-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathbro.conf
90 lines (79 loc) · 2.9 KB
/
bro.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
# Created by Terrence Gareau "tuna" for honeypot project
# tuna@people.ops-trust.net
# Used Jason Smith's setup as a base
# Great Blog post http://www.appliednsm.com/parsing-bro-logs-with-logstash/
# http://blog.lusis.org/blog/2012/01/31/load-balancing-logstash-with-amqp/
# tuna@people.ops-trust.net
# https://home.regit.org/2014/01/a-bit-of-logstash-cooking/ geoip
# https://home.regit.org/tag/logstash/
#Logs being parsed:
#conn.log
#dns.log
#ntp.log
input {
#Production Logs#############################
file {
type => "BRO_connlog"
path => "/nsm/bro/logs/current/conn.log"
}
file {
type => "BRO_dnslog"
path => "/nsm/bro/logs/current/dns.log"
}
file {
type => "BRO_ntplog"
path => "/nsm/bro/logs/current/ntp.log"
}
file {
type => "SSHPOT_sshlog"
path => "/var/log/sshpot_auth.log"
}
###################################################
}
filter {
if [message] =~ /^#/ {
drop { }
} else {
# SSHPOT_sshlog ######################
if [type] == "SSHPOT_sshlog" {
grok {
match => [ "message", "(?<ts>(.*?))\t(?<id.orig_h>(.*?))\t(?<user>(.*?))\t(?<pass>(.*?))\t" ]
}
}
# BRO_ntplog ######################
if [type] == "BRO_ntplog" {
grok {
match => [ "message", "(?<ts>(.*?))\t(?<uid>(.*?))\t(?<id.orig_h>(.*?))\t(?<id.resp_h>(.*?))\t(?<refid>(.*?))\t(?<code>(.*?))\t(?<stratum>(.*?))\t(?<poll>(.*?))\t(?<preceission>(.*?))\t(?<reftime>(.*?))\t(?<excess>(.*?))" ]
}
if [code] =~ /^4/ {
drop { }
}
}
# BRO_dnslog ######################
if [type] == "BRO_dnslog" {
grok {
match => [ "message", "(?<ts>(.*?))\t(?<uid>(.*?))\t(?<id.orig_h>(.*?))\t(?<id.orig_p>(.*?))\t(?<id.resp_h>(.*?))\t(?<id.resp_p>(.*?))\t(?<proto>(.*?))\t(?<trans_id>(.*?))\t(?<query>(.*?))\t(?<qclass>(.*?))\t(?<qclass_name>(.*?))\t(?<qtype>(.*?))\t(?<qtype_name>(.*?))\t(?<rcode>(.*?))\t(?<rcode_name>(.*?))\t(?<AA>(.*?))\t(?<TC>(.*?))\t(?<RD>(.*?))\t(?<RA>(.*?))\t(?<Z>(.*?))\t(?<answers>(.*?))\t(?<TTLs>(.*?))\t(?<rejected>(.*))" ]
}
}
# BRO_connlog ######################
if [type] == "BRO_connlog" {
grok {
match => [ "message", "(?<ts>(.*?))\t(?<uid>(.*?))\t(?<id.orig_h>(.*?))\t(?<id.orig_p>(.*?))\t(?<id.resp_h>(.*?))\t(?<id.resp_p>(.*?))\t(?<proto>(.*?))\t(?<service>(.*?))\t(?<duration>(.*?))\t(?<orig_bytes>(.*?))\t(?<resp_bytes>(.*?))\t(?<conn_state>(.*?))\t(?<local_orig>(.*?))\t(?<missed_bytes>(.*?))\t(?<history>(.*?))\t(?<orig_pkts>(.*?))\t(?<orig_ip_bytes>(.*?))\t(?<resp_pkts>(.*?))\t(?<resp_ip_bytes>(.*?))\t(?<tunnel_parents>(.*?))" ]
}
}
}
if [id.orig_h] {
geoip {
source => "id.orig_h"
target => "geoip"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
mutate {
uppercase => [ "geoip.country_code2" ]
}
}
}