Ok, here is the entire configuration file:
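input {
  file {
    # Suricata EVE log: one JSON document per line, decoded by the json codec
    # into top-level event fields (event_type, dest_ip, alert.signature_id, ...).
    path => ["/var/log/suricata/eve.json"]
    # sincedb_path is a single path string, not an array.
    sincedb_path => "/var/lib/logstash/since.db"
    codec => json
  }
}

filter {
  if [event_type] == "alert" {
    # Suricata emits signature_id as a number (the sample event carries
    # "signature_id": 2009475), so the literals are written as numbers:
    # comparing a numeric field with a quoted string such as "2009475" does
    # not match in Logstash conditionals, which is the likely reason these
    # branches did not fire.
    # NOTE(review): the sample event has dest_ip 194.175.245.4, which matches
    # neither branch below, so it is expected to pass through unchanged.
    # NOTE(review): add_field values may be stored as strings; confirm in the
    # Elasticsearch mapping if a real boolean alert_confirm is required.
    if [dest_ip] == "194.175.245.9" and [alert][signature_id] == 2009702 {
      mutate { add_field => { "alert_confirm" => false } }
    }
    if [dest_ip] == "195.125.109.3" and [alert][signature_id] in [2002157, 2009475] {
      mutate { add_field => { "alert_confirm" => false } }
    }
  }
}

output {
  elasticsearch {
    # Credentials are sent in clear text over http://; use https:// where the
    # cluster supports TLS.
    hosts => ["http://localhost:9200"]
    index => "suricata"
    # Keep real credentials out of the pipeline file: store them in the
    # Logstash keystore and reference them as ${ES_USER} / ${ES_PASSWORD}.
    user => "user"
    password => "password"
  }
}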
And here is an event which gets processed:
{
"_index": "suricata",
"_type": "_doc",
"_id": "rTpQn3MBirb_Rfr8QbBc",
"_version": 1,
"_score": null,
"_source": {
"tx_id": 0,
"flow_id": 1724732766907214,
"@timestamp": "2020-07-30T10:41:43.665Z",
"vlan": [
1
],
"src_ip": "10.121.12.55",
"src_port": 58753,
"app_proto": "http",
"flow": {
"pkts_toserver": 4,
"bytes_toserver": 604,
"bytes_toclient": 219,
"pkts_toclient": 3,
"start": "2020-07-30T12:41:43.486222+0200"
},
"path": "/var/log/suricata/eve.json",
"timestamp": "2020-07-30T12:41:43.578856+0200",
"host": "ebjen-ids.vistec-eb.com",
"proto": "TCP",
"alert": {
"gid": 1,
"metadata": {
"created_at": [
"2010_07_30"
],
"updated_at": [
"2020_06_02"
]
},
"signature_id": 2009475,
"severity": 1,
"action": "allowed",
"rev": 12,
"signature": "ET POLICY TeamViewer Dyngate User-Agent",
"category": "Potential Corporate Privacy Violation"
},
"@version": "1",
"event_type": "alert",
"dest_ip": "194.175.245.4",
"in_iface": "enp5s0f1",
"dest_port": 8080,
"http": {
"http_user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)",
"status": 200,
"protocol": "HTTP/1.1",
"hostname": "client.teamviewer.com",
"length": 0,
"http_method": "CONNECT",
"url": "client.teamviewer.com:443",
"http_port": 443
}
},
"fields": {
"flow.start": [
"2020-07-30T10:41:43.486Z"
],
"@timestamp": [
"2020-07-30T10:41:43.665Z"
],
"timestamp": [
"2020-07-30T10:41:43.578Z"
]
},
"sort": [
1596105703665
]
}