[Faitour Honeypot] Initial Push of Beta Integration #15889
+29,043
−0
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| dependencies: | ||
| ecs: | ||
| reference: "[email protected]" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| # Faitour | ||
|
|
||
| This integration is for [Faitour](https://github.com/MakoWish/Faitour) honeypot event logs. The package processes messages from Faitour honeypot logs to allow visibility and alerting to observed activity on your network. | ||
|
|
||
| ## Data streams | ||
|
|
||
| The Faitour integration collects the following event types: | ||
|
|
||
| - **events** | ||
|
|
||
| Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). | ||
|
|
||
|
|
||
| ### Enabling the integration in Elastic: | ||
|
|
||
| 1. In Kibana navigate to Management > Integrations. | ||
| 2. In "Search for integrations" top bar, search for `Faitour`. | ||
| 3. Select the "Faitour" integration from the search results. | ||
| 4. Select "Add Faitour" to add the integration. | ||
| 5. Add all the required integration configuration parameters. | ||
| 6. Select "Save and continue" to save the integration. | ||
|
|
||
| ## Logs | ||
|
|
||
| ### Faitour Honeypot | ||
|
|
||
| The `honeypot` dataset collects the Faitour honeypot logs. | ||
|
|
||
| {{event "honeypot"}} | ||
|
|
||
| {{fields "honeypot"}} | ||
|
|
||
| ### Faitour Application | ||
|
|
||
| The `application` dataset collects the Faitour application logs. | ||
|
|
||
| {{event "application"}} | ||
|
|
||
| {{fields "application"}} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| version: "2.3" | ||
| services: | ||
| opencanary-log: | ||
| image: docker.elastic.co/observability/stream:v0.17.1 | ||
| volumes: | ||
| - ./sample_logs:/sample_logs:ro | ||
| command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=tcp /sample_logs/*.log |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,6 @@ | ||||||
| # newer versions go on top | ||||||
| - version: "0.0.1" | ||||||
| changes: | ||||||
| - description: Initial draft of the package | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| type: enhancement | ||||||
| link: https://github.com/elastic/integrations/pull/13304 | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| fields: | ||
| tags: | ||
| - preserve_original_event |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| {"timestamp":"2025-02-05T19:30:39.127","log":{"level":"DEBUG","logger":"faitour","origin":{"file":{"line":54,"name":"/home/foo/Faitour/utils/logger.py"}}},"event":{"provider":"logger","type":["info"],"kind":"event","category":["configuration"],"dataset":"faitour.application","action":"file_logging_start","reason":"File logging has been initiated and set to DEBUG","outcome":"success"}} | ||
| {"timestamp":"2025-02-05T19:30:39.232","log":{"level":"INFO","logger":"faitour","origin":{"file":{"line":26,"name":"/home/foo/Faitour/faitour.py"}}},"event":{"provider":"faitour","type":["start","info"],"kind":"event","category":["process"],"dataset":"faitour.application","action":"reason","reason":"Faitour is starting","outcome":"unknown"}} | ||
| {"timestamp":"2025-02-05T19:30:39.314","log":{"level":"INFO","logger":"faitour","origin":{"file":{"line":209,"name":"/home/foo/Faitour/emulators/http.py"}}},"event":{"provider":"http","type":["info"],"kind":"event","category":["process"],"dataset":"faitour.application","action":"start_http","reason":"HTTP server emulator is starting on http://192.168.200.47:80","outcome":"unknown"},"server":{"ip":"192.168.200.47","port":80}} | ||
| {"timestamp":"2025-02-05T19:30:39.315","log":{"level":"DEBUG","logger":"faitour","origin":{"file":{"line":271,"name":"/home/foo/Faitour/emulators/http.py"}}},"event":{"provider":"http","type":["info"],"kind":"event","category":["configuration"],"dataset":"faitour.application","action":"generate_self_signed_cert","reason":"HTTP certificate and key already exist","outcome":"success"}} | ||
| {"timestamp":"2025-02-05T19:30:39.316","log":{"level":"INFO","logger":"faitour","origin":{"file":{"line":116,"name":"/home/foo/Faitour/emulators/ftp.py"}}},"event":{"provider":"ftp","type":["info"],"kind":"event","category":["process"],"dataset":"faitour.application","action":"stop","reason":"FTP server emulator is starting","outcome":"unknown"},"server":{"ip":"192.168.200.47","port":21}} | ||
