Flag traffic from Tor exit nodes

I'm looking to flag any traffic hitting our edge that appears to come from a Tor exit node.

I've pulled a list of all exit nodes, which I'll later cron updates to, with:

curl -s https://check.torproject.org/exit-addresses | awk '/ExitAddress/ {print $2": Torified"}'

Then I'm planning to add a translate filter to check the exit list, and mutate that into a tag:

translate {
  field => "client_ip"
  destination => "tor_status"
  dictionary_path => "/etc/logstash/torexits.dict"
}
if [tor_status] {
  mutate {
    add_tag => "torified"
    remove_field => "tor_status"
  }
}

This works, but it seems a bit messy. On the other hand, I'm not sure I want an array with 1000+ IPs sitting in my Logstash config. It would make scheduled updates to the list trickier, too, requiring both templating and a restart.

Is there a way to check whether a field's contents exist in a list and, if so, add a tag... without adding unnecessary logic and without writing the list into config?

You could add in an exec input to do the curl into the translate file every so often too.

But until dynamic reloading gets released (5.0 I think?), this is the best way.
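As an added illustration of the approach in both the question and the reply (not code from the original thread), here is a script that turns the exit-addresses list into a dictionary file for the translate filter. It parses the record format served by check.torproject.org (ExitNode / Published / LastStatus / ExitAddress lines), collapses duplicate IPs, skips malformed addresses, and emits a YAML mapping; the sample list is constructed, the `Torified` label matches the awk one-liner above, and the output should be saved under a `.yml` path so the translate filter parses it as YAML. The translate filter re-reads `dictionary_path` on its `refresh_interval`, so regenerating the file from cron (or an exec input) is enough; no config change or restart is needed.

```python
"""Build a Logstash translate dictionary from the Tor exit-address list.

Added example, not from the original thread. The exit-addresses feed is a
series of relay records; only the ExitAddress lines matter for tagging.
"""
import ipaddress
import re

# Constructed sample in the exit-addresses format; fingerprints and IPs are made up.
SAMPLE_EXIT_LIST = """\
ExitNode AAAA000000000000000000000000000000000001
Published 2016-01-10 12:00:00
LastStatus 2016-01-10 13:00:00
ExitAddress 192.0.2.10 2016-01-10 12:30:00
ExitNode AAAA000000000000000000000000000000000002
Published 2016-01-10 12:05:00
LastStatus 2016-01-10 13:00:00
ExitAddress 192.0.2.10 2016-01-10 12:35:00
ExitAddress 198.51.100.7 2016-01-10 12:40:00
ExitNode AAAA000000000000000000000000000000000003
Published 2016-01-10 12:10:00
LastStatus 2016-01-10 13:00:00
ExitAddress not-an-ip 2016-01-10 12:45:00
"""

EXIT_LINE = re.compile(r"^ExitAddress\s+(\S+)")


def parse_exit_addresses(text):
    """Return the set of valid exit IPs. One IP can appear under several relays,
    so duplicates collapse; a malformed address is dropped rather than written
    into the dictionary where it would never match anything."""
    exits = set()
    for line in text.splitlines():
        m = EXIT_LINE.match(line)
        if not m:
            continue
        try:
            exits.add(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue
    return exits


def to_translate_yaml(exits, label="Torified"):
    """Render quoted 'ip: label' lines (a valid YAML mapping), sorted by address
    family and value so a cron job can diff successive versions of the file."""
    order = lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s))
    return "".join(f'"{ip}": {label}\n' for ip in sorted(exits, key=order))


def tor_tags(client_ip, exits):
    """Mirror the filter chain above: a hit on client_ip yields the 'torified' tag."""
    return ["torified"] if client_ip in exits else []
```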