I have a list containing millions of malicious IP addresses, and I am using ELK to get and analyze data from multiple firewalls.
I receive millions of logs per day from the firewall, and my malicious IP address list is changing constantly.
I want to create a search or something else that compares the firewall logs and this malicious list of IP addresses.
If there is any match, the search should return the results, create an alarm, whatever. I just want to be aware of any match.
Can someone point me in a direction?
I have been exhausting my neurons on this task.
You need to analyse this IP address in a multi-field search.
The first analyser can be a stop analyser where you separate the IP address on the basis of . (dot).
The second analyser can be a standard analyser with a char filter which removes . out of the IP address and makes the entire IP address a single string.
So when you run your analysis you can multi-search your new IP address against both analysed forms of text we have. Any score beyond 80 percent can be considered a malicious IP for you. The percentage can be tweaked as per use case.
Actually, I am following another approach...
I was trying to compare two indices in elastic, and I was consuming a lot of time not getting anywhere.
I think the best way to compare data from the malicious hosts and the logs from the fws is to create a lookup/translate as soon as we get logs and enrich the incoming log with additional information.
Basically, my plan is to do a lookup/translate on the src/dst IP. If there is a match, I will tag the src/dst IP as malicious.
Here is the logstash filter I am preparing:
filter {
  translate {
    field            => "source_ip"               # source IP from the original log
    destination      => "malicious"               # new field created to tag the IP as malicious
    dictionary_path  => "/opt/minemeld/ipv4.yaml" # list of malicious addresses in YAML format
    refresh_interval => 300                       # refresh interval (seconds) for the YAML file
  }
}
The YAML file should look like this:
"1.1.1.1": "TRUE"
"2.2.2.2": "TRUE"
…
I can't test today, but I believe it will work.
Here is more info for those who face the same issue.
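The lookup/enrichment idea from the reply above, written out as an added Python example (not part of the thread and not Logstash's own code) so the behaviour can be checked offline before the translate filter goes into production. It assumes a dictionary file in the reply's `"ip":"TRUE"` one-entry-per-line format; the file path, the field names `source_ip`/`destination_ip` and the sample events are constructed for the example. It goes slightly beyond the thread by tagging both directions, skipping dictionary lines that are not valid IP addresses, and re-reading the file only when its modification time changes.

```python
"""Enrich firewall events with a malicious-IP lookup (constructed example)."""
import ipaddress
import os
import tempfile
from typing import Dict, List


def parse_dictionary(text: str) -> Dict[str, str]:
    """Parse the minimal "ip":"TRUE" mapping used in the thread.

    Tolerates straight or curly quotes, blank lines and '#' comments. Keys
    that are not valid IPv4/IPv6 addresses are skipped, so one bad line in a
    feed cannot poison the whole lookup table.
    """
    quotes = '"\'\u201c\u201d'
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip().strip(quotes)
        try:
            ipaddress.ip_address(key)
        except ValueError:
            continue
        table[key] = value.strip().strip(quotes)
    return table


class MaliciousIpLookup:
    """Dictionary loaded from a file and re-read when its mtime changes
    (the change-driven counterpart of translate's refresh_interval)."""

    def __init__(self, path: str) -> None:
        self.path = path
        self.mtime: float = -1.0
        self.table: Dict[str, str] = {}
        self.refresh()

    def refresh(self) -> bool:
        """Reload the file if it changed; return True when a reload happened."""
        mtime = os.path.getmtime(self.path)
        if mtime == self.mtime:
            return False
        with open(self.path, encoding="utf-8") as fh:
            self.table = parse_dictionary(fh.read())
        self.mtime = mtime
        return True

    def is_malicious(self, ip: str) -> bool:
        return ip in self.table


def enrich(event: dict, lookup: MaliciousIpLookup,
           fields=("source_ip", "destination_ip")) -> dict:
    """Return a copy of the event with a flag and a tag for each field that hits."""
    out = dict(event)
    tags = list(event.get("tags", []))
    for field in fields:
        ip = event.get(field)
        if ip is not None and lookup.is_malicious(ip):
            out[f"{field}_malicious"] = True
            tags.append(f"malicious_{field}")
    if tags:
        out["tags"] = tags
    return out


# Constructed sample feed (mixes curly and straight quotes plus one bad line).
SAMPLE_DICTIONARY = '\u201c1.1.1.1\u201d:\u201dTRUE\u201d\n"2.2.2.2":"TRUE"\nnot-an-ip:"TRUE"\n'

# Constructed sample firewall events.
SAMPLE_EVENTS = [
    {"source_ip": "10.0.0.5", "destination_ip": "1.1.1.1", "action": "allow"},
    {"source_ip": "2.2.2.2", "destination_ip": "10.0.0.9", "action": "deny"},
    {"source_ip": "10.0.0.7", "destination_ip": "8.8.8.8", "action": "allow"},
]


def run_demo() -> List[dict]:
    """Write the sample feed to a temporary file and enrich the sample events."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ipv4.yaml")  # hypothetical path
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_DICTIONARY)
        lookup = MaliciousIpLookup(path)
        return [enrich(event, lookup) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for enriched in run_demo():
        print(enriched)
```

The first event is flagged on its destination, the second on its source, and the third passes through untouched, which is the behaviour the Logstash filter above should reproduce once a second `translate` block is added for the destination field.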