Displaying two geoips on Kibana Coordinate Map

Elastic Stack Kibana
1

Hi, i'm new with elk stack, and need some help with my problem.

I have read the topic, basically on how to emulate something like an attack map cyber map, but I'm not sure if it is possible or not.

My objective is to show IP addresses from both source and destination IP if only it is from the internet on a Kibana coordinate map. I'm using the cidr function to add tags for both destination and source ip if it is from internal IP. By doing this, I'm able to filter out IPs from the internet and create a geo location.

This is my logstash conf file

//

		filter {
	   grok {
			match => [ "message", "%{SYSLOGTIMESTAMP:mytime} %{WORD:unuse1} %{WORD:unuse2}\[%{NUMBER:unuse3}\]\: \[%{NUMBER:sid}\:%{NUMBER:gid}\:%{NUMBER:rev}\] %{DATA:ids_data} \[Classification\: %{DATA:classification}\] \[Priority:\s+%{INT:priority}\] \{%{WORD:ids_proto}\}\s+%{IP:src_ip}\:%{INT:src_port}\s+\-\>\s+%{IP:dst_ip}\:%{INT:dst_port}" ]
		}
		#add tag to source IP which is coming from internal IP
		cidr{
			add_tag => ["internal_ip_source"]
			address => [ "%{src_ip}" ]
			network => ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
		}
		# create geoip for those IPs without tag
		if [tags] != "internal_ip_source"
		{	
			geoip{
				source => "[src_ip]"
				target => "internet_ip"
				add_field => [ "[internet_ip][source_coordinates]", "%{[internet_ip][longitude]}" ]
				add_field => [ "[internet_ip][source_coordinates]", "%{[internet_ip][latitude]}" ]
			}
			mutate {
				convert => [ "[internet_ip][source_coordinates]", "float"]
			}
		}
		
		
		
		#add tag to destination IP which is coming from internal IP
		cidr{
			add_tag => ["internal_ip_destination"]
			address => [ "%{dst_ip}" ]
			network => ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
		}
		# create geoip for those IPs without tag
		if [tags] != "internal_ip_source"
		{	
			geoip{
				source => "[dst_ip]"
				target => "internet_ip"
				add_field => [ "[internet_ip][destination_coordinates]", "%{[internet_ip][longitude]}" ]
				add_field => [ "[internet_ip][destination_coordinates]", "%{[internet_ip][latitude]}" ]
			}
			mutate {
				convert => [ "[internet_ip][destination_coordinates]", "float"]
			}
		}
		date {
			match => [ "mytime", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss", "MMMM dd HH:mm:ss", "ISO8601"] #need to match the date log pattern exactly 100 percent all the spaces, special characters 
			target => "@timestamp"
		}
		}

This is part of my mapping

 "internet_ip"  : {
      "dynamic": true,
      "properties" : {
        "ip": { "type": "ip" },
        "location" : { "type" : "geo_point" },
		"source_coordinates" : { "type" : "geo_point" },
		"destination_coordinates" : { "type" : "geo_point" },
        "latitude" : { "type" : "half_float" },
        "longitude" : { "type" : "half_float" }
      }
    }

I tried to run it on kibana, but source_coordinates and destination_coordinates data type does not change to geo_point.

2

Is that the active mapping from the index, or one you are applying before indexing?

4

im not sure which is which, most probably im applying it before indexing, is it possible to create two geo location?

5 
  elasticsearch {
 hosts => "localhost:9200"
 index => "snort_tcp%{+YYYY.MM.dd}"
 manage_template => true
 template => "c:\Program Files\logstash-6.3.0\templates\snorttcp.json"
 template_name => "snort_tcp*" }  stdout { codec => rubydebug } }
6

You can have multiple geopoints, yes. You should look at the _mapping endpoint for your index to see what has been applied.

7

to be honest, im not sure what to look for, so sorry to trouble you, from _mapping, i got something similar with what has been defined on my snorttcp.json with changing index something like "snort_tcp2018.06.05" , "snort_tcp2018.06.15"

8

If you can call one index with that endpoint and then paste the output, that'll help.

Just make sure you format it with code tags (backticks) or use the </> button.

