8503-postprocess-freq_analysis_zeek_http.conf
# Author: Justin Henderson
# Email: jhenderson@tekrefresh.comes
# Last Update: 5/10/2016
#
# This conf file processes http.log records received from Zeek systems
filter {
  if [type] == "zeek_http" {
    # Frequency analysis of the observed virtual host (presumably the Host
    # header as recorded by Zeek). The score is obtained from a local freq.py
    # service; freq.py and its frequency table are expected under /opt/freq/.
    # The original author suggests that a score below 6 is a useful indicator
    # that something is worth investigating (a heuristic, not a verdict).
    #
    # Self-generated frequency tables give better accuracy. Setup questions:
    # https://github.com/SMAPPER
    if [virtual_host] {
      # Only score hosts whose sub-domain is longer than 5 characters.
      # [sub_domain] and [sub_domain_length] are presumably populated by an
      # earlier filter stage — confirm they exist before this file runs.
      if [sub_domain] and [sub_domain_length] > 5 {
        # [virtual_host] comes straight from observed traffic, so treat it as
        # untrusted input; it is handed to the local service as a query
        # parameter and the reply is stored in the target field.
        # NOTE(review): if localhost:10004 is unreachable, what happens to the
        # event depends on the rest filter's failure handling — confirm the
        # pipeline neither stalls nor silently drops events.
        rest {
          request => {
            method => "get"
            url    => "http://localhost:10004"
            params => {
              "tgt" => "%{virtual_host}"
              "cmd" => "measure1"
            }
          }
          # sprintf => true lets %{virtual_host} in params be interpolated per event
          sprintf => true
          target  => "virtual_host_frequency_score"
        }
      }
      # Normalise the score to a float and mirror it into a frequency_scores
      # field (the field may also be present if an earlier stage set it).
      if [virtual_host_frequency_score] {
        mutate {
          add_field => { "frequency_scores" => "%{virtual_host_frequency_score}" }
          convert   => { "virtual_host_frequency_score" => "float" }
        }
      }
    }
  }
}