Unverified Commit 4dfd190f authored by Andrew's avatar Andrew Committed by GitHub

Update 10-pf.conf

Elastic Common Schema
Eliminated configured adjustment for pfSense/OPNsense (lines 7-11)
parent f036821a
filter {
if "pf" in [tags] {
grok {
#PFsense
#match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
#OPNsense
match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<host.name>.*?) (?<prog>.*?): (?<msg>.*)" ]
}
mutate {
gsub => ["datetime"," "," "]
}
date {
match => [ "datetime", "MMM dd HH:mm:ss" ]
timezone => "America/New_York"
match => [ "timestamp", " MMM dd HH:mm:ss" ]
target => "@timestamp"
}
grok {
patterns_dir => ["/etc/logstash/conf.d/patterns"]
match => [ "message", "%{PFSENSE}",
"message", "%{OPNSENSE}" ]
}
mutate {
replace => [ "message", "%{msg}" ]
}
mutate {
remove_field => [ "msg", "datetime" ]
remove_field => [ "msg" ]
}
if [prog] =~ /^dhcpd$/ {
if [application] =~ /^dhcpd$/ {
mutate {
add_tag => [ "dhcpd" ]
}
......@@ -28,7 +25,7 @@ filter {
match => [ "message", "%{DHCPD}"]
}
}
if [prog] =~ /^suricata/ {
if [application] =~ /^suricata/ {
mutate {
add_tag => [ "Suricata" ]
}
......@@ -36,22 +33,22 @@ filter {
patterns_dir => ["/etc/logstash/conf.d/patterns"]
match => [ "message", "%{SURICATA}"]
}
if ![geoip] and [src_ip] {
# Check if source IP address is private.
if ![geoip] and [source.ip] {
# Check if source.ip address is private.
cidr {
address => [ "%{[src_ip]}" ]
address => [ "%{[source.ip]}" ]
network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
add_field => { "[@metadata][src_locality]" => "private" }
add_field => { "[@metadata][source.locality]" => "private" }
}
# Check to see if src_locality exists. If it doesn't the src_addr didn't match a private address space and locality must be public.
if ![@metadata][src_locality] {
# Check to see if source.locality exists. If it doesn't the source.ip didn't match a private address space and locality must be public.
if ![@metadata][source.locality] {
geoip {
add_tag => [ "GeoIP" ]
source => "src_ip"
database => "/etc/logstash/GeoLite2-City.mmdb"
source => "source.ip"
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
}
}
if [prog] =~ /^suricata/ {
if [application] =~ /^suricata/ {
mutate {
add_tag => [ "ET-Sig" ]
add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{[ids_sig_id]}" ]
......@@ -59,7 +56,7 @@ filter {
}
}
}
if [prog] =~ /^snort/ {
if [application] =~ /^snort/ {
mutate {
add_tag => [ "Snort" ]
}
......@@ -67,22 +64,22 @@ filter {
patterns_dir => ["/etc/logstash/conf.d/patterns"]
match => [ "message", "%{SNORT}"]
}
if ![geoip] and [src_ip] {
if ![geoip] and [source.ip] {
# Check if source IP address is private.
cidr {
address => [ "%{[src_ip]}" ]
address => [ "%{[source.ip]}" ]
network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
add_field => { "[@metadata][src_locality]" => "private" }
add_field => { "[@metadata][source.locality]" => "private" }
}
# Check to see if src_locality exists. If it doesn't the src_addr didn't match a private address space and locality must be public.
if ![@metadata][src_locality] {
# Check to see if source.locality exists. If it doesn't the source.ip didn't match a private address space and locality must be public.
if ![@metadata][source.locality] {
geoip {
add_tag => [ "GeoIP" ]
source => "src_ip"
database => "/etc/logstash/GeoLite2-City.mmdb"
source => "source.ip"
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
}
}
if [prog] =~ /^snort/ {
if [application] =~ /^snort/ {
mutate {
add_tag => [ "ET-Sig" ]
add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{[ids_sig_id]}" ]
......@@ -90,17 +87,17 @@ filter {
}
}
}
if [prog] =~ /^charon$/ {
if [application] =~ /^charon$/ {
mutate {
add_tag => [ "ipsec" ]
}
}
if [prog] =~ /^barnyard2/ {
if [application] =~ /^barnyard2/ {
mutate {
add_tag => [ "barnyard2" ]
}
}
if [prog] =~ /^openvpn/ {
if [application] =~ /^openvpn/ {
mutate {
add_tag => [ "openvpn" ]
}
......@@ -109,12 +106,12 @@ filter {
match => [ "message", "%{OPENVPN}"]
}
}
if [prog] =~ /^ntpd/ {
if [application] =~ /^ntpd/ {
mutate {
add_tag => [ "ntpd" ]
}
}
if [prog] =~ /^php-fpm/ {
if [application] =~ /^php-fpm/ {
mutate {
add_tag => [ "web_portal" ]
}
......@@ -126,12 +123,12 @@ filter {
lowercase => [ 'pf_ACTION' ]
}
}
if [prog] =~ /^apinger/ {
if [application] =~ /^apinger/ {
mutate {
add_tag => [ "apinger" ]
}
}
if [prog] =~ /^filterlog$/ {
if [application] =~ /^filterlog$/ {
mutate {
remove_field => [ "msg", "datetime" ]
}
......@@ -142,30 +139,57 @@ filter {
"message", "%{PF_IPv4_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
"message", "%{PF_IPv6_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}"]
}
# Change interface as desired
if [interface] =~ /^igb0$/ {
mutate {
lowercase => [ 'proto' ]
add_tag => [ "interface.WAN" ]
}
if ![geoip] and [src_ip] {
# Check if source IP address is private.
}
# Change interface as desired
if [interface] =~ /^igb1$/ {
mutate {
add_tag => [ "interface.DEV" ]
}
}
# Change interface as desired
if [interface] =~ /^igb2$/ {
mutate {
add_tag => [ "interface.DMZ" ]
}
}
# Change interface as desired
if [interface] =~ /^igb3$/ {
mutate {
add_tag => [ "interface.LAN" ]
}
}
# Change interface as desired
if [interface] =~ /^lo0$/ {
mutate {
add_tag => [ "interface.Link-Local" ]
}
}
if ![geoip] and [source.ip] {
# Check if source.ip address is private.
cidr {
address => [ "%{[src_ip]}" ]
address => [ "%{[source.ip]}" ]
network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
add_field => { "[@metadata][src_locality]" => "private" }
add_field => { "[@metadata][source.locality]" => "private" }
add_tag => [ "Private-IP" ]
}
# Check to see if src_locality exists. If it doesn't the src_addr didn't match a private address space and locality must be public.
if ![@metadata][src_locality] {
# Check to see if source.locality exists. If it doesn't the source.ip didn't match a private address space and locality must be public.
if ![@metadata][source.locality] {
geoip {
source => "src_ip"
source => "source.ip"
add_tag => [ "GeoIP" ]
database => "/etc/logstash/GeoLite2-City.mmdb"
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
}
}
if ![@metadata][src_locality] {
if ![@metadata][source.locality] {
geoip {
source => "src_ip"
add_tag => [ "ANS" ]
database => "/etc/logstash/GeoLite2-ASN.mmdb"
source => "source.ip"
add_tag => [ "ASN" ]
database => "/usr/share/GeoIP/GeoLite2-ASN.mmdb"
}
}
}
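Review bot: `[source.ip]` in the conditionals, `address => [ "%{[source.ip]}" ]` and `source => "source.ip"` refer to a top-level field literally named `source.ip`, not to the nested ECS field `[source][ip]`; the same applies to `[@metadata][source.locality]` here and to the `(?<host.name>.*?)` capture in the first hunk. If the `%{PF_*}` patterns loaded from patterns_dir (not shown) populate the nested form, the `cidr` check never matches, `source.locality` is never set, and every event, including RFC 1918 and loopback sources, falls through to both `geoip` lookups, so the private-range guard is silently bypassed. Using the nested references throughout, e.g. `if ![geoip] and [source][ip] {`, `address => [ "%{[source][ip]}" ]` and `source => "[source][ip]"`, keeps the conditionals, cidr and geoip consistent with ECS; the suricata and snort hunks carry the same references and need the same treatment. Separately, `lowercase => [ 'proto' ]` now appears to sit only inside the `igb0` block, so proto is normalized only for WAN-tagged events; if that is unintended, keep it in its own mutate ahead of the interface checks. The enclosing `filter {` block starts and ends outside this hunk.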