Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Logstash configuration + Virustotal API with http filter + memcached
# There's a virustotal filter for logstash if you search the Internet
# I have a field hash that contains the sha256 of the file downloaded on the honeypot
# memcached is used to store the query results in memory
# query is made to memcached, if there's nothing there then make the http request with the API key
# memcached is used to minimize the # of queries made given the same file hash
# the returned results is stored in vt.* field . You may need to remove fields that you don't need
# you'll also need to install memcached and the logstash memcached filter
input {}
filter {
if [hash] {
memcached {
hosts => ["127.0.0.1:11211"]
namespace => "virustotal"
get => {
"%{[hash]}" => "[vt]"
}
add_tag => ["hash_memcached_get"]
}
}
if ((! [vt]) and ("" in [hash])) {
http {
url => "https://www.virustotal.com/api/v3/files/%{hash}"
verb => "GET"
headers => { "x-apikey" => "INSERT_YOUR_VT_API_KEY_HERE" }
target_body => "[vt]"
target_headers => "[@metadata][vt-response-header]"
}
#set the results in memcached
if [vt] {
memcached {
hosts => ["127.0.0.1"]
namespace => "virustotal"
set => {
"[vt]" => "%{[hash]}"
}
#3600 * 24 hr, store for 24 hours
ttl => 86400
add_tag => ["hash_memcached_set"]
}
}
}
#remove field that you don't need (example)
# if [vt] {
# mutate{
# remove_field => [
# "[vt][data][type]",
# "[vt][data][id]"
# ]
# }
#}
}
output{}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment