coolacid / logstash-filter-virustotal Goto Github PK

Not sure if you want to add this to the code or just want to document it but if somebody is on a network where they need to connect via http proxy in order to connect to the internet then they can just change the code in virustotal.rb to

    connection = Faraday.new(baseurl, ssl: {verify:false}) do |connection|
      # middleware ...
      connection.adapter :em_http

      connection.proxy "http://172.20.1.2:8080"

Or if they are making use of an HTTP proxy that requires authentication then change the code in virustotal.rb to:

    connection = Faraday.new(baseurl, ssl: {verify:false}) do |connection|
      # middleware ...
      connection.adapter :em_http

      connection.proxy "http://username:[email protected]:8080"

Hi,
I want to check the domain list I have. But there are only ip, hash and url as types. I think it will be necessary to add the domain type as well. Or can I use the Url type? thanks.

I configured my Logstash with an extra filter to automatically search for MD5 hashed on VT. The filter is defined as follow:

filter {
if ( [event_type] == "fileinfo" and [fileinfo][filename] =~ /(?i).(doc|pdf|exe)/ {
virustotal {
apikey => ""
field => '[fileinfo][md5]'
lookup_type => 'hash'
target => 'virustotal'
}
}
}

When multiple requests are sent in parallel or with a short delay, the Logstash process enters a stuck state and don't process any new incoming event! (+ all my forwarders are disconnected)

Somebody reported that the VT API is facing some issues for a few days. Is it related?

/x

Hello Everyone

I am getting following error while installing this plugin can any one help??

I'm trying to use the plugin with Logstash2.0 without any results.
I've configured my conf file using the snippet code below

virustotal {
        apikey => "myapikey"
        field => [src_ip]
        lookup_type => "url"
        target => "virustotal"
} 

If Logstash is started in debug mode, i obtain this output

Exception in filterworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {"exception"=>#<JSON::ParserError: A JSON text must at least contain two octets!>

JSON::ParserError: A JSON text must at least contain two octets!
 initialize at json/ext/Parser.java:175
        new at json/ext/Parser.java:151
      parse at /opt/logstash/vendor/bundle/jruby/1.9/gems/json-1.8.3-java/lib/json/common.rb:155
     filter at /opt/logstash/vendor/local_gems/0f94f654/logstash-filter-virustotal-0.1.1/lib/logstash/filters/virustotal.rb:53
multi_filter at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.0.0-java/lib/logstash/filters/base.rb:152
       each at org/jruby/RubyArray.java:1613
multi_filter at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.0.0-java/lib/logstash/filters/base.rb:149
filter_func at (eval):1467
filterworker at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.0.0-java/lib/logstash/pipeline.rb:219
start_filters at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.0.0-java/lib/logstash/pipeline.rb:154

How can i avoid this issue?
Thanks