| {"timestamp":"2025-02-05T19:30:39.317","log":{"level":"INFO","logger":"faitour","origin":{"file":{"line":222,"name":"/home/foo/Faitour/emulators/http.py"}}},"event":{"provider":"http","type":["info"],"kind":"event","category":["process"],"dataset":"faitour.application","action":"start_http","reason":"HTTPS server emulator is starting on https://192.168.200.47:443","outcome":"unknown"},"server":{"ip":"192.168.200.47","port":80}} | ||
| {"timestamp":"2025-02-05T19:30:39.321","log":{"level":"INFO","logger":"faitour","origin":{"file":{"line":26,"name":"/home/foo/Faitour/emulators/rdp.py"}}},"event":{"provider":"rdp","type":["start"],"kind":"event","category":["process"],"dataset":"faitour.application","action":"start","reason":"RDP server emulator started on 192.168.200.47:3389","outcome":"success"},"server":{"ip":"192.168.200.47","port":3389}} | ||
| {"timestamp":"2025-02-05T19:30:39.325","log":{"level":"INFO","logger":"faitour","origin":{"file":{"line":32,"name":"/home/foo/Faitour/emulators/smbv2.py"}}},"event":{"provider":"smbv2","type":["start"],"kind":"event","category":["process"],"dataset":"faitour.application","action":"start","reason":"SMBv2 server emulator has started on 192.168.200.47:445","outcome":"success"},"server":{"ip":"192.168.200.47","port":445}} | ||
| {"timestamp":"2025-02-05T19:30:39.344","log":{"level":"DEBUG","logger":"faitour","origin":{"file":{"line":253,"name":"/home/foo/Faitour/emulators/ssh.py"}}},"event":{"provider":"ssh","type":["info","creation"],"kind":"event","category":["configuration"],"dataset":"faitour.application","action":"get_ssh_key","reason":"RSA key ./emulators/ssh_key already exists","outcome":"success"}} | ||
| {"timestamp":"2025-02-05T19:30:39.344","log":{"level":"INFO","logger":"faitour","origin":{"file":{"line":29,"name":"/home/foo/Faitour/emulators/telnet.py"}}},"event":{"provider":"telnet","type":["info"],"kind":"event","category":["process"],"dataset":"faitour.application","action":"handle_packet","reason":"Telnet server started on 192.168.200.47:23","outcome":"success"}} | ||
| {"timestamp":"2025-02-05T19:30:39.353","log":{"level":"INFO","logger":"faitour","origin":{"file":{"line":145,"name":"/home/foo/Faitour/handlers/intercept.py"}}},"event":{"provider":"intercept","type":["info","change"],"kind":"event","category":["configuration"],"dataset":"faitour.application","action":"end","reason":"Network and iptables rules have been set","outcome":"success"}} | ||
| {"timestamp":"2025-02-05T19:30:39.354","log":{"level":"INFO","logger":"faitour","origin":{"file":{"line":162,"name":"/home/foo/Faitour/handlers/intercept.py"}}},"event":{"provider":"intercept","type":["info","start"],"kind":"event","category":["process"],"dataset":"faitour.application","action":"start","reason":"NFQUEUE socket is now intercepting packets","outcome":"success"}} | ||
| {"timestamp":"2025-02-05T19:36:53.537","log":{"level":"INFO","logger":"faitour","origin":{"file":{"line":166,"name":"/home/foo/Faitour/handlers/intercept.py"}}},"event":{"provider":"intercept","type":["info","end"],"kind":"event","category":["process"],"dataset":"faitour.application","action":"end","reason":"Shutting down Faitour due to keyboard interrupt","outcome":"success"}} | ||
| {"timestamp":"2025-02-05T19:36:53.538","log":{"level":"INFO","logger":"faitour","origin":{"file":{"line":171,"name":"/home/foo/Faitour/handlers/intercept.py"}}},"event":{"provider":"intercept","type":["info","change"],"kind":"event","category":["configuration"],"dataset":"faitour.application","action":"start","reason":"Network and iptables rules are being reset","outcome":"unknown"}} | ||
| {"timestamp":"2025-02-05T19:36:55.540","log":{"level":"INFO","logger":"faitour","origin":{"file":{"line":49,"name":"/home/foo/Faitour/faitour.py"}}},"event":{"provider":"faitour","type":["end","info"],"kind":"event","category":["process"],"dataset":"faitour.application","action":"end","reason":"Faitour has stopped","outcome":"success"}} |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We've changed the general structure of the READMEs, so it would be good to update this to match. @alaudazzi can you provide guidance for that here?