DShield Sensor Log Collection with Elasticsearch

Published: 2024-02-03
Last Updated: 2024-02-03 15:44:16 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

This is fork from the original work by Scott Jensen [1][2] originally published here as guest diary part of the SANS.edu BACS program. This update has a number of new features now available in Github [4]. 

The docker compose is custom built to be used with the DShield Honeypot [3][6] to collect, store, parse sensor logs and display the data in a visual and easy way to search and analyze them for research purposes. The assume the DShield sensor is already installed in a Raspberry using PI Raspbian OS or a system running Ubuntu 20.04 LTS either in your network or in the cloud of your choice.

Suggested Setup of ELK Server Based on Ubuntu

  • Ubuntu 20.04 LTS Live Server 64-Bit
  • Minimum 8+ GB RAM
  • If the amount of RAM assigned to each container (see below) is more than 2GB, consider increasing the server RAM capacity.
  • 4-8 Cores
  • Minimum 40 GB partition assigned to /var/lib/docker

Setting Up Docker

The instructions to setup docker and Elasticsearch are listed here.

The docker package comes setup with the fleet-server and the elastic-agent pre-loaded in docker with 350+ integration for collecting and analyzing data which can be used to add threat intel to ELK, collect netflow data with softflowd or any other logs you want to send to ELK. Docker compose is configured with the following components:

  • Kibana
  • Elasticsearch
  • Logstash
  • Elastic-Agent

Example of DShield Dashboard

Dashboard [Logs DShield Sensor] Overview

Traffic & Log Analysis

This section contains direct link to CyberGordon which will query multiple sites for the selected hashes. If the ttylogs DShield sensor logs are collected, they can be moved over to the ELK server for review.

Traffic Analysis, Location and Network Owner

This section contains direct link to CyberGordon, Censys & Shodan.

DShield sensor TTYLog Capture Activity

[1] https://isc.sans.edu/diary/DShield+Sensor+Monitoring+with+a+Docker+ELK+Stack+Guest+Diary/30118
[2] https://github.com/fkadriver/Dshield-ELK
[3] https://isc.sans.edu/tools/honeypot/
[4] https://github.com/bruneaug/DShield-SIEM/tree/main
[5] https://github.com/bruneaug/DShield-SIEM/blob/main/README.md#install-docker
[6] https://github.com/DShield-ISC/dshield
[7] https://www.sans.edu/cyber-security-programs/bachelors-degree/
-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Keywords: Activity Cowrie DShield elasticagent Elasticsearch Honeypot Kibana Statistics Traffic Analysis
0 comment(s)

Comments

Login here to join the discussion.


Diary Archives