
Security center

Security feed from Pfsense snort Barnyard2 output

Using a Logstash receiver and Elasticsearch: the Snort add-on on the pfSense firewall, through Barnyard2, sends syslog to Logstash, which acts as the syslog listener and stores the events in Elasticsearch. A few screenshots with configuration tips are included, along with my Logstash input file config.

Logstash config file

Author: Tal Bar-Or

Email: tbaror@dalet.com

Last Update: 11/18/2016

This conf file accepts and parses the syslog output that Barnyard2 produces for Snort.

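# Pipeline for the Barnyard2 syslog output of the pfSense Snort package.
# Barnyard2 emits one syslog line per alert over UDP; the udp input listens on
# port 5142 and tags every event with type "snort".
input {
  udp {
    port => 5142
    type => "snort"
  }
}

filter {
  # Only parse lines that arrive from a known sensor. The original used unanchored
  # regexes (/10.0.8.2/) with unescaped dots, which also match hosts such as
  # 10.0.8.25 or 110.0.8.2; an exact-match list is the allowlist that was intended.
  # NOTE(review): [host] is assumed to be the sensor's source address as set by the
  # udp input — confirm against a live event if it appears as a name instead.
  if [host] in [ "172.17.37.2", "10.0.8.2", "10.0.11.2", "10.0.10.2", "10.0.12.2", "10.0.14.2", "10.0.15.2" ] {

    # Initial parsing of the Barnyard2 syslog line. The literal "|", "[" and "]"
    # delimiters of that format are regex metacharacters in grok (Oniguruma) and
    # have to be escaped: unescaped, "[...]" becomes a character class and "|"
    # an alternation, so the pattern does not match the line as intended.
    grok {
      match => { "message" => "\|%{SPACE}\[%{WORD:msg_source}\[%{WORD:msg}\]:%{SPACE}\[%{GREEDYDATA:sensor_name}\]%{SPACE}\]%{SPACE}\|\|%{SPACE}%{TIMESTAMP_ISO8601:event_timestamp}%{SPACE}%{INT:event_priority}%{SPACE}\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]%{SPACE}%{DATA:alert_description}\|\|%{SPACE}%{DATA:classification}%{SPACE}\|\|%{SPACE}%{INT:protocol}%{SPACE}%{IP:SrcIp}%{SPACE}%{IP:DstIp}%{SPACE}\|\|%{SPACE}%{INT:SrcPort}%{SPACE}%{INT:DstPort}%{SPACE}" }
    }

    # Optional reverse DNS of the source address. Leave it commented out unless you
    # want the lookups: each one queries the nameserver responsible for that address,
    # which can reveal to the remote party that their traffic is being examined.
    #mutate {
    #  add_field => { "SrcIP-resolved" => "%{SrcIp}" }
    #}
    #dns {
    #  reverse => [ "[SrcIP-resolved]" ]
    #  action => "replace"
    #}

    # GeoIP lookup on the source address. The lookup writes its result under
    # "SrcGeoip", so the coordinates have to be read back from [SrcGeoip][...];
    # the original read %{[geoip][longitude]}, a field that never exists here,
    # which left the placeholder text in the coordinates instead of numbers.
    # Longitude first, then latitude: the array order Elasticsearch expects for a
    # geo_point.
    geoip {
      source => "SrcIp"
      target => "SrcGeoip"
      database => "/etc/logstash/GeoLite2-City.mmdb"
      add_field => [ "[SrcGeoip][coordinates]", "%{[SrcGeoip][longitude]}" ]
      add_field => [ "[SrcGeoip][coordinates]", "%{[SrcGeoip][latitude]}" ]
    }
    mutate {
      convert => [ "[SrcGeoip][coordinates]", "float" ]
    }
    #geoip {
    #  source => "[SrcIp]"
    #  target => "SrcGeo"
    #}

    # Optional reverse DNS of the destination address; same trade-off as above.
    #mutate {
    #  add_field => { "DstIP-resolved" => "%{DstIp}" }
    #}
    #dns {
    #  reverse => [ "[DstIP-resolved]" ]
    #  action => "replace"
    #}

    # GeoIP lookup on the destination address, mirroring the source lookup.
    geoip {
      source => "DstIp"
      target => "DstGeoip"
      database => "/etc/logstash/GeoLite2-City.mmdb"
      add_field => [ "[DstGeoip][coordinates]", "%{[DstGeoip][longitude]}" ]
      add_field => [ "[DstGeoip][coordinates]", "%{[DstGeoip][latitude]}" ]
    }
    mutate {
      convert => [ "[DstGeoip][coordinates]", "float" ]
    }
    #geoip {
    #  source => "[DstIp]"
    #  target => "DstGeo"
    #}

    # Snort GPL rules: split the category out of the description. The grok has to
    # run against "alert_description", the field the parser above produces; the
    # original matched a field named "alert" that is never set. The test is
    # anchored so a description that merely contains "GPL " mid-string is not
    # classified as a GPL rule.
    if [alert_description] =~ /^GPL / {
      grok {
        match => { "alert_description" => "GPL\s+%{DATA:category}\s" }
      }
      mutate {
        add_field => { "rule_type" => "Snort GPL" }
        lowercase => [ "category" ]
      }
    }
    # Emerging Threats rules, same treatment.
    if [alert_description] =~ /^ET / {
      grok {
        match => { "alert_description" => "ET\s+%{DATA:category}\s" }
      }
      mutate {
        add_field => { "rule_type" => "Emerging Threats" }
        lowercase => [ "category" ]
      }
    }

    # Numeric fields as integers so range queries and aggregations work on them,
    # and so the comparisons below compare numbers rather than strings.
    mutate {
      convert => [ "SrcPort", "integer" ]
      convert => [ "DstPort", "integer" ]
      convert => [ "event_priority", "integer" ]
      convert => [ "protocol", "integer" ]
    }

    # Drop the raw line only once it has been parsed; an event that failed the grok
    # keeps "message" (and its _grokparsefailure tag) so it can be inspected instead
    # of vanishing.
    if "_grokparsefailure" not in [tags] {
      mutate {
        remove_field => [ "message" ]
      }
    }

    # Map the Snort priority onto a High/Medium/Low severity.
    if [event_priority] == 1 {
      mutate { add_field => { "severity" => "High" } }
    } else if [event_priority] == 2 {
      mutate { add_field => { "severity" => "Medium" } }
    } else if [event_priority] == 3 {
      mutate { add_field => { "severity" => "Low" } }
    }

    # Links to the rule documentation for the dashboard.
    mutate {
      add_field => [ "ET_Signature_Info", "http://doc.emergingthreats.net/%{sid}" ]
      add_field => [ "Snort_Signature_Info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
    }

    # Replace the IP protocol number with its name for the common protocols; any
    # other number is left as-is.
    if [protocol] == 17 {
      mutate { replace => { "protocol" => "UDP" } }
    } else if [protocol] == 6 {
      mutate { replace => { "protocol" => "TCP" } }
    } else if [protocol] == 1 {
      mutate { replace => { "protocol" => "ICMP" } }
    } else if [protocol] == 2 {
      mutate { replace => { "protocol" => "IGMP" } }
    }
  }
}

output {
  # Only parsed sensor events carry msg_source; lines that failed parsing are not
  # indexed by this output.
  if [msg_source] == "SNORTIDS" {
    elasticsearch {
      index => "ids_sensors"
      hosts => [ "localhost:9200" ]
    }
    # Console echo of each indexed event, for debugging the pipeline.
    stdout { codec => rubydebug }
  }
}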
