Attack Map Not Showing Attacks

bgao-pangeo commented 1 year ago

Hi, we just installed the latest T-POT, we give it a public IP but put the T-POT in a DMZ behind Cisco ASA firewall. Everything works fine however the Attack Map seems to have an issue. it does not show the attack on map or the list, only the counter on the top changes. Every other T-POT function seems to be working fine just fine.

Here is some the standard information that I have gathered:

⚠️ Basic support information (commands are expected to run as `root`)

What version of the OS are you currently using lsb_release -a and uname -a?
Linux fuzzyinterest 5.10.0-25-amd64 #1 SMP Debian 5.10.191-1 (2023-08-16) x86_64 GNU/Linux
What T-Pot version are you currently using?
- 22.04
What edition (Standard, Nextgen, etc.) of T-Pot are you running?
- Standard
What architecture are you running on (i.e. hardware, cloud, VM, etc.)?
- VM
Did you have any problems during the install? If yes, please attach /install.log /install.err.
no issue
How long has your installation been running?
2wks
Did you install upgrades, packages or use the update script?
installed from ISO
Did you modify any scripts or configs? If yes, please attach the changes.
no modification
Please provide a screenshot of glances and htop.
glances output:

htop output: htop

How much free disk space is available (df -h)? [tsec@fuzzyinterest:/opt/tpot/bin]$ sudo df -h Filesystem Size Used Avail Use% Mounted on udev 7.8G 0 7.8G 0% /dev tmpfs 1.6G 3.9M 1.6G 1% /run /dev/sda2 118G 70G 43G 63% / tmpfs 7.9G 0 7.9G 0% /dev/shm tmpfs 5.0M 0 5.0M 0% /run/lock overlay 118G 70G 43G 63% /var/lib/docker/overlay2/1f915122febb74f996c56f99f3bcd804631e22708b28dbb626c7e3d5755928fb/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/a3a17a8120df442eebc153c912e8dbeefe6964a3501577d804d4cbbbb380576f/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/0a6559d21b1e83ab998d35d747851977fdab921007ee37eb77666820f4ded9a9/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/549e5e637a95960fb8566de46bf11c28ca162abc3e8eddc641e1b749e47ffe67/merged shm 64M 0 64M 0% /var/lib/docker/containers/e9e05278ca2617917c681ff1cbce9024bd92465edc94c123706b5a670b291174/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/076a51c79f7a9646980291f68340e0ad47504a69389dc98621b3a61343f8c488/mounts/shm overlay 118G 70G 43G 63% /var/lib/docker/overlay2/0a5a0363d2867cee5be5efe3029ed551f03e1af796a0b9f2706f13384f3b8d60/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/b218f0c2a7c5ce865ea757d3fff2c32d3a1eb6e2741c3f13aab897b8fcbc89eb/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/7fabbfaaf4118d16a1d41c811a5fda077ba875390b7ea1013ebd7880aa5cc820/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/e05e4879521d0ce07afc223cb1f37036d6b497d745a03ed93c82ebc7b74b9d2e/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/8cd22d1f78610142e201e4113b5d8253962b01528c67d4ae0466f6bbb785ea3c/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/801446061bb4fd690a473f8081074aa770f8f7675335c95d0c8b00ff2315f7f9/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/708108ca3f08d18c77b38bf95ff63801e2c03f76bb066b5edcb20b2a10daab14/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/41831ab899f49433a03f140fae1252d0139df4eeac5bc021b615b5ced99edbc3/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/42c51c6979b8f87f195b61cc3c74b72c8b69359bf0b520dc0ae405a028d5ce0f/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/4491989650dd7be53d5b39e8b27caafbd9cfe979c9e9a0b86f24266877a7be38/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/196b6bdb0fb53a54defc8e0e9c51b0077fd1285e92686574b56f5f5ee9a43897/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/7d3ddb6bedeba14785c1ed7bf55116dd279514c35359bfd8b86fe97caf6cdba6