CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #44 from weslambert/master

Browse Source 
Parsing Updates for Bro/Suricata
This commit is contained in:
Mike Reeves
2018-11-30 10:42:55 -05:00
committed by GitHub
parent 4c1ef81c33 7399172450
commit 02f9995cf5
5 changed files with 94 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
salt/bro/files/local.bro
View File

@@ -141,4 +141,5 @@
#@load custom/somebropolicy.bro #@load custom/somebropolicy.bro
# Write logs in JSON # Write logs in JSON
#redef LogAscii::use_json = T; redef LogAscii::use_json = T;
redef LogAscii::json_timestamps = JSON::TS_ISO8601;

3
salt/bro/files/local.bro.community
View File

@@ -129,4 +129,5 @@
#@load custom/somebropolicy.bro #@load custom/somebropolicy.bro
# Use JSON # Use JSON
#redef LogAscii::use_json = T; redef LogAscii::use_json = T;
redef LogAscii::json_timestamps = JSON::TS_ISO8601;

4
salt/filebeat/etc/filebeat.yml
View File

@@ -30,9 +30,9 @@ filebeat.prospectors:
paths: paths:
- /suricata/eve.json - /suricata/eve.json
fields: fields:
type: snort type: ids
engine: suricata
fields_under_root: true fields_under_root: true
tags: ["ids"]
clean_removed: false clean_removed: false
close_removed: false close_removed: false

87
salt/logstash/etc/logstash-template.json
View File

@@ -5,7 +5,8 @@
"settings":{ "settings":{
"number_of_replicas":0, "number_of_replicas":0,
"number_of_shards":1, "number_of_shards":1,
"index.refresh_interval":"30s" "index.refresh_interval":"30s",
"index.mapping.total_fields.limit": 10000
}, },
"mappings":{ "mappings":{
"doc":{ "doc":{
@@ -206,6 +207,10 @@
"basic_constraints_path_length":{ "basic_constraints_path_length":{
"type":"long" "type":"long"
}, },
"beat_host":{
"type":"object",
"dynamic": true
},
"bound_port":{ "bound_port":{
"type":"long" "type":"long"
}, },
@@ -860,6 +865,10 @@
} }
} }
}, },
"dhcp":{
"type":"object",
"dynamic": true
},
"dir":{ "dir":{
"type":"text", "type":"text",
"fields":{ "fields":{
@@ -884,6 +893,10 @@
} }
} }
}, },
"dns":{
"type":"object",
"dynamic": true
},
"domain_age":{ "domain_age":{
"type":"text", "type":"text",
"fields":{ "fields":{
@@ -919,6 +932,10 @@
} }
} }
}, },
"email":{
"type":"object",
"dynamic": true
},
"enabled":{ "enabled":{
"type":"text", "type":"text",
"fields":{ "fields":{
@@ -951,6 +968,14 @@
} }
} }
}, },
"engine":{
"type":"text",
"fields":{
"keyword":{
"type":"keyword"
}
}
},
"entry":{ "entry":{
"type":"text", "type":"text",
"fields":{ "fields":{
@@ -1066,6 +1091,10 @@
} }
} }
}, },
"fileinfo":{
"type":"object",
"dynamic": true
},
"file_ip":{ "file_ip":{
"type":"ip", "type":"ip",
"fields":{ "fields":{
@@ -1101,6 +1130,10 @@
} }
} }
}, },
"flow":{
"type":"object",
"dynamic": true
},
"flow_id":{ "flow_id":{
"type":"text", "type":"text",
"fields":{ "fields":{
@@ -1338,6 +1371,10 @@
} }
} }
}, },
"http":{
"type":"object",
"dynamic": true
},
"id":{ "id":{
"type":"text", "type":"text",
"fields":{ "fields":{
@@ -1346,6 +1383,14 @@
} }
} }
}, },
"ids_event_type":{
"type":"text",
"fields":{
"keyword":{
"type":"keyword"
}
}
},
"iin":{ "iin":{
"type":"text", "type":"text",
"fields":{ "fields":{
@@ -1647,6 +1692,10 @@
} }
} }
}, },
"krb5":{
"type":"object",
"dynamic": true
},
"last_alert":{ "last_alert":{
"type":"text", "type":"text",
"fields":{ "fields":{
@@ -1826,6 +1875,10 @@
} }
} }
}, },
"metadata":{
"type":"object",
"dynamic": true
},
"method":{ "method":{
"type":"text", "type":"text",
"fields":{ "fields":{
@@ -1907,6 +1960,10 @@
} }
} }
}, },
"netflow":{
"type":"object",
"dynamic": true
},
"next_protocol":{ "next_protocol":{
"type":"text", "type":"text",
"fields":{ "fields":{
@@ -2802,6 +2859,14 @@
} }
} }
}, },
"smb":{
"type":"object",
"dynamic": true
},
"smtp":{
"type":"object",
"dynamic": true
},
"software_type":{ "software_type":{
"type":"text", "type":"text",
"fields":{ "fields":{
@@ -3094,6 +3159,10 @@
} }
} }
}, },
"tcp":{
"type":"object",
"dynamic": true
},
"tcp_flags":{ "tcp_flags":{
"type":"text", "type":"text",
"fields":{ "fields":{
@@ -3243,6 +3312,14 @@
} }
} }
}, },
"tx_id":{
"type":"text",
"fields":{
"keyword":{
"type":"keyword"
}
}
},
"type":{ "type":{
"type":"text", "type":"text",
"fields":{ "fields":{
@@ -3294,6 +3371,14 @@
"uri_length":{ "uri_length":{
"type":"long" "type":"long"
}, },
"url":{
"type":"text",
"fields": {
"keyword":{
"type":"keyword"
}
}
},
"username":{ "username":{
"type":"text", "type":"text",
"fields": { "fields": {

4
salt/logstash/files/dynamic/9033_output_snort.conf
View File

@@ -9,14 +9,14 @@
# Last Update: 12/9/2016 # Last Update: 12/9/2016
filter { filter {
if [event_type] == "snort" and "test_data" not in [tags] { if [event_type] == "ids" and "test_data" not in [tags] {
mutate { mutate {
##add_tag => [ "conf_file_9033"] ##add_tag => [ "conf_file_9033"]
} }
} }
} }
output { output {
if [event_type] == "snort" and "test_data" not in [tags] { if [event_type] == "ids" and "test_data" not in [tags] {
#stdout { codec => rubydebug } #stdout { codec => rubydebug }
elasticsearch { elasticsearch {
hosts => "{{ ES }}" hosts => "{{ ES }}"