Mark IP Value with an external list


(vomitar) #1

Hello everyone, it's my first topic here.
Scenario
I have to check if some IPs are SECURE, and I do it by checking the value (sent to me by Apache logs) against an external list, so I have to mark or add a field.

Here is an example with a static variable:

if [clientip] == "192.168.0.1" {
  mutate { add_field => [ "ORIGIN", "SAFE" ] }
} else {
  mutate { add_field => [ "ORIGIN", "MALICIOUS" ] }
}

Now I have to do the same, but I must check the IP against an external list (txt, csv, etc.).
I have tried to do it with Ruby:

if [clientip] {
  ruby {
    code => "
      # read the whole list file (this happens once per event)
      text = File.read('list.ip')
      ip = event['clientip']
      # escape the dots and anchor to a whole line so 192.168.0.1 cannot match 192.168.0.10
      if text =~ /^#{Regexp.escape(ip)}$/
        event['ORIGIN'] = 'MALICIOUS'
      end
    "
  }
}

Can you help me? Thank you.


(Christian Dahlqvist) #2

Have you looked at the translate plugin?


(vomitar) #3

Thank you for the answer. Yes, I have looked, but I don't know if it is the better way...


(Christian Dahlqvist) #4

It does cache the dictionary, so I would expect it to be considerably more efficient than a Ruby filter.


(vomitar) #5

Yes, loading the list into RAM is more efficient, but I don't know how to use the plugin for my needs.


(Christian Dahlqvist) #6

Create a dictionary with all SECURE IPs mapped to e.g. the string 'SECURE'. Then create a lookup and populate a field with this. If the field is then not set, you can assume it is not secure and label it MALICIOUS. Would that work?


(vomitar) #7

If I understood translate, it transforms a variable into another, e.g. an IP converted into SECURE (or not SECURE). I need to match the variable against a list to mark an additional FLAG with the keyword.
My solution:

  ruby { code => "
    ip = event['clientip']
    # read the list file for every event
    text = File.read('/tmp/IP.lst')
    # escape the dots and anchor to a whole line so 192.168.0.1 does not match 192.168.0.10
    if ip && text =~ /^#{Regexp.escape(ip)}$/
      event['ORIGIN'] = 'SECURE'
    else
      event['ORIGIN'] = 'MALICIOUS'
    end
    # debug output to the Logstash process stdout; drop this in production
    puts event['ORIGIN']
  "}
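
The list can be loaded once instead of on every event by using the ruby filter's init option, which runs a single time when the pipeline starts; the per-event code then only does an exact Set membership test and no file I/O. This is an added example, not code from the thread: the file /tmp/IP.lst (one IP per line, an assumed path) and the event['field'] syntax of the Logstash version used in this thread are assumptions (Logstash 5 and later use event.get and event.set).

```conf
filter {
  ruby {
    # init runs once at pipeline start: read the list into an instance
    # variable, which the per-event code below can see
    init => "
      require 'set'
      @secure_ips = Set.new(
        File.readlines('/tmp/IP.lst').map(&:strip).reject(&:empty?)
      )
    "
    # code runs per event: whole-value lookup, so 192.168.0.1 is not
    # confused with 192.168.0.10, and a missing clientip is labelled MALICIOUS
    code => "
      ip = event['clientip']
      event['ORIGIN'] = @secure_ips.include?(ip) ? 'SECURE' : 'MALICIOUS'
    "
  }
}
```

One caveat: the Set is built only at startup, so edits to /tmp/IP.lst are not picked up until the pipeline is restarted.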

(Christian Dahlqvist) #8

Translate allows you to perform a lookup against a dictionary based on the contents of a field, e.g. clientip, and populate a different field with the result, which could be SECURE or MALICIOUS as in your example. You could combine this with a conditional (the field containing the result of the lookup is not set) and use a mutate filter to then set it to MALICIOUS, which would be the default value. This should do what your Ruby filter does but avoid loading the file once for every event.
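
A filter block showing the translate lookup with the conditional default described in this reply. This is an added example, not configuration from the thread; the dictionary path /etc/logstash/secure_ips.yml and the two entries sketched in the comment are assumed values.

```conf
filter {
  # secure_ips.yml (constructed for this example), one entry per IP:
  #   "192.168.0.1": "SECURE"
  #   "10.0.0.5": "SECURE"
  translate {
    field            => "clientip"                      # source field from the Apache log
    destination      => "ORIGIN"                        # only set when clientip is in the dictionary
    dictionary_path  => "/etc/logstash/secure_ips.yml"  # cached in memory, not read per event
    exact            => true                            # whole-value match, not substring
    refresh_interval => 300                             # re-read the file every 5 minutes
  }
  # the conditional described above: no lookup hit means the field is absent,
  # so set the default label with mutate
  if ![ORIGIN] {
    mutate { add_field => { "ORIGIN" => "MALICIOUS" } }
  }
}
```

Because the dictionary is re-read on refresh_interval, adding an IP to the file does not require a pipeline restart. The translate filter also has a fallback option that sets the destination when no entry matches, which does the job of the conditional in a single setting. Newer versions of the plugin use source and target in place of field and destination.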


(vomitar) #9

Can you help me please? I'd like to use translate but don't know how to use it combined with a conditional.

Thank you very much.


(Christian Dahlqvist) #10

Have you had a look at the documentation? What have you tried so far?


(system) #11

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.