For almost five years Ubuntu LTS releases were our distributions of choice. Last year we made the design choice to move T-Pot closer to a rolling release model, which allows us to issue smaller changes and releases in a more timely manner. The distribution of choice is now Debian (Sid / unstable), which provides the latest advancements in a Debian based distribution.
Include HoneyPy honeypot
HoneyPy is now included in the NEXTGEN installation type
Include Suricata 4.1.3
Suricata 4.1.3 is now built from source to enable JA3 TLS client fingerprinting and better overall protocol support.
Update tools to the latest versions
ELK Stack 6.6.2
NGINX is now built to enforce TLS 1.3 on the T-Pot WebUI
Where possible / feasible the honeypots have been updated to their latest versions.
Cowrie now supports HASSH fingerprints (an MD5 over the algorithm lists in the client's SSH KEXINIT message), which allows an attacker's SSH client to be identified across IP addresses.
Heralding now supports SOCKS5 emulation.
Update Dashboards & Visualizations
Offset Dashboard added to easily spot changes in attacks within a 24h time window on a single dashboard.
Cowrie Dashboard modified to integrate HASSH support / visualizations.
HoneyPy Dashboard added to support latest honeypot addition.
Suricata Dashboard modified to integrate JA3 support / visualizations.
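The two fingerprints referenced above (JA3 in the Suricata dashboard, HASSH in the Cowrie dashboard) are both an MD5 over the algorithm lists a client offers in its first handshake message, which is why they survive IP changes. The following is an added example, not code from T-Pot, Cowrie or Suricata: it computes JA3 from already-extracted ClientHello values and HASSH from a raw SSH_MSG_KEXINIT payload. The ClientHello values and the KEXINIT packet are constructed for the demonstration, and the field labels (enc_c2s, mac_c2s, ...) are this example's own names for the RFC 4253 name-lists.

```python
"""Recompute JA3 (TLS ClientHello) and HASSH (SSH KEXINIT) client fingerprints.

Added example, not T-Pot/Cowrie/Suricata code. Sample inputs are constructed,
not captured traffic.
"""
import hashlib
import struct
from typing import Dict, List

# --- JA3: md5("version,ciphers,extensions,curves,point_formats") ---

# GREASE values (RFC 8701) are randomised per connection and are excluded,
# otherwise the same client would produce a different JA3 on every handshake.
GREASE = {(x << 8) | x for x in range(0x0A, 0x100, 0x10)}


def _md5hex(s: str) -> str:
    return hashlib.md5(s.encode("ascii")).hexdigest()


def ja3_string(version: int, ciphers: List[int], extensions: List[int],
               curves: List[int], point_formats: List[int]) -> str:
    """Build the pre-hash JA3 string; the order of every list is preserved."""
    def field(values: List[int]) -> str:
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])


def ja3(version, ciphers, extensions, curves, point_formats) -> str:
    return _md5hex(ja3_string(version, ciphers, extensions, curves, point_formats))


# --- HASSH: md5("kex;enc_c2s;mac_c2s;comp_c2s") from SSH_MSG_KEXINIT ---

SSH_MSG_KEXINIT = 20
# The ten name-lists of KEXINIT in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(names: List[str]) -> bytes:
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body


def build_kexinit(fields: Dict[str, List[str]]) -> bytes:
    """Serialise a KEXINIT payload; only used here to construct the sample packet."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # message type + 16-byte cookie
    for name in KEXINIT_FIELDS:
        out += _name_list(fields.get(name, []))
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Parse a KEXINIT payload (the packet framing and padding already removed)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, fields = 17, {}
    for name in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT (missing name-list length)")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated KEXINIT (name-list runs past end)")
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        fields[name] = raw.split(",") if raw else []
    return fields


def hassh_string(fields: Dict[str, List[str]]) -> str:
    """Client fingerprint input: kex, then the client-to-server enc/mac/comp lists."""
    return ";".join(",".join(fields[k]) for k in ("kex", "enc_c2s", "mac_c2s", "comp_c2s"))


def hassh(payload: bytes) -> str:
    return _md5hex(hassh_string(parse_kexinit(payload)))


def hassh_server(payload: bytes) -> str:
    """hasshServer uses the server-to-client lists of the server's KEXINIT."""
    f = parse_kexinit(payload)
    return _md5hex(";".join(",".join(f[k]) for k in ("kex", "enc_s2c", "mac_s2c", "comp_s2c")))


# Constructed samples (not captured traffic).
SAMPLE_CLIENT_HELLO = dict(
    version=771,                                        # TLS 1.2
    ciphers=[0x1A1A, 4865, 4866, 4867, 49195, 49199],   # leading GREASE cipher
    extensions=[0x1A1A, 0, 23, 65281, 10, 11, 0x2A2A],  # GREASE at both ends
    curves=[0x1A1A, 29, 23, 24],
    point_formats=[0],
)
SAMPLE_CLIENT_KEXINIT = build_kexinit({
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "host_key": ["ssh-ed25519", "rsa-sha2-512"],
    "enc_c2s": ["aes128-ctr", "aes256-ctr"], "enc_s2c": ["aes128-ctr", "aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

if __name__ == "__main__":
    print("ja3  ", ja3_string(**SAMPLE_CLIENT_HELLO), ja3(**SAMPLE_CLIENT_HELLO))
    print("hassh", hassh_string(parse_kexinit(SAMPLE_CLIENT_KEXINIT)), hassh(SAMPLE_CLIENT_KEXINIT))
```

Two points worth checking when you compare your own values against a dashboard: list order is part of the fingerprint (swapping two ciphers gives a different JA3), and a client sending an empty name-list still contributes its separator to the HASSH string, so fingerprints of stripped-down scanners stay distinct from each other.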
Debian mirror selection
During the base install you now have to select a mirror manually.
During the T-Pot install, the mirror closest to you is then determined automatically.
This solves peering problems for most users, speeding up installation and updates.
Fixed issue #298 where the import and export of objects on the shell did not work.
Fixed issue #313 where Spiderfoot raised a KeyError; the fix was already available upstream.
Fixed an error in Suricata where the path for reference.config had changed.
As far as possible we will now integrate changes into the master branch faster, eliminating the need for monolithic releases. The update feature will be continuously improved to that end. However, this might not cover all feature changes.
If you want to share your T-Pot data with a 3rd party HPFEEDS broker such as SISSDEN, you can do so by creating an account at the SISSDEN portal and running hpfeeds_optin.sh on T-Pot.
For those who like to live on the bleeding edge of T-Pot development there is now an update script available at /opt/tpot/update.sh.
This feature is beta and is mostly intended to provide you with the latest development advances without the need to reinstall T-Pot.