# Author: Justin Henderson
#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016

filter {
  if [type] == "sflow" {
    if [message] =~ /CNTR/ {
      drop { }
    }

    grok {
      match => { "message" => "%{WORD:sample_type},%{IP:sflow_source_ip},%{WORD:in_port:int},%{WORD:out_port:int},%{WORD:source_mac},%{WORD:destination_mac},%{WORD:ether_type},%{NUMBER:in_vlan:int},%{NUMBER:out_vlan:int},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:protocol:int},%{WORD:type_of_service},%{WORD:ttl:int},%{NUMBER:source_port:int},%{NUMBER:destination_port:int},%{DATA:tcp_flags},%{NUMBER:packet_size:int},%{NUMBER:ip_size:int},%{NUMBER:sample_rate:int}" }
    }

    if "_grokparsefailure" in [tags] {
      drop { }
    }

    mutate {
      add_field => {
        "[source_hostname]" => "%{source_ip}"
        "[destination_hostname]" => "%{destination_ip}"
        "[sflow_source_hostname]" => "%{sflow_source_ip}"
      }
    }

    translate {
      field => "[source_port]"
      destination => "[source_service]"
      dictionary_path => "/lib/dictionaries/iana_services.yaml"
    }

    translate {
      field => "[destination_port]"
      destination => "[destination_service]"
      dictionary_path => "/lib/dictionaries/iana_services.yaml"
    }

    translate {
      field => "[protocol]"
      destination => "[protocol_name]"
      dictionary_path => "/lib/dictionaries/iana_protocols.yaml"
    }

    translate {
      field => "[tcp_flags]"
      destination => "[tcp_flag]"
      dictionary_path => "/lib/dictionaries/tcp_flags.yaml"
    }

    mutate {
      add_field => { "ips" => [ "%{sflow_source_ip}" ] }
    }
	mutate {
		#add_tag => [ "conf_file_2000"]
	}
  }
}