc/apt/ && \
+    apt install ./libemu2_0.2.0+git20120122-1.2build1_amd64.deb ./libemu-dev_0.2.0+git20120122-1.2build1_amd64.deb -y && \
    apt-get update -y && \
    apt-get dist-upgrade -y && \
    apt-get install -y --no-install-recommends \
 	build-essential \
@ -20,7 +19,7 @@ RUN apt-get update && \
 	git \
        libcap2-bin \
 	libcurl4-openssl-dev \
-	libemu-dev \
+#	libemu-dev \
 	libev-dev \
 	libglib2.0-dev \
 	libloudmouth1-dev \
@ -82,7 +81,8 @@ RUN apt-get update && \
      python3-dev \   
      python3-boto3 \
      python3-bson \
-      python3-yaml && \ 
+      python3-yaml \ 
      wget && \ 
 #
    apt-get install -y \
      ca-certificates \
@ -97,7 +97,8 @@ RUN apt-get update && \
      libnetfilter-queue1 \
      libnl-3-200 \
      libpcap0.8 \
-      libpython3.7 \
+#      libpython3.6 \
      libpython3.8 \
      libudns0 && \
 #
    apt-get autoremove --purge -y && \
--- a/docker/dionaea/docker-compose.yml
+++ b/docker/dionaea/docker-compose.yml
@ -31,7 +31,7 @@ services:
     - "5060:5060/udp"
     - "5061:5061"
     - "27017:27017"
-    image: "ghcr.io/telekom-security/dionaea:2006"
+    image: "dtagdevsec/dionaea:2006"
    read_only: true
    volumes:
     - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@ -10,98 +10,98 @@ services:
 # Adbhoney service
  adbhoney:
    build: adbhoney/.
-    image: "ghcr.io/telekom-security/adbhoney:2006"
+    image: "dtagdevsec/adbhoney:2006"
 # Ciscoasa service
  ciscoasa:
    build: ciscoasa/.
-    image: "ghcr.io/telekom-security/ciscoasa:2006"
+    image: "dtagdevsec/ciscoasa:2006"
 # CitrixHoneypot service
  citrixhoneypot:
    build: citrixhoneypot/.
-    image: "ghcr.io/telekom-security/citrixhoneypot:2006"
+    image: "dtagdevsec/citrixhoneypot:2006"
 # Conpot IEC104 service
  conpot_IEC104:
    build: conpot/.
-    image: "ghcr.io/telekom-security/conpot:2006"
+    image: "dtagdevsec/conpot:2006"
 # Cowrie service
  cowrie:
    build: cowrie/.
-    image: "ghcr.io/telekom-security/cowrie:2006"
+    image: "dtagdevsec/cowrie:2006"
 # Dicompot service
  dicompot:
    build: dicompot/.
-    image: "ghcr.io/telekom-security/dicompot:2006"
+    image: "dtagdevsec/dicompot:2006"
 # Dionaea service
  dionaea:
    build: dionaea/.
-    image: "ghcr.io/telekom-security/dionaea:2006"
+    image: "dtagdevsec/dionaea:2006"
 # ElasticPot service
  elasticpot:
    build: elasticpot/.
-    image: "ghcr.io/telekom-security/elasticpot:2006"
+    image: "dtagdevsec/elasticpot:2006"
 # Glutton service
  glutton:
    build: glutton/.
-    image: "ghcr.io/telekom-security/glutton:2006"
+    image: "dtagdevsec/glutton:2006"
 # Heralding service
  heralding:
    build: heralding/.
-    image: "ghcr.io/telekom-security/heralding:2006"
+    image: "dtagdevsec/heralding:2006"
 # HoneyPy service
  honeypy:
    build: honeypy/.
-    image: "ghcr.io/telekom-security/honeypy:2006"
+    image: "dtagdevsec/honeypy:2006"
 # Honeytrap service
  honeytrap:
    build: honeytrap/.
-    image: "ghcr.io/telekom-security/honeytrap:2006"
+    image: "dtagdevsec/honeytrap:2006"
 # Mailoney service
  mailoney:
    build: mailoney/.
-    image: "ghcr.io/telekom-security/mailoney:2006"
+    image: "dtagdevsec/mailoney:2006"
 # Medpot service
  medpot:
    build: medpot/.
-    image: "ghcr.io/telekom-security/medpot:2006"
+    image: "dtagdevsec/medpot:2006"
 # Rdpy service
  rdpy:
    build: rdpy/.
-    image: "ghcr.io/telekom-security/rdpy:2006"
+    image: "dtagdevsec/rdpy:2006"
 #### Snare / Tanner
 ## Tanner Redis Service
  tanner_redis:
    build: tanner/redis/.
-    image: "ghcr.io/telekom-security/redis:2006"
+    image: "dtagdevsec/redis:2006"
 ## PHP Sandbox service
  tanner_phpox:
    build: tanner/phpox/.
-    image: "ghcr.io/telekom-security/phpox:2006"
+    image: "dtagdevsec/phpox:2006"
 ## Tanner API Service
  tanner_api:
    build: tanner/tanner/.
-    image: "ghcr.io/telekom-security/tanner:2006"
+    image: "dtagdevsec/tanner:2006"
 ## Snare Service
  snare:
    build: tanner/snare/.
-    image: "ghcr.io/telekom-security/snare:2006"
+    image: "dtagdevsec/snare:2006"
 ##################
@ -111,17 +111,17 @@ services:
 # Fatt service
  fatt:
    build: fatt/.
-    image: "ghcr.io/telekom-security/fatt:2006"
+    image: "dtagdevsec/fatt:2006"
 # P0f service
  p0f:
    build: p0f/.
-    image: "ghcr.io/telekom-security/p0f:2006"
+    image: "dtagdevsec/p0f:2006"
 # Suricata service
  suricata:
    build: suricata/.
-    image: "ghcr.io/telekom-security/suricata:2006"
+    image: "dtagdevsec/suricata:2006"
 ##################
@ -131,40 +131,40 @@ services:
 # Cyberchef service
  cyberchef:
    build: cyberchef/.
-    image: "ghcr.io/telekom-security/cyberchef:2006"
+    image: "dtagdevsec/cyberchef:2006"
 #### ELK
 ## Elasticsearch service
  elasticsearch:
    build: elk/elasticsearch/.
-    image: "ghcr.io/telekom-security/elasticsearch:2006"
+    image: "dtagdevsec/elasticsearch:2006"
 ## Kibana service
  kibana:
    build: elk/kibana/.
-    image: "ghcr.io/telekom-security/kibana:2006"
+    image: "dtagdevsec/kibana:2006"
 ## Logstash service
  logstash:
    build: elk/logstash/.
-    image: "ghcr.io/telekom-security/logstash:2006"
+    image: "dtagdevsec/logstash:2006"
 ## Elasticsearch-head service
  head:
    build: elk/head/.
-    image: "ghcr.io/telekom-security/head:2006"
+    image: "dtagdevsec/head:2006"
 # Ewsposter service
  ewsposter:
    build: ews/.
-    image: "ghcr.io/telekom-security/ewsposter:2006"
+    image: "dtagdevsec/ewsposter:2006"
 # Nginx service
  nginx:
    build: heimdall/.
-    image: "ghcr.io/telekom-security/nginx:2006"
+    image: "dtagdevsec/nginx:2006"
 # Spiderfoot service
  spiderfoot:
    build: spiderfoot/.
-    image: "ghcr.io/telekom-security/spiderfoot:2006"
+    image: "dtagdevsec/spiderfoot:2006"
--- a/docker/elasticpot/Dockerfile
+++ b/docker/elasticpot/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Include dist
 ADD dist/ /root/dist/
--- a/docker/elasticpot/docker-compose.yml
+++ b/docker/elasticpot/docker-compose.yml
@ -14,7 +14,7 @@ services:
     - elasticpot_local
    ports:
     - "9200:9200"
-    image: "ghcr.io/telekom-security/elasticpot:2006"
+    image: "dtagdevsec/elasticpot:2006"
    read_only: true
    volumes:
     - /data/elasticpot/log:/opt/elasticpot/log
--- a/docker/elk/docker-compose.yml
+++ b/docker/elk/docker-compose.yml
@ -10,7 +10,7 @@ services:
    restart: always
    environment:
     - bootstrap.memory_lock=true
-     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+#     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
     - ES_TMPDIR=/tmp
    cap_add:
     - IPC_LOCK
@ -21,10 +21,10 @@ services:
      nofile:
        soft: 65536
        hard: 65536
-    mem_limit: 4g
+#    mem_limit: 4g
    ports:
     - "127.0.0.1:64298:9200"
-    image: "ghcr.io/telekom-security/elasticsearch:2006"
+    image: "dtagdevsec/elasticsearch:2006"
    volumes:
     - /data:/data
@ -39,21 +39,21 @@ services:
        condition: service_healthy
    ports:
     - "127.0.0.1:64296:5601"
-    image: "ghcr.io/telekom-security/kibana:2006"
+    image: "dtagdevsec/kibana:2006"
 ## Logstash service
  logstash:
    build: logstash/.
