CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

update Suricata DHCP parser to set server.address

Browse Source
This commit is contained in:
Doug Burks
2023-01-30 15:57:47 -05:00
parent 48401f6a3f
commit 17bcf50ccb
1 changed files with 11 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
salt/elasticsearch/files/ingest/suricata.dhcp
View File

@@ -10,6 +10,8 @@
{ "rename": { "field": "message2.dhcp.hostname", "target_field": "host.hostname", "ignore_missing": true } }, { "rename": { "field": "message2.dhcp.hostname", "target_field": "host.hostname", "ignore_missing": true } },
{ "rename": { "field": "message2.dhcp.type", "target_field": "dhcp.type", "ignore_missing": true } }, { "rename": { "field": "message2.dhcp.type", "target_field": "dhcp.type", "ignore_missing": true } },
{ "rename": { "field": "message2.dhcp.id", "target_field": "dhcp.id", "ignore_missing": true } }, { "rename": { "field": "message2.dhcp.id", "target_field": "dhcp.id", "ignore_missing": true } },
{ "set": { "if": "ctx.dhcp?.type == 'request'", "field": "server.address", "value": "{{destination.ip}}" } },
{ "set": { "if": "ctx.dhcp?.type == 'reply'", "field": "server.address", "value": "{{source.ip}}" } },
{ "pipeline": { "name": "common" } } { "pipeline": { "name": "common" } }
] ]
} }