
SANS ISC InfoSec Forums

ELK Dashboard and Logstash parser for tcp-honeypot Logs

In my last two diaries, I shared a Pi-hole parser and dashboard [4][5] to collect and view its logs in Elastic. In this diary, I'm sharing another parser and dashboard to visualize the data collected by Didier Stevens' tcp-honeypot [1]. This is a work in progress.

tcp-honeypot Log Analysis from Discover

tcp-honeypot Dashboard Summary

The tcp-honeypot Logstash parser can be downloaded here [2] and the Kibana dashboard JSON here [3].

[1] https://github.com/DidierStevens/Beta/blob/master/tcp-honeypot.py
[2] https://handlers.sans.edu/gbruneau/elk/honeypot.conf
[3] https://handlers.sans.edu/gbruneau/elk/honeypot_graphs.ndjson
[4] https://handlers.sans.edu/gbruneau/elk/pihole.conf
[5] https://handlers.sans.edu/gbruneau/elk/pihole_graphs.ndjson

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Guy

ISC Handler
As a cyber security geek with very little actual budget (no way we could afford a commercial SIEM product), I'm a HUGE believer in good log servers and visualization tools! And don't be shy about rolling your own parsers and logging data with Elasticsearch and Kibana. I wound up writing my own syslog daemon in Node.js (a Christmas break project to learn Node.js) and it worked so well we used it in production. At home I use it to monitor all the logs from OPNsense, some SSH honeypots, Snort/Suricata logs, Squid and DNS logs, etc. And it's been very useful. I made several videos about it here:
https://www.minds.com/media/884629970573185024?referrer=linuxgeek
https://www.minds.com/newsfeed/1016723622898040832?referrer=linuxgeek

There's more on my https://www.minds.com/linuxgeek page too.
Anonymous
