Logstash snort

a guest
Nov 5th, 2013
902
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.75 KB | None | 0 0
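  input {
    # Debug aid: feed lines on stdin instead of tailing the log file.
    #stdin {
    #  type => "stdin-type"
    #}

    # Tail the syslog file that carries the snort, iptables (kernel) and
    # SASL auth-failure messages.  Logstash only needs read access to this
    # file; grant it by group membership rather than running as root.
    file {
      path => "/var/log/mymessages"
      # "end" is the default: on first start only lines written from now on
      # are read.  Use "beginning" for a one-off backfill of history.
      start_position => "end"
      # sincedb_path names ONE file, it is not a glob.  The original value
      # "/opt/logstash/.sincedb*" (the "*" was copied from the docs' wording
      # for the default location) would be taken as a literal file name.
      # The directory must be writable by the Logstash user, otherwise the
      # read offset is lost on restart and lines are ingested twice.
      sincedb_path => "/opt/logstash/.sincedb_mymessages"
    }
  }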
  11.  
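  filter {
    # Parse the three message shapes this pipeline keeps: snort alerts,
    # iptables LOG lines written by the kernel, and postfix SASL auth
    # failures.  Everything else is dropped further down, so the patterns
    # below are effectively an allow-list of log sources.
    grok {
      match => {
        "message" => [
          # snort alert as relayed by syslog
          "%{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{WORD:snort}\[%{INT:snort_pid}\]\: \[%{INT:gid}\:%{INT:sid}\:%{INT:rev}\] %{DATA:ids_alert} \[Classification\: %{DATA:ids_classification}\] \[Priority\: %{INT:ids_priority}\] \{%{WORD:proto}\} %{IP:ids_src_ip}\:%{INT:ids_src_port} \-\> %{IP:ids_dst_ip}\:%{INT:ids_dst_port}",
          # iptables LOG, inbound on ppp0, TCP layout (WINDOW/RES/flags/URGP),
          # with the DF flag.  The host name "gateway" and the interface are
          # hard-wired; adjust them for another box.  The bracketed number is
          # the kernel printk timestamp (seconds since boot), not epoch time
          # despite the field name.
          "%{SYSLOGTIMESTAMP:date} gateway %{WORD:kernel}: \[%{BASE10NUM:unixtime}\] IN=ppp0 OUT= MAC= SRC=%{IP:src_ip} DST=%{IP:dst_ip} LEN=%{NUMBER:len} TOS=%{DATA:junk} PREC=%{DATA:junk} TTL=%{NUMBER:junk} ID=%{NUMBER:junk} DF PROTO=%{WORD:proto} SPT=%{NUMBER:src_port} DPT=%{NUMBER:dst_port} WINDOW=%{NUMBER:junk} RES=%{DATA:junk} %{DATA:flags} URGP=0",
          # Same layout without DF.  The original read "ID=%{NUMBER:junk }"
          # (stray space inside the field name); grok does not recognise that
          # as a pattern reference, so the line could never match.
          "%{SYSLOGTIMESTAMP:date} gateway %{WORD:kernel}: \[%{BASE10NUM:unixtime}\] IN=ppp0 OUT= MAC= SRC=%{IP:src_ip} DST=%{IP:dst_ip} LEN=%{NUMBER:len} TOS=%{DATA:junk} PREC=%{DATA:junk} TTL=%{NUMBER:junk} ID=%{NUMBER:junk} PROTO=%{WORD:proto} SPT=%{NUMBER:src_port} DPT=%{NUMBER:dst_port} WINDOW=%{NUMBER:junk} RES=%{DATA:junk} %{DATA:flags} URGP=0",
          # Layout with a second LEN= and no TCP fields (e.g. UDP), with DF ...
          "%{SYSLOGTIMESTAMP:date} gateway kernel: \[%{BASE10NUM:unixtime}\] IN=ppp0 OUT= MAC= SRC=%{IP:src_ip} DST=%{IP:dst_ip} LEN=%{POSINT:fullen} TOS=%{DATA:junk} PREC=%{DATA:junk} TTL=%{POSINT:junk} ID=%{NUMBER:junk} DF PROTO=%{WORD:proto} SPT=%{POSINT:src_port} DPT=%{POSINT:dst_port} LEN=%{POSINT:len}",
          # ... and without DF but with a trailing MARK=.
          "%{SYSLOGTIMESTAMP:date} gateway kernel: \[%{BASE10NUM:unixtime}\] IN=ppp0 OUT= MAC= SRC=%{IP:src_ip} DST=%{IP:dst_ip} LEN=%{POSINT:fullen} TOS=%{DATA:junk} PREC=%{DATA:junk} TTL=%{POSINT:junk} ID=%{NUMBER:junk} PROTO=%{WORD:proto} SPT=%{POSINT:src_port} DPT=%{POSINT:dst_port} LEN=%{POSINT:len} MARK=%{DATA:junk}",
          # postfix/smtpd "warning: host[ip]: SASL ... authentication failed"
          "%{SYSLOGTIMESTAMP:date} gateway %{SYSLOGPROG}: warning: %{HOSTNAME}\[%{IP:src_ip}\]: %{WORD:sasl} %{GREEDYDATA:data}"
        ]
      }
      # Only applied when a pattern matched.  "junk" collects the header
      # fields nobody queries.  ids_classification and ids_priority are kept
      # on purpose (the original removed them): they are the first things an
      # analyst filters on when triaging snort alerts.
      remove_field => [ "program", "pid", "data", "snort_pid", "junk", "unixtime" ]
    }

    # Keep only the three sources above; everything else leaves the pipeline
    # here.  Note that "IN= OUT=ppp0 MAC=" (outbound iptables lines) survives
    # this check but is covered by none of the grok patterns, so those events
    # arrive in the iptables branch with a _grokparsefailure tag and no
    # src_ip/dst_ip; the geoip steps then have nothing to look up.
    if [message] !~ "snort\[[0-9]{1,6}\]: \[[0-9]{1,6}:[0-9]{1,10}:[0-9]{1,6}\]|IN=ppp0 OUT= MAC=|IN= OUT=ppp0 MAC=|SASL PLAIN authentication failed|SASL LOGIN authentication failed" {

      drop { }

    } else if [message] =~ "snort\[[0-9]{1,6}\]: \[[0-9]{1,6}:[0-9]{1,10}:[0-9]{1,6}\]" {
      # ids source IP.  The four-step geoip/add/merge/convert dance builds a
      # [lon, lat] float array, which is the order Elasticsearch expects for
      # a geo_point given as an array.
      geoip {
        source => "ids_src_ip"
        target => "ids_src_geoip"
        fields => [ "ip", "country_code2", "country_name", "latitude", "longitude" ]
      }
      mutate {
        add_field => [ "ids_src_coordinates", "%{[ids_src_geoip][longitude]}", "ids_src_tmplat", "%{[ids_src_geoip][latitude]}" ]
      }
      mutate {
        merge => [ "ids_src_coordinates", "ids_src_tmplat" ]
      }
      mutate {
        convert => [ "ids_src_coordinates", "float" ]
      }

      # ids dest ip
      geoip {
        source => "ids_dst_ip"
        target => "ids_dst_geoip"
        fields => [ "ip", "country_code2", "country_name", "latitude", "longitude" ]
      }
      mutate {
        add_field => [ "ids_dst_coordinates", "%{[ids_dst_geoip][longitude]}", "ids_dst_tmplat", "%{[ids_dst_geoip][latitude]}" ]
      }
      mutate {
        merge => [ "ids_dst_coordinates", "ids_dst_tmplat" ]
      }
      mutate {
        convert => [ "ids_dst_coordinates", "float" ]
      }

    } else if [message] =~ "IN=ppp0 OUT= MAC=|IN= OUT=ppp0 MAC=" {
      # iptables source ip
      geoip {
        source => "src_ip"
        target => "src_geoip"
        fields => [ "ip", "country_code2", "country_name", "latitude", "longitude" ]
      }
      mutate {
        add_field => [ "src_coordinates", "%{[src_geoip][longitude]}", "src_tmplat", "%{[src_geoip][latitude]}" ]
      }
      mutate {
        merge => [ "src_coordinates", "src_tmplat" ]
      }
      mutate {
        convert => [ "src_coordinates", "float" ]
      }

      # iptables dest ip
      geoip {
        source => "dst_ip"
        target => "dst_geoip"
        fields => [ "ip", "country_code2", "country_name", "latitude", "longitude" ]
      }
      mutate {
        add_field => [ "dst_coordinates", "%{[dst_geoip][longitude]}", "dst_tmplat", "%{[dst_geoip][latitude]}" ]
      }
      mutate {
        merge => [ "dst_coordinates", "dst_tmplat" ]
      }
      mutate {
        convert => [ "dst_coordinates", "float" ]
      }

    } else if [message] =~ "SASL PLAIN authentication failed|SASL LOGIN authentication failed" {
      # sasl source ip (the client that failed to authenticate)
      geoip {
        source => "src_ip"
        target => "src_geoip"
        fields => [ "ip", "country_code2", "country_name", "latitude", "longitude" ]
      }
      mutate {
        add_field => [ "src_coordinates", "%{[src_geoip][longitude]}", "src_tmplat", "%{[src_geoip][latitude]}" ]
      }
      mutate {
        merge => [ "src_coordinates", "src_tmplat" ]
      }
      mutate {
        convert => [ "src_coordinates", "float" ]
      }
    }

    # Stamp the event with the time the line was logged rather than the time
    # Logstash read it; otherwise a backfill or a restart skews the timeline.
    # syslog timestamps carry neither year nor zone, so the current year and
    # the host's local zone are assumed.
    date {
      match => [ "date", "MMM  d HH:mm:ss", "MMM d HH:mm:ss" ]
    }

    mutate {
      # Make the alert name safe to use as a Kibana term/field.
      gsub => [ "ids_alert", "[ \-\(\)]", "_" ]
      # Nested fields are addressed as [parent][child]; the original used
      # "src_geoip.country_name", which names a top-level field that does not
      # exist, so the substitution never ran.  The ids_* targets get the same
      # treatment for consistency.
      gsub => [ "[src_geoip][country_name]", "[ ]", "_" ]
      gsub => [ "[dst_geoip][country_name]", "[ ]", "_" ]
      gsub => [ "[ids_src_geoip][country_name]", "[ ]", "_" ]
      gsub => [ "[ids_dst_geoip][country_name]", "[ ]", "_" ]
      # Scratch fields used only to build the coordinate arrays.
      remove_field => [ "ids_src_tmplat", "ids_dst_tmplat", "src_tmplat", "dst_tmplat" ]
    }
  }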
  118.  
  119.  
  output {
    # Uncomment while developing to print every parsed event to the console.
    #stdout { codec => rubydebug }

    # Embedded Elasticsearch runs a single node inside the Logstash JVM.
    # Handy for a lab, but it brings up the usual ES HTTP/transport ports
    # with no authentication and its data lives with the Logstash process;
    # for anything shared, point the output at a standalone cluster (via the
    # output's host setting) bound to a trusted interface.
    elasticsearch {
      embedded => true
    }
  }