CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'dev' into feature/script-fixes

Browse Source 
# Conflicts:
#	salt/auth/init.sls
#	salt/common/tools/sbin/so-bro-restart
#	salt/common/tools/sbin/so-bro-start
#	salt/common/tools/sbin/so-bro-stop
#	salt/wazuh/files/wazuh-manager-whitelist
This commit is contained in:
William Wernert
2020-02-05 10:58:51 -05:00
parent 50d4693a09 dc89f95d4b
commit 3e97930506
117 changed files with 3671 additions and 175 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
pillar/logstash/eval.sls Normal file
View File

@@ -0,0 +1,4 @@
logstash:
pipelines:
eval:
config: "/usr/share/logstash/pipelines/eval/*.conf"

2
pillar/logstash/mastersearch.sls → pillar/logstash/master.sls
View File

@@ -2,5 +2,3 @@ logstash:
pipelines:
master:
config: "/usr/share/logstash/pipelines/master/*.conf"
search:
config: "/usr/share/logstash/pipelines/search/*.conf"

4
pillar/logstash/search.sls Normal file
View File

@@ -0,0 +1,4 @@
logstash:
pipelines:
search:
config: "/usr/share/logstash/pipelines/search/*.conf"

16
pillar/top.sls
View File

@@ -2,8 +2,10 @@ base:
'*':
- patch.needs_restarting
'G@role:so-mastersearch':
- logstash.mastersearch
'G@role:so-mastersearch or G@role:so-heavynode':
- match: compound
- logstash.master
- logstash.search
'G@role:so-sensor':
- static
@@ -19,12 +21,16 @@ base:
- auth
- minions.{{ grains.id }}
'G@role:so-master':
- logstash.master
'G@role:so-eval':
- static
- firewall.*
- data.*
- brologs
- auth
- logstash.eval
- minions.{{ grains.id }}
'G@role:so-node':
@@ -32,6 +38,12 @@ base:
- firewall.*
- minions.{{ grains.id }}
'G@role:so-heavynode':
- static
- firewall.*
- brologs
- minions.{{ grains.id }}
'G@role:so-helix':
- static
- firewall.*

6
salt/auth/init.sls
View File

@@ -1,4 +1,4 @@
{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
{% set MASTER = salt['grains.get']('master') %}
so-auth-api-dir:
@@ -10,7 +10,7 @@ so-auth-api-dir:
so-auth-api:
docker_container.running:
- image: {{ MASTER }}:5000/soshybridhunter/so-auth-api:HH{{ VERSION }}
- image: {{ MASTER }}:5000/soshybridhunter/so-auth-api:{{ VERSION }}
- hostname: so-auth-api
- name: so-auth-api
- environment:
@@ -22,7 +22,7 @@ so-auth-api:
so-auth-ui:
docker_container.running:
- image: {{ MASTER }}:5000/soshybridhunter/so-auth-ui:HH{{ VERSION }}
- image: {{ MASTER }}:5000/soshybridhunter/so-auth-ui:{{ VERSION }}
- hostname: so-auth-ui
- name: so-auth-ui
- port_bindings:

4
salt/common/grafana/grafana_dashboards/eval/eval.json
View File

@@ -1395,7 +1395,7 @@
"condition": "AND",
"key": "container_name",
"operator": "=",
"value": "so-bro"
"value": "so-zeek"
}
]
}
@@ -1913,7 +1913,7 @@
"condition": "AND",
"key": "container_name",
"operator": "=",
"value": "so-bro"
"value": "so-zeek"
}
]
}

4
salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json
View File

@@ -1396,7 +1396,7 @@
"condition": "AND",
"key": "container_name",
"operator": "=",
"value": "so-bro"
"value": "so-zeek"
}
]
}
@@ -1901,7 +1901,7 @@
"condition": "AND",
"key": "container_name",
"operator": "=",
"value": "so-bro"
"value": "so-zeek"
}
]
}

