work on idaholab#19, added IR to countries of concern

mmguero-dev · Sep 2, 2021 · 5c02c57 · 5c02c57
1 parent f0148c8
commit 5c02c57
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -498,7 +498,7 @@ Various other environment variables inside of `docker-compose.yml` can be tweake
 
 * `CONNECTION_SECONDS_SEVERITY_THRESHOLD` - when [severity scoring](#Severity) is enabled, this variable indicates the duration threshold (in seconds) for assigning severity to long connections (default `3600`)
 
-* `QUESTIONABLE_COUNTRY_CODES` - when [severity scoring](#Severity) is enabled, this variable defines a comma-separated list of countries of concern (using [ISO 3166-1 alpha-2 codes](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Current_codes)) (default `'CN,KP,RU,UA'`)
+* `QUESTIONABLE_COUNTRY_CODES` - when [severity scoring](#Severity) is enabled, this variable defines a comma-separated list of countries of concern (using [ISO 3166-1 alpha-2 codes](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Current_codes)) (default `'CN,IR,KP,RU,UA'`)
 
 * `ES_EXTERNAL_HOSTS` – if specified (in the format `'10.0.0.123:9200'`), logs received by Logstash will be forwarded on to another external Elasticsearch instance in addition to the one maintained locally by Malcolm
 

diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml
@@ -112,7 +112,7 @@ x-common-lookup-variables: &common-lookup-variables
   FREQ_SEVERITY_THRESHOLD : '2.0'
   TOTAL_MEGABYTES_SEVERITY_THRESHOLD : 1000
   CONNECTION_SECONDS_SEVERITY_THRESHOLD : 3600
-  QUESTIONABLE_COUNTRY_CODES : 'CN,KP,RU,UA'
+  QUESTIONABLE_COUNTRY_CODES : 'CN,IR,KP,RU,UA'
 
 x-common-beats-variables: &common-beats-variables
   BEATS_SSL : 'false'

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -112,7 +112,7 @@ x-common-lookup-variables: &common-lookup-variables
   FREQ_SEVERITY_THRESHOLD : '2.0'
   TOTAL_MEGABYTES_SEVERITY_THRESHOLD : 1000
   CONNECTION_SECONDS_SEVERITY_THRESHOLD : 3600
-  QUESTIONABLE_COUNTRY_CODES : 'CN,KP,RU,UA'
+  QUESTIONABLE_COUNTRY_CODES : 'CN,IR,KP,RU,UA'
 
 x-common-beats-variables: &common-beats-variables
   BEATS_SSL : 'false'

diff --git a/logstash/pipelines/enrichment/19_severity.conf b/logstash/pipelines/enrichment/19_severity.conf
@@ -57,7 +57,7 @@ filter {
     if ([srcGEO]) or ([dstGEO]) or ([dns][GEO]) {
       ruby {
         id => "ruby_add_field_severity_geo"
-        init => "countriesStr = ENV['QUESTIONABLE_COUNTRY_CODES'] || 'CN,KP,RU,UA' ; $countries = countriesStr.gsub(/\s+/, '').upcase.split(',')"
+        init => "countriesStr = ENV['QUESTIONABLE_COUNTRY_CODES'] || 'CN,IR,KP,RU,UA' ; $countries = countriesStr.gsub(/\s+/, '').upcase.split(',')"
         code => "
           srcGEOs = event.get('[srcGEO]')
           dstGEOs = event.get('[dstGEO]')