CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

zeek http2

Browse Source 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
This commit is contained in:
reyesj2
2024-11-14 09:09:23 -06:00
parent ba7a6dbbf0
commit 1113c3924f
4 changed files with 46 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
salt/elasticsearch/files/ingest/zeek.http2 Normal file
View File

@@ -0,0 +1,37 @@
{
"description" : "zeek.http2",
"processors" : [
{ "set": { "field": "event.dataset", "value": "http2" } },
{ "set": { "field": "network.transport", "value": "tcp" } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.trans_depth", "target_field": "http.trans_depth", "ignore_missing": true } },
{ "rename": { "field": "message2.method", "target_field": "http.method", "ignore_missing": true } },
{ "rename": { "field": "message2.host", "target_field": "http.virtual_host", "ignore_missing": true } },
{ "rename": { "field": "message2.uri", "target_field": "http.uri", "ignore_missing": true } },
{ "rename": { "field": "message2.referrer", "target_field": "http.referrer", "ignore_missing": true } },
{ "rename": { "field": "message2.version", "target_field": "http.version", "ignore_missing": true } },
{ "rename": { "field": "message2.user_agent", "target_field": "http.useragent", "ignore_missing": true } },
{ "rename": { "field": "message2.request_body_len", "target_field": "http.request.body.length", "ignore_missing": true } },
{ "rename": { "field": "message2.response_body_len", "target_field": "http.response.body.length", "ignore_missing": true } },
{ "rename": { "field": "message2.status_code", "target_field": "http.status_code", "ignore_missing": true } },
{ "rename": { "field": "message2.status_msg", "target_field": "http.status_message", "ignore_missing": true } },
{ "rename": { "field": "message2.info_code", "target_field": "http.info_code", "ignore_missing": true } },
{ "rename": { "field": "message2.info_msg", "target_field": "http.info_message", "ignore_missing": true } },
{ "rename": { "field": "message2.username", "target_field": "http.user", "ignore_missing": true } },
{ "rename": { "field": "message2.password", "target_field": "http.password", "ignore_missing": true } },
{ "rename": { "field": "message2.proxied", "target_field": "http.proxied", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_fuids", "target_field": "log.id.orig_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_filenames", "target_field": "file.orig_filenames", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_mime_types", "target_field": "file.orig_mime_types", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_fuids", "target_field": "log.id.resp_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_filenames", "target_field": "file.resp_filenames", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_mime_types", "target_field": "file.resp_mime_types", "ignore_missing": true } },
{ "rename": { "field": "message2.stream_id", "target_field": "http2.stream_id", "ignore_missing": true } },
{ "remove": { "field": "message2.tags", "ignore_failure": true } },
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "script": { "lang": "painless", "source": "ctx.uri_length = ctx.uri.length()", "ignore_failure": true } },
{ "script": { "lang": "painless", "source": "ctx.useragent_length = ctx.useragent.length()", "ignore_failure": true } },
{ "script": { "lang": "painless", "source": "ctx.virtual_host_length = ctx.virtual_host.length()", "ignore_failure": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

4
salt/kibana/files/saved_objects.ndjson
View File

File diff suppressed because one or more lines are too long

12
salt/soc/defaults.yaml
View File

@@ -1649,23 +1649,23 @@ soc:
showSubtitle: true showSubtitle: true
- name: HTTP - name: HTTP
description: HTTP grouped by destination port description: HTTP grouped by destination port
query: 'tags:http | groupby destination.port' query: 'tags:(http OR http2) | groupby destination.port'
showSubtitle: true showSubtitle: true
- name: HTTP - name: HTTP
description: HTTP grouped by status code and message description: HTTP grouped by status code and message
query: 'tags:http | groupby http.status_code http.status_message' query: 'tags:(http OR http2) | groupby http.status_code http.status_message'
showSubtitle: true showSubtitle: true
- name: HTTP - name: HTTP
description: HTTP grouped by method and user agent description: HTTP grouped by method and user agent
query: 'tags:http | groupby http.method http.useragent' query: 'tags:(http OR http2) | groupby http.method http.useragent'
showSubtitle: true showSubtitle: true
- name: HTTP - name: HTTP
description: HTTP grouped by virtual host description: HTTP grouped by virtual host
query: 'tags:http | groupby http.virtual_host' query: 'tags:(http OR http2) | groupby http.virtual_host'
showSubtitle: true showSubtitle: true
- name: HTTP - name: HTTP
description: HTTP with exe downloads description: HTTP with exe downloads
query: 'tags:http AND file.resp_mime_types:*exec* | groupby http.virtual_host' query: 'tags:(http OR http2) AND file.resp_mime_types:*exec* | groupby http.virtual_host'
showSubtitle: true showSubtitle: true
- name: Intel - name: Intel
description: Intel framework hits grouped by indicator description: Intel framework hits grouped by indicator
@@ -1892,7 +1892,7 @@ soc:
query: 'tags:ftp | groupby ftp.command | groupby -sankey ftp.command source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby ftp.argument | groupby ftp.user' query: 'tags:ftp | groupby ftp.command | groupby -sankey ftp.command source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby ftp.argument | groupby ftp.user'
- name: HTTP - name: HTTP
description: HTTP (Hyper Text Transport Protocol) network metadata description: HTTP (Hyper Text Transport Protocol) network metadata
query: 'tags:http | groupby http.method | groupby -sankey http.method http.virtual_host | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' query: 'tags:(http OR http2) | groupby http.method | groupby -sankey http.method http.virtual_host | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Intel - name: Intel
description: Zeek Intel framework hits description: Zeek Intel framework hits
query: 'tags:intel | groupby intel.indicator | groupby -sankey intel.indicator source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby intel.indicator_type | groupby intel.seen_where' query: 'tags:intel | groupby intel.indicator | groupby -sankey intel.indicator source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby intel.indicator_type | groupby intel.seen_where'

1
salt/zeek/defaults.yaml
View File

@@ -69,6 +69,7 @@ zeek:
- zeek-plugin-profinet - zeek-plugin-profinet
- zeek-spicy-wireguard - zeek-spicy-wireguard
- zeek-spicy-stun - zeek-spicy-stun
- http2
load-sigs: load-sigs:
- frameworks/signatures/detect-windows-shells - frameworks/signatures/detect-windows-shells
redef: redef: