flb // suricata eve logs

If the sensor sits on a gateway that relays DNS, you may want to skip those noisy flows – be aware, however, that doing so also hides DNS covert channels from this log.

vi /etc/fluent-bit/fluent-bit.conf
# Main Fluent Bit service section. "..." stands for the rest of the SERVICE
# block, which is not shown on this page.
[SERVICE]
    ...
# Both file names are relative; they are the two files created further down
# as /etc/fluent-bit/custom_parsers.conf and /etc/fluent-bit/streams.conf.
    parsers_file custom_parsers.conf
    streams_file streams.conf

# Tail Suricata's EVE JSON log; every line becomes one record tagged "eve".
# Being the first tail input, it is addressed as STREAM:tail.0 in streams.conf.
[INPUT]
    name tail
    path /var/log/suricata/eve.json
    tag eve
# json_no_time is defined in custom_parsers.conf (plain JSON, no time key), so
# presumably the record time is Fluent Bit's read time, not Suricata's
# "timestamp" field -- confirm if exact event timing matters downstream.
    parser json_no_time

# GeoLite2 City enrichment keyed on the flow's src_ip.
# Only records re-tagged by the stream task (source.flowfix) pass through here,
# i.e. the flows left after the port-53 exclusion; raw "eve" records are not matched.
[FILTER]
    name geoip2
    match source.flowfix
    database /etc/fluent-bit/GeoLite2-City.mmdb
    lookup_key src_ip
# record <new_key> <lookup_key> <mmdb field>: country.names.ru looks like the
# Russian-language country name; other locales live under country.names.
    record src.rescue src_ip %{country.names.ru}

# Same GeoLite2 City enrichment as above, keyed on dest_ip this time.
# Again scoped to source.flowfix, so it only sees flows that survived the
# port-53 exclusion in streams.conf.
[FILTER]
    name geoip2
    match source.flowfix
    database /etc/fluent-bit/GeoLite2-City.mmdb
    lookup_key dest_ip
# Stores the destination country name (ru locale) under dest.rescue.
    record dest.rescue dest_ip %{country.names.ru}

# Stamp every surviving record with the sensor identity, so records from
# several sensors can be told apart once collected centrally.
[FILTER]
    name modify
    match source.flowfix
# HOSTNAME-HERE is a placeholder: replace it with this sensor's hostname.
    add sensor suricata@HOSTNAME-HERE

# Write the filtered, enriched records to /var/log/fluent-bit.suricata.log.
# Only source.flowfix is matched; in the config shown here the raw "eve" tag has
# no output of its own, so the excluded port-53 flows are not written anywhere
# by Fluent Bit (Suricata's own eve.json still holds them).
[OUTPUT]
    name file
    match source.flowfix
    path /var/log
    file fluent-bit.suricata.log
vi /etc/fluent-bit/custom_parsers.conf
# JSON parser with no Time_Key / Time_Format, hence "no_time": Suricata's
# "timestamp" field is presumably kept as plain data rather than being used
# as the record time -- confirm against the records actually written.
[PARSER]
    name   json_no_time
    format json
vi /etc/fluent-bit/streams.conf
# Stream-processor task: re-emit every record from the tail input under the tag
# source.flowfix, dropping flows whose dest_port is 53 (DNS towards a resolver).
# The exclusion is by destination port only and by port number only, so anything
# tunnelled over port 53 is dropped along with legitimate DNS -- this is the
# "dns covert channels" caveat at the top of the page. Detection of DNS abuse
# therefore has to happen elsewhere (Suricata's own dns/alert events).
# NOTE(review): how records without a dest_port field (e.g. stats events) evaluate
# under "NOT dest_port = 53" is not shown here -- confirm whether they are kept or dropped.
[STREAM_TASK]
    Name flow_no_dns
    Exec CREATE STREAM flowfix WITH (tag='source.flowfix') AS SELECT * from STREAM:tail.0 WHERE NOT dest_port = 53;

resources

https://www.elastic.co/guide/en/elasticsearch/reference/7.17/geo-point.html


Copyright © 2024 Pierre-Philipp Braun