From 9ff791aef6d5660b5a8cb045454df686cc81c7fa Mon Sep 17 00:00:00 2001
From: Andrew <a@3ilson.com>
Date: Tue, 10 Sep 2019 10:56:38 -0400
Subject: [PATCH] Update 11-pf.conf

---
 11-pf.conf | 225 ++++++++++++++++++++++++++++-------------------------
 1 file changed, 117 insertions(+), 108 deletions(-)

diff --git a/11-pf.conf b/11-pf.conf
index 2e58ef2..506d208 100644
--- a/11-pf.conf
+++ b/11-pf.conf
@@ -3,113 +3,122 @@ filter {
     grok {
       add_tag => [ "firewall" ]
       match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
-            }
-            mutate {
-              gsub => ["datetime","  "," "]
-            }
-            date {
-              match => [ "datetime", "MMM dd HH:mm:ss" ]
-              timezone => "America/New_York"
-            }
-            mutate {
-              replace => [ "message", "%{msg}" ]
-            }
-            mutate {
-              remove_field => [ "msg", "datetime" ]
-            }
-            if [prog] =~ /^dhcpd$/ {
-              mutate {
-                add_tag => [ "dhcpd" ]
-              }
-             grok {
-                 patterns_dir => ["/etc/logstash/conf.d/patterns"]
-                 match => [ "message", "%{DHCPD}"]
-             }
-            }
-            if [prog] =~ /^suricata/ {
-              mutate {
-                add_tag => [ "Suricata" ]
-              }
-              grok {
-                  patterns_dir => ["/etc/logstash/conf.d/patterns"]
-                  match => [ "message", "%{SURICATA}"]
-             }
-                if ![geoip] and [ids_src_ip] !~ /^(10\.|192\.168\.)/ {
-                  geoip {
-                    add_tag => [ "GeoIP" ]
-                    source => "ids_src_ip"
-                    database => "/etc/logstash/GeoLite2-City.mmdb"
-                  }
-                }
-            if [prog] =~ /^suricata/ {
-                mutate {
-                    add_tag => [ "ET-Sig" ]
-                    add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{[ids_sig_id]}" ]
-                }
-              }
-            }
-            if [prog] =~ /^charon$/ {
-              mutate {
-                add_tag => [ "ipsec" ]
-              }
-            }
-            if [prog] =~ /^barnyard2/ {
-              mutate {
-                add_tag => [ "barnyard2" ]
-              }
-            }
-            if [prog] =~ /^openvpn/ {
-              mutate {
-                add_tag => [ "openvpn" ]
-              }
-              grok {
-                  patterns_dir => ["/etc/logstash/conf.d/patterns"]
-                  match => [ "message", "%{OPENVPN}"]
-              }
-            }
-            if [prog] =~ /^ntpd/ {
-              mutate {
-                add_tag => [ "ntpd" ]
-              }
-            }
-            if [prog] =~ /^php-fpm/ {
-              mutate {
-                add_tag => [ "web_portal" ]
-              }
-              grok {
-                  patterns_dir => ["/etc/logstash/conf.d/patterns"]
-                  match => [ "message", "%{PF_APP}%{PF_APP_DATA}"]
-              }
-              mutate {
-                  lowercase => [ 'pf_ACTION' ]
-              }
-            }
-            if [prog] =~ /^apinger/ {
-              mutate {
-                add_tag => [ "apinger" ]
-              }
-            }
-            if [prog] =~ /^filterlog$/ {
-                mutate {
-                    remove_field => [ "msg", "datetime" ]
-                }
-                grok {
-                    add_tag => [ "firewall" ]
-                    patterns_dir => ["/etc/logstash/conf.d/patterns"]
-                    match => [ "message", "%{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
-                               "message", "%{PF_IPv4_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