4
salt/common/init.sls
View File

@@ -1,6 +1,6 @@
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
{% set MASTER = salt['grains.get']('master') %}
{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
# Add socore Group
socoregroup:
group.present:
@@ -343,7 +343,7 @@ dashboard-{{ SN }}:
{% if salt['pillar.get']('nodestab', False) %}
{%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
dashboard-{{ SN }}:
dashboardsearch-{{ SN }}:
file.managed:
- name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
- user: 939

89
salt/common/nginx/nginx.conf.so-heavynode Normal file
View File

@@ -0,0 +1,89 @@
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}

4
salt/common/telegraf/scripts/broloss.sh
View File

@@ -1,7 +1,7 @@
#!/bin/bash
BROLOG=$(tac /host/nsm/bro/logs/packetloss.log | head -2)
declare RESULT=($BROLOG)
ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
declare RESULT=($ZEEKLOG)
CURRENTDROP=${RESULT[3]}
PASTDROP=${RESULT[9]}
DROPPED=$(($CURRENTDROP - $PASTDROP))

20
salt/common/tools/sbin/so-bro-restart
View File

@@ -1,20 +0,0 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
docker stop so-bro && docker rm so-bro && salt-call state.apply bro

20
salt/common/tools/sbin/so-bro-start
View File

@@ -1,20 +0,0 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
docker rm so-bro && salt-call state.apply bro

20
salt/common/tools/sbin/so-bro-stop
View File

@@ -1,20 +0,0 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
docker stop so-bro

1
salt/common/tools/sbin/so-elastic-clear
View File

@@ -14,6 +14,7 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
. /usr/sbin/so-common
SKIP=0

1
salt/common/tools/sbin/so-restart
View File

@@ -31,5 +31,6 @@ fi
case $1 in
"cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
"steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
*) docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
esac

25
salt/common/tools/sbin/so-salt-start Normal file
View File

@@ -0,0 +1,25 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
echo $banner
printf "Starting local Salt Minion...\n"
echo $banner
service salt-minion start
service salt-minion status

25
salt/common/tools/sbin/so-salt-stop Normal file
View File

@@ -0,0 +1,25 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
echo $banner
printf "Stopping local Salt Minion...\n"
echo $banner
service salt-minion stop
service salt-minion status

4
salt/common/tools/sbin/so-start
View File

@@ -29,8 +29,8 @@ then
salt-call saltutil.kill_all_jobs
fi
case $1 in
"all") salt-call state.highstate queue=True;;
*) if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi
"steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;;
*) if docker ps | grep -q so-$1; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;;
esac

