Distributed Hive Reconfigure logstash.conf to accept data transmitted from other honeypot? #1098
arnsterling asked this question in Q&A (unanswered, 0 replies)
Hello, I was doing a research project for school. I wanted to learn what changes need to be made to HIVE Logstash to accept Filebeat data from another honeypot not currently supported by T-Pot?
```bash
# set up HIVE Collector and HIVE Sensor first
# set up user on HIVE for new tunnel
sudo useradd -m -s /sbin/nologin -G tpotlogs [honeypotname]
# [generate/pass sshkey]
# set up SSH tunnel (local port forwarding) on remote honeypot to HIVE Collector
ssh -4 -t -l [honeypotname] -p 64295 -f -N -L64305:127.0.0.1:64305 20.236.32.150 -o "StrictHostKeyChecking=no"
# set up Filebeat on new honeypot to send to 127.0.0.1:64305
# make changes to logstash.conf by mounting volume per https://github.com/telekom-security/tpotce/wiki/Reconfigure-logstash.conf
# e.g.
```
```
# Input section
input {
  # filebeat
  beats {
    port => 64305
    codec => json
    ssl => false
    type => "filebeat"
  }
}

# Filter section
filter {
  # filebeat
  if [type] == "filebeat" {
    mutate {
      rename => {
        "src_host" => "src_ip"
        "dst_host" => "dest_ip"
        "dst_port" => "dest_port"
      }
    }
  }
}
```
Make changes to Elasticsearch/Kibana?
Then restart with `systemctl start tpot`?
Incoming log file would be in this format:
```json
{"dst_host": "192.168.101.114", "dst_port": 22, "local_time": "2022-05-15 05:24:42.208339", "local_time_adjusted": "2022-05-15 05:24:42.208423", "logdata": {"SESSION": "0"}, "logtype": 4000, "node_id": "SVC1337", "src_host": "192.168.101.112", "src_port": 43010, "utc_time": "2022-05-15 05:24:42.208408"}
{"dst_host": "192.168.101.114", "dst_port": 22, "local_time": "2022-05-15 05:25:06.795492", "local_time_adjusted": "2022-05-15 05:25:06.795558", "logdata": {"LOCALVERSION": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10", "REMOTEVERSION": "SSH-2.0-OpenSSH_8.4p1 Debian-5"}, "logtype": 4001, "node_id": "SVC1337", "src_host": "192.168.101.112", "src_port": 43010, "utc_time": "2022-05-15 05:25:06.795544"}
{"dst_host": "192.168.101.114", "dst_port": 22, "local_time": "2022-05-15 05:25:32.827599", "local_time_adjusted": "2022-05-15 05:25:32.827655", "logdata": {"LOCALVERSION": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10", "PASSWORD": "cat", "REMOTEVERSION": "SSH-2.0-OpenSSH_8.4p1 Debian-5", "USERNAME": "root"}, "logtype": 4002, "node_id": "SVC1337", "src_host": "192.168.101.112", "src_port": 43010, "utc_time": "2022-05-15 05:25:32.827642"}
{"dst_host": "192.168.101.114", "dst_port": 22, "local_time": "2022-05-15 05:25:59.714306", "local_time_adjusted": "2022-05-15 05:25:59.714362", "logdata": {"LOCALVERSION": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10", "PASSWORD": "baseball", "REMOTEVERSION": "SSH-2.0-OpenSSH_8.4p1 Debian-5", "USERNAME": "root"}, "logtype": 4002, "node_id": "SVC1337", "src_host": "192.168.101.112", "src_port": 43010, "utc_time": "2022-05-15 05:25:59.714348"}
{"dst_host": "192.168.101.114", "dst_port": 80, "local_time": "2022-05-06 01:25:53.101628", "local_time_adjusted": "2022-05-06 01:25:53.101684", "logdata": {"HOSTNAME": "192.168.101.114", "PATH": "/index.html", "SKIN": "nasLogin", "USERAGENT": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36 Edg/101.0.1210.32"}, "logtype": 3000, "node_id": "SVC1337", "src_host": "192.168.101.102", "src_port": 54109, "utc_time": "2022-05-06 01:25:53.101666"}
```
Thanks!
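As an added example (not from the T-Pot project or the original post), the following Python applies the same field renames the proposed `mutate` filter does to the sample events above, so the mapping can be checked offline before touching logstash.conf. It additionally assumes that `utc_time` is UTC and should become an ISO 8601 `@timestamp`, and that nested `logdata` keys are flattened to lowercase `logdata_*` fields; both are assumptions beyond what the post shows.

```python
import json
from datetime import datetime, timezone

# Same renames as the proposed mutate { rename => { ... } } filter.
RENAMES = {"src_host": "src_ip", "dst_host": "dest_ip", "dst_port": "dest_port"}

# Constructed sample events, in the incoming format shown in the question.
SAMPLE_LINES = [
    '{"dst_host": "192.168.101.114", "dst_port": 22, "logdata": {"SESSION": "0"}, '
    '"logtype": 4000, "node_id": "SVC1337", "src_host": "192.168.101.112", '
    '"src_port": 43010, "utc_time": "2022-05-15 05:24:42.208408"}',
    '{"dst_host": "192.168.101.114", "dst_port": 80, "logdata": {"PATH": "/index.html"}, '
    '"logtype": 3000, "node_id": "SVC1337", "src_host": "192.168.101.102", '
    '"src_port": 54109, "utc_time": "2022-05-06 01:25:53.101666"}',
]


def normalize(line: str) -> dict:
    """Rewrite one incoming JSON log line into the renamed, flattened shape."""
    event = json.loads(line)
    out = {}
    for key, value in event.items():
        if key == "logdata" and isinstance(value, dict):
            # Assumption: flatten nested logdata into top-level lowercase keys.
            for k, v in value.items():
                out[f"logdata_{k.lower()}"] = v
        else:
            out[RENAMES.get(key, key)] = value
    # utc_time carries no zone marker; assume UTC and emit ISO 8601.
    if "utc_time" in out:
        ts = datetime.strptime(out.pop("utc_time"), "%Y-%m-%d %H:%M:%S.%f")
        out["@timestamp"] = ts.replace(tzinfo=timezone.utc).isoformat()
    # The beats input's type => "filebeat" would tag the event like this.
    out["type"] = "filebeat"
    return out


def normalize_all(lines):
    """Normalize every non-empty line; returns a list of event dicts."""
    return [normalize(line) for line in lines if line.strip()]
```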