From f91e8eb632ed8756b8963eab616f4a5d0c4d66f2 Mon Sep 17 00:00:00 2001
From: Mike Eriksson <swedishmike@users.noreply.github.com>
Date: Wed, 11 Sep 2019 11:01:37 +0100
Subject: [PATCH] Added capabilities to handle Snort data too.

---
 11-pf.conf  | 31 +++++++++++++++++++++++++++++++
 pfv100.grok |  3 +++
 2 files changed, 34 insertions(+)

diff --git a/11-pf.conf b/11-pf.conf
index d3f6f59..0045ec4 100644
--- a/11-pf.conf
+++ b/11-pf.conf
@@ -60,6 +60,37 @@ filter {
         }
       }
     }
+    if [prog] =~ /^snort/ {
+      mutate {
+        add_tag => [ "Snort" ]
+      }
+      grok {
+        patterns_dir => ["/etc/logstash/conf.d/patterns"]
+        match => [ "message", "%{SNORT}"]
+      }
+      if ![geoip] and [src_ip] {
+        # Check if source IP address is private.
+        cidr {
+          address => [ "%{[src_ip]}" ]
+          network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
+          add_field => { "[@metadata][src_locality]" => "private" }
+        }
+        # Check to see if src_locality exists. If it doesn't the src_addr didn't match a private address space and locality must be public.
+        if ![@metadata][src_locality] {
+          geoip {
+            add_tag => [ "GeoIP" ]
+            source => "src_ip"
+            database => "/etc/logstash/GeoLite2-City.mmdb"
+          }
+        }
+        if [prog] =~ /^snort/ {
+          mutate {
+            add_tag => [ "ET-Sig" ]
+            add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{[ids_sig_id]}" ]
+          }
+        }
+      }
+    }
     if [prog] =~ /^charon$/ {
       mutate {
         add_tag => [ "ipsec" ]
diff --git a/pfv100.grok b/pfv100.grok
index 4e04e93..79dc54d 100644
--- a/pfv100.grok
+++ b/pfv100.grok
@@ -54,3 +54,6 @@ OPENVPN %{IP:vpn_src_ip}\:%{INT:vpn_src_port}%{SPACE}\[%{DATA:vpn_client}\]%{SPA
 
 # SURICATA
 SURICATA %{SPACE}\[%{NUMBER:ids_gen_id}:%{NUMBER:ids_sig_id}:%{NUMBER:ids_sig_rev}\]%{SPACE}%{GREEDYDATA:ids_desc}%{SPACE}\[Classification:%{SPACE}%{GREEDYDATA:ids_class}\]%{SPACE}\[Priority:%{SPACE}%{NUMBER:ids_pri}\]%{SPACE}{%{WORD:ids_proto}}%{SPACE}%{IP:ids_src_ip}:%{NUMBER:ids_src_port}%{SPACE}->%{SPACE}%{IP:ids_dest_ip}:%{NUMBER:ids_dest_port}
+
+# SNORT
+SNORT \[%{INT:ids_gen_id}\:%{INT:ids_sig_id}\:%{INT:ids_sig_rev}\].%{GREEDYDATA:ids_desc}.\[Classification\: %{DATA:ids_class}\].\[Priority\: %{INT:ids_pri}\].\{%{DATA:ids_proto}\}.%{IP:ids_src_ip}\:%{INT:ids_src_port}.->.%{IP:ids_dest_ip}\:%{INT:ids_dest_port}
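Review bot: The new `SNORT` pattern uses an unescaped `.` as the separator between every field (`\].%{GREEDYDATA:ids_desc}.\[Classification`, `\}.%{IP:ids_src_ip}`, `.->.`), which matches any single character rather than the space that separates these tokens, so a malformed or crafted alert line can shift what lands in `ids_desc`, `ids_class` and `ids_proto` while still matching. The sibling `SURICATA` pattern on the line above uses `%{SPACE}` for the same positions; replacing each bare `.` with `%{SPACE}` (or `\s`) would tighten the match and keep the two patterns consistent. For the same consistency reason `ids_proto` should probably be `%{WORD:ids_proto}` as in `SURICATA` rather than `%{DATA:ids_proto}`, since the protocol token never contains whitespace. The `INT`/`NUMBER` difference between the two patterns is harmless but worth aligning.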
-- 
GitLab