141
salt/common/tools/sbin/so-status Normal file
View File

@@ -0,0 +1,141 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# {% raw %}
if ! [ $(id -u)=0 ]; then
echo "This command must be run as root"
exit 1
fi
# Constants
ERROR_STRING="ERROR"
SUCCESS_STRING="OK"
PENDING_STRING="PENDING"
declare -a BAD_STATUSES=("removing", "paused", "exited", "dead")
declare -a PENDING_STATUSES=("paused", "created", "restarting")
declare -a GOOD_STATUSES=("running")
declare -a container_name_list=()
declare -a container_state_list=()
populate_container_lists() {
systemctl is-active --quiet docker
if [[ $? = 0 ]]; then
mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/containers/json?all=1 \
| jq -c '.[] | { Name: .Names[0], State: .State }' \
| tr -d '/{"}')
else
exit 1
fi
local container_name=""
local container_state=""
for line in ${docker_raw_list[@]}; do
container_name="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\1/' )" # Get value in the first search group (container names)
container_state="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\2/' )" # Get value in the second search group (container states)
container_name_list+=( "${container_name}" )
container_state_list+=( "${container_state}" )
done
}
parse_status() {
local container_state=${1}
local found=0
for state in "${GOOD_STATUSES[@]}"; do
[[ $container_state = $state ]] && printf $SUCCESS_STRING && return 0
done
if [[ $found = 0 ]]; then
for state in "${PENDING_STATUSES[@]}"; do
[[ $container_state = $state ]] && printf $PENDING_STRING && return 0
done
fi
# This is technically not needed since the default is error state
if [[ $found = 0 ]]; then
for state in "${BAD_STATUSES[@]}"; do
[[ $container_state = $state ]] && printf $ERROR_STRING && return 1
done
fi
printf $ERROR_STRING && return 1
}
columns=$(tput cols)
print_line() {
local service_name=${1}
local service_state=$( parse_status ${2} )
local PADDING_CONSTANT=14
local state_color="\e[0m"
if [[ $service_state = $ERROR_STRING ]]; then
state_color="\e[1;31m"
elif [[ $service_state = $SUCCESS_STRING ]]; then
state_color="\e[1;32m"
elif [[ $service_state = $PENDING_STRING ]]; then
state_color="\e[1;33m"
else
state_color="\e[0m"
fi
printf " $service_name "
for i in $(seq 0 $(( $columns - $PADDING_CONSTANT - ${#service_name} - ${#service_state} ))); do
printf "-"
done
printf " [ "
printf "${state_color}%b\e[0m" "$service_state"
printf "%s \n" " ]"
}
main() {
local focus_color="\e[1;34m"
printf "\n"
printf "${focus_color}%b\e[0m" "Checking Docker status\n\n"
systemctl is-active --quiet docker
if [[ $? = 0 ]]; then
print_line "Docker" "running"
else
print_line "Docker" "exited"
fi
populate_container_lists
printf "\n"
printf "${focus_color}%b\e[0m" "Checking container statuses\n\n"
local num_containers=${#docker_raw_list[@]}
local container_name=""
local container_state=""
for i in $(seq 0 $(($num_containers - 1 ))); do
print_line ${container_name_list[$i]} ${container_state_list[$i]}
done
printf "\n"
}
main
# {% endraw %}

11
salt/common/tools/sbin/so-suricata-restart
View File

@@ -1,7 +1,7 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
@@ -14,4 +14,7 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
docker stop so-suricata && sudo docker rm so-suricata && salt-call state.apply suricata
. /usr/sbin/so-common
/usr/sbin/so-restart suricata $1

11
salt/common/tools/sbin/so-suricata-start
View File

@@ -1,7 +1,7 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
@@ -14,4 +14,7 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
docker rm so-suricata && salt-call state.apply suricata
. /usr/sbin/so-common
/usr/sbin/so-start suricata $1

11
salt/common/tools/sbin/so-suricata-stop
View File

@@ -1,7 +1,7 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
@@ -14,4 +14,7 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
docker stop so-suricata
. /usr/sbin/so-common
/usr/sbin/so-stop suricata $1

6
salt/common/tools/sbin/so-tcpreplay
View File

@@ -15,14 +15,16 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Usage: so-tcpreplay "/opt/so/samples/*"
REPLAY_ENABLED=$(docker images | grep so-tcpreplay)
REPLAY_RUNNING=$(docker ps | grep so-tcpreplay)
if [ "$REPLAY_ENABLED" != "" ] && [ "$REPLAY_RUNNING" != "" ]; then
docker cp so-tcpreplay:/opt/samples /opt/samples
docker exec -it so-tcpreplay /usr/bin/tcpreplay -i bond0 -M10 $1
docker exec -it so-tcpreplay /usr/local/bin/tcpreplay -i bond0 -M10 $1
else
echo "Replay functionality not enabled! To enable, run `so-tcpreplay-start`"
echo
echo "Note that you will need internet access to download the appropiriate components"
echo "Note that you will need internet access to download the appropriate components"
fi

2
salt/common/tools/sbin/so-tcpreplay-restart
View File

@@ -17,5 +17,5 @@
. /usr/sbin/so-common
/usr/sbin/so-restart tcreplay $1
/usr/sbin/so-restart tcpreplay $1

