Release 5.0.0 (#82)

* Add new filters for flow and intrusion (#79) * Add new filters for flow and intrusion * Update intrusion_threat_intelligence.conf.erb * Update netflow_threat_intelligence.conf.erb * Update config.rb * Release --------- Co-authored-by: Miguel Álvarez <[email protected]>
redBorder · Dec 30, 2024 · f46969c · f46969c
1 parent ff35d01
commit f46969c
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,11 @@
 cookbook-logstash CHANGELOG
 ===============
 
+## 5.0.0
+
+  - Miguel Álvarez
+    - [fcbea79] Add new filters for flow and intrusion (#79)
+
 ## 4.0.0
 
   - manegron

diff --git a/resources/metadata.rb b/resources/metadata.rb
@@ -3,4 +3,4 @@
 maintainer_email '[email protected]'
 license          'AGPL-3.0'
 description      'Installs/Configures cookbook-logstash'
-version          '4.0.0'
+version          '5.0.0'
diff --git a/resources/providers/config.rb b/resources/providers/config.rb
@@ -363,6 +363,19 @@
         notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring']
       end
 
+      memcached_servers = node['redborder']['memcached']['hosts']
+
+      template "#{pipelines_dir}/netflow/05_threat_intelligence.conf" do
+        source 'netflow_threat_intelligence.conf.erb'
+        owner user
+        group user
+        mode '0644'
+        ignore_failure true
+        cookbook 'logstash'
+        variables(memcached_servers: memcached_servers)
+        notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring']
+      end
+
       template "#{pipelines_dir}/netflow/90_splitflow.conf" do
         source 'netflow_splitflow.conf.erb'
         owner user
@@ -912,6 +925,17 @@
         notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring']
       end
 
+      template "#{pipelines_dir}/intrusion/07_threat_intelligence.conf" do
+        source 'intrusion_threat_intelligence.conf.erb'
+        owner user
+        group user
+        mode '0644'
+        ignore_failure true
+        cookbook 'logstash'
+        variables(memcached_servers: memcached_servers)
+        notifies :restart, 'service[logstash]', :delayed unless node['redborder']['leader_configuring']
+      end
+
       template "#{pipelines_dir}/intrusion/98_encode.conf" do
         source 'intrusion_encode.conf.erb'
         owner user

diff --git a/resources/templates/default/intrusion_threat_intelligence.conf.erb b/resources/templates/default/intrusion_threat_intelligence.conf.erb
@@ -0,0 +1,13 @@
+filter {
+  threatintelligence {
+    memcached_servers => <%=@memcached_servers%>
+    key_mapping => {
+      "src" => "src_is_malicious"
+      "dst" => "dst_is_malicious"
+      "public_ip" => "src_is_malicious"
+      "sha256" => "sha256_is_malicious"
+      "file_uri" => "file_uri_is_malicious"
+      "file_hostname" => "file_hostname_is_malicious"
+    }
+  }
+}
diff --git a/resources/templates/default/netflow_threat_intelligence.conf.erb b/resources/templates/default/netflow_threat_intelligence.conf.erb
@@ -0,0 +1,10 @@
+filter {
+  threatintelligence {
+    memcached_servers => <%=@memcached_servers%>
+    key_mapping => {
+      "lan_ip" => "lan_ip_is_malicious"
+      "wan_ip" => "wan_ip_is_malicious"
+      "public_ip" => "public_ip_is_malicious"
+    }
+  }
+}