    container_name: logstash
    restart: always
-    environment:
+#    environment:
-     - LS_JAVA_OPTS=-Xms2048m -Xmx2048m
+#     - LS_JAVA_OPTS=-Xms2048m -Xmx2048m
    depends_on:
      elasticsearch:
        condition: service_healthy
    env_file:
     - /opt/tpot/etc/compose/elk_environment
-    image: "ghcr.io/telekom-security/logstash:2006"
+    image: "dtagdevsec/logstash:2006"
    volumes:
     - /data:/data
 #     - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf
@ -68,5 +68,5 @@ services:
        condition: service_healthy
    ports:
     - "127.0.0.1:64302:9100"
-    image: "ghcr.io/telekom-security/head:2006"
+    image: "dtagdevsec/head:2006"
    read_only: true
--- a/docker/elk/elasticsearch/Dockerfile
+++ b/docker/elk/elasticsearch/Dockerfile
@ -1,25 +1,28 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # VARS
-ENV ES_VER=7.11.1 \
+ENV ES_VER=7.17.0 \
-    JAVA_HOME=/usr/lib/jvm/java-11-openjdk
+    ES_JAVA_HOME=/usr/lib/jvm/java-16-openjdk
 # Include dist
 ADD dist/ /root/dist/
 #
 # Setup env and apt
 #RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 RUN apk -U --no-cache add \
             aria2 \
             bash \
             curl \
-             nss \
+             nss && \
-             openjdk11-jre && \
+    apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/community openjdk16-jre && \
 #
 # Get and install packages
    cd /root/dist/ && \
    mkdir -p /usr/share/elasticsearch/ && \
    aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-$ES_VER-linux-x86_64.tar.gz && \
    tar xvfz elasticsearch-$ES_VER-linux-x86_64.tar.gz --strip-components=1 -C /usr/share/elasticsearch/ && \
    rm -rf /usr/share/elasticsearch/jdk && \
    rm -rf /usr/share/elasticsearch/modules/x-pack-ml && \
    # For some reason Alpine 3.14 does not report the -x flag correctly and thus elasticsearch does not find java
    sed -i 's/! -x/! -e/g' /usr/share/elasticsearch/bin/elasticsearch-env && \
 #
 # Add and move files
    cd /root/dist/ && \
@ -30,7 +33,6 @@ RUN apk -U --no-cache add \
    addgroup -g 2000 elasticsearch && \
    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 elasticsearch && \
    chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/ && \
    rm -rf /usr/share/elasticsearch/modules/x-pack-ml && \
 #
 # Clean up
    apk del --purge aria2 && \
--- a/docker/elk/elasticsearch/dist/elasticsearch.yml
+++ b/docker/elk/elasticsearch/dist/elasticsearch.yml
@ -2,7 +2,6 @@ cluster.name: tpotcluster
 node.name: "tpotcluster-node-01"
 xpack.ml.enabled: false
 xpack.security.enabled: false
 #xpack.ilm.enabled: false
 path:
    logs: /data/elk/log
    data: /data/elk/data
@ -10,7 +9,5 @@ http.host: 0.0.0.0
 http.cors.enabled: true
 http.cors.allow-origin: "*"
 indices.query.bool.max_clause_count: 2000
-cluster.initial_master_nodes:
+cluster.routing.allocation.disk.watermark.enable_for_single_data_node: true
- "tpotcluster-node-01"
+discovery.type: single-node
 discovery.zen.ping.unicast.hosts:
 - localhost 
--- a/docker/elk/elasticsearch/docker-compose.yml
+++ b/docker/elk/elasticsearch/docker-compose.yml
@ -24,6 +24,6 @@ services:
    mem_limit: 2g
    ports:
     - "127.0.0.1:64298:9200"
-    image: "ghcr.io/telekom-security/elasticsearch:2006"
+    image: "dtagdevsec/elasticsearch:2006"
    volumes:
     - /data:/data
--- a/docker/elk/head/Dockerfile
+++ b/docker/elk/head/Dockerfile
@ -1,11 +1,12 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Setup env and apt
 RUN apk -U add \
            curl \
            git \
            nodejs \
-            nodejs-npm && \
+            #nodejs-npm && \
            npm && \
 #
 # Get and install packages
    mkdir -p /usr/src/app/ && \
--- a/docker/elk/head/docker-compose.yml
+++ b/docker/elk/head/docker-compose.yml
@ -12,5 +12,5 @@ services:
    #        condition: service_healthy
    ports:
     - "127.0.0.1:64302:9100"
-    image: "ghcr.io/telekom-security/head:2006"
+    image: "dtagdevsec/head:2006"
    read_only: true
--- a/docker/elk/kibana/Dockerfile
+++ b/docker/elk/kibana/Dockerfile
@ -1,13 +1,11 @@
-FROM node:14.15.4-alpine
+FROM node:16.13.2-alpine3.14
 #
 # VARS
-ENV KB_VER=7.11.1
+ENV KB_VER=7.17.0
 # 
 # Include dist
 ADD dist/ /root/dist/
 #
 # Setup env and apt
 #RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 RUN apk -U --no-cache add \
            aria2 \
            curl \
@ -25,36 +23,17 @@ RUN apk -U --no-cache add \
 #
 # Add and move files
    cd /root/dist/ && \
 #    cp kibana.svg /usr/share/kibana/src/ui/public/images/kibana.svg && \
 #    cp kibana.svg /usr/share/kibana/src/ui/public/icons/kibana.svg && \
 #    cp elk.ico /usr/share/kibana/src/ui/public/assets/favicons/favicon.ico && \
 #    cp elk.ico /usr/share/kibana/src/ui/public/assets/favicons/favicon-16x16.png && \
 #    cp elk.ico /usr/share/kibana/src/ui/public/assets/favicons/favicon-32x32.png && \
 #
 # Setup user, groups and configs
    sed -i 's/#server.basePath: ""/server.basePath: "\/kibana"/' /usr/share/kibana/config/kibana.yml && \
    sed -i 's/#kibana.defaultAppId: "home"/kibana.defaultAppId: "dashboards"/' /usr/share/kibana/config/kibana.yml && \
    sed -i 's/#server.host: "localhost"/server.host: "0.0.0.0"/' /usr/share/kibana/config/kibana.yml && \
    sed -i 's/#elasticsearch.hosts: \["http:\/\/localhost:9200"\]/elasticsearch.hosts: \["http:\/\/elasticsearch:9200"\]/' /usr/share/kibana/config/kibana.yml && \
    sed -i 's/#server.rewriteBasePath: false/server.rewriteBasePath: false/' /usr/share/kibana/config/kibana.yml && \
-#    sed -i "s/#005571/#e20074/g" /usr/share/kibana/built_assets/css/plugins/kibana/index.css && \
+    echo "xpack.reporting.roles.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
 #    sed -i "s/#007ba4/#9e0051/g" /usr/share/kibana/built_assets/css/plugins/kibana/index.css && \
 #    sed -i "s/#00465d/#4f0028/g" /usr/share/kibana/built_assets/css/plugins/kibana/index.css && \
    echo "xpack.infra.enabled: false" >> /usr/share/kibana/config/kibana.yml && \ 
    echo "xpack.logstash.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
    echo "xpack.canvas.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
    echo "xpack.spaces.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
    echo "xpack.apm.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
    echo "xpack.security.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
    echo "xpack.uptime.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
    echo "xpack.securitySolution.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
    echo "xpack.ml.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
    echo "xpack.fleet.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
    echo "elasticsearch.requestTimeout: 60000" >> /usr/share/kibana/config/kibana.yml && \
    echo "elasticsearch.shardTimeout: 60000" >> /usr/share/kibana/config/kibana.yml && \
-# There is no switch to disable Enterprise Search, so we need to remove it
+    echo "kibana.autocompleteTimeout: 60000" >> /usr/share/kibana/config/kibana.yml && \
-# In order to remove all X-Pack features we need to use OSS versions
+    echo "kibana.autocompleteTerminateAfter: 1000000" >> /usr/share/kibana/config/kibana.yml && \
    rm -rf /usr/share/kibana/x-pack/plugins/enterprise_search && \
    rm -rf /usr/share/kibana/optimize/bundles/* && \
    /usr/share/kibana/bin/kibana --optimize --allow-root && \
    addgroup -g 2000 kibana && \
--- a/docker/elk/kibana/docker-compose.yml
+++ b/docker/elk/kibana/docker-compose.yml
@ -12,4 +12,4 @@ services:
 #        condition: service_healthy
    ports:
     - "127.0.0.1:64296:5601"
-    image: "ghcr.io/telekom-security/kibana:2006"
+    image: "dtagdevsec/kibana:2006"
--- a/docker/elk/logstash/Dockerfile
+++ b/docker/elk/logstash/Dockerfile
@ -1,7 +1,7 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # VARS
-ENV LS_VER=7.11.1
+ENV LS_VER=7.17.0
 # Include dist
 ADD dist/ /root/dist/
 #
@ -9,13 +9,15 @@ ADD dist/ /root/dist/
 #RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 RUN apk -U --no-cache add \
             aria2 \
 	     autossh \
             bash \
             bzip2 \
 	     curl \
             libc6-compat \
             libzmq \
             nss \
-             openjdk11-jre && \
+             openssh && \
    apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/community openjdk16-jre && \
 #
 # Get and install packages
    mkdir -p /etc/listbot && \
@ -28,8 +30,13 @@ RUN apk -U --no-cache add \
    aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/logstash/logstash-$LS_VER-linux-x86_64.tar.gz && \
    tar xvfz logstash-$LS_VER-linux-x86_64.tar.gz --strip-components=1 -C /usr/share/logstash/ && \
    rm -rf /usr/share/logstash/jdk && \
-    /usr/share/logstash/bin/logstash-plugin install logstash-filter-translate && \
+    # For some reason Alpine 3.14 does not report the -x flag correctly and thus elasticsearch does not find java
-    /usr/share/logstash/bin/logstash-plugin install logstash-output-syslog && \
+    sed -i 's/! -x/! -e/g' /usr/share/logstash/bin/logstash.lib.sh && \
    /usr/share/logstash/bin/logstash-plugin install --preserve --no-verify logstash-filter-translate && \
    /usr/share/logstash/bin/logstash-plugin install --preserve --no-verify logstash-input-http && \
    /usr/share/logstash/bin/logstash-plugin install --preserve --no-verify logstash-output-gelf && \
    /usr/share/logstash/bin/logstash-plugin install --preserve --no-verify logstash-output-http && \
    /usr/share/logstash/bin/logstash-plugin install --preserve --no-verify logstash-output-syslog && \
 #
 # Add and move files
    cd /root/dist/ && \
@ -37,6 +44,10 @@ RUN apk -U --no-cache add \
    chmod u+x /usr/bin/update.sh && \
    mkdir -p /etc/logstash/conf.d && \
    cp logstash.conf /etc/logstash/conf.d/ && \
    cp http_input.conf /etc/logstash/conf.d/ && \
    cp http_output.conf /etc/logstash/conf.d/ && \
    cp pipelines.yml /usr/share/logstash/config/pipelines.yml && \
    cp pipelines_pot.yml /usr/share/logstash/config/pipelines_pot.yml && \
    cp tpot_es_template.json /etc/logstash/ && \
 #
 # Setup user, groups and configs
@ -57,4 +68,5 @@ HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9600'
 # Start logstash
 #USER logstash:logstash
 #CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution --log.level debug
-CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution
+#CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/http_output.conf --config.reload.automatic --java-execution
 CMD update.sh && exec /usr/share/logstash/bin/logstash --config.reload.automatic --java-execution
--- a/docker/elk/logstash/Dockerfile.new
+++ b/docker/elk/logstash/Dockerfile.new
@ -0,0 +1,68 @@
 FROM alpine:3.14
 #
 # VARS
 ENV LS_VER=7.15.1
 # Include dist
 ADD dist/ /root/dist/
 #
 # Setup env and apt
 #RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 RUN apk -U --no-cache add \
             aria2 \
             bash \
             bzip2 \
 	     curl \
             libc6-compat \
             libzmq \
             nss && \
    apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/community openjdk16-jre && \
 #
 # Get and install packages
    mkdir -p /etc/listbot && \
    cd /etc/listbot && \
    aria2c -s16 -x 16 https://listbot.sicherheitstacho.eu/cve.yaml.bz2 && \
    aria2c -s16 -x 16 https://listbot.sicherheitstacho.eu/iprep.yaml.bz2 && \
    bunzip2 *.bz2 && \
    cd /root/dist/ && \
    mkdir -p /usr/share/logstash/ && \
    aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/logstash/logstash-$LS_VER-linux-x86_64.tar.gz && \
    tar xvfz logstash-$LS_VER-linux-x86_64.tar.gz --strip-components=1 -C /usr/share/logstash/ && \
    rm -rf /usr/share/logstash/jdk && \
    # For some reason Alpine 3.14 does not report the -x flag correctly and thus elasticsearch does not find java
    sed -i 's/! -x/! -e/g' /usr/share/logstash/bin/logstash.lib.sh && \
    /usr/share/logstash/bin/logstash-plugin install logstash-filter-translate && \
    /usr/share/logstash/bin/logstash-plugin install logstash-input-http && \
    /usr/share/logstash/bin/logstash-plugin install logstash-output-gelf && \
    /usr/share/logstash/bin/logstash-plugin install logstash-output-http && \
    /usr/share/logstash/bin/logstash-plugin install logstash-output-syslog && \
 #
 # Add and move files
    cd /root/dist/ && \
    cp update.sh /usr/bin/ && \
    chmod u+x /usr/bin/update.sh && \
    mkdir -p /etc/logstash/conf.d && \
    cp logstash.conf /etc/logstash/conf.d/ && \
    cp http.conf /etc/logstash/conf.d/ && \
    cp pipelines.yml /usr/share/logstash/config/pipelines.yml && \
    cp tpot_es_template.json /etc/logstash/ && \
 #
 # Setup user, groups and configs
    addgroup -g 2000 logstash && \
    adduser -S -H -s /bin/bash -u 2000 -D -g 2000 logstash && \
    chown -R logstash:logstash /usr/share/logstash && \
    chown -R logstash:logstash /etc/listbot && \
    chmod 755 /usr/bin/update.sh && \
 #
 # Clean up
    rm -rf /root/* && \
    rm -rf /tmp/* && \
    rm -rf /var/cache/apk/*
 #
 # Healthcheck
 HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9600'
 #
 # Start logstash
 #USER logstash:logstash
 #CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution --log.level debug
 #CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution
 CMD update.sh && exec /usr/share/logstash/bin/logstash --config.reload.automatic --java-execution
--- a/docker/elk/logstash/dist/http_input.conf
+++ b/docker/elk/logstash/dist/http_input.conf
@ -0,0 +1,19 @@
 # Input section
 input {
  http {
    id => "tpot"
    host => "0.0.0.0"
    port => "80"
  }
 }
 # Output section
 output {
  elasticsearch {
    hosts => ["elasticsearch:9200"]
    # With templates now being legacy and ILM in place we need to set the daily index with its template manually. Otherwise a new index might be created with differents settings configured through Kibana.