2
salt/common/tools/sbin/so-zeek-restart
View File

@@ -17,4 +17,4 @@
. /usr/sbin/so-common
/usr/sbin/so-restart bro $1
/usr/sbin/so-restart zeek $1

2
salt/common/tools/sbin/so-zeek-start
View File

@@ -17,4 +17,4 @@
. /usr/sbin/so-common
/usr/sbin/so-start bro $1
/usr/sbin/so-start zeek $1

2
salt/common/tools/sbin/so-zeek-stop
View File

@@ -17,4 +17,4 @@
. /usr/sbin/so-common
/usr/sbin/so-stop bro $1
/usr/sbin/so-stop zeek $1

0
salt/bro/cron/packetloss.sh → salt/deprecated-bro/cron/packetloss.sh
View File

0
salt/bro/cron/zeek_clean → salt/deprecated-bro/cron/zeek_clean
View File

3
salt/bro/files/local.bro → salt/deprecated-bro/files/local.bro
View File

@@ -102,6 +102,9 @@
# is currently considered a preview and therefore not loaded by default.
@load base/protocols/smb
# BPF Configuration
@load securityonion/bpfconf
# Add the interface to the log event
#@load securityonion/add-interface-to-logs.bro

0
salt/bro/files/local.bro.community → salt/deprecated-bro/files/local.bro.community
View File

0
salt/bro/files/node.cfg → salt/deprecated-bro/files/node.cfg
View File

34
salt/bro/init.sls → salt/deprecated-bro/init.sls
View File

@@ -1,3 +1,7 @@
{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf') %}
{% set BPF_STATUS = 0 %}
# Bro Salt State
# Add Bro group
brogroup:
@@ -103,6 +107,32 @@ zeekcleanscript:
- month: '*'
- dayweek: '*'
# BPF compilation and configuration
{% if BPF_ZEEK %}
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_ZEEK|join(" ") ) %}
{% if BPF_CALC['stderr'] == "" %}
{% set BPF_STATUS = 1 %}
{% else %}
zeekbpfcompilationfailure:
test.configurable_test_state:
- changes: False
- result: False
- comment: "BPF Syntax Error - Discarding Specified BPF"
{% endif %}
{% endif %}
zeekbpf:
file.managed:
- name: /opt/so/conf/bro/bpf
- user: 940
- group: 940
{% if BPF_STATUS %}
- contents_pillar: zeek:bpf
{% else %}
- contents:
- "ip or not ip"
{% endif %}
# Sync local.bro
{% if salt['pillar.get']('static:broversion', '') == 'COMMUNITY' %}
localbrosync:
@@ -163,6 +193,7 @@ so-bro:
- /nsm/bro/extracted:/nsm/bro/extracted:rw
- /opt/so/conf/bro/local.bro:/opt/bro/share/bro/site/local.bro:ro
- /opt/so/conf/bro/node.cfg:/opt/bro/etc/node.cfg:ro
- /opt/so/conf/bro/bpf:/opt/bro/share/bro/site/bpf:ro
- /opt/so/conf/bro/policy/securityonion:/opt/bro/share/bro/policy/securityonion:ro
- /opt/so/conf/bro/policy/custom:/opt/bro/share/bro/policy/custom:ro
- /opt/so/conf/bro/policy/intel:/opt/bro/share/bro/policy/intel:rw
@@ -171,6 +202,5 @@ so-bro:
- file: /opt/so/conf/bro/local.bro
- file: /opt/so/conf/bro/node.cfg
- file: /opt/so/conf/bro/policy
- file: /opt/so/conf/bro/bpf
{% endif %}

0
salt/bro/policy/intel/__load__.bro → salt/deprecated-bro/policy/intel/__load__.bro
View File

0
salt/bro/policy/securityonion/add-interface-to-logs.bro → salt/deprecated-bro/policy/securityonion/add-interface-to-logs.bro
View File

