Last active
January 22, 2020 00:59
-
-
Save linuxmalaysia/978e7fe76a2084f49932a3072caf5d64 to your computer and use it in GitHub Desktop.
logstash example filter by rules with if then else
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter { | |
| # start if | |
| if "syslog" in [tags] and "sshd" in [program] { | |
| ### Start Rule 1 | |
| ## https://github.com/ossec/ossec-rules/blob/master/rules.d/50-sshd_rules.xml | |
| grok { | |
| match => { | |
| "message" => [ "(?:%{TIMESTAMP_ISO8601:timestamp}|%{SYSLOGTIMESTAMP:timestamp}) %{HOSTNAME:host_target} sshd\[%{BASE10NUM}\]: Accepted password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:ssh_port} ssh2" ] | |
| } | |
| add_tag => [ "ssh_sucessful_login", "filter_sshd", "correlation" ] | |
| add_field => { "EventDesc" => "5715 SSHD sucessful login with accepted password" } | |
| add_field => { "event_id" => "5715" } | |
| remove_field => [ "timestamp" ] | |
| } | |
| ### Start Rule 2 | |
| ## <38>Sep 12 13:14:11 server sshd[27418]: Received disconnect from 58.137.72.110: 11: Bye Bye [preauth] | |
| ## wiki.quadrantsec.com/bin/view/Main/5000408 | |
| # https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0095-sshd_rules.xml | |
| if "syslog" in [tags] and "_grokparsefailure" in [tags] { | |
| grok { | |
| match => { | |
| "message" => [ "(?:%{TIMESTAMP_ISO8601:timestamp}|%{SYSLOGTIMESTAMP:timestamp})%{SPACE}%{HOSTNAME:host_target}%{SPACE}%{NOTSPACE}%{NOTSPACE}%{SPACE}Received disconnect from %{IP:src_ip}%{GREEDYDATA}" ] | |
| } | |
| add_tag => [ "ssh_disconnect", "filter_sshd", "correlation" ] | |
| add_field => { "EventDesc" => "5721 SSHD Disconnect" } | |
| add_field => { "event_id" => "5721" } | |
| remove_field => [ "timestamp" ] | |
| } | |
| } | |
| ### Start Rule 3 | |
| ## wiki.quadrantsec.com/bin/view/Main/5000022 | |
| if "syslog" in [tags] and "_grokparsefailure" in [tags] { | |
| grok { | |
| match => { | |
| "message" => [ "(?:%{TIMESTAMP_ISO8601:timestamp}|%{SYSLOGTIMESTAMP:timestamp}) %{HOSTNAME:host_target} sshd\[%{BASE10NUM}\]: Failed password for invalid user %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:ssh_port} ssh2" ] | |
| } | |
| add_tag => [ "ssh_brute_force_attack", "filter_sshd","correlation" ] | |
| add_field => { "EventDesc" => "5710 SSHD Attempt to login using a non-existent user" } | |
| add_field => { "event_id" => "5710" } | |
| remove_field => [ "timestamp" ] | |
| } | |
| } | |
| ### Start Rule 4 | |
| ### wiki.quadrantsec.com/bin/view/Main/5001647 | |
| if "syslog" in [tags] and "_grokparsefailure" in [tags] { | |
| grok { | |
| match => { | |
| "message" => [ "(?:%{TIMESTAMP_ISO8601:timestamp}|%{SYSLOGTIMESTAMP:timestamp}) %{HOSTNAME:host_target} sshd\[%{BASE10NUM}\]: Failed password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:ssh_port} ssh2" ] | |
| } | |
| add_tag => [ "ssh_failed_login", "filter_sshd", "correlation" ] | |
| add_field => { "EventDesc" => "5733 SSHD failed login with failed password. User entered incorrect password" } | |
| add_field => { "event_id" => "5733" } | |
| remove_field => [ "timestamp" ] | |
| } | |
| } | |
| ### Start Rule 5 | |
| ### wiki.quadrantsec.com/bin/view/Main/5000018 | |
| if "syslog" in [tags] and "_grokparsefailure" in [tags] { | |
| grok { | |
| match => { | |
| "message" => [ "(?:%{TIMESTAMP_ISO8601:timestamp}|%{SYSLOGTIMESTAMP:timestamp})%{SPACE}%{HOSTNAME:host_target}%{SPACE}%{NOTSPACE}%{NOTSPACE}%{SPACE}reverse mapping checking getaddrinfo for%{SPACE}%{NOTSPACE}%{SPACE}\[%{IP:src_ip}]%{SPACE}failed - POSSIBLE BREAK-IN ATTEMPT!" ] | |
| } | |
| add_tag => [ "ssh_break-in_attempt", "filter_sshd", "correlation" ] | |
| add_field => { "EventDesc" => "5702 SSHD Reverse lookup error (bad ISP or attack)" } | |
| add_field => { "event_id" => "5702" } | |
| remove_field => [ "timestamp" ] | |
| } | |
| } | |
| ### Start Rule 6 | |
| ### wiki.quadrantsec.com/bin/view/Main/5000022 | |