/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/9c143d8f71aab42c2ad6435bf2d7b9ef537cc078ee0ed95c8c25a99a04667a3c/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/646de5c2961692666c83be0911d6895bc181c0e81f89a2106b616688949eea7e/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/9226b0ec87e54ff366ad1c5cd3f9758347d6b96af9570c92d79533b88ae45a82/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/a40ec4c9d5379670dc786c99c93b98f65e7b24b5e6ffe12fdb148480376e1438/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/38d9626bc1c2e5b665c42b7e426e7082f16ebc9e0ea24008cd9e37a0323b7dc4/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/db4bbd32588b5cf92faaf22865ce4a3d9968865707b4334394c97d3c70df3bf0/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/e9258d5fc024d52c840185cfe460e8a96659c1dc265f0272625a4b29ea51423e/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/fde9e86b8849f98e2e5c7a06319e003298a31c0dd5e9f37f1e5820993152eb74/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/41072fdfa9c3c807621fe3d0fa28ec5f95033da1a3c5e59d8386a7e77b2fa619/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/a4c1dffd89604811c2337533f471c83f1ce237256de2ccd7a1d6e556de2314a5/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/c0b380f04b627e765c65252901ebaaaad2a4f36fff325da43bc0ce19fbbf793c/merged shm 64M 0 64M 0% /var/lib/docker/containers/c1aef1e5be42066193386079ef5173f5fd407ffa26f5947fe7c07312b6df911e/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/eb3787c5c4d8977a3df6f4784b902f37b28490833d5f17530969ddd60c81fcad/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/b83a27b916e78cf37a683a68ec623af898b14f28a64b7e031576190bf8e1e99d/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/18b12e5759367ff9b2815b48d68ceaecce8ad6d4b48668b778f4f07a289edfb0/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/bbe2f881ef0cca8fa126a8df60a7125f28176bfb6205f311aee6683e06fe6068/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/449dad74ba92342d49613df3038ca6ffbf850c151ec580cc777eb48441ca142e/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/e6578e700f48d524da2d9697f70355e03d79c87703d0755809ed03de0898ea12/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/f952d0794f24a447c376a7c045c44b7a78a276ef982ed664d46964deeff4b7ad/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/49020ef3d10d8d3ac8f6c24d981cab2572f72916538e7503af9b24b6e0269367/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/826c0d54de561dc8a5becb627307e8d76d19ac80fde5e27efcbd6466199cfd60/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/23e82af7a554d3b802322d09a2f776c1a46e6b24a238f0e4e6b4d288c2b034ec/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/80b3ff1bbb2d259101fc6a928438df03ae7fb65ef9f61722424d3edacac12c3b/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/4be45fa597f63f3860e40fbd5342fff8c51cd8d81c62f5968709d517257a1040/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/99b1693817488ba90edd2047a596fda25ae76fd178aa311ae54a64d7cada31d5/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/901784bf3dc1b2c70545c2fa3e8ab735e0a863e13a394e53739e31587e801f63/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/a2de0e7226e45bb1bae8226240074df27fd0ce4ed60237d65b1e7122842edcca/mounts/shm shm 64M 12K 64M 1% /var/lib/docker/containers/76ef71d27139ff29ff1044a7221051d8875107fb93e0e93208f8f202247cf8fe/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/403ffdaab18f55e368fd8ac0d257bec67dc6162c1d9271c871eef4d4f418cfd1/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/b121022f6949a170cc51e495619f0a1c30db391b9cb4b1bc633a8767139e4553/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/7431a686dc52da383a89c143e589087dd93a313d5d7a11ae631bbb3f9d0bbe58/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/7eec43b32815ef2e1bac7f309f700fa176ff3fa6f743232639cd3e46e70550fb/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/a639b56811b6a28b880cf437f18debcb7ee0503e7a011071fd1db4b2ece85324/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/96cc32f18f180a6569c54f33694291d4fd7b46f3325b057a59d4947c7e08e2d4/mounts/shm