From dac547d84b535106ff191ce3240e3ad0cc7b8041 Mon Sep 17 00:00:00 2001
From: a3ilson <a@3ilson.com>
Date: Sat, 4 Nov 2017 19:11:49 -0400
Subject: [PATCH] Create 10-suricata

---
 10-suricata | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 10-suricata

diff --git a/10-suricata b/10-suricata
new file mode 100644
index 0000000..64deabf
--- /dev/null
+++ b/10-suricata
@@ -0,0 +1,37 @@
+filter {
+  if [type] == "SuricataIDPS" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    ruby {
+      code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
+    }
+  }
+
+  if [src_ip]  {
+    geoip {
+      source => "src_ip"
+      target => "geoip"
+      database => "/etc/logstash/GeoLite2-City.mmdb"
+      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
+      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
+    }
+    mutate {
+      convert => [ "[geoip][coordinates]", "float" ]
+    }
+    if ![geoip.ip] {
+      if [dest_ip]  {
+        geoip {
+          source => "dest_ip"
+          target => "geoip"
+          database => "/etc/logstash/GeoLite2-City.mmdb"
+          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
+          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
+        }
+        mutate {
+          convert => [ "[geoip][coordinates]", "float" ]
+        }
+      }
+    }
+  }
+}
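Review bot: The condition `if ![geoip.ip] {` guarding the dest_ip block tests a single top-level field literally named `geoip.ip`, not the nested `[geoip][ip]` that the preceding src_ip geoip filter populates, so it is effectively always true and the dest_ip lookup runs on every event that carries both addresses, replacing the source-side enrichment that the fallback was meant to preserve. It should read `if ![geoip][ip] {`. Separately, the ruby block on the fileinfo line dereferences `event['fileinfo']['magic']` without first checking that `fileinfo` exists; an event with `event_type` `fileinfo` but no `fileinfo` hash would raise inside the filter and be tagged with the ruby filter's exception tag rather than enriched, so guard it, e.g. `if event['event_type'] == 'fileinfo' && event['fileinfo']; ...; end;`. The `event['...']` accessor form is the legacy event API; if this is deployed on a Logstash release where that API has been removed, the block needs `event.get`/`event.set` instead.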
-- 
GitLab