I'm looking to flag any traffic hitting our edge that appears to come from a tor exit node.
I've pulled a list of all exit nodes, which I'll later update via cron, with:
# Keep only the "ExitAddress <ip> <timestamp>" lines and emit "<ip>: Torified" (YAML key/value per line)
curl -s https://check.torproject.org/exit-addresses | awk '/ExitAddress/ {print $2": Torified"}'
Then I'm planning to add a translate filter to check the exit list, and mutate that into a tag:
filter {
  # Look client_ip up in the exit-node dictionary; on a hit the value
  # ("Torified") is written to tor_status, otherwise tor_status is left unset.
  translate {
    field           => "client_ip"
    destination     => "tor_status"
    dictionary_path => "/etc/logstash/torexits.dict"
  }
  # tor_status only exists when the lookup matched, so tag and drop the helper field.
  if [tor_status] {
    mutate {
      add_tag      => "torified"
      remove_field => "tor_status"
    }
  }
}
This works, but it seems a bit messy. On the other hand, I'm not sure I want an array with 1000+ IPs sitting in my Logstash config. It would make scheduled updates to the list trickier, too, requiring both templating and a restart.
Is there a way to check whether a field's contents exist in a list and, if so, add a tag... without adding unnecessary logic and without writing the list into config?
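One way to keep this inside the translate filter itself, as an added example that is not part of the original question: translate's common `add_tag` option is only applied when the lookup succeeds, so the tag can be set without the separate conditional and helper field, and its `refresh_interval` option re-reads the dictionary file on a timer, so a cron job can rewrite the file without a pipeline restart. Assumptions in this example: the dictionary is the YAML produced by the curl/awk pipeline above (Logstash picks the dictionary parser by file extension, so the path uses .yml rather than .dict), the field is named client_ip, and a 300-second refresh is acceptable.

```conf
filter {
  translate {
    field            => "[client_ip]"
    # Write the match into @metadata: it is never sent to the output,
    # so there is nothing to remove afterwards.
    destination      => "[@metadata][tor_exit]"
    # YAML dictionary from the curl/awk pipeline ("1.2.3.4: Torified").
    # Parser is chosen by extension, hence .yml instead of .dict.
    dictionary_path  => "/etc/logstash/torexits.yml"
    # Re-read the file every 300 s; the cron job rewrites it in place
    # and no restart is needed.
    refresh_interval => 300
    # Common filter option: only applied when the lookup actually matched,
    # so events from non-exit addresses are left untouched.
    add_tag          => [ "torified" ]
  }
}
```

Have the cron job write the new dictionary to a temporary file and `mv` it over the old one rather than truncating it in place, so a refresh that fires mid-update never reads a half-written file. The translate filter does exact string matching by default, so the lookup is a plain dictionary hit on the literal client_ip value, which is all an exit-address list needs.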