overlay 118G 70G 43G 63% /var/lib/docker/overlay2/f8eda8f26177c5808ccfa04133aa80d800ac89722468a278f4f6d65f97749666/merged shm 64M 0 64M 0% /var/lib/docker/containers/6c79c2c220876a8de8a0886d0dbb8178ec99cf1dc53b6e4be7af1bd1249f1f48/mounts/shm overlay 118G 70G 43G 63% /var/lib/docker/overlay2/0178fc6d0116213cc917dfe57bfc8bb312f747ef20a717eafa4ffe8ce655b499/merged shm 64M 0 64M 0% /var/lib/docker/containers/291b04ca232e8a12759e392e0fa9ade9e5d15a49abcff180e83aba467edb2434/mounts/shm overlay 118G 70G 43G 63% /var/lib/docker/overlay2/fed96ba4ac77b8338d2b10f88f958c1535573570368ecbed4396b3ff640034f0/merged shm 64M 20K 64M 1% /var/lib/docker/containers/f3b7809fa671344a9a18d41f0ae55376edda8d7c5465c3ae0063e1d924b2bcf9/mounts/shm overlay 118G 70G 43G 63% /var/lib/docker/overlay2/9fabf30989f1cd7409765487ef47122dcc026648ef2181aa0fbcb953ebfb86f9/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/a7dba0a1ade40ab78cdefe555adba64da66e7c34370d1360d4e97f3cf93b875f/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/8591f3a0a387d59f4a9b222e9168786c452163cde7e8a1c8f2e9a4f5076887ee/merged shm 64M 0 64M 0% /var/lib/docker/containers/d8ac6c1d31f72dc63a2ed249e950a108c2c70926be440998f7008cde16ece57e/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/956336e4d8d2b19e60dee09d5161fc4638fcd39fa06ce09ffe68a02796ea5c20/mounts/shm overlay 118G 70G 43G 63% /var/lib/docker/overlay2/9a60538ed2a962d897f5737bc42d54ecb85439a99db1169752b9e53aee0ec500/merged shm 64M 0 64M 0% /var/lib/docker/containers/e975aaf156ef07af1085d513ef7930eee028a53e1136504354f3023474f5586c/mounts/shm overlay 118G 70G 43G 63% /var/lib/docker/overlay2/65f51f943198bb45c788db27ac0c0e74f6714d793fa24e26c3b9655ca99a0e3b/merged overlay 118G 70G 43G 63% /var/lib/docker/overlay2/70c8107a69d5b7b9001313506f5913cb90d1a95f5fd80aa7b86903324afeaeec/merged shm 64M 0 64M 0% /var/lib/docker/containers/8684c706b38cb72de5df49ac867688a8f41c878c8a4d961a93e2a4e5291edf8c/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/da520e9aaf7cd27388fdaf28b94c1a7e3bf6b8988fbe66cf721929abe9ac4e8d/mounts/shm tmpfs 1.6G 0 1.6G 0% /run/user/1000 shm 64M 0 64M 0% /var/lib/docker/containers/89ca25bdeb4769f4968f981d90861eca5149f88f6ac568a7f886858e94f9ed91/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/5c1bffb922489d58f916cd63dc652ae038868287afb68a06bfb519f9af92b8dc/mounts/shm shm 64M 0 64M 0% /var/lib/docker/containers/4be16c1f84be3660e1df030d3ecde3e8ef5cbaf72953930f2b32c6291d1d1a9a/mounts/shm
What is the current container status (dps.sh)?
What is the status of the T-Pot service (systemctl status tpot)? [tsec@fuzzyinterest:/opt/tpot/bin]$ systemctl status tpot ● tpot.service - tpot Loaded: loaded (/etc/systemd/system/tpot.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2023-09-26 02:55:07 UTC; 14h ago Process: 852 ExecStartPre=/opt/tpot/bin/updateip.sh (code=exited, status=0/SUCCESS) Process: 1036 ExecStartPre=/bin/bash -c /opt/tpot/bin/clean.sh on (code=exited, status=0/SUCCESS) Process: 1157 ExecStartPre=/opt/tpot/bin/tpdclean.sh -y (code=exited, status=0/SUCCESS) Process: 1247 ExecStartPre=/bin/bash -c /sbin/ethtool --offload $(/sbin/ip address | grep "^2: " | awk '{ print $2 }' | tr -d [:punct:]) rx off tx off (code=exited, status=0/SUCCESS) Process: 1253 ExecStartPre=/bin/bash -c /sbin/ethtool -K $(/sbin/ip address | grep "^2: " | awk '{ print $2 }' | tr -d [:punct:]) gso off gro off (code=exited, status=0/SUCCESS) Process: 1259 