flb // suricata eve logs

in case you're on a gateway relaying DNS, you might want to skip those noisy port-53 flows in the stream processor before they reach the filters and the output; beware, however, that dropping everything on port 53 also hides DNS covert channels (tunnelling, exfiltration over TXT records) from whatever consumes the log downstream

vi /etc/fluent-bit/streams.conf
[STREAM_TASK]
        Name flow_no_dns
        Exec CREATE STREAM flowfix WITH (tag='source.flowfix') AS SELECT * from STREAM:tail.0 WHERE NOT dest_port = 53;
vi /etc/fluent-bit/fluent-bit.conf
[SERVICE]
    ...
        streams_file streams.conf

[INPUT]
        name tail
        path /var/log/suricata/eve.json
        tag eve
        parser json

[FILTER]
        name geoip2
        match source.flowfix
        database /etc/fluent-bit/GeoLite2-City.mmdb
        lookup_key src_ip
        record src.rescue src_ip %{country.names.ru}

[FILTER]
        name geoip2
        match source.flowfix
        database /etc/fluent-bit/GeoLite2-City.mmdb
        lookup_key dest_ip
        record dest.rescue dest_ip %{country.names.ru}

[FILTER]
        name modify
        match source.flowfix
        add sensor suricata@HOSTNAME-HERE

[OUTPUT]
        name file
        match source.flowfix
        path /var/log
        file fluent-bit.OUTPUT.log
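To make the trade-off in the DNS caveat concrete, here is an added Python example (not from this page, and not Fluent Bit's own code) that replays the `WHERE NOT dest_port = 53` stream predicate and the `sensor` enrichment over a handful of constructed eve.json lines. A second predicate drops only the port-53 `flow` records, keeps `alert` records, and retains `dns` records whose leftmost label looks like an encoded payload (long or high-entropy), so the covert-channel signal survives the noise reduction. The sample records, the sensor name and the length/entropy thresholds are assumptions chosen for the demonstration.

```python
import json
import math
from collections import Counter

# Constructed sample of Suricata eve.json records (not real traffic).
# The last line is deliberately malformed to show that a bad line is skipped.
SAMPLE_LINES = [
    json.dumps({"event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.1",
                "dest_port": 53, "proto": "UDP"}),
    json.dumps({"event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "93.184.216.34",
                "dest_port": 443, "proto": "TCP"}),
    json.dumps({"event_type": "dns", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.1",
                "dest_port": 53, "dns": {"type": "query", "rrname": "www.example.com",
                                         "rrtype": "A"}}),
    json.dumps({"event_type": "dns", "src_ip": "10.0.0.7", "dest_ip": "10.0.0.1",
                "dest_port": 53, "dns": {"type": "query",
                                         "rrname": "7a4f3b9e2c1d8a6f5e4b3c2d1a0f9e8d7c6b5a4.tunnel.example.net",
                                         "rrtype": "TXT"}}),
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.9", "dest_ip": "10.0.0.1",
                "dest_port": 53}),
    '{"event_type": "flow", "dest_port": 80',  # truncated line, must not crash the loop
]

# Assumed thresholds: hex/base32-encoded chunks in a label tend to be long and
# close to the entropy ceiling for their alphabet (4 bits for hex).
MAX_LABEL_LEN = 30
MIN_LABEL_ENTROPY = 3.5


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_suspicious_dns(rec: dict) -> bool:
    """Flag a dns record whose leftmost label looks like an encoded payload."""
    rrname = rec.get("dns", {}).get("rrname", "")
    label = rrname.split(".")[0]
    return len(label) >= MAX_LABEL_LEN or label_entropy(label) >= MIN_LABEL_ENTROPY


def keep_page(rec: dict) -> bool:
    """The predicate from streams.conf: WHERE NOT dest_port = 53."""
    return rec.get("dest_port") != 53


def keep_refined(rec: dict) -> bool:
    """Drop only port-53 flow noise; keep alerts and suspicious dns records."""
    if rec.get("dest_port") != 53:
        return True
    if rec.get("event_type") == "flow":
        return False            # the bulk of the noise on a DNS-relaying gateway
    if rec.get("event_type") == "dns":
        return is_suspicious_dns(rec)
    return True                 # alerts and anything else on port 53 stay


def process(lines, keep, sensor: str) -> list:
    """Parse JSON lines, apply the keep predicate, add the sensor field
    (the equivalent of the modify filter's `add sensor ...`)."""
    out = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue            # a truncated line is skipped, not fatal
        if keep(rec):
            rec["sensor"] = sensor
            out.append(rec)
    return out


if __name__ == "__main__":
    for name, pred in (("page predicate", keep_page), ("refined predicate", keep_refined)):
        kept = process(SAMPLE_LINES, pred, "suricata@sensor-01")
        print(name, "kept:", [r["event_type"] for r in kept])
```

Run as-is the page predicate keeps only the port-443 flow, while the refined one keeps the 443 flow, the long hex-labelled TXT query and the alert; the plain `www.example.com` query is still discarded. In Fluent Bit terms this is the difference between one `WHERE NOT dest_port = 53` stream and a stream that matches on `event_type` as well, with the entropy check left to a later stage since the stream processor's SQL has no such function.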

resources

https://www.elastic.co/guide/en/elasticsearch/reference/7.17/geo-point.html

Copyright © 2024 Pierre-Philipp Braun