CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #44 from weslambert/master

Browse Source 
Parsing Updates for Bro/Suricata
This commit is contained in:
Mike Reeves
2018-11-30 10:42:55 -05:00
committed by GitHub
parent 4c1ef81c33 7399172450
commit 02f9995cf5
5 changed files with 94 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
salt/bro/files/local.bro
View File

@@ -141,4 +141,5 @@
#@load custom/somebropolicy.bro
# Write logs in JSON
#redef LogAscii::use_json = T;
redef LogAscii::use_json = T;
redef LogAscii::json_timestamps = JSON::TS_ISO8601;

3
salt/bro/files/local.bro.community
View File

@@ -129,4 +129,5 @@
#@load custom/somebropolicy.bro
# Use JSON
#redef LogAscii::use_json = T;
redef LogAscii::use_json = T;
redef LogAscii::json_timestamps = JSON::TS_ISO8601;

4
salt/filebeat/etc/filebeat.yml
View File

@@ -30,9 +30,9 @@ filebeat.prospectors:
paths:
- /suricata/eve.json
fields:
type: snort
type: ids
engine: suricata
fields_under_root: true
tags: ["ids"]
clean_removed: false
close_removed: false

87
salt/logstash/etc/logstash-template.json
View File

@@ -5,7 +5,8 @@
"settings":{
"number_of_replicas":0,
"number_of_shards":1,
"index.refresh_interval":"30s"
"index.refresh_interval":"30s",
"index.mapping.total_fields.limit": 10000
},
"mappings":{
"doc":{
@@ -206,6 +207,10 @@
"basic_constraints_path_length":{
"type":"long"
},
"beat_host":{
"type":"object",
"dynamic": true
},
"bound_port":{
"type":"long"
},
@@ -860,6 +865,10 @@
}
}
},
"dhcp":{
"type":"object",
"dynamic": true
},
"dir":{
"type":"text",
"fields":{
@@ -884,6 +893,10 @@
}
}
},
"dns":{
"type":"object",
"dynamic": true
},
"domain_age":{
"type":"text",
"fields":{
@@ -919,6 +932,10 @@
}
}
},
"email":{
"type":"object",
"dynamic": true
},
"enabled":{
"type":"text",
"fields":{
@@ -951,6 +968,14 @@
}
}
},
"engine":{
"type":"text",
"fields":{
"keyword":{
"type":"keyword"
}
}
},
"entry":{
"type":"text",
"fields":{
@@ -1066,6 +1091,10 @@
}
}
},
"fileinfo":{
"type":"object",
"dynamic": true
},
"file_ip":{
"type":"ip",
"fields":{
@@ -1101,6 +1130,10 @@
}
}
},
"flow":{
"type":"object",
"dynamic": true
},
"flow_id":{
"type":"text",
"fields":{
@@ -1338,6 +1371,10 @@
}
}
},
"http":{
"type":"object",
"dynamic": true
},
"id":{
"type":"text",
"fields":{
@@ -1346,6 +1383,14 @@
}
}
},
"ids_event_type":{
"type":"text",
"fields":{
"keyword":{
"type":"keyword"
}
}
},
"iin":{
"type":"text",
"fields":{
@@ -1647,6 +1692,10 @@
}
}
},
"krb5":{
"type":"object",
"dynamic": true
},
"last_alert":{
"type":"text",
"fields":{
@@ -1826,6 +1875,10 @@
}
}
},
"metadata":{
"type":"object",
"dynamic": true
},
"method":{
"type":"text",
"fields":{
@@ -1907,6 +1960,10 @@
}
}
},
"netflow":{
"type":"object",
"dynamic": true
},
"next_protocol":{
"type":"text",
"fields":{
@@ -2802,6 +2859,14 @@
}
}
},
"smb":{
"type":"object",
"dynamic": true
},
"smtp":{
"type":"object",
"dynamic": true
},
"software_type":{
"type":"text",
"fields":{
@@ -3094,6 +3159,10 @@
}
}
},
"tcp":{
"type":"object",
"dynamic": true
},
"tcp_flags":{
"type":"text",
"fields":{
@@ -3243,6 +3312,14 @@
}
}
},
"tx_id":{
"type":"text",
"fields":{
"keyword":{
"type":"keyword"
}
}
},
"type":{
"type":"text",
"fields":{
@@ -3294,6 +3371,14 @@
"uri_length":{
"type":"long"
},
"url":{
"type":"text",
"fields": {
"keyword":{
"type":"keyword"
}
}
},
"username":{
"type":"text",
"fields": {

4
salt/logstash/files/dynamic/9033_output_snort.conf
View File

@@ -9,14 +9,14 @@
# Last Update: 12/9/2016
filter {
if [event_type] == "snort" and "test_data" not in [tags] {
if [event_type] == "ids" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9033"]
}
}
}
output {
if [event_type] == "snort" and "test_data" not in [tags] {
if [event_type] == "ids" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"