From 040d65c64ce211b14fc518d0fbc4e14fea0c7b95 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miguel=20Negr=C3=B3n?=
Date: Mon, 25 Nov 2024 13:56:07 +0000
Subject: [PATCH 1/2] Fix geoip filter for intrusion pipeline
---
 .../default/intrusion_geoenrich.conf.erb | 36 ++++++++-----------
 1 file changed, 15 insertions(+), 21 deletions(-)
diff --git a/resources/templates/default/intrusion_geoenrich.conf.erb b/resources/templates/default/intrusion_geoenrich.conf.erb
index 05efda7..0d823b4 100644
--- a/resources/templates/default/intrusion_geoenrich.conf.erb
+++ b/resources/templates/default/intrusion_geoenrich.conf.erb
@@ -1,14 +1,14 @@
 filter {
- if [lan_ip] {
+ if [src] {
 cidr {
- address => [ "%{lan_ip}" ]
+ address => [ "%{src}" ]
 network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128","169.254.0.0/16", "fe80::/10","224.0.0.0/4", "ff00::/8","255.255.255.255/32" ]
 add_field => { "[src_locality]" => "private" }
 }
 }
- if [wan_ip]{
+ if [dst]{
 cidr {
- address => [ "%{wan_ip}" ]
+ address => [ "%{dst}" ]
 network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128","169.254.0.0/16", "fe80::/10","224.0.0.0/4", "ff00::/8","255.255.255.255/32" ]
 add_field => { "[dst_locality]" => "private" }
 }
@@ -17,14 +17,14 @@ filter {
 if [src_locality] != "private" {
 geoip {
 id => "geoip_city_lan"
- source => "lan_ip"
+ source => "src"
 default_database_type => "City"
 target => "city_lan"
 fields => [COUNTRY_CODE2]
 }
 geoip {
 id => "geoip_asn_lan"
- source => "lan_ip"
+ source => "src"
 default_database_type => "ASN"
 target => "asn_lan"
 fields => [AUTONOMOUS_SYSTEM_ORGANIZATION]
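Review bot: The `network` list in both cidr blocks uses `0.0.0.0/32`, so only the single address 0.0.0.0 is classed as private while the rest of the 0.0.0.0/8 "this network" block and the RFC 6598 shared address space `100.64.0.0/10` (the range used behind carrier-grade NAT) fall through to the GeoIP lookups, where they are likely to miss and be reported as public with no country. If that is not intended, change the two entries to `"0.0.0.0/8", "100.64.0.0/10",` in both arrays. The list is duplicated verbatim in the `[src]` and `[dst]` blocks, so any future correction has to be made twice; since this is an ERB template, an ERB variable holding the array would keep the two copies in step.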
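Review bot: The `if [src_locality] != "private"` guard is, as far as I can tell, also true when `src` is absent, because `src_locality` is only set inside `if [src]` in the first hunk and a missing field compares unequal to `"private"`; both geoip filters then run with `source => "src"` on an event that has no such field, which should tag it `_geoip_lookup_failure` and costs two lookups per event for nothing. Tightening the guard to `if [src] and [src_locality] != "private" {` avoids this. The same applies to the `[dst_locality]` guard in the next hunk (`@@ -34,21 +34,21 @@`). Now that the fields are `src`/`dst`, the `id => "geoip_city_lan"` / `target => "city_lan"` names read as leftovers of the old `lan_ip`/`wan_ip` naming; renaming them would need matching edits to the later `[city_lan][country_code2]` references, so it may be better left for a follow-up.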
@@ -34,21 +34,21 @@ filter { if [dst_locality] != "private" { geoip { id => "geoip_city_wan" - source => "wan_ip" + source => "dst" default_database_type => "City" target => "city_wan" fields => [COUNTRY_CODE2] } geoip { id => "geoip_asn_wan" - source => "wan_ip" + source => "dst" default_database_type => "ASN" target => "asn_wan" fields => [AUTONOMOUS_SYSTEM_ORGANIZATION] } } - if [lan_ip] { + if [src] { if [city_lan][country_code2] { mutate { add_field => { "src_country_code" => "%{[city_lan][country_code2]}" } @@ -62,23 +62,20 @@ filter { if [src_country_code] { mutate { replace => { - "public_ip" => "%{wan_ip}" - "ip_country_code" => "%{src_country_code}" - "lan_ip_country_code" => "%{src_country_code}" + "src_country_code" => "%{src_country_code}" } } } if [src_asn_name] { mutate { add_field => { - "lan_ip_as_name" => "%{src_asn_name}" - "ip_as_name" => "%{src_asn_name}" + "src_as_name" => "%{src_asn_name}" } } } } - if [wan_ip]{ + if [dst]{ if [city_wan][country_code2] { mutate { add_field => { "dst_country_code" => "%{[city_wan][country_code2]}" } @@ -92,24 +89,21 @@ filter { if [dst_country_code]{ mutate { replace => { - "public_ip" => "%{wan_ip}" - "ip_country_code" => "%{dst_country_code}" - "wan_ip_country_code" => "%{dst_country_code}" + "dst_country_code" => "%{dst_country_code}" } } } if [dst_asn_name]{ mutate { replace => { - "wan_ip_as_name" => "%{dst_asn_name}" - "ip_as_name" => "%{dst_asn_name}" + "dst_as_name" => "%{dst_asn_name}" } } } } mutate { - remove_field => ["@version","@timestamp", "asn_wan", "asn_lan", "city_wan", "city_lan", "src_country_code", "src_asn_name", "dst_country_code", "dst_asn_name", "src_locality", "dst_locality"] + remove_field => ["@version","@timestamp", "asn_wan", "asn_lan", "city_wan", "city_lan", "src_asn_name", "dst_asn_name", "src_locality", "dst_locality"] } } From 2b511cddf7190a07e6e051328f97e1c71f1f7edc Mon Sep 17 00:00:00 2001 
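Review bot: The replacement `"src_country_code" => "%{src_country_code}"` assigns the field its own value, so the whole `if [src_country_code] { mutate { replace => { … } } }` block in the `@@ -62,23 +62,20 @@` hunk is now a no-op left over from when it also populated `public_ip`, `ip_country_code` and `lan_ip_country_code`; it can be deleted outright, since `src_country_code` is already set by the `add_field` in the previous hunk and no longer appears in the final `remove_field` list. The same no-op `replace` exists for `dst_country_code` in the `@@ -92,24 +89,21 @@` hunk. Anything downstream that still reads `public_ip`, `ip_country_code` or `ip_as_name` silently stops receiving them with this change; that is worth a sentence in the commit message or the CHANGELOG entry added in the second patch.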
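Review bot: The `dst_as_name` branch in the `@@ -92,24 +89,21 @@` hunk uses `replace` while the parallel `src_as_name` branch in the previous hunk uses `add_field`; the two behave differently when the field is already present on the event (`add_field` on an existing field turns it into an array, if I remember the mutate semantics correctly, whereas `replace` overwrites), so src and dst enrichment would come out asymmetric. Pick one for both sides — `replace` is the safer choice for an enrichment field — i.e. change the src branch to `replace => { "src_as_name" => "%{src_asn_name}" }`.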
From: =?UTF-8?q?Miguel=20Negr=C3=B3n?= Date: Mon, 25 Nov 2024 13:57:11 +0000 Subject: [PATCH 2/2] Bump version --- CHANGELOG.md | 5 +++++ resources/metadata.rb | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2958df0..80d0f95 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,11 @@ cookbook-logstash CHANGELOG =============== +## 3.3.0 + + - Miguel Negrón + - [040d65c] Fix geoip filter for intrusion pipeline + ## 3.2.1 - Juan Soto diff --git a/resources/metadata.rb b/resources/metadata.rb index 8ab2749..652b2e8 100644 --- a/resources/metadata.rb +++ b/resources/metadata.rb @@ -3,4 +3,4 @@ maintainer_email 'git@redborder.com' license 'AGPL-3.0' description 'Installs/Configures cookbook-logstash' -version '3.2.1' +version '3.3.0'