remove elk and fix guide

colbyprior · Jun 19, 2023 · 74e705e · 74e705e
1 parent a6d21b6
commit 74e705e
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 122 deletions.
diff --git a/cowrie.md b/cowrie.md
@@ -4,30 +4,25 @@ This is a basic guide of how to install and run Cowrie.
 ## 1.1 Run Cowrie
 You can run Cowrie by running the following.
 ```
-docker run -p 22:2222 -v cowrie-log:/cowrie/cowrie-git/var/log/cowrie/ cowrie/cowrie:latest
+cd ~/cowrie/docker/
+docker-compose up
 ```
 
 If you want to stop the running container you will need to press `ctrl+c` to cancel.
 
 Logs can be viewed via:
 ```
-sudo tail /var/lib/docker/volumes/cowrie/_data/cowrie.json
+tail ~/cowrie/docker/cowrie-var/log/cowrie/cowrie.json
 ```
 
 ## 1.2 Configuring Cowrie
 ## Default config
 The default config can be viewed here: https://github.com/cowrie/cowrie/blob/master/etc/cowrie.cfg.dist 
 
 ## Custom config
-- Cowrie docker will read in environment variables under the convention `COWRIE_<SECTION>_<VARIABLE>` eg. `COWRIE_HONEYPOT_HOSTNAME`.
-- Add a custom hostname value as an environment variable in a new file called `env.txt`.
+The Cowrie config file is under `~/cowrie/docker/cowrie-etc/`. Try changing the default hostname
 ```
-COWRIE_HONEYPOT_HOSTNAME=foobar
-```
-
-Run cowrie docker again using the new env file.
-```
-docker run -p 22:2222 --env-file=env.txt cowrie/cowrie:latest
+hostname = svr04
 ```
 
 # 2 Exercises
@@ -36,25 +31,29 @@ docker run -p 22:2222 --env-file=env.txt cowrie/cowrie:latest
 - The default userdb is here: https://github.com/cowrie/cowrie/blob/master/etc/userdb.example
 
 ## 2.2 View a downloaded file
-- Run docker using a mount for the downloads dir: `-v cowrie-download:/cowrie/cowrie-git/var/lib/cowrie/downloads`
 - Connect to the honeypot and download a file using wget. The log will output the filehash of the file.
+- Get the file from the honeypot artifacts.
 
 ```
-sudo cat /var/lib/docker/volumes/cowrie-download/_data/<filehash>
+sudo cat ~/cowrie/docker/cowrie-var/lib/cowrie/downloads/<filehash>
 ```
 
 ## 2.3 Make your honeypot "sweeter"
 - Try configuring a non-default hostname, kernel version, ssh version for the honeypot.
+- Modify the default userdb.
 
 # 3 Enable telnet
 Run cowrie with the extra port mapping and telnet option.
 ```
-docker run -p 22:2222 -p 23:2223 -e COWRIE_TELNET_ENABLED=yes cowrie/cowrie:latest
+[telnet]
+
+# Enable Telnet support, disabled by default
+enabled = true
 ```
 Connect to your server using telnet on port 23.
 
 # 4 Submittting malware samples to MISP
-- Uncomment the output_misp module in `~/volumes/cowrie_cowrie-etc/_data/cowrie.cfg`
+- Uncomment the output_misp module in `~/cowrie/docker/cowrie-etc/cowrie.cfg.dst`
 - Replace the base_url and api_key with the ones provided.
 - For the purposes of this tutorial only, disable verify_cert.
 - Restart the docker container.

diff --git a/filebeat.yml b/filebeat.yml
diff --git a/help.md b/help.md
@@ -5,6 +5,3 @@ Press `Ctrl+c` to cancel a running application in linux.
 ## How do I view the log files and run the docker container at the same time?
 You should create a second terminal window and ssh to the server on both.
 