| if "syslog" in [tags] and "_grokparsefailure" in [tags] { | |
| grok { | |
| match => { | |
| "message" => [ "(?:%{TIMESTAMP_ISO8601:timestamp}|%{SYSLOGTIMESTAMP:timestamp})%{SPACE}%{HOSTNAME:host_target}%{SPACE}sshd%{NOTSPACE}%{SPACE}input_userauth_request: invalid user%{SPACE}%{USERNAME:username}%{SPACE}\[preauth]" ] | |
| } | |
| add_tag => [ "ssh_input_userauth_request", "filter_sshd", "correlation" ] | |
| add_field => { "EventDesc" => "5711 SSHD input userauth request invalid user. Useless/Duplicated SSHD message without a user/ip" } | |
| add_field => { "event_id" => "5711" } | |
| remove_field => [ "timestamp" ] | |
| } | |
| } | |
| ### Start Rule 7 | |
| ## <85>Sep 13 10:38:49 cloudera-master sshd[5391]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.46.97.107 user=root | |
| # wiki.quadrantsec.com/bin/view/Main/5000016 | |
| # https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0085-pam_rules.xml | |
| if "syslog" in [tags] and "_grokparsefailure" in [tags] { | |
| grok { | |
| match => { | |
| "message" => [ "(?:%{TIMESTAMP_ISO8601:timestamp}|%{SYSLOGTIMESTAMP:timestamp})%{SPACE}%{HOSTNAME:host_target}%{SPACE}%{NOTSPACE}%{SPACE}pam_unix%{NOTSPACE}%{SPACE}authentication failure;%{SPACE}logname=%{SPACE:logname}uid=%{BASE10NUM:uid}%{SPACE}euid=%{BASE10NUM:euid}%{SPACE}tty=%{NOTSPACE:tty}%{SPACE}ruser=%{SPACE:ruser}%{SPACE}rhost=%{IP:src_ip}%{SPACE}user=%{USERNAME:username}" ] | |
| } | |
| add_tag => [ "ssh_pam_authentication_failure", "filter_sshd", "correlation" ] | |
| add_field => { "EventDesc" => "5503 SSHD PAM authentication failure. User login failed" } | |
| add_field => { "event_id" => "5503" } | |
| remove_field => [ "timestamp" ] | |
| } | |
| } | |
| ### Start Rule 8 | |
| ## <86>Jan 31 01:41:47 server-192.168.90.105 sshd[6566]: pam_unix(sshd:session): session opened for user admin by (uid=0) | |
| # https://github.com/ossec/ossec-rules/blob/master/rules.d/50-pam_rules.xml | |
| # https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0085-pam_rules.xml | |
| if "syslog" in [tags] and "_grokparsefailure" in [tags] { | |
| grok { | |
| match => { | |
| "message" => [ "(?:%{TIMESTAMP_ISO8601:timestamp}|%{SYSLOGTIMESTAMP:timestamp})%{SPACE}%{HOSTNAME:host_target}%{SPACE}sshd\[%{BASE10NUM}]: pam_unix\(sshd:session\): session opened for user %{USERNAME:username} by \(uid=%{BASE10NUM:uid}\)" ] | |
| } | |
| add_tag => [ "ssh_pam_session_open", "filter_sshd", "correlation" ] | |
| add_field => { "EventDesc" => "5501 SSHD PAM session open" } | |
| add_field => { "event_id" => "5501" } | |
| remove_field => [ "timestamp" ] | |
| } | |
| } | |
| ### Start Rule 9 | |
| # 2015-12-31T13:46:39.978184+08:00 192.168.90.205 sshd[5658]: pam_unix(sshd:session): session closed for user haris | |
| # wiki.quadrantsec.com/bin/view/Main/5000407 | |
| # https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0085-pam_rules.xml | |
| if "syslog" in [tags] and "_grokparsefailure" in [tags] { | |
| grok { | |
| match => { | |
| "message" => [ "(?:%{TIMESTAMP_ISO8601:timestamp}|%{SYSLOGTIMESTAMP:timestamp})%{SPACE}%{HOSTNAME:host_target} sshd\[%{BASE10NUM}]: pam_unix\(sshd:session\): session closed for user %{USERNAME:username}" ] | |
| } | |
| add_tag => [ "ssh_pam_session_closed", "filter_sshd", "correlation" ] | |
| add_field => { "EventDesc" => "5502 SSHD PAM session closed" } | |
| add_field => { "event_id" => "5502" } | |
| remove_field => [ "timestamp" ] | |
| } | |
| } | |
| ############## | |
| # grok ini mesti last | |
| # tujuan nak buang tag _grokparsefailure | |
| ##### | |
| if "syslog" in [tags] and "_grokparsefailure" in [tags] { | |
| grok { | |
| match => { | |
| "message" => [ "%{GREEDYDATA}" ] | |
| } | |
| remove_tag => [ "_grokparsefailure" ] | |
| remove_field => [ "timestamp" ] | |
| } | |
| } | |
| # end if | |
| } | |
| } | |
| ### |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment