adliwahid · January 14, 2021 01:48
diff --git a/gistfile1.txt b/gistfile1.txt
 # There's a virustotal filter for logstash if you search the Internet 
 # I have a field hash that contains the sha256 of the file downloaded on the honeypot 
 # memcached is used to store the query results in memory 
 # query is made to memcached, if there's nothing there then make the http request with the API key 
 # memcached is used to minimize the # of queries made given the same file hash 
 # the returned results is stored in vt.* field . You may need to remove fields that you don't need 
 # you'll also need to install memcached and the logstash memcached filter 

 input {}

 filter {

 if [hash] {
     memcached {
            hosts => ["127.0.0.1:11211"]
            namespace => "virustotal"
            get => {
            "%{[hash]}" => "[vt]"
             }
             add_tag => ["hash_memcached_get"]
       }
  }
 if ((! [vt]) and ("" in [hash])) {
   http {
      url => "https://www.virustotal.com/api/v3/files/%{hash}"
      verb => "GET"
      headers => { "x-apikey"  =>  "INSERT_YOUR_VT_API_KEY_HERE" }
      target_body => "[vt]"
      target_headers => "[@metadata][vt-response-header]"
  }
  #set the results in memcached 
  if [vt] {
    memcached {
    hosts => ["127.0.0.1"]
    namespace => "virustotal"
    set => {
         "[vt]" => "%{[hash]}"
        }
    #3600 * 24 hr, store for 24 hours 
    ttl => 86400
    add_tag =>  ["hash_memcached_set"]
    
    }
  } 
 }

 #remove field that you don't need (example) 
 # if [vt] {
 #  mutate{
 #   remove_field => [
 #   "[vt][data][type]",
 #   "[vt][data][id]"
 #  ]
 # }
 #}

 }

 output{}
	# There's a virustotal filter for logstash if you search the Internet
	# I have a field hash that contains the sha256 of the file downloaded on the honeypot
	# memcached is used to store the query results in memory
	# query is made to memcached, if there's nothing there then make the http request with the API key
	# memcached is used to minimize the # of queries made given the same file hash
	# the returned results is stored in vt.* field . You may need to remove fields that you don't need
	# you'll also need to install memcached and the logstash memcached filter

	input {}

	filter {

	if [hash] {
	memcached {
	hosts => ["127.0.0.1:11211"]
	namespace => "virustotal"
	get => {
	"%{[hash]}" => "[vt]"
	}
	add_tag => ["hash_memcached_get"]
	}
	}
	if ((! [vt]) and ("" in [hash])) {
	http {
	url => "https://www.virustotal.com/api/v3/files/%{hash}"
	verb => "GET"
	headers => { "x-apikey" => "INSERT_YOUR_VT_API_KEY_HERE" }
	target_body => "[vt]"
	target_headers => "[@metadata][vt-response-header]"
	}
	#set the results in memcached
	if [vt] {
	memcached {
	hosts => ["127.0.0.1"]
	namespace => "virustotal"
	set => {
	"[vt]" => "%{[hash]}"
	}
	#3600 * 24 hr, store for 24 hours
	ttl => 86400
	add_tag => ["hash_memcached_set"]

	}
	}
	}

	#remove field that you don't need (example)
	# if [vt] {
	# mutate{
	# remove_field => [
	# "[vt][data][type]",
	# "[vt][data][id]"
	# ]
	# }
	#}

	}

	output{}