Shodan provides a Graylog plugin that enriches the IP addresses in your logs with information from our database.
Download the .jar file from our GitLab release page. Check your Graylog version first: the table below shows which plugin package is compatible with each Graylog version.
| Graylog Version | Shodan Package |
|---|---|
| 5.1.X | 5.1.0 |
| 5.0.X | 5.0.0 |
| 4.3.X | 4.3.0 |
| 4.2.X | 4.2.0 |
| 4.1.X | 4.1.0 |
After downloading, place the .jar file in the Graylog plugin directory. By default this is the plugins/ folder relative to your graylog-server directory; the location can be changed in your graylog.conf file.
Restart Graylog and open System -> Lookup Tables -> Data Adapters -> Create Data Adapter. Shodan and Shodan InternetDB should appear in the list of adapter types.
The following example attaches a Shodan InternetDB lookup to messages as they are ingested into Graylog.
First create a new Shodan InternetDB data adapter, then create a new lookup table that uses the adapter you just created.
Go to System -> Pipelines -> Manage Rules -> Create Rule and add the following rule source. It queries the Shodan InternetDB lookup table whenever a log message contains an IP field (src_ip in this example) and stores the result in a new field.
```
rule "Shodan InternetDB check IP"
when
  // Change 'src_ip' to the IP field your logs use
  has_field("src_ip")
then
  // Query the lookup table and attach the result as a new message field
  let update_source = lookup("shodan_internetdb_table", $message.src_ip);
  set_field("shodan_internetdb", update_source);
end
```
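A variant of the rule above, added here as an example and not part of Shodan's documentation, skips private, loopback and link-local source addresses so that no InternetDB lookup is spent on addresses the database cannot hold data for. It relies on the built-in Graylog pipeline functions cidr_match and to_ip and assumes the same lookup table name as above.

```text
rule "Shodan InternetDB check public IP"
when
  // Only enrich messages that carry a source IP (rename 'src_ip' to match your logs)
  has_field("src_ip") &&
  // InternetDB covers Internet-facing hosts only, so skip RFC 1918,
  // loopback and link-local ranges instead of querying them
  ! cidr_match("10.0.0.0/8",     to_ip($message.src_ip)) &&
  ! cidr_match("172.16.0.0/12",  to_ip($message.src_ip)) &&
  ! cidr_match("192.168.0.0/16", to_ip($message.src_ip)) &&
  ! cidr_match("127.0.0.0/8",    to_ip($message.src_ip)) &&
  ! cidr_match("169.254.0.0/16", to_ip($message.src_ip))
then
  // Same lookup table as in the rule above (assumed name); the result is stored as a map
  let update_source = lookup("shodan_internetdb_table", $message.src_ip);
  set_field("shodan_internetdb", update_source);
end
```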
Go back to System -> Pipelines -> Manage Pipelines and create a new pipeline named Shodan InternetDB. Connect it to the stream whose messages should be enriched; here we use All messages.
Finally, add a new stage to the pipeline that uses the rule created above, and save.
Check that the Message Processors Configuration under System -> Configuration runs the processors in the required order: the Pipeline Processor must run after the Message Filter Chain, otherwise messages reach the pipeline before they have been routed to their stream.
Once this is done, open the stream and inspect a message: the shodan_internetdb field should contain the lookup result.