    index => "logstash-%{+YYYY.MM.dd}"
    template => "/etc/logstash/tpot_es_template.json"
  }
 }
--- a/docker/elk/logstash/dist/http_output.conf
+++ b/docker/elk/logstash/dist/http_output.conf
@ -0,0 +1,756 @@
 # Input section
 input {
 # Fatt                                 
  file {                                   
    path => ["/data/fatt/log/fatt.log"]
    codec => json     
    type => "Fatt"
  }  
 # Suricata
  file {
    path => ["/data/suricata/log/eve.json"]
    codec => json
    type => "Suricata"
  }
 # P0f
  file {
    path => ["/data/p0f/log/p0f.json"]
    codec => json
    type => "P0f"
  }
 # Adbhoney
  file {
    path => ["/data/adbhoney/log/adbhoney.json"]
    codec => json
    type => "Adbhoney"
  }
 # Ciscoasa
  file {
    path => ["/data/ciscoasa/log/ciscoasa.log"]
    codec => plain
    type => "Ciscoasa"
  }
 # CitrixHoneypot
  file {
    path => ["/data/citrixhoneypot/logs/server.log"]
    codec => json
    type => "CitrixHoneypot"
  }
 # Conpot
  file {
    path => ["/data/conpot/log/*.json"]
    codec => json
    type => "ConPot"
  }
 # Cowrie
  file {
    path => ["/data/cowrie/log/cowrie.json"]
    codec => json
    type => "Cowrie"
  }
 # Dionaea
  file {
    path => ["/data/dionaea/log/dionaea.json"]
    codec => json
    type => "Dionaea"
  }
 # Dicompot
  file {
    path => ["/data/dicompot/log/dicompot.log"]
    codec => json
    type => "Dicompot"
  }
 # Ddospot
  file {
    path => ["/data/ddospot/log/*.log"]
    codec => json
    type => "Ddospot"
  }
 # ElasticPot
  file {
    path => ["/data/elasticpot/log/elasticpot.json"]
    codec => json
    type => "ElasticPot"
  }
 # Endlessh
  file {
    path => ["/data/endlessh/log/endlessh.log"]
    codec => plain
    type => "Endlessh"
  }
 # Glutton
  file {
    path => ["/data/glutton/log/glutton.log"]
    codec => json
    type => "Glutton"
  }
 # Hellpot
  file {
    path => ["/data/hellpot/log/hellpot.log"]
    codec => json
    type => "Hellpot"
  }
 # Heralding
  file {
    path => ["/data/heralding/log/auth.csv"]
    type => "Heralding"
  }
 # Honeypots
  file {
    path => ["/data/honeypots/log/*.log"]
    codec => json
    type => "Honeypots"
  }
 # Honeypy
  file {
    path => ["/data/honeypy/log/json.log"]
    codec => json
    type => "Honeypy"
  }
 # Honeysap
  file {
    path => ["/data/honeysap/log/honeysap-external.log"]
    codec => json
    type => "Honeysap"
  }
 # Honeytrap
  file {
    path => ["/data/honeytrap/log/attackers.json"]
    codec => json
    type => "Honeytrap"
  }
 # Ipphoney
  file {
    path => ["/data/ipphoney/log/ipphoney.json"]
    codec => json
    type => "Ipphoney"
  }
 # Log4pot
  file {
    path => ["/data/log4pot/log/log4pot.log"]
    codec => json
    type => "Log4pot"
  }
 # Mailoney
  file {
    path => ["/data/mailoney/log/commands.log"]
    codec => json
    type => "Mailoney"
  }
 # Medpot
  file {
    path => ["/data/medpot/log/medpot.log"]
    codec => json
    type => "Medpot"
  }
 # Rdpy
  file {
    path => ["/data/rdpy/log/rdpy.log"]
    type => "Rdpy"
  }
 # Redishoneypot
  file {
    path => ["/data/redishoneypot/log/redishoneypot.log"]
    codec => json
    type => "Redishoneypot"
  }
 # Host NGINX
  file {
    path => ["/data/nginx/log/access.log"]
    codec => json
    type => "NGINX"
  }
 # Tanner
  file {
    path => ["/data/tanner/log/tanner_report.json"]
    codec => json
    type => "Tanner"
  }
 }
 # Filter Section
 filter {
 # Fatt
  if [type] == "Fatt" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "sourceIp" => "src_ip"
 	"destinationIp" => "dest_ip"
 	"sourcePort" => "src_port"
 	"destinationPort" => "dest_port"
        "gquic" => "fatt_gquic"
        "http" => "fatt_http"
        "rdp" => "fatt_rdp"
        "ssh" => "fatt_ssh"
        "tls" => "fatt_tls"
      }
    }
  }
 # Suricata
  if [type] == "Suricata" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    translate {
      refresh_interval => 86400
      field => "[alert][signature_id]"
      destination => "[alert][cve_id]"
      dictionary_path => "/etc/listbot/cve.yaml"
 #      fallback => "-"
    }
  }
 # P0f
  if [type] == "P0f" {
    date {
      match => [ "timestamp", "yyyy'/'MM'/'dd HH:mm:ss" ]
      remove_field => ["timestamp"]
    }
    mutate {
      rename => {
        "server_port" => "dest_port"
        "server_ip" => "dest_ip"
        "client_port" => "src_port"
        "client_ip" => "src_ip"
      }
    }
  }
 # Adbhoney
  if [type] == "Adbhoney" {
    date {
      match => [ "timestamp", "ISO8601" ]
      remove_field => ["unixtime"]
    }
  }
 # Ciscoasa
  if [type] == "Ciscoasa" {
    kv {
      remove_char_key => " '{}"
      remove_char_value => "'{}"
      value_split => ":"
      field_split => ","
    }
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      add_field => {
        "dest_ip" => "${MY_EXTIP}"
      }
    }
  }
 # CitrixHoneypot
  if [type] == "CitrixHoneypot" {
    grok { 
      match => { 
        "message" => [ "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{UNIXPATH:fileinfo.filename:string}", 
 	               "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string}", 
 		       "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{S3_REQUEST_LINE:msg:string} %{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string:string}",
 		       "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{GREEDYDATA:msg:string}" ] 
      } 
    }
    date {
      match => [ "asctime", "ISO8601" ]
      remove_field => ["asctime"]
      remove_field => ["message"]
    }
    mutate {
      add_field => {
        "dest_port" => "443"
      }
      rename => {
        "levelname" => "level"
      }
    }
  }
 # Conpot
  if [type] == "ConPot" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate { 
      rename => { 
        "dst_port" => "dest_port" 
        "dst_ip" => "dest_ip" 
      } 
    } 
  }
 # Cowrie
  if [type] == "Cowrie" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "dst_port" => "dest_port"
        "dst_ip" => "dest_ip"
      }
    }
  }
 # Ddospot
  if [type] == "Ddospot" {
    date {
      match => [ "time", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
      remove_field => ["time"]
    }
    if [path] == "/data/ddospot/log/chargenpot.log" {
      mutate {
        add_field => {
 	  "dest_port" => "19"
          "dest_ip" => "${MY_EXTIP}"
 	}
      }
    }
    if [path] == "/data/ddospot/log/dnspot.log" {
      mutate {
        add_field => {
          "dest_port" => "53"
          "dest_ip" => "${MY_EXTIP}"
        }
      }
    }
    if [path] == "/data/ddospot/log/ntpot.log" {
      mutate {
        add_field => {
          "dest_port" => "123"
          "dest_ip" => "${MY_EXTIP}"
        }
      }
    }
    if [path] == "/data/ddospot/log/ssdpot.log" {
      mutate {
        add_field => {
          "dest_port" => "1900"
          "dest_ip" => "${MY_EXTIP}"
        }
      }
    }
  }
 # Dionaea
  if [type] == "Dionaea" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "dst_port" => "dest_port"
        "dst_ip" => "dest_ip"
      }
      gsub => [
        "src_ip", "::ffff:", "",
        "dest_ip", "::ffff:", ""
      ]
    }
    if [credentials] {
      mutate {
        add_field => {
          "username" => "%{[credentials][username]}"
          "password" => "%{[credentials][password]}"
        }
        remove_field => "[credentials]"
      }
    }
  }
 # Dicompot
  if [type] == "Dicompot" {
    date {
      match => [ "time", "yyyy-MM-dd HH:mm:ss" ]
      remove_field => ["time"]
      remove_field => ["timestamp"]
    }
    mutate {
      rename => {
        "ID" => "id"
        "IP" => "src_ip"
        "Port" => "src_port"
        "AETitle" => "aetitle"
        "Command" => "input"
        "Files" => "files"
        "Identifier" => "identifier"
        "Matches" => "matches"
        "Status" => "session"
        "Version" => "version"
      }
    }
  }
 # ElasticPot
  if [type] == "ElasticPot" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "content_type" => "http.http_content_type"
        "dst_port" => "dest_port"
        "dst_ip" => "dest_ip"
        "message" => "event_type"
        "request" => "request_method"
        "user_agent" => "http_user_agent"
 	"url" => "http.url"
      }
    }
  }
 # Endlessh
 # Example: 2021-10-29T21:08:31.026Z CLOSE host=1.2.3.4 port=12345 fd=4 time=20.015 bytes=24
 # Example: 2021-10-29T21:08:11.011Z ACCEPT host=1.2.3.4 port=12346 fd=4 n=1/4096
  if [type] == "Endlessh" {
    grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}time=%{SECOND:duration}%{SPACE}bytes=%{NUMBER:bytes}", "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}n=%{INT}/%{INT}" ] } }    
    date {
      match => [ "timestamp", "ISO8601" ]
      remove_field => ["timestamp"]
    }
    mutate {
      add_field => {
        "dest_port" => "22"
        "dest_ip" => "${MY_EXTIP}"
      }
    }
  }
 # Glutton
  if [type] == "Glutton" {
    date {
      match => [ "ts", "UNIX" ]
      remove_field => ["ts"]
    }
  }
 # Hellpot
  if [type] == "Hellpot" {
    date {
      match => [ "time", "ISO8601" ]
      remove_field => ["time"]
      remove_field => ["timestamp"]
    }
    mutate {
      add_field => {
        "dest_port" => "80"
        "dest_ip" => "${MY_EXTIP}"
      }
      rename => {
        "BYTES" => "bytes"
        "DURATION" => "duration"
        "REMOTE_ADDR" => "src_ip"
        "URL" => "url"
        "USERAGENT" => "http_user_agent"
        "message" => "reason"
      }
    }
  }
 # Heralding
  if [type] == "Heralding" {
    csv {
      columns => ["timestamp","auth_id","session_id","src_ip","src_port","dest_ip","dest_port","proto","username","password"] separator => ","
    }
    date {
      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
      remove_field => ["timestamp"]
    }
  }
 # Honeypy
  if [type] == "Honeypy" {
    date {
      match => [ "timestamp", "ISO8601" ]
      remove_field => ["timestamp"]
      remove_field => ["date"]
      remove_field => ["time"]
      remove_field => ["millisecond"]
    }
  }
 # Honeypots
  if [type] == "Honeypots" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }
 # Honeysap
  if [type] == "Honeysap" {
    date {
      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
      remove_field => ["timestamp"]
    }
    mutate {
      rename => {
        "[data][error_msg]" => "event_type"
        "service" => "sensor"
        "source_port" => "src_port"
        "source_ip" => "src_ip"
        "target_port" => "dest_port"
        "target_ip" => "dest_ip"
      }
      remove_field => "event"
      remove_field => "return_code"
    }
    if [data] {
      mutate {
 	remove_field => "[data]"
      }
    }    
  }
 # Honeytrap
  if [type] == "Honeytrap" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "[attack_connection][local_port]" => "dest_port"
        "[attack_connection][local_ip]" => "dest_ip"
        "[attack_connection][remote_port]" => "src_port"
        "[attack_connection][remote_ip]" => "src_ip"
      }
    }
  }
 # Ipphoney
  if [type] == "Ipphoney" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
 	"query" => "ipp_query"
        "content_type" => "http.http_content_type"
        "dst_port" => "dest_port"
        "dst_ip" => "dest_ip"
        "request" => "request_method"
        "operation" => "data"
        "user_agent" => "http_user_agent"
        "url" => "http.url"
      }
    }
  }
 # Log4pot
  if [type] == "Log4pot" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "request" => "request_uri"
        "server_port" => "dest_port"
        "port" => "src_port"
        "client" => "src_ip"
      }
    }
  }
 # Mailoney
  if [type] == "Mailoney" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      add_field => { "dest_port" => "25" }
    }
  }
 # Medpot
  if [type] == "Medpot" {
    mutate {
      add_field => {
        "dest_port" => "2575"
        "dest_ip" => "${MY_EXTIP}"
      }
    }
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }
 # Rdpy
  if [type] == "Rdpy" {
    grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}", "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ] } }
    date {
      match => [ "timestamp", "ISO8601" ]
      remove_field => ["timestamp"]
    }
    mutate {
      add_field => { "dest_port" => "3389" }
    }
  }
 # Redishoneypot
  if [type] == "Redishoneypot" {
    date {
      match => [ "time", "yyyy-MM-dd HH:mm:ss" ]
      remove_field => ["time"]
      remove_field => ["timestamp"]
    }
    mutate {
      split => { "addr" => ":" }
      add_field => { 
        "src_ip" => "%{[addr][0]}" 
        "src_port" => "%{[addr][1]}"
        "dest_port" => "6379"
        "dest_ip" => "${MY_EXTIP}"
      }
      remove_field => ["addr"]
    }
  }
 # NGINX
  if [type] == "NGINX" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "request" => "request_data"
      }
    }
  }
 # Tanner
  if [type] == "Tanner" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "[peer][ip]" => "src_ip"
        "[peer][port]" => "src_port"
      }
      add_field => { "dest_port" => "80" }
    }
  }
 # Drop if parse fails
 if "_grokparsefailure" in [tags] { drop {} }
 if "_jsonparsefailure" in [tags] { drop {} }
 # Add T-Pot hostname and external IP
  mutate {
    add_field => {
      "t-pot_ip_ext" => "${MY_EXTIP}"
      "t-pot_ip_int" => "${MY_INTIP}"
      "t-pot_hostname" => "${MY_HOSTNAME}"