9 
  "snort_tcp2018.07.11": {
"mappings": {
  "doc": {
    "dynamic_templates": [
      {
        "message_field": {
          "path_match": "message",
          "match_mapping_type": "string",
          "mapping": {
            "norms": false,
            "type": "text"
          }
        }
      },
      {
        "string_fields": {
          "match": "*",
          "match_mapping_type": "string",
          "mapping": {
            "fields": {
              "keyword": {
                "ignore_above": 256,
                "type": "keyword"
              }
            },
            "norms": false,
            "type": "text"
          }
        }
      }
    ],
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "@version": {
        "type": "keyword"
      },
      "beat": {
        "properties": {
          "hostname": {
            "type": "text",
            "norms": false,
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "name": {
            "type": "text",
            "norms": false,
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "version": {
            "type": "text",
            "norms": false,
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          }
        }
      },
      "dst_geoip": {
        "dynamic": "true",
        "properties": {
          "ip": {
            "type": "ip"
          },
          "latitude": {
            "type": "half_float"
          },
          "location": {
            "type": "geo_point"
          },
          "longitude": {
            "type": "half_float"
          }
        }
      },
      "host": {
        "properties": {
          "name": {
            "type": "text",
            "norms": false,
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          }
        }
      },
      "input": {
        "properties": {
          "type": {
            "type": "text",
            "norms": false,
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          }
        }
      },
      "message": {
        "type": "text",
        "norms": false
      },
      "offset": {
        "type": "long"
      },
      "prospector": {
        "properties": {
          "type": {
            "type": "text",
            "norms": false,
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          }
        }
      },
      "source": {
        "type": "text",
        "norms": false,
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "src_geoip": {
        "dynamic": "true",
        "properties": {
          "ip": {
            "type": "ip"
          },
          "latitude": {
            "type": "half_float"
          },
          "location": {
            "type": "geo_point"
          },
          "longitude": {
            "type": "half_float"
          }
        }
      },
      "syslog_hostname": {
        "type": "text",
        "norms": false,
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "syslog_message": {
        "type": "text",
        "norms": false,
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "syslog_pid": {
        "type": "text",
        "norms": false,
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "syslog_program": {
        "type": "text",
        "norms": false,
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "syslog_timestamp": {
        "type": "text",
        "norms": false,
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "tags": {
        "type": "text",
        "norms": false,
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      }
    }
  },
10 
 "_default_": {
    "dynamic_templates": [
      {
        "message_field": {
          "path_match": "message",
          "match_mapping_type": "string",
          "mapping": {
            "norms": false,
            "type": "text"
          }
        }
      },
      {
        "string_fields": {
          "match": "*",
          "match_mapping_type": "string",
          "mapping": {
            "fields": {
              "keyword": {
                "ignore_above": 256,
                "type": "keyword"
              }
            },
            "norms": false,
            "type": "text"
          }
        }
      }
    ],
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "@version": {
        "type": "keyword"
      },
      "dst_geoip": {
        "dynamic": "true",
        "properties": {
          "ip": {
            "type": "ip"
          },
          "latitude": {
            "type": "half_float"
          },
          "location": {
            "type": "geo_point"
          },
          "longitude": {
            "type": "half_float"
          }
        }
      },
      "src_geoip": {
        "dynamic": "true",
        "properties": {
          "ip": {
            "type": "ip"
          },
          "latitude": {
            "type": "half_float"
          },
          "location": {
            "type": "geo_point"
          },
          "longitude": {
            "type": "half_float"
          } 
       } 
   }
   } 
   }
  } 
  }
11

So it's mapped fine then.
I don't think you can currently have more than one geopoint field on a map though, you may need to look at using the Vega plugin for that instead.

12

what if i store both source ip and destination ip to target => geoip

if [tags] != "internal_ip_source"
		{	
			geoip {
				source => "[src_ip]"
				target => "geoip"
			}
		}

if [tags] != "internal_ip_source"
		{	
			geoip {
				source => "[dst_ip]"
				target => "geoip"
			}
		}

and the mapping would be something like

"geoip"  : {
      "dynamic": true,
      "properties" : {
        "ip": { "type": "ip" },
        "location" : { "type" : "geo_point" },
        "latitude" : { "type" : "half_float" },
        "longitude" : { "type" : "half_float" }
      }
    }

logically, it would just store both IP addresses right?

Btw, thanks for your help, i'll try to do some research on your recommendation.

13

But in the one geo field, which would be overwritten by whichever of your filters runs second.

14

This project, might help provide some insights:

15

Mapster is really cool. Too bad it isn't maintained. :frowning:

16

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.