From 18203513abf657cff09427665dcab09688b5e8fb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 10 Mar 2021 09:14:14 -0500 Subject: [PATCH 1/3] Update cert location for eval.import --- salt/filebeat/etc/filebeat.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index b6aa218ef..c680d61c1 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -261,6 +261,7 @@ output.{{ type }}: output.elasticsearch: enabled: true hosts: ["https://{{ MANAGER }}:9200"] + ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] pipelines: - pipeline: "%{[module]}.%{[dataset]}" indices: From 85aaa710063e4b1bc414f794437fd935c888a3bf Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 11 Mar 2021 08:01:27 -0500 Subject: [PATCH 2/3] FIX: Improve DHCP leases query in Hunt #3395 --- salt/soc/files/soc/hunt.queries.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/hunt.queries.json b/salt/soc/files/soc/hunt.queries.json index 5f3a359b5..840b4b373 100644 --- a/salt/soc/files/soc/hunt.queries.json +++ b/salt/soc/files/soc/hunt.queries.json @@ -17,7 +17,7 @@ { "name": "Connections", "description": "Connections grouped by destination country", "query": "event.dataset:conn | groupby destination.geo.country_name"}, { "name": "Connections", "description": "Connections grouped by source country", "query": "event.dataset:conn | groupby source.geo.country_name"}, { "name": "DCE_RPC", "description": "DCE_RPC grouped by operation", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation"}, - { "name": "DHCP", "description": "DHCP leases", "query": "event.dataset:dhcp | groupby host.hostname host.domain"}, + { "name": "DHCP", "description": "DHCP leases", "query": "event.dataset:dhcp | groupby host.hostname client.address"}, { "name": "DHCP", "description": "DHCP grouped by message type", "query": "event.dataset:dhcp | groupby dhcp.message_types"}, { "name": "DNP3", "description": "DNP3 grouped by reply", "query": "event.dataset:dnp3 | groupby dnp3.fc_reply"}, { "name": "DNS", "description": "DNS queries grouped by port", "query": "event.dataset:dns | groupby dns.query.name destination.port"}, From b4ad7e73593bcf987b2d36663cbfe87ca938b377 Mon Sep 17 00:00:00 2001 From: doug Date: Thu, 11 Mar 2021 11:01:51 -0500 Subject: [PATCH 3/3] FIX: Improve Suricata DHCP logging and parsing #3397 --- salt/elasticsearch/files/ingest/suricata.dhcp | 15 ++++++++------- salt/suricata/suricata_meta.yaml | 4 ++-- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/salt/elasticsearch/files/ingest/suricata.dhcp b/salt/elasticsearch/files/ingest/suricata.dhcp index 66ab1140e..9ecc41837 100644 --- a/salt/elasticsearch/files/ingest/suricata.dhcp +++ b/salt/elasticsearch/files/ingest/suricata.dhcp @@ -1,13 +1,14 @@ { "description" : "suricata.dhcp", "processors" : [ - { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, - { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, - { "rename": { "field": "message2.dhcp.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } }, - { "rename": { "field": "message2.dhcp.client_mac", "target_field": "host.mac", "ignore_missing": true } }, - { "rename": { "field": "message2.dhcp.dhcp_type", "target_field": "dhcp.message_types", "ignore_missing": true } }, - { "rename": { "field": "message2.dhcp.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } }, - { "rename": { "field": "message2.dhcp.type", "target_field": "dhcp.type", "ignore_missing": true } }, + { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, + { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, + { "rename": { "field": "message2.dhcp.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } }, + { "rename": { "field": "message2.dhcp.client_ip", "target_field": "client.address", "ignore_missing": true } }, + { "rename": { "field": "message2.dhcp.client_mac", "target_field": "host.mac", "ignore_missing": true } }, + { "rename": { "field": "message2.dhcp.dhcp_type", "target_field": "dhcp.message_types", "ignore_missing": true } }, + { "rename": { "field": "message2.dhcp.hostname", "target_field": "host.hostname", "ignore_missing": true } }, + { "rename": { "field": "message2.dhcp.type", "target_field": "dhcp.type", "ignore_missing": true } }, { "rename": { "field": "message2.dhcp.id", "target_field": "dhcp.id", "ignore_missing": true } }, { "pipeline": { "name": "common" } } ] diff --git a/salt/suricata/suricata_meta.yaml b/salt/suricata/suricata_meta.yaml index 3b1c55d8b..90b220000 100644 --- a/salt/suricata/suricata_meta.yaml +++ b/salt/suricata/suricata_meta.yaml @@ -61,7 +61,7 @@ suricata: - sip - dhcp: enabled: "yes" - # extended: "no" + extended: "yes" - ssh #- stats: # totals: "yes" @@ -69,4 +69,4 @@ suricata: # deltas: "no" - flow #- netflow - #- metadata \ No newline at end of file + #- metadata