Any clue for my idea from graylog perspective?

(Blason) #1

Hi Guys,

I'm not sure how Graylog will help me here and need your insights on this. Or, if someone has already implemented something similar, could they give me feedback?

I have a honeypot set up at the perimeter level which has ELK, hence I'm wondering if I could output from that Logstash to Graylog and
then set up a stream,
manage rules,
and an HTTP callback action to the firewall API to block the hosts on the fly? That is, assuming any IP hits my honeypot more than 5 times, it will send an HTTP API call to the firewall to block the IP.

Can we achieve something similar?

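The pipeline asked about above, as an added example that is not part of this thread and not Graylog's own code: a per-source hit counter over a sliding window that, on the sixth hit from one IP, builds and sends a block request to a firewall. The firewall endpoint (`/api/blocklist`), its JSON body and bearer token, the log line format, the 600-second window and the sample events are all assumptions constructed for the example; in Graylog the counting would sit in a stream rule or pipeline and the call in an HTTP callback, here both are in one script so it runs offline.

```python
"""Threshold-based auto-block of honeypot sources (added example, not from the thread).
Honeypot event -> per-source hit counter -> HTTP call to a firewall API once a source
exceeds the threshold. Firewall endpoint, JSON body, log format and sample events are
constructed assumptions for illustration."""
import ipaddress
import json
import re
import urllib.request
from collections import defaultdict, deque
from typing import Callable, Optional

# Assumed line format (constructed): "<epoch-seconds> <src-ip> <event text>"
LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<event>.+)$")
THRESHOLD = 5         # the post says "more than 5 times", so the 6th hit triggers
WINDOW_SECONDS = 600  # sliding window; an assumption, the post names none
# Sources never auto-blocked (assumed internal ranges). Without this a spoofed
# or internal scanner can make the automation lock you out of your own firewall.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def parse_line(line: str) -> Optional[dict]:
    """Return {"ts", "src", "event"} for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None
    return {"ts": int(m.group("ts")), "src": str(src), "event": m.group("event")}

def is_allowlisted(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in ALLOWLIST)

def build_block_request(ip: str, base_url: str, token: str) -> urllib.request.Request:
    """Hypothetical firewall API: POST <base_url>/api/blocklist with a JSON body.
    Adapt path, body and auth header to the real firewall's API."""
    body = json.dumps({"ip": ip, "reason": "honeypot threshold"}).encode()
    req = urllib.request.Request(base_url + "/api/blocklist", data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "Bearer " + token)
    return req

def http_sender(base_url: str, token: str, timeout: float = 5.0) -> Callable[[str], bool]:
    """Sender that talks to the (hypothetical) firewall API; False on any failure."""
    def send(ip: str) -> bool:
        try:
            with urllib.request.urlopen(build_block_request(ip, base_url, token), timeout=timeout) as r:
                return 200 <= r.status < 300
        except Exception:
            return False  # firewall unreachable: source stays unblocked, retried on next hit
    return send

class AutoBlocker:
    """Counts hits per source in a sliding window; calls `sender` at most once per source."""
    def __init__(self, sender: Callable[[str], bool], threshold: int = THRESHOLD,
                 window: int = WINDOW_SECONDS):
        self.sender, self.threshold, self.window = sender, threshold, window
        self.hits = defaultdict(deque)   # src -> timestamps of recent hits
        self.blocked = set()

    def process(self, line: str) -> Optional[str]:
        """Feed one log line; return the IP if this line caused a block."""
        ev = parse_line(line)
        if ev is None:
            return None
        src, ts = ev["src"], ev["ts"]
        if src in self.blocked or is_allowlisted(src):
            return None
        q = self.hits[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) > self.threshold and self.sender(src):
            self.blocked.add(src)   # idempotent: the firewall is called once per IP
            return src
        return None

# Constructed sample events: a noisy scanner, a quiet source, an internal host,
# a source whose hits are spread beyond the window, and one malformed line.
T0 = 1700000000
SAMPLE_LOG = (
    [f"{T0 + 10 * i} 203.0.113.7 ssh-login-attempt" for i in range(6)]
    + [f"{T0 + 7 * i} 198.51.100.9 http-probe" for i in range(3)]
    + [f"{T0 + i} 10.0.0.5 vuln-scan" for i in range(7)]
    + [f"{T0 + 5 * i} 192.0.2.1 telnet-banner" for i in range(3)]
    + [f"{T0 + 1000 + 5 * i} 192.0.2.1 telnet-banner" for i in range(4)]
    + ["this line is not a honeypot event"]
)

def run_sample() -> dict:
    """Run the sample through a recording sender instead of a live firewall."""
    calls = []
    def record(ip: str) -> bool:
        calls.append(ip)
        return True
    blocker = AutoBlocker(record)
    blocked = [ip for ip in map(blocker.process, SAMPLE_LOG) if ip]
    return {"blocked": blocked, "calls": calls}
```

Running `run_sample()` blocks only `203.0.113.7`; the internal host is skipped by the allowlist, and `192.0.2.1` never reaches six hits inside one window. Two checks worth keeping when wiring this to a real firewall: a failed API call must not mark the source as blocked (so it is retried on the next hit), and the allowlist must cover every address you would not want automation to cut off. What the script does not do is expire blocks; a production setup should remove entries after some time or the blocklist only grows.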
(Jan Doberstein) #2

Something the other way around is already known to be implemented.

When someone logs into AD and is successfully authenticated, the IP of the device is enabled for access to the production network / intranet. If the person logs out, the access is removed.

(Blason) #3

Hmm… what is that? Any clue? Or any such software you are aware of?

(Jan Doberstein) #4

The known implementation is done with a Palo Alto firewall and plain vanilla Graylog.

(Blason) #5

Wow… would it be possible to share the code? I need to try the same with other firewalls. Or at least some idea of how this was done?

(Jan Doberstein) #6

When Graylog 3.0 is out, the customer will share the content pack for this.

Currently the content pack does not include the processing pipelines. That's why it is not easily shareable.

(Blason) #7

Okay… Where can I see the product roadmap? Just curious to know when 3.0 is going to be released.

(Jan Doberstein) #8

You get a kind of roadmap when looking into GitHub:

But we do not force a specific date, as that would only burn out developers. We have set a feature set, and that needs to be in a stable working version.