-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathshockpot.cfg
59 lines (50 loc) · 2.06 KB
/
shockpot.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# Alienvault plugin
# Author: Fatih usta <fatihusta@labrisnetworks.com>
# Plugin shockpot id:90010 version: 0.0.1
# Last modification: 2018-10-04 11:15
#
# Plugin Selection Info:
# shockpot:-
#
# END-HEADER
#
# Description:
# Shockpot
#
#
#
#
[DEFAULT]
plugin_id=90010
[config]
type=detector
enable=yes
source=log
location=/var/log/shockpot.log
create_file=false
process=
start=no
stop=no
startup=
shutdown=
[translation]
true=1
false=2
#Oct 4 19:04:47 ahtapot shockpot: 2018-10-04 19:04:46,970 - {"timestamp": "2018-10-04 19:04:46.969770", "path": "/", "command_data": null, "dest_port": "80", "dest_host": "10.0.3.15", "url": "http://10.0.3.15/", "source_ip": "10.0.3.254", "headers": [["Accept", "*/*"], ["Host", "10.0.3.15"], ["User-Agent", "() { :; }; /bin/ls"], ["Content-Type", "text/plain"], ["Content-Length", ""]], "is_shellshock": true, "command": null, "query_string": "", "method": "GET"}
[0001 - shockpot]
event_type=event
regexp='\w+\s\s\d\s\d+:\d+:\d+\s(?P<device>\w+)\s(?P<sensor>\w+):\s(?P<date>\d+-\d+-\d+\s\d+:\d+:\d+),\d+\s-\s{"\w+":\s+"(?P<timestamp>\w+-\d+-\d+\s\d+:\d+:\d+).\d+",\s"\w+":\s+"(?P<path>.*?)",\s"\w+":\s(?P<command_data>null|".*?"),\s"\w+":\s+"(?P<dst_port>\d+)",\s"\w+":\s+"(?P<dst_ip>\d{1,3}.{1,3}.{1,3}.{1,3})",\s"\w+":\s+(?P<url>".*?"),\s"\w+":\s+"(?P<src_ip>\d{1,3}.{1,3}.{1,3}.{1,3})",\s"\w+":\s+\[\["\w+",\s(?P<accept>".*?")],\s\["\w+",\s"(?P<host>.*?)"],\s\["\w+-\w+",\s(?P<user_agent>".*?")],\s\["\w+-\w+",\s(?P<content_type>".*?")],\s\["\w+-\w+",\s(?P<content_lenght>".*?")]],\s"\w+":\s+(?P<is_shellshock>true|false),\s"\w+":\s+(?P<command>null|".*?"),\s"\w+":\s+(?P<query_string>".*?"),\s"\w+":\s(?P<method>"\w+")}'
date={$timestamp}
device={$device}
plugin_sid={translate($is_shellshock)}
src_ip={$src_ip}
dst_ip={$dst_ip}
dst_port={$dst_port}
userdata1={$path}
userdata2={$url}
userdata3={$command_data}
userdata4=headers: Accept: {$accept}, Host: {$host}, User-Agent: ${$user_agent}, Content-Type: {$content_type}, Content-Length: {$content_length}
userdata5={$is_shellshock}
userdata6={$command}
userdata7={$query_string}
userdata8={$method}