ExecStartPre=/bin/bash -c /sbin/ip link set $(/sbin/ip address | grep "^2: " | awk '{ print $2 }' | tr -d [:punct:]) promisc on (code=exited, status=0/SUCCESS) Process: 1265 ExecStartPre=/opt/tpot/bin/rules.sh /opt/tpot/etc/tpot.yml set (code=exited, status=0/SUCCESS) Process: 1345 ExecStartPost=/bin/bash -c /usr/bin/sleep 30 && /usr/sbin/conntrack -D -p udp (code=exited, status=0/SUCCESS) Main PID: 1344 (docker-compose) Tasks: 41 (limit: 19153) Memory: 112.9M CPU: 7min 30.693s CGroup: /system.slice/tpot.service └─1344 /usr/bin/python3 /usr/bin/docker-compose -f /opt/tpot/etc/tpot.yml up --no-color
What ports are being occupied? [tsec@fuzzyinterest:/opt/tpot/bin]$ (Not all processes could will not be shown, you Active Internet connections Proto Recv-Q Send-Q Local Address tcp 0 0 127.0.0.1:41185 tcp 0 0 127.0.0.1:36193 tcp 0 0 0.0.0.0:993 tcp 0 0 0.0.0.0:1025 tcp 0 0 127.0.0.1:36417 tcp 0 0 0.0.0.0:995 tcp 0 0 0.0.0.0:2404 tcp 0 0 0.0.0.0:135 tcp 0 0 0.0.0.0:64295 tcp 0 0 127.0.0.1:64296 tcp 0 0 0.0.0.0:11112 tcp 0 0 0.0.0.0:64297 tcp 0 0 0.0.0.0:27017 tcp 0 0 0.0.0.0:42 tcp 0 0 0.0.0.0:3306 tcp 0 0 127.0.0.1:64298 tcp 0 0 127.0.0.1:64299 tcp 0 0 0.0.0.0:6379 tcp 0 0 0.0.0.0:5900 tcp 0 0 0.0.0.0:110 tcp 0 0 0.0.0.0:143 tcp 0 0 0.0.0.0:2575 tcp 0 0 127.0.0.1:64303 tcp 0 0 0.0.0.0:9200 tcp 0 0 0.0.0.0:80 tcp 0 0 0.0.0.0:81 tcp 0 0 0.0.0.0:465 tcp 0 0 0.0.0.0:10001 tcp 0 0 0.0.0.0:5555 tcp 0 0 0.0.0.0:20 tcp 0 0 0.0.0.0:50100 tcp 0 0 0.0.0.0:21 tcp 0 0 0.0.0.0:57782 tcp 0 0 0.0.0.0:22 tcp 0 0 0.0.0.0:631 tcp 0 0 0.0.0.0:23 tcp 0 0 0.0.0.0:1080 tcp 0 0 0.0.0.0:5432 tcp 0 0 0.0.0.0:1433 tcp 0 0 0.0.0.0:25 tcp 0 0 0.0.0.0:8123 tcp 0 0 0.0.0.0:1723 tcp 0 0 0.0.0.0:1883 tcp 0 0 0.0.0.0:8443 tcp 0 0 0.0.0.0:443 tcp 0 0 0.0.0.0:445 tcp6 0 0 :::64294 tcp6 0 0 :::64295 udp 0 0 0.0.0.0:19 udp 0 0 0.0.0.0:53 udp 0 0 0.0.0.0:69 udp 0 0 0.0.0.0:123 udp 0 0 0.0.0.0:161 udp 0 0 0.0.0.0:623 udp 0 0 0.0.0.0:1900 udp 0 0 0.0.0.0:5000 udp 0 0 0.0.0.0:5060 Stop T-Pot systemctl stop tpot and run netstat -tulpen netstat -tulpen be identified, non-owned process info would have to be root to see it all.) (only servers) Foreign Address State User Inode PID/Program name
0.0.0.0: LISTEN 0 2769919 -
0.0.0.0: LISTEN 1000 2769899 581126/cockpit-brid 0.0.0.0: LISTEN 0 28877 -
0.0.0.0: LISTEN 0 22933 -
0.0.0.0: LISTEN 0 13544 -
0.0.0.0: LISTEN 0 25509 -
0.0.0.0: LISTEN 0 21352 -
0.0.0.0: LISTEN 0 29241 -
0.0.0.0: LISTEN 0 13516 -
0.0.0.0: LISTEN 0 49340 -
0.0.0.0: LISTEN 0 24807 -
0.0.0.0: LISTEN 0 26944 -
0.0.0.0: LISTEN 0 23167 -
0.0.0.0: LISTEN 0 30777 -
0.0.0.0: LISTEN 0 26630 -
0.0.0.0: LISTEN 0 19233 -
0.0.0.0: LISTEN 0 3226714 -
0.0.0.0: LISTEN 0 25751 -
0.0.0.0: LISTEN 0 22656 -
0.0.0.0: LISTEN 0 29309 -
0.0.0.0: LISTEN 0 28233 -
0.0.0.0: LISTEN 0 24040 -
0.0.0.0: LISTEN 0 24033 -
0.0.0.0: LISTEN 0 2713855 -
0.0.0.0: LISTEN 0 35512 -
0.0.0.0: LISTEN 0 28308 -
0.0.0.0: LISTEN 0 27480 -
0.0.0.0: LISTEN 0 22158 -
0.0.0.0: LISTEN 0 23175 -
0.0.0.0: LISTEN 0 29455 -
0.0.0.0: LISTEN 0 22561 -
0.0.0.0: LISTEN 0 30803 -
0.0.0.0: LISTEN 2000 3494295 -
0.0.0.0: LISTEN 0 26050 -
0.0.0.0: LISTEN 0 2715083 -
0.0.0.0: LISTEN 0 24847 -
0.0.0.0: LISTEN 0 26678 -
0.0.0.0: LISTEN 0 24827 -
0.0.0.0: LISTEN 0 28022 -
0.0.0.0: LISTEN 0 20466 -
0.0.0.0: LISTEN 2000 3495055 -
0.0.0.0: LISTEN 0 28790 -
0.0.0.0: LISTEN 0 26839 -
0.0.0.0: LISTEN 0 19450 -
0.0.0.0: LISTEN 0 22096 -
0.0.0.0: LISTEN 0 28145 -
::: LISTEN 0 9793 -
::: LISTEN 0 13518 -
0.0.0.0: 0 28700 -
0.0.0.0: 0 26720 -
0.0.0.0: 0 28397 -
0.0.0.0: 0 25096 -
0.0.0.0: 0 23084 -
0.0.0.0: 0 19437 -
0.0.0.0: 0 22447 -
0.0.0.0: 0 21469 -
0.0.0.0:* 0 19222 -
If a single container shows as DOWN you can run docker logs <container-name> for the latest log entries