    }
  }
 # Add geo coordinates / ASN info / IP rep.
  if [src_ip]  {
    geoip {
      cache_size => 10000
      source => "src_ip"
      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-City.mmdb"
    }
    geoip {
      cache_size => 10000
      source => "src_ip"
      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-ASN.mmdb"
    }
    translate {
      refresh_interval => 86400
      field => "src_ip"
      destination => "ip_rep"
      dictionary_path => "/etc/listbot/iprep.yaml"
    }
  }
  if [t-pot_ip_ext]  {
    geoip {
      cache_size => 10000
      source => "t-pot_ip_ext"
      target => "geoip_ext"
      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-City.mmdb"
    }
    geoip {
      cache_size => 10000
      source => "t-pot_ip_ext"
      target => "geoip_ext"
      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-ASN.mmdb"
    }
  }
 # In some rare conditions dest_port, src_port, status are indexed as string, forcing integer for now
  if [dest_port] {
    mutate {
        convert => { "dest_port" => "integer" }
    }
  }
  if [src_port] {
    mutate {
        convert => { "src_port" => "integer" }
    }
  }
  if [status] {
    mutate {
        convert => { "status" => "integer" }
    }
  }
  if [id] {
    mutate {
        convert => { "id" => "string" }
    }
  }
  if [request] {
    mutate {
        convert => { "request" => "string" }
    }
  }
 }
 # Output section
 output {
    http {
      http_method => "post"
      http_compression => true
      id => "${MY_HOSTNAME}"
      codec => "json"
      format => "json_batch"
      url => "http://127.0.0.1:64305"
    }
 }
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@ -71,6 +71,13 @@ input {
    type => "Dicompot"
  }
 # Ddospot
  file {
    path => ["/data/ddospot/log/*.log"]
    codec => json
    type => "Ddospot"
  }
 # ElasticPot
  file {
    path => ["/data/elasticpot/log/elasticpot.json"]
@ -78,6 +85,13 @@ input {
    type => "ElasticPot"
  }
 # Endlessh
  file {
    path => ["/data/endlessh/log/endlessh.log"]
    codec => plain
    type => "Endlessh"
  }
 # Glutton
  file {
    path => ["/data/glutton/log/glutton.log"]
@ -85,12 +99,26 @@ input {
    type => "Glutton"
  }
 # Hellpot
  file {
    path => ["/data/hellpot/log/hellpot.log"]
    codec => json
    type => "Hellpot"
  }
 # Heralding
  file {
    path => ["/data/heralding/log/auth.csv"]
    type => "Heralding"
  }
 # Honeypots
  file {
    path => ["/data/honeypots/log/*.log"]
    codec => json
    type => "Honeypots"
  }
 # Honeypy
  file {
    path => ["/data/honeypy/log/json.log"]
@ -119,6 +147,13 @@ input {
    type => "Ipphoney"
  }
 # Log4pot
  file {
    path => ["/data/log4pot/log/log4pot.log"]
    codec => json
    type => "Log4pot"
  }
 # Mailoney
  file {
    path => ["/data/mailoney/log/commands.log"]
@ -139,6 +174,13 @@ input {
    type => "Rdpy"
  }
 # Redishoneypot
  file {
    path => ["/data/redishoneypot/log/redishoneypot.log"]
    codec => json
    type => "Redishoneypot"
  }
 # Host NGINX
  file {
    path => ["/data/nginx/log/access.log"]
@ -286,6 +328,46 @@ filter {
    }
  }
 # Ddospot
  if [type] == "Ddospot" {
    date {
      match => [ "time", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
      remove_field => ["time"]
    }
    if [path] == "/data/ddospot/log/chargenpot.log" {
      mutate {
        add_field => {
 	  "dest_port" => "19"
          "dest_ip" => "${MY_EXTIP}"
 	}
      }
    }
    if [path] == "/data/ddospot/log/dnspot.log" {
      mutate {
        add_field => {
          "dest_port" => "53"
          "dest_ip" => "${MY_EXTIP}"
        }
      }
    }
    if [path] == "/data/ddospot/log/ntpot.log" {
      mutate {
        add_field => {
          "dest_port" => "123"
          "dest_ip" => "${MY_EXTIP}"
        }
      }
    }
    if [path] == "/data/ddospot/log/ssdpot.log" {
      mutate {
        add_field => {
          "dest_port" => "1900"
          "dest_ip" => "${MY_EXTIP}"
        }
      }
    }
  }
 # Dionaea
  if [type] == "Dionaea" {
    date {
@ -353,6 +435,23 @@ filter {
    }
  }
 # Endlessh
 # Example: 2021-10-29T21:08:31.026Z CLOSE host=1.2.3.4 port=12345 fd=4 time=20.015 bytes=24
 # Example: 2021-10-29T21:08:11.011Z ACCEPT host=1.2.3.4 port=12346 fd=4 n=1/4096
  if [type] == "Endlessh" {
    grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}time=%{SECOND:duration}%{SPACE}bytes=%{NUMBER:bytes}", "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}n=%{INT}/%{INT}" ] } }    
    date {
      match => [ "timestamp", "ISO8601" ]
      remove_field => ["timestamp"]
    }
    mutate {
      add_field => {
        "dest_port" => "22"
        "dest_ip" => "${MY_EXTIP}"
      }
    }
  }
 # Glutton
  if [type] == "Glutton" {
    date {
@ -361,6 +460,29 @@ filter {
    }
  }
 # Hellpot
  if [type] == "Hellpot" {
    date {
      match => [ "time", "ISO8601" ]
      remove_field => ["time"]
      remove_field => ["timestamp"]
    }
    mutate {
      add_field => {
        "dest_port" => "80"
        "dest_ip" => "${MY_EXTIP}"
      }
      rename => {
        "BYTES" => "bytes"
        "DURATION" => "duration"
        "REMOTE_ADDR" => "src_ip"
        "URL" => "url"
        "USERAGENT" => "http_user_agent"
        "message" => "reason"
      }
    }
  }
 # Heralding
  if [type] == "Heralding" {
    csv {
@ -383,6 +505,13 @@ filter {
    }
  }
 # Honeypots
  if [type] == "Honeypots" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }
 # Honeysap
  if [type] == "Honeysap" {
    date {
@ -442,15 +571,28 @@ filter {
    }
  }
 # Log4pot
  if [type] == "Log4pot" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "request" => "request_uri"
        "server_port" => "dest_port"
        "port" => "src_port"
        "client" => "src_ip"
      }
    }
  }
 # Mailoney
  if [type] == "Mailoney" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
-      add_field => {
+      add_field => { "dest_port" => "25" }
        "dest_port" => "25"
      }
    }
  }
@ -475,9 +617,26 @@ filter {
      remove_field => ["timestamp"]
    }
    mutate {
      add_field => { "dest_port" => "3389" }
    }
  }
 # Redishoneypot
  if [type] == "Redishoneypot" {
    date {
      match => [ "time", "yyyy-MM-dd HH:mm:ss" ]
      remove_field => ["time"]
      remove_field => ["timestamp"]
    }
    mutate {
      split => { "addr" => ":" }
      add_field => { 
-        "dest_port" => "3389"
+        "src_ip" => "%{[addr][0]}" 
        "src_port" => "%{[addr][1]}"
        "dest_port" => "6379"
        "dest_ip" => "${MY_EXTIP}"
      }
      remove_field => ["addr"]
    }
  }
@ -486,6 +645,11 @@ filter {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      rename => {
        "request" => "request_data"
      }
    }
  }
 # Tanner
@ -498,26 +662,34 @@ filter {
        "[peer][ip]" => "src_ip"
        "[peer][port]" => "src_port"
      }
-      add_field => {
+      add_field => { "dest_port" => "80" }
        "dest_port" => "80"
      }
    }
  }
 # Drop if parse fails
 if "_grokparsefailure" in [tags] { drop {} }
 if "_jsonparsefailure" in [tags] { drop {} }
 # Add T-Pot hostname and external IP
  mutate {
    add_field => {
      "t-pot_ip_ext" => "${MY_EXTIP}"
      "t-pot_ip_int" => "${MY_INTIP}"
      "t-pot_hostname" => "${MY_HOSTNAME}"
    }
  }
 # Add geo coordinates / ASN info / IP rep.
  if [src_ip]  {
    geoip {
      cache_size => 10000
      source => "src_ip"
-      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-6.0.3-java/vendor/GeoLite2-City.mmdb"
+      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-City.mmdb"
    }
    geoip {
      cache_size => 10000
      source => "src_ip"
-      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-6.0.3-java/vendor/GeoLite2-ASN.mmdb"
+      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-ASN.mmdb"
    }
    translate {
      refresh_interval => 86400
@ -526,6 +698,20 @@ if "_grokparsefailure" in [tags] { drop {} }
      dictionary_path => "/etc/listbot/iprep.yaml"
    }
  }
  if [t-pot_ip_ext]  {
    geoip {
      cache_size => 10000
      source => "t-pot_ip_ext"
      target => "geoip_ext"
      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-City.mmdb"
    }
    geoip {
      cache_size => 10000
      source => "t-pot_ip_ext"
      target => "geoip_ext"
      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-ASN.mmdb"
    }
  }
 # In some rare conditions dest_port, src_port, status are indexed as string, forcing integer for now
  if [dest_port] {
@ -548,15 +734,9 @@ if "_grokparsefailure" in [tags] { drop {} }
        convert => { "id" => "string" }
    }
  }
-
+  if [request] {
 # Add T-Pot hostname and external IP
  if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dicompot" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeysap" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Ipphoney" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
    mutate {
-      add_field => {
+        convert => { "request" => "string" }
        "t-pot_ip_ext" => "${MY_EXTIP}"
        "t-pot_ip_int" => "${MY_INTIP}"
        "t-pot_hostname" => "${MY_HOSTNAME}"
      }
    }
  }
@ -569,7 +749,7 @@ output {
    # With templates now being legacy and ILM in place we need to set the daily index with its template manually. Otherwise a new index might be created with differents settings configured through Kibana.
    index => "logstash-%{+YYYY.MM.dd}"
    template => "/etc/logstash/tpot_es_template.json"
-#    document_type => "doc"
+    #document_type => "doc"
  }
  #if [type] == "Suricata" {
--- a/docker/elk/logstash/dist/pipelines.yml
+++ b/docker/elk/logstash/dist/pipelines.yml
@ -0,0 +1,4 @@
 - pipeline.id: logstash
  path.config: "/etc/logstash/conf.d/logstash.conf"
 - pipeline.id: http_input
  path.config: "/etc/logstash/conf.d/http_input.conf"
--- a/docker/elk/logstash/dist/pipelines_pot.yml
+++ b/docker/elk/logstash/dist/pipelines_pot.yml
@ -0,0 +1,2 @@
 - pipeline.id: http_output
  path.config: "/etc/logstash/conf.d/http_output.conf"
--- a/docker/elk/logstash/dist/tpot_es_template.json
+++ b/docker/elk/logstash/dist/tpot_es_template.json
@ -43,6 +43,15 @@
          "latitude" : { "type" : "half_float" },
          "longitude" : { "type" : "half_float" }
        }
      },
      "geoip_ext"  : {
        "dynamic": true,
        "properties" : {
          "ip": { "type": "ip" },
          "location" : { "type" : "geo_point" },
          "latitude" : { "type" : "half_float" },
          "longitude" : { "type" : "half_float" }
        }
      }
    }
  }
--- a/docker/elk/logstash/dist/update.sh
+++ b/docker/elk/logstash/dist/update.sh
@ -35,6 +35,22 @@ if [ "$myCHECK" == "0" ];
    echo "Cannot reach Listbot, starting Logstash without latest translation maps."
 fi
 # Distributed T-Pot installation needs a different pipeline config and autossh tunnel. 
 if [ "$MY_TPOT_TYPE" == "POT" ];
  then
    echo
    echo "Distributed T-Pot setup, sending T-Pot logs to $MY_HIVE_IP."
    echo
    echo "T-Pot type: $MY_TPOT_TYPE"
    echo "Keyfile used: $MY_POT_PRIVATEKEYFILE"
    echo "Hive username: $MY_HIVE_USERNAME"
    echo "Hive IP: $MY_HIVE_IP"
    echo
    cp /usr/share/logstash/config/pipelines_pot.yml /usr/share/logstash/config/pipelines.yml
    autossh -f -M 0 -4 -l $MY_HIVE_USERNAME -i $MY_POT_PRIVATEKEYFILE -p 64295 -N -L64305:127.0.0.1:64305 $MY_HIVE_IP -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "StrictHostKeyChecking=no" -o "UserKnownHostsFile=/dev/null"
    exit 0
 fi
 # We do want to enforce our es_template thus we always need to delete the default template, putting our default afterwards
 # This is now done via common_configs.rb => overwrite default logstash template
 echo "Removing logstash template."