0
salt/bro/policy/securityonion/apt1/__load__.bro → salt/deprecated-bro/policy/securityonion/apt1/__load__.bro
View File

0
salt/bro/policy/securityonion/apt1/apt1-certs.dat → salt/deprecated-bro/policy/securityonion/apt1/apt1-certs.dat
View File

0
salt/bro/policy/securityonion/apt1/apt1-fqdn.dat → salt/deprecated-bro/policy/securityonion/apt1/apt1-fqdn.dat
View File

0
salt/bro/policy/securityonion/apt1/apt1-md5.dat → salt/deprecated-bro/policy/securityonion/apt1/apt1-md5.dat
View File

106
salt/deprecated-bro/policy/securityonion/bpfconf.bro Normal file
View File

@@ -0,0 +1,106 @@
##! This script is to support the bpf.conf file like other network monitoring tools use.
##! Please don't try to learn from this script right now, there are a large number of
##! hacks in it to work around bugs discovered in Bro.
@load base/frameworks/notice
module BPFConf;
export {
## The file that is watched on disk for BPF filter changes.
## Two templated variables are available; "sensorname" and "interface".
## They can be used by surrounding the term by doubled curly braces.
const filename = "/opt/bro/share/bro/site/bpf" &redef;
redef enum Notice::Type += {
## Invalid filter notice.
InvalidFilter
};
}
global filter_parts: vector of string = vector();
global current_filter_filename = "";
type FilterLine: record {
s: string;
};
redef enum PcapFilterID += {
BPFConfPcapFilter,
};
event BPFConf::line(description: Input::EventDescription, tpe: Input::Event, s: string)
{
local part = sub(s, /[[:blank:]]*#.*$/, "");
# We don't want any blank parts.
if ( part != "" )
filter_parts[|filter_parts|] = part;
}
event Input::end_of_data(name: string, source:string)
{
if ( name == "bpfconf" )
{
local filter = join_string_vec(filter_parts, " ");
capture_filters["bpf.conf"] = filter;
if ( Pcap::precompile_pcap_filter(BPFConfPcapFilter, filter) )
{
PacketFilter::install();
}
else
{
NOTICE([$note=InvalidFilter,
$msg=fmt("Compiling packet filter from %s failed", filename),
$sub=filter]);
}
filter_parts=vector();
}
}
function add_filter_file()
{
local real_filter_filename = BPFConf::filename;
# Support the interface template value.
#if ( SecurityOnion::sensorname != "" )
# real_filter_filename = gsub(real_filter_filename, /\{\{sensorname\}\}/, SecurityOnion::sensorname);
# Support the interface template value.
#if ( SecurityOnion::interface != "" )
# real_filter_filename = gsub(real_filter_filename, /\{\{interface\}\}/, SecurityOnion::interface);
#if ( /\{\{/ in real_filter_filename )
# {
# return;
# }
#else
# Reporter::info(fmt("BPFConf filename set: %s (%s)", real_filter_filename, Cluster::node));
if ( real_filter_filename != current_filter_filename )
{
current_filter_filename = real_filter_filename;
Input::add_event([$source=real_filter_filename,
$name="bpfconf",
$reader=Input::READER_RAW,
$mode=Input::REREAD,
$want_record=F,
$fields=FilterLine,
$ev=BPFConf::line]);
}
}
#event SecurityOnion::found_sensorname(name: string)
# {
# add_filter_file();
# }
event bro_init() &priority=5
{
if ( BPFConf::filename != "" )
add_filter_file();
}

0
salt/bro/policy/securityonion/conn-add-sensorname.bro → salt/deprecated-bro/policy/securityonion/conn-add-sensorname.bro
View File

0
salt/bro/policy/securityonion/file-extraction/__load__.bro → salt/deprecated-bro/policy/securityonion/file-extraction/__load__.bro
View File

0
salt/bro/policy/securityonion/file-extraction/extract.bro → salt/deprecated-bro/policy/securityonion/file-extraction/extract.bro
View File

