@olivierlemoal
Last active August 29, 2015 14:04
```ruby
# encoding: utf-8
require "logstash/filters/base"
require "logstash/namespace"
require "elasticsearch"

# Check the content of an event field against an Elasticsearch index
# holding a blacklist. If the value is found, the target field of the
# event is set to "malware", otherwise to "clean".
#
# Written against the Logstash 1.x plugin API (event[...] accessors,
# "milestone"), which is what this gist targets.
class LogStash::Filters::Malware < LogStash::Filters::Base
  config_name "malware"
  milestone 1

  # The field containing the IP or the host. If this field is an
  # array, only the first value will be used.
  config :source, :validate => :string, :required => true

  # The name of the field to assign the result of the check to.
  config :target, :validate => :string, :required => true

  # The index holding the blacklist.
  config :index, :validate => :string, :required => true

  # Field in the index to compare the source value against.
  config :field, :validate => :string, :required => true, :default => "ip"

  # The Elasticsearch server where the index is located.
  config :es_host, :validate => :string, :required => true, :default => "localhost"

  # The Elasticsearch server port.
  config :es_port, :validate => :string, :required => true, :default => "9200"

  public
  def register
    @client = Elasticsearch::Client.new host: "#{@es_host}:#{@es_port}"
  end # def register

  public
  def filter(event)
    # return nothing unless there's an actual filter event
    return unless filter?(event)

    iporhost = event[@source]
    iporhost = iporhost.first if iporhost.is_a?(Array)
    # Nothing to look up: leave the event untouched rather than
    # labelling it "clean" or reporting a match.
    return if iporhost.nil?

    # Query the configured index (the original hard-coded
    # 'alienvault_blacklist' here and ignored the :index setting).
    # A match query is only an exact lookup if the blacklist field is
    # mapped not_analyzed (keyword in later Elasticsearch); on an
    # analyzed text field a host name such as "www.example.com" is
    # tokenized and partial hits yield false positives. size: 0 because
    # only the hit count is needed, not the documents.
    begin
      res = @client.search index: @index,
                           size: 0,
                           body: { query: { match: { @field => iporhost } } }
    rescue => e
      # Do not drop or mislabel the event when Elasticsearch is
      # unreachable; tag it so the failure is visible downstream.
      @logger.warn("malware filter: Elasticsearch lookup failed",
                   :value => iporhost, :exception => e)
      event.tag("_malware_lookup_failure")
      return
    end

    total = res["hits"]["total"]
    # Elasticsearch 7+ returns total as {"value" => n, "relation" => ...}
    total = total["value"] if total.is_a?(Hash)

    event[@target] = total.zero? ? "clean" : "malware"

    # filter_matched should go in the last line of our successful code
    filter_matched(event)
  end # def filter
end # class LogStash::Filters::Malware
```
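A pipeline configuration that wires the filter up, as an added usage example that is not part of the gist: the index name `alienvault_blacklist` and the `ip` field come from the gist's own query, while the input, the `src_ip` and `threat` field names and the `blacklisted` tag are assumptions made for illustration.

```logstash
# Hypothetical Logstash 1.x pipeline using the malware filter above
# (added example, not from the gist).
input {
  file { path => "/var/log/syslog" }   # assumption: any input that yields a message
}

filter {
  # assumption: pull the client address out of the message into src_ip
  grok { match => { "message" => "%{IP:src_ip}" } }

  malware {
    source  => "src_ip"               # event field holding the IP or host
    target  => "threat"               # receives "clean" or "malware"
    index   => "alienvault_blacklist" # index holding the blacklist
    field   => "ip"                   # blacklist field compared against source
    es_host => "localhost"
    es_port => "9200"
  }

  # Act on the verdict downstream, e.g. tag for alerting.
  if [threat] == "malware" {
    mutate { add_tag => ["blacklisted"] }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Two things to check before relying on the verdict: the `ip` field in the blacklist index must be mapped `not_analyzed` (keyword in later Elasticsearch versions) so the match query behaves as an exact lookup rather than a tokenized text search, and the filter performs one Elasticsearch round-trip per event, so the blacklist node becomes part of the ingest path's latency and availability budget.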