Add/16980 intrusion pipeline

* Added intrusion template files * Modified config.rb to include intrusion templates
redBorder · Apr 16, 2024 · 69f4bc3 · 69f4bc3
1 parent a9fcdb6
commit 69f4bc3
Show file tree

Hide file tree

Showing 8 changed files with 243 additions and 0 deletions.
diff --git a/resources/providers/config.rb b/resources/providers/config.rb
@@ -890,6 +890,78 @@
         :namespaces => namespaces)
         notifies :restart, "service[logstash]", :delayed
       end
+
+    # Intrusion pipeline
+    if is_manager || is_sensor
+      template "#{pipelines_dir}/intrusion/00_input.conf" do #TODO add pipelines for ips and intrusion
+        source "intrusion_input.conf.erb"
+        owner "root"
+        owner "root"
+        mode 0644
+        retries 2
+        cookbook "logstash"
+        notifies :restart, "service[logstash]", :delayed
+      end
+
+      template "#{pipelines_dir}/intrusion/01_intrusion.conf" do
+        source "intrusion_intrusion.conf.erb"
+        owner "root"
+        owner "root"
+        mode 0644
+        retries 2
+        notifies :restart, "service[logstash]", :delayed
+        action :delete if (logstash_settings and logstash_settings["intrusion"] and !logstash_settings["intrusion"]["multienrichment"]) # Idk wtf to do with this
+      end
+
+
+      template "#{pipelines_dir}/intrusion/02_geoenrich.conf" do
+        source "intrusion_geoenrich.conf.erb"
+        owner "root"
+        owner "root"
+        mode 0644
+        retries 2
+        notifies :restart, "service[logstash]", :delayed
+        action :delete if (logstash_settings and logstash_settings["intrusion"] and logstash_settings["intrusion"]["geoip"] and logstash_settings["intrusion"]["geoip"] == "0")
+      end
+
+      template "#{pipelines_dir}/intrusion/03_macvendor.conf" do
+        source "intrusion_macvendor.conf.erb"
+        owner "root"
+        owner "root"
+        mode 0644
+        retries 2
+        notifies :restart, "service[logstash]", :delayed
+        action :delete if (logstash_settings and logstash_settings["intrusion"] and logstash_settings["intrusion"]["macvendor"] and logstash_settings["intrusion"]["macvendor"] == "0")
+      end
+
+      template "#{pipelines_dir}/intrusion/04_darklist.conf" do
+        source "intrusion_darklist.conf.erb"
+        owner "root"
+        owner "root"
+        mode 0644
+        retries 2
+        notifies :restart, "service[logstash]", :delayed
+        action :delete if (logstash_settings and logstash_settings["intrusion"] and logstash_settings["intrusion"]["darklist"] and logstash_settings["intrusion"]["darklist"] == "0")
+      end
+
+      template "#{pipelines_dir}/intrusion/98_encode.conf" do
+        source "intrusion_encode.conf.erb"
+        owner "root"
+        owner "root"
+        mode 0644
+        retries 2
+        notifies :restart, "service[logstash]", :delayed
+      end
+
+      template "#{pipelines_dir}/intrusion/99_output.conf" do
+        source "intrusion_output.conf.erb"
+        owner "root"
+        owner "root"
+        mode 0644
+        retries 2
+        variables(:namespaces => namespaces)
+        notifies :restart, "service[logstash]", :delayed
+      end
 
