SANS ISC InfoSec Forums

tcp-honeypot.py Logstash Parser & Dashboard Update

This is an update to the Logstash parser and Kibana dashboard published in January [1] for Didier's tcp-honeypot.py honeypot script. The parser has been updated to follow the Elastic Common Schema (ECS) field naming [2] and extracts more information from the honeypot logs; the dashboards have been revised and new ones added to make use of the additional fields.

tcp-honeypot Log Analysis from Discover

tcp-honeypot Dashboard Summary

The tcp-honeypot Logstash parser and the dashboard JSON can be downloaded from my Elastic page [3].
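To make the ECS point concrete, here is an added worked example that is not Guy's Logstash parser and not part of tcp-honeypot.py: a small Python parser that maps honeypot connection lines onto ECS field names the way a Logstash grok/mutate pipeline would. The line layout, the sample lines and the `honeypot.*` payload fields are constructed for this example (the `honeypot.*` names are a custom namespace, not ECS); the `_grokparsefailure` tag mirrors what Logstash's grok filter adds to lines it cannot match, so they still reach the index and show up on a dashboard instead of disappearing.

```python
"""Map honeypot connection log lines onto ECS-style field names.

Assumption: the line format below (timestamp, src ip:port, dst port,
action, optional hex payload) is constructed for this example and is
NOT necessarily what tcp-honeypot.py writes; adapt LINE_RE to the real
lines before reusing it.
"""
import re
from datetime import datetime, timezone

# Constructed sample input, not real honeypot output.
SAMPLE_LOG = """20200628-140526: 203.0.113.7:51544 -> 80 connect
20200628-140527: 203.0.113.7:51544 -> 80 data 474554202f20485454502f312e310d0a
20200628-140530: 198.51.100.23:40112 -> 22 connect
20200628-140531: 198.51.100.23:40112 -> 22 close
something the honeypot never wrote
"""

LINE_RE = re.compile(
    r"""^(?P<ts>\d{8}-\d{6}):\s+
        (?P<src_ip>[0-9A-Fa-f.:]+):(?P<src_port>\d+)\s+->\s+(?P<dst_port>\d+)\s+
        (?P<action>connect|data|close)(?:\s+(?P<hexdata>[0-9A-Fa-f]*))?\s*$""",
    re.X,
)

# ECS event.type values (all from the ECS allowed list) for each action.
EVENT_TYPE = {
    "connect": ["connection", "start"],
    "data": ["connection"],
    "close": ["connection", "end"],
}


def parse_line(line: str) -> dict:
    """Return a flat dict of dotted ECS field names for one log line."""
    m = LINE_RE.match(line)
    if not m:
        # Keep unparsable lines, tagged the way Logstash grok would.
        return {"event.original": line, "tags": ["_grokparsefailure"]}
    # Honeypot timestamps are assumed to be UTC (assumption of this example).
    ts = datetime.strptime(m["ts"], "%Y%m%d-%H%M%S").replace(tzinfo=timezone.utc)
    doc = {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "event.original": line,
        "event.kind": "event",
        "event.category": ["network"],
        "event.type": EVENT_TYPE[m["action"]],
        "event.action": m["action"],
        "event.dataset": "tcp_honeypot",
        "source.ip": m["src_ip"],
        "source.port": int(m["src_port"]),
        "destination.port": int(m["dst_port"]),
        "network.transport": "tcp",
        "network.direction": "inbound",
    }
    if m["action"] == "data" and m["hexdata"]:
        payload = bytes.fromhex(m["hexdata"])
        # Custom (non-ECS) namespace for the honeypot-specific payload.
        doc["honeypot.payload.bytes"] = len(payload)
        doc["honeypot.payload.text"] = payload.decode("ascii", errors="backslashreplace")
    return doc


def nest(flat: dict) -> dict:
    """Turn dotted keys into nested objects, as Logstash's [a][b] fields become in JSON."""
    out: dict = {}
    for key, value in flat.items():
        parts = key.split(".")
        cur = out
        for part in parts[:-1]:
            cur = cur.setdefault(part, {})
        cur[parts[-1]] = value
    return out


def parse_log(text: str) -> list:
    """Parse every non-empty line of a log file into a nested ECS-style document."""
    return [nest(parse_line(line)) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    import json
    for doc in parse_log(SAMPLE_LOG):
        print(json.dumps(doc, sort_keys=True))
```

Once lines are in this shape, a dashboard can aggregate on `source.ip`, `destination.port` and `event.action` without honeypot-specific field names, and a visualization filtered on `tags:_grokparsefailure` tells you when the honeypot's output format has changed under you.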

[1] https://isc.sans.edu/forums/diary/ELK+Dashboard+and+Logstash+parser+for+tcphoneypot+Logs/25702
[2] https://www.elastic.co/guide/en/ecs/current/ecs-reference.html
[3] https://handlers.sans.edu/gbruneau/elastic.htm

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Guy, ISC Handler, Jun 28th 2020
Looks nice! Is this or will this be integrated into the DShield honeypot? https://isc.sans.edu/honeypot.html
Sam
This is not currently part of the DShield Honeypot; this is a different honeypot maintained by handler Didier Stevens.
Guy, ISC Handler