SANS ISC: ELK Dashboard and Logstash parser for tcp-honeypot Logs

In my last two diaries, I shared a Pi-hole parser and dashboard [4][5] to collect and view its logs in Elastic. In this diary, I'm sharing another Logstash parser and Kibana dashboard to visualize the data collected by Didier Stevens' tcp-honeypot [1]. This is a work in progress.

tcp-honeypot Log Analysis from Discover

tcp-honeypot Dashboard Summary

The tcp-honeypot Logstash parser can be downloaded from [2] and the Kibana dashboard export (ndjson) from [3].
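To show what the parsing stage has to do before the dashboard can count anything, here is an added Python example (not the honeypot.conf from the diary, and not code from tcp-honeypot.py) that does the job of a grok filter on a few constructed log lines. The line layout it assumes (`YYYYMMDD-HHMMSS: <connection id> <message>` with "Connection from", "Data received:" and "Connection closed" messages) is an assumption for this example only; compare it against the output of your own tcp-honeypot.py run and adjust the regular expressions. Lines that do not fit the layout are kept and tagged the way Logstash tags them with `_grokparsefailure`, so unexpected output is visible in Discover instead of silently dropped.

```python
"""Added example: a Python stand-in for the grok stage of a tcp-honeypot parser.

The log layout below is an ASSUMPTION for this example; the real
tcp-honeypot.py output may differ, so adjust the regular expressions.
"""
import ast
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines (not real honeypot output) in the assumed layout:
#   <YYYYMMDD-HHMMSS>: <connection id> <message>
SAMPLE_LOG = """\
20200118-101502: 0001 Connection from 203.0.113.7:51234 to port 23
20200118-101502: 0001 Data received: b'root\\r\\n'
20200118-101503: 0001 Connection closed
20200118-101510: 0002 Connection from 198.51.100.9:40022 to port 80
20200118-101510: 0002 Data received: b'GET / HTTP/1.1\\r\\nHost: x\\r\\n\\r\\n'
this line does not match the expected layout
"""

LINE_RE = re.compile(r"^(?P<ts>\d{8}-\d{6}): (?P<conn>\d{4}) (?P<msg>.*)$")
CONNECT_RE = re.compile(
    r"^Connection from (?P<src_ip>[0-9a-fA-F:.]+):(?P<src_port>\d+) "
    r"to port (?P<dst_port>\d+)$")
DATA_RE = re.compile(r"^Data received: (?P<payload>b'.*')$")


def parse_line(line: str) -> dict:
    """Turn one log line into a flat event, as a grok filter would.

    Lines that do not fit the assumed layout are kept and tagged, mirroring
    Logstash's _grokparsefailure tag, so nothing is silently dropped.
    """
    m = LINE_RE.match(line)
    if not m:
        return {"message": line, "tags": ["_grokparsefailure"]}
    ts = datetime.strptime(m["ts"], "%Y%m%d-%H%M%S").replace(tzinfo=timezone.utc)
    event = {"message": line, "@timestamp": ts.isoformat(), "conn_id": m["conn"]}
    msg = m["msg"]
    c = CONNECT_RE.match(msg)
    d = DATA_RE.match(msg)
    if c:
        event.update(event_type="connect", src_ip=c["src_ip"],
                     src_port=int(c["src_port"]), dst_port=int(c["dst_port"]))
    elif d:
        try:
            raw = ast.literal_eval(d["payload"])  # "b'...'" literal -> bytes
        except (ValueError, SyntaxError):
            raw = d["payload"].encode("latin-1", "replace")  # keep it, unparsed
        event.update(event_type="data",
                     payload=raw.decode("latin-1"), payload_len=len(raw))
    elif msg == "Connection closed":
        event["event_type"] = "close"
    else:
        event["event_type"] = "other"
    return event


def parse_log(text: str) -> list:
    """Parse every non-empty line of a log file's contents."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def summarize(events: list) -> dict:
    """The aggregations a dashboard would draw: top sources, top ports, failures."""
    connects = [e for e in events if e.get("event_type") == "connect"]
    return {
        "connections": len(connects),
        "top_src_ip": Counter(e["src_ip"] for e in connects).most_common(10),
        "top_dst_port": Counter(e["dst_port"] for e in connects).most_common(10),
        "parse_failures": sum("_grokparsefailure" in e.get("tags", [])
                              for e in events),
    }


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev)
    print(summarize(parse_log(SAMPLE_LOG)))
```

The payload is decoded as latin-1 rather than UTF-8 so every byte the honeypot captured survives as a string field; a non-zero `parse_failures` count is the first thing to check after changing tcp-honeypot.py or upgrading Logstash.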

[1] https://github.com/DidierStevens/Beta/blob/master/tcp-honeypot.py
[2] https://handlers.sans.edu/gbruneau/elk/honeypot.conf
[3] https://handlers.sans.edu/gbruneau/elk/honeypot_graphs.ndjson
[4] https://handlers.sans.edu/gbruneau/elk/pihole.conf
[5] https://handlers.sans.edu/gbruneau/elk/pihole_graphs.ndjson

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

As a cyber security geek with very little actual budget (no way we could afford a commercial SIEM product), I'm a HUGE believer in good log servers and visualization tools! And don't be shy about rolling your own parsers and logging data with Elasticsearch and Kibana. I wound up writing my own syslog daemon in Node.js (a Christmas break project to learn Node.js) and it worked so well we used it in production. At home I use it to monitor all the logs from OPNsense, some SSH honeypots, Snort/Suricata logs, Squid and DNS logs, etc. And it's been very useful. I made several videos about it here:
https://www.minds.com/media/884629970573185024?referrer=linuxgeek
https://www.minds.com/newsfeed/1016723622898040832?referrer=linuxgeek

There's more on my https://www.minds.com/linuxgeek page too.
Anonymous