@ -44,7 +60,7 @@ echo "Checking if empty."
 curl -s -XGET http://elasticsearch:9200/_template/logstash
 echo
 echo "Putting default template."
-curl -s -XPUT "http://elasticsearch:9200/_template/logstash" -H 'Content-Type: application/json' -d'
+curl -XPUT "http://elasticsearch:9200/_template/logstash" -H 'Content-Type: application/json' -d'
 {
  "index_patterns" : "logstash-*",
  "version" : 60001,
@ -90,6 +106,15 @@ curl -s -XPUT "http://elasticsearch:9200/_template/logstash" -H 'Content-Type: a
          "latitude" : { "type" : "half_float" },
          "longitude" : { "type" : "half_float" }
        }
      },
      "geoip_ext"  : {
        "dynamic": true,
        "properties" : {
          "ip": { "type": "ip" },
          "location" : { "type" : "geo_point" },
          "latitude" : { "type" : "half_float" },
          "longitude" : { "type" : "half_float" }
        }
      }
    }
  }
--- a/docker/elk/logstash/docker-compose.yml
+++ b/docker/elk/logstash/docker-compose.yml
@ -7,14 +7,17 @@ services:
    build: .
    container_name: logstash
    restart: always
-    environment:
+#    environment:
-     - LS_JAVA_OPTS=-Xms2048m -Xmx2048m
+#     - LS_JAVA_OPTS=-Xms2048m -Xmx2048m
 #    depends_on:
 #      elasticsearch:
 #        condition: service_healthy
    env_file:
     - /opt/tpot/etc/compose/elk_environment
-    image: "ghcr.io/telekom-security/logstash:2006"
+    ports:
     - "127.0.0.1:64305:80"
    image: "dtagdevsec/logstash:2006"
    volumes:
     - /data:/data
 #     - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf
 #     - /root/tpotce/docker/elk/logstash/dist/http.conf:/etc/logstash/conf.d/http.conf
--- a/docker/endlessh/Dockerfile
+++ b/docker/endlessh/Dockerfile
@ -0,0 +1,42 @@
 FROM alpine:3.13 as builder
 #
 # Include dist
 ADD dist/ /root/dist/
 #
 # Install packages
 RUN apk -U add --no-cache \
            build-base \
 	    git \
            libcap && \
 #
 # Install endlessh from git
    git clone https://github.com/skeeto/endlessh /opt/endlessh && \
    cd /opt/endlessh && \
    git checkout dfe44eb2c5b6fc3c48a39ed826fe0e4459cdf6ef && \
    make && \
    mv /opt/endlessh/endlessh /root/dist
 #
 FROM alpine:3.14
 #
 COPY --from=builder /root/dist/* /opt/endlessh/
 #
 # Install packages
 RUN apk -U add --no-cache \
            libcap && \
 #
 # Setup user, groups and configs
    mkdir -p /var/log/endlessh && \
    addgroup -g 2000 endlessh && \
    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 endlessh && \
    chown -R endlessh:endlessh /opt/endlessh && \
    #setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
 #
 # Clean up
    rm -rf /root/* && \
    rm -rf /var/cache/apk/*
 #
 # Set workdir and start endlessh
 STOPSIGNAL SIGINT
 USER endlessh:endlessh
 WORKDIR /opt/endlessh/
 CMD ./endlessh -f endlessh.conf >/var/log/endlessh/endlessh.log
--- a/docker/endlessh/dist/endlessh.conf
+++ b/docker/endlessh/dist/endlessh.conf
@ -0,0 +1,27 @@
 # The port on which to listen for new SSH connections.
 Port 2222
 # The endless banner is sent one line at a time. This is the delay
 # in milliseconds between individual lines.
 Delay 10000
 # The length of each line is randomized. This controls the maximum
 # length of each line. Shorter lines may keep clients on for longer if
 # they give up after a certain number of bytes.
 MaxLineLength 32
 # Maximum number of connections to accept at a time. Connections beyond
 # this are not immediately rejected, but will wait in the queue.
 MaxClients 4096
 # Set the detail level for the log.
 #   0 = Quiet
 #   1 = Standard, useful log messages
 #   2 = Very noisy debugging information
 LogLevel 1
 # Set the family of the listening socket
 #   0 = Use IPv4 Mapped IPv6 (Both v4 and v6, default)
 #   4 = Use IPv4 only
 #   6 = Use IPv6 only
 BindFamily 4
--- a/docker/endlessh/docker-compose.yml
+++ b/docker/endlessh/docker-compose.yml
@ -0,0 +1,20 @@
 version: '2.3'
 networks:
  endlessh_local:
 services:
 # Endlessh service
  endlessh:
    build: .
    container_name: endlessh
    restart: always
    networks:
     - endlessh_local
    ports:
     - "22:2222"
    image: "dtagdevsec/endlessh:2006"
    read_only: true
    volumes:
     - /data/endlessh/log:/var/log/endlessh
--- a/docker/ews/Dockerfile
+++ b/docker/ews/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Include dist
 ADD dist/ /root/dist/
@ -20,12 +20,13 @@ RUN apk -U --no-cache add \
            py3-requests \
 	    py3-pip \
            py3-setuptools && \
-    pip3 install --no-cache-dir configparser hpfeeds3 pyOpenSSL xmljson && \
+    pip3 install --no-cache-dir configparser hpfeeds3 influxdb influxdb-client pyOpenSSL xmljson && \
 #
 # Setup ewsposter
    git clone https://github.com/telekom-security/ewsposter /opt/ewsposter && \
    cd /opt/ewsposter && \
-    git checkout 46cd801fb444f1fb0a90418ab46e5977ec0a90b6 && \
+#    git checkout 11ab4c8a0a1b63d4bca8c52c07f2eab520d0b257 && \
    git checkout 17c08f3ae500d838c1528c9700e4430d5f6ad214 && \
    mkdir -p /opt/ewsposter/spool /opt/ewsposter/log && \
 #
 # Setup user and groups
--- a/docker/ews/dist/ews.cfg
+++ b/docker/ews/dist/ews.cfg
@ -34,8 +34,18 @@ hpfformat = %(EWS_HPFEEDS_FORMAT)s
 json = false
 jsondir = /data/ews/json/
 [INFLUXDB]
 influxdb = false
 host = http://localhost
 port = 8086
 username = <your username for influx 1.8>
 password = <your password for influx 1.8>
 token = <your token for influx 2.0>
 bucket = <your bucket/database for 2.0/1.8>
 org = <your org for influx 2.0>
 [GLASTOPFV3]
-glastopfv3 = true
+glastopfv3 = false
 nodeid = glastopfv3-community-01
 sqlitedb = /data/glastopf/db/glastopf.db
 malwaredir = /data/glastopf/data/files/
@ -69,12 +79,12 @@ nodeid = conpot-community-01
 logfile = /data/conpot/log/conpot*.json
 [ELASTICPOT]
-elasticpot = false
+elasticpot = true
 nodeid = elasticpot-community-01
 logfile = /data/elasticpot/log/elasticpot.json
 [SURICATA]
-suricata = true
+suricata = false
 nodeid = suricata-community-01
 logfile = /data/suricata/log/eve.json
@ -89,7 +99,7 @@ nodeid = rdpy-community-01
 logfile = /data/rdpy/log/rdpy.log
 [VNCLOWPOT]
-vnclowpot = true
+vnclowpot = false
 nodeid = vnclowpot-community-01
 logfile = /data/vnclowpot/log/vnclowpot.log
@ -124,6 +134,31 @@ nodeid = adbhoney-community-01
 logfile = /data/adbhoney/log/adbhoney.json
 [FATT]
-fatt = true
+fatt = false
 nodeid = fatt-community-01
 logfile = /data/fatt/log/fatt.log
 [IPPHONEY]
 ipphoney = true
 nodeid = ipphoney-community-01
 logfile = /data/ipphoney/log/ipphoney.json
 [DICOMPOT]
 dicompot = true
 nodeid = dicompot-community-01
 logfile = /data/dicompot/log/dicompot.log
 [MEDPOT]
 medpot = true
 nodeid = medpot-community-01
 logfile = /data/medpot/log/medpot.log
 [HONEYPY]
 honeypy = true
 nodeid = honeypy-community-01
 logfile = /data/honeypy/log/json.log
 [CITRIX]
 citrix = true
 nodeid = citrix-community-01
 logfile = /data/citrixhoneypot/logs/server.log
--- a/docker/ews/docker-compose.yml
+++ b/docker/ews/docker-compose.yml
@ -23,7 +23,7 @@ services:
     - EWS_HPFEEDS_FORMAT=json
    env_file:
     - /opt/tpot/etc/compose/elk_environment
-    image: "ghcr.io/telekom-security/ewsposter:2006"
+    image: "dtagdevsec/ewsposter:2006"
    volumes:
     - /data:/data
 #     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
--- a/docker/fatt/Dockerfile
+++ b/docker/fatt/Dockerfile
@ -1,7 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Include dist
 #ADD dist/ /root/dist/
 #
 # Get and install dependencies & packages
 RUN apk -U add \
@ -10,8 +7,8 @@ RUN apk -U add \
              py3-lxml \
 	      py3-pip \
              python3 \
-              python3-dev && \
+              python3-dev \
-    apk -U add tshark --repository http://dl-3.alpinelinux.org/alpine/edge/community/ && \
+              tshark && \
 #
 # Setup user
    addgroup -g 2000 fatt && \
@ -24,7 +21,8 @@ RUN apk -U add \
    cd fatt && \
    git checkout 314cd1ff7873b5a145a51ec4e85f6107828a2c79 && \
    mkdir -p log && \
-    pip3 install pyshark==0.4.2.2 && \
+    # pyshark >= 0.4.3 breaks fatt
    pip3 install pyshark==0.4.2.11 && \
 #
 # Setup configs
    chown fatt:fatt -R /opt/fatt/* && \
--- a/docker/fatt/docker-compose.yml
+++ b/docker/fatt/docker-compose.yml
@ -12,6 +12,6 @@ services:
     - NET_ADMIN
     - SYS_NICE
     - NET_RAW
-    image: "ghcr.io/telekom-security/fatt:2006"
+    image: "dtagdevsec/fatt:2006"
    volumes:
     - /data/fatt/log:/opt/fatt/log
--- a/docker/glutton/docker-compose.yml
+++ b/docker/glutton/docker-compose.yml
@ -13,7 +13,7 @@ services:
    network_mode: "host"
    cap_add:
     - NET_ADMIN
-    image: "ghcr.io/telekom-security/glutton:2006"
+    image: "dtagdevsec/glutton:2006"
    read_only: true
    volumes:
     - /data/glutton/log:/var/log/glutton
--- a/docker/heimdall/Dockerfile
+++ b/docker/heimdall/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Include dist
 ADD dist/ /root/dist/
@ -64,6 +64,7 @@ RUN apk -U --no-cache add \
    sed -i "s/APP_NAME=Heimdall/APP_NAME=T-Pot/g" /var/lib/nginx/html/.env && \
 ## Add Nginx / T-Pot specific configs
    rm -rf /etc/nginx/conf.d/* /usr/share/nginx/html/* && \
    mkdir -p /etc/nginx/conf.d && \
    cp /root/dist/conf/nginx.conf /etc/nginx/ && \
    cp -R /root/dist/conf/ssl /etc/nginx/ && \
    cp /root/dist/conf/tpotweb.conf /etc/nginx/conf.d/ && \
--- a/docker/heimdall/docker-compose.yml
+++ b/docker/heimdall/docker-compose.yml
@ -26,7 +26,7 @@ services:
    ports:
     - "64297:64297"
     - "127.0.0.1:64304:64304"
-    image: "ghcr.io/telekom-security/nginx:2006"
+    image: "dtagdevsec/nginx:2006"
    read_only: true
    volumes:
     - /data/nginx/cert/:/etc/nginx/cert/:ro
--- a/docker/hellpot/Dockerfile
+++ b/docker/hellpot/Dockerfile
@ -0,0 +1,48 @@
 FROM alpine:3.14
 #
 # Include dist
 ADD dist/ /root/dist/
 #
 # Setup apk
 RUN apk -U --no-cache add \
                   build-base \
                   git \
                   go \
                   g++ && \
 #
 # Setup go, hellpot
    cd /root && \
    export GOPATH=/opt/go/ && \
    mkdir -p /opt/hellpot && \
    mkdir -p /opt/go && \ 
    git clone https://github.com/yunginnanet/HellPot && \
    cd HellPot && \
    git checkout f87b1f17e21b36edae41b7f49d4a54ae420a9bf8 && \
  # Hellpot ignores setting the logpath, need to this hardcoded :(
    sed -i 's#logDir = snek.GetString("logger.directory")#logDir = "/var/log/hellpot/"#g' config/logger.go && \
    sed -i 's#tnow := "HellPot"#tnow := "hellpot"#g' config/logger.go && \
    go build cmd/HellPot/HellPot.go && \
    mv /root/HellPot/HellPot /opt/hellpot/ && \
 #
 # Setup user, groups and configs
    addgroup -g 2000 hellpot && \
    adduser -S -s /bin/ash -u 2000 -D -g 2000 hellpot && \
    mkdir -p /var/log/hellpot && \
  # Hellpot wants to create .config folder always in user's home
    mkdir -p /home/hellpot/.config/HellPot/logs && \
    mv /root/dist/config.toml /home/hellpot/.config/HellPot/ && \
    chown hellpot:hellpot -R /home/hellpot && \
 #
 # Clean up
    apk del --purge build-base \
                    git \
                    go \
                    g++ && \
    rm -rf /var/cache/apk/* \
           /opt/go \
           /root/dist
 #
 # Start hellpot
 WORKDIR /opt/hellpot
 USER hellpot:hellpot
 CMD ["./HellPot"]
--- a/docker/hellpot/dist/config.toml
+++ b/docker/hellpot/dist/config.toml
@ -0,0 +1,23 @@
 [http]
  bind_addr = "0.0.0.0"
  bind_port = "8080"
  paths = ["wp-login.php","wp-login","wp-json/omapp/v1/support"]
  # Unix Socket Listener (will override default)
  use_unix_socket = false
  unix_socket = "/var/run/hellpot"
 [logger]
  debug = true
  log_directory = "/var/log/hellpot/"
  nocolor = true
  use_date_filename = false
 [performance]
  # max_workers is only valid if restrict_concurrency is true
  restrict_concurrency = false
  max_workers = 256
 [deception]
  # Used as "Server: " header (if not proxied)
  server_name = "nginx"
--- a/docker/hellpot/docker-compose.yml
+++ b/docker/hellpot/docker-compose.yml
@ -0,0 +1,20 @@
 version: '2.3'
 networks:
  hellpot_local:
 services:
 # hellpot service
  hellpot:
    build: .
