From fcbea79608ae6caaabd0bbb1e085ad4f82f7318e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miguel=20=C3=81lvarez?= <128592227+malvads@users.noreply.github.com>
Date: Mon, 30 Dec 2024 14:04:10 +0000
Subject: [PATCH] Add new filters for flow and intrusion (#79)

* Add new filters for flow and intrusion
* Update intrusion_threat_intelligence.conf.erb
* Update netflow_threat_intelligence.conf.erb
* Update config.rb
---
 resources/providers/config.rb | 24 +++++++++++++++++++
 .../intrusion_threat_intelligence.conf.erb | 13 ++++++++++
 .../netflow_threat_intelligence.conf.erb | 10 ++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 resources/templates/default/intrusion_threat_intelligence.conf.erb
 create mode 100644 resources/templates/default/netflow_threat_intelligence.conf.erb

diff --git a/resources/providers/config.rb b/resources/providers/config.rb
index 9cb2563..bd094b1 100644
--- a/resources/providers/config.rb
+++ b/resources/providers/config.rb
@@ -363,6 +363,19 @@
 notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring']
 end
 
+ memcached_servers = node['redborder']['memcached']['hosts']
+
+ template "#{pipelines_dir}/netflow/05_threat_intelligence.conf" do
+ source 'netflow_threat_intelligence.conf.erb'
+ owner user
+ group user
+ mode '0644'
+ ignore_failure true
+ cookbook 'logstash'
+ variables(memcached_servers: memcached_servers)
+ notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring']
+ end
+
 template "#{pipelines_dir}/netflow/90_splitflow.conf" do
 source 'netflow_splitflow.conf.erb'
 owner user
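Review bot: `memcached_servers = node['redborder']['memcached']['hosts']` is handed to the template without any check, and `ignore_failure true` on the resource below means a nil or empty attribute is not surfaced by the Chef run; the rendered `05_threat_intelligence.conf` then carries an empty `memcached_servers =>` value and the problem only shows up when `service[logstash]` restarts and refuses the pipeline. Failing early, e.g. `raise "redborder.memcached.hosts is not set" if memcached_servers.nil? || memcached_servers.empty?`, or skipping the resource with an `only_if` guard, keeps a half-configured pipeline off disk. A short comment on the assignment would also help the next reader: `# Array of memcached host strings (presumably "host:port"); the ERB renders it verbatim as a Logstash array literal — confirm shape`. The same local is reused by the intrusion template added in the hunk at line 925, and the enclosing block starts and ends outside this hunk.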
@@ -912,6 +925,17 @@
 notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring']
 end
 
+ template "#{pipelines_dir}/intrusion/07_threat_intelligence.conf" do
+ source 'intrusion_threat_intelligence.conf.erb'
+ owner user
+ group user
+ mode '0644'
+ ignore_failure true
+ cookbook 'logstash'
+ variables(memcached_servers: memcached_servers)
+ notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring']
+ end
+
 template "#{pipelines_dir}/intrusion/98_encode.conf" do
 source 'intrusion_encode.conf.erb'
 owner user
diff --git a/resources/templates/default/intrusion_threat_intelligence.conf.erb b/resources/templates/default/intrusion_threat_intelligence.conf.erb
new file mode 100644
index 0000000..4c35d70
--- /dev/null
+++ b/resources/templates/default/intrusion_threat_intelligence.conf.erb
@@ -0,0 +1,13 @@
+filter {
+ threatintelligence {
+ memcached_servers => <%=@memcached_servers%>
+ key_mapping => {
+ "src" => "src_is_malicious"
+ "dst" => "dst_is_malicious"
+ "public_ip" => "src_is_malicious"
+ "sha256" => "sha256_is_malicious"
+ "file_uri" => "file_uri_is_malicious"
+ "file_hostname" => "file_hostname_is_malicious"
+ }
+ }
+}
diff --git a/resources/templates/default/netflow_threat_intelligence.conf.erb b/resources/templates/default/netflow_threat_intelligence.conf.erb
new file mode 100644
index 0000000..d0f7c1f
--- /dev/null
+++ b/resources/templates/default/netflow_threat_intelligence.conf.erb
@@ -0,0 +1,10 @@
+filter {
+ threatintelligence {
+ memcached_servers => <%=@memcached_servers%>
+ key_mapping => {
+ "lan_ip" => "lan_ip_is_malicious"
+ "wan_ip" => "wan_ip_is_malicious"
+ "public_ip" => "public_ip_is_malicious"
+ }
+ }
+}
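Review bot: `variables(memcached_servers: memcached_servers)` in the intrusion template reads a local that is assigned roughly 560 lines earlier, in the netflow section added by the hunk at line 363; if that assignment and this resource are not evaluated inside the same Ruby block, this line raises NameError when the action runs, which `ignore_failure true` does not cover. Re-reading the attribute next to its use, `memcached_servers = node['redborder']['memcached']['hosts']`, or hoisting the assignment to the top of the enclosing action, keeps the two pipeline sections independent of each other. The enclosing block starts and ends outside the hunk, so the shared scope cannot be confirmed from the diff.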
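Review bot: `"public_ip" => "src_is_malicious"` writes its verdict into the same target field as `"src" => "src_is_malicious"` two lines above; if the filter sets the target per key, whichever lookup runs last overwrites the other, so a hit on `src` can be cleared by a miss on `public_ip` (or the reverse), and `src_is_malicious` no longer says which address matched. The netflow template in this same commit maps the key to `"public_ip" => "public_ip_is_malicious"`; using that target here would keep the two pipelines consistent and preserve both results for detection. Whether the collision is intended cannot be told from the diff; if it is, a comment in the template saying why would save the next reader the question, as the file has none.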
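Review bot: `memcached_servers => <%=@memcached_servers%>` relies on the passed object's `to_s` to produce a valid Logstash value: an Array renders in its `inspect` form, which happens to match Logstash array syntax, but a single String or nil coming out of `node['redborder']['memcached']['hosts']` renders as an unquoted bare token or as nothing, and the pipeline fails to load at restart. Building the literal explicitly, `memcached_servers => [<%= Array(@memcached_servers).map(&:inspect).join(', ') %>]`, accepts either shape and quotes every host. The spaced `<%= @memcached_servers %>` form is also the usual ERB style. The intrusion template added by this commit (`intrusion_threat_intelligence.conf.erb`) has the identical line.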