extraction of payloads into ElasticSearch

[mlodic]

hey guys how are you? :)

Last day I was looking for a chance to automatically extract payloads from adbhoney and cowrie so that I can feed other platforms like IntelOwl.

Correct me if I am wrong: right now, those payloads can be found only in the /data/<honeypot> folders.

I thought about adding a logstash parser here to extract those payload from the file system and push a new document for each payload in Elastic with the base64 or hex encoded payload.

In that way it would be possible to use ElasticSearch to extract them and maybe add them into GreedyBear too as an additional feed.

Does it make sense to you? If yes, we could try doing that and open a PR to the project?

Looking forward to meet you at the next workshop :)

[t3chn0m4g3]

@mlodic Great! Currently diving into the next T-Pot release, the first to include LLM based honeypots 🥳

You are right, right now we store everything in the filesystem in $HOME/tpotce/data/<honeypot>.

I think the idea is excellent and will make a lot of users happy. For quite some time I had similar thoughts but backlogged since the concepts I came up with did not meet my expectations from a user point of view.
I think the parser would either need to directly enrich the corresponding log message or at least create a subsequent one with the most important log info linking the artifact and the log message together.

Let's discuss it further in Slack and thank you for taking this on!

[dmille6]

yes, that would be really helpful.. expecially on a hive install.. where you have to log into each sensor.. grab the payloads.. download them then analyze them..