forked from sysadminblog/barracuda-WF-logstash
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path20-barracuda.conf
112 lines (98 loc) · 3.27 KB
/
20-barracuda.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
# This filter will grok the log entries for the web access log.
filter {
if [type] == "barracuda" and [syslog_program] == "http_scan" {
grok { match => [ "message", "\d+ %{IP:src_ip} %{IP:dst_ip} %{DATA:content_type} \d+\.\d+\.\d+\.\d+ (?<request>(?<request_protocol>\w+)://(?<request_domain>[\w\.\-]+)(:(?<request_port>\d+))?(?<request_uri>[^\s]+)) (?<data_size>\d+) \w+ %{WORD:action} %{WORD:reason}\s+\w+ (?<match_flag>\d+) (?<time_qualified>\d+) (?<action_type>\d+) (?<source_type>\d+) \(%{DATA:src_detail}\) (?<dest_type>\d+) %{USERNAME:dest_detail} (?<spy_type>\d+) %{DATA:spy_id} (?<infection_score>\d+) (?<matched_part>[^\s]+) %{NOTSPACE:matched_category} \[%{NOTSPACE:user}\]\s+(?<referrer>(?<referrer_protocol>\w+)://(?<referrer_domain>[\w\.\-]+)(:(?<referrer_port>\d+))?(?<referrer_uri>[^\s]+)) [^\s]+ (?<referrer_category>[^\s]+)" ] }
if "_grokparsefailure" not in [tags] {
# Translations for action type
translate {
field => "action_type"
destination => "action_type"
override => true
dictionary => [
"0", "Allowed",
"1", "Denied",
"2", "Redirected",
"3", "Rewrite-New",
"4", "Rewrite-Existing",
"5", "Monitored",
"6", "Branched"
]
}
# Translations for the source type
translate {
field => "source_type"
destination => "source_type"
override => true
dictionary => [
"0", "Any",
"1", "Group",
"2", "IP",
"3", "Login",
"4", "Login-Any",
"5", "Score"
]
}
# Translations for the dest type
translate {
field => "dest_type"
destination => "dest_type"
override => true
dictionary => [
"0", "Any",
"1", "Category",
"2", "Category-Any",
"3", "Domain",
"4", "MIME",
"5", "Spyware",
"6", "URI-Patch",
"7", "URI",
"8", "Applications"
]
}
# Translations for the spyware type
translate {
field => "spy_type"
destination => "spy_type"
override => true
dictionary => [
"0", "Allow",
"1", "Block",
"2", "Infection"
]
}
# Set port number to 80 if none provided
if [request_port] !~ "\d+" {
mutate { add_field => [ "request_port", "80" ] }
}
# Set port number to 80 if none provided
if [referrer_port] !~ "\d+" {
mutate { add_field => [ "referrer_port", "80" ] }
}
# Get the DNS for the client IP
mutate { add_field => [ "src_ip_reverse", "%{src_ip}" ] }
dns {
reverse => [ "src_ip_reverse" ]
action => "replace"
}
# Get the destination server IP/reverse
mutate { add_field => [ "dst_ip_reverse" , "%{dst_ip}" ] }
dns {
reverse => [ "dst_ip_reverse" ]
action => "replace"
}
# Get the destination country
geoip {
add_tag => [ "GeoIP" ]
source => "dst_ip"
}
# Remove message field
mutate {
remove_field => [ "message" ]
}
# Convert Data_size field to integer to allow visualization of data transferred using average
mutate {
convert => { "data_size" => "integer" }
}
}
}
}