    container_name: hellpot
    restart: always
    networks:
     - hellpot_local
    ports:
     - "80:8080"    
    image: "dtagdevsec/hellpot:2006"
    read_only: true
    volumes:
     - /data/hellpot/log:/var/log/hellpot
--- a/docker/heralding/Dockerfile
+++ b/docker/heralding/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #  
 # Include dist
 ADD dist/ /root/dist/
@ -10,21 +10,19 @@ RUN apk -U --no-cache add \
            		libcap \
            		libffi-dev \
            		openssl-dev \
-                        libzmq \
+                        py3-pyzmq \
            		postgresql-dev \
 			py3-cryptography \
 			py3-pip \
 			py3-pyzmq \
            		python3 \
-            		python3-dev \
+            		python3-dev && \
            		py-virtualenv && \
 #
 # Setup heralding
    mkdir -p /opt && \
    cd /opt/ && \
    git clone https://github.com/johnnykv/heralding && \
    cd heralding && \
-    git checkout 3f38976a2ab4d884d755b6324f2c71923ddadbdb && \
+    git checkout c31f99c55c7318c09272d8d9998e560c3d4de9aa && \
    pip3 install --upgrade pip && \
    pip3 install --no-cache-dir -r requirements.txt && \
    pip3 install --no-cache-dir . && \
 #
@ -33,7 +31,7 @@ RUN apk -U --no-cache add \
    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 heralding && \
    mkdir -p /var/log/heralding/ /etc/heralding && \
    mv /root/dist/heralding.yml /etc/heralding/ && \
-    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
    chown -R heralding:heralding /var/log/heralding && \
 #
 # Clean up
@ -44,8 +42,7 @@ RUN apk -U --no-cache add \
            libffi-dev \
            libressl-dev \
            postgresql-dev \
-            python3-dev \
+            python3-dev && \
            py-virtualenv && \
    rm -rf /root/* \
           /var/cache/apk/* \
           /opt/heralding
--- a/docker/heralding/docker-compose.yml
+++ b/docker/heralding/docker-compose.yml
@ -31,7 +31,7 @@ services:
     - "3389:3389"
     - "5432:5432"
     - "5900:5900"
-    image: "ghcr.io/telekom-security/heralding:2006"
+    image: "dtagdevsec/heralding:2006"
    read_only: true
    volumes:
     - /data/heralding/log:/var/log/heralding
--- a/docker/honeypots/Dockerfile
+++ b/docker/honeypots/Dockerfile
@ -0,0 +1,65 @@
 FROM alpine:3.14
 #
 # Include dist
 ADD dist/ /root/dist/
 #
 # Install packages
 RUN apk -U add \
             build-base \
 	     freetds \
 	     freetds-dev \
 	     gcc \
             git \
             hiredis \
 	     jpeg-dev \
 	     libcap \
             libffi-dev \
             libpq \
 	     musl-dev \
             openssl \
             openssl-dev \
 	     postgresql-dev \
 	     py3-pip \
             python3 \
             python3-dev \
             zlib-dev && \
 #	     
 # Install honeypots from GitHub and setup
    mkdir -p /opt \
             /var/log/honeypots && \
    cd /opt/ && \
    #git clone https://github.com/qeeqbox/honeypots && \
    git clone https://github.com/t3chn0m4g3/honeypots && \
    cd honeypots && \
    #git checkout 7c654a3ef2c564ae6f1247bf302d652037080163 && \
    pip3 install --upgrade pip && \
    pip3 install --ignore-installed hiredis packaging && \
    pip3 install . && \
    setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
 #
 # Setup user, groups and configs
    addgroup -g 2000 honeypots && \
    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 honeypots && \
    chown honeypots:honeypots -R /opt/honeypots && \
    chown honeypots:honeypots -R /var/log/honeypots && \
    mv /root/dist/config.json /opt/honeypots/ && \
 #
 # Clean up
    apk del --purge build-base \
                    freetds-dev \
                    git \
 		    jpeg-dev \
 		    libffi-dev \
 		    openssl-dev \
 		    postgresql-dev \
 		    python3-dev \
 		    zlib-dev && \
    rm -rf /root/* && \
    rm -rf /var/cache/apk/*
 #
 # Start honeypots 
 STOPSIGNAL SIGINT
 USER honeypots:honeypots
 WORKDIR /opt/honeypots/
 CMD python3 -m honeypots --setup all --config config.json
 #CMD python3 -m honeypots --setup telnet --config config.json
--- a/docker/honeypots/dist/config.json
+++ b/docker/honeypots/dist/config.json
@ -0,0 +1,144 @@
 {
    "logs":"file,terminal",
    "logs_location":"/var/log/honeypots/",
    "honeypots": {
        "dns": {
            "port": 53,
            "ip": "0.0.0.0",
            "username": "administrator",
            "password": "123456"
            },
        "ftp": {
            "port": 21,
            "ip": "0.0.0.0",
            "username": "ftp",
            "password": "anonymous"
            },
        "httpproxy": {
            "port": 8080,
            "ip": "0.0.0.0",
            "username": "admin",
            "password": "admin"
            },
        "http": {
            "port": 80,
            "ip": "0.0.0.0",
            "username": "admin",
            "password": "admin"
            },
        "https": {
            "port": 443,
            "ip": "0.0.0.0",
            "username": "admin",
            "password": "admin"
            },
        "imap": {
            "port": 143,
            "ip": "0.0.0.0",
            "username": "root",
            "password": "123456"
            },
        "mysql": {
            "port": 3306,
            "ip": "0.0.0.0",
            "username": "root",
            "password": "123456"
            },
        "pop3": {
            "port": 110,
            "ip": "0.0.0.0",
            "username": "root",
            "password": "123456"
            },
        "postgres": {
            "port": 5432,
            "ip": "0.0.0.0",
            "username": "postgres",
            "password": "123456"
            },
        "redis": {
            "port": 6379,
            "ip": "0.0.0.0",
            "username": "root",
            "password": ""
            },
        "smb": {
            "port": 445,
            "ip": "0.0.0.0",
            "username": "administrator",
            "password": "123456"
            },
        "smtp": {
            "port": 25,
            "ip": "0.0.0.0",
            "username": "root",
            "password": "123456"
            },
        "socks5": {
            "port": 1080,
            "ip": "0.0.0.0",
            "username": "admin",
            "password": "admin"
            },
        "ssh": {
            "port": 22,
            "ip": "0.0.0.0",
            "username": "root",
            "password": "123456"
            },
        "telnet": {
            "port": 23,
            "ip": "0.0.0.0",
            "username": "root",
            "password": "123456"
            },
        "vnc": {
            "port": 5900,
            "ip": "0.0.0.0",
            "username": "administrator",
            "password": "123456"
            },
        "elastic": {
            "port": 9200,
            "ip": "0.0.0.0",
            "username": "elastic",
            "password": "123456"
            },
        "mssql": {
            "port": 1433,
            "ip": "0.0.0.0",
            "username": "sa",
            "password": ""
            },
        "ldap": {
            "port": 389,
            "ip": "0.0.0.0",
            "username": "administrator",
            "password": "123456"
            },
        "ntp": {
            "port": 123,
            "ip": "0.0.0.0",
            "username": "administrator",
            "password": "123456"
            },
        "memcache": {
            "port": 11211,
            "ip": "0.0.0.0",
            "username": "admin",
            "password": "123456"
            },
        "oracle": {
            "port": 1521,
            "ip": "0.0.0.0",
            "username": "bi",
            "password": "123456"
            },
        "snmp": {
            "port": 161,
            "ip": "0.0.0.0",
            "username": "privUser",
            "password": "123456"
            }
        }
 }
--- a/docker/honeypots/docker-compose.yml
+++ b/docker/honeypots/docker-compose.yml
@ -0,0 +1,42 @@
 version: '2.3'
 networks:
  honeypots_local:
 services:
 # Honeypots service
  honeypots:
    build: .
