Merge branch 'dev' into foxtrot

William Wernert
2021-03-12 11:36:26 -05:00
7 changed files with 109 additions and 35 deletions


@@ -0,0 +1,70 @@
{
"description" : "http.status",
"processors" : [
{ "set": { "if": "ctx.http.status_code == 100", "field": "http.status_message", "value": "Continue" } },
{ "set": { "if": "ctx.http.status_code == 101", "field": "http.status_message", "value": "Switching Protocols" } },
{ "set": { "if": "ctx.http.status_code == 102", "field": "http.status_message", "value": "Processing" } },
{ "set": { "if": "ctx.http.status_code == 103", "field": "http.status_message", "value": "Early Hints" } },
{ "set": { "if": "ctx.http.status_code == 200", "field": "http.status_message", "value": "OK" } },
{ "set": { "if": "ctx.http.status_code == 201", "field": "http.status_message", "value": "Created" } },
{ "set": { "if": "ctx.http.status_code == 202", "field": "http.status_message", "value": "Accepted" } },
{ "set": { "if": "ctx.http.status_code == 203", "field": "http.status_message", "value": "Non-Authoritative Information" } },
{ "set": { "if": "ctx.http.status_code == 204", "field": "http.status_message", "value": "No Content" } },
{ "set": { "if": "ctx.http.status_code == 205", "field": "http.status_message", "value": "Reset Content" } },
{ "set": { "if": "ctx.http.status_code == 206", "field": "http.status_message", "value": "Partial Content" } },
{ "set": { "if": "ctx.http.status_code == 207", "field": "http.status_message", "value": "Multi-Status" } },
{ "set": { "if": "ctx.http.status_code == 208", "field": "http.status_message", "value": "Already Reported" } },
{ "set": { "if": "ctx.http.status_code == 226", "field": "http.status_message", "value": "IM Used" } },
{ "set": { "if": "ctx.http.status_code == 300", "field": "http.status_message", "value": "Multiple Choices" } },
{ "set": { "if": "ctx.http.status_code == 301", "field": "http.status_message", "value": "Moved Permanently" } },
{ "set": { "if": "ctx.http.status_code == 302", "field": "http.status_message", "value": "Found" } },
{ "set": { "if": "ctx.http.status_code == 303", "field": "http.status_message", "value": "See Other" } },
{ "set": { "if": "ctx.http.status_code == 304", "field": "http.status_message", "value": "Not Modified" } },
{ "set": { "if": "ctx.http.status_code == 305", "field": "http.status_message", "value": "Use Proxy" } },
{ "set": { "if": "ctx.http.status_code == 306", "field": "http.status_message", "value": "(Unused)" } },
{ "set": { "if": "ctx.http.status_code == 307", "field": "http.status_message", "value": "Temporary Redirect" } },
{ "set": { "if": "ctx.http.status_code == 308", "field": "http.status_message", "value": "Permanent Redirect" } },
{ "set": { "if": "ctx.http.status_code == 400", "field": "http.status_message", "value": "Bad Request" } },
{ "set": { "if": "ctx.http.status_code == 401", "field": "http.status_message", "value": "Unauthorized" } },
{ "set": { "if": "ctx.http.status_code == 402", "field": "http.status_message", "value": "Payment Required" } },
{ "set": { "if": "ctx.http.status_code == 403", "field": "http.status_message", "value": "Forbidden" } },
{ "set": { "if": "ctx.http.status_code == 404", "field": "http.status_message", "value": "Not Found" } },
{ "set": { "if": "ctx.http.status_code == 405", "field": "http.status_message", "value": "Method Not Allowed" } },
{ "set": { "if": "ctx.http.status_code == 406", "field": "http.status_message", "value": "Not Acceptable" } },
{ "set": { "if": "ctx.http.status_code == 407", "field": "http.status_message", "value": "Proxy Authentication Required" } },
{ "set": { "if": "ctx.http.status_code == 408", "field": "http.status_message", "value": "Request Timeout" } },
{ "set": { "if": "ctx.http.status_code == 409", "field": "http.status_message", "value": "Conflict" } },
{ "set": { "if": "ctx.http.status_code == 410", "field": "http.status_message", "value": "Gone" } },
{ "set": { "if": "ctx.http.status_code == 411", "field": "http.status_message", "value": "Length Required" } },
{ "set": { "if": "ctx.http.status_code == 412", "field": "http.status_message", "value": "Precondition Failed" } },
{ "set": { "if": "ctx.http.status_code == 413", "field": "http.status_message", "value": "Payload Too Large" } },
{ "set": { "if": "ctx.http.status_code == 414", "field": "http.status_message", "value": "URI Too Long" } },
{ "set": { "if": "ctx.http.status_code == 415", "field": "http.status_message", "value": "Unsupported Media Type" } },
{ "set": { "if": "ctx.http.status_code == 416", "field": "http.status_message", "value": "Range Not Satisfiable" } },
{ "set": { "if": "ctx.http.status_code == 417", "field": "http.status_message", "value": "Expectation Failed" } },
{ "set": { "if": "ctx.http.status_code == 421", "field": "http.status_message", "value": "Misdirected Request" } },
{ "set": { "if": "ctx.http.status_code == 422", "field": "http.status_message", "value": "Unprocessable Entity" } },
{ "set": { "if": "ctx.http.status_code == 423", "field": "http.status_message", "value": "Locked" } },
{ "set": { "if": "ctx.http.status_code == 424", "field": "http.status_message", "value": "Failed Dependency" } },
{ "set": { "if": "ctx.http.status_code == 425", "field": "http.status_message", "value": "Too Early" } },
{ "set": { "if": "ctx.http.status_code == 426", "field": "http.status_message", "value": "Upgrade Required" } },
{ "set": { "if": "ctx.http.status_code == 427", "field": "http.status_message", "value": "Unassigned" } },
{ "set": { "if": "ctx.http.status_code == 428", "field": "http.status_message", "value": "Precondition Required" } },
{ "set": { "if": "ctx.http.status_code == 429", "field": "http.status_message", "value": "Too Many Requests" } },
{ "set": { "if": "ctx.http.status_code == 430", "field": "http.status_message", "value": "Unassigned" } },
{ "set": { "if": "ctx.http.status_code == 431", "field": "http.status_message", "value": "Request Header Fields Too Large" } },
{ "set": { "if": "ctx.http.status_code == 451", "field": "http.status_message", "value": "Unavailable For Legal Reasons" } },
{ "set": { "if": "ctx.http.status_code == 500", "field": "http.status_message", "value": "Internal Server Error" } },
{ "set": { "if": "ctx.http.status_code == 501", "field": "http.status_message", "value": "Not Implemented" } },
{ "set": { "if": "ctx.http.status_code == 502", "field": "http.status_message", "value": "Bad Gateway" } },
{ "set": { "if": "ctx.http.status_code == 503", "field": "http.status_message", "value": "Service Unavailable" } },
{ "set": { "if": "ctx.http.status_code == 504", "field": "http.status_message", "value": "Gateway Timeout" } },
{ "set": { "if": "ctx.http.status_code == 505", "field": "http.status_message", "value": "HTTP Version Not Supported" } },
{ "set": { "if": "ctx.http.status_code == 506", "field": "http.status_message", "value": "Variant Also Negotiates" } },
{ "set": { "if": "ctx.http.status_code == 507", "field": "http.status_message", "value": "Insufficient Storage" } },
{ "set": { "if": "ctx.http.status_code == 508", "field": "http.status_message", "value": "Loop Detected" } },
{ "set": { "if": "ctx.http.status_code == 509", "field": "http.status_message", "value": "Unassigned" } },
{ "set": { "if": "ctx.http.status_code == 510", "field": "http.status_message", "value": "Not Extended" } },
{ "set": { "if": "ctx.http.status_code == 511", "field": "http.status_message", "value": "Network Authentication Required" } }
]
}
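Review bot: Every `if` in this pipeline dereferences `ctx.http.status_code` without the null-safe operator, so a document that reaches it without an `http` object fails the whole pipeline with a null pointer error; the only protection is the `ctx.http?.status_code != null` guard in the calling suricata.http pipeline, which a future caller can forget, so each condition should read `ctx.http?.status_code == 100` or the pipeline should be entered through one such guard. The entries for 427, 430 and 509 set `http.status_message` to `Unassigned`, which dresses an unregistered or custom status code in a plausible-looking reason phrase instead of leaving the field absent; dropping those three (and the `(Unused)` entry for 306) keeps an empty `http.status_message` as a useful signal when hunting for odd codes. Sixty-odd `set` processors each evaluate a Painless condition on every HTTP event; a single `script` processor with the same table in `params` does the lookup in one step and needs no per-code condition, as sketched below with a few table rows standing for the full list from this file.
```json
{ "script": {
    "if": "ctx.http?.status_code != null",
    "lang": "painless",
    "params": { "messages": {
      "100": "Continue", "101": "Switching Protocols",
      "200": "OK", "201": "Created",
      "404": "Not Found", "500": "Internal Server Error"
    } },
    "source": "def msg = params.messages[String.valueOf(ctx.http.status_code)]; if (msg != null) { ctx.http.status_message = msg; }"
} }
```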


@@ -1,13 +1,14 @@
{
"description" : "suricata.dhcp",
"processors" : [
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.dhcp.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } },
{ "rename": { "field": "message2.dhcp.client_mac", "target_field": "host.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.dhcp.dhcp_type", "target_field": "dhcp.message_types", "ignore_missing": true } },
{ "rename": { "field": "message2.dhcp.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } },
{ "rename": { "field": "message2.dhcp.type", "target_field": "dhcp.type", "ignore_missing": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.dhcp.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } },
{ "rename": { "field": "message2.dhcp.client_ip", "target_field": "client.address", "ignore_missing": true } },
{ "rename": { "field": "message2.dhcp.client_mac", "target_field": "host.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.dhcp.dhcp_type", "target_field": "dhcp.message_types", "ignore_missing": true } },
{ "rename": { "field": "message2.dhcp.hostname", "target_field": "host.hostname", "ignore_missing": true } },
{ "rename": { "field": "message2.dhcp.type", "target_field": "dhcp.type", "ignore_missing": true } },
{ "rename": { "field": "message2.dhcp.id", "target_field": "dhcp.id", "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]
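Review bot: The new rename of `message2.dhcp.hostname` to `host.hostname` puts a client-supplied, unauthenticated DHCP option into the field that dashboards and correlation typically treat as host identity, so any device on the segment can inject an arbitrary string there; every other DHCP attribute in this pipeline lands under `dhcp.*`, and `{ "rename": { "field": "message2.dhcp.hostname", "target_field": "dhcp.hostname", "ignore_missing": true } }` would keep the value available without lending it that authority. If the `common` pipeline also fills `host.*` for the sensor, this rename either overwrites that value or is overwritten by it depending on order, which is worth confirming before relying on either. The hunk ends at `]` with no closing brace visible, so the remainder of the file is outside this view.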


@@ -1,17 +1,18 @@
{
"description" : "suricata.http",
"processors" : [
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.http.hostname", "target_field": "http.virtual_host", "ignore_missing": true } },
{ "rename": { "field": "message2.http.http_user_agent", "target_field": "http.useragent", "ignore_missing": true } },
{ "rename": { "field": "message2.http.url", "target_field": "http.uri", "ignore_missing": true } },
{ "rename": { "field": "message2.http.http_content_type", "target_field": "file.resp_mime_types", "ignore_missing": true } },
{ "rename": { "field": "message2.http.http_user_agent", "target_field": "http.useragent", "ignore_missing": true } },
{ "rename": { "field": "message2.http.url", "target_field": "http.uri", "ignore_missing": true } },
{ "rename": { "field": "message2.http.http_content_type", "target_field": "file.resp_mime_types", "ignore_missing": true } },
{ "rename": { "field": "message2.http.http_refer", "target_field": "http.referrer", "ignore_missing": true } },
{ "rename": { "field": "message2.http.http_method", "target_field": "http.method", "ignore_missing": true } },
{ "rename": { "field": "message2.http.protocol", "target_field": "http.version", "ignore_missing": true } },
{ "rename": { "field": "message2.http.http_method", "target_field": "http.method", "ignore_missing": true } },
{ "rename": { "field": "message2.http.protocol", "target_field": "http.version", "ignore_missing": true } },
{ "rename": { "field": "message2.http.status", "target_field": "http.status_code", "ignore_missing": true } },
{ "rename": { "field": "message2.http.length", "target_field": "http.request.body.length", "ignore_missing": true } },
{ "rename": { "field": "message2.http.length", "target_field": "http.request.body.length", "ignore_missing": true } },
{ "pipeline": { "if": "ctx.http?.status_code != null", "name": "http.status" } },
{ "pipeline": { "name": "common" } }
]
}
}
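Review bot: The `length` rename still targets `http.request.body.length`, but if Suricata's EVE `http.length` is the response body size as its documentation describes, the field is mislabelled and a response-size detection built on it will read request sizes that were never recorded; `http.response.body.bytes` would be the matching ECS name, so confirm which side `length` describes before indexing more data under the current name. The new `http.status` call is correctly guarded with `ctx.http?.status_code != null`, but it only protects against a missing field: if `message2.http.status` ever arrives as a string, the equality tests in the sub-pipeline never match and `http.status_message` is silently absent, so a `convert` to integer ahead of the call would make that failure visible. Most of the remaining lines in this hunk are whitespace-only churn, which makes the one functional line harder to spot in review.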



@@ -25,8 +25,8 @@ events {
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
@@ -172,6 +172,8 @@ http {
location / {
auth_request /auth/sessions/whoami;
auth_request_set $userid $upstream_http_x_kratos_authenticated_identity_id;
proxy_set_header x-user-id $userid;
proxy_pass http://{{ manager_ip }}:9822/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
@@ -231,15 +233,15 @@ http {
}
{%- if airgap is sameas true %}
location /repo/ {
allow all;
sendfile on;
sendfile_max_chunk 1m;
autoindex on;
autoindex_exact_size off;
autoindex_format html;
autoindex_localtime on;
}
location /repo/ {
allow all;
sendfile on;
sendfile_max_chunk 1m;
autoindex on;
autoindex_exact_size off;
autoindex_format html;
autoindex_localtime on;
}
{%- endif %}
location /grafana/ {
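Review bot: The new `proxy_set_header x-user-id $userid;` makes the backend on `{{ manager_ip }}:9822` trust a plain request header as the authenticated identity, which is only safe if that port is reachable exclusively through this nginx; anyone who can reach 9822 directly can set `x-user-id` to any value and impersonate that identity, so the backend binding or host firewall should be checked alongside this change. If the `auth_request` succeeds but Kratos does not return the identity header, `$userid` is empty and nginx omits the header entirely, so the backend must treat a missing `x-user-id` as unauthenticated rather than falling back to a default. A comment such as `# identity is asserted by nginx only; 9822 must not be exposed beyond this proxy` above the `location /` block would record that assumption. The `/repo/` block with `allow all;` and `autoindex on;` is unchanged apart from indentation and is gated on the airgap flag.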


@@ -61,7 +61,7 @@ suricata:
- sip
- dhcp:
enabled: "yes"
# extended: "no"
extended: "yes"
- ssh
#- stats:
# totals: "yes"
@@ -69,4 +69,4 @@ suricata:
# deltas: "no"
- flow
#- netflow
#- metadata
#- metadata
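Review bot: Switching the dhcp output to `extended: "yes"` presumably makes Suricata log every DHCP message type and the client-supplied options rather than a summary of leases, which is what the new `client_ip`/`hostname` renames in the dhcp pipeline depend on, but it also multiplies DHCP event volume on busy segments; a short comment such as `# extended logging needed for client_ip/hostname fields consumed by the dhcp ingest pipeline` would tie the two changes together for whoever tunes this later. Because the hostname option is attacker-controlled, enabling it is also the point at which unauthenticated client strings start entering the index, so downstream mappings of that field deserve a second look. The trailing `#- metadata` hunk is whitespace-only.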