M81: Intrusion detection
Preamble: CentOS is no longer maintained!
Sample logs
For reference, you can download from this archive a set of cowrie log files in JSON format.
Log analysis
To make better use of the information provided by the honeypot, we will store it in a database.
- Beforehand, restart the VM to get 4 vCPU and 4 GB of RAM.
- Install the `elasticsearch` database (see documentation).
- Disable all `xpack` features, then start the service.
- In the `cowrie` source directory, as the `cowrie` user, with the Python environment activated, install the dependencies for the output formats (you will have to comment out the lines that cause problems).
- Enable the `elasticsearch` output, the `type` and the `pipeline`.
- Restart `cowrie`.
- Send some traffic to the honeypot.
Querying the database
- Query the database: `curl -X GET 'http://localhost:9200/cowrie/_search?pretty=true'` (the `?pretty=true` part belongs inside the quotes, otherwise the shell may try to expand the `?`).
- Use `jq` to filter the output (see manual).
- Install Kibana, the front end for the ElasticSearch database (see https://www.elastic.co/fr/kibana/).
- Start Kibana.
- List the listening services (`ss -lnutp`).
- Set up an SSH tunnel to reach Kibana. Example: `ssh -L 5000:127.0.0.1:5601 -N -f -p6202 vdi.unicaen.fr` to reach the web server (port 80) of the VM at 192.168.144.2 via the URL http://127.0.0.1:5000
Web interface
- Browse the web interface.
- In the hamburger menu, choose "Discover".
- Create a first index using the existing source.
- Examine the various elements of the interface.
- In the "Dashboard" section, try to build a visualization of the data (example: the list of the most-used login/password pairs).
- Import the attached dashboard.
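To check what the dashboard panels display against the raw files, here is an added example (not part of the lab sheet or of cowrie) that computes the same aggregations locally from cowrie's JSON log lines: most-used login/password pairs, most active source IPs and the commands typed. It assumes the standard cowrie event fields (`eventid`, `username`, `password`, `src_ip`, `input`), that Elasticsearch's dynamic mapping created `.keyword` subfields, and the log sample is constructed.

```python
import json
from collections import Counter

# Constructed sample of cowrie JSON log lines (not real honeypot data):
# one JSON object per line, as cowrie's JSON output writes them.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"a1","timestamp":"2022-02-13T15:00:01Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.7","session":"a1","timestamp":"2022-02-13T15:00:02Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"198.51.100.7","session":"a1","timestamp":"2022-02-13T15:00:03Z"}
{"eventid":"cowrie.login.success","username":"root","password":"123456","src_ip":"203.0.113.9","session":"b2","timestamp":"2022-02-13T15:01:00Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.9","session":"b2","timestamp":"2022-02-13T15:01:05Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"192.0.2.44","session":"c3","timestamp":"2022-02-13T15:02:00Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"192.0.2.44","session":"c3","timestamp":"2022-02-13T15:02:01Z"}
"""

def parse_events(text):
    """Yield one dict per well-formed JSON line; blank or truncated lines
    (the tail of a rotated file can be cut off) are skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def top_credentials(events, n=10):
    """Most frequent (username, password) pairs over login attempts,
    i.e. what the 'Top login/password' table of the dashboard shows."""
    c = Counter((e["username"], e["password"]) for e in events
                if e.get("eventid") in ("cowrie.login.failed", "cowrie.login.success"))
    return c.most_common(n)

def top_field(events, field, n=10):
    """Most frequent values of one field: 'src_ip' for the IP panel, 'input' for commands."""
    return Counter(e[field] for e in events if field in e).most_common(n)

def es_terms_aggregation(field, size=10):
    """Elasticsearch _search body doing the same 'terms' bucketing server-side
    (assumes the .keyword subfield created by dynamic mapping exists)."""
    return {"size": 0, "aggs": {"top": {"terms": {"field": f"{field}.keyword", "size": size}}}}

if __name__ == "__main__":
    events = list(parse_events(SAMPLE_LOG))
    print(top_credentials(events, 3))
    print(top_field(events, "src_ip", 3))
    print(top_field(events, "input", 3))
    print(json.dumps(es_terms_aggregation("password")))
```

Pipe the body from `es_terms_aggregation` to the `_search` endpoint used in the curl query above to get the same top values from Elasticsearch instead of from the files.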