From 09baee999af841e8ec74059246dca214cb8f6bbc Mon Sep 17 00:00:00 2001
From: Andrew <a@3ilson.com>
Date: Sun, 29 Sep 2019 15:35:58 -0400
Subject: [PATCH] Create 13-snort.conf

---
 conf.d/13-snort.conf | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 conf.d/13-snort.conf

diff --git a/conf.d/13-snort.conf b/conf.d/13-snort.conf
new file mode 100644
index 0000000..9b60c29
--- /dev/null
+++ b/conf.d/13-snort.conf
@@ -0,0 +1,34 @@
+# 13-snort.conf
+filter {
+  if "pf" in [tags] and [application] =~ /^snort/ {
+    mutate {
+      add_tag => [ "Snort" ]
+    }
+    grok {
+      patterns_dir => ["/etc/logstash/conf.d/patterns"]
+      match => [ "message", "%{SNORT}"]
+    }
+    if ![geoip] and [source][ip] {
+    # Check if source IP address is private.
+      cidr {
+        address => [ "%{[source][ip]}" ]
+        network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
+        add_field => { "[@metadata][source][locality]" => "private" }
+      }
+    # Check to see if source.locality exists. If it doesn't the source.ip didn't match a private address space and locality must be public.
+      if ![@metadata][source][locality] {
+        geoip {
+          add_tag => [ "GeoIP" ]
+          source => "[source][ip]"
+          database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
+        }
+      }
+      if [application] =~ /^snort/ {
+        mutate {
+          add_tag => [ "ET-Sig" ]
+          add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{[ids_sig_id]}" ]
+        }
+      }
+    }
+  }
+}
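Review bot: The `Signature_Info` field is populated unconditionally, but `ids_sig_id` only exists when the `%{SNORT}` grok above matched; on a `_grokparsefailure` event the field will carry the literal text `%{[ids_sig_id]}` in the URL, which pollutes the index and any dashboards keyed on it. The inner `if [application] =~ /^snort/` condition is also redundant because the enclosing block at the top of the hunk already requires it, so that guard can be replaced with a presence check: `if [ids_sig_id] {`. Consider a short comment there as well, `# Only build the ET signature link when grok extracted a signature id`, so the dependency on the grok pattern is explicit. The last entry in the cidr `network` list, `"::"`, has no prefix length; if the intent is the unspecified address it should presumably be written `"::/128"` to match the style of the other entries, but I have not verified how the cidr filter parses a bare address.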
-- 
GitLab