    container_name: honeypots
    stdin_open: true
    tty: true
    restart: always
    tmpfs:
     - /tmp:uid=2000,gid=2000
    networks:
     - honeypots_local
    ports:
     - "21:21"
     - "22:22"
     - "23:23"
     - "25:25"
     - "53:53/udp"
     - "80:80"
     - "110:110"
     - "143:143"
     - "389:389"
     - "443:443"
     - "445:445"
     - "1080:1080"
     - "1433:1433"
     - "3306:3306"
     - "5432:5432"
     - "5900:5900"
     - "6379:6379"
     - "8080:8080"
     - "9200:9200"
    image: "dtagdevsec/honeypots:2006"
    read_only: true
    volumes:
     - /data/honeypots/log:/var/log/honeypots
--- a/docker/honeypy/Dockerfile
+++ b/docker/honeypy/Dockerfile
@ -49,7 +49,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
    rm -rf /root/* && \
    rm -rf /var/cache/apk/*
 #
-# Set workdir and start mailoney
+# Set workdir and start honeypy
 USER honeypy:honeypy
 WORKDIR /opt/honeypy
 CMD ["/opt/honeypy/env/bin/python2", "/opt/honeypy/Honey.py", "-d"]
--- a/docker/honeypy/docker-compose.yml
+++ b/docker/honeypy/docker-compose.yml
@ -20,7 +20,7 @@ services:
     - "2324:2324"
     - "4096:4096"
     - "9200:9200"
-    image: "ghcr.io/telekom-security/honeypy:2006"
+    image: "dtagdevsec/honeypy:2006"
    read_only: true
    volumes:
     - /data/honeypy/log:/opt/honeypy/log
--- a/docker/honeysap/Dockerfile
+++ b/docker/honeysap/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:3.10
+FROM alpine:3.11
 #
 # Include dist
 ADD dist/ /root/dist/
@ -8,7 +8,6 @@ RUN apk -U --no-cache add \
            build-base \
            git \
 	    libstdc++ \
 	    py2-markupsafe \
            python2 \
            python2-dev \
            py2-pip \
@ -22,6 +21,7 @@ RUN apk -U --no-cache add \
    mkdir conf && \
    cp /root/dist/* conf/ && \
    python setup.py install && \
    pip install markupsafe && \
    pip install -r requirements-optional.txt && \
 #
 # Setup user, groups and configs
--- a/docker/honeysap/docker-compose.yml
+++ b/docker/honeysap/docker-compose.yml
@ -14,6 +14,6 @@ services:
     - honeysap_local
    ports:
     - "3299:3299"
-    image: "ghcr.io/telekom-security/honeysap:2006"
+    image: "dtagdevsec/honeysap:2006"
    volumes:
     - /data/honeysap/log:/opt/honeysap/log
--- a/docker/honeytrap/Dockerfile
+++ b/docker/honeytrap/Dockerfile
@ -1,11 +1,12 @@
-FROM debian:buster-slim 
+FROM ubuntu:20.04
 ENV DEBIAN_FRONTEND noninteractive
 #
 # Include dist
 ADD dist/ /root/dist/
 #
 # Setup apt
-RUN apt-get update -y && \
+RUN apt-get update && \
    apt-get update -y && \
    apt-get dist-upgrade -y && \
 #
 # Install packages
@ -26,10 +27,10 @@ RUN apt-get update -y && \
                       wget && \
 #
 # Install honeytrap from source
-    git clone https://github.com/armedpot/honeytrap /root/honeytrap && \
+#    git clone https://github.com/armedpot/honeytrap /root/honeytrap && \
-#    git clone https://github.com/t3chn0m4g3/honeytrap /root/honeytrap && \
+    git clone https://github.com/t3chn0m4g3/honeytrap /root/honeytrap && \
    cd /root/honeytrap/ && \
-    git checkout 9aa4f734f2ea2f0da790b02d79afe18204a23982 && \
+#    git checkout 9aa4f734f2ea2f0da790b02d79afe18204a23982 && \
    autoreconf -vfi && \
    ./configure \
      --with-stream-mon=nfq \
--- a/docker/honeytrap/docker-compose.yml
+++ b/docker/honeytrap/docker-compose.yml
@ -12,7 +12,7 @@ services:
    network_mode: "host"
    cap_add:
     - NET_ADMIN
-    image: "ghcr.io/telekom-security/honeytrap:2006"
+    image: "dtagdevsec/honeytrap:2006"
    read_only: true
    volumes:
     - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
--- a/docker/ipphoney/docker-compose.yml
+++ b/docker/ipphoney/docker-compose.yml
@ -14,7 +14,7 @@ services:
     - ipphoney_local
    ports:
     - "631:631"
-    image: "ghcr.io/telekom-security/ipphoney:2006"
+    image: "dtagdevsec/ipphoney:2006"
    read_only: true
    volumes:
     - /data/ipphoney/log:/opt/ipphoney/log
--- a/docker/log4pot/Dockerfile
+++ b/docker/log4pot/Dockerfile
@ -0,0 +1,58 @@
 FROM ubuntu:20.04
 ENV DEBIAN_FRONTEND noninteractive
 #
 # Install packages
 RUN apt-get update && \
    apt-get update -y && \
    apt-get dist-upgrade -y && \
    apt-get install -y \
             build-essential \
 	     cargo \
 	     cleo \
             git \
 	     libcap2 \
 	     libcap2-bin \
 	     libcurl4 \
 	     libcurl4-nss-dev \
 	     libffi7 \
 	     libffi-dev \
 	     libssl-dev \
 	     python3-pip \
             python3 \
             python3-dev \
             rust-all && \
     pip3 install --upgrade pip && \
     pip3 install poetry pycurl && \
 #	     
 # Install log4pot from GitHub and setup
    mkdir -p /opt /var/log/log4pot && \
    cd /opt/ && \
    git clone https://github.com/thomaspatzke/Log4Pot && \
    cd Log4Pot && \
 #    git checkout 4269bf4a91457328fb64c3e7941cb2f520e5e911 && \
    git checkout 4e9bac32605e4d2dd4bbc6df56365988b4815c4a && \
    sed -i 's#"type": logtype,#"reason": logtype,#g' log4pot.py && \
    poetry install && \
    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
 #
 # Setup user, groups and configs
    addgroup --gid 2000 log4pot && \
    adduser --system --no-create-home --shell /bin/bash -uid 2000 --disabled-password --disabled-login -gid 2000 log4pot && \
    chown log4pot:log4pot -R /opt/Log4Pot && \
 #
 # Clean up
     apt-get purge -y build-essential \
                    cargo \
                    git \
 		    libffi-dev \
 		    libssl-dev \
 		    python3-dev \
 		    rust-all && \
    apt-get autoremove -y --purge && \
    apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 #
 # Start log4pot
 STOPSIGNAL SIGINT
 USER log4pot:log4pot
 WORKDIR /opt/Log4Pot/
 CMD ["/usr/bin/python3","log4pot.py","--port","8080","--log","/var/log/log4pot/log/log4pot.log","--download-dir","/var/log/log4pot/payloads/","--download-class","--download-payloads"]
--- a/docker/log4pot/docker-compose.yml
+++ b/docker/log4pot/docker-compose.yml
@ -0,0 +1,27 @@
 version: '2.3'
 networks:
  log4pot_local:
 services:
 # Log4pot service
  log4pot:
    build: .
    container_name: log4pot
    restart: always
    tmpfs:
     - /tmp:uid=2000,gid=2000
    networks:
     - log4pot_local
    ports:
     - "80:8080"
     - "443:8080"
     - "8080:8080"
     - "9200:8080"
     - "25565:8080"
    image: "dtagdevsec/log4pot:2006"
    read_only: true
    volumes:
     - /data/log4pot/log:/var/log/log4pot/log
     - /data/log4pot/payloads:/var/log/log4pot/payloads
--- a/docker/mailoney/docker-compose.yml
+++ b/docker/mailoney/docker-compose.yml
@ -20,7 +20,7 @@ services:
     - mailoney_local
    ports:
     - "25:25"
-    image: "ghcr.io/telekom-security/mailoney:2006"
+    image: "dtagdevsec/mailoney:2006"
    read_only: true
    volumes:
     - /data/mailoney/log:/opt/mailoney/logs
--- a/docker/medpot/Dockerfile
+++ b/docker/medpot/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Setup apk
 RUN apk -U --no-cache add \
@ -9,6 +9,7 @@ RUN apk -U --no-cache add \
 #
 # Setup go, build medpot
    export GOPATH=/opt/go/ && \
    export GO111MODULE=off && \
    mkdir -p /opt/go/src && \
    cd /opt/go/src && \
    git clone https://github.com/schmalle/medpot && \
--- a/docker/medpot/docker-compose.yml
+++ b/docker/medpot/docker-compose.yml
@ -14,7 +14,7 @@ services:
     - medpot_local
    ports:
     - "2575:2575"
-    image: "ghcr.io/telekom-security/medpot:2006"
+    image: "dtagdevsec/medpot:2006"
    read_only: true
    volumes:
     - /data/medpot/log/:/var/log/medpot
--- a/docker/p0f/Dockerfile
+++ b/docker/p0f/Dockerfile
@ -1,4 +1,6 @@
-FROM alpine:3.13
+# In case of problems Alpine 3.13 needs to be used:
 # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2
 FROM alpine:3.14
 #
 # Add source
 ADD . /opt/p0f
--- a/docker/p0f/docker-compose.yml
+++ b/docker/p0f/docker-compose.yml
@ -8,7 +8,7 @@ services:
    container_name: p0f
    restart: always
    network_mode: "host"
-    image: "ghcr.io/telekom-security/p0f:2006"
+    image: "dtagdevsec/p0f:2006"
    read_only: true
    volumes:
     - /data/p0f/log:/var/log/p0f
--- a/docker/rdpy/Dockerfile
+++ b/docker/rdpy/Dockerfile
@ -28,7 +28,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
                pyopenssl \
                qt4reactor \
                service_identity \
-                rsa \
+                rsa==4.5 \		
                pyasn1 && \
 #
 # Install rdpy from git
--- a/docker/rdpy/docker-compose.yml
+++ b/docker/rdpy/docker-compose.yml
@ -22,7 +22,7 @@ services:
     - rdpy_local
    ports:
     - "3389:3389"
-    image: "ghcr.io/telekom-security/rdpy:2006"
+    image: "dtagdevsec/rdpy:2006"
    read_only: true
    volumes:
     - /data/rdpy/log:/var/log/rdpy
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
t3chn0m4g3	e2752458d4	bump elk to 7.17.0 to support 8.0.1 in 22.x	2022-03-18 16:23:27 +00:00
Marco Ochse	cac7cdcec6	fix data fields with regard to the request field, log4pot, nginx	2022-01-17 17:10:48 +01:00
Marco Ochse	ed79b72869	Update objects for qeeqbox honeypots	2022-01-13 15:22:49 +01:00
t3chn0m4g3	e7e521edba	tweaking	2022-01-12 01:28:06 +00:00
t3chn0m4g3	7d012726b7	tweaking	2022-01-11 15:43:45 +00:00
t3chn0m4g3	d6ea4cdde2	prep for elk 8.x, pave way for next t-pot release	2022-01-07 18:03:00 +00:00
t3chn0m4g3	f441ec0bfc	Merge branch 'master' of https://github.com/telekom-security/tpotce	2022-01-07 15:42:46 +00:00
t3chn0m4g3	fb49a77180	tweaking, json_batch transfer to hive	2022-01-07 15:41:57 +00:00
Marco Ochse	5dc6350106	New objects for next release	2022-01-06 17:47:39 +01:00
t3chn0m4g3	202246a3cd	tweaking	2022-01-06 16:45:51 +00:00
t3chn0m4g3	467dfae320	cleanup, move to correct folders	2022-01-04 18:35:44 +00:00
t3chn0m4g3	788a4c4f98	prepare for new attack map feature tweaking, cleanup	2022-01-04 16:16:27 +00:00
t3chn0m4g3	0178b4c4d3	Work in progress! This is the foundation for the distributed T-Pot feature, highly work in progress, only works with local docker image builds, will be available for prod for upcoming T-Pot 22xx.	2022-01-03 18:25:31 +00:00
t3chn0m4g3	68b080a3a8	Work in progress! This is the foundation for the distributed T-Pot feature, highly work in progress, only works with local docker image builds, will be available for prod for upcoming T-Pot 22xx.	2022-01-03 18:24:17 +00:00
t3chn0m4g3	ef1a1fa057	Merge branch 'master' of https://github.com/telekom-security/tpotce	2021-12-21 11:37:18 +00:00
t3chn0m4g3	daf41b4b71	tweaking	2021-12-21 11:36:38 +00:00
t3chn0m4g3	0bca794fe7	bump log4pot to latest master rebuild on ubuntu for payload download support	2021-12-20 18:40:38 +00:00