0
salt/bro/policy/securityonion/json-logs/__load__.bro → salt/deprecated-bro/policy/securityonion/json-logs/__load__.bro
View File

4
salt/elastalert/files/elastalert_config.yaml
View File

@@ -82,3 +82,7 @@ writeback_index: elastalert_status
# sending the alert until this time period has elapsed
alert_time_limit:
days: 2
index_settings:
shards: 1
replicas: 0

2
salt/elasticsearch/init.sls
View File

@@ -31,7 +31,7 @@
{% set esclustername = salt['pillar.get']('master:esclustername', '') %}
{% set esheap = salt['pillar.get']('master:esheap', '') %}
{% elif grains['role'] == 'so-node' %}
{% elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
{% set esclustername = salt['pillar.get']('node:esclustername', '') %}
{% set esheap = salt['pillar.get']('node:esheap', '') %}

10
salt/filebeat/etc/filebeat.yml
View File

@@ -1,4 +1,10 @@
{%- if grains.role == 'so-heavynode' %}
{%- set MASTER = salt['pillar.get']('sensor:mainip' '') %}
{%- else %}
{%- set MASTER = grains['master'] %}
{%- endif %}
{%- set HOSTNAME = salt['grains.get']('host', '') %}
{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %}
@@ -67,12 +73,12 @@ filebeat.modules:
# List of prospectors to fetch data.
filebeat.prospectors:
#------------------------------ Log prospector --------------------------------
{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" %}
{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" %}
{%- if BROVER != 'SURICATA' %}
{%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %}
- type: log
paths:
- /nsm/bro/logs/current/{{ LOGNAME }}.log
- /nsm/zeek/logs/current/{{ LOGNAME }}.log
fields:
type: bro_{{ LOGNAME }}
fields_under_root: true

16
salt/filebeat/init.sls
View File

@@ -1,5 +1,4 @@
# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
@@ -14,36 +13,31 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
{% set MASTER = salt['grains.get']('master') %}
{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
{% set MASTERIP = salt['pillar.get']('static:masterip', '') %}
{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
{% if FEATURES %}
{% set FEATURES = "-features" %}
{% else %}
{% set FEATURES = '' %}
{% endif %}
# Filebeat Setup
filebeatetcdir:
file.directory:
- name: /opt/so/conf/filebeat/etc
- user: 939
- group: 939
- makedirs: True
filebeatlogdir:
file.directory:
- name: /opt/so/log/filebeat
- user: 939
- group: 939
- makedirs: True
filebeatpkidir:
file.directory:
- name: /opt/so/conf/filebeat/etc/pki
- user: 939
- group: 939
- makedirs: True
# This needs to be owned by root
filebeatconfsync:
file.managed:
@@ -52,7 +46,6 @@ filebeatconfsync:
- user: 0
- group: 0
- template: jinja
so-filebeat:
docker_container.running:
- image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:{{ VERSION }}{{ FEATURES }}
@@ -67,13 +60,8 @@ so-filebeat:
- /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
- /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
- /opt/so/log/fleet/:/osquery/logs:ro
{%- if grains['role'] == 'so-master' %}
- /etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
- /etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
{%- else %}
- /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
- /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
{%- endif %}
- /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
- watch:
- file: /opt/so/conf/filebeat/etc/filebeat.yml

