input {
# Beats listener for the honeypot sensors. As written it is plaintext and
# unauthenticated: there is no ssl => true / ssl_certificate / ssl_key and no
# ssl_verify_mode => "force_peer", so any host that can reach TCP 5044 can inject
# events. That matters here because the filter and output stages route on fields
# the sender supplies ([tags], [host][hostname], [@metadata][beat] and
# [@metadata][version]) and use them to pick the destination index. Restrict
# 5044 to the sensors at the network layer and enable TLS with client-certificate
# verification before exposing it beyond them.
beats {
port => 5044
id => "beats-5044"
}
}
filter {
# NOTE(review): the cowrie section below relies on the aggregate filter, which
# keeps its per-session maps in one in-process table; the plugin documents that
# the pipeline must run with pipeline.workers set to 1 for the counts to be
# correct. Confirm that setting in pipelines.yml for this pipeline.
# Metadata
# Default index name, built from the beat name/version the sender reports.
# Both values are interpolated straight into the index name, so with an
# unauthenticated beats input the destination index is sender-controlled.
if [@metadata][beat] {
mutate {
add_field => {
"[@metadata][index]" => "%{[@metadata][beat]}-%{[@metadata][version]}"
}
id => "filter-mutate-add-beat-index"
}
}
# Cowrie index routing. [host][hostname] is reported by the beat on the sensor;
# a honeypot host is attacker-facing by design, so treat this as a hint rather
# than an authenticated identity. Note that the output stage tests
# "cowrie" in [tags] before it looks at [@metadata][index], so the
# "cowrie-test" / "cowrie-ilm" values set here are never used as an index name
# by this configuration.
if "cowrie" in [tags] {
if [host][hostname] == "honeytest1" {
mutate {
replace => {
"[@metadata][index]" => "cowrie-test"
}
id => "filter-mutate-add-cowrie-test-index"
}
}
else {
mutate {
replace => {
"[@metadata][index]" => "cowrie-ilm"
}
id => "filter-mutate-add-cowrie-index"
}
}
}
# Cowrie
if "cowrie" in [tags] {
# Constant ECS envelope fields for every cowrie event.
mutate {
add_field => {
"[event][kind]" => "event"
"[ecs][version]" => "1.5.0"
"[event][provider]" => "cowrie"
"[event][dataset]" => "cowrie.cowrie"
}
id => "cowrie-ecs-fields-1"
}
# Map cowrie's native field names onto ECS. Everything on the left is
# attacker-supplied honeypot data: "input" is the literal command line typed
# by the attacker and "password" is the credential they tried, kept in
# cleartext on purpose (it is the honeypot's product) - so whoever can read the
# target index can read captured credentials. "destfile" and "ttylog" both
# land in [file][path]; presumably no single cowrie event carries both
# (download vs. tty-log events) - confirm, since the later rename would
# overwrite the earlier one. @timestamp (the beat's time) is moved to
# [event][created] and replaced from cowrie's own "timestamp" by the date
# filter that follows.
mutate {
rename => {
"@timestamp" => "[event][created]"
"arch" => "[source][os][architecture]"
"compCS" => "[source][comp_cs]"
"destfile" => "[file][path]"
"dst_ip" => "[destination][ip]"
"dst_port" => "[destination][port]"
"duplicate" => "[file][duplicate]"
"duration" => "[event][duration]"
"encCS" => "[source][enc_cs]"
"eventid" => "[event][code]"
"filename" => "[file][name]"
"hassh" => "[source][hassh_fingerprint]"
"hasshAlgorithms" => "[source][hassh_algorithms]"
"input" => "[process][command_line]"
"kexAlgs" => "[source][key_exchange_algorithms]"
"keyAlgs" => "[source][key_algorithms]"
"langCS" => "[source][lang_cs]"
"macCS" => "[source][mac_cs]"
"name" => "[source][environment][name]"
"outfile" => "[file][target_path]"
"password" => "[user][password]"
"protocol" => "[service][type]"
"sensor" => "[observer][hostname]"
"session" => "[transaction][id]"
"shasum" => "[file][hash][sha256]"
"size" => "[file][size]"
"src_ip" => "[source][ip]"
"src_port" => "[source][port]"
"ttylog" => "[file][path]"
"url" => "[url][full]"
"username" => "[user][name]"
"value" => "[source][environment][value]"
"version" => "[source][version]"
}
id => "cowrie-rename-ecs"
}
# Event time comes from cowrie's "timestamp". If it does not parse, the date
# filter leaves @timestamp unset by this stage and adds its default
# _dateparsefailure tag; there is no explicit handling for that case here.
date {
match => ["timestamp", "ISO8601"]
target => "@timestamp"
id => "cowrie-timestamp-convert"
}
mutate {
remove_field => ["timestamp"]
id => "cowrie-remove-timestamp"
}
# Derive ECS event.outcome from the cowrie event id; anything not listed
# (connect, closed, client.version, ...) becomes "unknown".
translate {
field => "[event][code]"
destination => "[event][outcome]"
dictionary => {
"cowrie.login.success" => "success"
"cowrie.session.file_download" => "success"
"cowrie.session.file_upload" => "success"
"cowrie.command.input" => "success"
"cowrie.login.failed" => "failure"
"cowrie.command.failed" => "failure"
"cowrie.session.file_download.failed" => "failure"
}
fallback => "unknown"
id => "cowrie-event-code-ecs"
}
# Per-session counters keyed on the cowrie session id. The map is created on
# session.connect, updated by the other event types (update does nothing if
# no map exists, e.g. after a Logstash restart mid-session) and flushed into
# [metrics] on session.closed. No explicit timeout is set, so sessions that
# never send a closed event are evicted only by the plugin's default timeout.
if [event][code] == "cowrie.session.connect" {
aggregate {
task_id => "%{[transaction][id]}"
map_action => "create"
code => "
map['total_events'] = 1
map['files_downloaded'] = 0
map['files_failed_download'] = 0
map['files_uploaded'] = 0
map['total_files'] = 0
map['total_commands'] = 0
map['commands_success'] = 0
map['commands_failure'] = 0
"
id => "cowrie-aggregate-session-connect"
}
}
else if [event][code] == "cowrie.session.file_download" {
# [file][name] is the last "/"-separated component of the local download
# path; [temp] is scratch space removed at the end of the cowrie section.
mutate {
copy => {"[file][path]" => "[temp][file_path]"}
}
mutate {
split => ["[temp][file_path]" , "/"]
add_field => {
"[file][name]" => "%{[temp][file_path][-1]}"
}
}
aggregate {
task_id => "%{[transaction][id]}"
map_action => "update"
code => "
map['files_downloaded'] += 1
map['total_files'] += 1
map['total_events'] += 1
"
id => "cowrie-aggregate-session.file_download"
}
}
else if [event][code] == "cowrie.session.file_download.failed" {
aggregate {
task_id => "%{[transaction][id]}"
map_action => "update"
code => "
map['files_failed_download'] += 1
map['total_events'] += 1
"
id => "cowrie-aggregate-session.file_download_failed"
}
}
else if [event][code] == "cowrie.session.file_upload" {
aggregate {
task_id => "%{[transaction][id]}"
map_action => "update"
code => "
map['files_uploaded'] += 1
map['total_files'] += 1
map['total_events'] += 1
"
id => "cowrie-aggregate-session-file_upload"
}
}
else if [event][code] == "cowrie.command.input" {
aggregate {
task_id => "%{[transaction][id]}"
map_action => "update"
code => "
map['commands_success'] += 1
map['total_commands'] += 1
map['total_events'] += 1
"
id => "cowrie-aggregate-command-input"
}
}
else if [event][code] == "cowrie.command.failed" {
aggregate {
task_id => "%{[transaction][id]}"
map_action => "update"
code => "
map['commands_failure'] += 1
map['total_commands'] += 1
map['total_events'] += 1
"
id => "cowrie-aggregate-command-failed"
}
}
else if [event][code] == "cowrie.session.closed" {
# Emit the session totals on the closing event; the "+ 1" counts the
# closed event itself, which never went through the update branches.
# Note files_failed_download is accumulated but not reported here.
aggregate {
task_id => "%{[transaction][id]}"
map_action => "update"
code => "
event.set('metrics', {
'events': {
'total': map['total_events'] + 1
},
'files': {
'total': map['total_files'],
'downloaded': map['files_downloaded'],
'uploaded': map['files_uploaded']
},
'commands': {
'total': map['total_commands'],
'success': map['commands_success'],
'failure': map['commands_failure']
}
})
"
end_of_task => true
id => "cowrie-aggregate-session-closed"
}
}
else {
aggregate {
task_id => "%{[transaction][id]}"
map_action => "update"
code => "map['total_events'] += 1"
id => "cowrie-aggregate-all-other-events"
}
}
if [temp] {
mutate {
remove_field => [ "temp" ]
id => "remove-temp"
}
}
}
# GeoIP
# Same MaxMind database, applied to each ECS ip field that is present.
if [source][ip] {
geoip {
database => "{{ maxmind_db_location }}/{{ logstash_maxmind_db_name }}"
source => "[source][ip]"
target => "[source][geo]"
id => "source-ip-geoip-lookup"
}
}
if [destination][ip] {
geoip {
database => "{{ maxmind_db_location }}/{{ logstash_maxmind_db_name }}"
source => "[destination][ip]"
target => "[destination][geo]"
id => "destination-ip-geoip-lookup"
}
}
if [client][ip] {
geoip {
database => "{{ maxmind_db_location }}/{{ logstash_maxmind_db_name }}"
source => "[client][ip]"
target => "[client][geo]"
id => "client-ip-geoip-lookup"
}
}
if [server][ip] {
geoip {
database => "{{ maxmind_db_location }}/{{ logstash_maxmind_db_name }}"
source => "[server][ip]"
target => "[server][geo]"
id => "server-ip-geoip-lookup"
}
}
if [host][ip] {
geoip {
database => "{{ maxmind_db_location }}/{{ logstash_maxmind_db_name }}"
source => "[host][ip]"
target => "[host][geo]"
id => "host-ip-geoip-lookup"
}
}
# Fill ECS Fields
# *.address is the domain when one is known, otherwise the ip.
if [destination][domain] {
mutate {
add_field => {
"[destination][address]" => "%{[destination][domain]}"
}
}
}
else if [destination][ip] {
mutate {
add_field => {
"[destination][address]" => "%{[destination][ip]}"
}
}
}
if [source][domain] {
mutate {
add_field => {
"[source][address]" => "%{[source][domain]}"
}
}
}
else if [source][ip] {
mutate {
add_field => {
"[source][address]" => "%{[source][ip]}"
}
}
}
if [client][domain] {
mutate {
add_field => {
"[client][address]" => "%{[client][domain]}"
}
}
}
else if [client][ip] {
mutate {
add_field => {
"[client][address]" => "%{[client][ip]}"
}
}
}
if [server][domain] {
mutate {
add_field => {
"[server][address]" => "%{[server][domain]}"
}
}
}
else if [server][ip] {
mutate {
add_field => {
"[server][address]" => "%{[server][ip]}"
}
}
}
# process.args is a plain split of the command line on single spaces: shell
# quoting, escapes and runs of whitespace are not honoured, so args for
# attacker input like echo "a b" will be tokenised differently from how the
# shell parsed them. Good enough for search; do not treat it as an argv.
if [process][command_line] and ![process][args] {
mutate {
copy => {
"[process][command_line]" => "[process][args]"
}
}
mutate {
split => {
"[process][args]" => " "
}
}
}
}
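output {
# Cowrie events always take this branch: it is tested before the generic
# [@metadata][index] route, so the cowrie-* index names set in the filter are
# never used. [tags] is supplied by the sender, so with an unauthenticated beats
# input this routing is attacker-influenced.
if "cowrie" in [tags] {
elasticsearch {
hosts => ["{{ elastic_ingest_endpoints | join(',') }}"]
user => "logstash_shipper"
password => "{{ vault_logstash_shipper_password }}"
# Verify the cluster's certificate. The original disabled this, which lets
# any on-path host impersonate the ingest endpoints and capture the
# logstash_shipper password and all honeypot data. If the endpoints are
# signed by a private CA, point `cacert` at that CA bundle rather than
# turning verification off. Only meaningful when hosts are https:// (or
# ssl => true is set); check elastic_ingest_endpoints.
ssl_certificate_verification => true
index => "logs-cowrie"
action => "create"
pipeline => "ingest_time"
id => "output-elasticsearch-cowrie"
}
}
else if [@metadata][index] {
# Generic route. The index name is interpolated from [@metadata][index],
# which the filter builds from the sender-reported beat name and version;
# the logstash_shipper role should be limited to the index patterns these
# beats are expected to write, so an injected event cannot reach others.
elasticsearch {
hosts => ["{{ elastic_ingest_endpoints | join(',') }}"]
# See the cowrie branch: never disable certificate verification; use
# `cacert` for a private CA instead.
ssl_certificate_verification => true
user => "logstash_shipper"
password => "{{ vault_logstash_shipper_password }}"
index => "%{[@metadata][index]}"
pipeline => "ingest_time"
id => "output-elasticsearch"
}
}
else {
# Catch-all for events that matched no route. The whole event is written to
# disk, so anything captured upstream (including cleartext [user][password]
# and attacker command lines) lands here; keep the file readable only by the
# logstash user and rotate it.
file {
path => "/var/log/logstash/unparsed.txt"
id => "output-file-unparsed"
}
}
}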