m0duspwnens
2020-02-20 16:47:40 -05:00
parent 7604853c59
commit 2b34bdece9
153 changed files with 100 additions and 5198 deletions


@@ -1,4 +1,42 @@
logstash:
pipelines:
helix:
config: "/usr/share/logstash/pipelines/helix/*.conf"
config:
- 0010_input_hhbeats.conf
- 1033_preprocess_snort.conf
- 1100_preprocess_bro_conn.conf
- 1101_preprocess_bro_dhcp.conf
- 1102_preprocess_bro_dns.conf
- 1103_preprocess_bro_dpd.conf
- 1104_preprocess_bro_files.conf
- 1105_preprocess_bro_ftp.conf
- 1106_preprocess_bro_http.conf
- 1107_preprocess_bro_irc.conf
- 1108_preprocess_bro_kerberos.conf
- 1109_preprocess_bro_notice.conf
- 1110_preprocess_bro_rdp.conf
- 1111_preprocess_bro_signatures.conf
- 1112_preprocess_bro_smtp.conf
- 1113_preprocess_bro_snmp.conf
- 1114_preprocess_bro_software.conf
- 1115_preprocess_bro_ssh.conf
- 1116_preprocess_bro_ssl.conf
- 1117_preprocess_bro_syslog.conf
- 1118_preprocess_bro_tunnel.conf
- 1119_preprocess_bro_weird.conf
- 1121_preprocess_bro_mysql.conf
- 1122_preprocess_bro_socks.conf
- 1123_preprocess_bro_x509.conf
- 1124_preprocess_bro_intel.conf
- 1125_preprocess_bro_modbus.conf
- 1126_preprocess_bro_sip.conf
- 1127_preprocess_bro_radius.conf
- 1128_preprocess_bro_pe.conf
- 1129_preprocess_bro_rfb.conf
- 1130_preprocess_bro_dnp3.conf
- 1131_preprocess_bro_smb_files.conf
- 1132_preprocess_bro_smb_mapping.conf
- 1133_preprocess_bro_ntlm.conf
- 1134_preprocess_bro_dce_rpc.conf
- 8001_postprocess_common_ip_augmentation.conf
- 9997_output_helix.conf.jinja
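Review bot: Replacing the `*.conf` glob with an explicit file list means anything not named here is silently never loaded, so the list itself now needs a comment stating where the names resolve and what the order means; I would add above `config:` the line `# Explicit load list replacing the directory glob; names resolve under the helix pipeline directory and are assembled in this order - confirm against the consuming state`. Elsewhere in this commit a file whose trailing comment identifies it as conf_file_1033 (the snort preprocess filter) is deleted, while `1033_preprocess_snort.conf` is still listed here and in the search pipeline; that is presumably a relocation rather than a removal, but it is worth checking that every listed name resolves at the new location, since a missing entry would break pipeline assembly rather than be skipped as the glob did. On the positive side the explicit list is the safer shape: a stray file dropped into the pipeline directory is no longer picked up automatically.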


@@ -1,4 +1,6 @@
logstash:
pipelines:
master:
config: "/usr/share/logstash/pipelines/master/*.conf"
config:
- 0010_input_hhbeats.conf
- 9999_output_redis.conf.jinja


@@ -1,4 +1,55 @@
logstash:
pipelines:
search:
config: "/usr/share/logstash/pipelines/search/*.conf"
config:
- 1000_preprocess_log_elapsed.conf
- 1001_preprocess_syslogng.conf
- 1002_preprocess_json.conf
- 1004_preprocess_syslog_types.conf
- 1026_preprocess_dhcp.conf
- 1029_preprocess_esxi.conf
- 1030_preprocess_greensql.conf
- 1031_preprocess_iis.conf
- 1032_preprocess_mcafee.conf
- 1033_preprocess_snort.conf
- 1034_preprocess_syslog.conf
- 2000_network_flow.conf
- 6002_syslog.conf
- 6101_switch_brocade.conf
- 6200_firewall_fortinet.conf
- 6201_firewall_pfsense.conf
- 6300_windows.conf
- 6301_dns_windows.conf
- 6400_suricata.conf
- 6500_ossec.conf
- 6501_ossec_sysmon.conf
- 6502_ossec_autoruns.conf
- 6600_winlogbeat_sysmon.conf
- 6700_winlogbeat.conf
- 7100_osquery_wel.conf
- 7200_strelka.conf
- 8001_postprocess_common_ip_augmentation.conf
- 8007_postprocess_http.conf
- 8200_postprocess_tagging.conf
- 8998_postprocess_log_elapsed.conf
- 8999_postprocess_rename_type.conf
- 0900_input_redis.conf.jinja
- 9000_output_bro.conf.jinja
- 9001_output_switch.conf.jinja
- 9002_output_import.conf.jinja
- 9004_output_flow.conf.jinja
- 9026_output_dhcp.conf.jinja
- 9029_output_esxi.conf.jinja
- 9030_output_greensql.conf.jinja
- 9031_output_iis.conf.jinja
- 9032_output_mcafee.conf.jinja
- 9033_output_snort.conf.jinja
- 9034_output_syslog.conf.jinja
- 9100_output_osquery.conf.jinja
- 9200_output_firewall.conf.jinja
- 9300_output_windows.conf.jinja
- 9301_output_dns_windows.conf.jinja
- 9400_output_suricata.conf.jinja
- 9500_output_beats.conf.jinja
- 9600_output_ossec.conf.jinja
- 9700_output_strelka.conf.jinja
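Review bot: `0900_input_redis.conf.jinja` sits between `8999_postprocess_rename_type.conf` and `9000_output_bro.conf.jinja`, breaking the numeric ordering every other entry follows; if the consumer assembles files in list order this does not change Logstash semantics (an input block may appear anywhere), but a reader scanning for the pipeline's input will miss it, so move it to the top: `- 0900_input_redis.conf.jinja` before `- 1000_preprocess_log_elapsed.conf`. The same explicit-list-versus-glob remark applies here as in the helix pillar: a comment above `config:` such as `# Explicit load list; files not named here are not loaded` would make the intent clear to whoever next adds a parser. Several of the listed preprocess files (1000, 1001, 1002, 1004, 1029 through 1034) match files deleted elsewhere in this commit, so confirming the retained copies exist at the new path is worth a quick check before merge.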


@@ -1,204 +0,0 @@
# Updated by: Mike Reeves
# Last Update: 11/1/2018
input {
file {
path => "/suricata/eve.json"
type => "ids"
add_field => { "engine" => "suricata" }
}
file {
path => "/nsm/zeek/logs/current/conn*.log"
type => "bro_conn"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/dce_rpc*.log"
type => "bro_dce_rpc"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/dhcp*.log"
type => "bro_dhcp"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/dnp3*.log"
type => "bro_dnp3"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/dns*.log"
type => "bro_dns"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/dpd*.log"
type => "bro_dpd"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/files*.log"
type => "bro_files"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/ftp*.log"
type => "bro_ftp"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/http*.log"
type => "bro_http"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/intel*.log"
type => "bro_intel"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/irc*.log"
type => "bro_irc"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/kerberos*.log"
type => "bro_kerberos"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/modbus*.log"
type => "bro_modbus"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/mysql*.log"
type => "bro_mysql"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/notice*.log"
type => "bro_notice"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/ntlm*.log"
type => "bro_ntlm"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/pe*.log"
type => "bro_pe"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/radius*.log"
type => "bro_radius"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/rdp*.log"
type => "bro_rdp"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/rfb*.log"
type => "bro_rfb"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/signatures*.log"
type => "bro_signatures"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/sip*.log"
type => "bro_sip"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/smb_files*.log"
type => "bro_smb_files"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/smb_mapping*.log"
type => "bro_smb_mapping"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/smtp*.log"
type => "bro_smtp"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/snmp*.log"
type => "bro_snmp"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/socks*.log"
type => "bro_socks"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/software*.log"
type => "bro_software"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/ssh*.log"
type => "bro_ssh"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/ssl*.log"
type => "bro_ssl"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/syslog*.log"
type => "bro_syslog"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/tunnel*.log"
type => "bro_tunnels"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/weird*.log"
type => "bro_weird"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/x509*.log"
type => "bro_x509"
tags => ["bro"]
}
file {
path => "/wazuh/alerts/alerts.json"
type => "ossec"
}
file {
path => "/wazuh/archives/archives.json"
type => "ossec_archive"
}
file {
path => "/osquery/logs/result.log"
type => "osquery"
tags => ["osquery"]
}
file {
path => "/strelka/strelka.log"
type => "strelka"
}
}
filter {
if "import" in [tags] {
mutate {
#add_tag => [ "conf_file_0007"]
}
}
}


@@ -1,13 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
ruby {
code => "event.set('task_start', Time.now.to_f)"
}
mutate {
#add_tag => [ "conf_file_1000"]
}
}


@@ -1,33 +0,0 @@
# Updated by: Doug Burks and Wes Lambert
# Last Update: 10/30/2018
filter {
if "syslogng" in [tags] {
mutate {
rename => { "MESSAGE" => "message" }
rename => { "PROGRAM" => "type" }
rename => { "FACILITY" => "syslog-facility" }
rename => { "FILE_NAME" => "syslog-file_name" }
rename => { "HOST" => "syslog-host" }
rename => { "HOST_FROM" => "syslog-host_from" }
rename => { "LEGACY_MSGHDR" => "syslog-legacy_msghdr" }
rename => { "PID" => "syslog-pid" }
rename => { "PRIORITY" => "syslog-priority" }
rename => { "SOURCEIP" => "syslog-sourceip" }
rename => { "TAGS" => "syslog-tags" }
lowercase => [ "syslog-host_from" ]
remove_field => [ "ISODATE" ]
remove_field => [ "SEQNUM" ]
#add_tag => [ "conf_file_1001"]
}
if "bro_" in [type] {
mutate {
add_tag => [ "bro" ]
}
} else if [type] !~ /ossec.*|snort/ and "firewall" not in [tags] {
mutate {
add_tag => [ "syslog" ]
}
}
}
}


@@ -1,18 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if "json" in [tags]{
json {
source => "message"
}
mutate {
remove_tag => [ "json" ]
}
mutate {
#add_tag => [ "conf_file_1002"]
}
}
}


@@ -1,19 +0,0 @@
filter {
if "syslog" in [tags] {
if [host] == "172.16.1.1" {
mutate {
add_field => { "type" => "fortinet" }
add_tag => [ "firewall" ]
}
}
if [host] == "10.0.0.101" {
mutate {
add_field => { "type" => "brocade" }
add_tag => [ "switch" ]
}
}
mutate {
#add_tag => [ "conf_file_1004"]
}
}
}


@@ -1,140 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolutions.com
# Last Update: 12/9/2016
# This conf file is based on accepting logs for DHCP. It is currently based on Windows DHCP only.
filter {
if [type] == "dhcp" {
mutate {
add_field => { "Hostname" => "%{host}" }
}
mutate {
strip => "message"
}
# This is the initial parsing of the log
grok {
# Server 2008+
match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},%{DATA:Username},%{INT:TransactionID},%{INT:QResult},%{DATA:ProbationTime},%{DATA:CorrelationID}"}
# Server 2003
match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},"}
match => { "message" => "%{DATA:id},%{DATA:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{DATA:ip},%{DATA:Hostname},%{DATA:mac},"}
}
# This section below translates the message ID into something humans can understand.
if [id] == "00" {
mutate {
add_field => [ "event", "The log was started"]
}
}
if [id] == "01" {
mutate {
add_field => [ "event", "The log was stopped"]
}
}
if [id] == "02" {
mutate {
add_field => [ "event", "The log was temporarily paused due to low disk space"]
}
}
if [id] == "10" {
mutate {
add_field => [ "event", "A new IP address was leased to a client"]
}
}
if [id] == "11" {
mutate {
add_field => [ "event", "A lease was renewed by a client"]
}
}
if [id] == "12" {
mutate {
add_field => [ "event", "A lease was released by a client"]
}
}
if [id] == "13" {
mutate {
add_field => [ "event", "An IP address was found to be in use on the network"]
}
}
if [id] == "14" {
mutate {
add_field => [ "event", "A lease request could not be satisfied because the scope's address pool was exhausted"]
}
}
if [id] == "15" {
mutate {
add_field => [ "event", "A lease was denied"]
}
}
if [id] == "16" {
mutate {
add_field => [ "event", "A lease was deleted"]
}
}
if [id] == "17" {
mutate {
add_field => [ "event", "A lease was expired and DNS records for an expired leases have not been deleted"]
}
}
if [id] == "18" {
mutate {
add_field => [ "event", "A lease was expired and DNS records were deleted"]
}
}
if [id] == "20" {
mutate {
add_field => [ "event", "A BOOTP address was leased to a client"]
}
}
if [id] == "21" {
mutate {
add_field => [ "event", "A dynamic BOOTP address was leased to a client"]
}
}
if [id] == "22" {
mutate {
add_field => [ "event", "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"]
}
}
if [id] == "23" {
mutate {
add_field => [ "event", "A BOOTP IP address was deleted after checking to see it was not in use"]
}
}
if [id] == "24" {
mutate {
add_field => [ "event", "IP address cleanup operation has began"]
}
}
if [id] == "25" {
mutate {
add_field => [ "event", "IP address cleanup statistics"]
}
}
if [id] == "30" {
mutate {
add_field => [ "event", "DNS update request to the named DNS server"]
}
}
if [id] == "31" {
mutate {
add_field => [ "event", "DNS update failed"]
}
}
if [id] == "32" {
mutate {
add_field => [ "event", "DNS update successful"]
}
}
if [id] == "33" {
mutate {
add_field => [ "event", "Packet dropped due to NAP policy"]
}
}
# If the message failed to parse correctly keep the message for debugging. Otherwise, drop it.
#if "_grokparsefailure" not in [tags] {
# mutate {
# remove_field => [ "message"]
# }
#}
}
}


@@ -1,31 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
#
# This configuration file takes ESXi syslog messages and filters them. There is no input as the logs would have came in via syslog
filter {
# This is an example of using an IP address range to classify a syslog message to a specific type of log
# This is helpful as so many devices only send logs via syslog
if [host] =~ "10\.[0-1]\.9\." {
mutate {
replace => ["type", "esxi"]
}
}
if [host] =~ "\.234$" {
mutate {
replace => ["type", "esxi"]
}
}
if [type] == "esxi" {
grok {
match => { "message" => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))"}
# pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
}
mutate {
#add_tag => [ "conf_file_1029"]
}
}
}


@@ -1,21 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "greensql" {
# This section is parsing out the fields for GreenSQL syslog data
grok {
match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\s*Database=%{DATA:Database}\sUser=%{DATA:UserName}\sApplication Name=%{DATA:Application}\sSource IP=%{IPV4:SrcIp}\sSource Port=%{INT:SrcPort}\sTarget IP=?%{IPV4:DstIp}\sTarget Port=%{DATA:DstPort}\sQuery=%{GREEDYDATA:Query}"}
match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\sAdmin_Name=%{DATA:UserName}\sIP_Address=%{IPV4:SrcIp}\sUser_Agent=%{DATA:UserAgent}\sMessage=%{DATA:StatusMessage}\sDescription=%{DATA:Description}\sSeverity=%{GREEDYDATA:Severity}"}
}
# Remove the message field as it is unnecessary
#mutate {
# remove_field => [ "message"]
#}
mutate {
#add_tag => [ "conf_file_1030"]
}
}
}


@@ -1,21 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "iis" {
# The log is expected to have come from NXLog and in JSON format. This allows for automatic parsing of fields
json {
source => "message"
}
# This removes the message field as it is unneccesary and tags the packet as web
mutate {
# remove_field => [ "message"]
add_tag => [ "web" ]
}
mutate {
#add_tag => [ "conf_file_1031"]
}
}
}


@@ -1,26 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
#
# This file looks for McAfee EPO logs
filter {
if [type] == "mcafee" {
# NXLog should be sending the logs in JSON format so they auto parse
json {
source => "message"
}
# This section converts the UTC fields to the proper time format
date {
match => [ "ReceivedUTC", "YYYY-MM-dd HH:mm:ss" ]
target => [ "ReceivedUTC" ]
}
date {
match => [ "DetectedUTC", "YYYY-MM-dd HH:mm:ss" ]
target => [ "DetectedUTC" ]
}
mutate {
#add_tag => [ "conf_file_1032"]
}
}
}


@@ -1,181 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 3/15/2018
filter {
if [type] == "ids" {
# This is the initial parsing of the log
if [engine] == "suricata" {
json {
source => "message"
}
mutate {
rename => { "alert" => "orig_alert" }
rename => { "[orig_alert][gid]" => "gid" }
rename => { "[orig_alert][signature_id]" => "sid" }
rename => { "[orig_alert][rev]" => "rev" }
rename => { "[orig_alert][signature]" => "alert" }
rename => { "[orig_alert][category]" => "classification" }
rename => { "[orig_alert][severity]" => "priority" }
rename => { "[orig_alert][rule]" => "rule_signature" }
rename => { "app_proto" => "application_protocol" }
rename => { "dest_ip" => "destination_ip" }
rename => { "dest_port" => "destination_port" }
rename => { "in_iface" => "interface" }
rename => { "proto" => "protocol" }
rename => { "src_ip" => "source_ip" }
rename => { "src_port" => "source_port" }
#rename => { "[fileinfo][filename]" => "filename" }
#rename => { "[fileinfo][gaps]" => "gaps" }
#rename => { "[fileinfo][size]" => "size" }
#rename => { "[fileinfo][state]" => "state" }
#rename => { "[fileinfo][stored]" => "stored" }
#rename => { "[fileinfo][tx_id]" => "tx_id" }
#rename => { "[flow][age]" => "duration" }
#rename => { "[flow][alerted]" => "flow_alerted" }
#rename => { "[flow][bytes_toclient]" => "bytes_to_client" }
#rename => { "[flow][bytes_toserver]" => "bytes_to_server" }
#rename => { "[flow][end]" => "flow_end" }
#rename => { "[flow][pkts_toclient]" => "packets_to_client" }
#rename => { "[flow][pkts_toserver]" => "packets_to_server" }
#rename => { "[flow][reason]" => "reason" }
#rename => { "[flow][start]" => "flow_start" }
#rename => { "[flow][state]" => "state" }
#rename => { "[netflow][age]" => "duration" }
#rename => { "[netflow][bytes]" => "bytes" }
#rename => { "[netflow][end]" => "netflow_end" }
#rename => { "[netflow][start]" => "netflow_start" }
#rename => { "[netflow][pkts]" => "packets" }
rename => { "[alert][action]" => "action" }
rename => { "[alert][category]" => "category" }
rename => { "[alert][gid]" => "gid" }
rename => { "[alert][rev]" => "rev" }
rename => { "[alert][severity]" => "severity" }
rename => { "[alert][signature]" => "signature" }
rename => { "[alert][signature_id]" => "sid" }
#rename => { "[dns][aa]" => "aa" }
#rename => { "[dns][flags]" => "flags" }
#rename => { "[dns][id]" => "id" }
#rename => { "[dns][qr]" => "qr" }
#rename => { "[dns][rcode]" => "rcode_name" }
#rename => { "[dns][rrname]" => "rrname" }
#rename => { "[dns][rrtype]" => "rrtype" }
#rename => { "[dns][tx_id]" => "tx_id" }
#rename => { "[dns][type]" => "record_type" }
#rename => { "[dns][version]" => "version" }
rename => { "[http][hostname]" => "virtual_host" }
rename => { "[http][http_content_type]" => "content_type" }
rename => { "[http][http_port]" => "http_port" }
rename => { "[http][http_method]" => "method" }
rename => { "[http][http_user_agent]" => "useragent" }
#rename => { "[http][length]" => "payload_length" }
#rename => { "[http][protocol]" => "http_version" }
rename => { "[http][status]" => "status_message" }
rename => { "[http][url]" => "url" }
#rename => { "[metadata][flowbits]" => "flowbits" }
rename => { "[tls][fingerprint]" => "certificate_serial_number" }
rename => { "[tls][issuerdn]" => "issuer_distinguished_name" }
rename => { "[tls][notafter]" => "certificate_not_valid_after" }
rename => { "[tls][notbefore]" => "certificate_not_valid_before" }
rename => { "[tls][subject]" => "certificate_common_name" }
rename => { "[tls][version]" => "tls_version" }
rename => { "event_type" => "ids_event_type" }
remove_field => [ "offset", "orig_alert", "beat", "input", "prospector" ]
remove_tag => [ "beats_input_codec_plain_applied" ]
add_tag => [ "eve" ]
}
} else {
grok {
match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
"message", "\A%{TIME} pid\(%{INT}\) Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z",
"message", "%{GREEDYDATA:alert}"]
}
}
if [timestamp] {
mutate {
add_field => { "logstash_timestamp" => "%{@timestamp}" }
}
mutate {
convert => { "logstash_timestamp" => "string" }
}
date {
match => [ "timestamp", "ISO8601" ]
}
mutate {
rename => { "logstash_timestamp" => "timestamp" }
}
}
# If the alert is a Snort GPL alert break it apart for easier reading and categorization
if [alert] =~ "GPL " {
# This will parse out the category type from the alert
grok {
match => { "alert" => "GPL\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Snort GPL" }
lowercase => [ "category"]
}
}
# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
if [alert] =~ "ET " {
# This will parse out the category type from the alert
grok {
match => { "alert" => "ET\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Emerging Threats" }
lowercase => [ "category"]
}
}
# I recommend changing the field types below to integer so searches can do greater than or less than
# and also so math functions can be ran against them
mutate {
convert => [ "source_port", "integer" ]
convert => [ "destination_port", "integer" ]
convert => [ "gid", "integer" ]
convert => [ "sid", "integer" ]
# remove_field => [ "message"]
}
# This will translate the priority field into a severity field of either High, Medium, or Low
if [priority] == 1 {
mutate {
add_field => { "severity" => "High" }
}
}
if [priority] == 2 {
mutate {
add_field => { "severity" => "Medium" }
}
}
if [priority] == 3 {
mutate {
add_field => { "severity" => "Low" }
}
}
# This section adds URLs to lookup information about a rule online
if [sid] and [sid] > 0 and [sid] < 1000000 {
mutate {
add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
}
}
if [sid] and [sid] > 1999999 and [sid] < 2999999 {
mutate {
add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
}
}
# mutate {
#add_tag => [ "conf_file_1033"]
# }
}
}


@@ -1,16 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/22/2017
filter {
if [type] == "syslog" {
# This drops syslog messages regarding license messages. You may want to comment it out.
#if [message] =~ "license" {
# drop { }
#}
mutate {
#convert => [ "status_code", "integer" ]
}
}
}


@@ -1,59 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "sflow" {
if [message] =~ /CNTR/ {
drop { }
}
grok {
match => { "message" => "%{WORD:sample_type},%{IP:sflow_source_ip},%{WORD:in_port:int},%{WORD:out_port:int},%{WORD:source_mac},%{WORD:destination_mac},%{WORD:ether_type},%{NUMBER:in_vlan:int},%{NUMBER:out_vlan:int},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:protocol:int},%{WORD:type_of_service},%{WORD:ttl:int},%{NUMBER:source_port:int},%{NUMBER:destination_port:int},%{DATA:tcp_flags},%{NUMBER:packet_size:int},%{NUMBER:ip_size:int},%{NUMBER:sample_rate:int}" }
}
if "_grokparsefailure" in [tags] {
drop { }
}
mutate {
add_field => {
"[source_hostname]" => "%{source_ip}"
"[destination_hostname]" => "%{destination_ip}"
"[sflow_source_hostname]" => "%{sflow_source_ip}"
}
}
translate {
field => "[source_port]"
destination => "[source_service]"
dictionary_path => "/lib/dictionaries/iana_services.yaml"
}
translate {
field => "[destination_port]"
destination => "[destination_service]"
dictionary_path => "/lib/dictionaries/iana_services.yaml"
}
translate {
field => "[protocol]"
destination => "[protocol_name]"
dictionary_path => "/lib/dictionaries/iana_protocols.yaml"
}
translate {
field => "[tcp_flags]"
destination => "[tcp_flag]"
dictionary_path => "/lib/dictionaries/tcp_flags.yaml"
}
mutate {
add_field => { "ips" => [ "%{sflow_source_ip}" ] }
}
mutate {
#add_tag => [ "conf_file_2000"]
}
}
}


@@ -1,11 +0,0 @@
# Updated by: Doug Burks
# Last Update: 5/16/2017
#
filter {
if "syslog" in [tags] {
mutate {
#convert => [ "status_code", "integer" ]
#add_tag => [ "conf_file_6002"]
}
}
}


@@ -1,33 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "brocade" {
grok {
match => ["message", "<%{DATA}>%{GREEDYDATA:sys_message}"]
}
grok {
match => { "sys_message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid:int}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
}
if [syslog_message] =~ "Interface ethernet" or [syslog_program] == "PORT" {
grok {
match => { "syslog_message" => "%{DATA}%{INT:unit}\/%{INT:interface_type}\/%{INT:interface:int}" }
}
mutate {
add_field => { "interface_port" => "%{unit}/%{interface_type}/%{interface}" }
}
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
timezone => "America/Chicago"
remove_field => "syslog_timestamp"
remove_field => "received_at"
}
mutate {
#add_tag => [ "conf_file_6101"]
}
}
}


@@ -1,281 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "fortinet" {
mutate {
gsub => [ "message", "= ", "=NA " ]
}
grok {
match => ["message", "type=%{DATA:event_type}\s+"]
tag_on_failure => []
}
grok {
match => ["message", "<%{DATA}>%{GREEDYDATA:kv}"]
tag_on_failure => []
}
kv {
source => "kv"
exclude_keys => [ "type" ]
}
mutate {
gsub => [ "log", "= ", "=NA " ]
}
kv {
source => "log"
target => "SubLog"
}
grok {
match => ["message", "custom: DOM-ALL, dns_query=%{DATA:dns_query};"]
tag_on_failure => [ "" ]
}
mutate {
rename => { "action" => "action" }
rename => { "addr" => "addr_ip" }
rename => { "age" => "age" }
rename => { "assigned" => "assigned_ip" }
rename => { "assignip" => "assign_ip" }
rename => { "ap" => "access_point" }
rename => { "app" => "application" }
rename => { "appcat" => "application_category" }
rename => { "applist" => "application_list" }
rename => { "apprisk" => "application_risk" }
rename => { "approfile" => "accessPoint_profile" }
rename => { "apscan" => "access_point_scan" }
rename => { "apstatus" => "acces_point_status" }
rename => { "aptype" => "access_point_type" }
rename => { "authproto" => "authentication_protocol" }
rename => { "bandwidth" => "bandwidth" }
rename => { "banned_src" => "banned_source" }
rename => { "cat" => "category" }
rename => { "catdesc" => "category_description" }
rename => { "cfgattr" => "configuration_attribute" }
rename => { "cfgobj" => "configuration_object" }
rename => { "cfgpath" => "configuration_path" }
rename => { "cfgtid" => "configuration_transaction_id" }
rename => { "channel" => "channel" }
rename => { "community" => "community" }
rename => { "cookies" => "cookies" }
rename => { "craction" => "cr_action" }
rename => { "crlevel" => "cr_level" }
rename => { "crscore" => "cr_score" }
rename => { "datarange" => "data_range" }
rename => { "desc" => "description" }
rename => { "detectionmethod" => "detection_method" }
rename => { "devid" => "device_id" }
rename => { "devname" => "device_name" }
rename => { "devtype" => "device_type" }
rename => { "dhcp_msg" => "dhcp_message" }
rename => { "disklograte" => "disk_lograte" }
rename => { "dstcountry" => "destination_country" }
rename => { "dstintf" => "destination_interface" }
rename => { "dstip" => "destination_ip" }
rename => { "dstport" => "destination_port" }
rename => { "duration" => "elapsed_time" }
rename => { "error_num" => "error_number" }
rename => { "espauth" => "esp_authentication" }
rename => { "esptransform" => "esp_transform" }
rename => { "eventid" => "event_id" }
rename => { "eventtype" => "event_type" }
rename => { "fazlograte" => "faz_lograte" }
rename => { "filename" => "file_name" }
rename => { "filesize" => "file_size" }
rename => { "filetype" => "file_type" }
rename => { "hostname" => "hostname" }
rename => { "ip" => "source_ip" }
rename => { "localip" => "source_ip" }
rename => { "locip" => "local_ip" }
rename => { "locport" => "source_port" }
rename => { "logid" => "log_id" }
rename => { "logver" => "log_version" }
rename => { "manuf" => "manufacturer" }
rename => { "mem" => "memory" }
rename => { "meshmode" => "mesh_mode" }
rename => { "msg" => "message" }
rename => { "nextstat" => "next_stat" }
rename => { "onwire" => "on_wire" }
rename => { "osname" => "os_name" }
rename => { "osversion" => "unauthenticated_user" }
rename => { "outintf" => "outbound_interface" }
rename => { "peer_notif" => "peer_notification" }
rename => { "phase2_name" => "phase2_name" }
rename => { "policyid" => "policy_id" }
rename => { "policytype" => "policy_type" }
rename => { "port" => "port" }
rename => { "probeproto" => "probe_protocol" }
rename => { "proto" => "protocol_number" }
rename => { "radioband" => "radio_band" }
rename => { "radioidclosest" => "radio_id_closest" }
rename => { "radioiddetected" => "radio_id_detected" }
rename => { "rcvd" => "bytes_received" }
rename => { "rcvdbyte" => "bytes_received" }
rename => { "rcvdpkt" => "packets_received" }
rename => { "remip" => "destination_ip" }
rename => { "remport" => "remote_port" }
rename => { "reqtype" => "request_type" }
rename => { "scantime" => "scan_time" }
rename => { "securitymode" => "security_mode" }
rename => { "sent" => "bytes_sent" }
rename => { "sentbyte" => "bytes_sent" }
rename => { "sentpkt" => "packets_sent" }
rename => { "session_id" => "session_id" }
rename => { "setuprate" => "setup_rate" }
rename => { "sn" => "serial" }
rename => { "snclosest" => "serial_closest_access_point" }
rename => { "sndetected" => "serial_access_point_that_detected_rogue_ap" }
rename => { "snmeshparent" => "serial_mesh_parent" }
rename => { "srccountry" => "source_country" }
rename => { "srcip" => "source_ip" }
rename => { "srcmac" => "source_mac" }
rename => { "srcname" => "source_name" }
rename => { "srcintf" => "source_interface" }
rename => { "srcport" => "source_port" }
rename => { "stacount" => "station_count" }
rename => { "stamac" => "static_mac" }
rename => { "srccountry" => "source_country" }
rename => { "srcip" => "source_ip" }
rename => { "srcmac" => "source_mac" }
rename => { "srcname" => "source_name" }
rename => { "sn" => "serial" }
rename => { "srcintf" => "source_interface" }
rename => { "srcport" => "source_port" }
rename => { "total" => "total_bytes" }
rename => { "totalsession" => "total_sessions" }
rename => { "trandisp" => "nat_translation_type" }
rename => { "tranip" => "nat_destination_ip" }
rename => { "tranport" => "nat_destination_port" }
rename => { "transip" => "nat_source_ip" }
rename => { "transport" => "nat_source_port" }
rename => { "tunnelid" => "tunnel_id" }
rename => { "tunnelip" => "tunnel_ip" }
rename => { "tunneltype" => "tunnel_type" }
rename => { "unauthuser" => "unauthenticated_user_source" }
rename => { "unauthusersource" => "os_version" }
rename => { "vendorurl" => "vendor_url" }
rename => { "vpntunnel" => "vpn_tunnel" }
rename => { "vulncat" => "vulnerability_category" }
rename => { "vulncmt" => "vulnerability_count" }
rename => { "vulnid" => "vulnerability_id" }
rename => { "vulnname" => "vulnerability_name" }
rename => { "vulnref" => "vulnerability_reference" }
rename => { "vulnscore" => "vulnerability_score" }
rename => { "xauthgroup" => "x_authentication_group" }
rename => { "xauthuser" => "x_authentication_user" }
rename => { "[SubLog][appid]" => "sub_application_id" }
rename => { "[SubLog][devid]" => "sub_device_id" }
rename => { "[SubLog][dstip]" => "sub_destination_ip" }
rename => { "[SubLog][srcip]" => "sub_source_ip" }
rename => { "[SubLog][dstport]" => "sub_destination_port" }
rename => { "[SubLog][eventtype]" => "sub_event_type" }
rename => { "[SubLog][proto]" => "sub_protocol_number" }
rename => { "[SubLog][date]" => "sub_date" }
rename => { "[SubLog][time]" => "sub_time" }
rename => { "[SubLog][srcport]" => "sub_source_port" }
rename => { "[SubLog][subtype]" => "sub_subtype" }
rename => { "[SubLog][devname]" => "sub_device_name" }
rename => { "[SubLog][itime]" => "sub_itime" }
rename => { "[SubLog][level]" => "sub_level" }
rename => { "[SubLog][logid]" => "sub_log_id" }
rename => { "[SubLog][logver]" => "sub_log_version" }
rename => { "[SubLog][type]" => "sub_event_type" }
rename => { "[SubLog][vd]" => "sub_vd" }
rename => { "[SubLog][action]" => "sub_action" }
rename => { "[SubLog][logdesc]" => "sub_destination_ip" }
rename => { "[SubLog][policyid]" => "sub_olicy_id" }
rename => { "[SubLog][reason]" => "sub_reason" }
rename => { "[SubLog][service]" => "sub_service" }
rename => { "[SubLog][sessionid]" => "sub_session_id" }
rename => { "[SubLog][src]" => "sub_source_ip" }
rename => { "[SubLog][status]" => "sub_status" }
rename => { "[SubLog][ui]" => "sub_ui" }
rename => { "[SubLog][urlfilteridx]" => "sub_url_filter_idx" }
strip => [ "bytes_sent", "bytes_received" ]
convert => [ "bytes_sent", "integer" ]
convert => [ "bytes_received", "integer" ]
convert => [ "cr_score", "integer" ]
convert => [ "cr_action", "integer" ]
convert => [ "elapsed_time", "integer" ]
convert => [ "destination_port", "integer" ]
convert => [ "source_port", "integer" ]
convert => [ "local_port", "integer" ]
convert => [ "remote_port", "integer" ]
convert => [ "packets_sent", "integer" ]
convert => [ "packets_received", "integer" ]
convert => [ "port", "integer" ]
convert => [ "ProtocolNumber", "integer" ]
convert => [ "XAuthUser", "string" ]
remove_field => [ "kv", "log" ]
}
if [tunnel_ip] == "N/A" {
mutate {
remove_field => [ "tunnel_ip" ]
}
}
if [nat_destination_ip] {
mutate {
add_field => { "ips" => [ "%{nat_destination_ip}" ] }
add_field => { "destination_ips" => [ "%{nat_destination_ip}" ] }
}
}
if [sub_destination_ip] {
mutate {
add_field => { "ips" => [ "%{sub_destination_ip}" ] }
add_field => { "destination_ips" => [ "%{sub_destination_ip}" ] }
}
}
if [nat_source_ip] {
mutate {
add_field => { "ips" => [ "%{nat_source_ip}" ] }
add_field => { "source_ips" => [ "%{nat_source_ip}" ] }
}
}
if [sub_source_ip] {
mutate {
add_field => { "ips" => [ "%{sub_source_ip}" ] }
add_field => { "source_ips" => [ "%{sub_source_ip}" ] }
}
}
if [addr_ip] {
mutate {
add_field => { "ips" => [ "%{addr_ip}" ] }
}
}
if [assign_ip] {
mutate {
add_field => { "ips" => [ "%{assign_ip}" ] }
}
}
if [assigned_ip] {
mutate {
add_field => { "ips" => [ "%{assigned_ip}" ] }
}
}
grok {
match => ["message", "type=%{DATA:event_type}\s+"]
}
if [date] and [time] {
mutate {
add_field => { "receive_time" => "%{date} %{time}" }
remove_field => [ "date", "time" ]
}
date {
timezone => "America/Chicago"
match => [ "receive_time", "YYYY-MM-dd HH:mm:ss" ]
target => "receive_time"
}
mutate {
rename => { "receive_time" => "@timestamp" }
}
} else {
mutate {
add_tag => [ "missing_date" ]
}
}
mutate {
#add_tag => [ "conf_file_6200"]
}
}
}


@@ -1,56 +0,0 @@
# Author: Wes Lambert
# Updated by: Doug Burks
filter {
if [type] == "filterlog" {
dissect {
mapping => {
"message" => "%{rule_number},%{sub_rule_number},%{anchor},%{tracker_id},%{interface},%{reason},%{action},%{direction},%{ip_version},%{sub_msg}"
}
}
if [ip_version] == "4" {
dissect {
mapping => {
"sub_msg" => "%{ipv4_tos},%{ipv4_ecn},%{ipv4_ttl},%{ipv4_id},%{ipv4_offset},%{ipv4_flags},%{protocol_id},%{protocol},%{protocol_length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
}
}
}
if [ip_version] == "6" {
dissect {
mapping => {
"sub_msg" => "%{class},%{flow_label},%{hop_limit},%{protocol},%{protocol_id},%{length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
}
}
}
if [protocol] == "tcp" {
dissect {
mapping => {
"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length},%{tcp_flags},"
}
}
}
if [protocol] == "udp" {
dissect {
mapping => {
"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length}"
}
}
}
if [protocol] == "Options" {
mutate {
copy => { "ip_sub_msg" => "options" }
}
mutate {
split => { "options" => "," }
}
}
mutate {
convert => [ "destination_port", "integer" ]
convert => [ "source_port", "integer" ]
convert => [ "ip_version", "integer" ]
replace => { "type" => "firewall" }
add_tag => [ "pfsense","firewall" ]
remove_field => [ "sub_msg", "ip_sub_msg" ]
}
}
}


@@ -1,161 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "windows" {
# json {
# source => "message"
# }
date {
match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
remove_field => [ "EventTime" ]
}
if [EventID] == 4634 {
mutate {
add_tag => [ "logoff" ]
}
}
if [EventID] == 4624 or [EventID] == 528 or [EventID] == 540 or [EventID] == 552 or [EventID] == 682 or [EventID] == 4648 or [EventID] == 4778 {
mutate {
add_tag => [ "logon" ]
add_tag => [ "alert_data" ]
}
}
if [EventID] == 529 or [EventID] == 4625 or [EventID] == 530 or [EventID] == 531 or [EventID] == 532 or [EventID] == 533 or [EventID] == 534 or [EventID] == 535 or [EventID] == 536 or [EventID] == 536 or [EventID] == 537 or [EventID] == 538 or [EventID] == 539 or [EventID] == 4625 or [EventID] == 4771 {
mutate {
add_tag => [ "logon_failure" ]
add_tag => [ "alert_data" ]
}
}
# Critical event IDs to monitor
if [EventID] == 7030 or [EventID] == 4720 or [EventID] == 4722 or [EventID] == 4724 or [EventID] == 4738 or [EventID] == 4732 or [EventID] == 1102 or [EventID] == 1056 or [EventID] == 2003 or [EventID] == 2005 or [EventID] == 8003 or [EventID] == 8004 or [EventID] == 8006 or [EventID] == 8007 {
mutate {
add_tag => [ "alert_data" ]
}
}
# Critical event IDs to monitor
if [EventID] == 5152 { drop {} }
if [EventID] == 4688 { drop {} }
if [EventID] == 4689 { drop {} } # Process Termination:Not needed due to Sysmon
if [Channel] == "Microsoft-Windows-Known Folders API Service" { drop {} }
if [EventID] == 3 and [SourceIp] =~ "255$" { drop {} }
if [EventID] == 3 and [DestinationIp] =~ "255$" { drop {} }
# Whitelist/Blacklist check
if [EventID] == 7045 {
translate {
field => "ServiceName"
destination => "ServiceCheck"
dictionary_path => "/lib/dictionaries/services.yaml"
}
}
if [EventID] == 7045 and !([ServiceCheck]) {
mutate {
add_tag => [ "alert_data","new_service" ]
}
}
if [ServiceCheck] == 'whitelist' {
mutate {
remove_field => [ "ServiceCheck" ]
add_tag => [ "whitelist" ]
}
}
if [ServiceCheck] == 'blacklist' {
mutate {
remove_field => [ "ServiceCheck" ]
add_tag => [ "blacklist" ]
}
}
if [EventID] == 5158 {
if [Application] == "System" { drop {} }
if [Application] =~ "\\windows\\system32\\spoolsv\.exe" { drop {} }
if [Application] =~ "\\windows\\system32\\wbem\\wmiprvse\.exe" { drop {} }
if [Application] =~ "mcafee" { drop {} }
if [Application] =~ "carestream" { drop {} }
if [Application] =~ "Softdent" { drop {} }
}
if [ProcessName] == "C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe" and [SubjectUserName] == "SolarwindsHO" { drop {} }
if [EventID] == 4690 { drop {} }
if [EventID] == 861 and [AccountName] == "ntp" { drop {} }
if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\lsass\.exe$" { drop {} }
if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\svchost\.exe$" { drop {} }
if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\dfsrs\.exe$" { drop {} }
if [EventID] == 5447 { drop {} }
mutate {
rename => [ "AccountName", "user" ]
rename => [ "AccountType", "account_type" ]
rename => [ "ActivityID", "activity_id" ]
rename => [ "Category", "category" ]
rename => [ "ClientAddress", "client_ip" ]
rename => [ "Channel", "channel" ]
rename => [ "DCIPAddress", "domain_controller_ip" ]
rename => [ "DCName", "domain_controller_name" ]
rename => [ "EventID", "event_id" ]
rename => [ "EventReceivedTime", "event_received_time" ]
rename => [ "EventType", "event_type" ]
rename => [ "GatewayIPAddress", "gateway_ip" ]
rename => [ "IPAddress", "client_ip" ]
rename => [ "Ipaddress", "client_ip" ]
rename => [ "IpAddress", "client_ip" ]
rename => [ "IPPort", "source_port" ]
rename => [ "OpcodeValue", "opcode_value" ]
rename => [ "PreAuthType", "preauthentication_type" ]
rename => [ "PrincipleSAMName", "user" ]
rename => [ "ProcessID", "process_id" ]
rename => [ "ProviderGUID", "providerguid" ]
rename => [ "RecordNumber", "record_number" ]
rename => [ "RemoteAddress", "destination_ip" ]
rename => [ "ServiceName", "service_name" ]
rename => [ "ServiceID", "service_id" ]
rename => [ "SeverityValue", "severity_value" ]
rename => [ "SourceAddress", "client_ip" ]
rename => [ "SourceModuleName", "source_module_name" ]
rename => [ "SourceModuleType", "source_module_type" ]
rename => [ "SourceName", "source_name" ]
rename => [ "SubjectUserName", "user" ]
rename => [ "TaskName", "task_name" ]
rename => [ "TargetDomainName", "target_domain_name" ]
rename => [ "TargetUserName", "user" ]
rename => [ "ThreadID", "thread_id" ]
rename => [ "User_ID", "user" ]
rename => [ "UserID", "user" ]
rename => [ "username", "user" ]
}
# For any accounts that are service accounts or special accounts add the tag of service_account
# This example applies the tag to any username that starts with SVC_. If you use a different
# standard change this.
if [user] =~ "^DWM-*" or [user] == "SYSTEM" or [user] == "NETWORK SERVICE" or [user] == "LOCAL SERVICE" or [user] =~ "^SVC_*" {
mutate {
add_tag => [ "service_account" ]
}
}
# This looks for events that are typically noisy but may be of use for deep dive investigations
# A tag of noise is added to quickly filter out noise
if [event_id] == 7036 or [source_name] == "Desktop Window Manager" or [category] == "Engine Lifecycle" or [category] == "Provider Lifecycle" {
mutate {
add_tag => [ "noise" ]
}
}
#Identify machine accounts
if [user] =~ /\$/ {
mutate {
add_tag => [ "machine", "noise" ]
}
}
# Lower case all field names
ruby {
code => "
event_hash = event.to_hash
new_event = {}
event_hash.keys.each do |key|
new_event[key.downcase] = event[key]
end
event.instance_variable_set(:@data, new_event)"
}
mutate {
#add_tag => [ "conf_file_6300"]
}
}
}


@@ -1,49 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "dns" and "bro" not in [tags] {
json {
source => "message"
}
# strip whitespace from message field
mutate {
strip => "message"
}
# If the message is blank, drop the log
if [Message] =~ /^$/ {
drop { }
} else {
if [type] == "dns" {
# This section is lookup for a match against the log and parsing out the fields
grok {
match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
# Server 2003 DNS logs do not include slashes or AM/PM in timestamp
match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
remove_field => [ "Message" ]
}
# This section attempts to convert the dns_domain into the traditional domain.com format
mutate {
gsub => [ "dns_domain", "(\(\d+\))", "." ]
}
grok {
match => { "dns_domain" => "\.%{DATA:query}\.$" }
remove_field => [ "dns_domain" ]
}
}
}
mutate {
#add_tag => [ "conf_file_6301"]
}
}
}


@@ -1,92 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
#
# This conf file is based on accepting logs for suricata json events
filter {
if [type] == "suricata" {
if "test_data" not in [tags] {
date {
match => [ "timestamp", "ISO8601" ]
}
} else {
mutate {
remove_field => [ "netflow.start","netflow.end","timestamp" ]
}
}
if [event_type] == "fileinfo" {
ruby {
code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
}
}
# I recommend renaming the fields below to be consistent with other log sources. This makes it easy to "pivot" between logs
mutate {
rename => [ "src_ip", "source_ip" ]
rename => [ "dest_ip", "destination_ip" ]
rename => [ "src_port", "source_port" ]
rename => [ "dest_port", "destination_port" ]
}
# This will translate the alert.severity field into a severity field of either High, Medium, or Low
if [event_type] == "alert" {
if [alert][severity] == 1 {
mutate {
add_field => { "severity" => "High" }
}
}
if [alert][severity] == 2 {
mutate {
add_field => { "severity" => "Medium" }
}
}
if [alert][severity] == 3 {
mutate {
add_field => { "severity" => "Low" }
}
}
# If the alert is a Snort GPL alert break it apart for easier reading and categorization
if [alert][signature] =~ "GPL " {
# This will parse out the category type from the alert
grok {
match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Snort GPL" }
lowercase => [ "category" ]
}
}
# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
if [alert][signature] =~ "ET " {
# This will parse out the category type from the alert
grok {
match => { "[alert][signature]" => "ET\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Emerging Threats" }
lowercase => [ "category" ]
}
}
# This section adds URLs to lookup information about a rule online
if [rule_type] == "Snort GPL" {
mutate {
add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
}
}
if [rule_type] == "Emerging Threats" {
mutate {
add_field => [ "signature_info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ]
}
}
}
if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
# mutate {
# remove_field => [ "message" ]
# }
}
mutate {
#add_tag => [ "conf_file_6400"]
}
}
}


@@ -1,160 +0,0 @@
# Author: Wes Lambert
#
# Last Update: 09/19/2018
#
# This conf file is based on accepting logs from OSSEC
filter {
# OSSEC Alerts
if [type] == "ossec" {
# Sysmon/Autoruns logs transported by OSSEC
if [message] =~ "Microsoft-Windows-Sysmon" {
mutate {
replace => { "type" => "sysmon" }
add_tag => [ "ossec" ]
}
}
if [message] =~ "AR-LOG" {
mutate {
replace => { "type" => "autoruns" }
add_tag => [ "ossec" ]
}
}
# If message looks like json, try to parse it as such. Otherwise, grok.
if [message] =~ /^{.*}$/ {
json {
source => "message"
}
mutate {
rename => { "rule" => "wazuh-rule" }
rename => { "[wazuh-rule][level]" => "alert_level" }
rename => { "[wazuh-rule][description]" => "description" }
rename => { "[data][srcuser]" => "username" }
rename => { "[data][dstuser]" => "escalated_user" }
rename => { "[data][command]" => "command" }
rename => { "[predecoder][program_name]" => "process" }
}
# Wazuh 3.8.2
if [data][EventChannel] {
mutate {
rename => { "[data][EventChannel][EventData][User]" => "username" }
rename => { "[data][EventChannel][System][EventID]" => "event_id" }
rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
}
}
# Wazuh 3.9.2
if [data][win] {
mutate {
rename => { "[data][win][eventdata][user]" => "username" }
rename => { "[data][win][system][eventID]" => "event_id" }
rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
}
}
} else {
grok {
match => ["message", "Alert Level: %{NONNEGINT;alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; user: +%{DATA:username}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{INT:pid}]: %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; srcip: %{IP:source_ip};%{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{INT:num_packets}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{GREEDYDATA:details}.",
"message", "Alert Level: %{NONNEGINT:alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:location}; user: +%{DATA:username};",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{NONNEGINT:num_packets}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{GREEDYDATA:details}"]
}
}
# Add tag for OSSEC alerts
if [alert_level] {
mutate {
add_tag => [ "alert" ]
}
}
translate {
field => "alert_level"
destination => "classification"
dictionary => [
"1", "None",
"2", "System low priority notification",
"3", "Successful/authorized event",
"4", "System low priority error",
"5", "User generated error",
"6", "Low relevance attack",
"7", '"Bad word" matching',
"8", "First time seen",
"9", "Error from invalid source",
"10", "Multiple user generated errors",
"11", "Integrity checking warning",
"12", "High importance event",
"13", "Unusal error (high importance)",
"14", "High importance security event",
"15", "Severe attack"
]
}
}
# OSSEC Archive Logs
if [type] == "ossec_archive" {
# Sysmon/Autoruns logs transported by OSSEC
if [message] =~ "Microsoft-Windows-Sysmon" {
mutate {
replace => { "type" => "sysmon" }
add_tag => [ "ossec" ]
}
}
if [message] =~ "AR-LOG" {
mutate {
replace => { "type" => "autoruns" }
add_tag => [ "ossec" ]
}
}
# If message looks like json, try to parse it as such. Otherwise, grok.
if [message] =~ /^{.*}$/ {
json {
source => "message"
}
mutate {
rename => [ "rule", "wazuh-rule" ]
rename => [ "[wazuh-rule][level]", "alert_level" ]
rename => [ "[wazuh-rule][description]", "description" ]
rename => [ "[data][srcuser]", "username" ]
rename => [ "[data][dstuser]", "escalated_user" ]
rename => [ "[data][command]", "command" ]
rename => [ "[predecoder][program_name]", "process" ]
}
} else {
grok {
match => ["message",'%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip} - %{DATA:username} \[%{DATA:request_timestamp}] "%{DATA:method} %{DATA:requested_resource} %{DATA:protocol}\/%{DATA:protocol_version}" %{NONNEGINT:status_code} %{NONNEGINT:object_size} "%{DATA:referrer}" "%{DATA:user_agent}"',
"message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: \(%{DATA:username}\) CMD \(%{DATA:command}\)",
"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{GREEDYDATA:details}","message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:ossec_host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
"message","%{DATA:age} %{DATA:program} %{DATA} '%{DATA:checksum}'",
"message", "%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}"]
remove_field => [ "ossec_timestamp" ]
}
mutate {
convert => [ "status_code", "integer" ]
}
}
}
}


@@ -1,118 +0,0 @@
# Author: Wes Lambert
# wlambertts@gmail.com
#
# This conf file is based on accepting Sysmon logs from OSSEC
#
# Parse using grok
filter {
# OSSEC Logs and Alerts
if [type] == "sysmon" or "sysmon" in [tags] {
if [message] !~ /^{.*}$/ {
#mutate { replace => { "type" => "sysmon" } }
grok {
# match => ["message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip}->WinEvtLog %{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(%{INT:sysmon_event_id}\):"]
match => ["message", "%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{DATA:location}%{SPACE}(any|%{IP:source_ip})->WinEvtLog%{SPACE}%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:ossec_timestamp}%{SPACE}WinEvtLog:%{SPACE}Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION\(%{INT:event_id}\):%{SPACE}%{GREEDYDATA:rest_of_msg}"]
}
mutate {
convert => ["event_id", "integer"]
remove_field => ["timestamp"]
remove_field => ["year"]
}
if [event_id] == 1 {
grok {
match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name} %{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}",
"rest_of_msg", 'Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}"%{DATA:process_name}"%{SPACE}%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{DATA:integrity_level}',
"rest_of_msg", "Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION(%{INT:event_id}):%{SPACE}Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}{%{DATA:process_guid}}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name}%{SPACE}%{DATA:process_arguments}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}{%{DATA:logon_guid}}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}{%{DATA:parent_process_guid}}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}"]
}
mutate {
convert => ["process_guid", "integer"]
convert => ["process_id", "integer"]
add_tag => ["process_creation"]
}
}
if [event_id] == 3 {
mutate {
remove_field => ["source_ip"]
}
grok {
match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}Protocol:%{SPACE}%{DATA:protocol}%{SPACE}Initiated:%{SPACE}%{DATA:initiated}%{SPACE}SourceIsIpv6:%{SPACE}%{DATA:is_source_ipv6}%{SPACE}SourceIp:%{SPACE}%{IP:source_ip}%{SPACE}SourceHostname:%{SPACE}%{DATA:source_hostname}%{SPACE}SourcePort:%{SPACE}%{NONNEGINT:source_port}%{SPACE}SourcePortName:%{SPACE}%{DATA:source_port_name}%{SPACE}DestinationIsIpv6:%{SPACE}%{DATA:dest_is_ipv6}%{SPACE}DestinationIp:%{SPACE}%{IP:destination_ip}%{SPACE}DestinationHostname:%{SPACE}%{DATA:destination_hostname}%{SPACE}DestinationPort:%{SPACE}%{NONNEGINT:destination_port}%{SPACE}DestinationPortName:%{SPACE}%{GREEDYDATA:destination_port_name}"]
}
mutate {
convert => ["process_guid", "integer"]
convert => ["process_id", "integer"]
convert => ["source_port", "integer"]
convert => ["destination_port", "integer"]
add_tag => ["network_connection"]
}
}
if [event_id] == 5 {
grok {
match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{GREEDYDATA:image_path}"]
}
mutate {
convert => ["process_guid", "integer"]
convert => ["process_id", "integer"]
add_tag => ["process_termination"]
}
}
if [event_id] == 11 {
grok {
match => ["rest_of_msg","Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}TargetFilename:%{SPACE}%{DATA:target_filename}%{SPACE}CreationUtcTime:%{SPACE}%{DATA:creation_time}%{SPACE}"]
}
mutate {
convert => ["process_guid", "integer"]
convert => ["process_id", "integer"]
add_tag => ["file_created"]
}
}
mutate {
remove_field => ["rest_of_msg"]
}
} else {
mutate {
rename => { "[data][srcuser]" => "username" }
rename => { "[data][id]" => "event_id" }
rename => { "[data][dstport]" => "destination_port" }
rename => { "[data][dstip]" => "destination_ip" }
rename => { "[data][srcip]" => "source_ip" }
rename => { "[data][sysmon][image]" => "image_path" }
rename => { "[data][sysmon][parentImage]" => "parent_image_path" }
rename => { "[data][sysmon][targetfilename]" => "target_filename" }
rename => { "[data][sysmon][sourceHostname]" => "source_hostname" }
rename => { "[data][sysmon][destinationHostname]" => "destination_hostname" }
}
# Wazuh 3.8.2
if [data][EventChannel] {
mutate {
rename => { "[data][EventChannel][EventData][User]" => "username" }
rename => { "[data][EventChannel][System][EventID]" => "event_id" }
rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
rename => { "[data][EventChannel][EventData][Image]" => "image_path" }
rename => { "[data][EventChannel][EventData][ParentImage]" => "parent_image_path" }
rename => { "[data][EventChannel][EventData][TargetFilename]" => "target_filename" }
rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
}
}
# Wazuh 3.9.2
if [data][win] {
mutate {
rename => { "[data][win][eventdata][user]" => "username" }
rename => { "[data][win][system][eventID]" => "event_id" }
rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
rename => { "[data][win][eventdata][image]" => "image_path" }
rename => { "[data][win][eventdata][parentImage]" => "parent_image_path" }
rename => { "[data][win][eventdata][targetFilename]" => "target_filename" }
rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
}
}
}
}
}


@@ -1,43 +0,0 @@
# Author: Wes Lambert
# wlambertts@gmail.com
#
# Updated by: Dustin Lee
# Last Update: 06/13/2019
#
# This conf file is based on accepting Autoruns logs from OSSEC
#
# Parse using grok
filter {
if [type] == "autoruns" or "autoruns" in [tags] {
if [message] !~ /^{.*}$/ {
grok {
match => [
"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
]
}
#csv {
# columns => ["log_name","entry_location","entry","enabled","category","autoruns_description","signer","company","image_path","version","launch_string","md5","sha1","pesha1","pesha256","sha256","imphash"]
# separator => "|"
# }
mutate {
remove_field => [ "year" ]
remove_field => [ "timestamp" ]
}
} else {
grok {
match => [
"full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
"full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
]
}
mutate {
# Rename fields
}
}
date {
match => [ "image_timestamp", "yyyyMMdd-HHmmss" ]
target => "image_timestamp"
}
}
}


@@ -1,23 +0,0 @@
# Author: Wes Lambert
#
# Last Update: 09/24/2018
#
# This conf file is based on accepting Sysmon logs from winlogbeat
filter {
if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
mutate {
replace => { "type" => "sysmon" }
rename => { "[event_data][User]" => "username" }
rename => { "[event_data][DestinationPort]" => "destination_port" }
rename => { "[event_data][DestinationIp]" => "destination_ip" }
rename => { "[event_data][SourceIp]" => "source_ip" }
rename => { "[event_data][Image]" => "image_path" }
rename => { "[event_data][ParentImage]" => "parent_image_path" }
rename => { "[data][sysmon][targetfilename]" => "target_filename" }
rename => { "[event_data][SourceHostname]" => "source_hostname" }
rename => { "[event_data][DestinationHostname]" => "destination_hostname" }
rename => { "[event_data][TargetFilename]" => "target_filename" }
}
}
}


@@ -1,17 +0,0 @@
# Author: Doug Burks
#
# Last Update: 09/24/2018
#
# This conf file is for beat data
filter {
if "beat" in [tags] {
mutate {
# As of beats 6.3.0, host is now an object:
# https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-6.3.0.html
# This creates a conflict with our existing host string.
# So let's rename the host object to beat_host.
rename => { "host" => "beat_host" }
}
}
}


@@ -1,23 +0,0 @@
# Author: Josh Brower
# Last Update: 12/28/2018
# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
filter {
if "osquery" in [tags] and [osquery][columns][eventid] {
mutate {
gsub => ["[osquery][columns][data]", "\\x0A", ""]
}
json {
source => "[osquery][columns][data]"
target => "[osquery][columns][data]"
}
mutate {
merge => { "[osquery][columns]" => "[osquery][columns][data]" }
remove_field => ["[osquery][columns][data]"]
}
}
}


@@ -1,8 +0,0 @@
filter {
if [type] =~ "strelka" {
json {
source => "message"
}
}
}


@@ -1,58 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/20/2017
filter {
if [source_ip] {
if [source_ip] == "-" {
mutate {
replace => { "source_ip" => "0.0.0.0" }
}
}
if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
mutate {
}
} else {
geoip {
source => "[source_ip]"
target => "source_geo"
}
}
if [source_ip] {
mutate {
add_field => { "ips" => "%{source_ip}" }
add_field => { "source_ips" => [ "%{source_ip}" ] }
}
}
}
if [destination_ip] {
if [destination_ip] == "-" {
mutate {
replace => { "destination_ip" => "0.0.0.0" }
}
}
if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
mutate {
}
}
else {
geoip {
source => "[destination_ip]"
target => "destination_geo"
}
}
}
if [destination_ip] {
mutate {
add_field => { "ips" => "%{destination_ip}" }
add_field => { "destination_ips" => [ "%{destination_ip}" ] }
}
}
}
#if [source_ip] or [destination_ip] {
# mutate {
#add_tag => [ "conf_file_8001"]
# }
#}


@@ -1,27 +0,0 @@
# Original Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/13/2017
filter {
if [type] == "bro_http" {
if [uri] {
ruby {
code => "event.set('uri_length', event.get('uri').length)"
}
}
if [virtual_host] {
ruby {
code => "event.set('virtual_host_length', event.get('virtual_host').length)"
}
}
if [useragent] {
ruby {
code => "event.set('useragent_length', event.get('useragent').length)"
}
}
mutate {
##add_tag => [ "conf_file_8007"]
}
}
}


@@ -1,63 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [destination_ip] {
if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
mutate {
add_tag => [ "internal_destination" ]
}
} else {
mutate {
add_tag => [ "external_destination" ]
}
}
if "internal_destination" not in [tags] {
if [destination_ip] == "198.41.0.4" or [destination_ip] == "192.228.79.201" or [destination_ip] == "192.33.4.12" or [destination_ip] == "199.7.91.13" or [destination_ip] == "192.203.230.10" or [destination_ip] == "192.5.5.241" or [destination_ip] == "192.112.36.4" or [destination_ip] == "198.97.190.53" or [destination_ip] == "192.36.148.17" or [destination_ip] == "192.58.128.30" or [destination_ip] == "193.0.14.129" or [destination_ip] == "199.7.83.42" or [destination_ip] == "202.12.27.33" {
mutate {
add_tag => [ "root_dns_server" ]
}
}
}
# Customize this section to your environment
if [destination_ip] == "74.40.74.40" or [destination_ip] == "74.40.74.41" {
mutate {
add_tag => [ "authorized_dns_server" ]
}
}
}
if [source_ip] {
if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
mutate {
add_tag => [ "internal_source" ]
}
} else {
mutate {
add_tag => [ "external_source" ]
}
}
if "internal_source" not in [tags] {
if [source_ip] == "198.41.0.4" or [source_ip] == "192.228.79.201" or [source_ip] == "192.33.4.12" or [source_ip] == "199.7.91.13" or [source_ip] == "192.203.230.10" or [source_ip] == "192.5.5.241" or [source_ip] == "192.112.36.4" or [source_ip] == "198.97.190.53" or [source_ip] == "192.36.148.17" or [source_ip] == "192.58.128.30" or [source_ip] == "193.0.14.129" or [source_ip] == "199.7.83.42" or [source_ip] == "202.12.27.33" {
mutate {
add_tag => [ "root_dns_server" ]
}
}
}
# Customize this section to your environment
if [destination_ip] == "74.40.74.40" and "authorized_dns_server" not in [tags] or [destination_ip] == "74.40.74.41" and "authorized_dns_server" not in [tags] {
mutate {
add_tag => [ "authorized_dns_server" ]
}
}
mutate {
##add_tag => [ "conf_file_8200"]
}
}
if [type] =~ /ossec|snort|firewall/ or "firewall" in [tags] {
mutate {
remove_tag => [ "syslog" ]
}
}
}


@@ -1,19 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
ruby {
code => "event.set('task_end', Time.now.to_f)"
}
ruby {
code => "event.set('logstash_time', event.get('task_end') - event.get('task_start'))"
}
mutate {
remove_field => [ 'task_start', 'task_end' ]
}
mutate {
#add_tag => [ "conf_file_8998"]
}
}


@@ -1,8 +0,0 @@
# Author: Doug Burks
# Last Update: 12/10/2017
filter {
mutate {
rename => [ "type", "event_type" ]
}
}


@@ -1,32 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- set NAME = grains.host -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
mutate {
add_field => { "sensor_name" => "{{ NAME }}" }
}
}
}
output {
if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
# stdout { codec => rubydebug }
elasticsearch {
pipeline => "%{event_type}"
hosts => "{{ ES }}"
index => "logstash-bro-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"
template_overwrite => true
}
}
}


@@ -1,27 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if "switch" in [tags] and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9001"]
}
}
}
output {
if "switch" in [tags] and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-switch-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}
}
}


@@ -1,27 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Updated by: Doug Burks
# Last Update: 5/16/2017
filter {
if "import" in [tags] and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9002"]
}
}
}
output {
if "import" in [tags] and "test_data" not in [tags] {
# stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-import-%{+YYYY.MM.dd}"
template_name => "logstash-*"
template => "/logstash-template.json"
template_overwrite => true
}
}
}


@@ -1,27 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "sflow" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9004"]
}
}
}
output {
if [event_type] == "sflow" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-flow-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}
}
}


@@ -1,26 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "dhcp" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9026"]
}
}
}
output {
if [event_type] == "dhcp" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
}
}
}


@@ -1,25 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "esxi" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9029"]
}
}
}
output {
if [event_type] == "esxi" and "test_data" not in [tags] {
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
}
}
}


@@ -1,25 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "greensql" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9030"]
}
}
}
output {
if [event_type] == "greensql" and "test_data" not in [tags] {
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
}
}
}


@@ -1,26 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "iis" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9031"]
}
}
}
output {
if [event_type] == "iis" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
}
}
}


@@ -1,26 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "mcafee" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9032"]
}
}
}
output {
if [event_type] == "mcafee" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
}
}
}


@@ -1,29 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "ids" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9033"]
}
}
}
output {
if [event_type] == "ids" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-ids-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"
template_overwrite => true
}
}
}


@@ -1,28 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/15/2017
filter {
if "syslog" in [tags] and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9034"]
}
}
}
output {
if "syslog" in [tags] and "test_data" not in [tags] {
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-syslog-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"
template_overwrite => true
}
}
}


@@ -1,32 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Security Onion Solutions
# Last Update: 2/3/2020
# Output to ES for osquery tagged logs - EVAL install
filter {
if "osquery" in [tags] {
mutate {
rename => { "host" => "beat_host" }
remove_tag => ["beat"]
}
json {
source => "message"
target => "osquery"
}
}
}
output {
if "osquery" in [tags] {
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-osquery-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}
}
}


@@ -1,29 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if "firewall" in [tags] and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9200"]
}
}
}
output {
if "firewall" in [tags] and "test_data" not in [tags] {
# stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-firewall-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"
template_overwrite => true
}
}
}


@@ -1,27 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "windows" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9300"]
}
}
}
output {
if [event_type] == "windows" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-windows-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}
}
}


@@ -1,27 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "dns" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9301"]
}
}
}
output {
if [event_type] == "dns" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}
}
}


@@ -1,28 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- set NAME = grains.host -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "suricata" and "test_data" not in [tags] {
mutate {
add_field => { "sensor_name" => "{{ NAME }}" }
}
}
}
output {
if [event_type] == "suricata" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-ids-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}
}
}


@@ -1,25 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Wes Lambert
# Last Update: 09/14/2018
filter {
if "beat" in [tags] {
mutate {
##add_tag => [ "conf_file_9500"]
}
}
}
output {
if "beat" in [tags] {
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-beats-%{+YYYY.MM.dd}"
template_name => "logstash-beats"
template => "/beats-template.json"
template_overwrite => true
}
}
}


@@ -1,29 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 9/19/2018
filter {
if [event_type] =~ "ossec" {
mutate {
##add_tag => [ "conf_file_9600"]
}
}
}
output {
if [event_type] =~ "ossec" or "ossec" in [tags] {
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-ossec-%{+YYYY.MM.dd}"
template_name => "logstash-ossec"
template => "/logstash-ossec-template.json"
template_overwrite => true
}
}
}


@@ -1,181 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 3/15/2018
filter {
if [type] == "ids" {
# This is the initial parsing of the log
if [engine] == "suricata" {
json {
source => "message"
}
mutate {
rename => { "alert" => "orig_alert" }
rename => { "[orig_alert][gid]" => "gid" }
rename => { "[orig_alert][signature_id]" => "sid" }
rename => { "[orig_alert][rev]" => "rev" }
rename => { "[orig_alert][signature]" => "alert" }
rename => { "[orig_alert][category]" => "classification" }
rename => { "[orig_alert][severity]" => "priority" }
rename => { "[orig_alert][rule]" => "rule_signature" }
rename => { "app_proto" => "application_protocol" }
rename => { "dest_ip" => "destination_ip" }
rename => { "dest_port" => "destination_port" }
rename => { "in_iface" => "interface" }
rename => { "proto" => "protocol" }
rename => { "src_ip" => "source_ip" }
rename => { "src_port" => "source_port" }
#rename => { "[fileinfo][filename]" => "filename" }
#rename => { "[fileinfo][gaps]" => "gaps" }
#rename => { "[fileinfo][size]" => "size" }
#rename => { "[fileinfo][state]" => "state" }
#rename => { "[fileinfo][stored]" => "stored" }
#rename => { "[fileinfo][tx_id]" => "tx_id" }
#rename => { "[flow][age]" => "duration" }
#rename => { "[flow][alerted]" => "flow_alerted" }
#rename => { "[flow][bytes_toclient]" => "bytes_to_client" }
#rename => { "[flow][bytes_toserver]" => "bytes_to_server" }
#rename => { "[flow][end]" => "flow_end" }
#rename => { "[flow][pkts_toclient]" => "packets_to_client" }
#rename => { "[flow][pkts_toserver]" => "packets_to_server" }
#rename => { "[flow][reason]" => "reason" }
#rename => { "[flow][start]" => "flow_start" }
#rename => { "[flow][state]" => "state" }
#rename => { "[netflow][age]" => "duration" }
#rename => { "[netflow][bytes]" => "bytes" }
#rename => { "[netflow][end]" => "netflow_end" }
#rename => { "[netflow][start]" => "netflow_start" }
#rename => { "[netflow][pkts]" => "packets" }
rename => { "[alert][action]" => "action" }
rename => { "[alert][category]" => "category" }
rename => { "[alert][gid]" => "gid" }
rename => { "[alert][rev]" => "rev" }
rename => { "[alert][severity]" => "severity" }
rename => { "[alert][signature]" => "signature" }
rename => { "[alert][signature_id]" => "sid" }
#rename => { "[dns][aa]" => "aa" }
#rename => { "[dns][flags]" => "flags" }
#rename => { "[dns][id]" => "id" }
#rename => { "[dns][qr]" => "qr" }
#rename => { "[dns][rcode]" => "rcode_name" }
#rename => { "[dns][rrname]" => "rrname" }
#rename => { "[dns][rrtype]" => "rrtype" }
#rename => { "[dns][tx_id]" => "tx_id" }
#rename => { "[dns][type]" => "record_type" }
#rename => { "[dns][version]" => "version" }
rename => { "[http][hostname]" => "virtual_host" }
rename => { "[http][http_content_type]" => "content_type" }
rename => { "[http][http_port]" => "http_port" }
rename => { "[http][http_method]" => "method" }
rename => { "[http][http_user_agent]" => "useragent" }
#rename => { "[http][length]" => "payload_length" }
#rename => { "[http][protocol]" => "http_version" }
rename => { "[http][status]" => "status_message" }
rename => { "[http][url]" => "url" }
#rename => { "[metadata][flowbits]" => "flowbits" }
rename => { "[tls][fingerprint]" => "certificate_serial_number" }
rename => { "[tls][issuerdn]" => "issuer_distinguished_name" }
rename => { "[tls][notafter]" => "certificate_not_valid_after" }
rename => { "[tls][notbefore]" => "certificate_not_valid_before" }
rename => { "[tls][subject]" => "certificate_common_name" }
rename => { "[tls][version]" => "tls_version" }
rename => { "event_type" => "ids_event_type" }
remove_field => [ "offset", "orig_alert", "beat", "input", "prospector" ]
remove_tag => [ "beats_input_codec_plain_applied" ]
add_tag => [ "eve" ]
}
} else {
grok {
match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
"message", "\A%{TIME} pid\(%{INT}\) Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z",
"message", "%{GREEDYDATA:alert}"]
}
}
if [timestamp] {
mutate {
add_field => { "logstash_timestamp" => "%{@timestamp}" }
}
mutate {
convert => { "logstash_timestamp" => "string" }
}
date {
match => [ "timestamp", "ISO8601" ]
}
mutate {
rename => { "logstash_timestamp" => "timestamp" }
}
}
# If the alert is a Snort GPL alert break it apart for easier reading and categorization
if [alert] =~ "GPL " {
# This will parse out the category type from the alert
grok {
match => { "alert" => "GPL\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Snort GPL" }
lowercase => [ "category"]
}
}
# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
if [alert] =~ "ET " {
# This will parse out the category type from the alert
grok {
match => { "alert" => "ET\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Emerging Threats" }
lowercase => [ "category"]
}
}
# I recommend changing the field types below to integer so searches can do greater than or less than
# and also so math functions can be ran against them
mutate {
convert => [ "source_port", "integer" ]
convert => [ "destination_port", "integer" ]
convert => [ "gid", "integer" ]
convert => [ "sid", "integer" ]
# remove_field => [ "message"]
}
# This will translate the priority field into a severity field of either High, Medium, or Low
if [priority] == 1 {
mutate {
add_field => { "severity" => "High" }
}
}
if [priority] == 2 {
mutate {
add_field => { "severity" => "Medium" }
}
}
if [priority] == 3 {
mutate {
add_field => { "severity" => "Low" }
}
}
# This section adds URLs to lookup information about a rule online
if [sid] and [sid] > 0 and [sid] < 1000000 {
mutate {
add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
}
}
if [sid] and [sid] > 1999999 and [sid] < 2999999 {
mutate {
add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
}
}
# mutate {
#add_tag => [ "conf_file_1033"]
# }
}
}


@@ -1,58 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/20/2017
filter {
if [source_ip] {
if [source_ip] == "-" {
mutate {
replace => { "source_ip" => "0.0.0.0" }
}
}
if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
mutate {
}
} else {
geoip {
source => "[source_ip]"
target => "source_geo"
}
}
if [source_ip] {
mutate {
add_field => { "ips" => "%{source_ip}" }
add_field => { "source_ips" => [ "%{source_ip}" ] }
}
}
}
if [destination_ip] {
if [destination_ip] == "-" {
mutate {
replace => { "destination_ip" => "0.0.0.0" }
}
}
if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
mutate {
}
}
else {
geoip {
source => "[destination_ip]"
target => "destination_geo"
}
}
}
if [destination_ip] {
mutate {
add_field => { "ips" => "%{destination_ip}" }
add_field => { "destination_ips" => [ "%{destination_ip}" ] }
}
}
}
#if [source_ip] or [destination_ip] {
# mutate {
#add_tag => [ "conf_file_8001"]
# }
#}


@@ -1,40 +0,0 @@
input {
beats {
port => "5644"
ssl => true
ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
ssl_certificate => "/usr/share/logstash/filebeat.crt"
ssl_key => "/usr/share/logstash/filebeat.key"
tags => [ "beat" ]
}
}
filter {
if [type] == "ids" or [type] =~ "bro" {
mutate {
rename => { "host" => "beat_host" }
remove_tag => ["beat"]
add_field => { "sensor_name" => "%{[beat][name]}" }
add_field => { "syslog-host_from" => "%{[beat][name]}" }
remove_field => [ "beat", "prospector", "input", "offset" ]
}
}
if [type] =~ "ossec" {
mutate {
rename => { "host" => "beat_host" }
remove_tag => ["beat"]
add_field => { "syslog-host_from" => "%{[beat][name]}" }
remove_field => [ "beat", "prospector", "input", "offset" ]
}
}
if [type] == "osquery" {
mutate {
rename => { "host" => "beat_host" }
remove_tag => ["beat"]
add_tag => ["osquery"]
}
json {
source => "message"
target => "osquery"
}
}
}


@@ -1,13 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
ruby {
code => "event.set('task_start', Time.now.to_f)"
}
mutate {
#add_tag => [ "conf_file_1000"]
}
}


@@ -1,33 +0,0 @@
# Updated by: Doug Burks and Wes Lambert
# Last Update: 10/30/2018
filter {
if "syslogng" in [tags] {
mutate {
rename => { "MESSAGE" => "message" }
rename => { "PROGRAM" => "type" }
rename => { "FACILITY" => "syslog-facility" }
rename => { "FILE_NAME" => "syslog-file_name" }
rename => { "HOST" => "syslog-host" }
rename => { "HOST_FROM" => "syslog-host_from" }
rename => { "LEGACY_MSGHDR" => "syslog-legacy_msghdr" }
rename => { "PID" => "syslog-pid" }
rename => { "PRIORITY" => "syslog-priority" }
rename => { "SOURCEIP" => "syslog-sourceip" }
rename => { "TAGS" => "syslog-tags" }
lowercase => [ "syslog-host_from" ]
remove_field => [ "ISODATE" ]
remove_field => [ "SEQNUM" ]
#add_tag => [ "conf_file_1001"]
}
if "bro_" in [type] {
mutate {
add_tag => [ "bro" ]
}
} else if [type] !~ /ossec.*|snort/ and "firewall" not in [tags] {
mutate {
add_tag => [ "syslog" ]
}
}
}
}


@@ -1,18 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if "json" in [tags]{
json {
source => "message"
}
mutate {
remove_tag => [ "json" ]
}
mutate {
#add_tag => [ "conf_file_1002"]
}
}
}


@@ -1,19 +0,0 @@
filter {
if "syslog" in [tags] {
if [host] == "172.16.1.1" {
mutate {
add_field => { "type" => "fortinet" }
add_tag => [ "firewall" ]
}
}
if [host] == "10.0.0.101" {
mutate {
add_field => { "type" => "brocade" }
add_tag => [ "switch" ]
}
}
mutate {
#add_tag => [ "conf_file_1004"]
}
}
}


@@ -1,140 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolutions.com
# Last Update: 12/9/2016
# This conf file is based on accepting logs for DHCP. It is currently based on Windows DHCP only.
filter {
if [type] == "dhcp" {
mutate {
add_field => { "Hostname" => "%{host}" }
}
mutate {
strip => "message"
}
# This is the initial parsing of the log
grok {
# Server 2008+
match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},%{DATA:Username},%{INT:TransactionID},%{INT:QResult},%{DATA:ProbationTime},%{DATA:CorrelationID}"}
# Server 2003
match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},"}
match => { "message" => "%{DATA:id},%{DATA:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{DATA:ip},%{DATA:Hostname},%{DATA:mac},"}
}
# This section below translates the message ID into something humans can understand.
if [id] == "00" {
mutate {
add_field => [ "event", "The log was started"]
}
}
if [id] == "01" {
mutate {
add_field => [ "event", "The log was stopped"]
}
}
if [id] == "02" {
mutate {
add_field => [ "event", "The log was temporarily paused due to low disk space"]
}
}
if [id] == "10" {
mutate {
add_field => [ "event", "A new IP address was leased to a client"]
}
}
if [id] == "11" {
mutate {
add_field => [ "event", "A lease was renewed by a client"]
}
}
if [id] == "12" {
mutate {
add_field => [ "event", "A lease was released by a client"]
}
}
if [id] == "13" {
mutate {
add_field => [ "event", "An IP address was found to be in use on the network"]
}
}
if [id] == "14" {
mutate {
add_field => [ "event", "A lease request could not be satisfied because the scope's address pool was exhausted"]
}
}
if [id] == "15" {
mutate {
add_field => [ "event", "A lease was denied"]
}
}
if [id] == "16" {
mutate {
add_field => [ "event", "A lease was deleted"]
}
}
if [id] == "17" {
mutate {
add_field => [ "event", "A lease was expired and DNS records for an expired leases have not been deleted"]
}
}
if [id] == "18" {
mutate {
add_field => [ "event", "A lease was expired and DNS records were deleted"]
}
}
if [id] == "20" {
mutate {
add_field => [ "event", "A BOOTP address was leased to a client"]
}
}
if [id] == "21" {
mutate {
add_field => [ "event", "A dynamic BOOTP address was leased to a client"]
}
}
if [id] == "22" {
mutate {
add_field => [ "event", "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"]
}
}
if [id] == "23" {
mutate {
add_field => [ "event", "A BOOTP IP address was deleted after checking to see it was not in use"]
}
}
if [id] == "24" {
mutate {
add_field => [ "event", "IP address cleanup operation has began"]
}
}
if [id] == "25" {
mutate {
add_field => [ "event", "IP address cleanup statistics"]
}
}
if [id] == "30" {
mutate {
add_field => [ "event", "DNS update request to the named DNS server"]
}
}
if [id] == "31" {
mutate {
add_field => [ "event", "DNS update failed"]
}
}
if [id] == "32" {
mutate {
add_field => [ "event", "DNS update successful"]
}
}
if [id] == "33" {
mutate {
add_field => [ "event", "Packet dropped due to NAP policy"]
}
}
# If the message failed to parse correctly keep the message for debugging. Otherwise, drop it.
#if "_grokparsefailure" not in [tags] {
# mutate {
# remove_field => [ "message"]
# }
#}
}
}


@@ -1,31 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
#
# This configuration file takes ESXi syslog messages and filters them. There is no input as the logs would have came in via syslog
filter {
# This is an example of using an IP address range to classify a syslog message to a specific type of log
# This is helpful as so many devices only send logs via syslog
if [host] =~ "10\.[0-1]\.9\." {
mutate {
replace => ["type", "esxi"]
}
}
if [host] =~ "\.234$" {
mutate {
replace => ["type", "esxi"]
}
}
if [type] == "esxi" {
grok {
match => { "message" => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))"}
# pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
}
mutate {
#add_tag => [ "conf_file_1029"]
}
}
}


@@ -1,21 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "greensql" {
# This section is parsing out the fields for GreenSQL syslog data
grok {
match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\s*Database=%{DATA:Database}\sUser=%{DATA:UserName}\sApplication Name=%{DATA:Application}\sSource IP=%{IPV4:SrcIp}\sSource Port=%{INT:SrcPort}\sTarget IP=?%{IPV4:DstIp}\sTarget Port=%{DATA:DstPort}\sQuery=%{GREEDYDATA:Query}"}
match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\sAdmin_Name=%{DATA:UserName}\sIP_Address=%{IPV4:SrcIp}\sUser_Agent=%{DATA:UserAgent}\sMessage=%{DATA:StatusMessage}\sDescription=%{DATA:Description}\sSeverity=%{GREEDYDATA:Severity}"}
}
# Remove the message field as it is unnecessary
#mutate {
# remove_field => [ "message"]
#}
mutate {
#add_tag => [ "conf_file_1030"]
}
}
}


@@ -1,21 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "iis" {
# The log is expected to have come from NXLog and in JSON format. This allows for automatic parsing of fields
json {
source => "message"
}
# This removes the message field as it is unneccesary and tags the packet as web
mutate {
# remove_field => [ "message"]
add_tag => [ "web" ]
}
mutate {
#add_tag => [ "conf_file_1031"]
}
}
}


@@ -1,26 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
#
# This file looks for McAfee EPO logs
filter {
if [type] == "mcafee" {
# NXLog should be sending the logs in JSON format so they auto parse
json {
source => "message"
}
# This section converts the UTC fields to the proper time format
date {
match => [ "ReceivedUTC", "YYYY-MM-dd HH:mm:ss" ]
target => [ "ReceivedUTC" ]
}
date {
match => [ "DetectedUTC", "YYYY-MM-dd HH:mm:ss" ]
target => [ "DetectedUTC" ]
}
mutate {
#add_tag => [ "conf_file_1032"]
}
}
}


@@ -1,181 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 3/15/2018
filter {
if [type] == "ids" {
# This is the initial parsing of the log
if [engine] == "suricata" {
json {
source => "message"
}
mutate {
rename => { "alert" => "orig_alert" }
rename => { "[orig_alert][gid]" => "gid" }
rename => { "[orig_alert][signature_id]" => "sid" }
rename => { "[orig_alert][rev]" => "rev" }
rename => { "[orig_alert][signature]" => "alert" }
rename => { "[orig_alert][category]" => "classification" }
rename => { "[orig_alert][severity]" => "priority" }
rename => { "[orig_alert][rule]" => "rule_signature" }
rename => { "app_proto" => "application_protocol" }
rename => { "dest_ip" => "destination_ip" }
rename => { "dest_port" => "destination_port" }
rename => { "in_iface" => "interface" }
rename => { "proto" => "protocol" }
rename => { "src_ip" => "source_ip" }
rename => { "src_port" => "source_port" }
#rename => { "[fileinfo][filename]" => "filename" }
#rename => { "[fileinfo][gaps]" => "gaps" }
#rename => { "[fileinfo][size]" => "size" }
#rename => { "[fileinfo][state]" => "state" }
#rename => { "[fileinfo][stored]" => "stored" }
#rename => { "[fileinfo][tx_id]" => "tx_id" }
#rename => { "[flow][age]" => "duration" }
#rename => { "[flow][alerted]" => "flow_alerted" }
#rename => { "[flow][bytes_toclient]" => "bytes_to_client" }
#rename => { "[flow][bytes_toserver]" => "bytes_to_server" }
#rename => { "[flow][end]" => "flow_end" }
#rename => { "[flow][pkts_toclient]" => "packets_to_client" }
#rename => { "[flow][pkts_toserver]" => "packets_to_server" }
#rename => { "[flow][reason]" => "reason" }
#rename => { "[flow][start]" => "flow_start" }
#rename => { "[flow][state]" => "state" }
#rename => { "[netflow][age]" => "duration" }
#rename => { "[netflow][bytes]" => "bytes" }
#rename => { "[netflow][end]" => "netflow_end" }
#rename => { "[netflow][start]" => "netflow_start" }
#rename => { "[netflow][pkts]" => "packets" }
rename => { "[alert][action]" => "action" }
rename => { "[alert][category]" => "category" }
rename => { "[alert][gid]" => "gid" }
rename => { "[alert][rev]" => "rev" }
rename => { "[alert][severity]" => "severity" }
rename => { "[alert][signature]" => "signature" }
rename => { "[alert][signature_id]" => "sid" }
#rename => { "[dns][aa]" => "aa" }
#rename => { "[dns][flags]" => "flags" }
#rename => { "[dns][id]" => "id" }
#rename => { "[dns][qr]" => "qr" }
#rename => { "[dns][rcode]" => "rcode_name" }
#rename => { "[dns][rrname]" => "rrname" }
#rename => { "[dns][rrtype]" => "rrtype" }
#rename => { "[dns][tx_id]" => "tx_id" }
#rename => { "[dns][type]" => "record_type" }
#rename => { "[dns][version]" => "version" }
rename => { "[http][hostname]" => "virtual_host" }
rename => { "[http][http_content_type]" => "content_type" }
rename => { "[http][http_port]" => "http_port" }
rename => { "[http][http_method]" => "method" }
rename => { "[http][http_user_agent]" => "useragent" }
#rename => { "[http][length]" => "payload_length" }
#rename => { "[http][protocol]" => "http_version" }
rename => { "[http][status]" => "status_message" }
rename => { "[http][url]" => "url" }
#rename => { "[metadata][flowbits]" => "flowbits" }
rename => { "[tls][fingerprint]" => "certificate_serial_number" }
rename => { "[tls][issuerdn]" => "issuer_distinguished_name" }
rename => { "[tls][notafter]" => "certificate_not_valid_after" }
rename => { "[tls][notbefore]" => "certificate_not_valid_before" }
rename => { "[tls][subject]" => "certificate_common_name" }
rename => { "[tls][version]" => "tls_version" }
rename => { "event_type" => "ids_event_type" }
remove_field => [ "offset", "orig_alert", "beat", "input", "prospector" ]
remove_tag => [ "beats_input_codec_plain_applied" ]
add_tag => [ "eve" ]
}
} else {
grok {
match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
"message", "\A%{TIME} pid\(%{INT}\) Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z",
"message", "%{GREEDYDATA:alert}"]
}
}
if [timestamp] {
mutate {
add_field => { "logstash_timestamp" => "%{@timestamp}" }
}
mutate {
convert => { "logstash_timestamp" => "string" }
}
date {
match => [ "timestamp", "ISO8601" ]
}
mutate {
rename => { "logstash_timestamp" => "timestamp" }
}
}
# If the alert is a Snort GPL alert break it apart for easier reading and categorization
if [alert] =~ "GPL " {
# This will parse out the category type from the alert
grok {
match => { "alert" => "GPL\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Snort GPL" }
lowercase => [ "category"]
}
}
# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
if [alert] =~ "ET " {
# This will parse out the category type from the alert
grok {
match => { "alert" => "ET\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Emerging Threats" }
lowercase => [ "category"]
}
}
# I recommend changing the field types below to integer so searches can do greater than or less than
# and also so math functions can be ran against them
mutate {
convert => [ "source_port", "integer" ]
convert => [ "destination_port", "integer" ]
convert => [ "gid", "integer" ]
convert => [ "sid", "integer" ]
# remove_field => [ "message"]
}
# This will translate the priority field into a severity field of either High, Medium, or Low
if [priority] == 1 {
mutate {
add_field => { "severity" => "High" }
}
}
if [priority] == 2 {
mutate {
add_field => { "severity" => "Medium" }
}
}
if [priority] == 3 {
mutate {
add_field => { "severity" => "Low" }
}
}
# This section adds URLs to lookup information about a rule online
if [sid] and [sid] > 0 and [sid] < 1000000 {
mutate {
add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
}
}
if [sid] and [sid] > 1999999 and [sid] < 2999999 {
mutate {
add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
}
}
# mutate {
#add_tag => [ "conf_file_1033"]
# }
}
}


@@ -1,16 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/22/2017
filter {
if [type] == "syslog" {
# This drops syslog messages regarding license messages. You may want to comment it out.
#if [message] =~ "license" {
# drop { }
#}
mutate {
#convert => [ "status_code", "integer" ]
}
}
}


@@ -1,59 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "sflow" {
if [message] =~ /CNTR/ {
drop { }
}
grok {
match => { "message" => "%{WORD:sample_type},%{IP:sflow_source_ip},%{WORD:in_port:int},%{WORD:out_port:int},%{WORD:source_mac},%{WORD:destination_mac},%{WORD:ether_type},%{NUMBER:in_vlan:int},%{NUMBER:out_vlan:int},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:protocol:int},%{WORD:type_of_service},%{WORD:ttl:int},%{NUMBER:source_port:int},%{NUMBER:destination_port:int},%{DATA:tcp_flags},%{NUMBER:packet_size:int},%{NUMBER:ip_size:int},%{NUMBER:sample_rate:int}" }
}
if "_grokparsefailure" in [tags] {
drop { }
}
mutate {
add_field => {
"[source_hostname]" => "%{source_ip}"
"[destination_hostname]" => "%{destination_ip}"
"[sflow_source_hostname]" => "%{sflow_source_ip}"
}
}
translate {
field => "[source_port]"
destination => "[source_service]"
dictionary_path => "/lib/dictionaries/iana_services.yaml"
}
translate {
field => "[destination_port]"
destination => "[destination_service]"
dictionary_path => "/lib/dictionaries/iana_services.yaml"
}
translate {
field => "[protocol]"
destination => "[protocol_name]"
dictionary_path => "/lib/dictionaries/iana_protocols.yaml"
}
translate {
field => "[tcp_flags]"
destination => "[tcp_flag]"
dictionary_path => "/lib/dictionaries/tcp_flags.yaml"
}
mutate {
add_field => { "ips" => [ "%{sflow_source_ip}" ] }
}
mutate {
#add_tag => [ "conf_file_2000"]
}
}
}


@@ -1,11 +0,0 @@
# Updated by: Doug Burks
# Last Update: 5/16/2017
#
filter {
if "syslog" in [tags] {
mutate {
#convert => [ "status_code", "integer" ]
#add_tag => [ "conf_file_6002"]
}
}
}


@@ -1,33 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "brocade" {
grok {
match => ["message", "<%{DATA}>%{GREEDYDATA:sys_message}"]
}
grok {
match => { "sys_message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid:int}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
}
if [syslog_message] =~ "Interface ethernet" or [syslog_program] == "PORT" {
grok {
match => { "syslog_message" => "%{DATA}%{INT:unit}\/%{INT:interface_type}\/%{INT:interface:int}" }
}
mutate {
add_field => { "interface_port" => "%{unit}/%{interface_type}/%{interface}" }
}
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
timezone => "America/Chicago"
remove_field => "syslog_timestamp"
remove_field => "received_at"
}
mutate {
#add_tag => [ "conf_file_6101"]
}
}
}


@@ -1,281 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "fortinet" {
mutate {
gsub => [ "message", "= ", "=NA " ]
}
grok {
match => ["message", "type=%{DATA:event_type}\s+"]
tag_on_failure => []
}
grok {
match => ["message", "<%{DATA}>%{GREEDYDATA:kv}"]
tag_on_failure => []
}
kv {
source => "kv"
exclude_keys => [ "type" ]
}
mutate {
gsub => [ "log", "= ", "=NA " ]
}
kv {
source => "log"
target => "SubLog"
}
grok {
match => ["message", "custom: DOM-ALL, dns_query=%{DATA:dns_query};"]
tag_on_failure => [ "" ]
}
mutate {
rename => { "action" => "action" }
rename => { "addr" => "addr_ip" }
rename => { "age" => "age" }
rename => { "assigned" => "assigned_ip" }
rename => { "assignip" => "assign_ip" }
rename => { "ap" => "access_point" }
rename => { "app" => "application" }
rename => { "appcat" => "application_category" }
rename => { "applist" => "application_list" }
rename => { "apprisk" => "application_risk" }
rename => { "approfile" => "accessPoint_profile" }
rename => { "apscan" => "access_point_scan" }
rename => { "apstatus" => "acces_point_status" }
rename => { "aptype" => "access_point_type" }
rename => { "authproto" => "authentication_protocol" }
rename => { "bandwidth" => "bandwidth" }
rename => { "banned_src" => "banned_source" }
rename => { "cat" => "category" }
rename => { "catdesc" => "category_description" }
rename => { "cfgattr" => "configuration_attribute" }
rename => { "cfgobj" => "configuration_object" }
rename => { "cfgpath" => "configuration_path" }
rename => { "cfgtid" => "configuration_transaction_id" }
rename => { "channel" => "channel" }
rename => { "community" => "community" }
rename => { "cookies" => "cookies" }
rename => { "craction" => "cr_action" }
rename => { "crlevel" => "cr_level" }
rename => { "crscore" => "cr_score" }
rename => { "datarange" => "data_range" }
rename => { "desc" => "description" }
rename => { "detectionmethod" => "detection_method" }
rename => { "devid" => "device_id" }
rename => { "devname" => "device_name" }
rename => { "devtype" => "device_type" }
rename => { "dhcp_msg" => "dhcp_message" }
rename => { "disklograte" => "disk_lograte" }
rename => { "dstcountry" => "destination_country" }
rename => { "dstintf" => "destination_interface" }
rename => { "dstip" => "destination_ip" }
rename => { "dstport" => "destination_port" }
rename => { "duration" => "elapsed_time" }
rename => { "error_num" => "error_number" }
rename => { "espauth" => "esp_authentication" }
rename => { "esptransform" => "esp_transform" }
rename => { "eventid" => "event_id" }
rename => { "eventtype" => "event_type" }
rename => { "fazlograte" => "faz_lograte" }
rename => { "filename" => "file_name" }
rename => { "filesize" => "file_size" }
rename => { "filetype" => "file_type" }
rename => { "hostname" => "hostname" }
rename => { "ip" => "source_ip" }
rename => { "localip" => "source_ip" }
rename => { "locip" => "local_ip" }
rename => { "locport" => "source_port" }
rename => { "logid" => "log_id" }
rename => { "logver" => "log_version" }
rename => { "manuf" => "manufacturer" }
rename => { "mem" => "memory" }
rename => { "meshmode" => "mesh_mode" }
rename => { "msg" => "message" }
rename => { "nextstat" => "next_stat" }
rename => { "onwire" => "on_wire" }
rename => { "osname" => "os_name" }
rename => { "osversion" => "unauthenticated_user" }
rename => { "outintf" => "outbound_interface" }
rename => { "peer_notif" => "peer_notification" }
rename => { "phase2_name" => "phase2_name" }
rename => { "policyid" => "policy_id" }
rename => { "policytype" => "policy_type" }
rename => { "port" => "port" }
rename => { "probeproto" => "probe_protocol" }
rename => { "proto" => "protocol_number" }
rename => { "radioband" => "radio_band" }
rename => { "radioidclosest" => "radio_id_closest" }
rename => { "radioiddetected" => "radio_id_detected" }
rename => { "rcvd" => "bytes_received" }
rename => { "rcvdbyte" => "bytes_received" }
rename => { "rcvdpkt" => "packets_received" }
rename => { "remip" => "destination_ip" }
rename => { "remport" => "remote_port" }
rename => { "reqtype" => "request_type" }
rename => { "scantime" => "scan_time" }
rename => { "securitymode" => "security_mode" }
rename => { "sent" => "bytes_sent" }
rename => { "sentbyte" => "bytes_sent" }
rename => { "sentpkt" => "packets_sent" }
rename => { "session_id" => "session_id" }
rename => { "setuprate" => "setup_rate" }
rename => { "sn" => "serial" }
rename => { "snclosest" => "serial_closest_access_point" }
rename => { "sndetected" => "serial_access_point_that_detected_rogue_ap" }
rename => { "snmeshparent" => "serial_mesh_parent" }
rename => { "srccountry" => "source_country" }
rename => { "srcip" => "source_ip" }
rename => { "srcmac" => "source_mac" }
rename => { "srcname" => "source_name" }
rename => { "srcintf" => "source_interface" }
rename => { "srcport" => "source_port" }
rename => { "stacount" => "station_count" }
rename => { "stamac" => "static_mac" }
rename => { "srccountry" => "source_country" }
rename => { "srcip" => "source_ip" }
rename => { "srcmac" => "source_mac" }
rename => { "srcname" => "source_name" }
rename => { "sn" => "serial" }
rename => { "srcintf" => "source_interface" }
rename => { "srcport" => "source_port" }
rename => { "total" => "total_bytes" }
rename => { "totalsession" => "total_sessions" }
rename => { "trandisp" => "nat_translation_type" }
rename => { "tranip" => "nat_destination_ip" }
rename => { "tranport" => "nat_destination_port" }
rename => { "transip" => "nat_source_ip" }
rename => { "transport" => "nat_source_port" }
rename => { "tunnelid" => "tunnel_id" }
rename => { "tunnelip" => "tunnel_ip" }
rename => { "tunneltype" => "tunnel_type" }
rename => { "unauthuser" => "unauthenticated_user_source" }
rename => { "unauthusersource" => "os_version" }
rename => { "vendorurl" => "vendor_url" }
rename => { "vpntunnel" => "vpn_tunnel" }
rename => { "vulncat" => "vulnerability_category" }
rename => { "vulncmt" => "vulnerability_count" }
rename => { "vulnid" => "vulnerability_id" }
rename => { "vulnname" => "vulnerability_name" }
rename => { "vulnref" => "vulnerability_reference" }
rename => { "vulnscore" => "vulnerability_score" }
rename => { "xauthgroup" => "x_authentication_group" }
rename => { "xauthuser" => "x_authentication_user" }
rename => { "[SubLog][appid]" => "sub_application_id" }
rename => { "[SubLog][devid]" => "sub_device_id" }
rename => { "[SubLog][dstip]" => "sub_destination_ip" }
rename => { "[SubLog][srcip]" => "sub_source_ip" }
rename => { "[SubLog][dstport]" => "sub_destination_port" }
rename => { "[SubLog][eventtype]" => "sub_event_type" }
rename => { "[SubLog][proto]" => "sub_protocol_number" }
rename => { "[SubLog][date]" => "sub_date" }
rename => { "[SubLog][time]" => "sub_time" }
rename => { "[SubLog][srcport]" => "sub_source_port" }
rename => { "[SubLog][subtype]" => "sub_subtype" }
rename => { "[SubLog][devname]" => "sub_device_name" }
rename => { "[SubLog][itime]" => "sub_itime" }
rename => { "[SubLog][level]" => "sub_level" }
rename => { "[SubLog][logid]" => "sub_log_id" }
rename => { "[SubLog][logver]" => "sub_log_version" }
rename => { "[SubLog][type]" => "sub_event_type" }
rename => { "[SubLog][vd]" => "sub_vd" }
rename => { "[SubLog][action]" => "sub_action" }
rename => { "[SubLog][logdesc]" => "sub_destination_ip" }
rename => { "[SubLog][policyid]" => "sub_olicy_id" }
rename => { "[SubLog][reason]" => "sub_reason" }
rename => { "[SubLog][service]" => "sub_service" }
rename => { "[SubLog][sessionid]" => "sub_session_id" }
rename => { "[SubLog][src]" => "sub_source_ip" }
rename => { "[SubLog][status]" => "sub_status" }
rename => { "[SubLog][ui]" => "sub_ui" }
rename => { "[SubLog][urlfilteridx]" => "sub_url_filter_idx" }
strip => [ "bytes_sent", "bytes_received" ]
convert => [ "bytes_sent", "integer" ]
convert => [ "bytes_received", "integer" ]
convert => [ "cr_score", "integer" ]
convert => [ "cr_action", "integer" ]
convert => [ "elapsed_time", "integer" ]
convert => [ "destination_port", "integer" ]
convert => [ "source_port", "integer" ]
convert => [ "local_port", "integer" ]
convert => [ "remote_port", "integer" ]
convert => [ "packets_sent", "integer" ]
convert => [ "packets_received", "integer" ]
convert => [ "port", "integer" ]
convert => [ "ProtocolNumber", "integer" ]
convert => [ "XAuthUser", "string" ]
remove_field => [ "kv", "log" ]
}
if [tunnel_ip] == "N/A" {
mutate {
remove_field => [ "tunnel_ip" ]
}
}
if [nat_destination_ip] {
mutate {
add_field => { "ips" => [ "%{nat_destination_ip}" ] }
add_field => { "destination_ips" => [ "%{nat_destination_ip}" ] }
}
}
if [sub_destination_ip] {
mutate {
add_field => { "ips" => [ "%{sub_destination_ip}" ] }
add_field => { "destination_ips" => [ "%{sub_destination_ip}" ] }
}
}
if [nat_source_ip] {
mutate {
add_field => { "ips" => [ "%{nat_source_ip}" ] }
add_field => { "source_ips" => [ "%{nat_source_ip}" ] }
}
}
if [sub_source_ip] {
mutate {
add_field => { "ips" => [ "%{sub_source_ip}" ] }
add_field => { "source_ips" => [ "%{sub_source_ip}" ] }
}
}
if [addr_ip] {
mutate {
add_field => { "ips" => [ "%{addr_ip}" ] }
}
}
if [assign_ip] {
mutate {
add_field => { "ips" => [ "%{assign_ip}" ] }
}
}
if [assigned_ip] {
mutate {
add_field => { "ips" => [ "%{assigned_ip}" ] }
}
}
grok {
match => ["message", "type=%{DATA:event_type}\s+"]
}
if [date] and [time] {
mutate {
add_field => { "receive_time" => "%{date} %{time}" }
remove_field => [ "date", "time" ]
}
date {
timezone => "America/Chicago"
match => [ "receive_time", "YYYY-MM-dd HH:mm:ss" ]
target => "receive_time"
}
mutate {
rename => { "receive_time" => "@timestamp" }
}
} else {
mutate {
add_tag => [ "missing_date" ]
}
}
mutate {
#add_tag => [ "conf_file_6200"]
}
}
}


@@ -1,56 +0,0 @@
# Author: Wes Lambert
# Updated by: Doug Burks
filter {
if [type] == "filterlog" {
dissect {
mapping => {
"message" => "%{rule_number},%{sub_rule_number},%{anchor},%{tracker_id},%{interface},%{reason},%{action},%{direction},%{ip_version},%{sub_msg}"
}
}
if [ip_version] == "4" {
dissect {
mapping => {
"sub_msg" => "%{ipv4_tos},%{ipv4_ecn},%{ipv4_ttl},%{ipv4_id},%{ipv4_offset},%{ipv4_flags},%{protocol_id},%{protocol},%{protocol_length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
}
}
}
if [ip_version] == "6" {
dissect {
mapping => {
"sub_msg" => "%{class},%{flow_label},%{hop_limit},%{protocol},%{protocol_id},%{length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
}
}
}
if [protocol] == "tcp" {
dissect {
mapping => {
"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length},%{tcp_flags},"
}
}
}
if [protocol] == "udp" {
dissect {
mapping => {
"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length}"
}
}
}
if [protocol] == "Options" {
mutate {
copy => { "ip_sub_msg" => "options" }
}
mutate {
split => { "options" => "," }
}
}
mutate {
convert => [ "destination_port", "integer" ]
convert => [ "source_port", "integer" ]
convert => [ "ip_version", "integer" ]
replace => { "type" => "firewall" }
add_tag => [ "pfsense","firewall" ]
remove_field => [ "sub_msg", "ip_sub_msg" ]
}
}
}


@@ -1,161 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "windows" {
# json {
# source => "message"
# }
date {
match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
remove_field => [ "EventTime" ]
}
if [EventID] == 4634 {
mutate {
add_tag => [ "logoff" ]
}
}
if [EventID] == 4624 or [EventID] == 528 or [EventID] == 540 or [EventID] == 552 or [EventID] == 682 or [EventID] == 4648 or [EventID] == 4778 {
mutate {
add_tag => [ "logon" ]
add_tag => [ "alert_data" ]
}
}
if [EventID] == 529 or [EventID] == 4625 or [EventID] == 530 or [EventID] == 531 or [EventID] == 532 or [EventID] == 533 or [EventID] == 534 or [EventID] == 535 or [EventID] == 536 or [EventID] == 536 or [EventID] == 537 or [EventID] == 538 or [EventID] == 539 or [EventID] == 4625 or [EventID] == 4771 {
mutate {
add_tag => [ "logon_failure" ]
add_tag => [ "alert_data" ]
}
}
# Critical event IDs to monitor
if [EventID] == 7030 or [EventID] == 4720 or [EventID] == 4722 or [EventID] == 4724 or [EventID] == 4738 or [EventID] == 4732 or [EventID] == 1102 or [EventID] == 1056 or [EventID] == 2003 or [EventID] == 2005 or [EventID] == 8003 or [EventID] == 8004 or [EventID] == 8006 or [EventID] == 8007 {
mutate {
add_tag => [ "alert_data" ]
}
}
# Critical event IDs to monitor
if [EventID] == 5152 { drop {} }
if [EventID] == 4688 { drop {} }
if [EventID] == 4689 { drop {} } # Process Termination:Not needed due to Sysmon
if [Channel] == "Microsoft-Windows-Known Folders API Service" { drop {} }
if [EventID] == 3 and [SourceIp] =~ "255$" { drop {} }
if [EventID] == 3 and [DestinationIp] =~ "255$" { drop {} }
# Whitelist/Blacklist check
if [EventID] == 7045 {
translate {
field => "ServiceName"
destination => "ServiceCheck"
dictionary_path => "/lib/dictionaries/services.yaml"
}
}
if [EventID] == 7045 and !([ServiceCheck]) {
mutate {
add_tag => [ "alert_data","new_service" ]
}
}
if [ServiceCheck] == 'whitelist' {
mutate {
remove_field => [ "ServiceCheck" ]
add_tag => [ "whitelist" ]
}
}
if [ServiceCheck] == 'blacklist' {
mutate {
remove_field => [ "ServiceCheck" ]
add_tag => [ "blacklist" ]
}
}
if [EventID] == 5158 {
if [Application] == "System" { drop {} }
if [Application] =~ "\\windows\\system32\\spoolsv\.exe" { drop {} }
if [Application] =~ "\\windows\\system32\\wbem\\wmiprvse\.exe" { drop {} }
if [Application] =~ "mcafee" { drop {} }
if [Application] =~ "carestream" { drop {} }
if [Application] =~ "Softdent" { drop {} }
}
if [ProcessName] == "C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe" and [SubjectUserName] == "SolarwindsHO" { drop {} }
if [EventID] == 4690 { drop {} }
if [EventID] == 861 and [AccountName] == "ntp" { drop {} }
if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\lsass\.exe$" { drop {} }
if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\svchost\.exe$" { drop {} }
if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\dfsrs\.exe$" { drop {} }
if [EventID] == 5447 { drop {} }
mutate {
rename => [ "AccountName", "user" ]
rename => [ "AccountType", "account_type" ]
rename => [ "ActivityID", "activity_id" ]
rename => [ "Category", "category" ]
rename => [ "ClientAddress", "client_ip" ]
rename => [ "Channel", "channel" ]
rename => [ "DCIPAddress", "domain_controller_ip" ]
rename => [ "DCName", "domain_controller_name" ]
rename => [ "EventID", "event_id" ]
rename => [ "EventReceivedTime", "event_received_time" ]
rename => [ "EventType", "event_type" ]
rename => [ "GatewayIPAddress", "gateway_ip" ]
rename => [ "IPAddress", "client_ip" ]
rename => [ "Ipaddress", "client_ip" ]
rename => [ "IpAddress", "client_ip" ]
rename => [ "IPPort", "source_port" ]
rename => [ "OpcodeValue", "opcode_value" ]
rename => [ "PreAuthType", "preauthentication_type" ]
rename => [ "PrincipleSAMName", "user" ]
rename => [ "ProcessID", "process_id" ]
rename => [ "ProviderGUID", "providerguid" ]
rename => [ "RecordNumber", "record_number" ]
rename => [ "RemoteAddress", "destination_ip" ]
rename => [ "ServiceName", "service_name" ]
rename => [ "ServiceID", "service_id" ]
rename => [ "SeverityValue", "severity_value" ]
rename => [ "SourceAddress", "client_ip" ]
rename => [ "SourceModuleName", "source_module_name" ]
rename => [ "SourceModuleType", "source_module_type" ]
rename => [ "SourceName", "source_name" ]
rename => [ "SubjectUserName", "user" ]
rename => [ "TaskName", "task_name" ]
rename => [ "TargetDomainName", "target_domain_name" ]
rename => [ "TargetUserName", "user" ]
rename => [ "ThreadID", "thread_id" ]
rename => [ "User_ID", "user" ]
rename => [ "UserID", "user" ]
rename => [ "username", "user" ]
}
# For any accounts that are service accounts or special accounts add the tag of service_account
# This example applies the tag to any username that starts with SVC_. If you use a different
# standard change this.
if [user] =~ "^DWM-*" or [user] == "SYSTEM" or [user] == "NETWORK SERVICE" or [user] == "LOCAL SERVICE" or [user] =~ "^SVC_*" {
mutate {
add_tag => [ "service_account" ]
}
}
# This looks for events that are typically noisy but may be of use for deep dive investigations
# A tag of noise is added to quickly filter out noise
if [event_id] == 7036 or [source_name] == "Desktop Window Manager" or [category] == "Engine Lifecycle" or [category] == "Provider Lifecycle" {
mutate {
add_tag => [ "noise" ]
}
}
#Identify machine accounts
if [user] =~ /\$/ {
mutate {
add_tag => [ "machine", "noise" ]
}
}
# Lower case all field names
ruby {
code => "
event_hash = event.to_hash
new_event = {}
event_hash.keys.each do |key|
new_event[key.downcase] = event[key]
end
event.instance_variable_set(:@data, new_event)"
}
mutate {
#add_tag => [ "conf_file_6300"]
}
}
}


@@ -1,49 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "dns" and "bro" not in [tags] {
json {
source => "message"
}
# strip whitespace from message field
mutate {
strip => "message"
}
# If the message is blank, drop the log
if [Message] =~ /^$/ {
drop { }
} else {
if [type] == "dns" {
# This section is lookup for a match against the log and parsing out the fields
grok {
match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
# Server 2003 DNS logs do not include slashes or AM/PM in timestamp
match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
remove_field => [ "Message" ]
}
# This section attempts to convert the dns_domain into the traditional domain.com format
mutate {
gsub => [ "dns_domain", "(\(\d+\))", "." ]
}
grok {
match => { "dns_domain" => "\.%{DATA:query}\.$" }
remove_field => [ "dns_domain" ]
}
}
}
mutate {
#add_tag => [ "conf_file_6301"]
}
}
}


@@ -1,92 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
#
# This conf file is based on accepting logs for suricata json events
filter {
if [type] == "suricata" {
if "test_data" not in [tags] {
date {
match => [ "timestamp", "ISO8601" ]
}
} else {
mutate {
remove_field => [ "netflow.start","netflow.end","timestamp" ]
}
}
if [event_type] == "fileinfo" {
ruby {
code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
}
}
# I recommend renaming the fields below to be consistent with other log sources. This makes it easy to "pivot" between logs
mutate {
rename => [ "src_ip", "source_ip" ]
rename => [ "dest_ip", "destination_ip" ]
rename => [ "src_port", "source_port" ]
rename => [ "dest_port", "destination_port" ]
}
# This will translate the alert.severity field into a severity field of either High, Medium, or Low
if [event_type] == "alert" {
if [alert][severity] == 1 {
mutate {
add_field => { "severity" => "High" }
}
}
if [alert][severity] == 2 {
mutate {
add_field => { "severity" => "Medium" }
}
}
if [alert][severity] == 3 {
mutate {
add_field => { "severity" => "Low" }
}
}
# If the alert is a Snort GPL alert break it apart for easier reading and categorization
if [alert][signature] =~ "GPL " {
# This will parse out the category type from the alert
grok {
match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Snort GPL" }
lowercase => [ "category" ]
}
}
# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
if [alert][signature] =~ "ET " {
# This will parse out the category type from the alert
grok {
match => { "[alert][signature]" => "ET\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Emerging Threats" }
lowercase => [ "category" ]
}
}
# This section adds URLs to lookup information about a rule online
if [rule_type] == "Snort GPL" {
mutate {
add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
}
}
if [rule_type] == "Emerging Threats" {
mutate {
add_field => [ "signature_info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ]
}
}
}
if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
# mutate {
# remove_field => [ "message" ]
# }
}
mutate {
#add_tag => [ "conf_file_6400"]
}
}
}


@@ -1,160 +0,0 @@
# Author: Wes Lambert
#
# Last Update: 09/19/2018
#
# This conf file is based on accepting logs from OSSEC
filter {
# OSSEC Alerts
if [type] == "ossec" {
# Sysmon/Autoruns logs transported by OSSEC
if [message] =~ "Microsoft-Windows-Sysmon" {
mutate {
replace => { "type" => "sysmon" }
add_tag => [ "ossec" ]
}
}
if [message] =~ "AR-LOG" {
mutate {
replace => { "type" => "autoruns" }
add_tag => [ "ossec" ]
}
}
# If message looks like json, try to parse it as such. Otherwise, grok.
if [message] =~ /^{.*}$/ {
json {
source => "message"
}
mutate {
rename => { "rule" => "wazuh-rule" }
rename => { "[wazuh-rule][level]" => "alert_level" }
rename => { "[wazuh-rule][description]" => "description" }
rename => { "[data][srcuser]" => "username" }
rename => { "[data][dstuser]" => "escalated_user" }
rename => { "[data][command]" => "command" }
rename => { "[predecoder][program_name]" => "process" }
}
# Wazuh 3.8.2
if [data][EventChannel] {
mutate {
rename => { "[data][EventChannel][EventData][User]" => "username" }
rename => { "[data][EventChannel][System][EventID]" => "event_id" }
rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
}
}
# Wazuh 3.9.2
if [data][win] {
mutate {
rename => { "[data][win][eventdata][user]" => "username" }
rename => { "[data][win][system][eventID]" => "event_id" }
rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
}
}
} else {
grok {
match => ["message", "Alert Level: %{NONNEGINT;alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; user: +%{DATA:username}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{INT:pid}]: %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; srcip: %{IP:source_ip};%{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{INT:num_packets}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{GREEDYDATA:details}.",
"message", "Alert Level: %{NONNEGINT:alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:location}; user: +%{DATA:username};",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{NONNEGINT:num_packets}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{GREEDYDATA:details}"]
}
}
# Add tag for OSSEC alerts
if [alert_level] {
mutate {
add_tag => [ "alert" ]
}
}
translate {
field => "alert_level"
destination => "classification"
dictionary => [
"1", "None",
"2", "System low priority notification",
"3", "Successful/authorized event",
"4", "System low priority error",
"5", "User generated error",
"6", "Low relevance attack",
"7", '"Bad word" matching',
"8", "First time seen",
"9", "Error from invalid source",
"10", "Multiple user generated errors",
"11", "Integrity checking warning",
"12", "High importance event",
"13", "Unusal error (high importance)",
"14", "High importance security event",
"15", "Severe attack"
]
}
}
# OSSEC Archive Logs
if [type] == "ossec_archive" {
# Sysmon/Autoruns logs transported by OSSEC
if [message] =~ "Microsoft-Windows-Sysmon" {
mutate {
replace => { "type" => "sysmon" }
add_tag => [ "ossec" ]
}
}
if [message] =~ "AR-LOG" {
mutate {
replace => { "type" => "autoruns" }
add_tag => [ "ossec" ]
}
}
# If message looks like json, try to parse it as such. Otherwise, grok.
if [message] =~ /^{.*}$/ {
json {
source => "message"
}
mutate {
rename => [ "rule", "wazuh-rule" ]
rename => [ "[wazuh-rule][level]", "alert_level" ]
rename => [ "[wazuh-rule][description]", "description" ]
rename => [ "[data][srcuser]", "username" ]
rename => [ "[data][dstuser]", "escalated_user" ]
rename => [ "[data][command]", "command" ]
rename => [ "[predecoder][program_name]", "process" ]
}
} else {
grok {
match => ["message",'%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip} - %{DATA:username} \[%{DATA:request_timestamp}] "%{DATA:method} %{DATA:requested_resource} %{DATA:protocol}\/%{DATA:protocol_version}" %{NONNEGINT:status_code} %{NONNEGINT:object_size} "%{DATA:referrer}" "%{DATA:user_agent}"',
"message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: \(%{DATA:username}\) CMD \(%{DATA:command}\)",
"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{GREEDYDATA:details}","message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:ossec_host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
"message","%{DATA:age} %{DATA:program} %{DATA} '%{DATA:checksum}'",
"message", "%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}"]
remove_field => [ "ossec_timestamp" ]
}
mutate {
convert => [ "status_code", "integer" ]
}
}
}
}


@@ -1,118 +0,0 @@
# Author: Wes Lambert
# wlambertts@gmail.com
#
# This conf file is based on accepting Sysmon logs from OSSEC
#
# Parse using grok
filter {
# OSSEC Logs and Alerts
if [type] == "sysmon" or "sysmon" in [tags] {
if [message] !~ /^{.*}$/ {
#mutate { replace => { "type" => "sysmon" } }
grok {
# match => ["message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip}->WinEvtLog %{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(%{INT:sysmon_event_id}\):"]
match => ["message", "%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{DATA:location}%{SPACE}(any|%{IP:source_ip})->WinEvtLog%{SPACE}%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:ossec_timestamp}%{SPACE}WinEvtLog:%{SPACE}Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION\(%{INT:event_id}\):%{SPACE}%{GREEDYDATA:rest_of_msg}"]
}
mutate {
convert => ["event_id", "integer"]
remove_field => ["timestamp"]
remove_field => ["year"]
}
if [event_id] == 1 {
grok {
match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name} %{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}",
"rest_of_msg", 'Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}"%{DATA:process_name}"%{SPACE}%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{DATA:integrity_level}',
"rest_of_msg", "Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION(%{INT:event_id}):%{SPACE}Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}{%{DATA:process_guid}}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name}%{SPACE}%{DATA:process_arguments}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}{%{DATA:logon_guid}}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}{%{DATA:parent_process_guid}}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}"]
}
mutate {
convert => ["process_guid", "integer"]
convert => ["process_id", "integer"]
add_tag => ["process_creation"]
}
}
if [event_id] == 3 {
mutate {
remove_field => ["source_ip"]
}
grok {
match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}Protocol:%{SPACE}%{DATA:protocol}%{SPACE}Initiated:%{SPACE}%{DATA:initiated}%{SPACE}SourceIsIpv6:%{SPACE}%{DATA:is_source_ipv6}%{SPACE}SourceIp:%{SPACE}%{IP:source_ip}%{SPACE}SourceHostname:%{SPACE}%{DATA:source_hostname}%{SPACE}SourcePort:%{SPACE}%{NONNEGINT:source_port}%{SPACE}SourcePortName:%{SPACE}%{DATA:source_port_name}%{SPACE}DestinationIsIpv6:%{SPACE}%{DATA:dest_is_ipv6}%{SPACE}DestinationIp:%{SPACE}%{IP:destination_ip}%{SPACE}DestinationHostname:%{SPACE}%{DATA:destination_hostname}%{SPACE}DestinationPort:%{SPACE}%{NONNEGINT:destination_port}%{SPACE}DestinationPortName:%{SPACE}%{GREEDYDATA:destination_port_name}"]
}
mutate {
convert => ["process_guid", "integer"]
convert => ["process_id", "integer"]
convert => ["source_port", "integer"]
convert => ["destination_port", "integer"]
add_tag => ["network_connection"]
}
}
if [event_id] == 5 {
grok {
match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{GREEDYDATA:image_path}"]
}
mutate {
convert => ["process_guid", "integer"]
convert => ["process_id", "integer"]
add_tag => ["process_termination"]
}
}
if [event_id] == 11 {
grok {
match => ["rest_of_msg","Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}TargetFilename:%{SPACE}%{DATA:target_filename}%{SPACE}CreationUtcTime:%{SPACE}%{DATA:creation_time}%{SPACE}"]
}
mutate {
convert => ["process_guid", "integer"]
convert => ["process_id", "integer"]
add_tag => ["file_created"]
}
}
mutate {
remove_field => ["rest_of_msg"]
}
} else {
mutate {
rename => { "[data][srcuser]" => "username" }
rename => { "[data][id]" => "event_id" }
rename => { "[data][dstport]" => "destination_port" }
rename => { "[data][dstip]" => "destination_ip" }
rename => { "[data][srcip]" => "source_ip" }
rename => { "[data][sysmon][image]" => "image_path" }
rename => { "[data][sysmon][parentImage]" => "parent_image_path" }
rename => { "[data][sysmon][targetfilename]" => "target_filename" }
rename => { "[data][sysmon][sourceHostname]" => "source_hostname" }
rename => { "[data][sysmon][destinationHostname]" => "destination_hostname" }
}
# Wazuh 3.8.2
if [data][EventChannel] {
mutate {
rename => { "[data][EventChannel][EventData][User]" => "username" }
rename => { "[data][EventChannel][System][EventID]" => "event_id" }
rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
rename => { "[data][EventChannel][EventData][Image]" => "image_path" }
rename => { "[data][EventChannel][EventData][ParentImage]" => "parent_image_path" }
rename => { "[data][EventChannel][EventData][TargetFilename]" => "target_filename" }
rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
}
}
# Wazuh 3.9.2
if [data][win] {
mutate {
rename => { "[data][win][eventdata][user]" => "username" }
rename => { "[data][win][system][eventID]" => "event_id" }
rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
rename => { "[data][win][eventdata][image]" => "image_path" }
rename => { "[data][win][eventdata][parentImage]" => "parent_image_path" }
rename => { "[data][win][eventdata][targetFilename]" => "target_filename" }
rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
}
}
}
}
}


@@ -1,43 +0,0 @@
# Author: Wes Lambert
# wlambertts@gmail.com
#
# Updated by: Dustin Lee
# Last Update: 06/13/2019
#
# This conf file is based on accepting Autoruns logs from OSSEC
#
# Parse using grok
filter {
if [type] == "autoruns" or "autoruns" in [tags] {
if [message] !~ /^{.*}$/ {
grok {
match => [
"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
]
}
#csv {
# columns => ["log_name","entry_location","entry","enabled","category","autoruns_description","signer","company","image_path","version","launch_string","md5","sha1","pesha1","pesha256","sha256","imphash"]
# separator => "|"
# }
mutate {
remove_field => [ "year" ]
remove_field => [ "timestamp" ]
}
} else {
grok {
match => [
"full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
"full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
]
}
mutate {
# Rename fields
}
}
date {
match => [ "image_timestamp", "yyyyMMdd-HHmmss" ]
target => "image_timestamp"
}
}
}


@@ -1,23 +0,0 @@
# Author: Wes Lambert
#
# Last Update: 09/24/2018
#
# This conf file is based on accepting Sysmon logs from winlogbeat
filter {
if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
mutate {
replace => { "type" => "sysmon" }
rename => { "[event_data][User]" => "username" }
rename => { "[event_data][DestinationPort]" => "destination_port" }
rename => { "[event_data][DestinationIp]" => "destination_ip" }
rename => { "[event_data][SourceIp]" => "source_ip" }
rename => { "[event_data][Image]" => "image_path" }
rename => { "[event_data][ParentImage]" => "parent_image_path" }
rename => { "[data][sysmon][targetfilename]" => "target_filename" }
rename => { "[event_data][SourceHostname]" => "source_hostname" }
rename => { "[event_data][DestinationHostname]" => "destination_hostname" }
rename => { "[event_data][TargetFilename]" => "target_filename" }
}
}
}


@@ -1,17 +0,0 @@
# Author: Doug Burks
#
# Last Update: 09/24/2018
#
# This conf file is for beat data
filter {
if "beat" in [tags] {
mutate {
# As of beats 6.3.0, host is now an object:
# https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-6.3.0.html
# This creates a conflict with our existing host string.
# So let's rename the host object to beat_host.
rename => { "host" => "beat_host" }
}
}
}


@@ -1,23 +0,0 @@
# Author: Josh Brower
# Last Update: 12/28/2018
# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
filter {
if "osquery" in [tags] and [osquery][columns][eventid] {
mutate {
gsub => ["[osquery][columns][data]", "\\x0A", ""]
}
json {
source => "[osquery][columns][data]"
target => "[osquery][columns][data]"
}
mutate {
merge => { "[osquery][columns]" => "[osquery][columns][data]" }
remove_field => ["[osquery][columns][data]"]
}
}
}


@@ -1,8 +0,0 @@
filter {
if [type] =~ "strelka" {
json {
source => "message"
}
}
}


@@ -1,58 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/20/2017
filter {
if [source_ip] {
if [source_ip] == "-" {
mutate {
replace => { "source_ip" => "0.0.0.0" }
}
}
if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
mutate {
}
} else {
geoip {
source => "[source_ip]"
target => "source_geo"
}
}
if [source_ip] {
mutate {
add_field => { "ips" => "%{source_ip}" }
add_field => { "source_ips" => [ "%{source_ip}" ] }
}
}
}
if [destination_ip] {
if [destination_ip] == "-" {
mutate {
replace => { "destination_ip" => "0.0.0.0" }
}
}
if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
mutate {
}
}
else {
geoip {
source => "[destination_ip]"
target => "destination_geo"
}
}
}
if [destination_ip] {
mutate {
add_field => { "ips" => "%{destination_ip}" }
add_field => { "destination_ips" => [ "%{destination_ip}" ] }
}
}
}
#if [source_ip] or [destination_ip] {
# mutate {
#add_tag => [ "conf_file_8001"]
# }
#}


@@ -1,27 +0,0 @@
# Original Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/13/2017
filter {
if [type] == "bro_http" {
if [uri] {
ruby {
code => "event.set('uri_length', event.get('uri').length)"
}
}
if [virtual_host] {
ruby {
code => "event.set('virtual_host_length', event.get('virtual_host').length)"
}
}
if [useragent] {
ruby {
code => "event.set('useragent_length', event.get('useragent').length)"
}
}
mutate {
##add_tag => [ "conf_file_8007"]
}
}
}


@@ -1,63 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [destination_ip] {
if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
mutate {
add_tag => [ "internal_destination" ]
}
} else {
mutate {
add_tag => [ "external_destination" ]
}
}
if "internal_destination" not in [tags] {
if [destination_ip] == "198.41.0.4" or [destination_ip] == "192.228.79.201" or [destination_ip] == "192.33.4.12" or [destination_ip] == "199.7.91.13" or [destination_ip] == "192.203.230.10" or [destination_ip] == "192.5.5.241" or [destination_ip] == "192.112.36.4" or [destination_ip] == "198.97.190.53" or [destination_ip] == "192.36.148.17" or [destination_ip] == "192.58.128.30" or [destination_ip] == "193.0.14.129" or [destination_ip] == "199.7.83.42" or [destination_ip] == "202.12.27.33" {
mutate {
add_tag => [ "root_dns_server" ]
}
}
}
# Customize this section to your environment
if [destination_ip] == "74.40.74.40" or [destination_ip] == "74.40.74.41" {
mutate {
add_tag => [ "authorized_dns_server" ]
}
}
}
if [source_ip] {
if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
mutate {
add_tag => [ "internal_source" ]
}
} else {
mutate {
add_tag => [ "external_source" ]
}
}
if "internal_source" not in [tags] {
if [source_ip] == "198.41.0.4" or [source_ip] == "192.228.79.201" or [source_ip] == "192.33.4.12" or [source_ip] == "199.7.91.13" or [source_ip] == "192.203.230.10" or [source_ip] == "192.5.5.241" or [source_ip] == "192.112.36.4" or [source_ip] == "198.97.190.53" or [source_ip] == "192.36.148.17" or [source_ip] == "192.58.128.30" or [source_ip] == "193.0.14.129" or [source_ip] == "199.7.83.42" or [source_ip] == "202.12.27.33" {
mutate {
add_tag => [ "root_dns_server" ]
}
}
}
# Customize this section to your environment
if [destination_ip] == "74.40.74.40" and "authorized_dns_server" not in [tags] or [destination_ip] == "74.40.74.41" and "authorized_dns_server" not in [tags] {
mutate {
add_tag => [ "authorized_dns_server" ]
}
}
mutate {
##add_tag => [ "conf_file_8200"]
}
}
if [type] =~ /ossec|snort|firewall/ or "firewall" in [tags] {
mutate {
remove_tag => [ "syslog" ]
}
}
}


@@ -1,19 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
ruby {
code => "event.set('task_end', Time.now.to_f)"
}
ruby {
code => "event.set('logstash_time', event.get('task_end') - event.get('task_start'))"
}
mutate {
remove_field => [ 'task_start', 'task_end' ]
}
mutate {
#add_tag => [ "conf_file_8998"]
}
}


@@ -1,8 +0,0 @@
# Author: Doug Burks
# Last Update: 12/10/2017
filter {
mutate {
rename => [ "type", "event_type" ]
}
}


@@ -1,31 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
mutate {
##add_tag => [ "conf_file_9000"]
}
}
}
output {
if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
# stdout { codec => rubydebug }
elasticsearch {
pipeline => "%{event_type}"
hosts => "{{ ES }}"
index => "logstash-bro-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"
template_overwrite => true
}
}
}


@@ -1,27 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if "switch" in [tags] and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9001"]
}
}
}
output {
if "switch" in [tags] and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-switch-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}
}
}


@@ -1,27 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Updated by: Doug Burks
# Last Update: 5/16/2017
filter {
if "import" in [tags] and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9002"]
}
}
}
output {
if "import" in [tags] and "test_data" not in [tags] {
# stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-import-%{+YYYY.MM.dd}"
template_name => "logstash-*"
template => "/logstash-template.json"
template_overwrite => true
}
}
}


@@ -1,27 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "sflow" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9004"]
}
}
}
output {
if [event_type] == "sflow" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-flow-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}
}
}


@@ -1,26 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "dhcp" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9026"]
}
}
}
output {
if [event_type] == "dhcp" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
}
}
}


@@ -1,25 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "esxi" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9029"]
}
}
}
output {
if [event_type] == "esxi" and "test_data" not in [tags] {
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
}
}
}


@@ -1,25 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "greensql" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9030"]
}
}
}
output {
if [event_type] == "greensql" and "test_data" not in [tags] {
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
}
}
}


@@ -1,26 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "iis" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9031"]
}
}
}
output {
if [event_type] == "iis" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
}
}
}


@@ -1,26 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "mcafee" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9032"]
}
}
}
output {
if [event_type] == "mcafee" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
}
}
}


@@ -1,29 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "ids" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9033"]
}
}
}
output {
if [event_type] == "ids" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-ids-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"
template_overwrite => true
}
}
}


@@ -1,28 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/15/2017
filter {
if "syslog" in [tags] and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9034"]
}
}
}
output {
if "syslog" in [tags] and "test_data" not in [tags] {
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-syslog-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"
template_overwrite => true
}
}
}


@@ -1,19 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Josh Brower
# Last Update: 12/29/2018
# Output to ES for osquery tagged logs
output {
if "osquery" in [tags] {
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-osquery-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}
}
}


@@ -1,29 +0,0 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if "firewall" in [tags] and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9200"]
}
}
}
output {
if "firewall" in [tags] and "test_data" not in [tags] {
# stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-firewall-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"
template_overwrite => true
}
}
}
