Add new filters for flow and intrusion (#79)

* Add new filters for flow and intrusion * Update intrusion_threat_intelligence.conf.erb * Update netflow_threat_intelligence.conf.erb * Update config.rb
redBorder · Dec 30, 2024 · fcbea79 · fcbea79
1 parent 2da3916
commit fcbea79
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 0 deletions.
diff --git a/resources/providers/config.rb b/resources/providers/config.rb
@@ -363,6 +363,19 @@
         notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring']
       end
 
+      memcached_servers = node['redborder']['memcached']['hosts']
+
+      template "#{pipelines_dir}/netflow/05_threat_intelligence.conf" do
+        source 'netflow_threat_intelligence.conf.erb'
+        owner user
+        group user
+        mode '0644'
+        ignore_failure true
+        cookbook 'logstash'
+        variables(memcached_servers: memcached_servers)
+        notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring']
+      end
+
       template "#{pipelines_dir}/netflow/90_splitflow.conf" do
         source 'netflow_splitflow.conf.erb'
         owner user
@@ -912,6 +925,17 @@
         notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring']
       end
 
+      template "#{pipelines_dir}/intrusion/07_threat_intelligence.conf" do
+        source 'intrusion_threat_intelligence.conf.erb'
+        owner user
+        group user
+        mode '0644'
+        ignore_failure true
+        cookbook 'logstash'
+        variables(memcached_servers: memcached_servers)
+        notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring']
+      end
+
       template "#{pipelines_dir}/intrusion/98_encode.conf" do
         source 'intrusion_encode.conf.erb'
         owner user

diff --git a/resources/templates/default/intrusion_threat_intelligence.conf.erb b/resources/templates/default/intrusion_threat_intelligence.conf.erb
@@ -0,0 +1,13 @@
+filter {
+  threatintelligence {
+    memcached_servers => <%=@memcached_servers%>
+    key_mapping => {
+      "src" => "src_is_malicious"
+      "dst" => "dst_is_malicious"
+      "public_ip" => "src_is_malicious"
+      "sha256" => "sha256_is_malicious"
+      "file_uri" => "file_uri_is_malicious"
+      "file_hostname" => "file_hostname_is_malicious"
+    }
+  }
+}
diff --git a/resources/templates/default/netflow_threat_intelligence.conf.erb b/resources/templates/default/netflow_threat_intelligence.conf.erb
@@ -0,0 +1,10 @@
+filter {
+  threatintelligence {
+    memcached_servers => <%=@memcached_servers%>
+    key_mapping => {
+      "lan_ip" => "lan_ip_is_malicious"
+      "wan_ip" => "wan_ip_is_malicious"
+      "public_ip" => "public_ip_is_malicious"
+    }
+  }
+}