From c29f11863e96b86540fae76386c5e5ec3b8fe7d4 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 17 Jul 2025 10:47:00 -0500
Subject: [PATCH] ja4 ignore empty strings
---
 salt/elasticsearch/files/ingest/zeek.conn | 8 ++++----
 salt/elasticsearch/files/ingest/zeek.http | 2 +-
 salt/elasticsearch/files/ingest/zeek.http2 | 2 +-
 salt/elasticsearch/files/ingest/zeek.ja4ssh | 2 +-
 salt/elasticsearch/files/ingest/zeek.ssl | 4 ++--
 salt/elasticsearch/files/ingest/zeek.x509 | 2 +-
 6 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.conn b/salt/elasticsearch/files/ingest/zeek.conn
index fe3d3b832..57558e863 100644
--- a/salt/elasticsearch/files/ingest/zeek.conn
+++ b/salt/elasticsearch/files/ingest/zeek.conn
@@ -24,10 +24,10 @@
 { "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } },
 { "rename": { "field": "message2.sensorname", "target_field": "observer.name", "ignore_missing": true } },
 { "rename": { "field": "message2.vlan", "target_field": "network.vlan.id", "ignore_missing": true } },
- { "rename": { "field": "message2.ja4l", "target_field": "hash.ja4l", "ignore_missing" : true }},
- { "rename": { "field": "message2.ja4ls", "target_field": "hash.ja4ls", "ignore_missing" : true }},
- { "rename": { "field": "message2.ja4t", "target_field": "hash.ja4t", "ignore_missing" : true }},
- { "rename": { "field": "message2.ja4ts", "target_field": "hash.ja4ts", "ignore_missing" : true }},
+ { "rename": { "field": "message2.ja4l", "target_field": "hash.ja4l", "ignore_missing" : true, "if": "ctx.message2?.ja4l != null && ctx.message2.ja4l.length() > 0" }},
+ { "rename": { "field": "message2.ja4ls", "target_field": "hash.ja4ls", "ignore_missing" : true, "if": "ctx.message2?.ja4ls != null && ctx.message2.ja4ls.length() > 0" }},
+ { "rename": { "field": "message2.ja4t", "target_field": "hash.ja4t", "ignore_missing" : true, "if": "ctx.message2?.ja4t != null && ctx.message2.ja4t.length() > 0" }},
+ { "rename": { "field": "message2.ja4ts", "target_field": "hash.ja4ts", "ignore_missing" : true, "if": "ctx.message2?.ja4ts != null && ctx.message2.ja4ts.length() > 0" }},
 { "script": { "lang": "painless", "source": "ctx.network.bytes = (ctx.client.bytes + ctx.server.bytes)", "ignore_failure": true } },
 { "set": { "if": "ctx.connection?.state == 'S0'", "field": "connection.state_description", "value": "Connection attempt seen, no reply" } },
 { "set": { "if": "ctx.connection?.state == 'S1'", "field": "connection.state_description", "value": "Connection established, not terminated" } },
diff --git a/salt/elasticsearch/files/ingest/zeek.http b/salt/elasticsearch/files/ingest/zeek.http
index 8b2a320f9..40642052a 100644
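Review bot: The new `if` guards on the four ja4 renames call `.length()` on whatever `message2.ja4l` (and ja4ls/ja4t/ja4ts) holds, so if the upstream `json` processor ever yields a non-string there the condition itself throws, and with no `on_failure` handler visible on these processors the whole conn event fails ingestion instead of merely skipping the rename. A type-safe form avoids that: `"if": "ctx.message2?.ja4l instanceof String && !ctx.message2.ja4l.isEmpty()"`, applied likewise to the other three lines here and to the ja4h, ja4ssh, ja4, ja4s and ja4x renames in the zeek.http, zeek.http2, zeek.ja4ssh, zeek.ssl and zeek.x509 hunks. This hunk also writes `ctx.message2?.` where every other file in the patch writes `ctx?.message2?.`; both behave the same since ctx is never null in an ingest pipeline, but one form should be used throughout. Note that a skipped rename leaves the empty value under `message2.ja4l` rather than dropping it, which is only harmless if `message2` is removed later in the pipeline chain, something this hunk does not show.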
--- a/salt/elasticsearch/files/ingest/zeek.http
+++ b/salt/elasticsearch/files/ingest/zeek.http
@@ -27,7 +27,7 @@
 { "rename": { "field": "message2.resp_fuids", "target_field": "log.id.resp_fuids", "ignore_missing": true } },
 { "rename": { "field": "message2.resp_filenames", "target_field": "file.resp_filenames", "ignore_missing": true } },
 { "rename": { "field": "message2.resp_mime_types", "target_field": "file.resp_mime_types", "ignore_missing": true } },
- { "rename": { "field": "message2.ja4h", "target_field": "hash.ja4h", "ignore_missing": true } },
+ { "rename": { "field": "message2.ja4h", "target_field": "hash.ja4h", "ignore_missing": true, "if": "ctx?.message2?.ja4h != null && ctx.message2.ja4h.length() > 0" } },
 { "script": { "lang": "painless", "source": "ctx.uri_length = ctx.uri.length()", "ignore_failure": true } },
 { "script": { "lang": "painless", "source": "ctx.useragent_length = ctx.useragent.length()", "ignore_failure": true } },
 { "script": { "lang": "painless", "source": "ctx.virtual_host_length = ctx.virtual_host.length()", "ignore_failure": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.http2 b/salt/elasticsearch/files/ingest/zeek.http2
index e72259dda..34cce0f7b 100644
--- a/salt/elasticsearch/files/ingest/zeek.http2
+++ b/salt/elasticsearch/files/ingest/zeek.http2
@@ -27,7 +27,7 @@
 { "rename": { "field": "message2.resp_filenames", "target_field": "file.resp_filenames", "ignore_missing": true } },
 { "rename": { "field": "message2.resp_mime_types", "target_field": "file.resp_mime_types", "ignore_missing": true } },
 { "rename": { "field": "message2.stream_id", "target_field": "http2.stream_id", "ignore_missing": true } },
- { "rename": { "field": "message2.ja4h", "target_field": "hash.ja4h", "ignore_missing": true } },
+ { "rename": { "field": "message2.ja4h", "target_field": "hash.ja4h", "ignore_missing": true, "if": "ctx?.message2?.ja4h != null && ctx.message2.ja4h.length() > 0" } },
 { "remove": { "field": "message2.tags", "ignore_failure": true } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "script": { "lang": "painless", "source": "ctx.uri_length = ctx.uri.length()", "ignore_failure": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.ja4ssh b/salt/elasticsearch/files/ingest/zeek.ja4ssh
index 45a569792..5901e65f1 100644
--- a/salt/elasticsearch/files/ingest/zeek.ja4ssh
+++ b/salt/elasticsearch/files/ingest/zeek.ja4ssh
@@ -4,7 +4,7 @@
 {"set": {"field": "event.dataset","value": "ja4ssh"}},
 {"remove": {"field": "host","ignore_missing": true,"ignore_failure": true}},
 {"json": {"field": "message","target_field": "message2","ignore_failure": true}},
- {"rename": {"field": "message2.ja4ssh", "target_field": "ja4.ja4ssh", "ignore_missing": true}},
+ {"rename": {"field": "message2.ja4ssh", "target_field": "hash.ja4ssh", "ignore_missing": true, "if": "ctx?.message2?.ja4ssh != null && ctx.message2.ja4ssh.length() > 0" }},
 {"pipeline": {"name": "zeek.common"}}
 ]
 }
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/zeek.ssl b/salt/elasticsearch/files/ingest/zeek.ssl
index c694ab333..0bd6fedb2 100644
--- a/salt/elasticsearch/files/ingest/zeek.ssl
+++ b/salt/elasticsearch/files/ingest/zeek.ssl
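Review bot: The ja4ssh rename also moves its destination from `ja4.ja4ssh` to `hash.ja4ssh`, which the subject "ja4 ignore empty strings" does not mention; any index template mapping, dashboard or detection content that reads `ja4.ja4ssh` stops matching new documents once this ships, so the move should be called out in the commit message and a mapping for `hash.ja4ssh` confirmed to exist. The move itself looks intended, since every other pipeline in this patch already targets `hash.*`. The file still ends without a trailing newline (`\ No newline at end of file`), which this edit was a cheap chance to fix.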
@@ -23,8 +23,8 @@ { "rename": { "field": "message2.validation_status","target_field": "ssl.validation_status", "ignore_missing": true } }, { "rename": { "field": "message2.ja3", "target_field": "hash.ja3", "ignore_missing": true } }, { "rename": { "field": "message2.ja3s", "target_field": "hash.ja3s", "ignore_missing": true } }, - { "rename": { "field": "message2.ja4", "target_field": "hash.ja4", "ignore_missing": true } }, - { "rename": { "field": "message2.ja4s", "target_field": "hash.ja4s", "ignore_missing": true } }, + { "rename": { "field": "message2.ja4", "target_field": "hash.ja4", "ignore_missing": true, "if": "ctx?.message2?.ja4 != null && ctx.message2.ja4.length() > 0" } }, + { "rename": { "field": "message2.ja4s", "target_field": "hash.ja4s", "ignore_missing": true, "if": "ctx?.message2?.ja4s != null && ctx.message2.ja4s.length() > 0" } }, { "foreach": { "if": "ctx?.tls?.client?.hash?.sha256 !=null", diff --git a/salt/elasticsearch/files/ingest/zeek.x509 b/salt/elasticsearch/files/ingest/zeek.x509 index daec96245..b639cb417 100644 --- a/salt/elasticsearch/files/ingest/zeek.x509 +++ b/salt/elasticsearch/files/ingest/zeek.x509 @@ -42,7 +42,7 @@ { "dot_expander": { "field": "basic_constraints.path_length", "path": "message2", "ignore_failure": true } }, { "rename": { "field": "message2.basic_constraints.path_length", "target_field": "x509.basic_constraints.path_length", "ignore_missing": true } }, { "rename": { "field": "message2.fingerprint", "target_field": "hash.sha256", "ignore_missing": true } }, - { "rename": { "field": "message2.ja4x", "target_field": "hash.ja4x", "ignore_missing": true } }, + { "rename": { "field": "message2.ja4x", "target_field": "hash.ja4x", "ignore_missing": true, "if": "ctx?.message2?.ja4x != null && ctx.message2.ja4x.length() > 0" } }, { "pipeline": { "name": "zeek.common_ssl" } } ] }