damstux
(Damstux)
June 20, 2015, 10:34am
1
Hello,
I have an ELK for my Apache Logs, everything OK.
I would like to query a reputation IP database to detect tor, vpn, open-proxy .... traffic on my website.
Have you got any idea?
I have contacted http://www.brightcloud.com/ and https://www.maxmind.com/ without success.
eperry
(Ed)
June 20, 2015, 5:28pm
2
Only 2 things I can think of if it is not already in your data
You can have a file dictionary but I don't think that is what you want.
https://www.elastic.co/guide/en/logstash/current/plugins-filters-translate.html
The other idea, is just write the ruby code to fetch the data you need
https://www.elastic.co/guide/en/logstash/current/plugins-filters-ruby.html
pemontto
(Pemontto)
June 22, 2015, 11:08am
3
We currently do this using the translate filter pointing to a YAML file structured like
<IP>: "<category>"
The dictionary, around 200k items, is loaded into memory on startup so it's quite performant. Although not ideal it works for our tactical solution.
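The lookup described in the two answers above (a `<IP>: "<category>"` YAML dictionary loaded once at startup, then consulted per event) can be reproduced outside Logstash in plain Ruby. The block below is an added example, not code from any of the posters or from the Logstash translate or ruby filter; the YAML dictionary, the Apache log lines and the `ip_reputation` field name are all constructed for illustration, and the `unknown` fallback mirrors what the translate filter's fallback option would give an IP that is not in the dictionary.

```ruby
require 'yaml'

# Constructed sample dictionary in the same shape as the YAML file the
# translate filter would point at: one "<IP>: <category>" entry per line.
REPUTATION_YAML = <<~YAML
  "198.51.100.10": "tor"
  "203.0.113.5": "vpn"
  "192.0.2.77": "open-proxy"
YAML

# Parsed once, the way the translate filter loads its dictionary at startup,
# so each event costs one hash lookup rather than a file read or HTTP call.
REPUTATION = YAML.safe_load(REPUTATION_YAML).freeze

# Apache combined log format: the client IP is the first field.
APACHE_LINE = /\A(?<client_ip>\S+) \S+ \S+ \[(?<timestamp>[^\]]+)\] "(?<request>[^"]*)" (?<status>\d{3}) (?<bytes>\S+)/

# Returns a hash with the fields we care about, or nil for a malformed line.
def parse_apache_line(line)
  m = APACHE_LINE.match(line)
  return nil unless m

  {
    'client_ip' => m[:client_ip],
    'timestamp' => m[:timestamp],
    'request' => m[:request],
    'status' => m[:status].to_i
  }
end

# Adds an ip_reputation field (assumed name) from the dictionary; IPs that are
# not listed get "unknown" instead of raising, like translate's fallback.
def classify_event(event, dictionary = REPUTATION)
  category = dictionary.fetch(event['client_ip'], 'unknown')
  event.merge('ip_reputation' => category)
end

# Parses and classifies a batch of lines, silently dropping unparseable ones.
def classify_log(lines, dictionary = REPUTATION)
  lines.map { |line| parse_apache_line(line) }
       .compact
       .map { |event| classify_event(event, dictionary) }
end

# Constructed Apache combined log lines; the last one is deliberately malformed.
SAMPLE_LOG = [
  '198.51.100.10 - - [20/Jun/2015:10:34:00 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [20/Jun/2015:10:34:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.40"',
  '192.0.2.200 - - [20/Jun/2015:10:34:05 +0000] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
  'this line is not an apache log entry'
].freeze

if __FILE__ == $PROGRAM_NAME
  classify_log(SAMPLE_LOG).each do |event|
    puts "#{event['client_ip']} #{event['ip_reputation']} #{event['request']} #{event['status']}"
  end
end
```

Keeping the dictionary keyed by the exact client IP string is what makes this fast, but it also means a reputation feed that publishes CIDR ranges would have to be expanded to individual addresses before it fits this shape.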