Improve support for Suricata metadata #2200

2025-12-06 17:22:49 +01:00 · 2021-02-22 10:27:24 -05:00
parent d4ee2b86e6
commit 3467f30603
5 changed files with 38 additions and 36 deletions
--- a/salt/elasticsearch/files/ingest/zeek.dns.tld
+++ b/salt/elasticsearch/files/ingest/zeek.dns.tld
--- a/salt/elasticsearch/files/ingest/suricata.dns
+++ b/salt/elasticsearch/files/ingest/suricata.dns
@@ -14,6 +14,7 @@
    { "rename": 	{ "field": "message2.dns.rcode", 	"target_field": "dns.response.code",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.grouped.A", 	"target_field": "dns.answers.data",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.grouped.CNAME", 	"target_field": "dns.answers.name",		"ignore_missing": true 	} },
    { "pipeline": 	{ "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld"			} },
    { "pipeline": { "name": "common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/suricata.fileinfo
+++ b/salt/elasticsearch/files/ingest/suricata.fileinfo
@@ -13,6 +13,7 @@
    { "rename": 	{ "field": "message2.fileinfo.size", 		"target_field": "file.size",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.fileinfo.state", 		"target_field": "file.state",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.fileinfo.stored", 		"target_field": "file.saved",		"ignore_missing": true 	} },
    { "set":		{ "if": "ctx.network?.protocol != null", 	"field": "file.source",	"value": "{{network.protocol}}"  	} },
    { "pipeline": { "name": "common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/suricata.tls
+++ b/salt/elasticsearch/files/ingest/suricata.tls
@@ -7,7 +7,7 @@
    { "rename":         { "field": "message2.tls.subject",              "target_field": "ssl.certificate.subject",		"ignore_missing": true  } },
    { "rename":         { "field": "message2.tls.serial",               "target_field": "ssl.certificate.serial",		"ignore_missing": true  } },
    { "rename":         { "field": "message2.tls.fingerprint",          "target_field": "ssl.certificate.fingerprint",		"ignore_missing": true  } },
-    { "rename":         { "field": "message2.tls.version",                "target_field": "ssl.certificate.version",             "ignore_missing": true  } },
+    { "rename":         { "field": "message2.tls.version",              "target_field": "ssl.version",				"ignore_missing": true  } },
    { "rename":         { "field": "message2.tls.ja3.hash",             "target_field": "hash.ja3",				"ignore_missing": true  } },
    { "rename":         { "field": "message2.tls.ja3.hash.string",      "target_field": "hash.ja3_string",			"ignore_missing": true  } },
    { "rename":         { "field": "message2.tls.ja3s.hash",            "target_field": "hash.ja3s",				"ignore_missing": true  } },
--- a/salt/elasticsearch/files/ingest/zeek.dns
+++ b/salt/elasticsearch/files/ingest/zeek.dns
@@ -23,7 +23,7 @@
    { "rename": 	{ "field": "message2.TTLs", 		"target_field": "dns.ttls",			"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.rejected", 	"target_field": "dns.query.rejected",		"ignore_missing": true 	} },
    { "script": 	{ "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()",	"ignore_failure": true  } },
-    { "pipeline": { "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "zeek.dns.tld" } },
+    { "pipeline": { "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld" } },
    { "pipeline":       { "name": "zeek.common"											} }
  ]
 }