From 8fdba557f167f9139538bb1d96737f2146ef6fb3 Mon Sep 17 00:00:00 2001
From: Andrew <a@3ilson.com>
Date: Tue, 10 Sep 2019 11:29:05 -0400
Subject: [PATCH] Update 11-pf.conf
---
 11-pf.conf | 50 +++++++++++++++++++++++++-------------------------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/11-pf.conf b/11-pf.conf
index 107d837..ec49c72 100644
--- a/11-pf.conf
+++ b/11-pf.conf
@@ -21,25 +21,25 @@ filter {
 mutate {
 add_tag => [ "dhcpd" ]
 }
- grok {
- patterns_dir => ["/etc/logstash/conf.d/patterns"]
- match => [ "message", "%{DHCPD}"]
- }
+ grok {
+ patterns_dir => ["/etc/logstash/conf.d/patterns"]
+ match => [ "message", "%{DHCPD}"]
+ }
 }
 if [prog] =~ /^suricata/ {
 mutate {
- add_tag => [ "SuricataIDPS" ]
+ add_tag => [ "Suricata" ]
 }
 grok {
- patterns_dir => ["/etc/logstash/conf.d/patterns"]
- match => [ "message", "%{SURICATA}"]
+ patterns_dir => ["/etc/logstash/conf.d/patterns"]
+ match => [ "message", "%{SURICATA}"]
 }
 if ![geoip] and [src_ip] {
 # Check if source IP address is private.
 cidr {
- address => [ "%{[src_ip]}" ]
- network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
- add_field => { "[@metadata][src_locality]" => "private" }
+ address => [ "%{[src_ip]}" ]
+ network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
+ add_field => { "[@metadata][src_locality]" => "private" }
 }
 # Check to see if src_locality exists. If it doesn't the src_addr didn't match a private address space and locality must be public.
 if ![@metadata][src_locality] {
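Review bot: The tag rename from `"SuricataIDPS"` to `"Suricata"` inside the `if [prog] =~ /^suricata/` branch is a data-visible change, not a whitespace one like the rest of this hunk: any output conditional, index template or Kibana saved search that selects on the old tag will silently stop matching, no consumer of the tag is visible here, and the commit subject "Update 11-pf.conf" gives no hint that a migration is needed. Events already indexed presumably keep the old tag, so dashboards will show a split until they are updated to match both values. If the rename is intentional, either emit both tags for a transition period, `add_tag => [ "Suricata", "SuricataIDPS" ]`, or state the new value in the commit message and update the downstream filters in the same change. The `if [prog] =~ /^suricata/` block continues past the end of the hunk.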
@@ -72,8 +72,8 @@ filter {
 add_tag => [ "openvpn" ]
 }
 grok {
- patterns_dir => ["/etc/logstash/conf.d/patterns"]
- match => [ "message", "%{OPENVPN}"]
+ patterns_dir => ["/etc/logstash/conf.d/patterns"]
+ match => [ "message", "%{OPENVPN}"]
 }
 }
 if [prog] =~ /^ntpd/ {
@@ -86,11 +86,11 @@ filter {
 add_tag => [ "web_portal" ]
 }
 grok {
- patterns_dir => ["/etc/logstash/conf.d/patterns"]
- match => [ "message", "%{PF_APP}%{PF_APP_DATA}"]
+ patterns_dir => ["/etc/logstash/conf.d/patterns"]
+ match => [ "message", "%{PF_APP}%{PF_APP_DATA}"]
 }
 mutate {
- lowercase => [ 'pf_ACTION' ]
+ lowercase => [ 'pf_ACTION' ]
 }
 }
 if [prog] =~ /^apinger/ {
@@ -100,24 +100,24 @@ filter {
 }
 if [prog] =~ /^filterlog$/ {
 mutate {
- remove_field => [ "msg", "datetime" ]
+ remove_field => [ "msg", "datetime" ]
 }
 grok {
- add_tag => [ "firewall" ]
- patterns_dir => ["/etc/logstash/conf.d/patterns"]
- match => [ "message", "%{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
- "message", "%{PF_IPv4_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
- "message", "%{PF_IPv6_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}"]
+ add_tag => [ "firewall" ]
+ patterns_dir => ["/etc/logstash/conf.d/patterns"]
+ match => [ "message", "%{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
+ "message", "%{PF_IPv4_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
+ "message", "%{PF_IPv6_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}"]
 }
 mutate {
- lowercase => [ 'proto' ]
+ lowercase => [ 'proto' ]
 }
 if ![geoip] and [src_ip] {
 # Check if source IP address is private.
 cidr {
- address => [ "%{[src_ip]}" ]
- network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
- add_field => { "[@metadata][src_locality]" => "private" }
+ address => [ "%{[src_ip]}" ]
+ network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
+ add_field => { "[@metadata][src_locality]" => "private" }
 }
 # Check to see if src_locality exists. If it doesn't the src_addr didn't match a private address space and locality must be public.
 if ![@metadata][src_locality] {
-- GitLab