     # End of pipelines
 

diff --git a/resources/templates/default/intrusion_darklist.conf.erb b/resources/templates/default/intrusion_darklist.conf.erb
@@ -0,0 +1,3 @@
+filter {
+    darklist {  }
+}
diff --git a/resources/templates/default/intrusion_encode.conf.erb b/resources/templates/default/intrusion_encode.conf.erb
@@ -0,0 +1,12 @@
+filter {
+  if [file_uri] {
+    ruby {
+      code => '
+        def rb_easy_unescape(str, encoding = Encoding::UTF_8)
+          str.dup.force_encoding("ASCII-8BIT").gsub(/%((?:\p{XDigit}{2})+)/n) { [$1].pack("H*") }.force_encoding(encoding)
+        end
+        event.set("file_uri", rb_easy_unescape(event.get("file_uri")))
+      '
+    }
+  }
+}
diff --git a/resources/templates/default/intrusion_geoenrich.conf.erb b/resources/templates/default/intrusion_geoenrich.conf.erb
@@ -0,0 +1,125 @@
+filter {
+  if [lan_ip] {
+    cidr {
+      address => [ "%{lan_ip}" ]
+      network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128","169.254.0.0/16", "fe80::/10","224.0.0.0/4", "ff00::/8","255.255.255.255/32" ]
+      add_field => { "[src_locality]" => "private" }
+    }
+  }
+  if [wan_ip]{
+    cidr {
+      address => [ "%{wan_ip}" ]
+      network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128","169.254.0.0/16", "fe80::/10","224.0.0.0/4", "ff00::/8","255.255.255.255/32" ]
+      add_field => { "[dst_locality]" => "private" }
+    }
+  }
+
+  #carga de las BBDD de Geolite Asn y City
+  if [src_locality] != "private" {
+    geoip {
+      id => "geoip_city_lan"
+      source => "lan_ip"
+      default_database_type => "City"
+      target => "city_lan"
+      fields => [COUNTRY_CODE2]
+    }
+    geoip {
+      id => "geoip_asn_lan"
+      source => "lan_ip"
+      default_database_type => "ASN"
+      target => "asn_lan"
+      fields => [AUTONOMOUS_SYSTEM_ORGANIZATION]
+    }
+  }
+
+  if [dst_locality] != "private" {
+    geoip {
+      id => "geoip_city_wan"
+      source => "wan_ip"
+      default_database_type => "City"
+      target => "city_wan"
+      fields => [COUNTRY_CODE2]
+    }
+    geoip {
+      id => "geoip_asn_wan"
+      source => "wan_ip"
+      default_database_type => "ASN"
+      target => "asn_wan"
+      fields => [AUTONOMOUS_SYSTEM_ORGANIZATION]
+    }
+  }
+ #----------------------------------------------------------------------------------------------
+  #Testeamos el lan
+  if [lan_ip] {
+    #Si el IPV4 es valido o el IPV6 es valido
+    #country_code (src) y asn_name(src)
+    if [city_lan][country_code2] {
+      mutate {
+        add_field => { "src_country_code" => "%{[city_lan][country_code2]}" }
+      }
+    }
+    if [asn_lan][as_org] {
+      mutate {
+        add_field => { "src_asn_name" => "%{[asn_lan][as_org]}" }
+      }
+    }
+    #si existe src_country_code
+    if [src_country_code] {
+      mutate {
+        replace  => {
+          "public_ip" => "%{wan_ip}"
+          "ip_country_code" => "%{src_country_code}"
+          "lan_ip_country_code" => "%{src_country_code}"
+        }
+      }
+    }
+    #si existe src_asn_name
+    if [src_asn_name] {
+      mutate {
+        add_field => {
+          "lan_ip_as_name" => "%{src_asn_name}"
+          "ip_as_name" => "%{src_asn_name}"
+        }
+      }
+    }
+  }
+
+  #testeamos el wan
+  if [wan_ip]{
+    #Si el IPV4 es valido o el IPV6 es valido
+    #country_code (dst) y asn_name(dst)
+    #Si el country code no es vacio
+    if [city_wan][country_code2] {
+      mutate {
+        add_field => { "dst_country_code" => "%{[city_wan][country_code2]}" }
+      }
+    }
+    if [asn_wan][as_org]{
+      mutate {
+        add_field => {"dst_asn_name" => "%{[asn_wan][as_org]}"}
+      }
+    }
+    if [dst_country_code]{
+      mutate {
+        replace  => {
+          "public_ip" => "%{wan_ip}"
+          "ip_country_code" => "%{dst_country_code}"
+          "wan_ip_country_code" => "%{dst_country_code}"
+        }
+      }
+    }
+    if [dst_asn_name]{
+      mutate {
+        replace => {
+          "wan_ip_as_name" => "%{dst_asn_name}"
+          "ip_as_name" => "%{dst_asn_name}"
+        }
+      }
+    }
+  }
+
+  #eliminamos valores por defecto y añadidos en el procesamiento
+  mutate {
+    remove_field => ["@version","@timestamp", "asn_wan", "asn_lan", "city_wan", "city_lan", "src_asn_name", "dst_asn_name", "src_locality", "dst_locality"]
+  }
+}
diff --git a/resources/templates/default/intrusion_input.conf.erb b/resources/templates/default/intrusion_input.conf.erb
@@ -0,0 +1,7 @@
+input {
+  kafka {
+    codec => json
+    bootstrap_servers => "rbmanager.redborder.cluster:9092"
+    topics => ["rb_event"]
+  }
+}
diff --git a/resources/templates/default/intrusion_intrusion.conf.erb b/resources/templates/default/intrusion_intrusion.conf.erb
@@ -0,0 +1,8 @@
+filter {
+  intrusion { 
+  }
+
+  mutate {
+    remove_field => ["@version","@timestamp"]
+  }
+}
diff --git a/resources/templates/default/intrusion_macvendor.conf.erb b/resources/templates/default/intrusion_macvendor.conf.erb
@@ -0,0 +1,5 @@
+filter {
+    macvendorsenrich {
+        path => "/etc/objects/mac_vendors" <%# I could swear it's this one %>
+    }
+}
diff --git a/resources/templates/default/intrusion_output.conf.erb b/resources/templates/default/intrusion_output.conf.erb
@@ -0,0 +1,11 @@
+output {
+    if [namespace_uuid] {
+    } else {
+      kafka {
+        codec => json
+        topic_id => "rb_event_post"
+        bootstrap_servers => "rbmanager.redborder.cluster:9092"
+      }
+    }
+
+}