Dshield Honeypot
#14648
Replies: 1 comment
Comment: I can dump the conf files I created for this if it helps, or anything else you ask for.
Version: 2.4.150
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Standalone
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 12
RAM: 128GB
Storage for /: 500GB
Storage for /nsm: 200GB
Network Traffic Collection: span port
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
Detail
I am a SANS student. I am trying to set up an ingestion pipeline based on https://github.com/bruneaug/DShield-SIEM, rather than spinning up a whole different ELK stack.
I have a plan; I just need details. Please and thank you.
I am just confused by the number of directories that point to what look like Logstash pipelines. I don't want to lose/overwrite current ingestion functionality.
So, is the correct directory in which to create *.conf files /opt/so/local/salt/logstash/pipelines/config/custom/?
Both this directory and /opt/so/local/salt/logstash/pipelines/config/so appear to be empty.
If this is correct, would I then be able to just place in all the *.conf files like this one (?):
https://github.com/bruneaug/DShield-SIEM/blob/main/logstash/pipeline/logstash-200-filter-cowrie.conf
Then I create indices (e.g., dshield-cowrie-, dshield-iptables-, etc.) and index templates.
I am seeing that port 5055 is the standard ingestion port now, not 5044? Is that right?
Again, thank you. I plan on open sourcing this once complete, so other students can use SO instead of just ELK to do the ICS internship portion of the degree.