bgao-pangeo commented 1 year ago

Something I forgot to mention just now. Friday of last week for reason that we don't know, the attack map showed attacks real-time. That was the only time that it showed anything for the 2 weeks that we had the system running. We don't believe the "not showing" was because there was no attack, as every T-POT sensor registered a lot of attacks everyday.

t3chn0m4g3 commented 12 months ago

Sorry, but I cannot reproduce that. Please check with Elasticvue or Kibana if all of your indices are in ok. Also check with docker logs <container name> if there are any specific errors that might help identifying the root cause.

bgao-pangeo commented 12 months ago

Hi Marco,

I installed two instances of T-POT, one works without issue; one that is behind a Cisco ASA firewall has this issue.

I've gone through everything and there was no error message.

For the Attack Map to work, is there certain port or filter needs to be turned on/off?

Thank you, Bo

From: Marco Ochse @.> Sent: Thursday, October 5, 2023 5:34 AM To: telekom-security/tpotce @.> Cc: Bo Gao @.>; Author @.> Subject: Re: [telekom-security/tpotce] Attack Map Not Showing Attacks (Issue #1414)

Sorry, but I cannot reproduce that. Please check with Elasticvue or Kibana if all of your indices are in ok. Also check with docker logs if there are any specific errors that might help identifying the root cause.

— Reply to this email directly, view it on GitHubhttps://github.com/telekom-security/tpotce/issues/1414#issuecomment-1748486157, or unsubscribehttps://github.com/notifications/unsubscribe-auth/A5WY2YUYNPMQZYNRP6N6GTLX5Z5JHAVCNFSM6AAAAAA5IDRG6KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONBYGQ4DMMJVG4. You are receiving this because you authored the thread.Message ID: @.***>

telekom-security / tpotce