Logstash and ip reputation

(Damstux) #1


I have an ELK for my Apache Logs, everything OK.

I would like to query a reputation IP database to detect tor, vpn, open-proxy .... traffic on my website.

Have you got any idea?

I have contacted http://www.brightcloud.com/ and https://www.maxmind.com/ without success.

(Ed) #2

Only 2 things I can think of, if it is not already in your data:

You can have a file dictionary but I don't think that is what you want.

The other idea is to just write the Ruby code to fetch the data you need.

(Pemontto) #3

We currently do this using the translate filter pointing to a YAML file structured like

<IP>: "<category>"

The dictionary, around 200k items, is loaded into memory on startup so it's quite performant. Although not ideal, it works for our tactical solution.
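A pipeline fragment showing the translate-filter approach described in the post above, added here as an example and not taken from the original thread. It assumes the Apache access log was already parsed with grok's COMBINEDAPACHELOG pattern (so the client address sits in `clientip`); the dictionary path and its entries are constructed placeholders.

```logstash
# ip-reputation.conf (assumed file name)
#
# Constructed sample of the YAML dictionary loaded below, one entry per
# line in the <IP>: "<category>" layout from the post:
#
#   198.51.100.23: "tor-exit"
#   203.0.113.9: "open-proxy"
#   192.0.2.77: "vpn"
#
filter {
  translate {
    source           => "clientip"                  # client address from COMBINEDAPACHELOG
    target           => "[ip_reputation][category]" # where the category is written
    dictionary_path  => "/etc/logstash/ip-reputation.yml"  # assumed path
    refresh_interval => 3600    # re-read the file hourly so feed updates land without a restart
    exact            => true    # whole-value match on the address, no regex
    fallback         => "clean" # written when the address is not in the dictionary
  }

  # Tag matched events so dashboards and alerts can filter on one field
  if [ip_reputation][category] != "clean" {
    mutate {
      add_tag => [ "ip_reputation_hit" ]
    }
  }
}
```

The translate filter matches whole values only, so a feed that lists CIDR ranges has to be expanded to individual addresses before it goes into the YAML file, or handled separately with the cidr filter.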