-                               "message", "%{PF_IPv6_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}"]
-                }
-                mutate {
-                    lowercase => [ 'proto' ]
-                }
-                if ![geoip] and [src_ip] !~ /^(10\.|192\.168\.)/ {
-                  geoip {
-                    add_tag => [ "GeoIP" ]
-                    source => "src_ip"
-                    database => "/etc/logstash/GeoLite2-City.mmdb"
-                  }
-                }
-            }
+    }
+    mutate {
+      gsub => ["datetime","  "," "]
+    }
+    date {
+      match => [ "datetime", "MMM dd HH:mm:ss" ]
+      timezone => "America/New_York"
+    }
+    mutate {
+      replace => [ "message", "%{msg}" ]
+    }
+    mutate {
+      remove_field => [ "msg", "datetime" ]
+    }
+    if [prog] =~ /^dhcpd$/ {
+      mutate {
+        add_tag => [ "dhcpd" ]
+      }
+     grok {
+         patterns_dir => ["/etc/logstash/conf.d/patterns"]
+         match => [ "message", "%{DHCPD}"]
+     }
+    }
+    if [prog] =~ /^suricata/ {
+      mutate {
+        add_tag => [ "SuricataIDPS" ]
+      }
+      grok {
+          patterns_dir => ["/etc/logstash/conf.d/patterns"]
+          match => [ "message", "%{SURICATA}"]
+      }
+        if ![geoip] and [ids_src_ip] !~ /^(10\.|172\.22\.|192\.168\.)/ {
+          geoip {
+            add_tag => [ "GeoIP" ]
+            source => "ids_src_ip"
+            database => "/etc/logstash/GeoLite2-City.mmdb"
+          }
         }
+        if [prog] =~ /^suricata/ {
+          mutate {
+            add_tag => [ "ET-Sig" ]
+            add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{[ids_sig_id]}" ]
+        }
+      }
+    }
+    if [prog] =~ /^charon$/ {
+      mutate {
+        add_tag => [ "ipsec" ]
+      }
+    }
+    if [prog] =~ /^barnyard2/ {
+      mutate {
+        add_tag => [ "barnyard2" ]
+      }
+    }
+    if [prog] =~ /^openvpn/ {
+      mutate {
+        add_tag => [ "openvpn" ]
+      }
+      grok {
+          patterns_dir => ["/etc/logstash/conf.d/patterns"]
+          match => [ "message", "%{OPENVPN}"]
+      }
+    }
+    if [prog] =~ /^ntpd/ {
+      mutate {
+        add_tag => [ "ntpd" ]
+      }
+    }
+    if [prog] =~ /^php-fpm/ {
+      mutate {
+        add_tag => [ "web_portal" ]
+      }
+      grok {
+          patterns_dir => ["/etc/logstash/conf.d/patterns"]
+          match => [ "message", "%{PF_APP}%{PF_APP_DATA}"]
+      }
+      mutate {
+          lowercase => [ 'pf_ACTION' ]
+      }
+    }
+    if [prog] =~ /^apinger/ {
+      mutate {
+        add_tag => [ "apinger" ]
+      }
+    }
+    if [prog] =~ /^filterlog$/ {
+      mutate {
+          remove_field => [ "msg", "datetime" ]
+      }
+      grok {
+          add_tag => [ "firewall" ]
+          patterns_dir => ["/etc/logstash/conf.d/patterns"]
+          match => [ "message", "%{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
+                     "message", "%{PF_IPv4_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}",
+                     "message", "%{PF_IPv6_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}"]
+      }
+      mutate {
+          lowercase => [ 'proto' ]
+      }
+      if ![geoip] and [src_ip] {
+        # Check if source IP address is private.
+        cidr {
+               address => [ "%{[src_ip]}" ]
+               network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
+               add_field => { "[@metadata][src_locality]" => "private" }
+        }
+        # Check to see if src_locality exists. If it doesn't the src_addr didn't match a private address space and locality must be public.
+        if ![@metadata][src_locality] {
+          geoip {
+            add_tag => [ "GeoIP" ]
+            source => "src_ip"
+            database => "/etc/logstash/GeoLite2-City.mmdb"
+          }
+        }
+      }
+    }
+  }
 }
-- 
GitLab