From 5db643e53bbbd114360a833f7409431dcc3359db Mon Sep 17 00:00:00 2001
From: Wes
Date: Tue, 29 Nov 2022 17:18:24 +0000
Subject: [PATCH 1/2] Add Zeek dnp3_control ingest pipeline

---
 .../elasticsearch/files/ingest/zeek.dnp3_control | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 salt/elasticsearch/files/ingest/zeek.dnp3_control

diff --git a/salt/elasticsearch/files/ingest/zeek.dnp3_control b/salt/elasticsearch/files/ingest/zeek.dnp3_control
new file mode 100644
index 000000000..0c465b5d2
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.dnp3_control
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.dnp3_control",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.block_type", "target_field": "dnp3.block_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.function_code", "target_field": "dnp3.function_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.index_number", "target_field": "dnp3.index_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.trip_control_code","target_field": "dnp3.trip_control_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.operation_type", "target_field": "dnp3.operation_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.execute_count", "target_field": "dnp3.execute_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.on_time", "target_field": "dnp3.on_time", "ignore_missing": true } },
+ { "rename": { "field": "message2.off_time", "target_field": "dnp3.off_time", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}

From 16cd1080be94ffc6b6297a32c45a1f1bd2ac95d2 Mon Sep 17 00:00:00 2001
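Review bot: The `json` processor on `message` is set to `"ignore_failure": true`, so a record whose `message` is not valid JSON passes through with no `message2`, every following `rename` then no-ops via `ignore_missing`, and the event reaches `zeek.common` carrying none of the `dnp3.*` fields and no sign that parsing failed. For a control-operation log that is a silent blind spot; an `on_failure` handler that records the error, e.g. `"on_failure": [ { "set": { "field": "error.message", "value": "{{ _ingest.on_failure_message }}" } } ]`, keeps failed parses visible in hunts. The decoded copy in `message2` is never removed in this pipeline, so unless `zeek.common` drops it (not visible here) each document keeps both the raw and the parsed payload. Minor style point: the `trip_control_code` rename lacks the space after the comma before `"target_field"` that every other rename line has.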
From: Wes
Date: Tue, 29 Nov 2022 17:23:37 +0000
Subject: [PATCH 2/2] Add dnp3_control reference in various places

---
 salt/common/tools/sbin/so-zeek-logs | 1 +
 salt/soc/files/soc/hunt.eventfields.json | 3 ++-
 setup/so-functions | 1 +
 setup/so-whiptail | 1 +
 4 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/salt/common/tools/sbin/so-zeek-logs b/salt/common/tools/sbin/so-zeek-logs
index 10c0c77d8..834a254c5 100755
--- a/salt/common/tools/sbin/so-zeek-logs
+++ b/salt/common/tools/sbin/so-zeek-logs
@@ -58,6 +58,7 @@ whiptail_manager_adv_service_zeeklogs() {
 "cip_identity" "" ON \
 "cip_io" "" ON \
 "cotp" "" ON \
+ "dnp3_control" "" ON \
 "dnp3_objects" "" ON \
 "ecat_aoe_info" "" ON \
 "ecat_arp_info" "" ON \
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index 530f145d7..0b452df14 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
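Review bot: The `"dnp3_control" "" ON \` entry added here is the same list item added again in the so-functions hunk (`" - dnp3_control"\`) and in the so-whiptail hunk, so the set of Zeek logs lives as three hand-synchronised copies, two of which are the same `whiptail_manager_adv_service_zeeklogs()` function in different files. The entry itself is fine and sits in alphabetical position in all three, but a log type added to only some of the lists would be silently unselectable in one menu or missing from the generated config in another. Deriving the three lists from one definition would remove that risk; failing that, a comment above each list such as `# Keep in sync with setup/so-functions zeek_logs_enabled() and setup/so-whiptail` makes the coupling visible to the next editor. `whiptail_manager_adv_service_zeeklogs()` starts before and ends after this hunk.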
@@ -5,7 +5,8 @@
 "::dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dce_rpc.endpoint", "dce_rpc.named_pipe", "dce_rpc.operation", "log.id.uid" ],
 "::dhcp": ["soc_timestamp", "client.address", "server.address", "host.domain", "host.hostname", "dhcp.message_types", "log.id.uid" ],
 "::dnp3": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.fc_request", "dnp3.fc_reply", "log.id.uid" ],
- "::dnp3_objects": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.function_code", "dnp3.object_type", "log.id.uid" ],
+ "::dnp3_control": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.function_code", "dnp3.block_type", "log.id.uid" ],
+ "::dnp3_objects": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.function_code", "dnp3.object_type", "log.id.uid" ],
 "::dns": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "dns.query.name", "dns.query.type_name", "dns.response.code_name", "log.id.uid", "network.community_id" ],
 "::dpd": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.protocol", "observer.analyser", "error.reason", "log.id.uid" ],
 "::file": ["soc_timestamp", "source.ip", "destination.ip", "file.name", "file.mime_type", "file.source", "file.bytes.total", "log.id.fuid", "log.id.uid" ],
diff --git a/setup/so-functions b/setup/so-functions
index 67f2c2957..c992b3f76 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2994,6 +2994,7 @@ zeek_logs_enabled() {
 " - cip_identity"\
 " - cip_io"\
 " - cotp"\
+ " - dnp3_control"\
 " - dnp3_objects"\
 " - ecat_aoe_info"\
 " - ecat_coe_info"\
diff --git a/setup/so-whiptail b/setup/so-whiptail
index b87517545..16180708b 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
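Review bot: The `::dnp3_objects` line is removed and re-added with content that is identical as far as this hunk shows, which suggests a whitespace-only change (alignment or a trailing space) riding along with the new `::dnp3_control` entry; if that was not intended, dropping it keeps the diff and `git blame` to the one real change. The new `::dnp3_control` column set shows `dnp3.function_code` and `dnp3.block_type` but none of the fields that say what a control operation actually did, even though `dnp3.operation_type`, `dnp3.trip_control_code` and `dnp3.index_number` are all extracted by the pipeline in PATCH 1/2; an analyst triaging a control command would otherwise have to open each event, so one or two of those may belong in the default view. The enclosing JSON object starts and ends outside the hunk.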
@@ -1328,6 +1328,7 @@ whiptail_manager_adv_service_zeeklogs() {
 "cip_identity" "" ON \
 "cip_io" "" ON \
 "cotp" "" ON \
+ "dnp3_control" "" ON \
 "dnp3_objects" "" ON \
 "ecat_aoe_info" "" ON \
 "ecat_arp_info" "" ON \