From 2015c8169867f6055b6c506b32a97071df58a735 Mon Sep 17 00:00:00 2001
From: Andrew <a@3ilson.com>
Date: Tue, 10 Sep 2019 11:04:12 -0400
Subject: [PATCH] Update 11-pf.conf

Incorporated "2stacks" Private IPs
---
 11-pf.conf | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/11-pf.conf b/11-pf.conf
index 506d208..107d837 100644
--- a/11-pf.conf
+++ b/11-pf.conf
@@ -34,10 +34,18 @@ filter {
           patterns_dir => ["/etc/logstash/conf.d/patterns"]
           match => [ "message", "%{SURICATA}"]
       }
-        if ![geoip] and [ids_src_ip] !~ /^(10\.|172\.22\.|192\.168\.)/ {
+      if ![geoip] and [src_ip] {
+        # Check if source IP address is private.
+        cidr {
+               address => [ "%{[src_ip]}" ]
+               network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
+               add_field => { "[@metadata][src_locality]" => "private" }
+        }
+        # Check to see if src_locality exists. If it doesn't the src_addr didn't match a private address space and locality must be public.
+        if ![@metadata][src_locality] {
           geoip {
             add_tag => [ "GeoIP" ]
-            source => "ids_src_ip"
+            source => "src_ip"
             database => "/etc/logstash/GeoLite2-City.mmdb"
           }
         }
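Review bot: The `network` list on the cidr line does not include 100.64.0.0/10 (RFC 6598 shared address space), so CGNAT-range sources are never marked `private` and fall through to the geoip lookup; the regex this replaces had the same gap. Adding `"100.64.0.0/10"` to the `network` array would close it. The last entry, `"::"`, is a bare address rather than a prefix; it may parse as a single host, but `"::/128"` would state the intent explicitly. The comment above the inner `if` refers to `src_addr` while the field being tested is `src_ip`; I would change it to `# If src_locality was not set, src_ip matched no private range and the source is treated as public.`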
@@ -45,6 +53,7 @@ filter {
           mutate {
             add_tag => [ "ET-Sig" ]
             add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{[ids_sig_id]}" ]
+          }
         }
       }
     }
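Review bot: The `}` added before the existing closing braces appears to be the one that balances the new outer `if ![geoip] and [src_ip] {` opened in the first hunk (that hunk opens one more brace than it closes), which would mean the `mutate` block adding `ET-Sig` and `Signature_Info`, plus whatever lies between the two hunks outside this view, now runs only when geoip is absent and `src_ip` is present. If the signature enrichment is meant to run for every event as before, the extra `}` belongs directly after the geoip conditional in the first hunk rather than here; if the nesting is intended, a comment on this line such as `# closes: if ![geoip] and [src_ip]` would make the scope visible, since indentation in this file does not track the brace structure. The enclosing block starts outside this hunk.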
-- 
GitLab