Unverified Commit 9ff791ae authored by Andrew's avatar Andrew Committed by GitHub

Update 11-pf.conf

parent 3b9050d2
...@@ -28,13 +28,13 @@ filter { ...@@ -28,13 +28,13 @@ filter {
} }
if [prog] =~ /^suricata/ { if [prog] =~ /^suricata/ {
mutate { mutate {
add_tag => [ "Suricata" ] add_tag => [ "SuricataIDPS" ]
} }
grok { grok {
patterns_dir => ["/etc/logstash/conf.d/patterns"] patterns_dir => ["/etc/logstash/conf.d/patterns"]
match => [ "message", "%{SURICATA}"] match => [ "message", "%{SURICATA}"]
} }
if ![geoip] and [ids_src_ip] !~ /^(10\.|192\.168\.)/ { if ![geoip] and [ids_src_ip] !~ /^(10\.|172\.22\.|192\.168\.)/ {
geoip { geoip {
add_tag => [ "GeoIP" ] add_tag => [ "GeoIP" ]
source => "ids_src_ip" source => "ids_src_ip"
...@@ -103,7 +103,15 @@ filter { ...@@ -103,7 +103,15 @@ filter {
mutate { mutate {
lowercase => [ 'proto' ] lowercase => [ 'proto' ]
} }
if ![geoip] and [src_ip] !~ /^(10\.|192\.168\.)/ { if ![geoip] and [src_ip] {
# Check if source IP address is private.
cidr {
address => [ "%{[src_ip]}" ]
network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
add_field => { "[@metadata][src_locality]" => "private" }
}
# Check to see if src_locality exists. If it doesn't the src_addr didn't match a private address space and locality must be public.
if ![@metadata][src_locality] {
geoip { geoip {
add_tag => [ "GeoIP" ] add_tag => [ "GeoIP" ]
source => "src_ip" source => "src_ip"
...@@ -113,3 +121,4 @@ filter { ...@@ -113,3 +121,4 @@ filter {
} }
} }
} }
}