diff --git a/docker/logstash/pipeline/30_network.conf b/docker/logstash/pipeline/30_network.conf
index 34508775..622f00e7 100644
--- a/docker/logstash/pipeline/30_network.conf
+++ b/docker/logstash/pipeline/30_network.conf
@@ -1,158 +1,158 @@ filter { if [dest_ip] { cidr { address => [ "%{dest_ip}" ] network => [ "0::/16", # unknown "fc00::/7", # local private network range "fe80::/10", # link-local "ff00::/16", # reserved "ff01::/16", # interface-local "ff02::/16", # link-local "ff03::/16", # IPv4 local scope "ff04::/16", # admin-local "ff05::/16", # site-local "ff06::/16", # reserved "ff07::/16", # reserved "ff08::/16", # organization-local "ff09::/16", # reserved "ff0a::/16", # reserved "ff0b::/16", # reserved "ff0c::/16", # reserved "ff0d::/16", # reserved "ff0e::/16", # global scope "ff0f::/16" # reserved ] add_tag => [ "domestic_dest" ] } cidr { address => [ "%{dest_ip}" ] network => [ "0.0.0.0/32", # unknown "224.0.0.0/24", # local subnetwork "224.0.1.0/24", # internetwork control "224.0.2.0/24", # ad-hoc block 1 "224.3.0.0/16", # ad-hoc block 2 "224.4.0.0/16", # ad-hoc block 2 "232.0.0.0/8", # source-specific multicast "233.252.0.0/6", # ad-hoc block 3 "234.0.0.0/8", # unicast-prefix based "239.0.0.0/8", # administratively scoped "255.255.255.255/32" # broadcast ] add_tag => [ "domestic_dest" ] } cidr { - address => [ "%{src_ip}" ] + address => [ "%{dest_ip}" ] network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ] add_tag => [ "domestic_dest" ] } cidr { add_tag => [ "localhost" ] address => [ "%{dest_ip}" ] - network => [ "127.0.0.1/8" ] + network => [ "127.0.0.0/8" ] } } if [src_ip] { cidr { address => [ "%{src_ip}" ] network => [ "0::/16", # unknown "fc00::/7", # local private network range "fe80::/10", # link-local "ff00::/16", # reserved "ff01::/16", # interface-local "ff02::/16", # link-local "ff03::/16", # IPv4 local scope "ff04::/16", # admin-local "ff05::/16", # site-local "ff06::/16", # reserved "ff07::/16", # reserved "ff08::/16", # organization-local "ff09::/16", # reserved "ff0a::/16", # reserved "ff0b::/16", # reserved "ff0c::/16", # reserved "ff0d::/16", # reserved "ff0e::/16", # global scope "ff0f::/16" # reserved ] add_tag => [ "domestic_src" ] } cidr 
{ address => [ "%{src_ip}" ] network => [ "0.0.0.0/32", # unknown "224.0.0.0/24", # local subnetwork "224.0.1.0/24", # internetwork control "224.0.2.0/24", # ad-hoc block 1 "224.3.0.0/16", # ad-hoc block 2 "224.4.0.0/16", # ad-hoc block 2 "232.0.0.0/8", # source-specific multicast "233.252.0.0/6", # ad-hoc block 3 "234.0.0.0/8", # unicast-prefix based "239.0.0.0/8", # administratively scoped "255.255.255.255/32" # broadcast ] add_tag => [ "domestic_src" ] } cidr { address => [ "%{src_ip}" ] network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ] add_tag => [ "domestic_src" ] } cidr { add_tag => [ "localhost" ] address => [ "%{src_ip}" ] - network => [ "127.0.0.1/8" ] + network => [ "127.0.0.0/8" ] } } if [dest_ip] or [src_ip] { if "localhost" in [tags] { mutate { remove_tag => [ "domestic_dest", "domestic_src" ] } } else { if "domestic_dest" in [tags] { if "domestic_src" in [tags] { mutate { add_tag => [ "domestic" ] remove_tag => [ "domestic_dest", "domestic_src" ] } } else { mutate { add_tag => [ "inbound" ] remove_tag => [ "domestic_dest" ] } } } else { if "domestic_src" in [tags] { mutate { add_tag => [ "outbound" ] remove_tag => [ "domestic_src" ] } } else { mutate { add_tag => [ "foreign" ] } } } } } }
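Review bot: The corrected `localhost` cidr blocks on both the dest_ip and src_ip sides still list only `127.0.0.0/8`, so the IPv6 loopback `::1` falls under the `0::/16` "unknown" entry and is tagged `domestic_dest`/`domestic_src` instead of `localhost`, meaning loopback-to-loopback IPv6 traffic ends up tagged `domestic` rather than having both tags removed. Adding the IPv6 loopback next to the IPv4 one in each of the two `network` arrays, i.e. `network => [ "127.0.0.0/8", "::1/128" ]`, would keep the two address families consistent. Separately, the context entry `"233.252.0.0/6"` labelled ad-hoc block 3 has host bits set below a /6 mask; if the cidr plugin normalises the address the match covers 232.0.0.0–235.255.255.255 (including the globally routable GLOP 233/8), so this looks like a typo for `/14`, the actual size of that block — worth confirming. The IPv4 lists also omit the 169.254.0.0/16 link-local range that the IPv6 lists cover via `fe80::/10`, so such addresses are currently classified `foreign`.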