Unverified Commit 15d6e34b authored by Andrew's avatar Andrew Committed by GitHub

Update 10-pf.conf

parent 28e425bf
# 10-pf.conf
filter { filter {
if "pf" in [tags] { if "pf" in [tags] {
date { date {
...@@ -6,8 +7,7 @@ filter { ...@@ -6,8 +7,7 @@ filter {
} }
grok { grok {
patterns_dir => ["/etc/logstash/conf.d/patterns"] patterns_dir => ["/etc/logstash/conf.d/patterns"]
match => [ "message", "%{PFSENSE}", match => [ "message", "%{OPNSENSE}"]
"message", "%{OPNSENSE}" ]
} }
mutate { mutate {
replace => [ "message", "%{msg}" ] replace => [ "message", "%{msg}" ]
...@@ -15,179 +15,5 @@ filter { ...@@ -15,179 +15,5 @@ filter {
mutate { mutate {
remove_field => [ "msg" ] remove_field => [ "msg" ]
} }
if [application] =~ /^dhcpd$/ {
mutate {
add_tag => [ "dhcpd" ]
}
grok {
patterns_dir => ["/etc/logstash/conf.d/patterns"]
match => [ "message", "%{DHCPD}"]
}
}
if [application] =~ /^suricata/ {
mutate {
add_tag => [ "Suricata" ]
}
grok {
patterns_dir => ["/etc/logstash/conf.d/patterns"]
match => [ "message", "%{SURICATA}"]
}
if ![geoip] and [source][ip] {
# Check if source.ip address is private.
cidr {
address => [ "%{[source][ip]}" ]
network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
add_field => { "[@metadata][source][locality]" => "private" }
}
# Check to see if source.locality exists. If it doesn't the source.ip didn't match a private address space and locality must be public.
if ![@metadata][source][locality] {
geoip {
add_tag => [ "GeoIP" ]
source => "[source][ip]"
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
}
}
if [application] =~ /^suricata/ {
mutate {
add_tag => [ "ET-Sig" ]
add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{[ids_sig_id]}" ]
}
}
}
}
if [application] =~ /^snort/ {
mutate {
add_tag => [ "Snort" ]
}
grok {
patterns_dir => ["/etc/logstash/conf.d/patterns"]
match => [ "message", "%{SNORT}"]
}
if ![geoip] and [source][ip] {
# Check if source IP address is private.
cidr {
address => [ "%{[source][ip]}" ]
network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
add_field => { "[@metadata][source][locality]" => "private" }
}
# Check to see if source.locality exists. If it doesn't the source.ip didn't match a private address space and locality must be public.
if ![@metadata][source][locality] {
geoip {
add_tag => [ "GeoIP" ]
source => "[source][ip]"
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
}
}
if [application] =~ /^snort/ {
mutate {
add_tag => [ "ET-Sig" ]
add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{[ids_sig_id]}" ]
}
}
}
}
if [application] =~ /^charon$/ {
mutate {
add_tag => [ "ipsec" ]
}
}
if [application] =~ /^barnyard2/ {
mutate {
add_tag => [ "barnyard2" ]
}
}
if [application] =~ /^openvpn/ {
mutate {
add_tag => [ "openvpn" ]
}
grok {
patterns_dir => ["/etc/logstash/conf.d/patterns"]
match => [ "message", "%{OPENVPN}"]
}
}
if [application] =~ /^ntpd/ {
mutate {
add_tag => [ "ntpd" ]
}
}
if [application] =~ /^php-fpm/ {
mutate {
add_tag => [ "web_portal" ]
}
grok {
patterns_dir => ["/etc/logstash/conf.d/patterns"]
match => [ "message", "%{PF_APP}%{PF_APP_DATA}"]
}
mutate {
lowercase => [ 'pf_ACTION' ]
}
}
if [application] =~ /^apinger/ {
mutate {
add_tag => [ "apinger" ]
}
}
if [application] =~ /^filterlog$/ {
mutate {
remove_field => [ "msg", "datetime" ]
}
grok {
add_tag => [ "firewall" ]
patterns_dir => ["/etc/logstash/conf.d/patterns"]
match => [ "message", "%{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
"message", "%{PF_IPv4_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
"message", "%{PF_IPv6_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}"]
}
if [interface] =~ /^igb0$/ {
mutate {
add_tag => [ "WAN" ]
}
}
if [interface] =~ /^igb1$/ {
mutate {
add_tag => [ "DEV" ]
}
}
if [interface] =~ /^igb2$/ {
mutate {
add_tag => [ "DMZ" ]
}
}
if [interface] =~ /^igb3$/ {
mutate {
add_tag => [ "LAN" ]
}
}
if [interface] =~ /^lo0$/ {
mutate {
add_tag => [ "Link-Local" ]
}
}
if ![geoip] and [source][ip] {
# Check if source.ip address is private.
cidr {
address => [ "%{[source][ip]}" ]
network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
add_field => { "[@metadata][source][locality]" => "private" }
add_tag => [ "Private-IP" ]
}
# Check to see if source.locality exists. If it doesn't the source.ip didn't match a private address space and locality must be public.
if ![@metadata][source][locality] {
geoip {
source => "[source][ip]"
add_tag => [ "GeoIP" ]
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
}
}
if ![@metadata][source][locality] {
geoip {
source => "[source][ip]"
add_tag => [ "ASN" ]
database => "/usr/share/GeoIP/GeoLite2-ASN.mmdb"
}
}
}
}
} }
} }
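Review bot: The grok on the new side of the first hunk now tries only `%{OPNSENSE}`, so any event that does not match it is tagged `_grokparsefailure` and never gets a `msg` field, yet the `mutate { replace => [ "message", "%{msg}" ] }` that follows still runs unconditionally and overwrites the original log line with the literal text `%{msg}`; the raw event is then gone from the index, which matters for a firewall/IDS pipeline where the unparsed line is the evidence. Guard the rewrite on parse success: `if "_grokparsefailure" not in [tags] { mutate { replace => [ "message", "%{msg}" ] } }`, with the later `remove_field => [ "msg" ]` under the same guard. The second hunk removes every per-application branch, including the `cidr` private-address classification and the `geoip` enrichment that set `[@metadata][source][locality]`; if that logic is meant to live elsewhere it is not visible in this commit, so a one-line pointer such as `# Per-application parsing (filterlog, suricata, snort, openvpn, ...) is handled in <other pipeline file>` at the top of the `if "pf" in [tags]` block would save the next reader a search. That enclosing block begins above the first hunk header.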