From 9ff791aef6d5660b5a8cb045454df686cc81c7fa Mon Sep 17 00:00:00 2001
From: Andrew <a@3ilson.com>
Date: Tue, 10 Sep 2019 10:56:38 -0400
Subject: [PATCH] Update 11-pf.conf
---
 11-pf.conf | 225 ++++++++++++++++++++++++++++------------------------
 1 file changed, 117 insertions(+), 108 deletions(-)
diff --git a/11-pf.conf b/11-pf.conf
index 2e58ef2..506d208 100644
--- a/11-pf.conf
+++ b/11-pf.conf
@@ -3,113 +3,122 @@ filter {
 grok {
 add_tag => [ "firewall" ]
 match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
- }
- mutate {
- gsub => ["datetime"," "," "]
- }
- date {
- match => [ "datetime", "MMM dd HH:mm:ss" ]
- timezone => "America/New_York"
- }
- mutate {
- replace => [ "message", "%{msg}" ]
- }
- mutate {
- remove_field => [ "msg", "datetime" ]
- }
- if [prog] =~ /^dhcpd$/ {
- mutate {
- add_tag => [ "dhcpd" ]
- }
- grok {
- patterns_dir => ["/etc/logstash/conf.d/patterns"]
- match => [ "message", "%{DHCPD}"]
- }
- }
- if [prog] =~ /^suricata/ {
- mutate {
- add_tag => [ "Suricata" ]
- }
- grok {
- patterns_dir => ["/etc/logstash/conf.d/patterns"]
- match => [ "message", "%{SURICATA}"]
- }
- if ![geoip] and [ids_src_ip] !~ /^(10\.|192\.168\.)/ {
- geoip {
- add_tag => [ "GeoIP" ]
- source => "ids_src_ip"
- database => "/etc/logstash/GeoLite2-City.mmdb"
- }
- }
- if [prog] =~ /^suricata/ {
- mutate {
- add_tag => [ "ET-Sig" ]
- add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{[ids_sig_id]}" ]
- }
- }
- }
- if [prog] =~ /^charon$/ {
- mutate {
- add_tag => [ "ipsec" ]
- }
- }
- if [prog] =~ /^barnyard2/ {
- mutate {
- add_tag => [ "barnyard2" ]
- }
- }
- if [prog] =~ /^openvpn/ {
- mutate {
- add_tag => [ "openvpn" ]
- }
- grok {
- patterns_dir => ["/etc/logstash/conf.d/patterns"]
- match => [ "message", "%{OPENVPN}"]
- }
- }
- if [prog] =~ /^ntpd/ {
- mutate {
- add_tag => [ "ntpd" ]
- }
- }
- if [prog] =~ /^php-fpm/ {
- mutate {
- add_tag => [ "web_portal" ]
- }
- grok {
- patterns_dir => ["/etc/logstash/conf.d/patterns"]
- match => [ "message", "%{PF_APP}%{PF_APP_DATA}"]
- }
- mutate {
- lowercase => [ 'pf_ACTION' ]
- }
- }
- if [prog] =~ /^apinger/ {
- mutate {
- add_tag => [ "apinger" ]
- }
- }
- if [prog] =~ /^filterlog$/ {
- mutate {
- remove_field => [ "msg", "datetime" ]
- }
- grok {
- add_tag => [ "firewall" ]
- patterns_dir => ["/etc/logstash/conf.d/patterns"]
- match => [ "message", "%{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
- "message", "%{PF_IPv4_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
- "message", "%{PF_IPv6_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}"]
- }
- mutate {
- lowercase => [ 'proto' ]
- }
- if ![geoip] and [src_ip] !~ /^(10\.|192\.168\.)/ {
- geoip {
- add_tag => [ "GeoIP" ]
- source => "src_ip"
- database => "/etc/logstash/GeoLite2-City.mmdb"
- }
- }
- }
+ }
+ mutate {
+ gsub => ["datetime"," "," "]
+ }
+ date {
+ match => [ "datetime", "MMM dd HH:mm:ss" ]
+ timezone => "America/New_York"
+ }
+ mutate {
+ replace => [ "message", "%{msg}" ]
+ }
+ mutate {
+ remove_field => [ "msg", "datetime" ]
+ }
+ if [prog] =~ /^dhcpd$/ {
+ mutate {
+ add_tag => [ "dhcpd" ]
+ }
+ grok {
+ patterns_dir => ["/etc/logstash/conf.d/patterns"]
+ match => [ "message", "%{DHCPD}"]
+ }
+ }
+ if [prog] =~ /^suricata/ {
+ mutate {
+ add_tag => [ "SuricataIDPS" ]
+ }
+ grok {
+ patterns_dir => ["/etc/logstash/conf.d/patterns"]
+ match => [ "message", "%{SURICATA}"]
+ }
+ if ![geoip] and [ids_src_ip] !~ /^(10\.|172\.22\.|192\.168\.)/ {
+ geoip {
+ add_tag => [ "GeoIP" ]
+ source => "ids_src_ip"
+ database => "/etc/logstash/GeoLite2-City.mmdb"
+ }
 }
+ if [prog] =~ /^suricata/ {
+ mutate {
+ add_tag => [ "ET-Sig" ]
+ add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{[ids_sig_id]}" ]
+ }
+ }
+ }
+ if [prog] =~ /^charon$/ {
+ mutate {
+ add_tag => [ "ipsec" ]
+ }
+ }
+ if [prog] =~ /^barnyard2/ {
+ mutate {
+ add_tag => [ "barnyard2" ]
+ }
+ }
+ if [prog] =~ /^openvpn/ {
+ mutate {
+ add_tag => [ "openvpn" ]
+ }
+ grok {
+ patterns_dir => ["/etc/logstash/conf.d/patterns"]
+ match => [ "message", "%{OPENVPN}"]
+ }
+ }
+ if [prog] =~ /^ntpd/ {
+ mutate {
+ add_tag => [ "ntpd" ]
+ }
+ }
+ if [prog] =~ /^php-fpm/ {
+ mutate {
+ add_tag => [ "web_portal" ]
+ }
+ grok {
+ patterns_dir => ["/etc/logstash/conf.d/patterns"]
+ match => [ "message", "%{PF_APP}%{PF_APP_DATA}"]
+ }
+ mutate {
+ lowercase => [ 'pf_ACTION' ]
+ }
+ }
+ if [prog] =~ /^apinger/ {
+ mutate {
+ add_tag => [ "apinger" ]
+ }
+ }
+ if [prog] =~ /^filterlog$/ {
+ mutate {
+ remove_field => [ "msg", "datetime" ]
+ }
+ grok {
+ add_tag => [ "firewall" ]
+ patterns_dir => ["/etc/logstash/conf.d/patterns"]
+ match => [ "message", "%{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
+ "message", "%{PF_IPv4_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
+ "message", "%{PF_IPv6_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}"]
+ }
+ mutate {
+ lowercase => [ 'proto' ]
+ }
+ if ![geoip] and [src_ip] {
+ # Check if source IP address is private.
+ cidr {
+ address => [ "%{[src_ip]}" ]
+ network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
+ add_field => { "[@metadata][src_locality]" => "private" }
+ }
+ # Check to see if src_locality exists. If it doesn't the src_addr didn't match a private address space and locality must be public.
+ if ![@metadata][src_locality] {
+ geoip {
+ add_tag => [ "GeoIP" ]
+ source => "src_ip"
+ database => "/etc/logstash/GeoLite2-City.mmdb"
+ }
+ }
+ }
+ }
 }
--
GitLab
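Review bot: The Suricata branch still gates its GeoIP lookup on the regex `!~ /^(10\.|172\.22\.|192\.168\.)/` while the filterlog branch below now uses a `cidr` filter against a full private/reserved list; `172\.22\.` covers only 172.22.0.0/16 of 172.16.0.0/12, and loopback, link-local, multicast and IPv6 ULA values in `ids_src_ip` are still passed to the GeoLite2 lookup. Reusing the same cidr block for `ids_src_ip` with its own metadata flag (so it cannot collide with `[@metadata][src_locality]` set in the filterlog branch) keeps both paths consistent. In the new cidr block the comment `If it doesn't the src_addr didn't match a private address space` names a field `src_addr` while the checked field is `src_ip`, and `0.0.0.0/32` covers only the unspecified address rather than the RFC 1122 `0.0.0.0/8` block, so confirm which was intended; the bare `::` entry may also not be accepted as CIDR notation by the filter, where `::/128` is unambiguous. The inner `if [prog] =~ /^suricata/` repeats the enclosing condition and could be dropped.
```logstash
if [prog] =~ /^suricata/ {
  # … unchanged: SuricataIDPS tag and %{SURICATA} grok …
  if ![geoip] and [ids_src_ip] {
    # Check if the IDS source IP is private/reserved; skip GeoIP when it is.
    cidr {
      address => [ "%{[ids_src_ip]}" ]
      network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::/128" ]
      add_field => { "[@metadata][ids_src_locality]" => "private" }
    }
    if ![@metadata][ids_src_locality] {
      geoip {
        add_tag => [ "GeoIP" ]
        source => "ids_src_ip"
        database => "/etc/logstash/GeoLite2-City.mmdb"
      }
    }
  }
  # … unchanged: ET-Sig tag and Signature_Info field …
}
```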