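# Guy Bruneau, guybruneau@outlook.com
# Updated: 28 June 2020
# Version: 1.0
#
# Initial Release
# Date: 6 Dec 2019
# Version: 0.5
#
# This is a tcp-honeypot parser for the different log formats captured by tcp-honeypot.
# The tcp-honeypot script can be downloaded at: https://github.com/DidierStevens/Beta/blob/master/tcp-honeypot.py
#
# Pipeline shape: beats input -> mutate (host -> name) -> grok (one pattern per
# observed honeypot log line shape, first match wins) -> geoip -> elasticsearch
# and a rubydebug copy on stdout.

input {
  beats {
    # Plain beats listener on 5044; the beats input ships with TLS off unless
    # ssl options are set here, so the honeypot traffic travels unencrypted
    # between the shipper and this host.
    port => 5044
  }
}

filter {
  mutate {
    # Presumably the shipper's own `host` structure is moved aside so it does
    # not collide in Elasticsearch with the dotted `host.ip` field that grok
    # creates below -- verify against the beats configuration.
    rename => ["host", "name"]
    # NOTE(review): mutate applies its operations in a fixed order (rename
    # before convert) regardless of how they are written, so this convert runs
    # after `host` has already been renamed and is a no-op. Left untouched;
    # if the conversion is wanted it needs its own mutate block ahead of the
    # rename.
    convert => {"host" => "string"}
  }
}

filter {
  grok {
    # Patterns are tried top to bottom and the first match wins (grok default
    # break_on_match). Dotted capture names (host.ip, source.ip, ...) appear to
    # be literal top-level field names here, not nested [host][ip] objects.
    #
    # NOTE(review): every pattern opens with "^(?(%{YEAR}...))". That reads
    # like a named capture "(?<NAME>...)" whose name was lost when the file was
    # copied (NAME is a placeholder, the original is not recoverable from this
    # copy); as written the group is not valid grok and should be checked
    # against the original config before deployment.
    #
    # NOTE(review): the honeypot side is captured as host.ip but its port as
    # destination.port; the request path lands in http.request.body.content.
    # Field names are kept as-is so existing dashboards keep working.
    match => {
      "message" => [
        # ================ Various Types ==================
        # HTTP request with Host, User-Agent and a Referer header at the end
        "^(?(%{YEAR}%{MONTHNUM2}%{MONTHDAY}-%{HOUR}%{MINUTE}%{SECOND}))\:\s+%{IP:host.ip}:%{INT:destination.port}-%{IP:source.ip}:%{INT:source.port}\s+data\s+'%{WORD:http.request.method}\s+%{DATA:http.request.body.content}\s+HTTP/%{DATA:http.version}\\r\\nHost:\s+%{DATA:url.domain}(:%{DATA:url.port})?\\r\\n.*User-Agent:%{DATA:user_agent.original}\\r\\n.*Referer:\s+%{DATA:http.request.referer}\\r\\n.*",
        # Same as previous without Referer
        "^(?(%{YEAR}%{MONTHNUM2}%{MONTHDAY}-%{HOUR}%{MINUTE}%{SECOND}))\:\s+%{IP:host.ip}:%{INT:destination.port}-%{IP:source.ip}:%{INT:source.port}\s+data\s+'%{WORD:http.request.method}\s+%{DATA:http.request.body.content}\s+HTTP/%{DATA:http.version}\\r\\nHost:\s+%{DATA:url.domain}(:%{DATA:url.port})?\\r\\n.*User-Agent:%{DATA:user_agent.original}\\r\\n.*",
        # No Host header: User-Agent follows the request line directly.
        # Fixed: a stray '*' after %{INT:source.port} made the port capture
        # optional/repeated, unlike every other pattern in this list.
        "^(?(%{YEAR}%{MONTHNUM2}%{MONTHDAY}-%{HOUR}%{MINUTE}%{SECOND}))\:\s+%{IP:host.ip}:%{INT:destination.port}-%{IP:source.ip}:%{INT:source.port}\s+data\s+'%{WORD:http.request.method}\s+%{DATA:http.request.body.content}\s+HTTP/%{DATA:http.version}\\r\\nUser-Agent:%{DATA:user_agent.original}\\r\\n.*",
        # Bare request line; HTTP version, Host header and trailing bytes are
        # all optional.
        "^(?(%{YEAR}%{MONTHNUM2}%{MONTHDAY}-%{HOUR}%{MINUTE}%{SECOND}))\:\s+%{IP:host.ip}:%{INT:destination.port}-%{IP:source.ip}:%{INT:source.port}\s+data\s+'%{WORD:http.request.method}\s+%{DATA:http.request.body.content}(\s+HTTP/%{DATA:http.version})?(\\r\\nHost:\s+%{DATA:url.domain}(:%{DATA:url.port})?)?(\\r.*)?'",
        # ============= mstshash ===============
        # 20191019-105233: 192.168.25.9:80-45.136.108.64:1598 data '\x03\x00\x00/*\xe0\x00\x00\x00\x00\x00Cookie: mstshash=Administr\r\n\x01\x00\x08\x00\x03\x00\x00\x00'
        # The RDP cookie value is stored as user.name for later analysis.
        "^(?(%{YEAR}%{MONTHNUM2}%{MONTHDAY}-%{HOUR}%{MINUTE}%{SECOND}))\:\s+%{IP:host.ip}:%{INT:destination.port}-%{IP:source.ip}:%{INT:source.port}\s+data\s+.*Cookie:\s+mstshash=%{USERNAME:user.name}\\r\\n.*",
        # ============= SSH Logs ===============
        # 20191201-124101: 192.168.25.9:2222-116.89.189.37:53528 data 'SSH-2.0-libssh2_1.8.0\r\n'
        "^(?(%{YEAR}%{MONTHNUM2}%{MONTHDAY}-%{HOUR}%{MINUTE}%{SECOND}))\:\s+%{IP:host.ip}:%{INT:destination.port}-%{IP:source.ip}:%{INT:source.port}\s+data\s+'%{DATA:version}(\\n|\\r\\n)'",
        # Catch everything else with basic data.
        # Fixed: the optional prefix used to be "(data.*)?", whose greedy ".*"
        # swallowed the whole payload and left event.action empty on every
        # "data" line; only the literal "data" and the following whitespace are
        # skipped now so the payload ends up in event.action.
        "^(?(%{YEAR}%{MONTHNUM2}%{MONTHDAY}-%{HOUR}%{MINUTE}%{SECOND}))\:\s+%{IP:host.ip}:%{INT:destination.port}-%{IP:source.ip}:%{INT:source.port}\s+(data\s*)?%{GREEDYDATA:event.action}",
        # Basic header.
        # NOTE(review): the catch-all above already matches every line this
        # pattern matches, so this entry is never reached; kept for reference.
        "^(?(%{YEAR}%{MONTHNUM2}%{MONTHDAY}-%{HOUR}%{MINUTE}%{SECOND}))\:\s+%{IP:host.ip}:%{INT:destination.port}-%{IP:source.ip}:%{INT:source.port}\s+data.*"
      ] # End of rules
    }
  }
}

filter {
  geoip {
    # Attacker address, captured by grok as the literal field "source.ip".
    source => "source.ip"
  }
  geoip {
    # NOTE(review): none of the grok patterns above write a "destination.ip"
    # field (the honeypot side is captured as "host.ip"), so this lookup can
    # never succeed and tags every event with the geoip failure tag. Left
    # as-is because changing the source field would alter the indexed schema;
    # either drop this block or rename the capture consistently.
    source => "destination.ip"
  }
}

output {
  elasticsearch {
    # Cleartext HTTP to the cluster; prefer an https:// endpoint when the
    # cluster offers one so the credentials below are not sent in the clear.
    hosts => ["http://192.168.25.12:9200"]
    index => "tcp-honeypot-%{+YYYY.MM.dd}"
    # The password is stored in clear text in this file. Logstash can read it
    # from its keystore instead (e.g. password => "${ES_PASSWORD}", where
    # ES_PASSWORD is a keystore entry you create), which keeps the secret out
    # of the config and out of version control.
    user => "elastic"
    password => "training"
  }
  # rubydebug echoes every event, including captured usernames and payloads,
  # to stdout (metadata included); useful while tuning the patterns, noisy in
  # steady-state operation.
  stdout { codec => rubydebug { metadata => true } }
}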