如何将 Snort 警报日志提供给 Elasticsearch?

如何将 Snort 警报日志提供给 Elasticsearch?

我昨天开始ELK 指南并相当轻松地启动并运行了 ELK。接下来我想做的是将我的 Snort 警报日志插入其中。我使用过滤器和绝对讨厌的 Grok 正则表达式配置了 Logstash(如下所示),以使用以下方式拆分所有字段grok调试测试一下。然后我打开了 snort,警报日志开始填满,然后 logstash 重新启动(--configtest当然是在重新启动之后)。我安装了 ES“Head”插件,这样我就可以稍微探索一下。似乎我的 snort 警报正在与我的 syslog 映射进行映射,就像在 howto 中创建的一样(下图)。在 ES 中,我似乎无法使用 logstash 配置中定义的任何字段(ids_proto、src_ip、dst_ip)进行搜索。为什么会这样?我需要定义映射吗?还是这里出了其他问题?

在此处输入图片描述

input 
{
  file {
    path => "/var/log/snort/alert"
    type => "snort_tcp"  # a type to identify those logs (will need this later)
    start_position => beginning 
    ignore_older => 0      # Setting ignore_older to 0 disables file age checking so that the tutorial file is processed even though it’s older than a day. 
    sincedb_path => "/dev/null"
  }
}


filter {
 if [type] == "snort_tcp" {
      grok {
        add_tag => [ "IDS" ]
        match => [ "message", "%{MONTHNUM:month}\/%{MONTHDAY:day}-%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}\s+\[\*\*\]\s+\[%{INT:ids_gid}\:%{INT:ids_sid}\:%{INT:ids_rev}\]\s+%{DATA:ids_proto}\s+\[\*\*\]\s+\[Classification:\s+%{DATA:ids_classification}\]\s+\[Priority:\s+%{INT:priority}\]\s+\{%{WORD:ids_proto}\}\s+%{IP:src_ip}\:%{INT:src_port}\s+\-\>\s+%{IP:dst_ip}\:%{INT:dst_port}"]
      }
    }
    geoip {
      source => "[src_ip]"
      target => "SrcGeo"
    }
    geoip {
      source => "[dst_ip]"
      target => "DstGeo"
    }
        if [priority] == "1" {
      mutate {
        add_field => { "severity" => "High" }
      }
    }
    if [priority] == "2" {
      mutate {
        add_field => { "severity" => "Medium" }
      }
    }
    if [priority] == "3" {
      mutate {
        add_field => { "severity" => "Low" }
      }
    }
    if [ids_proto] {
      if [ids_proto] =~ /^GPL/ {
        mutate {
          add_tag => [ "Snort-ET-sig" ]
          add_field => [ "ids_rule_type", "Emerging Threats" ]
        }
      }
      if [ids_proto] =~ /^ET/ {
        mutate {
          add_tag => [ "Snort-ET-sig" ]
          add_field => [ "ids_rule_type", "Emerging Threats" ]
        }
      }
      if "Snort-ET-sig" not in [tags] {
        mutate {
          add_tag => [ "Snort-sig" ]
          add_field => [ "ids_rule_type", "Snort" ]
        }
      }
    }
if "Snort-sig" in [tags] {
      if [ids_gid] == "1" {
        mutate {
          add_field => [ "Signature_Info", "http://rootedyour/.com/snortsid?sid=%{ids_sid}" ]
        }
      }
      if [ids_gid] != "1" {
        mutate {
          add_field => [ "Signature_Info", "http://rootedyour.com/snortsid?sid=%{ids_gid}-%{ids_sid}" ]
        }
      }
    }
    if "Snort-ET-sig" in [tags] {
      mutate {
        add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{ids_sid}" ]
      }
    }
  }



output 
{
  elasticsearch 
   {
    hosts => ["localhost:9200"]
    manage_template => false
    index => "snort_tcp-%{+YYYY.MM.dd}"     
  }
}

答案1

这里有几件事:

  • logstash 创建的默认映射将所有字符串字段设置为未分析,这对下游查看工具来说更为友好。
  • 根本不设置映射,就像你正在做的那样,使用默认的 ElasticSearch动态映射,这不太适合 Logstash。

为了进行测试,我推荐以下输出部分:

output 
{
 elasticsearch 
  {
    hosts => ["localhost:9200"]
    manage_template => true
    index => "logstash-%{+YYYY.MM.dd}"     
  }
}

当以这种方式设置时,logstash 索引将获得默认的 logstash 映射,这可能更接近您的预期。如果是这种情况,您可能必须定义一个映射文件。

output 
{
 elasticsearch 
  {
    hosts => ["localhost:9200"]
    manage_template => true
    index => "snort_tcp-%{+YYYY.MM.dd}"
    template => "/etc/logstash/template.json"
    template_name => "snort_tcp"
  }
}

相关内容