honeypot-project's Issues
Logstash can't communicate on 5044: connection refused
Hello,
I've implemented the honeypot project locally.
As soon as I trigger a mod-sec rule (by sending a curl request), the Python file starts processing those rules, but I got this error:
ERROR pipeline/output.go:100 Failed to connect to backoff(async(tcp://127.0.0.1:5044)): dial tcp 127.0.0.1:5044: connect: connection refused
modsec_app | 2021-01-06T07:49:46.218Z INFO pipeline/output.go:93 Attempting to reconnect to backoff(async(tcp://127.0.0.1:5044)) with 3 reconnect attempt(s)
Any thoughts on this?
My env file:
LOGSTASH_HOST=127.0.0.1:5044
My filebeat.yml:
output:
  logstash:
    enabled: true
    hosts: '${LOGSTASH_HOST:?must set LOGSTASH_HOST env variable}'
    timeout: 15
filebeat:
  inputs:
    -
      paths:
        - /var/log/modsec_audit_processed.log
      type: log
      json.keys_under_root: true
      json.add_error_key: true
My logstash.conf file:
input {
  beats {
    port => 5044
    type => "mod_security"
    codec => json
    ssl => false
  }
}
output {
  elasticsearch {
    hosts => "elasticsearch:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
  stdout { codec => rubydebug }
}
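An added diagnostic (example code, not part of honeypot-project) that parses the Filebeat lines and the .env value quoted in this issue and flags a loopback LOGSTASH_HOST, which from inside the modsec_app container addresses that container itself rather than the Logstash container. The function names and the "logstash" compose service name it suggests are assumptions.

```python
import ipaddress
import re
# Matches the target in Filebeat's "Failed to connect to backoff(async(tcp://host:port))" lines.
BACKOFF_RE = re.compile(r"backoff\(async\(tcp://(?P<host>[^:)]+):(?P<port>\d+)\)\)")

def parse_logstash_targets(log_lines):
    """Return the distinct (host, port) pairs Filebeat reports it cannot reach."""
    targets = []
    for line in log_lines:
        m = BACKOFF_RE.search(line)
        if m:
            pair = (m.group("host"), int(m.group("port")))
            if pair not in targets:
                targets.append(pair)
    return targets

def is_loopback(host):
    """True for 'localhost' or a loopback IP such as 127.0.0.1 / ::1."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a compose service name (e.g. 'elasticsearch') resolves via Docker DNS

def diagnose(env_text, log_lines):
    """Combine the .env value and the Filebeat log evidence into a list of findings."""
    findings = []
    env = dict(ln.split("=", 1) for ln in env_text.splitlines() if "=" in ln)
    if not env.get("LOGSTASH_HOST"):
        findings.append("LOGSTASH_HOST is unset; Filebeat's ${LOGSTASH_HOST:?...} will refuse to start")
    for host, port in parse_logstash_targets(log_lines):
        if is_loopback(host):
            # Inside a container, 127.0.0.1 is that container's own loopback, not Logstash.
            findings.append(f"Filebeat cannot reach {host}:{port}: loopback inside the Filebeat "
                            f"container is not the Logstash container; point LOGSTASH_HOST at the "
                            f"Logstash compose service name (assumed here: logstash:{port})")
        else:
            findings.append(f"Filebeat cannot reach {host}:{port}: check Logstash is listening on {port}")
    return findings

# Constructed sample input: the .env line and the log lines quoted in the issue.
SAMPLE_ENV = "LOGSTASH_HOST=127.0.0.1:5044\n"
SAMPLE_LOG = [
    "ERROR pipeline/output.go:100 Failed to connect to backoff(async(tcp://127.0.0.1:5044)): "
    "dial tcp 127.0.0.1:5044: connect: connection refused",
    "modsec_app | 2021-01-06T07:49:46.218Z INFO pipeline/output.go:93 Attempting to reconnect "
    "to backoff(async(tcp://127.0.0.1:5044)) with 3 reconnect attempt(s)",
]
```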
How is information shared from Elasticsearch to MISP?
I need the code location for sharing information from Elasticsearch to MISP.
Create module for CMSs
One of the problems for adoption is the lack of simple inclusion into well-known CMSs.
The idea is to provide a simple add-on/plugin/module to include the functionality of semi-automatic configuration for the major CMSs: WordPress, Joomla, Drupal.
The modules will:
- provide a simple way of configuring the honeypot data, e.g. server, redirection, possible variables that will act as the honeypot
- a way of inserting those variables at random on the web interface
- redirection to the honeypot when one of these variables is modified
List of feature and optimisation requirements / initiatives
The project has been idle for a while. This issue is created as a root ticket to gather new items (including some of the old tickets) which are going to be implemented.
Items
- [FEAT] Develop alternative small-footprint honeypot/probe formats.
- [FEAT] pluggable modules #9
- [OPT] Consider new alternatives for log transfer approaches. #6
- [OPT] The project structure may be a little confusing for individuals to run it. Consider refactoring the structure of the docker-compose file, the folder structure, and the README file.
- [FIX] Images do not work correctly on some OSes (e.g., macOS) because the version is not specified.
Output logging to ELK
This is related to #2.
- Develop a mechanism to convert from stored MySQL to JSON format.
- Provide a mechanism to convert ModSecurity mlogc audit log output into JSON format.
- Provide a mechanism to convert mlogc audit log output directly into ELK (Elasticsearch/Logstash/Kibana) to visualise the data.
Forward Threat Intelligence data
We need to provide a mechanism to forward honeypot output into a threat intelligence format such as STIX, using something like the MISP project to share threat data coming from the honeypots and making it easy to export/import data in formats such as STIX and TAXII. This may require keeping concurrent logs in a format that MISP can deal with.
Evaluate console options
Evaluate console options to visualise threat data received from ModSecurity Honeypots/probes in:
- ModSecurity Audit Console
- WAF-FLE
- ELK?
Fluent and bespoke scripts for single and multiple probes.
PoC: understand and document the flow from ModSecurity to the console
We need a Proof of Concept to understand how a ModSecurity-based honeypot/probe interacts with a receiving console (develop a VM- and/or Docker-based test solution to store logs from multiple probes).
- Install modsecurity stack
- Send logs/probes to console
- Write documentation for the process
No docker-compose.yml file found
There is no "docker-compose.yml" file in the honeytrap folder.
Develop machine learning approach to automatically be able to update the rule set being used by the probe based on cyber threat intelligence received
Any instructions and guidelines for installation?
Develop a new VM-based honeypot/probe based on CRS v3.2
We need to create a new deployment using CRS v3.0-v3.1.
Ideally the setup using packer will provide us a simple and repetitive way of generating it for many different platforms.
Develop new alternative small footprint honeypots
Small footprint honeypot/probe formats utilising Docker & Raspberry Pi
Logging alternatives
Consider new alternatives for log transfer including the use of:
- MLOGC-NG
- FileBeat (Logstash)
- You name it..
Docker Build Error for ELK/Logstash
When building the docker image (i.e. docker-compose build) for ELK/Logstash, most of the build completes, but near the end:
/bin/sh: 1: wget: not found
ERROR: Service 'modsec_crs' failed to build: The command '/bin/sh -c wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.1.2-x86_64.rpm' returned a non-zero code: 127
Any thoughts?