CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
43f89adbd4a6a72a414049cb7d7b1b5495cc2dc6
securityonion/salt/logstash/pipelines/config/so/6201_firewall_pfsense.conf

57 lines
1.6 KiB
Plaintext
Raw Blame History

# Author: Wes Lambert
# Updated by: Doug Burks
filter {
if [type] == "filterlog" {
dissect {
mapping => {
"message" => "%{rule_number},%{sub_rule_number},%{anchor},%{tracker_id},%{interface},%{reason},%{action},%{direction},%{ip_version},%{sub_msg}"
}
}
if [ip_version] == "4" {
dissect {
mapping => {
"sub_msg" => "%{ipv4_tos},%{ipv4_ecn},%{ipv4_ttl},%{ipv4_id},%{ipv4_offset},%{ipv4_flags},%{protocol_id},%{protocol},%{protocol_length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
}
}
}
if [ip_version] == "6" {
dissect {
mapping => {
"sub_msg" => "%{class},%{flow_label},%{hop_limit},%{protocol},%{protocol_id},%{length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
}
}
}
if [protocol] == "tcp" {
dissect {
mapping => {
"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length},%{tcp_flags},"
}
}
}
if [protocol] == "udp" {
dissect {
mapping => {
"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length}"
}
}
}
if [protocol] == "Options" {
mutate {
copy => { "ip_sub_msg" => "options" }
}
mutate {
split => { "options" => "," }
}
}
mutate {
convert => [ "destination_port", "integer" ]
convert => [ "source_port", "integer" ]
convert => [ "ip_version", "integer" ]
replace => { "type" => "firewall" }
add_tag => [ "pfsense","firewall" ]
remove_field => [ "sub_msg", "ip_sub_msg" ]
}
}
}
Reference in New Issue View Git Blame Copy Permalink