From 09baee999af841e8ec74059246dca214cb8f6bbc Mon Sep 17 00:00:00 2001 From: Andrew <a@3ilson.com> Date: Sun, 29 Sep 2019 15:35:58 -0400 Subject: [PATCH] Create 13-snort.conf --- conf.d/13-snort.conf | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 conf.d/13-snort.conf diff --git a/conf.d/13-snort.conf b/conf.d/13-snort.conf new file mode 100644 index 0000000..9b60c29 --- /dev/null +++ b/conf.d/13-snort.conf @@ -0,0 +1,34 @@ +# 13-snort.conf +filter { + if "pf" in [tags] and [application] =~ /^snort/ { + mutate { + add_tag => [ "Snort" ] + } + grok { + patterns_dir => ["/etc/logstash/conf.d/patterns"] + match => [ "message", "%{SNORT}"] + } + if ![geoip] and [source][ip] { + # Check if source IP address is private. + cidr { + address => [ "%{[source][ip]}" ] + network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ] + add_field => { "[@metadata][source][locality]" => "private" } + } + # Check to see if source.locality exists. If it doesn't the source.ip didn't match a private address space and locality must be public. + if ![@metadata][source][locality] { + geoip { + add_tag => [ "GeoIP" ] + source => "[source][ip]" + database => "/usr/share/GeoIP/GeoLite2-City.mmdb" + } + } + if [application] =~ /^snort/ { + mutate { + add_tag => [ "ET-Sig" ] + add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{[ids_sig_id]}" ] + } + } + } + } +} -- GitLab