Create 13-snort.conf

09baee99 · Andrew · GitHub · dd93850c · 09baee99
Unverified Commit 09baee99 authored Sep 29, 2019 by Andrew Committed by GitHub Sep 29, 2019
--- a/conf.d/13-snort.conf
+++ b/conf.d/13-snort.conf
+# 13-snort.conf
+filter {
+  if "pf" in [tags] and [application] =~ /^snort/ {
+    mutate {
+      add_tag => [ "Snort" ]
+    }
+    grok {
+      patterns_dir => ["/etc/logstash/conf.d/patterns"]
+      match => [ "message", "%{SNORT}"]
+    }
+    if ![geoip] and [source][ip] {
+    # Check if source IP address is private.
+      cidr {
+        address => [ "%{[source][ip]}" ]
+        network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
+        add_field => { "[@metadata][source][locality]" => "private" }
+      }
+    # Check to see if source.locality exists. If it doesn't the source.ip didn't match a private address space and locality must be public.
+      if ![@metadata][source][locality] {
+        geoip {
+          add_tag => [ "GeoIP" ]
+          source => "[source][ip]"
+          database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
+        }
+      }
+      if [application] =~ /^snort/ {
+        mutate {
+          add_tag => [ "ET-Sig" ]
+          add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{[ids_sig_id]}" ]
+        }
+      }
+    }
+  }
+}