Replies: 2 comments
I am also trying to get an idea of the whole process of TPOT. I am a new learner, so I will tell what I understand and am happy to be corrected, as I am new to this great TPOT project, which no doubt has a beautiful bundle of technologies. Whenever someone (an attacker) tries to interact with the honeypots, the honeypots capture the activity and save it to their respective locations (data/honeypots); these locations are specified in /opt/tpot/etc/tpot.yml. At the same time, every activity request is processed by fatt and Suricata individually, and they similarly save their logs to their locations (data/fatt or data/suricata). Now Logstash (/root/tpotce/docker/elk/logstash/dist/logstash.conf) takes all the data as input, parses it, and outputs the processed data to Elasticsearch. From there Kibana takes the data and visualizes it (as a beginner, I didn't find the Kibana config file location). This is my understanding; I hope it gives you a little guidance.
Why does tpotce use Fatt? What is the flow of tpotce from the time that network communication is coming in until the alert shows in the ELK stack?
I understand that all the signatures are in Suricata, so is the fatt tool only for sniffing? And does it just pass a pcap file to Suricata?
So the process is fatt->Suricata->ELK?
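Added example, not T-Pot's own logstash.conf and not code from either comment above: a small Python model of the ingestion step the first comment describes, where each honeypot and sensor (Cowrie, Suricata, FATT) writes its own JSON log under data/, and Logstash reads all of them, tags every event with a per-source type, parses the JSON and emits documents for Elasticsearch. The directory-to-type mapping, the normalized field names and the sample log lines are assumptions constructed for illustration; the sample lines approximate the JSON shapes those tools write but are not real captures. The last FATT line is deliberately truncated to show how an unparseable line is tagged rather than silently dropped.

```python
"""Toy model of T-Pot's log ingestion step (added example; not logstash.conf).

Every honeypot and sensor writes JSON lines into its own directory under
/data. Logstash tails each of those files, tags the events with a per-source
type, parses the JSON and ships the result to Elasticsearch. The functions
below do the same thing in-process on constructed sample lines.
"""
import json

# Constructed sample lines (not real captures). Key names approximate the JSON
# each tool writes; treat them as illustrative assumptions.
SAMPLE_FILES = {
    "/data/cowrie/log/cowrie.json": [
        '{"eventid":"cowrie.login.failed","timestamp":"2024-01-10T12:00:01.000000Z",'
        '"src_ip":"203.0.113.7","src_port":51233,"dst_ip":"10.0.0.5","dst_port":22,'
        '"username":"root","password":"123456","session":"a1b2c3d4"}',
    ],
    "/data/suricata/log/eve.json": [
        '{"timestamp":"2024-01-10T12:00:02.000000+0000","event_type":"alert",'
        '"src_ip":"203.0.113.7","src_port":51233,"dest_ip":"10.0.0.5","dest_port":22,'
        '"proto":"TCP","alert":{"signature_id":2001219,'
        '"signature":"ET SCAN Potential SSH Scan","severity":2}}',
        '{"timestamp":"2024-01-10T12:00:03.000000+0000","event_type":"flow",'
        '"src_ip":"203.0.113.7","src_port":51235,"dest_ip":"10.0.0.5","dest_port":443,'
        '"proto":"TCP"}',
    ],
    "/data/fatt/log/fatt.log": [
        '{"timestamp":"2024-01-10T12:00:03.100000","sourceIp":"203.0.113.7",'
        '"sourcePort":51235,"destinationIp":"10.0.0.5","destinationPort":443,'
        '"protocol":"tls","tls":{"serverName":"example.test",'
        '"ja3":"771,4865-4866-4867,0-23-65281-10-11,29-23-24,0"}}',
        # Truncated write, as happens when a file is tailed mid-line.
        '{"timestamp":"2024-01-10T12:00:04.000000","sourceIp":"203.0.113.7",',
    ],
}


def source_type(path: str) -> str:
    """Map a log path under /data/<tool>/... to its type tag.

    Stands in for Logstash having one file input per tool directory, each with
    a fixed `type`. The tag spelling is an assumption of this example.
    """
    parts = path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "data":
        raise ValueError(f"not a data path: {path}")
    return parts[1].capitalize()


def normalize(doc_type: str, line: str) -> dict:
    """Parse one JSON line into a common document shape for the index.

    Unparseable lines are kept and tagged instead of dropped, like the
    _jsonparsefailure tag Logstash's json filter adds.
    """
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return {"type": doc_type, "tags": ["_jsonparsefailure"], "message": line}

    doc = {"type": doc_type, "tags": [], "timestamp": ev.get("timestamp")}
    if doc_type == "Cowrie":
        doc.update(src_ip=ev.get("src_ip"), dest_port=ev.get("dst_port"),
                   summary=ev.get("eventid"))
    elif doc_type == "Suricata":
        doc.update(src_ip=ev.get("src_ip"), dest_port=ev.get("dest_port"),
                   summary=ev.get("event_type"))
        if ev.get("event_type") == "alert":  # only alerts carry a signature
            a = ev.get("alert", {})
            doc["alert"] = {"sid": a.get("signature_id"),
                            "signature": a.get("signature"),
                            "severity": a.get("severity")}
    elif doc_type == "Fatt":
        doc.update(src_ip=ev.get("sourceIp"), dest_port=ev.get("destinationPort"),
                   summary=ev.get("protocol"))
        ja3 = ev.get("tls", {}).get("ja3")
        if ja3:
            doc["ja3"] = ja3
    else:
        doc["tags"].append("_unknown_type")
        doc["raw"] = ev
    return doc


def ingest(files: dict) -> list:
    """Run every line of every source file through normalize(), in file order."""
    docs = []
    for path, lines in files.items():
        doc_type = source_type(path)
        for line in lines:
            if line.strip():
                docs.append(normalize(doc_type, line))
    return docs


def sources_by_src_ip(docs: list) -> dict:
    """Which sources saw each attacker IP: the cross-tool view a Kibana
    dashboard gives once all events share one index."""
    seen = {}
    for d in docs:
        ip = d.get("src_ip")
        if ip:
            seen.setdefault(ip, set()).add(d["type"])
    return {ip: sorted(types) for ip, types in seen.items()}


if __name__ == "__main__":
    docs = ingest(SAMPLE_FILES)
    for d in docs:
        print(json.dumps(d))
    print(sources_by_src_ip(docs))
```

Running it shows the point of putting everything through one pipeline: the same attacker IP appears in the Cowrie, Suricata and FATT documents, so a dashboard can pivot from a Suricata alert to the honeypot session and the TLS fingerprint seen on the same source address, and the half-written FATT line surfaces as a tagged document you can count instead of vanishing.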