CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
5a6c66bde50fb2ed73b5619851e33b61b83a051b
securityonion/salt/logstash/files/conf.d/2000_network_flow.conf
Mike Reeves 5a6c66bde5 Initial Commit
2018-02-05 12:36:27 -05:00

60 lines
1.7 KiB
Plaintext
Raw Blame History

# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "sflow" {
if [message] =~ /CNTR/ {
drop { }
}
grok {
match => { "message" => "%{WORD:sample_type},%{IP:sflow_source_ip},%{WORD:in_port:int},%{WORD:out_port:int},%{WORD:source_mac},%{WORD:destination_mac},%{WORD:ether_type},%{NUMBER:in_vlan:int},%{NUMBER:out_vlan:int},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:protocol:int},%{WORD:type_of_service},%{WORD:ttl:int},%{NUMBER:source_port:int},%{NUMBER:destination_port:int},%{DATA:tcp_flags},%{NUMBER:packet_size:int},%{NUMBER:ip_size:int},%{NUMBER:sample_rate:int}" }
}
if "_grokparsefailure" in [tags] {
drop { }
}
mutate {
add_field => {
"[source_hostname]" => "%{source_ip}"
"[destination_hostname]" => "%{destination_ip}"
"[sflow_source_hostname]" => "%{sflow_source_ip}"
}
}
translate {
field => "[source_port]"
destination => "[source_service]"
dictionary_path => "/lib/dictionaries/iana_services.yaml"
}
translate {
field => "[destination_port]"
destination => "[destination_service]"
dictionary_path => "/lib/dictionaries/iana_services.yaml"
}
translate {
field => "[protocol]"
destination => "[protocol_name]"
dictionary_path => "/lib/dictionaries/iana_protocols.yaml"
}
translate {
field => "[tcp_flags]"
destination => "[tcp_flag]"
dictionary_path => "/lib/dictionaries/tcp_flags.yaml"
}
mutate {
add_field => { "ips" => [ "%{sflow_source_ip}" ] }
}
mutate {
#add_tag => [ "conf_file_2000"]
}
}
}
Reference in New Issue View Git Blame Copy Permalink