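filter {
  # Only flows tagged by one of the two netflow inputs go through this branch.
  if [identification] in ["netflow-corpse", "netflow-cannibal"] {
    #
    # GEO LOCATION
    #
    # Only public addresses are geolocated. The pattern excludes the whole
    # loopback block (127/8, not just 127.0.0.1), RFC1918 (10/8, 172.16/12,
    # 192.168/16) and link-local (169.254/16). It does NOT exclude 0/8,
    # 100.64/10 (CGNAT), 224/4 multicast or 240/4 reserved; lookups on those
    # fail (_geoip_lookup_failure tag) and the flow is then classed "_int".
    # The existence check matters: "!~" on a missing field evaluates to true,
    # so an IPv6-only flow (no ipv4_* fields) would otherwise be tagged as both
    # download and upload.
    # If both addresses are public, add_field turns "sens" and "BandePassante"
    # into arrays with both values; this is the same behaviour as before.
    if [netflow][ipv4_src_addr] and [netflow][ipv4_src_addr] !~ "(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
      mutate { add_field => { "sens" => "download" } }
      geoip {
        database => "/etc/logstash/GeoLite2-City.mmdb"
        source   => "[netflow][ipv4_src_addr]"
        target   => "SourceGeo"
      }
      # "NC" means local traffic; anything else, including a failed lookup
      # that leaves country_code2 unset, counts as international.
      if [SourceGeo][country_code2] == "NC" {
        mutate { add_field => { "BandePassante" => "download_loc" } }
      } else {
        mutate { add_field => { "BandePassante" => "download_int" } }
      }
      # Drop a 0,0 coordinate pair (unknown location) so it is not indexed as
      # a real geo_point. Nested syntax is required here: "[SourceGeo.coordinates]"
      # names a top-level field literally called "SourceGeo.coordinates" and
      # never matches what the geoip filter writes under target "SourceGeo".
      # NOTE(review): GeoLite2-City output carries the point as
      # [SourceGeo][location] (lat/lon) rather than "coordinates", and the
      # unanchored "0,0" pattern also matches e.g. "40,05" — confirm the field
      # name and its format in this deployment before relying on this block.
      if [SourceGeo][coordinates] and [SourceGeo][coordinates] =~ "0,0" {
        mutate { remove_field => [ "[SourceGeo][coordinates]" ] }
      }
    }

    # Same treatment for the destination address (non-private destination =
    # upload direction).
    if [netflow][ipv4_dst_addr] and [netflow][ipv4_dst_addr] !~ "(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
      mutate { add_field => { "sens" => "upload" } }
      geoip {
        database => "/etc/logstash/GeoLite2-City.mmdb"
        source   => "[netflow][ipv4_dst_addr]"
        target   => "DestinationGeo"
      }
      if [DestinationGeo][country_code2] == "NC" {
        mutate { add_field => { "BandePassante" => "upload_loc" } }
      } else {
        mutate { add_field => { "BandePassante" => "upload_int" } }
      }
      # Drop a 0,0 coordinate pair; see the SourceGeo block for the field-name
      # caveat, which applies here as well.
      if [DestinationGeo][coordinates] and [DestinationGeo][coordinates] =~ "0,0" {
        mutate { remove_field => [ "[DestinationGeo][coordinates]" ] }
      }
    }

    # Flow fingerprint: HMAC-SHA1 over the 5-tuple (source address, source
    # port, destination address, destination port, protocol) so that top-N
    # terms queries can be run on whole flows rather than on one field. The
    # key only has to stay constant across pipeline restarts for the hash to
    # be stable; it is not a secret. The hash lands in the default
    # "fingerprint" field.
    # The guard uses nested syntax ([netflow][ipv4_src_addr]); the dotted
    # form "[netflow.ipv4_src_addr]" names a top-level field that does not
    # exist, so the fingerprint was never computed.
    # NOTE(review): none of the listed source fields (SourceAddress,
    # SourcePort, DestinationAddress, DestinationPort, Protocole) is set in
    # this filter. The netflow codec exposes the tuple as
    # [netflow][ipv4_src_addr], [netflow][l4_src_port],
    # [netflow][ipv4_dst_addr], [netflow][l4_dst_port] and
    # [netflow][protocol]; unless an earlier filter renames them, missing
    # sources are most likely skipped and every flow gets the same hash.
    # Confirm against the rest of the pipeline before changing the list.
    if [netflow][ipv4_src_addr] and [netflow][ipv4_dst_addr] {
      fingerprint {
        concatenate_sources => true
        method => "SHA1"
        key    => "logstash"
        source => [ "SourceAddress", "SourcePort", "DestinationAddress", "DestinationPort", "Protocole" ]
      }
    }
  }
}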