-## I broke filebeat
-This command will pull down the fully configured filebeat config.
-`sudo wget -q - https://raw.githubusercontent.com/colbyprior/honeypot-workshop/master/filebeat.yml -O /etc/filebeat/filebeat.yml`
diff --git a/opencanary.md b/opencanary.md
@@ -6,8 +6,7 @@
 First you should enter the Python virtual environment for OpenCanary:
 
 ```
-source ~/env/bin/activate
-cd ~/opencanary
+source ~/venv/bin/activate
 ```
 
 Before the first run, generate a default opencanary config
@@ -64,36 +63,3 @@ Check that opencanary is picking up your failed ftp authentication logs
 `less /var/tmp/opencanary.log`
 
 
-## 2.5 Elasticsearch and Kibana setup
-Add the following log config to the `filebeat.inputs:` section in `/etc/filebeat/filebeat.yml`.
-```
-- type: log
-  enabled: true
-  paths:
-    - /var/tmp/opencanary.log
-  json.keys_under_root: true
-  processors:
-    - decode_json_fields:
-        fields: ["inner"]
-    - rename:
-        fields:
-        - from: "src_host"
-          to: "src_ip"
-        - from: "logdata.PASSWORD"
-          to: "password"
-        - from: "logdata.USERNAME"
-          to: "username"
-        ignore_missing: true
-        fail_on_error: false
-```
-
-
-## 2.6 Refresh the index
-Now we need to make sure the index is refreshed so we can properly search over our new data types.
-1. Restart filebeat `systemctl restart filebeat`
-2. Visit Kibana and go in to Management
-3. Select index management
-4. Select your filebeat index
-5. Click the refresh icon to refresh the index.
-
-
diff --git a/setup/install.sh b/setup/install.sh
@@ -5,32 +5,21 @@ sudo apt update
 sudo apt install -y docker.io docker-compose jq git nano sqlite3 python3-dev python3-pip python3-virtualenv python3-venv python3-scapy samba libpcap-dev
 
 # clone repos
-git clone https://github.com/cowrie/docker-cowrie
 git clone https://github.com/cowrie/cowrie.git
 git clone https://github.com/buffer/thug.git
 git clone https://github.com/mushorg/snare.git
 git clone https://github.com/mushorg/tanner.git
 git clone https://github.com/colbyprior/honeypot-workshop.git
-git clone https://github.com/thinkst/opencanary.git
-
-# elasticsearch setup
-curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.7.0-amd64.deb
-sudo dpkg -i filebeat-7.7.0-amd64.deb
-wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
-sudo apt-get install apt-transport-https
-echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
-sudo apt-get update 
-sudo apt-get install elasticsearch kibana -y
 
 # docker permissions
 sudo usermod -aG docker ${USER}
 newgrp docker
 
 # install opencanary
-virtualenv env/
-. env/bin/activate
+virtualenv venv/
+. venv/bin/activate
 pip install opencanary scapy pcapy
 
 mkdir ~/tanner/docker/log
 chmod 7777 ~/tanner/docker/log
-cp docker-compose_tanner.yml ~/tanner/docker/docker-compose.yml
+cp docker-compose_tanner.yml ~/tanner/docker/docker-compose.yml
diff --git a/tanner.md b/tanner.md
@@ -18,7 +18,7 @@ ARG PAGE_URL=demo.dontthinkjustroll.com
 Now we can simply run the Docker container which will clone the website then serve a copy on port 80.
 ```
 cd ~/snare
-docker-compose up
+docker-compose up --build
 ```
 
 Try and load your web honeypot.
@@ -38,7 +38,7 @@ Try injecting a javascript alert.
 - After you have triggered a sqli attack there will be a db emulator directory in the docker volume. This contains the emulated database for the attack, you can view the contents manually.
 
 ```
-sqlite3 ~/tanner/docker/log/emulators/db/tanner_db
+sqlite3 ~/tanner/docker/tmp/emulators/db/tanner_db
 sqlite> .tables
 sqlite> .schema users
 sqlite> select * from users limit 1;
@@ -50,6 +50,6 @@ sqlite> select * from users limit 1;
 - Once you have triggered a RFI attack there will be a "files" directory with the files pulled down via RFI emulation.
 
 ```
-ls ~/tanner/docker/log/emulators/files/
+ls ~/tanner/docker/tmp/emulators/files/
 ```