From 124d56f4b9b5bfce7232b32056850536657c6f28 Mon Sep 17 00:00:00 2001
From: doug
Date: Tue, 29 Nov 2022 07:36:30 -0500
Subject: [PATCH] update zeek cip parsers

---
 salt/elasticsearch/files/ingest/zeek.cip | 28 +++++++--------
 .../files/ingest/zeek.cip_identity | 34 +++++++++----------
 salt/elasticsearch/files/ingest/zeek.cip_io | 16 ++++-----
 3 files changed, 39 insertions(+), 39 deletions(-)

diff --git a/salt/elasticsearch/files/ingest/zeek.cip b/salt/elasticsearch/files/ingest/zeek.cip
index 22f678594..e03237ad6 100644
--- a/salt/elasticsearch/files/ingest/zeek.cip
+++ b/salt/elasticsearch/files/ingest/zeek.cip
@@ -1,19 +1,19 @@
 {
 "description" : "zeek.cip",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.is_orig", "target_field": "cip.is.origin", "ignore_missing": true } },
- { "rename": { "field": "message2.cip_sequence_count", "target_field": "cip.sequence_count", "ignore_missing": true } },
- { "rename": { "field": "message2.direction", "target_field": "cip.direction", "ignore_missing": true } },
- { "rename": { "field": "message2.cip_service_code", "target_field": "cip.service_code", "ignore_missing": true } },
- { "rename": { "field": "message2.cip_service", "target_field": "cip.service", "ignore_missing": true } },
- { "convert": { "field": "cip.service", "type": "string", "ignore_missing": true } },
- { "rename": { "field": "message2.cip_status", "target_field": "cip.status_code", "ignore_missing": true } },
- { "rename": { "field": "message2.class_id", "target_field": "cip.request.path.class.id", "ignore_missing": true } },
- { "rename": { "field": "message2.class_name", "target_field": "cip.request.path.class.name", "ignore_missing": true } },
- { "rename": { "field": "message2.instance_id", "target_field": "cip.request.path.instance.id", "ignore_missing": true } },
- { "rename": { "field": "message2.attribute_id", "target_field": "cip.request.path.attribute.id", "ignore_missing": true } },
- { "pipeline": { "name": "zeek.common" } }
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "cip.is.origin", "ignore_missing": true } },
+ { "rename": { "field": "message2.cip_sequence_count", "target_field": "cip.sequence_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.direction", "target_field": "cip.direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.cip_service_code", "target_field": "cip.service_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.cip_service", "target_field": "cip.service", "ignore_missing": true } },
+ { "convert": { "field": "cip.service", "type": "string", "ignore_missing": true } },
+ { "rename": { "field": "message2.cip_status", "target_field": "cip.status_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.class_id", "target_field": "cip.request.path.class.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.class_name", "target_field": "cip.request.path.class.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.instance_id", "target_field": "cip.request.path.instance.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.attribute_id", "target_field": "cip.request.path.attribute.id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.cip_identity b/salt/elasticsearch/files/ingest/zeek.cip_identity
index 092f63fa7..8a9cacb29 100644
--- a/salt/elasticsearch/files/ingest/zeek.cip_identity
+++ b/salt/elasticsearch/files/ingest/zeek.cip_identity
@@ -1,21 +1,21 @@
 {
 "description" : "zeek.cip_identity",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.encapsulation_version", "target_field": "cip.encapsulation.version", "ignore_missing": true } },
- { "rename": { "field": "message2.socket_address", "target_field": "cip.socket.address", "ignore_missing": true } },
- { "rename": { "field": "message2.socket_port", "target_field": "cip.socket.port", "ignore_missing": true } },
- { "rename": { "field": "message2.vendor_id", "target_field": "cip.vendor.id", "ignore_missing": true } },
- { "rename": { "field": "message2.vendor_name", "target_field": "cip.vendor.name", "ignore_missing": true } },
- { "rename": { "field": "message2.device_type_id", "target_field": "cip.device.type.id", "ignore_missing": true } },
- { "rename": { "field": "message2.device_type_name", "target_field": "cip.device.type.name", "ignore_missing": true } },
- { "rename": { "field": "message2.product_code", "target_field": "cip.device.product.code", "ignore_missing": true } },
- { "rename": { "field": "message2.revision", "target_field": "cip.device.revision", "ignore_missing": true } },
- { "rename": { "field": "message2.device_status", "target_field": "cip.device.status", "ignore_missing": true } },
- { "rename": { "field": "message2.serial_number", "target_field": "cip.device.serial.number", "ignore_missing": true } },
- { "rename": { "field": "message2.product_name", "target_field": "cip.device.product.name", "ignore_missing": true } },
- { "rename": { "field": "message2.device_state", "target_field": "cip.device.state", "ignore_missing": true } },
- { "pipeline": { "name": "zeek.common" } }
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.encapsulation_version", "target_field": "cip.encapsulation.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.socket_address", "target_field": "cip.socket.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.socket_port", "target_field": "cip.socket.port", "ignore_missing": true } },
+ { "rename": { "field": "message2.vendor_id", "target_field": "cip.vendor.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.vendor_name", "target_field": "cip.vendor.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.device_type_id", "target_field": "cip.device.type.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.device_type_name", "target_field": "cip.device.type.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_code", "target_field": "cip.device.product.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.revision", "target_field": "cip.device.revision", "ignore_missing": true } },
+ { "rename": { "field": "message2.device_status", "target_field": "cip.device.status", "ignore_missing": true } },
+ { "rename": { "field": "message2.serial_number", "target_field": "cip.device.serial.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_name", "target_field": "cip.device.product.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.device_state", "target_field": "cip.device.state", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
 ]
-}
\ No newline at end of file
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.cip_io b/salt/elasticsearch/files/ingest/zeek.cip_io
index 4a66d83bf..73aed8cae 100644
--- a/salt/elasticsearch/files/ingest/zeek.cip_io
+++ b/salt/elasticsearch/files/ingest/zeek.cip_io
@@ -1,13 +1,13 @@
 {
 "description" : "zeek.cip_io",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.is_orig", "target_field": "cip.is.origin", "ignore_missing": true } },
- { "rename": { "field": "message2.connection_id", "target_field": "cip.connection.id", "ignore_missing": true } },
- { "rename": { "field": "message2.sequence_number", "target_field": "cip.sequence.count", "ignore_missing": true } },
- { "rename": { "field": "message2.data_length", "target_field": "cip.data.length", "ignore_missing": true } },
- { "rename": { "field": "message2.io_data", "target_field": "cip.io.data", "ignore_missing": true } },
- { "pipeline": { "name": "zeek.common" } }
+ { "rename": { "field": "message2.is_orig", "target_field": "cip.is.origin", "ignore_missing": true } },
+ { "rename": { "field": "message2.connection_id", "target_field": "cip.connection.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.sequence_number", "target_field": "cip.sequence.count", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_length", "target_field": "cip.data.length", "ignore_missing": true } },
+ { "rename": { "field": "message2.io_data", "target_field": "cip.io.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
 ]
-}
\ No newline at end of file
+}