tag elastiflow from ip list

elastiflow-tagging.py

#!/usr/bin/env python

from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
from elasticsearch_dsl import query as q
from elasticsearch_dsl import Q
from elasticsearch_dsl.query import MultiMatch, Match
from elasticsearch_dsl import UpdateByQuery
import re, sys

s_index="elastiflow-4.0.1-2022.*.*"
tags = [ "suspicious", "fake" ]

def cleanup(l):
    # whitespaces und carriage return wegnehmen
    c = l.strip().rstrip("\n")
    # falls :443 dran ist, wegwerfen
    ip = c.split(":")[0]
    return ip


def search(ip):
    x=(Search(using=client, index=s_index).extra(track_total_hits=True).filter(
      q.QueryString(query="server.domain=%s" % ip))[1:10000].execute())
    return x


def store_or_not(hit):
    if hit['network']['packets'] >0:
        update_it(hit.meta.id, hit.meta.index)


def update_it(doc_id, doc_index):
    response  = client.update(doc_index, doc_type="_doc", id=doc_id, body=tag_update)
    if response['result'] not in [ "successful", "updated", "noop" ]:
        print ("%s update result: %s" % ip, response['result'])


tag_update = {
  "doc" : {
    "flow" : {
      "server_rep_tags" : tags,
      "src_rep_tags"    : tags,
      "rep_tags"        : tags
    }
  }
}


client = Elasticsearch()

with open('xx.txt', 'r') as iplist:
    lines = iplist.readlines()
    for line in lines:
        ip = cleanup(line)
        hits = search(ip)
        if len(hits) > 0:
            for hit in hits:
                store_or_not(hit)