Hi all. I have to work with memcached for logstash to get the alerts about the destination IPs (belonging to C2 IPs) from my firewall's destination IPs. I have MISP for finding malicious/suspicious IPs about the traffic.
Keeping things simple, I can say that I have the collection of malicious IPs and the comments for them (in the form of - IP : comments).
I tried memcached by installing it on the logstash server and querying it. I populated one sample IP (using pymemcache); it worked 2 days back, but today I don't understand what went wrong and I am not able to get it to work (let's leave that aside). I've a bunch of C2 IPs with the comments and want to use these with logstash. (PS- I cannot describe how much I've been loving logstash's capabilities, it's amazing). But I cannot find any satisfactory layman's guide on memcached (all guides on the internet seem to just follow copy-paste).
Can someone please give a step-by-step guide on how to populate the IP:comment/detail relationship into memcached running on the local server?
PS- I've gone through every possible tutorial for memcached but didn't find a technically satisfying explanation. Hoping to get it here with a detailed configuration for memcached using input{.}, memcached{..}, output{..} real-world examples and configs.
Also, if any record is found matching an IP with a comment/detail, add a tag to it.
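The workflow asked for above, as an added example that is not part of the original post or of the Logstash/pymemcache projects: a pymemcache loader for the IP-to-comment pairs, an offline stand-in client, and the matching Logstash memcached filter block that tags the event on a hit. The sample indicators, the `c2:` key prefix and the `[destination][ip]` event field are assumptions.

```python
"""Load C2 indicators (IP -> comment) into memcached for the Logstash memcached filter."""
from typing import Iterable, Optional, Tuple

KEY_PREFIX = "c2:"  # assumed prefix so IOC keys cannot collide with other cached data
# Constructed sample indicators in the "IP : comment" form from the question.
SAMPLE_IOCS = [
    ("203.0.113.10", "Cobalt Strike C2 (MISP event 42)"),
    ("198.51.100.7", "Emotet tier-1 proxy"),
]

def ioc_key(ip: str) -> str:
    """Key written for an IP; the Logstash `get` pattern must produce the same string."""
    return KEY_PREFIX + ip.strip()

def load_iocs(client, iocs: Iterable[Tuple[str, str]], ttl: int = 0) -> int:
    """Write every (ip, comment) pair in one round trip and return the number stored.
    ttl=0 means the entries never expire, so re-run the loader on each MISP export."""
    payload = {ioc_key(ip): comment for ip, comment in iocs}
    failed = client.set_many(payload, expire=ttl)  # pymemcache returns the keys that failed
    return len(payload) - len(failed)

def lookup(client, ip: str) -> Optional[str]:
    """Same lookup Logstash performs: the comment on a hit, None on a miss."""
    value = client.get(ioc_key(ip))
    return value.decode() if isinstance(value, bytes) else value

class DictClient:
    """In-memory stand-in exposing the two pymemcache calls used above (offline runs)."""
    def __init__(self):
        self.store = {}
    def set_many(self, values, expire=0):
        self.store.update({k: v.encode() for k, v in values.items()})
        return []  # mirrors pymemcache: list of failed keys, empty on success
    def get(self, key):
        return self.store.get(key)

# Matching filter block; the firewall event field is assumed to be ECS [destination][ip].
LOGSTASH_FILTER = r'''
filter {
  memcached {
    hosts => ["127.0.0.1:11211"]
    get => { "c2:%{[destination][ip]}" => "[threat][indicator][description]" }
    add_tag => ["c2_destination"]   # added only when the lookup succeeds
  }
}
'''

if __name__ == "__main__":
    mc = DictClient()  # for a live server: pymemcache.client.base.Client(("127.0.0.1", 11211))
    print(load_iocs(mc, SAMPLE_IOCS), "loaded;", lookup(mc, "203.0.113.10"))
```

Events whose destination IP has no `c2:` key simply pass through without the field or the tag, so a later `if "c2_destination" in [tags]` conditional can route only the hits to an alerting output.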