Logstash and ip reputation


(Damstux) #1

Hello,

I have an ELK for my Apache Logs, everything OK.

I would like to query an IP reputation database to detect Tor, VPN, open-proxy, ... traffic on my website.

Have you got any idea?

I have contacted http://www.brightcloud.com/ and https://www.maxmind.com/ without success.


(Ed) #2

Only 2 things I can think of if it is not already in your data

You can have a file dictionary but I don't think that is what you want.
https://www.elastic.co/guide/en/logstash/current/plugins-filters-translate.html

The other idea, is just write the ruby code to fetch the data you need
https://www.elastic.co/guide/en/logstash/current/plugins-filters-ruby.html


(Pemontto) #3

We currently do this using the translate filter pointing to a YAML file structured like

<IP>: "<category>"

The dictionary, around 200k items, is loaded into memory on startup so it's quite performant. Although not ideal, it works for our tactical solution.
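
A pipeline fragment for the translate-filter approach described above, added here as an illustration rather than taken from the poster's setup; the dictionary path, the client-address field name and the category values are assumptions:

```conf
# Constructed dictionary file /etc/logstash/ip_reputation.yml (assumed path),
# one entry per line in the <IP>: "<category>" layout described above:
#   198.51.100.7: "tor-exit"
#   203.0.113.42: "open-proxy"
#   192.0.2.99:   "vpn"
filter {
  translate {
    # Client address as extracted from the Apache access log (assumed field name).
    # Older translate releases call these two options "field" and "destination".
    source           => "[source][address]"
    target           => "[threat][category]"
    dictionary_path  => "/etc/logstash/ip_reputation.yml"
    # Re-read the YAML when it changes on disk (seconds), so a refreshed feed
    # is picked up without restarting Logstash.
    refresh_interval => 300
    # Written when the address is not in the dictionary, so the field is
    # always present and searches can filter on it reliably.
    fallback         => "unlisted"
  }
  if [threat][category] != "unlisted" {
    mutate { add_tag => [ "ip_reputation_hit" ] }
  }
}
```

The whole dictionary is held in memory and re-read on refresh, so a feed of a few hundred thousand exact-match entries is fine, but very large or regex-based lists should be measured before going into production.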
