# Author: Justin Henderson
#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
#
# This conf file is based on accepting logs for suricata json events
filter {
  if [type] == "suricata" {
    if "test_data" not in [tags] {
      date {
        match => [ "timestamp", "ISO8601" ]
      }
    } else {
      mutate {
        remove_field => [ "netflow.start","netflow.end","timestamp" ]
      }
    }
    if [event_type] == "fileinfo" {
      ruby {
        code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;" 
      }
    }
	# I recommend renaming the fields below to be consistent with other log sources.  This makes it easy to "pivot" between logs
    mutate {
      rename => [ "src_ip", "source_ip" ]
      rename => [ "dest_ip", "destination_ip" ]
      rename => [ "src_port", "source_port" ]
      rename => [ "dest_port", "destination_port" ]
    }
	# This will translate the alert.severity field into a severity field of either High, Medium, or Low
    if [event_type] == "alert" {
      if [alert][severity] == 1 {
        mutate {
          add_field => { "severity" => "High" }
        }
      }
      if [alert][severity] == 2 {
        mutate {
          add_field => { "severity" => "Medium" }
        }
      }
      if [alert][severity] == 3 {
        mutate {
          add_field => { "severity" => "Low" }
        }
      }
	  # If the alert is a Snort GPL alert break it apart for easier reading and categorization
      if [alert][signature] =~ "GPL " {
	    # This will parse out the category type from the alert
        grok {
          match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" }
        }
		# This will store the category
        mutate {
          add_field => { "rule_type" => "Snort GPL" }
          lowercase => [ "category" ]
        }
      }
	  # If the alert is an Emerging Threat alert break it apart for easier reading and categorization
      if [alert][signature] =~ "ET " {
	    # This will parse out the category type from the alert
        grok {
          match => { "[alert][signature]" => "ET\s+%{DATA:category}\s" }
        }
		# This will store the category
        mutate {
          add_field => { "rule_type" => "Emerging Threats" }
          lowercase => [ "category" ]
        }
      }
	  # This section adds URLs to lookup information about a rule online
      if [rule_type] == "Snort GPL" {
        mutate {
          add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
        }
      }
      if [rule_type] == "Emerging Threats" {
        mutate {
          add_field => [ "signature_info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ]
        }
      }
    }
    if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
    #  mutate {
    #    remove_field => [ "message" ]
    #  }
    }
	mutate {
		#add_tag => [ "conf_file_6400"]
	}
  }
}