Logstash - IP range to CIDR

HaranKumar · April 7, 2019, 8:32am

Hello Logstash Community,

I have parsed a set of IOC which is continuously pulled from TCP port. I have a field called @indicator which has IP values in range format (though it is a single IP value).
for example my field is available as 96.70.80.177-96.70.80.177
is there a way to convert this range type into individual CIDR format using from logstash filters ? or how to edit a original parsed field into different format as we want ?

kindly help me with troubleshooting this.

input {
 tcp {
  port => 5514
  }
}
filter {
  # Tag minemeld events
  if "@origin" in [message] {
    mutate {
      add_tag => "minemeld"
    }
    json {
      source => "message"
    }
  }
}
output {
  elasticsearch {
    hosts => "http://192.168.56.10:9200"
    index => "threat-intel-%{+YYYY.MM.dd}"
    cacert => "/etc/nginx/minemeld.cer"
  }
}

Badger · April 7, 2019, 2:56pm

Exactly what do you want the final event to look like?

HaranKumar · April 7, 2019, 3:53pm

Thanks Badger for looking into it.

Indicator field is in range form currently as in my screenshot image above.

I want to have it as single IP only. Not as range format.

Regards,

Haran

Badger · April 7, 2019, 4:03pm

dissect { mapping => { "@indicator" => "%{ip}-%{}" } }

HaranKumar · April 8, 2019, 11:42am

Thank you so much for the help @Badger . Unfortunately dissect is not trimming the IP in @indicator field.

Below is my new conf file. kindly let me know if I am missing something. I used "IPV4" value which is parsing in a field called type as a if condition for dissect.

input {
 tcp {
  port => 5514
  }
}
filter {
  # Tag minemeld events
  if "@origin" in [message] {
    mutate {
      add_tag => "minemeld"
    }
    json {
      source => "message"
    }
 }
  #dissecting IPV4 into CIDR format
  if "IPv4" in [type] {
    dissect {
      mapping => { "@indicator" => "%{ip}-%{}" }
    }
  }
}
output {
  elasticsearch {
    hosts => "http://192.168.56.10:9200"
    index => "logstash-threatintel-%{+YYYY.MM.dd}"
 }
}

Screenshot of new log after new conf file.

Badger · April 8, 2019, 12:07pm

OK, so it parsed the ip address into the field ip. That's what you wanted, right?

HaranKumar · April 8, 2019, 1:17pm

No No. Sorry if my explanation/requirement was not clear.

I have two fields parsing by default.
field:value
type:IPV4
@indicator:196.52.43.112-196.52.43.255

my requirement is @indicator field should have only 192.52.43.112

so i used dissect mapping as you suggested with if "IPV4" in [type] as if condition

if "IPv4" in [type] {
    dissect {
      mapping => { "@indicator" => "%{ip}-%{}" }
  }
}

Badger · April 8, 2019, 1:31pm

If you want to overwrite the field then you can do that

dissect { mapping => { "@indicator" => "%{@indicator}-%{}" } }

HaranKumar · April 8, 2019, 2:19pm

Awesom. Thanks @Badger . It did the magic. I was able to trim the @indicator field from range to single CIDR format.

system · May 6, 2019, 2:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.