split intrusion (#74)

* Redmine bugfix #19198: Change vault default priority filter

* Feature/#18682 add way to split instrusion (#69)

* Fix lint

* Add check for dst address

* Change location of yml file

* fix splitting and order of execution

* Change template to use Ruby Code instead of cidr plugin

---------

Co-authored-by: jsotof <jsotof@localhost.localdomain>

* release 3.2.0

---------

Co-authored-by: ptorresred <ptorres@redborder.com>
Co-authored-by: Juan Soto <127120525+jsotofernandez@users.noreply.github.com>
Co-authored-by: jsotof <jsotof@localhost.localdomain>
Co-authored-by: Pablo Pérez <pperez@redborder.com>

CHANGELOG.md

@@ -1,6 +1,15 @@
 cookbook-logstash CHANGELOG
 ===============
 
+## 3.2.0
+
+  - Pablo Pérez
+    - [e92ec9a] Merge pull request #73 from redBorder/bugfix/#19198_vault_priorities_incorrect_values
+  - Juan Soto
+    - [e42caa4] Feature/#18682 add way to split instrusion (#69)
+  - ptorresred
+    - [3e65dd8] Redmine bugfix #19198: Change vault default priority filter
+
 ## 3.1.0
 
   - Miguel Negrón

resources/metadata.rb

@@ -3,4 +3,4 @@
 maintainer_email 'git@redborder.com'
 license          'AGPL-3.0'
 description      'Installs/Configures cookbook-logstash'
-version          '3.1.0'
+version          '3.2.0'

resources/providers/config.rb

@@ -18,10 +18,16 @@
     mongo_port = new_resource.mongo_port
     logstash_pipelines = new_resource.logstash_pipelines
     split_traffic_logstash = new_resource.split_traffic_logstash
+    split_intrusion_logstash = new_resource.split_intrusion_logstash
     intrusion_incidents_priority_filter = new_resource.intrusion_incidents_priority_filter
     vault_incidents_priority_filter = new_resource.vault_incidents_priority_filter
     is_proxy = is_proxy?
     is_manager = is_manager?
+    begin
+      sensors_data = YAML.load(::File.open('/etc/logstash/sensors_data.yml'))
+    rescue
+      sensors_data = { 'sensors' => {} }
+    end
 
     dnf_package 'logstash-rules' do
       only_if { is_manager }
@@ -886,7 +892,21 @@
         notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring']
       end
 
-      template "#{pipelines_dir}/intrusion/05_incident_enrichment.conf" do
+      # This is related with this task
+      # https://redmine.redborder.lan/issues/18682
+      # We should improve it but do not delete it
+      template "#{pipelines_dir}/intrusion/05_intrusion_tagging.conf" do
+        source 'intrusion_tagging.conf.erb'
+        owner user
+        group user
+        mode '0644'
+        ignore_failure true
+        cookbook 'logstash'
+        variables(sensors: sensors_data['sensors'], split_intrusion_logstash: split_intrusion_logstash)
+        notifies :restart, 'service[logstash]', :delayed
+      end
+
+      template "#{pipelines_dir}/intrusion/06_incident_enrichment.conf" do
         source 'intrusion_incident_enrichment.conf.erb'
         owner user
         group user

resources/resources/config.rb

@@ -21,5 +21,6 @@
 attribute :mongo_port, kind_of: String, default: '27017'
 attribute :logstash_pipelines, kind_of: Array, default: []
 attribute :split_traffic_logstash, kind_of: [TrueClass, FalseClass], default: false
+attribute :split_intrusion_logstash, kind_of: [TrueClass, FalseClass], default: false
 attribute :intrusion_incidents_priority_filter, kind_of: String, default: 'high'
-attribute :vault_incidents_priority_filter, kind_of: String, default: 'high'
+attribute :vault_incidents_priority_filter, kind_of: String, default: 'error'

resources/templates/default/intrusion_tagging.conf.erb

@@ -0,0 +1,55 @@
+<% if @split_intrusion_logstash %>
+filter {
+  ruby {
+    code => "
+      require 'ipaddr'
+
+      event_ip = event.get('src')
+      if event_ip && !event.get('organization')
+        ip_src = IPAddr.new(event_ip) rescue nil
+        if ip_src
+          <% @sensors.each do |sensor_name, sensor_data| %>
+            subnets = [
+              <% sensor_data['subnets'].each_with_index do |subnet, index| %>
+                IPAddr.new('<%= subnet.to_s.encode('UTF-8', invalid: :replace, undef: :replace, replace: '?') %>')<%= ',' unless index == sensor_data['subnets'].length - 1 %>
+              <% end %>
+            ]
+            if subnets.any? { |subnet| subnet.include?(ip_src) }
+              <% sensor_data['fields'].each do |field_name, field_value| %>
+                event.set('<%= field_name %>', '<%= field_value.to_s.encode('UTF-8', invalid: :replace, undef: :replace, replace: '?').gsub("'", "\\\\'") %>')
+              <% end %>
+              break  # If found a match
+            end
+          <% end %>
+        end
+      end
+
+      # If there is not match in src ip's
+      if !event.get('organization')
+        event_ip = event.get('dst')
+        if event_ip
+          ip_dst = IPAddr.new(event_ip) rescue nil
+          if ip_dst
+            <% @sensors.each do |sensor_name, sensor_data| %>
+              subnets = [
+                <% sensor_data['subnets'].each_with_index do |subnet, index| %>
+                  IPAddr.new('<%= subnet.to_s.encode('UTF-8', invalid: :replace, undef: :replace, replace: '?') %>')<%= ',' unless index == sensor_data['subnets'].length - 1 %>
+                <% end %>
+              ]
+              if subnets.any? { |subnet| subnet.include?(ip_dst) }
+                <% sensor_data['fields'].each do |field_name, field_value| %>
+                  event.set('<%= field_name %>', '<%= field_value.to_s.encode('UTF-8', invalid: :replace, undef: :replace, replace: '?').gsub("'", "\\\\'") %>')
+                <% end %>
+                break # If found a match
+              end
+            <% end %>
+          end
+        end
+      end
+    "
+  }
+}
+<% else %>
+filter {
+}
+<% end %>