t3chn0m4g3	aaccb43471	bump elk stack to 7.16.2 ELK 7.16.2 includes log4j 2.17.0 to address latest issues	2021-12-20 11:17:18 +00:00
Marco Ochse	beb9abca16	fixes #973	2021-12-17 02:25:10 +01:00
Marco Ochse	fb93d85119	Log4Pot Credits, Install Flavor	2021-12-16 23:10:25 +01:00
t3chn0m4g3	ceee197e68	Add Kibana Objects for Log4Pot	2021-12-16 21:53:04 +00:00
t3chn0m4g3	b0339610a2	Prep for Log4Pot integration	2021-12-16 20:25:40 +00:00
t3chn0m4g3	a98b447556	ELK 7.16.1 fixes log4j vulns.	2021-12-13 15:59:48 +00:00
t3chn0m4g3	b4c1805551	disable log4j lookups	2021-12-13 10:54:07 +00:00
t3chn0m4g3	0ef2e89cac	remove log4j JndiLookup Class	2021-12-13 10:35:22 +00:00
t3chn0m4g3	b76f0f109f	tweaking	2021-12-09 22:17:30 +00:00
t3chn0m4g3	5f29516197	tweaking	2021-12-08 23:55:13 +00:00
Marco Ochse	ff1c12e848	Disable FATT submissions for now	2021-11-30 16:04:58 +01:00
t3chn0m4g3	2ee2d08e5a	rename	2021-11-20 13:11:12 +00:00
t3chn0m4g3	3103c94355	add mini edition	2021-11-20 13:08:35 +00:00
t3chn0m4g3	a3be0011fb	Merge branch 'master' of https://github.com/telekom-security/tpotce	2021-11-19 23:22:11 +00:00
t3chn0m4g3	ce39e1bd4f	logstash logging for honeypots	2021-11-19 23:20:13 +00:00
Marco Ochse	6fb2fa783a	update for new honeypots	2021-11-18 21:32:48 +01:00
Marco Ochse	e76a643296	Update Readme for new honeypots	2021-11-18 20:58:17 +01:00
t3chn0m4g3	6c155ad87f	add qeeqbox honeypots	2021-11-18 19:55:44 +00:00
t3chn0m4g3	81b8242c68	bump ewsposter to latest master	2021-11-18 13:48:02 +00:00
t3chn0m4g3	d2cbf6ebbc	build fix for tanner	2021-11-18 13:39:05 +00:00
Marco Ochse	591be0791b	Fixes #939 https://stackoverflow.com/questions/28785383/how-to-disable-persistence-with-redis	2021-11-18 13:05:01 +01:00
t3chn0m4g3	adee51bee5	bump heralding to latest master	2021-11-16 18:23:25 +00:00
t3chn0m4g3	b214db6e9d	bump cowrie to 2.3.0, ewsposter to 1.21	2021-11-05 17:43:47 +00:00
Marco Ochse	2694c05953	Updated Kibana objects for new honeypots	2021-11-02 20:19:02 +01:00
t3chn0m4g3	c9b909e51d	finetune new honeypots logging	2021-11-02 19:13:28 +00:00
t3chn0m4g3	db74c610ad	bump hellpot to 0.3 and train config for CVE-2021-39341	2021-11-01 13:36:44 +00:00
t3chn0m4g3	ea624351b5	finetuning logstash.conf for new honeypots	2021-10-29 16:28:16 +00:00
t3chn0m4g3	c1eb9f7216	logstash parsing for ddospot, hellpot	2021-10-28 18:57:55 +00:00
t3chn0m4g3	1a844d13ba	start integrating new honeypots into ELK	2021-10-27 16:14:52 +00:00
t3chn0m4g3	348a5d572b	bump elastic stack to 7.15.1	2021-10-26 13:56:38 +00:00
t3chn0m4g3	77dcd771df	move debian to ubuntu 20.04	2021-10-05 15:26:02 +00:00
t3chn0m4g3	b566b39688	move honeytrap to ubuntu 20.04 thanks to @adepasquale's work	2021-10-04 20:19:40 +00:00
t3chn0m4g3	8285657e5d	remove snare, tanner from nextgen	2021-10-01 16:26:18 +00:00
t3chn0m4g3	dd7fb325b6	add new honeypots to nextgen to prep for ELK setup honeytrap testing	2021-10-01 16:18:10 +00:00
t3chn0m4g3	ab092faa2c	prep conpot rebuild	2021-10-01 15:10:37 +00:00
t3chn0m4g3	28681ef398	prep heralding rebuild	2021-10-01 14:32:24 +00:00
t3chn0m4g3	eefd38a335	bump elastic stack to 7.15.0 no image upgrade before 7.15.1	2021-09-30 20:40:42 +00:00
t3chn0m4g3	261b380db7	cleaup fatt, bump suricata to 6.0.3	2021-09-30 19:39:59 +00:00
t3chn0m4g3	77e2dd2da6	cleanup spiderfoot, prep fatt rebuild	2021-09-30 19:14:11 +00:00
t3chn0m4g3	183136c1f1	bump spiderfoot to v3.4	2021-09-30 17:03:28 +00:00
t3chn0m4g3	1fe0247095	prep p0f, medpot for image rebuild	2021-09-30 15:58:10 +00:00
t3chn0m4g3	adab02a067	prep for updated nginx image	2021-09-28 19:51:08 +00:00
t3chn0m4g3	58aa3162cb	prep for ewsposter fix	2021-09-28 15:58:15 +00:00
t3chn0m4g3	405ee521a6	prep ubuntu rebuild for honeytrap	2021-09-24 17:09:55 +00:00
t3chn0m4g3	9a3465aef1	bump cowrie to latest master, prep for rebuild	2021-09-24 17:03:55 +00:00
t3chn0m4g3	e23c57e58d	some tests with dionaea	2021-09-24 16:10:14 +00:00
t3chn0m4g3	44749fe9e7	bump honeysap to alpine3.11	2021-09-24 15:47:05 +00:00
t3chn0m4g3	f5d11bb008	bump snare, tanner, prep for rebuild	2021-09-24 15:18:59 +00:00
t3chn0m4g3	efa9d991ba	revert honeypy to alpine	2021-09-23 22:28:33 +00:00
t3chn0m4g3	a7faafeba9	test mailoney	2021-09-23 21:50:37 +00:00
t3chn0m4g3	f05abc07c9	cleanup	2021-09-23 21:20:25 +00:00
t3chn0m4g3	eeae863820	revert to alpine	2021-09-23 21:11:24 +00:00
t3chn0m4g3	9f9d1a65bd	debian test	2021-09-23 20:53:38 +00:00
t3chn0m4g3	a48840d1b2	prep rdpy for debian rebuild	2021-09-23 20:15:33 +00:00
t3chn0m4g3	48de3d846c	fix typo in crontab	2021-09-23 10:00:20 +00:00
t3chn0m4g3	122135dd80	prepare rebuilding dicompot	2021-09-20 21:57:39 +00:00
t3chn0m4g3	8576e576a6	prep mailoney for rebuild	2021-09-20 20:20:04 +00:00
t3chn0m4g3	32e1e8a8ea	prep for rebuilding ciscoasa, elasticpot, honeypy	2021-09-20 16:08:16 +00:00
t3chn0m4g3	ed224215a4	tweak cyberchef image for better security, prep citrixhoneypot for rebuild	2021-09-20 14:29:42 +00:00
t3chn0m4g3	e9c03e512c	prep rebuild for adbhoney, cyberchef	2021-09-20 09:15:28 +00:00
t3chn0m4g3	ed0c5aa89f	add logstash-output-gelf, fixes #861	2021-09-15 17:39:04 +00:00
Marco Ochse	d5290e68ff	Update Kibana objects	2021-09-15 18:00:56 +02:00
t3chn0m4g3	9de1bdd0b5	tweaking, bump elastic stack to 7.14.1, rebuild dashboards	2021-09-15 15:58:44 +00:00
Marco Ochse	00457b8b70	Merge pull request #887 from shaderecker/ansible Minor Ansible improvements	2021-09-02 09:50:56 +02:00
Sebastian Haderecker	e26600ad75	Minor Ansible improvements	2021-09-01 21:55:22 +02:00
Marco Ochse	310f560c65	Update credts and licenses	2021-08-26 15:14:04 +02:00
t3chn0m4g3	06ef8850fe	prep for ELK 7.13.4, start full integration of new honeypots	2021-08-25 15:04:27 +00:00
t3chn0m4g3	05a7d33c9f	add paths, logrotate settings, cleaner settings for new honeypots	2021-08-24 11:51:01 +00:00
Marco Ochse	baaba5311a	Merge pull request #881 from brianlechthaler/patch-5 🔄 🇯🇵 Update AMIs & add region ap-northeast-3	2021-08-24 12:40:48 +02:00
Brian Lechthaler	35014a15ca	🔄 🇯🇵 Update AMIs & add region ap-northeast-3 This commit updates all AMIs to debian-10-arm64-20210721-710, and add the AWS region 🇯🇵 ap-northeast-3 (Osaka, Japan) to the list.	2021-08-21 14:14:09 -07:00
t3chn0m4g3	2aa4c3c2c6	disable ntp server on host, start working on ddospot	2021-07-09 23:16:19 +00:00
t3chn0m4g3	0867d8f011	prep for redishoneypot	2021-07-05 19:59:44 +00:00
t3chn0m4g3	a2071eb4d2	hellpot cleanup and prep for endlessh	2021-07-03 15:51:32 +00:00
t3chn0m4g3	e6402b793c	start including hellpot	2021-07-02 22:12:47 +00:00
t3chn0m4g3	4cb84166c5	bump ewsposter to 1.2.0, elk stack to 7.13.2	2021-06-28 16:30:40 +00:00
t3chn0m4g3	b6be931641	prep for new ewsposter, rollout to follow next week	2021-06-24 16:26:53 +00:00
t3chn0m4g3	f51ab7ec0f	prepare to bump elastic stack to 7.13.1	2021-06-10 17:03:22 +00:00
t3chn0m4g3	f22ec3a360	Merge branch 'master' of https://github.com/telekom-security/tpotce	2021-05-26 11:01:47 +00:00
t3chn0m4g3	de38e5e86f	Rebuild Logstash, Elasticsearch Setting static limits for Elasticsearch / Logstash on Xms, Xmx and Container RAM results in unwanted side effects for some installations. With Elastic supporting dynamic heap management for Java 14+ we now use OpenJDK 16 JRE and as such remove limitations. This should improve stability for T-Pot, provided the minimum requirements will be met.	2021-05-26 11:00:49 +00:00
Marco Ochse	bd9cb43960	Merge pull request #837 from shaderecker/terraform Terraform improvements	2021-05-19 16:05:01 +02:00
Sebastian Haderecker	7763ceff4c	Test connection before git clone Test the connection to github before cloning the repository. Previously it could happen that the git clone failed due to the external network connection not being established immediately after boot.	2021-05-19 15:57:30 +02:00
Sebastian Haderecker	0e1a86f93b	Use b64_url for eip bandwidth name Missed this one in #819	2021-05-19 14:28:40 +02:00
Marco Ochse	0f0c728c90	Merge pull request #836 from shaderecker/tf-disk TF: Use SAS disk on OTC	2021-05-18 17:03:42 +02:00
Sebastian Haderecker	16d5a6e0c1	Use SAS disk	2021-05-18 16:49:56 +02:00
t3chn0m4g3	0c5ab33b8a	bump elastic stack to 7.12.1	2021-05-17 16:32:03 +00:00
Marco Ochse	cd91183b8b	Prep obejcts for 7.12.1	2021-05-12 15:38:04 +02:00
Marco Ochse	12c4308b89	Merge pull request #818 from trixam/suricata-updatescript Update update.sh	2021-05-03 14:43:01 +02:00
trixam	bbf5d70d98	Update sensor.yml	2021-05-03 14:42:39 +02:00
trixam	60e57bce52	Update update.sh Adding quotation marks for $URL	2021-05-03 14:40:08 +02:00
trixam	460214f848	Update sensor.yml	2021-05-03 14:37:52 +02:00
Marco Ochse	334b98c01b	Merge pull request #819 from shaderecker/tf-ecs-name Terraform: Use b64_url for ecs name	2021-04-26 11:34:07 +02:00
Sebastian Haderecker	0493e5eb3d	Use b64_url for ecs name Previously it could happen that special characters were generated in the name. Now it allows only letters, digits, underscore & hyphen to conform with ecs naming requirements.	2021-04-26 11:31:47 +02:00
trixam	dceaa984c9	Update update.sh Download rules via URL	2021-04-21 12:44:36 +02:00
Marco Ochse	8abd1be5bb	Merge pull request #815 from shaderecker/cloud-updates Cloud updates (Ansible & Terraform)	2021-04-15 17:35:57 +02:00
Sebastian Haderecker	d0cc43e89e	Ansible: Create VM: Use default timeout and explicitly declare auto_ip	2021-04-15 17:00:13 +02:00
Sebastian Haderecker	8c19ea68c8	Ansible: Use OTC nameservers for subnet	2021-04-15 16:58:56 +02:00
Sebastian Haderecker	0649d56521	Improve Ansible resource naming	2021-04-15 16:58:19 +02:00
Sebastian Haderecker	628ea0224c	Update Terraform readme	2021-04-15 16:34:52 +02:00
Sebastian Haderecker	c9ec5347d5	TF: Formatting	2021-04-15 16:23:49 +02:00
Sebastian Haderecker	de3d7c7f4f	TF: Check input variables also for AWS	2021-04-15 16:22:55 +02:00
Sebastian Haderecker	b0ea90c65b	TF: Rework ECS and EIP setup	2021-04-15 16:18:17 +02:00
Sebastian Haderecker	0c7d0d0eaa	TF: Check if input variables are defined	2021-04-15 15:16:33 +02:00
Sebastian Haderecker	aec0761580	TF: More formatting	2021-04-15 14:59:03 +02:00
Sebastian Haderecker	77e0b8c313	Update provider versions	2021-04-15 14:51:12 +02:00
Sebastian Haderecker	c659572df1	TF: Formatting	2021-04-15 14:44:55 +02:00
Sebastian Haderecker	37120a7324	Update gitignore	2021-04-15 12:37:30 +02:00
t3chn0m4g3	532907c27c	rebuild honeytrap	2021-02-25 11:57:16 +00:00
t3chn0m4g3	fb860fb861	fix protocols for conpot testing	2021-02-25 11:55:51 +00:00
t3chn0m4g3	1c7e5274aa	fix protocols for conpot fixes #781	2021-02-25 11:32:59 +00:00
		`@ -0,0 +1,2 @@`
							`- pipeline.id: http_output`
							`path.config: "/etc/logstash/conf.d/http_output.conf"`