From b7aaaa80bb48a5c42248ea8ddc56c735cbba7f5d Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 12:51:13 -0700
Subject: [PATCH 01/24] Create Ingest for DNP3 Objects extension

---
 salt/elasticsearch/files/ingest/dnp3_objects | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 salt/elasticsearch/files/ingest/dnp3_objects

diff --git a/salt/elasticsearch/files/ingest/dnp3_objects b/salt/elasticsearch/files/ingest/dnp3_objects
new file mode 100644
index 000000000..c78ae9e1f
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/dnp3_objects
@@ -0,0 +1,13 @@
+{
+ "description" : "zeek.dnp3_objects",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.function_code", "target_field": "dnp3.function_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.object_type", "target_field": "dnp3.object_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.object_count", "target_field": "dnp3.object_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.range_low", "target_field": "dnp3.range_low", "ignore_missing": true } },
+ { "rename": { "field": "message2.range_high", "target_field": "dnp3.range_high", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
From 072bfd87b7b78f9696cec29480e755e7899e63ee Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 12:53:30 -0700
Subject: [PATCH 02/24] Create Ingest for Modbus Detailed

---
 salt/elasticsearch/files/ingest/modbus_detailed | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 salt/elasticsearch/files/ingest/modbus_detailed
diff --git a/salt/elasticsearch/files/ingest/modbus_detailed b/salt/elasticsearch/files/ingest/modbus_detailed
new file mode 100644
index 000000000..723027679
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/modbus_detailed
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.modbus_detailed",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.address", "target_field": "modbus.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.quality", "target_field": "modbus.quality", "ignore_missing": true } },
+ { "rename": { "field": "message2.values", "target_field": "modbus.values", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
From 4ee083759c2e5dd4fb779a76c920ba439aa9527a Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 12:56:35 -0700
Subject: [PATCH 03/24] Rename dnp3_objects to zeek.dnp3_objects

---
 .../files/ingest/{dnp3_objects => zeek.dnp3_objects} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename salt/elasticsearch/files/ingest/{dnp3_objects => zeek.dnp3_objects} (100%)

diff --git a/salt/elasticsearch/files/ingest/dnp3_objects b/salt/elasticsearch/files/ingest/zeek.dnp3_objects
similarity index 100%
rename from salt/elasticsearch/files/ingest/dnp3_objects
rename to salt/elasticsearch/files/ingest/zeek.dnp3_objects
From 39f050c6e401041455ba41533c8bff7436bd677f Mon Sep 17 00:00:00 2001
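Review bot: The `quality` rename looks like it will never match anything: as far as I recall the icsnpp-modbus modbus_detailed log carries a `quantity` field (the number of coils or registers addressed), not `quality`, and with `ignore_missing: true` a wrong source name is a silent no-op, so the count would never reach a `modbus.*` field. Confirm against the package's log schema and, if so, change the line to `{ "rename": { "field": "message2.quantity", "target_field": "modbus.quantity", "ignore_missing": true } },`. Address plus quantity is what tells an analyst how much of a device a write request touched, so this is a field worth getting right before the pipeline ships.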
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 12:56:59 -0700
Subject: [PATCH 04/24] Rename modbus_detailed to zeek.modbus_detailed

---
 .../files/ingest/{modbus_detailed => zeek.modbus_detailed} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename salt/elasticsearch/files/ingest/{modbus_detailed => zeek.modbus_detailed} (100%)

diff --git a/salt/elasticsearch/files/ingest/modbus_detailed b/salt/elasticsearch/files/ingest/zeek.modbus_detailed
similarity index 100%
rename from salt/elasticsearch/files/ingest/modbus_detailed
rename to salt/elasticsearch/files/ingest/zeek.modbus_detailed
From e5c69c32360140ecb46be3f886c0566b5ef880db Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 12:58:36 -0700
Subject: [PATCH 05/24] Create zeek.modbus_mask_write_register

---
 .../files/ingest/zeek.modbus_mask_write_register | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register

diff --git a/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register b/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register
new file mode 100644
index 000000000..b03ff569a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.modbus_mask_write_register",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.address", "target_field": "modbus.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.and_mask", "target_field": "modbus.and.mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.or_mask", "target_field": "modbus.or.maks", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
From 9ac06057c103ce879475cf0c4dc1145d580654d6 Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 13:00:12 -0700
Subject: [PATCH 06/24] Create zeek.read_write_multiple_registers

---
 .../ingest/zeek.read_write_multiple_registers | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 salt/elasticsearch/files/ingest/zeek.read_write_multiple_registers

diff --git a/salt/elasticsearch/files/ingest/zeek.read_write_multiple_registers b/salt/elasticsearch/files/ingest/zeek.read_write_multiple_registers
new file mode 100644
index 000000000..e60c593fe
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.read_write_multiple_registers
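Review bot: The `or_mask` rename writes to `modbus.or.maks`, a misspelling of the `modbus.and.mask` sibling one line above, so the OR mask of a Mask Write Register request lands in a field that no dashboard or detection rule keyed on the documented name will find. Change it to `{ "rename": { "field": "message2.or_mask", "target_field": "modbus.or.mask", "ignore_missing": true } },`. The AND and OR masks together define which bits a write changes on the device, so keeping them under matching names is what makes a write-to-PLC alert readable.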
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.read_write_multiple_registers",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.write_start_address", "target_field": "modbus.write.start.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.write_registers", "target_field": "modbus.write.registers", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_start_address", "target_field": "modbus.write.start.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.read.quality", "target_field": "modbus.read.quality", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_registers", "target_field": "modbus.read.registers", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
From 7a60d0987c323bd9dc6c8037c43bcc603f658b0f Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 13:02:01 -0700
Subject: [PATCH 07/24] Update zeek.conn to include client.oui

---
 salt/elasticsearch/files/ingest/zeek.conn | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/elasticsearch/files/ingest/zeek.conn b/salt/elasticsearch/files/ingest/zeek.conn
index 5e3ae9c79..4cca15896 100644
--- a/salt/elasticsearch/files/ingest/zeek.conn
+++ b/salt/elasticsearch/files/ingest/zeek.conn
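Review bot: Two renames in this pipeline target the same field: `message2.write_start_address` and `message2.read_start_address` both go to `modbus.write.start.address`. The Elasticsearch rename processor throws when its target already exists and these renames do not set `ignore_failure`, so a Read/Write Multiple Registers record that carries both addresses — the normal case for this function code — fails the pipeline and, with no `on_failure` handler here, is rejected rather than indexed, silently removing exactly the register-write events an OT analyst wants to see. The read side should be `"target_field": "modbus.read.start.address"`. The `message2.read.quality` source also looks wrong next to the underscore naming of every other source field (and I believe the icsnpp-modbus field is `read_quantity`, a register count); with `ignore_missing` that is a silent no-op today, so confirm it against the log schema.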
@@ -17,6 +17,7 @@
 { "rename": { "field": "message2.orig_ip_bytes", "target_field": "client.ip_bytes", "ignore_missing": true } },
 { "rename": { "field": "message2.resp_pkts", "target_field": "server.packets", "ignore_missing": true } },
 { "rename": { "field": "message2.resp_ip_bytes", "target_field": "server.ip_bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.orig_mac_oui", "target_field": "client.oui", "ignore_missing": true } },
 { "rename": { "field": "message2.tunnel_parents", "target_field": "log.id.tunnel_parents", "ignore_missing": true } },
 { "rename": { "field": "message2.orig_cc", "target_field": "client.country_code","ignore_missing": true } },
 { "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } },
From 4a60310dc8a4a0b7c7060bcf0236662aa65f6f2e Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 14:04:40 -0700
Subject: [PATCH 08/24] Add Modbus, DNP3, BZAR, and oui-logging

This is an initial proof of concept. Need to migrate these entries behind a flag.
---
 pillar/zeek/init.sls | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pillar/zeek/init.sls b/pillar/zeek/init.sls
index 5eeb273b9..76638522b 100644
--- a/pillar/zeek/init.sls
+++ b/pillar/zeek/init.sls
@@ -48,6 +48,11 @@ zeek:
 - securityonion/bpfconf
 - securityonion/communityid
 - securityonion/file-extraction
+ - oui-logging
+ - bzar
+ - icsnpp-dnp3
+ - icsnpp-modbus
+
 '@load-sigs':
 - frameworks/signatures/detect-windows-shells
 redef:
From cd4e0c1f8e94570f663e568b665a776821d9cc15 Mon Sep 17 00:00:00 2001
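Review bot: The four packages are appended to the unconditional `@load` list, so every sensor will run the bzar, oui-logging, icsnpp-dnp3 and icsnpp-modbus analyzers whether or not the deployment sees OT traffic; the commit message already says these need to move behind a flag, and until they do the added parser code is reachable from every monitored packet on every node, and bzar's notices will fire in environments that never asked for them. Nothing in this hunk installs the packages into the Zeek image, and as far as I can tell Zeek refuses to start rather than skip a `@load` target it cannot resolve, so the pillar entries and the package install need to land together, ideally both gated on the same pillar value. The enclosing `zeek:` mapping starts before this hunk.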
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 14:19:21 -0700
Subject: [PATCH 09/24] Add DNP3 and Modbus extensions to zeeklogs.sls

Add DNP3 and Modbus extenstions to zeeklogs to ensure filebeat.yml is configured properly to ship lots. Need to move these behind the OT flag.
---
 setup/so-functions | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/setup/so-functions b/setup/so-functions
index c92b643cc..b0102a6ad 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -3013,6 +3013,10 @@ zeek_logs_enabled() {
 " - weird"\
 " - mysql"\
 " - socks"\
- " - x509" >> "$zeeklogs_pillar"
+ " - x509" \
+ " - dnp3_objects" \
+ " - modbus_detailed" \
+ " - modbus_mask_write_single_register" \
+ " - modbus_read_write_multiple_registers" >> "$zeeklogs_pillar"
 fi
 }
From 01d177366de4bb489247e58520b3820e02c1bd5d Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Mon, 24 Oct 2022 12:00:43 -0700
Subject: [PATCH 10/24] Fix Zeek Pillar

---
 pillar/zeek/init.sls | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pillar/zeek/init.sls b/pillar/zeek/init.sls
index 76638522b..980aa27fb 100644
--- a/pillar/zeek/init.sls
+++ b/pillar/zeek/init.sls
@@ -52,7 +52,6 @@ zeek:
 - bzar
 - icsnpp-dnp3
 - icsnpp-modbus
- -
 '@load-sigs':
 - frameworks/signatures/detect-windows-shells
 redef:
From 9cdc29c48208fae0635215ac407cd13b18ba7181 Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Mon, 24 Oct 2022 14:30:15 -0700
Subject: [PATCH 11/24] Fix Syntax for zeeklogs pillar

---
 setup/so-functions | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index b0102a6ad..44d37e39b 100755
--- a/setup/so-functions
+++ b/setup/so-functions
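Review bot: The new `" - modbus_mask_write_single_register"` entry does not match the ingest pipeline this series creates for that log, `zeek.modbus_mask_write_register` (PATCH 05), so one side of the path is wrong: either Filebeat is told to ship a file Zeek never writes, or the events ship under a name with no matching pipeline and are rejected or indexed unparsed depending on how the pipeline is selected — either way a silent coverage gap for exactly the register-masking writes an OT analyst wants. The Filebeat entry, the Zeek log filename and the pipeline name must all agree; I believe icsnpp-modbus writes `modbus_mask_write_register.log`, which would make this line `" - modbus_mask_write_register" \`. `zeek_logs_enabled()` starts before this hunk.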
@@ -3014,9 +3014,9 @@ zeek_logs_enabled() {
 " - mysql"\
 " - socks"\
 " - x509" \
- " - dnp3_objects" \
- " - modbus_detailed" \
- " - modbus_mask_write_single_register" \
+ " - dnp3_objects"\
+ " - modbus_detailed"\
+ " - modbus_mask_write_single_register"\
 " - modbus_read_write_multiple_registers" >> "$zeeklogs_pillar"
 fi
 }
From beb67847f985bb6b2c248e972bed001c63433c0d Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Mon, 24 Oct 2022 23:14:32 -0700
Subject: [PATCH 12/24] Remove modbus,bzar,dnp3,oui-logging

---
 pillar/zeek/init.sls | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/pillar/zeek/init.sls b/pillar/zeek/init.sls
index 980aa27fb..5eeb273b9 100644
--- a/pillar/zeek/init.sls
+++ b/pillar/zeek/init.sls
@@ -48,10 +48,6 @@ zeek:
 - securityonion/bpfconf
 - securityonion/communityid
 - securityonion/file-extraction
- - oui-logging
- - bzar
- - icsnpp-dnp3
- - icsnpp-modbus
 '@load-sigs':
 - frameworks/signatures/detect-windows-shells
 redef:
From 4502e2c260c20aed31b01985d376cb1b8cacd7e3 Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Mon, 24 Oct 2022 23:16:18 -0700
Subject: [PATCH 13/24] Remove logs for OT parsers

---
 setup/so-functions | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index 44d37e39b..c92b643cc 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -3013,10 +3013,6 @@ zeek_logs_enabled() {
 " - weird"\
 " - mysql"\
 " - socks"\
- " - x509" \
- " - dnp3_objects"\
- " - modbus_detailed"\
- " - modbus_mask_write_single_register"\
- " - modbus_read_write_multiple_registers" >> "$zeeklogs_pillar"
+ " - x509" >> "$zeeklogs_pillar"
 fi
 }
From 2d343110cc20a30a80459642a0617aba3bc804fe Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Tue, 25 Oct 2022 07:09:11 -0700
Subject: [PATCH 14/24] Add DNP3 and Modbus extensions to zeeklogs.sls

---
 setup/so-functions | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/setup/so-functions b/setup/so-functions
index c92b643cc..7497a374b 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -3013,6 +3013,10 @@ zeek_logs_enabled() {
 " - weird"\
 " - mysql"\
 " - socks"\
- " - x509" >> "$zeeklogs_pillar"
+ " - x509"\
+ " - dnp3_objects"\
+ " - modbus_detailed"\
+ " - modbus_mask_write_single_register"\
+ " - modbus_read_write_multiple_registers" >> "$zeeklogs_pillar"
 fi
 }
From 61d36d584f98a18a9f0bce2bd7af3be49fb59575 Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Tue, 25 Oct 2022 07:10:52 -0700
Subject: [PATCH 15/24] Add Modbus, DNP3, BZAR, and oui-logging

---
 pillar/zeek/init.sls | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pillar/zeek/init.sls b/pillar/zeek/init.sls
index 5eeb273b9..53e681dba 100644
--- a/pillar/zeek/init.sls
+++ b/pillar/zeek/init.sls
@@ -48,6 +48,10 @@ zeek:
 - securityonion/bpfconf
 - securityonion/communityid
 - securityonion/file-extraction
+ - bzar
+ - oui-logging
+ - icsnpp-modbus
+ - icsnpp-dnp3
 '@load-sigs':
 - frameworks/signatures/detect-windows-shells
 redef:
From 2b51d725852b4b9d7859ddb9ac27937193af4f1d Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Tue, 25 Oct 2022 17:20:01 -0700
Subject: [PATCH 16/24] Rename zeek.read_write_multiple_registers to zeek.modbus_read_write_multiple_registers

---
 ...ltiple_registers => zeek.modbus_read_write_multiple_registers} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename salt/elasticsearch/files/ingest/{zeek.read_write_multiple_registers => zeek.modbus_read_write_multiple_registers} (100%)
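Review bot: The list re-added here is the same one PATCH 13 removed, so the `modbus_mask_write_single_register` entry still does not agree with the `zeek.modbus_mask_write_register` pipeline shipped in PATCH 05, and this hunk, not PATCH 09, is the one that survives in the tree. The Filebeat log name, the Zeek log filename and the ingest pipeline name all have to match for these records to be parsed; I believe the icsnpp-modbus log is `modbus_mask_write_register.log`, which would make the line `" - modbus_mask_write_register"\`. The PATCH 15 hunk below re-adds the four packages to the unconditional `@load` list, so the gating concern from PATCH 08 still stands. `zeek_logs_enabled()` starts before this hunk.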
diff --git a/salt/elasticsearch/files/ingest/zeek.read_write_multiple_registers b/salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers
similarity index 100%
rename from salt/elasticsearch/files/ingest/zeek.read_write_multiple_registers
rename to salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers
From 1ea6feca37d59795d4a3f3bea23d9b72979fcddb Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Thu, 27 Oct 2022 15:31:38 -0700
Subject: [PATCH 17/24] Add icsnpp-bacnet

---
 pillar/zeek/init.sls | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pillar/zeek/init.sls b/pillar/zeek/init.sls
index 53e681dba..ee0656dd8 100644
--- a/pillar/zeek/init.sls
+++ b/pillar/zeek/init.sls
@@ -52,6 +52,7 @@ zeek:
 - oui-logging
 - icsnpp-modbus
 - icsnpp-dnp3
+ - icsnpp-bacnet
 '@load-sigs':
 - frameworks/signatures/detect-windows-shells
 redef:
From 326ba710ce4f63f6d7d5855c66c19819595061c3 Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Thu, 27 Oct 2022 15:38:32 -0700
Subject: [PATCH 18/24] Add logs for bacnet bacnet bacnet_discovery bacnet_property

---
 setup/so-functions | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/setup/so-functions b/setup/so-functions
index 7497a374b..8858856be 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -3017,6 +3017,9 @@ zeek_logs_enabled() {
 " - dnp3_objects"\
 " - modbus_detailed"\
 " - modbus_mask_write_single_register"\
- " - modbus_read_write_multiple_registers" >> "$zeeklogs_pillar"
+ " - modbus_read_write_multiple_registers"\
+ " - bacnet"\
+ " - bacnet_discovery"\
+ " - bacnet_property" >> "$zeeklogs_pillar"
 fi
 }
From 71e3b2d1fb8f19ac92143c34dbec6207ded9cdd5 Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Thu, 27 Oct 2022 15:40:07 -0700
Subject: [PATCH 19/24] Create zeek.bacnet

---
 salt/elasticsearch/files/ingest/zeek.bacnet | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 salt/elasticsearch/files/ingest/zeek.bacnet

diff --git a/salt/elasticsearch/files/ingest/zeek.bacnet b/salt/elasticsearch/files/ingest/zeek.bacnet
new file mode 100644
index 000000000..d4484aa4a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.bacnet",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
+ { "rename": { "field": "message2.bvlc_function", "target_field": "bacnet.bclv.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_type", "target_field": "bacnet.pdu.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
+ { "rename": { "field": "message2.invoke_id", "target_field": "bacnet.invoke.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.result_code", "target_field": "bacnet.result.code", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
From b97c8228001fde18203a6aa42eecb4ecaa7724bf Mon Sep 17 00:00:00 2001
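Review bot: The `bvlc_function` rename targets `bacnet.bclv.function`, transposing the BVLC acronym, so the BACnet/IP Virtual Link Control function ends up under a name that nobody querying for BVLC will find, while the source field spells it correctly. Change it to `{ "rename": { "field": "message2.bvlc_function", "target_field": "bacnet.bvlc.function", "ignore_missing": true } },`. BVLC functions such as Register-Foreign-Device and Forwarded-NPDU are the first thing to pivot on when looking for BACnet traffic crossing a subnet boundary, so the field name should be the one analysts expect.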
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Thu, 27 Oct 2022 15:40:52 -0700
Subject: [PATCH 20/24] Add zeek.bacnet_discovery and zeek.bacnet_property

---
 .../files/ingest/zeek.bacnet_discovery | 13 +++++++++++++
 .../elasticsearch/files/ingest/zeek.bacnet_property | 11 +++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 salt/elasticsearch/files/ingest/zeek.bacnet_discovery
 create mode 100644 salt/elasticsearch/files/ingest/zeek.bacnet_property

diff --git a/salt/elasticsearch/files/ingest/zeek.bacnet_discovery b/salt/elasticsearch/files/ingest/zeek.bacnet_discovery
new file mode 100644
index 000000000..e7be92931
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet_discovery
@@ -0,0 +1,13 @@
+{
+ "description" : "zeek.bacnet_discovery",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.object_type", "target_field": "bacnet.object,type", "ignore_missing": true } },
+ { "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.vendor", "target_field": "bacnet.vendor", "ignore_missing": true } },
+ { "rename": { "field": "message2.range", "target_field": "bacnet.range", "ignore_missing": true } },
+ { "rename": { "field": "message2.object_name", "target_field": "bacnet.object.name", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.bacnet_property b/salt/elasticsearch/files/ingest/zeek.bacnet_property
new file mode 100644
index 000000000..09ea3dae2
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet_property
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.bacnet_property",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.property", "target_field": "bacnet.property", "ignore_missing": true } },
+ { "rename": { "field": "message2.array_index", "target_field": "bacnet.array.index", "ignore_missing": true } },
+ { "rename": { "field": "message2.value", "target_field": "bacnet.value", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
From 4b39ccec6d6f05590a5fda2817ab868de8f54fc4 Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Thu, 3 Nov 2022 15:30:20 -0700
Subject: [PATCH 21/24] Update zeek.bacnet_property

---
 .../elasticsearch/files/ingest/zeek.bacnet_property | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/salt/elasticsearch/files/ingest/zeek.bacnet_property b/salt/elasticsearch/files/ingest/zeek.bacnet_property
index 09ea3dae2..9a39ae5a0 100644
--- a/salt/elasticsearch/files/ingest/zeek.bacnet_property
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet_property
@@ -2,10 +2,15 @@
 "description" : "zeek.bacnet_property",
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.property", "target_field": "bacnet.property", "ignore_missing": true } },
- { "rename": { "field": "message2.array_index", "target_field": "bacnet.array.index", "ignore_missing": true } },
- { "rename": { "field": "message2.value", "target_field": "bacnet.value", "ignore_missing": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
+ { "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
+ { "rename": { "field": "message2.object_type", "target_field": "bacnet.object.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.property", "target_field": "bacnet.property", "ignore_missing": true } },
+ { "rename": { "field": "message2.array_index", "target_field": "bacnet.array.index", "ignore_missing": true } },
+ { "rename": { "field": "message2.value", "target_field": "bacnet.value", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
From 5ebf470a86a1645e07c7cdd1eba3db4ceae562dd Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Thu, 3 Nov 2022 22:27:04 -0700
Subject: [PATCH 22/24] Update zeek.bacnet_discovery

---
 .../files/ingest/zeek.bacnet_discovery | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
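Review bot: The `json` processor on `message` now appears twice in a row; the second run re-parses the same string into `message2` and adds nothing, costing a parse per event and reading like a paste error. Drop one of the two lines. Worth noting while here: with `ignore_failure: true` on the json step, a malformed `message` leaves `message2` absent and every rename below then no-ops via `ignore_missing`, so a parse failure in a BACnet property log is invisible; that matches the existing pipeline convention, but for OT logs a tagged `on_failure` that marks the event would make such gaps detectable.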
diff --git a/salt/elasticsearch/files/ingest/zeek.bacnet_discovery b/salt/elasticsearch/files/ingest/zeek.bacnet_discovery
index e7be92931..a2b155bf1 100644
--- a/salt/elasticsearch/files/ingest/zeek.bacnet_discovery
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet_discovery
@@ -3,11 +3,14 @@
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.object_type", "target_field": "bacnet.object,type", "ignore_missing": true } },
- { "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
- { "rename": { "field": "message2.vendor", "target_field": "bacnet.vendor", "ignore_missing": true } },
- { "rename": { "field": "message2.range", "target_field": "bacnet.range", "ignore_missing": true } },
- { "rename": { "field": "message2.object_name", "target_field": "bacnet.object.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
+ { "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
+ { "rename": { "field": "message2.object_type", "target_field": "bacnet.object.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.vendor", "target_field": "bacnet.vendor", "ignore_missing": true } },
+ { "rename": { "field": "message2.range", "target_field": "bacnet.range", "ignore_missing": true } },
+ { "rename": { "field": "message2.object_name", "target_field": "bacnet.object.name", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
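Review bot: `message2.instance_number` is renamed to `bacnet.instance.number` twice in the new list (second and fifth added lines); after the first rename the source field is gone, so the second survives only because `ignore_missing` turns it into a dead no-op. Remove the duplicate so the processor list reads as the field map it is meant to be, and so a future edit to one copy cannot silently diverge from the other.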
From 85d30520ceb7ee5954b516c68472d2bffacef034 Mon Sep 17 00:00:00 2001
From: lock-wire
Date: Fri, 4 Nov 2022 20:28:20 -0700
Subject: [PATCH 23/24] Add BSAP protocol

---
 .../files/ingest/zeek.bsap_ip_header | 10 ++++++++++
 .../files/ingest/zeek.bsap_ip_rdb | 20 +++++++++++++++++++
 .../files/ingest/zeek.bsap_ip_unknown | 9 +++++++++
 .../files/ingest/zeek.bsap_serial_header | 17 ++++++++++++++++
 .../files/ingest/zeek.bsap_serial_rdb | 11 ++++++++++
 .../files/ingest/zeek.bsap_serial_rdb_ext | 13 ++++++++++++
 .../files/ingest/zeek.bsap_serial_unknown | 9 +++++++++
 7 files changed, 89 insertions(+)
 create mode 100644 salt/elasticsearch/files/ingest/zeek.bsap_ip_header
 create mode 100644 salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb
 create mode 100644 salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown
 create mode 100644 salt/elasticsearch/files/ingest/zeek.bsap_serial_header
 create mode 100644 salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb
 create mode 100644 salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext
 create mode 100644 salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown

diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_ip_header b/salt/elasticsearch/files/ingest/zeek.bsap_ip_header
new file mode 100644
index 000000000..59f7bca04
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_header
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.bsap_ip_header",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.num_msg", "target_field": "bsap.number.messages", "ignore_missing": true } },
+ { "rename": { "field": "message2.type_name", "target_field": "bsap.message.type", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb b/salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb
new file mode 100644
index 000000000..6490e0aa9
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb
@@ -0,0 +1,20 @@
+{
+ "description" : "zeek.bsap_ip_rdb",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.header_size", "target_field": "bsap.header.legnth", "ignore_missing": true } },
+ { "rename": { "field": "message2.mes_seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
+ { "rename": { "field": "message2.res_seq", "target_field": "bsap.response.sequence", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_len", "target_field": "bsap.data.lenght", "ignore_missing": true } },
+ { "rename": { "field": "message2.sequence", "target_field": "bsap.function.sequence", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_func_code", "target_field": "bsap.application.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.node_status", "target_field": "bsap.node.status", "ignore_missing": true } },
+ { "rename": { "field": "message2.func_code", "target_field": "bsap.application.sub.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.variable_count", "target_field": "bsap.variable.count", "ignore_missing": true } },
+ { "rename": { "field": "message2.variables", "target_field": "bsap.vector.variables", "ignore_missing": true } },
+ { "rename": { "field": "message2.variable_value", "target_field": "bsap.vector.variable.value", "ignore_missing": true } },
+ { "rename": { "field": "message2.value", "target_field": "bacnet.value", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
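Review bot: Three target names in this pipeline are wrong: `bsap.header.legnth` and `bsap.data.lenght` misspell `length`, and the last rename sends `message2.value` to `bacnet.value`, a field that belongs to the BACnet pipelines in this same series and was evidently carried over by copy-paste, so BSAP values would be mixed into the BACnet namespace and any BACnet-keyed query, mapping or dashboard would pick them up. Use `bsap.header.length`, `bsap.data.length` and a `bsap.*` leaf for the value. Since `variable_value` is already placed under `bsap.vector.variable.value` here but under `bsap.vector.value` in the serial rdb pipeline from this commit, pick one layout for the value fields so IP and serial BSAP records can be queried together.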
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown b/salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown
new file mode 100644
index 000000000..2e94f55b5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown
@@ -0,0 +1,9 @@
+{
+ "description" : "zeek.bsap_ip_unknown",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.data", "target_field": "bsap.ip.unknown.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_header b/salt/elasticsearch/files/ingest/zeek.bsap_serial_header
new file mode 100644
index 000000000..1c81dbf2a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_header
@@ -0,0 +1,17 @@
+{
+ "description" : "zeek.bsap_serial_header",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.ser", "target_field": "bsap.message.serial.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.dadd", "target_field": "bsap.destination.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.sadd", "target_field": "bsap.scource.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.ctl", "target_field": "bsap.control.byte", "ignore_missing": true } },
+ { "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
+ { "rename": { "field": "message2.sfun", "target_field": "bsap.source.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.nsb", "target_field": "bsap.node.status.byte", "ignore_missing": true } },
+ { "rename": { "field": "message2.type_name", "target_field": "bsap.message.type", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb
new file mode 100644
index 000000000..71e0ad9e1
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb
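Review bot: The `sadd` rename targets `bsap.scource.address`, misspelling source while its partner is the correctly spelled `bsap.destination.address`; change it to `"target_field": "bsap.source.address"`, since the source/destination address pair is the first thing an analyst pivots on for BSAP traffic between RTUs. A second, less visible problem is that `nsb` goes to `bsap.node.status.byte` here while the zeek.bsap_ip_rdb pipeline in this commit writes `node_status` to `bsap.node.status` as a scalar; if both logs land in the same index, as the shared `zeek.common` tail suggests, `node.status` cannot be mapped as both a leaf and an object, and whichever document type arrives second will be rejected at index time. Give the two a non-overlapping layout, e.g. `bsap.node.status` in both pipelines.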
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.bsap_serial_rdb",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.func_code", "target_field": "bsap.rdb.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.variables", "target_field": "bsap.vector.variables", "ignore_missing": true } },
+ { "rename": { "field": "message2.variable_value", "target_field": "bsap.vector.value", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext
new file mode 100644
index 000000000..9809d68a0
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext
@@ -0,0 +1,13 @@
+{
+ "description" : "zeek.bsap_serial_rdb_ext",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
+ { "rename": { "field": "message2.nsb", "target_field": "bsap.node.status.byte", "ignore_missing": true } },
+ { "rename": { "field": "message2.extfun", "target_field": "bsap.extenstion.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.data", "target_field": "bsap.extenstion.function.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown b/salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown
new file mode 100644
index 000000000..2b9331c93
--- /dev/null
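Review bot: In zeek.bsap_serial_rdb_ext, `message2.extfun` is renamed to `bsap.extenstion.function` and then `message2.data` to `bsap.extenstion.function.data`; after the first rename `function` holds a scalar, so the second rename has to create a child key under a non-object and should fail, and since that processor has neither `ignore_failure` nor an `on_failure` handler the whole event fails the pipeline whenever both fields are present in the record. Use a sibling leaf for the data, and fix the `extenstion` spelling in both targets at the same time: `"target_field": "bsap.extension.function"` and `"target_field": "bsap.extension.data"`. A parse-level failure like this silently removes exactly the records that carry extension-function payloads, which is the traffic an analyst is most likely to want.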
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown @@ -0,0 +1,9 @@ +{ + "description" : "zeek.bsap_serial_unknown", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.data", "target_field": "bsap.serial.unknown.data", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} From 73b1e5949b896435b1bacd70c1f594dd7ed1985e Mon Sep 17 00:00:00 2001 
From: lock-wire Date: Fri, 11 Nov 2022 12:15:54 -0800 Subject: [PATCH 24/24] Add ecat, enip, cip, and opcua --- pillar/zeek/init.sls | 3 ++ salt/common/tools/sbin/so-zeek-logs | 53 ++++++++++++++++++- salt/elasticsearch/files/ingest/zeek.cip | 19 +++++++ .../files/ingest/zeek.cip_identity | 21 ++++++++ salt/elasticsearch/files/ingest/zeek.cip_io | 13 +++++ .../files/ingest/zeek.ecat_aoe_info | 17 ++++++ .../files/ingest/zeek.ecat_arp_info | 15 ++++++ .../files/ingest/zeek.ecat_coe_info | 14 +++++ .../files/ingest/zeek.ecat_dev_info | 18 +++++++ .../files/ingest/zeek.ecat_foe_info | 14 +++++ .../files/ingest/zeek.ecat_log_address | 14 +++++ .../files/ingest/zeek.ecat_registers | 15 ++++++ .../files/ingest/zeek.ecat_soe_info | 14 +++++ salt/elasticsearch/files/ingest/zeek.enip | 16 ++++++ salt/elasticsearch/files/ingest/zeek.opcua | 30 +++++++++++ .../files/ingest/zeek.opcua_activate_session | 18 +++++++ .../files/ingest/zeek.opcua_browse | 16 ++++++ .../ingest/zeek.opcua_browse_description | 16 ++++++ .../zeek.opcua_browse_response_references | 22 ++++++++ .../files/ingest/zeek.opcua_browse_result | 11 ++++ .../files/ingest/zeek.opcua_create_session | 19 +++++++ .../zeek.opcua_create_session_endpoints | 21 ++++++++ .../zeek.opcua_create_session_user_token | 11 ++++ .../ingest/zeek.opcua_create_subscription | 15 ++++++ .../files/ingest/zeek.opcua_get_endpoints | 10 ++++ .../zeek.opcua_get_endpoints_description | 20 +++++++ .../zeek.opcua_get_endpoints_user_token | 11 ++++ .../ingest/zeek.opcua_opensecure_channel | 15 ++++++ .../ingest/zeek.opcua_status_code_detail | 21 ++++++++ setup/so-functions | 39 +++++++++++++- setup/so-whiptail | 53 ++++++++++++++++++- 31 files changed, 591 insertions(+), 3 deletions(-) create mode 100644 salt/elasticsearch/files/ingest/zeek.cip create mode 100644 salt/elasticsearch/files/ingest/zeek.cip_identity create mode 100644 salt/elasticsearch/files/ingest/zeek.cip_io create mode 100644 salt/elasticsearch/files/ingest/zeek.ecat_aoe_info 
create mode 100644 salt/elasticsearch/files/ingest/zeek.ecat_arp_info create mode 100644 salt/elasticsearch/files/ingest/zeek.ecat_coe_info create mode 100644 salt/elasticsearch/files/ingest/zeek.ecat_dev_info create mode 100644 salt/elasticsearch/files/ingest/zeek.ecat_foe_info create mode 100644 salt/elasticsearch/files/ingest/zeek.ecat_log_address create mode 100644 salt/elasticsearch/files/ingest/zeek.ecat_registers create mode 100644 salt/elasticsearch/files/ingest/zeek.ecat_soe_info create mode 100644 salt/elasticsearch/files/ingest/zeek.enip create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_activate_session create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_browse create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_browse_description create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_browse_response_references create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_browse_result create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_create_session create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_create_session_endpoints create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_create_session_user_token create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_create_subscription create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_user_token create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_opensecure_channel create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_status_code_detail diff --git a/pillar/zeek/init.sls b/pillar/zeek/init.sls index ee0656dd8..21b7e61ae 100644 --- a/pillar/zeek/init.sls +++ b/pillar/zeek/init.sls 
@@ -53,6 +53,9 @@ zeek:
 - icsnpp-modbus
 - icsnpp-dnp3
 - icsnpp-bacnet
+ - icsnpp-ethercat
+ - icsnpp-enip
+ - icsnpp-ocpua-binary
 '@load-sigs':
 - frameworks/signatures/detect-windows-shells
 redef:
diff --git a/salt/common/tools/sbin/so-zeek-logs b/salt/common/tools/sbin/so-zeek-logs
index f6df7f8aa..4f56ee7e5 100755
--- a/salt/common/tools/sbin/so-zeek-logs
+++ b/salt/common/tools/sbin/so-zeek-logs
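Review bot: The new load entry `icsnpp-ocpua-binary` appears to be misspelled; everything else in this commit that refers to the analyzer (the `opcua_binary*` log names added to so-zeek-logs and the `zeek.opcua*` pipelines) spells it `opcua`, so the line should read `- icsnpp-ocpua-binary` → `- icsnpp-opcua-binary`. As written, Zeek would fail to load the package and no OPC UA logs would be produced, leaving the new pipelines and menu entries dead even though the deployment looks complete; the sibling entries `icsnpp-ethercat` and `icsnpp-enip` look correct.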
@@ -42,7 +42,58 @@ whiptail_manager_adv_service_zeeklogs() { "weird" "Zeek Weird Logs" ON \ "mysql" "MySQL Logs" ON \ "socks" "SOCKS Logs" ON \ - "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 ) + "x509" "x.509 Logs" ON \ + "modbus_detailed" "MODBUS Details" ON \ + "modbus_mask_write_register" "MODBUS Write Register" ON \ + "modbus_read_write_multiple_registers" "MODBUS Multi Registers" ON \ + "dnp3_objects" "DNP3 Objections" ON \ + "bacnet" "BACnet" ON \ + "bacnet_discovery" "BACnet Discovery" ON \ + "bacnet_property" "BACnet Property" ON \ + "bsap_ip_header" "BSAP IP Header" ON \ + "bsap_ip_rdb" "BSAP IP RDB" ON \ + "bsap_ip_unknown" "BSAP IP Unknown" ON \ + "bsap_serial_header" "BSAP Serial Header" ON \ + "bsap_serial_rdb" "BSAP Serial RDB" ON \ + "bsap_serial_rdb_ext" "BSAP Serial RDB Extenstion" ON \ + "bsap_serial_unknown" "BSAP Serial Unknown" ON \ + "ecat_registers" "Ethercat Registers" ON \ + "ecat_log_address" "Ethercat Address Read Write" ON \ + "ecat_dev_info" "Ethercat Device Info" ON \ + "ecat_aoe_info" "Ethercat AoE Info" ON \ + "ecat_coe_info" "Ethercat CoE Info" ON \ + "ecat_foe_info" "Ethercat FoE Info" ON \ + "ecat_soe_info" "Ethercat SoE Info" ON \ + "ecat_arp_info" "Ethercat ARP Info" ON \ + "enip" "ENIP Header" ON \ + "cip" "CIP Header" ON \ + "cip_io" "CIP I/O" ON \ + "cip_identity" "CIP Identity" ON \ + "opcua_binary.log" "OPC UA Binary Encoding" ON \ + "opcua_binary_status_code_detail" "OPC UA Detail" ON \ + "opcua_binary_diag_info_detail" "OPC UA Diag" ON \ + "opcua_binary_get_endpoints" "OPC UA Endpoints" ON \ + "opcua_binary_get_endpoints_discovery" "OPC UA Endpoints" ON \ + "opcua_binary_get_endpoints_user_token" "OPC UA Endpoints" ON \ + "opcua_binary_get_endpoints_description" "OPC UA Endpoints" ON \ + "opcua_binary_get_endpoints_locale_id" "OPC UA Endpoints" ON \ + "opcua_binary_get_endpoints_profile_uri" "OPC UA Endpoints" ON \ + "opcua_binary_create_session" "OPC UA Session" ON \ + "opcua_binary_create_session_user_token" "OPC UA Session" 
ON \ + "opcua_binary_create_session_endpoints" "OPC UA Session" ON \ + "opcua_binary_create_session_discovery" "OPC UA Session" ON \ + "opcua_binary_activate_session" "OPC UA Session" ON \ + "opcua_binary_activate_session_client_software_cert" "OPC UA Session" ON \ + "opcua_binary_activate_session_locale_id" "OPC UA Session" ON \ + "opcua_binary_activate_session_diagnostic_info" "OPC UA Session" ON \ + "opcua_binary_browse" "OPC UA Browse" ON \ + "opcua_binary_browse_description" "OPC UA Browse" ON \ + "opcua_binary_browse_request_continuation_point" "OPC UA Browse" ON \ + "opcua_binary_browse_result" "OPC UA Browse" ON \ + "opcua_binary_browse_response_references" "OPC UA Browse" ON \ + "opcua_binary_browse_diagnostic_info" "OPC UA Browse" ON \ + "opcua_binary_create_subscription" "OPC UA UA Browse" ON \ + "opcua_binary_read" "OPC UA Read" ON 3>&1 1>&2 2>&3 ) local exitstatus=$? diff --git a/salt/elasticsearch/files/ingest/zeek.cip b/salt/elasticsearch/files/ingest/zeek.cip new file mode 100644 index 000000000..22f678594 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.cip 
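Review bot: The new menu tag `"opcua_binary.log"` is the only one of the added tags that carries a `.log` suffix (compare `"opcua_binary_status_code_detail"` on the following line and every other entry), so wherever these tags are later joined into log names or compared against Zeek's log list it will not line up with the rest; it should be `"opcua_binary" "OPC UA Binary Encoding" ON \`. Three labels also read wrong: `"DNP3 Objections"` should be `"DNP3 Objects"`, `"BSAP Serial RDB Extenstion"` should be `"BSAP Serial RDB Extension"`, and `"OPC UA UA Browse"` on the create_subscription entry looks like it was meant to be `"OPC UA Subscription"`. Separately, the tags here are `opcua_binary_*` while the ingest pipelines added in this commit are named `zeek.opcua_*`; if log-to-pipeline routing is keyed on the log name, as the `zeek.<log>` naming of the other pipelines suggests, the OPC UA logs may never reach their pipelines, which is worth confirming before merge. whiptail_manager_adv_service_zeeklogs starts before this hunk and continues after it.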
@@ -0,0 +1,19 @@ +{ + "description" : "zeek.cip", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.is_orig", "target_field": "cip.is.origin", "ignore_missing": true } }, + { "rename": { "field": "message2.cip_sequence_count", "target_field": "cip.sequence_count", "ignore_missing": true } }, + { "rename": { "field": "message2.direction", "target_field": "cip.direction", "ignore_missing": true } }, + { "rename": { "field": "message2.cip_service_code", "target_field": "cip.service_code", "ignore_missing": true } }, + { "rename": { "field": "message2.cip_service", "target_field": "cip.service", "ignore_missing": true } }, + { "convert": { "field": "cip.service", "type": "string", "ignore_missing": true } }, + { "rename": { "field": "message2.cip_status", "target_field": "cip.status_code", "ignore_missing": true } }, + { "rename": { "field": "message2.class_id", "target_field": "cip.request.path.class.id", "ignore_missing": true } }, + { "rename": { "field": "message2.class_name", "target_field": "cip.request.path.class.name", "ignore_missing": true } }, + { "rename": { "field": "message2.instance_id", "target_field": "cip.request.path.instance.id", "ignore_missing": true } }, + { "rename": { "field": "message2.attribute_id", "target_field": "cip.request.path.attribute.id", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.cip_identity b/salt/elasticsearch/files/ingest/zeek.cip_identity new file mode 100644 index 000000000..092f63fa7 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.cip_identity 
@@ -0,0 +1,21 @@ +{ + "description" : "zeek.cip_identity", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.encapsulation_version", "target_field": "cip.encapsulation.version", "ignore_missing": true } }, + { "rename": { "field": "message2.socket_address", "target_field": "cip.socket.address", "ignore_missing": true } }, + { "rename": { "field": "message2.socket_port", "target_field": "cip.socket.port", "ignore_missing": true } }, + { "rename": { "field": "message2.vendor_id", "target_field": "cip.vendor.id", "ignore_missing": true } }, + { "rename": { "field": "message2.vendor_name", "target_field": "cip.vendor.name", "ignore_missing": true } }, + { "rename": { "field": "message2.device_type_id", "target_field": "cip.device.type.id", "ignore_missing": true } }, + { "rename": { "field": "message2.device_type_name", "target_field": "cip.device.type.name", "ignore_missing": true } }, + { "rename": { "field": "message2.product_code", "target_field": "cip.device.product.code", "ignore_missing": true } }, + { "rename": { "field": "message2.revision", "target_field": "cip.device.revision", "ignore_missing": true } }, + { "rename": { "field": "message2.device_status", "target_field": "cip.device.status", "ignore_missing": true } }, + { "rename": { "field": "message2.serial_number", "target_field": "cip.device.serial.number", "ignore_missing": true } }, + { "rename": { "field": "message2.product_name", "target_field": "cip.device.product.name", "ignore_missing": true } }, + { "rename": { "field": "message2.device_state", "target_field": "cip.device.state", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest/zeek.cip_io b/salt/elasticsearch/files/ingest/zeek.cip_io new file mode 100644 index 000000000..4a66d83bf 
--- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.cip_io @@ -0,0 +1,13 @@ +{ + "description" : "zeek.cip_io", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.is_orig", "target_field": "cip.is.origin", "ignore_missing": true } }, + { "rename": { "field": "message2.connection_id", "target_field": "cip.connection.id", "ignore_missing": true } }, + { "rename": { "field": "message2.sequence_number", "target_field": "cip.sequence.count", "ignore_missing": true } }, + { "rename": { "field": "message2.data_length", "target_field": "cip.data.length", "ignore_missing": true } }, + { "rename": { "field": "message2.io_data", "target_field": "cip.io.data", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info b/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info new file mode 100644 index 000000000..009cd311f --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info 
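Review bot: `message2.sequence_number` lands in `cip.sequence.count` here, while zeek.cip earlier in this commit puts `cip_sequence_count` into `cip.sequence_count`; if both carry the CIP sequence count, as the names suggest, the two pipelines write the same concept to two different fields and a query or rule over one will miss the other. Pick one spelling for both, e.g. `"target_field": "cip.sequence_count"`. zeek.cip itself already mixes dotted and underscored leaves (`cip.is.origin` and `cip.request.path.class.id` next to `cip.service_code` and `cip.status_code`), so settling a naming convention now avoids a reindex later.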
@@ -0,0 +1,17 @@ +{ + "description" : "zeek.ecat_aoe_info", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.targetid", "target_field": "ecat.target.id", "ignore_missing": true } }, + { "rename": { "field": "message2.targetport", "target_field": "ecat.target.port", "ignore_missing": true } }, + { "convert": { "field": "ecat.target.port", "type": "integer", "ignore_missing": true } }, + { "rename": { "field": "message2.senderid", "target_field": "ecat.sender.id", "ignore_missing": true } }, + { "rename": { "field": "message2.senderport", "target_field": "ecat.sender.port", "ignore_missing": true } }, + { "convert": { "field": "ecat.sender.port", "type": "integer", "ignore_missing": true } }, + { "rename": { "field": "message2.cmd", "target_field": "ecat.command", "ignore_missing": true } }, + { "rename": { "field": "message2.stateflags", "target_field": "ecat.state.flags", "ignore_missing": true } }, + { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_arp_info b/salt/elasticsearch/files/ingest/zeek.ecat_arp_info new file mode 100644 index 000000000..522efecf5 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.ecat_arp_info 
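Review bot: The two `convert` processors for `ecat.target.port` and `ecat.sender.port` set `ignore_missing` but not `ignore_failure`, and the pipeline has no `on_failure` handler, so if the Zeek field ever carries a value that does not parse as an integer the whole event fails the pipeline and is lost rather than indexed with the raw value. The `json` processor already yields native numbers when the log value is numeric, so the convert may be redundant; if it is kept, `{ "convert": { "field": "ecat.target.port", "type": "integer", "ignore_missing": true, "ignore_failure": true } }` keeps the event at the cost of an occasionally string-typed port. The same applies to the `ecat.port` convert in zeek.ecat_dev_info.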
@@ -0,0 +1,15 @@ +{ + "description" : "zeek.ecat_arp_info", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.arp_type", "target_field": "ecat.arp.type", "ignore_missing": true } }, + { "rename": { "field": "message2.mac_src", "target_field": "ecat.srcmac", "ignore_missing": true } }, + { "rename": { "field": "message2.mac_dst", "target_field": "ecat.dstmac", "ignore_missing": true } }, + { "rename": { "field": "message2.SPA", "target_field": "ecat.sender.protocol.address", "ignore_missing": true } }, + { "rename": { "field": "message2.SHA", "target_field": "ecat.sender.hardware.address", "ignore_missing": true } }, + { "rename": { "field": "message2.TPA", "target_field": "ecat.target.protocol.address", "ignore_missing": true } }, + { "rename": { "field": "message2.THA", "target_field": "ecat.target.hardware.address", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_coe_info b/salt/elasticsearch/files/ingest/zeek.ecat_coe_info new file mode 100644 index 000000000..79721c920 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.ecat_coe_info 
@@ -0,0 +1,14 @@ +{ + "description" : "zeek.ecat_coe_info", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.number", "target_field": "ecat.message.number", "ignore_missing": true } }, + { "rename": { "field": "message2.Type", "target_field": "ecat.message.type", "ignore_missing": true } }, + { "rename": { "field": "message2.req_resp", "target_field": "ecat.request.response.type", "ignore_missing": true } }, + { "rename": { "field": "message2.index", "target_field": "ecat.index", "ignore_missing": true } }, + { "rename": { "field": "message2.subindex", "target_field": "ecat.sub.index", "ignore_missing": true } }, + { "rename": { "field": "message2.dataoffset", "target_field": "ecat.data_offset", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_dev_info b/salt/elasticsearch/files/ingest/zeek.ecat_dev_info new file mode 100644 index 000000000..aab20781b --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.ecat_dev_info 
@@ -0,0 +1,18 @@ +{ + "description" : "zeek.ecat_dev_info", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.slave_id", "target_field": "ecat.slave.address", "ignore_missing": true } }, + { "rename": { "field": "message2.revision", "target_field": "ecat.revision", "ignore_missing": true } }, + { "rename": { "field": "message2.dev_type", "target_field": "ecat.device.type", "ignore_missing": true } }, + { "rename": { "field": "message2.build", "target_field": "ecat.build.version", "ignore_missing": true } }, + { "rename": { "field": "message2.fmmucnt", "target_field": "ecat.fieldbus.mem.mgmt.unit", "ignore_missing": true } }, + { "rename": { "field": "message2.smcount", "target_field": "ecat.sync.manager.count", "ignore_missing": true } }, + { "rename": { "field": "message2.ports", "target_field": "ecat.port", "ignore_missing": true } }, + { "convert": { "field": "ecat.port", "type": "integer", "ignore_missing": true } }, + { "rename": { "field": "message2.dpram", "target_field": "ecat.ram.size", "ignore_missing": true } }, + { "rename": { "field": "message2.features", "target_field": "ecat.features", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_foe_info b/salt/elasticsearch/files/ingest/zeek.ecat_foe_info new file mode 100644 index 000000000..11df775a9 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.ecat_foe_info 
@@ -0,0 +1,14 @@ +{ + "description" : "zeek.ecat_foe_info", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } }, + { "rename": { "field": "message2.reserved", "target_field": "ecat.reserved", "ignore_missing": true } }, + { "rename": { "field": "message2.packet_num", "target_field": "ecat.packet.number", "ignore_missing": true } }, + { "rename": { "field": "message2.error_code", "target_field": "ecat.error.code", "ignore_missing": true } }, + { "rename": { "field": "message2.filename", "target_field": "ecat.filename", "ignore_missing": true } }, + { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_log_address b/salt/elasticsearch/files/ingest/zeek.ecat_log_address new file mode 100644 index 000000000..141eeda00 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.ecat_log_address 
@@ -0,0 +1,14 @@ +{ + "description" : "zeek.ecat_log_address", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.srcmac", "target_field": "ecat.srcmac", "ignore_missing": true } }, + { "rename": { "field": "message2.dstmac", "target_field": "ecat.dstmac", "ignore_missing": true } }, + { "rename": { "field": "message2.Log_Addr", "target_field": "ecat.log.address", "ignore_missing": true } }, + { "rename": { "field": "message2.Length", "target_field": "ecat.length", "ignore_missing": true } }, + { "rename": { "field": "message2.Command", "target_field": "ecat.command", "ignore_missing": true } }, + { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_registers b/salt/elasticsearch/files/ingest/zeek.ecat_registers new file mode 100644 index 000000000..4b4d4eebe --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.ecat_registers 
@@ -0,0 +1,15 @@ +{ + "description" : "zeek.ecat_registers", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.srcmac", "target_field": "ecat.srcmac", "ignore_missing": true } }, + { "rename": { "field": "message2.dstmac", "target_field": "ecat.dstmac", "ignore_missing": true } }, + { "rename": { "field": "message2.Command", "target_field": "ecat.command", "ignore_missing": true } }, + { "rename": { "field": "message2.Slave_Addr", "target_field": "ecat.slave.address", "ignore_missing": true } }, + { "rename": { "field": "message2.Register_Type", "target_field": "ecat.register.type", "ignore_missing": true } }, + { "rename": { "field": "message2.Register_Addr", "target_field": "ecat.register.address", "ignore_missing": true } }, + { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_soe_info b/salt/elasticsearch/files/ingest/zeek.ecat_soe_info new file mode 100644 index 000000000..bddc40efa --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.ecat_soe_info 
@@ -0,0 +1,14 @@ +{ + "description" : "zeek.ecat_soe_info", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } }, + { "rename": { "field": "message2.incomplete", "target_field": "ecat.function.check", "ignore_missing": true } }, + { "rename": { "field": "message2.error", "target_field": "ecat.error", "ignore_missing": true } }, + { "rename": { "field": "message2.drive_num", "target_field": "ecat.drive.number", "ignore_missing": true } }, + { "rename": { "field": "message2.element_flags", "target_field": "ecat.element.flags", "ignore_missing": true } }, + { "rename": { "field": "message2.index", "target_field": "ecat.index", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest/zeek.enip b/salt/elasticsearch/files/ingest/zeek.enip new file mode 100644 index 000000000..456eb99d7 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.enip 
@@ -0,0 +1,16 @@ +{ + "description" : "zeek.enip", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.is_orig", "target_field": "enip.is.origin", "ignore_missing": true } }, + { "rename": { "field": "message2.enip_command_code", "target_field": "enip.command_code", "ignore_missing": true } }, + { "rename": { "field": "message2.enip_command", "target_field": "enip.command", "ignore_missing": true } }, + { "rename": { "field": "message2.length", "target_field": "enip.length", "ignore_missing": true } }, + { "rename": { "field": "message2.session_handle", "target_field": "enip.session.handle", "ignore_missing": true } }, + { "rename": { "field": "message2.enip_status", "target_field": "enip.status.code", "ignore_missing": true } }, + { "rename": { "field": "message2.sender_context", "target_field": "enip.sender.context", "ignore_missing": true } }, + { "rename": { "field": "message2.options", "target_field": "enip.options", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.opcua b/salt/elasticsearch/files/ingest/zeek.opcua new file mode 100644 index 000000000..78e44c47c --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.opcua 
@@ -0,0 +1,30 @@ +{ + "description" : "zeek.opcua", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, + { "rename": { "field": "message2.msg_type", "target_field": "opcua.message_type", "ignore_missing": true } }, + { "rename": { "field": "message2.is_final", "target_field": "opcua.final", "ignore_missing": true } }, + { "rename": { "field": "message2.msg_size", "target_field": "opcua.message_size", "ignore_missing": true } }, + { "rename": { "field": "message2.snd_buf_size", "target_field": "opcua.sender.buffer_size", "ignore_missing": true } }, + { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } }, + { "rename": { "field": "message2.sec_channel_id", "target_field": "opcua.secure_channel.id", "ignore_missing": true } }, + { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } }, + { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.request_id", "target_field": "opcua.request_id", "ignore_missing": true } }, + { "rename": { "field": "message2.namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } }, + { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } }, + { "rename": { "field": "message2.identifier", "target_field": "opcua.identifier", "ignore_missing": true } }, + { "rename": { "field": "message2.identifier_str", "target_field": "opcua.identifier_string", "ignore_missing": true } }, + { "rename": { "field": "message2.req_hdr_node_id_type", "target_field": "opcua.request.header.node.id_type", "ignore_missing": true } }, + { "rename": { "field": "message2.req_hdr_node_id_numeric", "target_field": "opcua.request.header.node.id_numeric", 
"ignore_missing": true } }, + { "rename": { "field": "message2.req_hdr_timestamp", "target_field": "opcua.request.header.timestamp", "ignore_missing": true } }, + { "rename": { "field": "message2.req_hdr_request_handle", "target_field": "opcua.request.handle", "ignore_missing": true } }, + { "rename": { "field": "message2.req_hdr_return_diag", "target_field": "opcua.request.header.return_diag", "ignore_missing": true } }, + { "rename": { "field": "message2.req_hdr_audit_entry_id", "target_field": "opcua.request.header.audit_entry_id", "ignore_missing": true } }, + { "rename": { "field": "message2.req_hdr_timeout_hint", "target_field": "opcua.request.header.timeout_hint", "ignore_missing": true } }, + { "rename": { "field": "message2.req_hdr_add_hdr_type_id", "target_field": "opcua.request.header.type_id", "ignore_missing": true } }, + { "rename": { "field": "message2.req_hdr_add_hdr_enc_mask", "target_field": "opcua.request.header.enc_mask", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_activate_session b/salt/elasticsearch/files/ingest/zeek.opcua_activate_session new file mode 100644 index 000000000..466e34236 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.opcua_activate_session 
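Review bot: `message2.seq_number` is renamed to `opcua.sequence_number` twice in zeek.opcua, the second copy directly after the `sec_channel_id` rename; the duplicate is only a no-op because of `ignore_missing`, and it reads as if a different source field was intended there. Drop the second processor or point it at the field that was meant. The `json` processor line also writes `"ignore_failure": true}` without the space the other pipelines use, which is cosmetic but makes these copy-pasted processors harder to diff against one another.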
@@ -0,0 +1,18 @@
+{
+ "description" : "zeek.opcua.activate_session",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_encoding", "target_field": "opcua.encoding", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_policy_id", "target_field": "opcua.policy_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_user_name", "target_field": "opcua.user_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_password", "target_field": "opcua.password", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_browse b/salt/elasticsearch/files/ingest/zeek.opcua_browse
new file mode 100644
index 000000000..fa0f8bf81
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_browse
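Review bot: The `message2.ext_obj_password` rename indexes the OPC UA user-identity-token password as `opcua.password`, so a credential travels from the wire capture into a searchable, replicated store readable by anyone with access to the index; depending on the security policy the session negotiated, that value may be the plaintext password. Consider removing it instead (`{ "remove": { "field": "message2.ext_obj_password", "ignore_missing": true } }`) or reducing it to a presence indicator, and at minimum avoid a field name that invites ad-hoc searching. Separately, the `description` here is `zeek.opcua.activate_session` while the file is `zeek.opcua_activate_session`; every other pipeline in this commit uses the file name as its description, and zeek.opcua_browse and zeek.opcua_browse_description have the same mismatch.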
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.opcua.browse",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } },
+ { "rename": { "field": "browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
+ { "rename": { "field": "browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } },
+ { "rename": { "field": "browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } },
+ { "rename": { "field": "browse_description_link_id", "target_field": "opcua.description.link_id", "ignore_missing": true } },
+ { "rename": { "field": "req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_browse_description b/salt/elasticsearch/files/ingest/zeek.opcua_browse_description
new file mode 100644
index 000000000..56d6ac655
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_browse_description
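Review bot: Every rename after the `opcua_link_id` one reads from `browse_service_type`, `browse_view_id_encoding_mask`, …, `req_max_ref_nodes` without the `message2.` prefix, but the `json` processor places the parsed record under `message2`, so those source fields never exist at the top level; `ignore_missing` turns each into a silent no-op and none of the OPC UA browse fields are ever indexed. Prefix each source field, e.g. `{ "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } }`. zeek.opcua_browse_description has the same problem on all eight of its renames.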
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.opcua.browse_description",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "browse_description_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "browse_description_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
+ { "rename": { "field": "browse_direction", "target_field": "opcua.direction", "ignore_missing": true } },
+ { "rename": { "field": "browse_description_ref_encoding_mask", "target_field": "opcua.description.ref_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "browse_description_ref_numeric", "target_field": "opcua.description.ref_numeric", "ignore_missing": true } },
+ { "rename": { "field": "browse_description_include_subtypes", "target_field": "opcua.description.include_subtypes", "ignore_missing": true } },
+ { "rename": { "field": "browse_node_class_mask", "target_field": "opcua.node.class_mask", "ignore_missing": true } },
+ { "rename": { "field": "browse_result_mask", "target_field": "opcua.result.mask", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_browse_response_references b/salt/elasticsearch/files/ingest/zeek.opcua_browse_response_references
new file mode 100644
index 000000000..07cec4813
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_browse_response_references
@@ -0,0 +1,22 @@
+{
+ "description" : "zeek.opcua_browse_response_references",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.browse_reference_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_encoding_mask", "target_field": "opcua.reference_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_numeric", "target_field": "opcua.reference_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_is_forward", "target_field": "opcua.is_forward", "ignore_missing": true } },
+ { "rename": { "field": "message2.response_ref_type_encoding_mask", "target_field": "opcua.reference_type_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_type_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_type_numeric", "target_field": "opcua.reference_type_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_name", "target_field": "opcua.reference_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_display_name_mask", "target_field": "opcua.display_name_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_display_name_locale", "target_field": "opcua.display_name_local", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_display_name_text", "target_field": "opcua.display_name_text", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_node_class", "target_field": "opcua.node_class", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_type_def_encoding_mask", "target_field": "opcua.type_def_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_type_def_numeric", "target_field": "opcua.type_def_numeric", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_browse_result b/salt/elasticsearch/files/ingest/zeek.opcua_browse_result
new file mode 100644
index 000000000..7b29284f9
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_browse_result
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.opcua_browse_result",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.browse_response_link_id", "target_field": "opcua.response.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_reference.link_id", "target_field": "opcua.reference.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code.link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_create_session b/salt/elasticsearch/files/ingest/zeek.opcua_create_session
new file mode 100644
index 000000000..637e5a7bb
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_create_session
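Review bot: The target `opcua.display_name_local` for source `message2.browse_response_display_name_locale` drops the last letter of "locale", which reads as a typo and leaves the field spelled differently from `opcua.locale` in the create_session_endpoints pipeline; `"target_field": "opcua.display_name_locale"`. The source `message2.response_ref_type_encoding_mask` is the only one in this hunk without the `browse_response_` prefix its neighbours carry; worth confirming against the Zeek column name, since a mismatch is hidden by `ignore_missing`.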
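Review bot: In zeek.opcua_browse_result the sources `message2.browse_reference.link_id` and `message2.status_code.link_id` are dotted paths, which the rename processor resolves as nested objects (`browse_reference` containing `link_id`), whereas the sibling pipelines read the same values as flat names (`message2.browse_reference_link_id` in browse_response_references, `message2.status_code_link_id` in status_code_detail). If the Zeek log uses the flat names, these two renames never match and `ignore_missing` hides it; suggested `"field": "message2.browse_reference_link_id"` and `"field": "message2.status_code_link_id"`.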
@@ -0,0 +1,19 @@
+{
+ "description" : "zeek.opcua_create_session",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_id_encoding_mask", "target_field": "opcua.session_id.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_id_namespace_idx", "target_field": "opcua.session_id.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_id_guid", "target_field": "opcua.session_id.guid", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_token_encoding_mask", "target_field": "opcua.auth_token.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_token_namespace_idx", "target_field": "opcua.auth_token.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_token_guid", "target_field": "opcua.auth_token.guid", "ignore_missing": true } },
+ { "rename": { "field": "message2.revised_session_timeout", "target_field": "opcua.revised_session_timeout", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.max_req_msg_size", "target_field": "opcua.request.max_message_size", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_create_session_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_create_session_endpoints
new file mode 100644
index 000000000..2bee814b6
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_create_session_endpoints
@@ -0,0 +1,21 @@
+{
+ "description" : "zeek.opcua",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
+ { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
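Review bot: The `description` here is the generic `"zeek.opcua"` while every other pipeline in this series names its own log (`zeek.opcua_create_session_user_token`, `zeek.opcua_get_endpoints`, …), which makes this one hard to tell apart when listing pipelines. Suggested `"description" : "zeek.opcua_create_session_endpoints"`, matching the file name.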
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_create_session_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_create_session_user_token
new file mode 100644
index 000000000..ef621a5ff
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_create_session_user_token
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.opcua_create_session_user_token",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.policy_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.type", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_create_subscription b/salt/elasticsearch/files/ingest/zeek.opcua_create_subscription
new file mode 100644
index 000000000..372e6b4fd
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_create_subscription
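Review bot: All three renames read the same source, `message2.user_token_link_id`; after the first one moves it to `opcua.user_token.link_id` the second and third find nothing and are skipped by `ignore_missing`, so `opcua.user_token.policy_id` and `opcua.user_token.type` are never populated. The sources look copy-pasted; presumably they should be the policy-id and token-type columns of the Zeek log (`message2.user_token_type` is the name used by the get_endpoints_user_token pipeline, the policy-id name should be confirmed against the log schema).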
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.opcua_create_subscription",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.requested_publishing_interval", "target_field": "opcua.publish_interval", "ignore_missing": true } },
+ { "rename": { "field": "message2.requested_lifetime_count", "target_field": "opcua.lifetime_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.requested_max_keep_alive_count", "target_field": "opcua.max_keepalive", "ignore_missing": true } },
+ { "rename": { "field": "message2.max_notifications_per_publish", "target_field": "opcua.max_notifications", "ignore_missing": true } },
+ { "rename": { "field": "message2.publishing_enabled", "target_field": "opcua.publish_enabled", "ignore_missing": true } },
+ { "rename": { "field": "message2.priority", "target_field": "opcua.priority", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints
new file mode 100644
index 000000000..a7b2b2f85
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_get_endpoints",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description
new file mode 100644
index 000000000..ef3755c8d
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description
@@ -0,0 +1,20 @@
+{
+ "description" : "zeek.opcua_get_endpoints_description",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.final", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_uri", "target_field": "opcua.message_size", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.sender.buffer_size", "ignore_missing": true } },
+ { "rename": { "field": "message2.locale", "target_field": "opcua.sequence_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.text", "target_field": "opcua.secure_channel.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_type", "target_field": "opcua.sequence_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.request_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_level", "target_field": "opcua.identifier", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_user_token
new file mode 100644
index 000000000..854c35cf0
--- /dev/null
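Review bot: The target fields from the second rename onward do not correspond to their sources: `product_uri` lands in `opcua.message_size`, `locale` in `opcua.sequence_number`, `message_security_mode` in `opcua.link_id`, `security_policy_uri` in `opcua.request_id`, and so on, which looks like a target list pasted from an unrelated pipeline. Two sources (`message2.locale` and `message2.application_type`) both target `opcua.sequence_number`; the rename processor rejects an existing target and the only guard here is `ignore_missing`, so a document carrying both fields fails ingestion. The same source columns are mapped sensibly in the create_session_endpoints pipeline earlier in this patch, and the rewritten renames below follow that mapping (the `remove`, `json`, first rename and `pipeline` processors are unchanged); `message2.endpoint_uri` is kept as written but differs from the `endpoint_url` spelling used elsewhere, so it should be checked against the Zeek log.
```json
+ { "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
+ { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
```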
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_user_token
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.opcua_get_endpoints_user_token",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_type", "target_field": "opcua.user_token.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_sec_policy_uri", "target_field": "opcua.user_token.security_policy_uri", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_opensecure_channel b/salt/elasticsearch/files/ingest/zeek.opcua_opensecure_channel
new file mode 100644
index 000000000..4e8fb483a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_opensecure_channel
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.opcua_opensecure_channel",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server.protocol.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_token_sec_channel_id", "target_field": "opcua.security_token.security_channel_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.created", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.revised", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server.nonce", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_status_code_detail b/salt/elasticsearch/files/ingest/zeek.opcua_status_code_detail
new file mode 100644
index 000000000..0d4ae984a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_status_code_detail
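Review bot: Five renames read `message2.server_proto_ver`; the first moves it to `opcua.server.protocol.version`, so the four that follow (`opcua.security_token.id`, `.created`, `.revised`, `opcua.server.nonce`) find no source and are skipped by `ignore_missing`, leaving the security-token id, lifetime and server nonce unindexed. Each of those four needs its own source column from the Zeek log (the token id, created/revised times and nonce fields, names to be confirmed against the log schema); the `sec_token_` prefix used by `sec_token_sec_channel_id` suggests where to look. The server nonce in particular is useful for correlating sessions, so its loss is worth fixing before this ships.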
@@ -0,0 +1,21 @@
+{
+ "description" : "zeek.opcua_stats_code_detail",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.source", "target_field": "opcua.source", "ignore_missing": true } },
+ { "rename": { "field": "message2.source_str", "target_field": "opcua.source_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.source_level", "target_field": "opcua.source_level", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code", "target_field": "opcua.status_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.severity", "target_field": "opcua.severity", "ignore_missing": true } },
+ { "rename": { "field": "message2.severity_str", "target_field": "opcua.severity_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.sub_code", "target_field": "opcua.sub_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.sub_code_str", "target_field": "opcua.sub_code_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.structure_changed", "target_field": "opcua.structure_changed", "ignore_missing": true } },
+ { "rename": { "field": "message2.semantics_changed", "target_field": "opcua.semantics_changed", "ignore_missing": true } },
+ { "rename": { "field": "message2.info_type", "target_field": "opcua.info_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.info_type_str", "target_field": "opcua.info_type_string", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/setup/so-functions b/setup/so-functions
index 8858856be..85032e275 100755
--- a/setup/so-functions
+++ b/setup/so-functions
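Review bot: The `description` reads `"zeek.opcua_stats_code_detail"` while the file is `zeek.opcua_status_code_detail` and every rename in it is about status codes, so the description misspells the log name it is meant to identify. Suggested `"description" : "zeek.opcua_status_code_detail"`. Separately, the first rename turns `opcua.status_code.link_id` into an object under `opcua.status_code`, while the fifth rename writes the scalar `message2.status_code` to `opcua.status_code` itself; a document carrying both fields would map the same key as object and scalar, which Elasticsearch rejects, so one of the two targets should be renamed.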
@@ -3020,6 +3020,43 @@ zeek_logs_enabled() {
 " - modbus_read_write_multiple_registers"\
 " - bacnet"\
 " - bacnet_discovery"\
- " - bacnet_property" >> "$zeeklogs_pillar"
+ " - bacnet_property"
+ " - ecat_registers"\
+ " - ecat_log_address"\
+ " - ecat_dev_info"\
+ " - ecat_aoe_info"\
+ " - ecat_coe_info"\
+ " - ecat_foe_info"\
+ " - ecat_soe_info"\
+ " - ecat_arp_info"\
+ " - enip"\
+ " - cip"\
+ " - cip_io"\
+ " - cip_identity"\
+ " - opcua_binary"\
+ " - opcua_binary_status_code_detail"\
+ " - opcua_binary_diag_info_detail"\
+ " - opcua_binary_get_endpoints"\
+ " - opcua_binary_get_endpoints_discovery"\
+ " - opcua_binary_get_endpoints_user_token"\
+ " - opcua_binary_get_endpoints_description"\
+ " - opcua_binary_get_endpoints_locale_id"\
+ " - opcua_binary_get_endpoints_profile_uri"\
+ " - opcua_binary_create_session"\
+ " - opcua_binary_create_session_user_token"\
+ " - opcua_binary_create_session_endpoints"\
+ " - opcua_binary_create_session_discovery"\
+ " - opcua_binary_activate_session"\
+ " - opcua_binary_activate_session_client_software_cert"\
+ " - opcua_binary_activate_session_locale_id"\
+ " - opcua_binary_activate_session_diagnostic_info"\
+ " - opcua_binary_browse"\
+ " - opcua_binary_browse_description"\
+ " - opcua_binary_browse_request_continuation_point"\
+ " - opcua_binary_browse_result"\
+ " - opcua_binary_browse_response_references"\
+ " - opcua_binary_browse_diagnostic_info"\
+ " - opcua_binary_create_subscription"\
+ " - opcua_binary_read" >> "$zeeklogs_pillar"
 fi
}
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 2c60b7e3e..e7d5e4507 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
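Review bot: The first added line, `" - bacnet_property"`, has no trailing backslash while every line before and after it ends in `\`, so the continued command that started outside this hunk now terminates there: its output is no longer redirected into `"$zeeklogs_pillar"` (the `>>` moved to the `opcua_binary_read` line), and the shell then tries to execute `" - ecat_registers"` with the remaining strings as arguments, which fails with a command-not-found and leaves the pillar without any of the new log entries. Unless the backslash was lost in rendering, the line should read `" - bacnet_property"\`. The command being continued begins above the hunk, so the fix should be checked in the full function.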
@@ -1312,7 +1312,58 @@ whiptail_manager_adv_service_zeeklogs() {
 "weird" "Zeek Weird Logs" ON \
 "mysql" "MySQL Logs" ON \
 "socks" "SOCKS Logs" ON \
- "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3)
+ "x509" "x.509 Logs" ON \
+ "modbus_detailed" "MODBUS Details" ON \
+ "modbus_mask_write_register" "MODBUS Write Register" ON \
+ "modbus_read_write_multiple_registers" "MODBUS Multi Registers" ON \
+ "dnp3_objects" "DNP3 Objections" ON \
+ "bacnet" "BACnet" ON \
+ "bacnet_discovery" "BACnet Discovery" ON \
+ "bacnet_property" "BACnet Property" ON \
+ "bsap_ip_header" "BSAP IP Header" ON \
+ "bsap_ip_rdb" "BSAP IP RDB" ON \
+ "bsap_ip_unknown" "BSAP IP Unknown" ON \
+ "bsap_serial_header" "BSAP Serial Header" ON \
+ "bsap_serial_rdb" "BSAP Serial RDB" ON \
+ "bsap_serial_rdb_ext" "BSAP Serial RDB Extenstion" ON \
+ "bsap_serial_unknown" "BSAP Serial Unknown" ON \
+ "ecat_registers" "Ethercat Registers" ON \
+ "ecat_log_address" "Ethercat Address Read Write" ON \
+ "ecat_dev_info" "Ethercat Device Info" ON \
+ "ecat_aoe_info" "Ethercat AoE Info" ON \
+ "ecat_coe_info" "Ethercat CoE Info" ON \
+ "ecat_foe_info" "Ethercat FoE Info" ON \
+ "ecat_soe_info" "Ethercat SoE Info" ON \
+ "ecat_arp_info" "Ethercat ARP Info" ON \
+ "enip" "ENIP Header" ON \
+ "cip" "CIP Header" ON \
+ "cip_io" "CIP I/O" ON \
+ "cip_identity" "CIP Identity" ON \
+ "opcua_binary" "OPC UA Binary Encoding" ON \
+ "opcua_binary_status_code_detail" "OPC UA Detail" ON \
+ "opcua_binary_diag_info_detail" "OPC UA Diag" ON \
+ "opcua_binary_get_endpoints" "OPC UA Endpoints" ON \
+ "opcua_binary_get_endpoints_discovery" "OPC UA Endpoints" ON \
+ "opcua_binary_get_endpoints_user_token" "OPC UA Endpoints" ON \
+ "opcua_binary_get_endpoints_description" "OPC UA Endpoints" ON \
+ "opcua_binary_get_endpoints_locale_id" "OPC UA Endpoints" ON \
+ "opcua_binary_get_endpoints_profile_uri" "OPC UA Endpoints" ON \
+ "opcua_binary_create_session" "OPC UA Session" ON \
+ "opcua_binary_create_session_user_token" "OPC UA Session" ON \
+ "opcua_binary_create_session_endpoints" "OPC UA Session" ON \
+ "opcua_binary_create_session_discovery" "OPC UA Session" ON \
+ "opcua_binary_activate_session" "OPC UA Session" ON \
+ "opcua_binary_activate_session_client_software_cert" "OPC UA Session" ON \
+ "opcua_binary_activate_session_locale_id" "OPC UA Session" ON \
+ "opcua_binary_activate_session_diagnostic_info" "OPC UA Session" ON \
+ "opcua_binary_browse" "OPC UA Browse" ON \
+ "opcua_binary_browse_description" "OPC UA Browse" ON \
+ "opcua_binary_browse_request_continuation_point" "OPC UA Browse" ON \
+ "opcua_binary_browse_result" "OPC UA Browse" ON \
+ "opcua_binary_browse_response_references" "OPC UA Browse" ON \
+ "opcua_binary_browse_diagnostic_info" "OPC UA Browse" ON \
+ "opcua_binary_create_subscription" "OPC UA UA Browse" ON \
+ "opcua_binary_read" "OPC UA Read" ON 3>&1 1>&2 2>&3)
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus