From 86010a7bcd793b837b5e6718eebc4bde93c16c3b Mon Sep 17 00:00:00 2001
From: Peter Manev
Date: Mon, 31 Mar 2014 11:57:17 +0200
Subject: [PATCH] cookbook for Suricata IDPS

---
 index.md | 4 +++
 recipes/suricata-IDPS/index.md | 42 +++++++++++++++++++++++++++++
 recipes/suricata-IDPS/logstash.conf | 35 ++++++++++++++++++++++++
 3 files changed, 81 insertions(+)
 create mode 100644 recipes/suricata-IDPS/index.md
 create mode 100644 recipes/suricata-IDPS/logstash.conf

diff --git a/index.md b/index.md
index 1f940d6..6610d46 100644
--- a/index.md
+++ b/index.md
@@ -86,6 +86,10 @@ Have a NodeJS app? Get your logs into logstash efficiently with this cookbook.
 
 Sample configuration for parsing syslog messages from a Cisco ASA firewall
 
+## [ Suricata IDPS ](recipes/suricata-IDPS/)
+
+Sample configuration of Logstash for Suricata IDPS - Intrusion Detection and Prevention System - log analysis
+
 ## [The Logstash Book](http://www.logstashbook.com)
 
 An introductory Logstash book.
diff --git a/recipes/suricata-IDPS/index.md b/recipes/suricata-IDPS/index.md
new file mode 100644
index 0000000..e206615
--- /dev/null
+++ b/recipes/suricata-IDPS/index.md
@@ -0,0 +1,42 @@
+---
+layout: article
+title: logstash.conf for use with Suricata IDPS
+tags: Suricata,IDS,IPS
+---
+
+* Goal: Logstash configuration for Suricata IDPS log analysis.
+* Target audience: Users who wish to integrate Suricata IDPS logs for analysis in Logstash.
+
+# Usage
+
+- copy the provided logstash.conf in /etc/logstash/conf.d/logstash.conf
+- restart elasticsearch/logstash
+
+
+{% include_code logstash.conf %}
+
+
+# Kibana templates for Suricata IDPS
+
+https://github.com/pevma/Suricata-Logstash-Templates
+
+
+# Other instructions/tutorials - Suricata/Logstash installation
+
+https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output
+
+http://pevma.blogspot.com/2014/03/suricata-and-grand-slam-of-open-source_26.html
+
+https://home.regit.org/2014/03/suricata-ulogd-splunk-logstash/
+
+http://blog.inliniac.net/2014/03/25/suricata-2-0-and-beyond/
+
+
+# About Suricata IDPS - Intrusion Detection and Prevention System
+
+http://suricata-ids.org/
+
+http://www.openinfosecfoundation.org/
+
+http://planet.suricata-ids.org/
+
diff --git a/recipes/suricata-IDPS/logstash.conf b/recipes/suricata-IDPS/logstash.conf
new file mode 100644
index 0000000..698693f
--- /dev/null
+++ b/recipes/suricata-IDPS/logstash.conf
@@ -0,0 +1,35 @@
+input {
+  file {
+    path => ["/var/log/suricata/eve.json"]
+    codec => json
+    type => "SuricataIDPS-logs"
+  }
+
+}
+
+filter {
+  if [type] == "SuricataIDPS-logs" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+  }
+
+  if [src_ip] {
+    geoip {
+      source => "src_ip"
+      target => "geoip"
+      database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
+      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
+      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
+    }
+    mutate {
+      convert => [ "[geoip][coordinates]", "float" ]
+    }
+  }
+}
+
+output {
+  elasticsearch {
+    host => localhost
+  }
+}
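Review bot: The `if [src_ip]` block in logstash.conf is not nested under the `[type] == "SuricataIDPS-logs"` check, so the geoip lookup and the `mutate` convert run on any event from any input that happens to carry a src_ip, and only the source side is ever geolocated — for alerts on outbound flows the external address would be in a destination field and gets no location. Gating it with `if [type] == "SuricataIDPS-logs" and [src_ip] {` keeps the enrichment scoped to this pipeline; a parallel geoip block on the destination address writing to a separate target could be added if the events carry one alongside src_ip. The `database` path is tied to one install layout; a comment above it saying where GeoLiteCity.dat is expected to come from, and that it must be adjusted for other installs, would save readers a failing lookup. Since the `file` input sets no `start_position`, only lines appended after Logstash starts are indexed — worth a comment, or `start_position => "beginning"` if the alerts already in eve.json should be loaded on first run.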