diff --git a/docs/configuration.md b/docs/configuration.md
index d4e8af5..ec1569d 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -228,7 +228,7 @@ docker stack deploy --compose-file docker-compose.yml sc4s
 ## Dropping all data by ip or subnet
 In some cases rogue or port-probing data can be sent to SC4S from misconfigured devices or vulnerability scanners. Update
-the `vendor_product_by_source.conf` filter `f_catch_first` with one or more ip/subnet masks to drop events without
+the `vendor_product_by_source.conf` filter `f_null_queue` with one or more ip/subnet masks to drop events without
 logging. Note that drop metrics will be recorded.
diff --git a/package/etc/conf.d/filters/misc/catchfirst.conf b/package/etc/conf.d/filters/misc/catchfirst.conf
deleted file mode 100644
index 9005f11..0000000
--- a/package/etc/conf.d/filters/misc/catchfirst.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-#f_catch_first
-filter f_catch_first {
- match("^catch_first", value("fields.sc4s_vendor_product"));
-
-};
\ No newline at end of file
diff --git a/package/etc/conf.d/filters/misc/null_queue.conf b/package/etc/conf.d/filters/misc/null_queue.conf
new file mode 100644
index 0000000..561a2a8
--- /dev/null
+++ b/package/etc/conf.d/filters/misc/null_queue.conf
@@ -0,0 +1,5 @@
+#f_null_queue
+filter f_null_queue {
+ match("^null_queue", value("fields.sc4s_vendor_product"));
+
+};
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/lp-aaa-catch_first.conf.tmpl b/package/etc/conf.d/log_paths/lp-aaa-null_queue.conf.tmpl
similarity index 85%
rename from package/etc/conf.d/log_paths/lp-aaa-catch_first.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-aaa-null_queue.conf.tmpl
index b8fac16..41ce1ee 100644
--- a/package/etc/conf.d/log_paths/lp-aaa-catch_first.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-aaa-null_queue.conf.tmpl
@@ -2,7 +2,7 @@
 # vulnerability scanners to be ignored
 log {
- filter(f_catch_first);
+ filter(f_null_queue);
 flags(catchall,final);
diff --git a/package/etc/context_templates/vendor_product_by_source.conf.example b/package/etc/context_templates/vendor_product_by_source.conf.example
index 1115e34..1eb20df 100644
--- a/package/etc/context_templates/vendor_product_by_source.conf.example
+++ b/package/etc/context_templates/vendor_product_by_source.conf.example
@@ -2,7 +2,7 @@ filter f_test_test {
 host("testvp-*" type(glob))
 #or netmask(xxx.xxx.xxx.xxx/xx)
 };
-filter f_catch_first {
+filter f_null_queue {
 netmask(169.254.100.0/24)
 };
diff --git a/package/etc/context_templates/vendor_product_by_source.csv.example b/package/etc/context_templates/vendor_product_by_source.csv.example
index 302b8ca..0ea93b5 100644
--- a/package/etc/context_templates/vendor_product_by_source.csv.example
+++ b/package/etc/context_templates/vendor_product_by_source.csv.example
@@ -1,6 +1,6 @@
 f_test_test,sc4s_vendor_product,"test_test"
 f_brocade_syslog,sc4s_vendor_product,"brocade_syslog"
-f_catch_first,sc4s_vendor_product,"catch_first"
+f_null_queue,sc4s_vendor_product,"catch_first"
 f_cisco_meraki,sc4s_vendor_product,"cisco_meraki"
 f_citrix_netscaler,sc4s_vendor_product,"citrix_netscaler"
 f_dell_rsa_secureid,sc4s_vendor_product,"dell_rsa_secureid"
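Review bot: The renamed row in vendor_product_by_source.csv.example still assigns the value `"catch_first"` to sc4s_vendor_product, but the new filter in null_queue.conf matches `^null_queue` on that same field, so a deployment built from this example would tag the matched sources with a value the drop filter never sees. Those events would then fall through to the normal log paths instead of being dropped, which is the opposite of what the docs hunk promises for rogue or scanner traffic. The value should follow the rename: `f_null_queue,sc4s_vendor_product,"null_queue"`. It would also be worth grepping the rest of the repository for other `catch_first` string values that this rename leaves behind, since only the filter name was changed in this hunk.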