40
salt/firewall/init.sls
View File

@@ -1,7 +1,7 @@
# Firewall Magic for the grid
{%- if grains['role'] in ['so-eval','so-master','so-helix','so-mastersearch'] %}
{%- set ip = salt['pillar.get']('static:masterip', '') %}
{%- elif grains['role'] == 'so-node' %}
{%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
{%- set ip = salt['pillar.get']('node:mainip', '') %}
{%- elif grains['role'] == 'so-sensor' %}
{%- set ip = salt['pillar.get']('sensor:mainip', '') %}
@@ -584,7 +584,7 @@ enable_standard_analyst_443_{{ip}}:
{% endif %}
# Rules if you are a Node
{% if grains['role'] == 'so-node' %}
{% if 'node' in grains['role'] %}
#This should be more granular
iptables_allow_docker:
@@ -655,3 +655,39 @@ iptables_drop_all_the_things:
- chain: LOGGING
- jump: DROP
- save: True
{% if grains['role'] == 'so-heavynode' %}
# Allow Redis
enable_heavynode_redis_6379_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 6379
- position: 1
- save: True
enable_forwardnode_beats_5044_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 5044
- position: 1
- save: True
enable_forwardnode_beats_5644_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 5644
- position: 1
- save: True
{% endif %}

204
salt/logstash/conf/pipelines/eval/0800_input_eval.conf Normal file
View File

@@ -0,0 +1,204 @@
# Updated by: Mike Reeves
# Last Update: 11/1/2018
input {
file {
path => "/suricata/eve.json"
type => "ids"
add_field => { "engine" => "suricata" }
}
file {
path => "/nsm/zeek/logs/current/conn*.log"
type => "bro_conn"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/dce_rpc*.log"
type => "bro_dce_rpc"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/dhcp*.log"
type => "bro_dhcp"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/dnp3*.log"
type => "bro_dnp3"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/dns*.log"
type => "bro_dns"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/dpd*.log"
type => "bro_dpd"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/files*.log"
type => "bro_files"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/ftp*.log"
type => "bro_ftp"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/http*.log"
type => "bro_http"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/intel*.log"
type => "bro_intel"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/irc*.log"
type => "bro_irc"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/kerberos*.log"
type => "bro_kerberos"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/modbus*.log"
type => "bro_modbus"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/mysql*.log"
type => "bro_mysql"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/notice*.log"
type => "bro_notice"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/ntlm*.log"
type => "bro_ntlm"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/pe*.log"
type => "bro_pe"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/radius*.log"
type => "bro_radius"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/rdp*.log"
type => "bro_rdp"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/rfb*.log"
type => "bro_rfb"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/signatures*.log"
type => "bro_signatures"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/sip*.log"
type => "bro_sip"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/smb_files*.log"
type => "bro_smb_files"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/smb_mapping*.log"
type => "bro_smb_mapping"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/smtp*.log"
type => "bro_smtp"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/snmp*.log"
type => "bro_snmp"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/socks*.log"
type => "bro_socks"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/software*.log"
type => "bro_software"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/ssh*.log"
type => "bro_ssh"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/ssl*.log"
type => "bro_ssl"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/syslog*.log"
type => "bro_syslog"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/tunnel*.log"
type => "bro_tunnels"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/weird*.log"
type => "bro_weird"
tags => ["bro"]
}
file {
path => "/nsm/zeek/logs/current/x509*.log"
type => "bro_x509"
tags => ["bro"]
}
file {
path => "/wazuh/alerts/alerts.json"
type => "ossec"
}
file {
path => "/wazuh/archives/archive.json"
type => "ossec_archive"
}
file {
path => "/osquery/logs/result.log"
type => "osquery"
tags => ["osquery"]
}
file {
path => "/strelka/strelka.log"
type => "strelka"
}
}
filter {
if "import" in [tags] {
mutate {
#add_tag => [ "conf_file_0007"]
}
}
}

13
salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf Normal file
View File

@@ -0,0 +1,13 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
ruby {
code => "event.set('task_start', Time.now.to_f)"
}
mutate {
#add_tag => [ "conf_file_1000"]
}
}

33
salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf Normal file
View File

