From 4a60310dc8a4a0b7c7060bcf0236662aa65f6f2e Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 14:04:40 -0700
Subject: [PATCH 1/2] Add Modbus, DNP3, BZAR, and oui-logging

This is an initial proof of concept. Need to migrate these entries behind a flag.
---
 pillar/zeek/init.sls | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pillar/zeek/init.sls b/pillar/zeek/init.sls
index 5eeb273b9..76638522b 100644
--- a/pillar/zeek/init.sls
+++ b/pillar/zeek/init.sls
@@ -48,6 +48,11 @@ zeek:
 - securityonion/bpfconf
 - securityonion/communityid
 - securityonion/file-extraction
+ - oui-logging
+ - bzar
+ - icsnpp-dnp3
+ - icsnpp-modbus
+ -
 '@load-sigs':
 - frameworks/signatures/detect-windows-shells
 redef:

From cd4e0c1f8e94570f663e568b665a776821d9cc15 Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 14:19:21 -0700
Subject: [PATCH 2/2] Add DNP3 and Modbus extensions to zeeklogs.sls

Add DNP3 and Modbus extenstions to zeeklogs to ensure filebeat.yml is configured properly to ship lots. Need to move these behind the OT flag.
---
 setup/so-functions | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/setup/so-functions b/setup/so-functions
index c92b643cc..b0102a6ad 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -3013,6 +3013,10 @@ zeek_logs_enabled() {
 " - weird"\
 " - mysql"\
 " - socks"\
- " - x509" >> "$zeeklogs_pillar"
+ " - x509" \
+ " - dnp3_objects" \
+ " - modbus_detailed" \
+ " - modbus_mask_write_single_register" \
+ " - modbus_read_write_multiple_registers" >> "$zeeklogs_pillar"
 fi
 }
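Review bot: The fifth added line in the `'@load'` list appears to be a bare `-` with no value after it (the hunk header counts five additions, but only four package names are visible, and the `-` cannot belong to the `'@load-sigs':` key that follows), which YAML parses as a null list entry. Depending on how the state renders `'@load'` into local.zeek, that would likely emit an empty or literal `@load` line and could make Zeek fail to load its configuration on every sensor. Either drop that line or put the intended package name on it. The `zeek:` mapping this hunk edits begins above the hunk, so the surrounding structure is inferred from the context lines.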
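Review bot: The zeeklogs list gains `dnp3_objects` but not `dnp3_control`, which the icsnpp-dnp3 package enabled by the sibling pillar/zeek/init.sls change also writes (not visible here, so confirm against the package's log list); without it that log would be produced on the sensor but never shipped by the generated filebeat configuration. Add `" - dnp3_control" \` next to `" - dnp3_objects" \`. As a point of style, the added lines put a space before the continuation backslash (`" - x509" \`) while the surrounding lines use `"\`; matching the existing form keeps the block uniform. `zeek_logs_enabled()` starts above the hunk, so the command these strings feed is not visible.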