Update 10-pf.conf

Add "Private-IP" tag to private IP addresses Delineated GeoIP tags and ASN tags (removed duplicated GeoIP tagging

Update 10-pf.conf
20792f8d · Andrew · GitHub · df2d8a9f · 20792f8d
Unverified Commit 20792f8d authored Sep 25, 2019 by Andrew Committed by GitHub Sep 25, 2019
--- a/10-pf.conf
+++ b/10-pf.conf
@@ -151,19 +151,20 @@ filter {
          address => [ "%{[src_ip]}" ]
          network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
          add_field => { "[@metadata][src_locality]" => "private" }
+          add_tag => [ "Private-IP" ]
        }
        # Check to see if src_locality exists. If it doesn't the src_addr didn't match a private address space and locality must be public.
        if ![@metadata][src_locality] {
          geoip {
-            add_tag => [ "GeoIP" ]
            source => "src_ip"
+            add_tag => [ "GeoIP" ]
            database => "/etc/logstash/GeoLite2-City.mmdb"
          }
        }
        if ![@metadata][src_locality] {
          geoip {
-            add_tag => [ "GeoIP" ]
            source => "src_ip"
+            add_tag => [ "ANS" ]
            database => "/etc/logstash/GeoLite2-ASN.mmdb"
          }
        }