Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/bin/bash
set -e
ENDPOINT=
# install java 8
add-apt-repository ppa:openjdk-r/ppa
apt-get update
apt-get install -y openjdk-8-jdk
# add elastic repository
wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | apt-key add -
echo "deb https://packages.elastic.co/logstash/2.3/debian stable main" | tee -a /etc/apt/sources.list
# install logstash
sudo apt-get update && sudo apt-get install -y logstash
# create configuration file
cat <<EOF >/etc/logstash/conf.d/snort-alert.conf
input {
file {
path => "/var/log/snort/alert"
start_position => beginning
ignore_older => 0
}
}
filter {
grok {
match => { "message" => "%{DATA:timestamp}\s+\[.*?\]\s+\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s+%{DATA:alert}\s+\[.*?\]\s+(\[Classification:\s+%{DATA:classification}\]\s+)?\[Priority:\s+%{INT:priority}\]\s+\{%{DATA:protocol}\}\s+%{IPV4:SrcIp}(:%{INT:SrcPort})?\s+->\s+%{IPV4:DstIp}(:%{INT:DstPort})?"}
}
geoip {
source => "[SrcIp]"
target => "SrcGeo"
}
geoip {
source => "[DstIp]"
target => "DstGeo"
}
mutate {
convert => [ "SrcPort", "integer" ]
convert => [ "DstPort", "integer" ]
}
}
output {
elasticsearch {
hosts => "http://${ENDPOINT}:80/"
index => "snort-alert"
}
stdout {}
}
EOF
service logstash start
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment