From 35e131b888e6ec31ff65e8cf087da35a5e4480e3 Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 16 Nov 2022 21:09:30 +0000
Subject: [PATCH] Update ingest node pipelines for ICS/SCADA protocols
---
 .../files/ingest/zeek.bsap_serial_header | 4 ++--
 .../files/ingest/zeek.ecat_aoe_info | 12 +++++-----
 .../files/ingest/zeek.ecat_arp_info | 8 +++---
 .../files/ingest/zeek.ecat_log_address | 4 ++--
 .../files/ingest/zeek.ecat_registers | 4 ++--
 .../files/ingest/zeek.opcua_browse | 14 +++++------
 .../zeek.opcua_get_endpoints_description | 23 ++++++++++---------
 .../files/ingest/zeek.opcua_read | 10 ++++++++
 .../ingest/zeek.opcua_read_nodes_to_read | 16 +++++++++++++
 .../files/ingest/zeek.opcua_read_results | 12 ++++++++++
 .../files/ingest/zeek.opcua_read_results_link | 10 ++++++++
 11 files changed, 83 insertions(+), 34 deletions(-)
 create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_read
 create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_read_nodes_to_read
 create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_read_results
 create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_read_results_link
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_header b/salt/elasticsearch/files/ingest/zeek.bsap_serial_header
index 1c81dbf2a..8647e94c8 100644
--- a/salt/elasticsearch/files/ingest/zeek.bsap_serial_header
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_header
@@ -5,7 +5,7 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.ser", "target_field": "bsap.message.serial.number", "ignore_missing": true } },
 { "rename": { "field": "message2.dadd", "target_field": "bsap.destination.address", "ignore_missing": true } },
- { "rename": { "field": "message2.sadd", "target_field": "bsap.scource.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.sadd", "target_field": "bsap.source.address", "ignore_missing": true } },
 { "rename": { "field": "message2.ctl", "target_field": "bsap.control.byte", "ignore_missing": true } },
 { "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
 { "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
@@ -14,4 +14,4 @@
 { "rename": { "field": "message2.type_name", "target_field": "bsap.message.type", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
-}
\ No newline at end of file
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info b/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info
index 009cd311f..c5f9b9dc3 100644
--- a/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info
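Review bot: Correcting `bsap.scource.address` to `bsap.source.address` changes the indexed field name, so any index-template mapping, dashboard or detection rule elsewhere in this tree that still references `bsap.scource.address` stops matching silently, and documents indexed before the change keep the old name; the commit message should say so, or a migration note should accompany the change. The same consideration applies to the `ecat.srcmac`/`ecat.dstmac` renames in the ecat_log_address and ecat_registers hunks and to the `ecat.target.*`/`ecat.sender.*` renames in the ecat_aoe_info hunk. BSAP addresses stay under `bsap.*` while the EtherCAT hunks in this commit move to ECS `source.*`/`destination.*`; if that is deliberate because a BSAP address is neither an IP nor a MAC, a sentence in the commit message would spare the next maintainer from "fixing" it. The second hunk only adds the missing trailing newline and needs no review.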
@@ -3,12 +3,12 @@
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.targetid", "target_field": "ecat.target.id", "ignore_missing": true } },
- { "rename": { "field": "message2.targetport", "target_field": "ecat.target.port", "ignore_missing": true } },
- { "convert": { "field": "ecat.target.port", "type": "integer", "ignore_missing": true } },
- { "rename": { "field": "message2.senderid", "target_field": "ecat.sender.id", "ignore_missing": true } },
- { "rename": { "field": "message2.senderport", "target_field": "ecat.sender.port", "ignore_missing": true } },
- { "convert": { "field": "ecat.sender.port", "type": "integer", "ignore_missing": true } },
+ { "rename": { "field": "message2.targetid", "target_field": "destination.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.targetport", "target_field": "destination.port", "ignore_missing": true } },
+ { "convert": { "field": "destination.port", "type": "integer", "ignore_missing": true } },
+ { "rename": { "field": "message2.senderid", "target_field": "source.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.senderport", "target_field": "source.port", "ignore_missing": true } },
+ { "convert": { "field": "source.port", "type": "integer", "ignore_missing": true } },
 { "rename": { "field": "message2.cmd", "target_field": "ecat.command", "ignore_missing": true } },
 { "rename": { "field": "message2.stateflags", "target_field": "ecat.state.flags", "ignore_missing": true } },
 { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_arp_info b/salt/elasticsearch/files/ingest/zeek.ecat_arp_info
index 522efecf5..cbc3676ab 100644
--- a/salt/elasticsearch/files/ingest/zeek.ecat_arp_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_arp_info
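Review bot: Renaming `message2.targetid`/`message2.senderid` onto ECS `destination.mac`/`source.mac` looks wrong if these fields are AoE AMS Net IDs (six dotted decimal octets, which is what the Zeek ICSNPP EtherCAT `ecat_aoe_info` log appears to carry) rather than Ethernet addresses — confirm against the Zeek log; if so, searches and correlations on `source.mac` would mix two different address spaces, and `ecat.aoe.target.id`/`ecat.aoe.sender.id` (or ECS `destination.address`/`source.address`) would be the safer home. The two `convert` processors on `destination.port`/`source.port` have neither `ignore_failure` nor `on_failure`, so a non-numeric port value fails the whole document and the event is dropped without trace; `{ "convert": { "field": "destination.port", "type": "integer", "ignore_missing": true, "ignore_failure": true } },` (and the same for `source.port`) keeps the event indexed when the value is unusable.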
@@ -4,11 +4,11 @@
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.arp_type", "target_field": "ecat.arp.type", "ignore_missing": true } },
- { "rename": { "field": "message2.mac_src", "target_field": "ecat.srcmac", "ignore_missing": true } },
- { "rename": { "field": "message2.mac_dst", "target_field": "ecat.dstmac", "ignore_missing": true } },
- { "rename": { "field": "message2.SPA", "target_field": "ecat.sender.protocol.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.mac_src", "target_field": "source.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.mac_dst", "target_field": "destination.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.SPA", "target_field": "source.ip", "ignore_missing": true } },
 { "rename": { "field": "message2.SHA", "target_field": "ecat.sender.hardware.address", "ignore_missing": true } },
- { "rename": { "field": "message2.TPA", "target_field": "ecat.target.protocol.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.TPA", "target_field": "destination.ip", "ignore_missing": true } },
 { "rename": { "field": "message2.THA", "target_field": "ecat.target.hardware.address", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_log_address b/salt/elasticsearch/files/ingest/zeek.ecat_log_address
index 141eeda00..ad0ee161f 100644
--- a/salt/elasticsearch/files/ingest/zeek.ecat_log_address
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_log_address
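Review bot: Keeping the ARP-payload `SHA`/`THA` in `ecat.sender.hardware.address`/`ecat.target.hardware.address` while the Ethernet-header `mac_src`/`mac_dst` go to `source.mac`/`destination.mac` is the right split — a mismatch between the frame's source MAC and the ARP sender hardware address is what ARP-spoofing detection on this segment keys on — but the new naming hides that these two fields are the ARP counterparts of `source.mac`/`destination.mac`; `ecat.arp.sender.hardware.address`/`ecat.arp.target.hardware.address`, next to the existing `ecat.arp.type`, would make the relationship visible. If `source.ip`/`destination.ip` are mapped as type `ip` in the index template (outside this diff), a malformed or empty `SPA`/`TPA` value now fails the document rather than landing in a keyword field, and these `rename` processors have no `on_failure`; worth confirming how the template treats them.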
@@ -3,8 +3,8 @@
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.srcmac", "target_field": "ecat.srcmac", "ignore_missing": true } },
- { "rename": { "field": "message2.dstmac", "target_field": "ecat.dstmac", "ignore_missing": true } },
+ { "rename": { "field": "message2.srcmac", "target_field": "source.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.dstmac", "target_field": "destination.mac", "ignore_missing": true } },
 { "rename": { "field": "message2.Log_Addr", "target_field": "ecat.log.address", "ignore_missing": true } },
 { "rename": { "field": "message2.Length", "target_field": "ecat.length", "ignore_missing": true } },
 { "rename": { "field": "message2.Command", "target_field": "ecat.command", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_registers b/salt/elasticsearch/files/ingest/zeek.ecat_registers
index 4b4d4eebe..d0a11ba83 100644
--- a/salt/elasticsearch/files/ingest/zeek.ecat_registers
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_registers
@@ -3,8 +3,8 @@
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.srcmac", "target_field": "ecat.srcmac", "ignore_missing": true } },
- { "rename": { "field": "message2.dstmac", "target_field": "ecat.dstmac", "ignore_missing": true } },
+ { "rename": { "field": "message2.srcmac", "target_field": "source.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.dstmac", "target_field": "destination.mac", "ignore_missing": true } },
 { "rename": { "field": "message2.Command", "target_field": "ecat.command", "ignore_missing": true } },
 { "rename": { "field": "message2.Slave_Addr", "target_field": "ecat.slave.address", "ignore_missing": true } },
 { "rename": { "field": "message2.Register_Type", "target_field": "ecat.register.type", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_browse b/salt/elasticsearch/files/ingest/zeek.opcua_browse
index fa0f8bf81..80cd86fd5 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_browse
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_browse
@@ -4,13 +4,13 @@
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
 { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
- { "rename": { "field": "browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } },
- { "rename": { "field": "browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
- { "rename": { "field": "browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } },
- { "rename": { "field": "browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } },
- { "rename": { "field": "browse_description_link_id", "target_field": "opcua.description.link_id", "ignore_missing": true } },
- { "rename": { "field": "req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.description.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description
index ef3755c8d..c84a9f16a 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description
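Review bot: Now that the `message2.` prefixes are in place these renames actually fire, which exposes an inconsistency in the target names they populate: `browse_view_description_timestamp` lands in `opcua.view.description_timestamp` while `browse_view_description_view_version` lands in `opcua.description.view_version`, so two sibling fields of one Zeek record end up under two different sub-objects. Both `opcua.view` and `opcua.description` thereby become objects in the mapping; any other pipeline in this tree that writes a scalar to either path would produce a mapping conflict (hedged, since those pipelines are outside this diff). Putting both under one object, e.g. `"target_field": "opcua.browse.view.description_timestamp"` and `"target_field": "opcua.browse.view.description_view_version"`, or keeping them flat under `opcua.`, removes the ambiguity. The hunk starts on the previous source line.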
@@ -4,17 +4,18 @@
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
 { "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.final", "ignore_missing": true } },
- { "rename": { "field": "message2.product_uri", "target_field": "opcua.message_size", "ignore_missing": true } },
- { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.sender.buffer_size", "ignore_missing": true } },
- { "rename": { "field": "message2.locale", "target_field": "opcua.sequence_number", "ignore_missing": true } },
- { "rename": { "field": "message2.text", "target_field": "opcua.secure_channel.id", "ignore_missing": true } },
- { "rename": { "field": "message2.application_type", "target_field": "opcua.sequence_number", "ignore_missing": true } },
- { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.request_id", "ignore_missing": true } },
- { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.namespace_index", "ignore_missing": true } },
- { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.security_level", "target_field": "opcua.identifier", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
+ { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.transport_profile_uri", "target_field": "transport_profile_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_read b/salt/elasticsearch/files/ingest/zeek.opcua_read
new file mode 100644
index 000000000..e5d1c15fe
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_read
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_read",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results.link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_read_nodes_to_read b/salt/elasticsearch/files/ingest/zeek.opcua_read_nodes_to_read
new file mode 100644
index 000000000..a531531ef
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_read_nodes_to_read
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.opcua_read_nodes_to_read",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.nodes_to_read_link_id", "target_field": "opcua.nodes_to_read.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.node_id_encoding_mask", "target_field": "opcua.node_id.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.node_id_namespace_idx", "target_field": "opcua.node_id.namespace_idx", "ignore_missing": true } },
+ { "rename": { "field": "message2.node_id_string", "target_field": "opcua.node_id.string", "ignore_missing": true } },
+ { "rename": { "field": "message2.attribute_id", "target_field": "opcua.attribute_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.attribute_id_str", "target_field": "opcua.attribute_id_str", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_encoding_name_idx", "target_field": "opcua.encoding_name_idx", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_encoding_name", "target_field": "opcua.encoding_name", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_read_results b/salt/elasticsearch/files/ingest/zeek.opcua_read_results
new file mode 100644
index 000000000..28c417eba
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_read_results
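Review bot: `message2.data_encoding_name_idx` and `message2.data_encoding_name` are renamed to `opcua.encoding_name_idx`/`opcua.encoding_name`, dropping the `data_` qualifier, while the `node_id_*` fields in the same file keep theirs as `opcua.node_id.*` and the get_endpoints pipeline already uses the similarly named `opcua.encoding_mask` for a different concept; a reader of the index cannot tell which Zeek field `opcua.encoding_name` came from. Keeping the source name, e.g. `"target_field": "opcua.data_encoding.name_idx"` and `"target_field": "opcua.data_encoding.name"`, follows the `opcua.node_id.*` convention used three lines above.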
@@ -0,0 +1,12 @@
+{
+ "description" : "zeek.opcua_read_results",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.level", "target_field": "opcua.level", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_value_encoding_mask", "target_field": "opcua.data_value_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_read_results_link b/salt/elasticsearch/files/ingest/zeek.opcua_read_results_link
new file mode 100644
index 000000000..0a1edc57b
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_read_results_link
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_read_results_link",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results.link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
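Review bot: `message2.status_code_link_id` is renamed to `opcua.status_code.link_id`, which makes `opcua.status_code` an object in the index mapping; if another opcua pipeline in this tree writes the status code itself as a scalar to `opcua.status_code` (a status-code detail log would be the natural place), the two mappings conflict and whichever document arrives second is rejected — hedged, since those pipelines are outside this diff. A flat `"target_field": "opcua.status_code_link_id"`, matching `opcua.data_value_encoding_mask` one line above, avoids the risk without losing the join key. The same consideration applies to `opcua.results.link_id` and `opcua.read_results.link_id` in this file and in the opcua_read_results_link hunk below, where `opcua.results` and `opcua.read_results` likewise become objects.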