elasticpot.cfg.template
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# honeypot.cfg
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
# ============================================================================
# General Honeypot Options
# ============================================================================
[honeypot]
# The settings below describe the Elasticsearch instance and host the honeypot
# pretends to be. Values left at their defaults are the same in every
# unmodified deployment; override them in honeypot.cfg if that matters for
# your deployment.
#
# Sensor name is used to identify this honeypot instance. Used by the database
# logging modules such as JSON.
#
# If not specified, the logging modules will instead use the IP address of the
# server as the sensor name.
#
# NOTE(review): the fallback above (IP address) and the default below (name of
# the local machine) disagree; confirm which one the logging modules apply.
#
# (default: the name of the local machine)
#sensor_name = myhostname
# The version of Elasticsearch reported by the honeypot.
#
# (default: 1.4.1)
#spoofed_version = 1.4.1
# The Elasticsearch instance name reported by the honeypot.
#
# (default: Green Goblin)
#instance_name = Green Goblin
# The name of the simulated Elasticsearch cluster.
#
# (default: elasticsearch)
#cluster_name = elasticsearch
# The name of the simulated host running Elasticsearch.
#
# (default: elk)
#host_name = elk
# The build number of the simulated Elasticsearch instance.
# Use something realistic or simply don't touch this value.
#
# (default: 89d3241)
#build = 89d3241
# The number of processors on the simulated host.
#
# (default: 12)
#total_processors = 12
# The total number of CPU cores on the simulated host.
# Use a multiple of total_processors.
#
# (default: 24)
#total_cores = 24
# The total number of sockets on the simulated host.
# Use a multiple of total_cores.
#
# (default: 48)
#total_sockets = 48
# The MAC address of the networking card of the simulated host.
#
# (default: 08:01:c7:3F:15:DD)
#mac_address = 08:01:c7:3F:15:DD
# Directory in which to save log files.
# Log files are <log_filename>.YYYY-MM-DD in that directory.
#
# (default: log)
log_path = log
# Log file name.
#
# (default: stdout)
#log_filename =
# Directory containing the response files.
#
# (default: responses)
#responses_dir = responses
# ============================================================================
# Network Specific Options
# ============================================================================
# Port to listen for incoming connections.
#
# (default: 9200)
#listen_port = 9200
# Site to query for one's public IP address
#
# (default: https://ident.me)
#public_ip_url = https://ident.me
# TODO:
# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1)
# IP address is obtained by querying public_ip_url
#
# (default: false)
#report_public_ip = false
# TODO:
# ============================================================================
# Output Plugins
# These provide an extensible mechanism to send audit log entries to third
# parties. The audit entries contain information on clients connecting to
# the honeypot.
#
# Output entries need to start with 'output_' and have the 'enabled' entry.
# ============================================================================
# JSON based logging module
#
#[output_jsonlog]
#enabled = false
#logfile = log/elasticpot.json
#epoch_timestamp = true
# MySQL logging module
# Database structure for this module is supplied in docs/sql/mysql.sql
#
# MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev
# MySQL logging requires an extra Python module: pip install mysql-python
#
#[output_mysql]
#enabled = false
#host = localhost
#database = elasticpot
#username = elasticpot
#password = secret
#port = 3306
#debug = false
# Whether to store geolocation data in the database
#geoip = true
# Location of the databases used for geolocation
#geoip_citydb = data/GeoLite2-City.mmdb
#geoip_asndb = data/GeoLite2-ASN.mmdb
# Text output
# This writes audit log entries to a text file
#
#[output_textlog]
#enabled = false
#logfile = log/elasticpot.txt
# HPFeeds
#
# Note that the section name has no trailing "s" (output_hpfeed, not output_hpfeeds):
[output_hpfeed]
# The values below are placeholders shipped with the template; server,
# identifier and secret must be overridden in honeypot.cfg before this output
# can deliver anything.
#
# NOTE(review): this is the only output section that is uncommented and has
# enabled = true in the template; every other output module is commented out
# with enabled = false. Confirm this is intended, since with the placeholders
# below the honeypot would presumably try to publish to hpfeeds.mysite.org.
enabled = true
server = hpfeeds.mysite.org
port = 10000
identifier = abc123
# Authentication secret for the HPFeeds broker. Keep the real value in the
# override file (honeypot.cfg), not in this template.
secret = secret
channel = elasticpot.events
# Left empty in the template.
tags =
reported_ip =
# TODO:
# Supports logging to Elasticsearch
#
#[output_elasticsearch]
#enabled = false
#host = localhost
#port = 9200
#index = elasticpot
#
# type has been deprecated since ES 6.0.0
# use _doc which is the default type. See
# https://stackoverflow.com/a/53688626 for
# more information
#
#type = _doc
#
# set pipeline = geoip to map src_ip to
# geo location data. You can use a custom
# pipeline but you must ensure it exists
# in elasticsearch.
#
#pipeline = geoip
#
# Authentication. When x-pack.security is enabled
# in ES, default users have been created and requests
# must be authenticated.
#
# Credentials
#
#username = elasticpot
#password =
#
# TLS encryption. Communications between the client (elasticpot)
# and the ES server should naturally be protected by encryption
# if requests are authenticated (to protect against man-in-the-middle
# attacks). The following options are then paramount
# if username and password are provided.
#
# use ssl/tls
#ssl = true
# Path to trusted CA certs on disk
#ca_certs = /path/to/cert/file/elastic_ca.crt
# verify SSL certificates
#verify_certs = true
# SQLite3 logging module
#
# Logging to SQLite3 database. To init the database, use the script
# docs/sql/sqlite3.sql:
# sqlite3 <db_file> < docs/sql/sqlite3.sql
#
#[output_sqlite]
#enabled = false
#db_file = elasticpot.db
# Rethinkdb output module
# Rethinkdb output module requires extra Python module: pip install rethinkdb
#
#[output_rethinkdblog]
#enabled = false
#host = 127.0.0.1
#port = 28015
#table = output
#password =
#db = elasticpot
# MongoDB logging module
#
# MongoDB logging requires an extra Python module: pip install pymongo
#
#[output_mongodb]
#enabled = false
#connection_string = mongodb://username:password@host:port/database
#database = elasticpot
#[output_influx]
#enabled = false
#host = 127.0.0.1
#port = 8086
#database_name = elasticpot
#retention_policy_duration = 12w
#[output_kafka]
#enabled = false
#host = 127.0.0.1
#port = 9092
#topic = elasticpot
#[output_redis]
#enabled = false
#host = 127.0.0.1
#port = 6379
# DB of the redis server. Defaults to 0
#db = 0
# Password of the redis server. Defaults to None
#password = secret
# Name of the list to push to or the channel to publish to. Required
#keyname = elasticpot
# Method to use when sending data to redis.
# Can be one of [lpush, rpush, publish]. Defaults to lpush
#send_method = lpush