System Configuration
The stingar.env file resides in STINGAR's root directory and configures your implementation of STINGAR. It lists environment variables (many with a default setting) that you may change to modify the functionality or appearance of your STINGAR implementation. The environment variables are grouped into the following categories:
Fluentd
FLUENTD_HOST=fluentd # Automatically set when STINGAR is installed.
FLUENTD_PORT=24224 # Automatically set when STINGAR is installed.
FLUENTD_REMOTE_HOST= # The address of the STINGAR server that hosts fluentd. It is automatically set when STINGAR is installed.
FLUENTD_LOCAL_PORT=24225 # The port that STINGAR will use to access fluentd. It is automatically set when STINGAR is installed.
FLUENTD_KEY= # An access key that is automatically generated and saved to the stingar.env file when STINGAR is installed. It should not be changed.
FLUENTD_APP=stingar # The name of the fluentd application.
Fluent Bit
FLUENTBIT_HOST=fluentbit # Automatically set when STINGAR is installed.
FLUENTBIT_PORT=24284 # Automatically set when STINGAR is installed.
FLUENTBIT_APP=stingar # Automatically set when STINGAR is installed.
FLUENTBIT_HOSTNAME=flb.local # Automatically set when STINGAR is installed.
Syslog output of attack logs
# Syslog settings
SYSLOG_ENABLED=false # disabled by default, set to true to enable
SYSLOG_HOST= # if enabled, insert name/IP addr of Syslog destination server
SYSLOG_PORT=514
SYSLOG_SEVERITY=info
SYSLOG_HOSTNAME= # if enabled, insert name/IP addr of this STINGAR server
SYSLOG_PROTOCOL=udp # udp output protocol (default)
# SYSLOG_PROTOCOL=tcp # optional tcp output (uncomment to set)
Local file output of attack logs
FILE_ENABLED=false # disabled by default, set to true to enable
If enabled, the output file location is mounted/mapped to the local file system in the docker-compose.yml file, under the volumes section for the fluentd image (e.g. ./stingar-logs here):
fluentd:
  image: 4warned/fluentd:latest
  ports:
    - 24224:24224
    - 24224:24224/udp
    - 127.0.0.1:24225:24225
    - 127.0.0.1:24225:24225/udp
  env_file:
    - stingar.env
  depends_on:
    - elasticsearch
  volumes:
    - ./stingar-logs:/var/log/stingar
CIF ENV variables
CIF_ENABLED=false # disabled by default, set to true to enable (see below)
CIF_HOST= # Provided by Forewarned (info@forewarned.io).
CIF_TOKEN= # Provided by Forewarned (info@forewarned.io).
CIF_PROVIDER= # Provided by Forewarned (info@forewarned.io).
CIF_CONFIDENCE=8 # Automatically set when STINGAR is installed.
CIF_TAGS=honeypots # Automatically set when STINGAR is installed.
CIF_GROUP=everyone # Automatically set when STINGAR is installed.
Remote sharing of attack data
To contribute your attack data anonymously to the common repository, you'll need to enable CIF (Central Intelligence Framework) and provide information about the CIF broker so that STINGAR knows where to send the data.
Edit your stingar.env file with the following details:
CIF_ENABLED=true
CIF_HOST=cif.stingar.info
CIF_TOKEN=TOKEN_PROVIDED_BY_FOREWARNED
CIF_PROVIDER=PARTNERNAME_PROVIDED_BY_FOREWARNED
CIF_CONFIDENCE=8
CIF_TAGS=honeypots
CIF_GROUP=everyone
Your CIF_TOKEN and CIF_PROVIDER values will be provided by Forewarned, Inc.; email info@forewarned.io to request them.
Once stingar.env is updated, restart the Docker containers:
% docker-compose down
..wait a few seconds to complete..
% docker-compose up -d
Local server settings
These values are set by the install script and used internally by STINGAR; they are typically not modified.
API_HOST=http://stingarapi:8000/ # Automatically set when STINGAR is installed.
API_KEY=xxxxxxxxxxxxxxxxxx # Automatically set when STINGAR is installed.
PASSPHRASE=xxxxxxxxxxxxxxx # Used by install script to create API key.
SALT=xxxxxxxxxxxxxxxxxxxxx # Used by install script to create API key.
STINGAR_SERVICE_URL=http://stingarapi:8000/api/v2 # Automatically set when STINGAR is installed.
UI_HOSTNAME=localhost # Automatically set when STINGAR is installed.
API_KEY
The key that STINGAR uses to access the API.
The API stores this token and confirms that the one provided with each API request matches before it responds.
Honeypot health check interval
HONEYPOT_HEALTHCHECK_INTERVAL=PT01h0m0s # default check every 01 hours 0 mins 0 secs
Honeypot Tags
List of tags to use for honeypots. The list should be comma-separated. Key-value pairs should be colon-delimited. Items that are not key-value pairs will be added to the "misc" tag.
TAGS=network:localnet,area:dmz,test_tag
LDAP
You may enable LDAP on your implementation of STINGAR. If the LDAP_ENABLED env var is set to true, LDAP will be enabled. This allows you to use your organization's institutional identity management system to authenticate STINGAR users. If enabled, you'll still need to add users to STINGAR via the User Management module to identify which people within your organization can access STINGAR. Users will then be able to access STINGAR using their standard/organization unique ID & password by clicking on the [LDAP Login] button that will appear on the login page. If LDAP_ENABLED=true, you'll need to define the additional 3 LDAP env vars to let STINGAR know how to send requests to your organization's LDAP instance.
LDAP_ENABLED=false # set to true to enable
LDAP_HOST= # set to local LDAP server
LDAP_PORT=636
LDAP_BASE= # set to LDAP Base
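A pre-restart check for the feature toggles above (Syslog, CIF, LDAP) and the TAGS format, as an added example that is not part of STINGAR: it flags a toggle set to true whose companion variables are still empty or still hold the placeholder text from the CIF example. The function names, the list form of the "misc" tag and the sample values are assumptions made for illustration.

```python
import re

# Toggles from this page, the variables each needs once true, and the CIF example's placeholders.
REQUIRED_WHEN_ENABLED = {
    "SYSLOG_ENABLED": ["SYSLOG_HOST", "SYSLOG_HOSTNAME"],
    "CIF_ENABLED": ["CIF_HOST", "CIF_TOKEN", "CIF_PROVIDER"],
    "LDAP_ENABLED": ["LDAP_HOST", "LDAP_PORT", "LDAP_BASE"],
}
PLACEHOLDERS = {"TOKEN_PROVIDED_BY_FOREWARNED", "PARTNERNAME_PROVIDED_BY_FOREWARNED"}

def parse_env(text):
    """Read KEY=VALUE lines, dropping comment lines and trailing ' # ...' notes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = re.sub(r"\s+#.*$", "", value).strip()
    return env

def parse_tags(value):
    """'key:value' items become keys; bare items are collected under 'misc'."""
    tags = {"misc": []}  # assumption: 'misc' is modelled here as a list
    for item in filter(None, (t.strip() for t in value.split(","))):
        key, sep, val = item.partition(":")
        if sep:
            tags[key.strip()] = val.strip()
        else:
            tags["misc"].append(item)
    return tags

def lint(env):
    findings = []  # an empty list means every check passed
    for toggle, needed in REQUIRED_WHEN_ENABLED.items():
        if env.get(toggle, "false").lower() == "true":
            for name in needed:
                if env.get(name, "") in PLACEHOLDERS | {""}:
                    findings.append(f"{toggle}=true but {name} is unset or a placeholder")
    if env.get("SYSLOG_PROTOCOL", "udp") not in ("udp", "tcp"):
        findings.append("SYSLOG_PROTOCOL must be udp or tcp")
    return findings

# Constructed sample, not a real deployment's stingar.env.
SAMPLE = ("SYSLOG_ENABLED=true # constructed\nSYSLOG_HOST= # left empty\n"
          "SYSLOG_HOSTNAME=stingar.example.org\nCIF_ENABLED=true\nCIF_HOST=cif.stingar.info\n"
          "CIF_TOKEN=TOKEN_PROVIDED_BY_FOREWARNED\nCIF_PROVIDER=example-partner\nLDAP_ENABLED=false\n")

if __name__ == "__main__":
    print("\n".join(lint(parse_env(SAMPLE))))
```

Running it against a copy of stingar.env before `docker-compose up -d` catches a half-configured output or login path while the containers are still down.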
Miscellaneous UI settings
INSTITUTION_NAME=MY_UNIVERSITY # The name of your organization. The value you enter will appear in the STINGAR header.
THEME_DARK_BASE_COLOR=#363636 # A dark color that is used throughout the application (including header & sidebar backgrounds).
THEME_LIGHT_BASE_COLOR=white # A light color that is used throughout the application (including header & sidebar text).
DEFAULT_ROWS_PER_PAGE=50 # When displaying attack events, STINGAR presents them page by page. You may use this env variable to define the number of rows that should appear per page, as the default. (The user may change this while viewing events).
Docker Code Repository (DEPRECATED)
DOCKER_USERNAME= # The name of the Docker user that Langstroth will use to access the repository of 'playbooks' that tell STINGAR how to deploy each type of honeypot. The API stores information about this user in a sqlite database.
DOCKER_REPOSITORY= # The address of the code repository STINGAR uses to install your implementation and keep it updated. Automatically set when STINGAR is installed and should not be modified.
DOCKER_PASSWORD= # The password STINGAR uses to retrieve code from the STINGAR code repository. Automatically set when STINGAR is installed and should not be modified.