@@ -0,0 +1,33 @@
# Updated by: Doug Burks and Wes Lambert
# Last Update: 10/30/2018
filter {
if "syslogng" in [tags] {
mutate {
rename => { "MESSAGE" => "message" }
rename => { "PROGRAM" => "type" }
rename => { "FACILITY" => "syslog-facility" }
rename => { "FILE_NAME" => "syslog-file_name" }
rename => { "HOST" => "syslog-host" }
rename => { "HOST_FROM" => "syslog-host_from" }
rename => { "LEGACY_MSGHDR" => "syslog-legacy_msghdr" }
rename => { "PID" => "syslog-pid" }
rename => { "PRIORITY" => "syslog-priority" }
rename => { "SOURCEIP" => "syslog-sourceip" }
rename => { "TAGS" => "syslog-tags" }
lowercase => [ "syslog-host_from" ]
remove_field => [ "ISODATE" ]
remove_field => [ "SEQNUM" ]
#add_tag => [ "conf_file_1001"]
}
if "bro_" in [type] {
mutate {
add_tag => [ "bro" ]
}
} else if [type] !~ /ossec.*|snort/ and "firewall" not in [tags] {
mutate {
add_tag => [ "syslog" ]
}
}
}
}

18
salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf Normal file
View File

@@ -0,0 +1,18 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if "json" in [tags]{
json {
source => "message"
}
mutate {
remove_tag => [ "json" ]
}
mutate {
#add_tag => [ "conf_file_1002"]
}
}
}

19
salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf Normal file
View File

@@ -0,0 +1,19 @@
filter {
if "syslog" in [tags] {
if [host] == "172.16.1.1" {
mutate {
add_field => { "type" => "fortinet" }
add_tag => [ "firewall" ]
}
}
if [host] == "10.0.0.101" {
mutate {
add_field => { "type" => "brocade" }
add_tag => [ "switch" ]
}
}
mutate {
#add_tag => [ "conf_file_1004"]
}
}
}

140
salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf Normal file
View File

@@ -0,0 +1,140 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolutions.com
# Last Update: 12/9/2016
# This conf file is based on accepting logs for DHCP. It is currently based on Windows DHCP only.
filter {
if [type] == "dhcp" {
mutate {
add_field => { "Hostname" => "%{host}" }
}
mutate {
strip => "message"
}
# This is the initial parsing of the log
grok {
# Server 2008+
match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},%{DATA:Username},%{INT:TransactionID},%{INT:QResult},%{DATA:ProbationTime},%{DATA:CorrelationID}"}
# Server 2003
match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},"}
match => { "message" => "%{DATA:id},%{DATA:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{DATA:ip},%{DATA:Hostname},%{DATA:mac},"}
}
# This section below translates the message ID into something humans can understand.
if [id] == "00" {
mutate {
add_field => [ "event", "The log was started"]
}
}
if [id] == "01" {
mutate {
add_field => [ "event", "The log was stopped"]
}
}
if [id] == "02" {
mutate {
add_field => [ "event", "The log was temporarily paused due to low disk space"]
}
}
if [id] == "10" {
mutate {
add_field => [ "event", "A new IP address was leased to a client"]
}
}
if [id] == "11" {
mutate {
add_field => [ "event", "A lease was renewed by a client"]
}
}
if [id] == "12" {
mutate {
add_field => [ "event", "A lease was released by a client"]
}
}
if [id] == "13" {
mutate {
add_field => [ "event", "An IP address was found to be in use on the network"]
}
}
if [id] == "14" {
mutate {
add_field => [ "event", "A lease request could not be satisfied because the scope's address pool was exhausted"]
}
}
if [id] == "15" {
mutate {
add_field => [ "event", "A lease was denied"]
}
}
if [id] == "16" {
mutate {
add_field => [ "event", "A lease was deleted"]
}
}
if [id] == "17" {
mutate {
add_field => [ "event", "A lease was expired and DNS records for an expired leases have not been deleted"]
}
}
if [id] == "18" {
mutate {
add_field => [ "event", "A lease was expired and DNS records were deleted"]
}
}
if [id] == "20" {
mutate {
add_field => [ "event", "A BOOTP address was leased to a client"]
}
}
if [id] == "21" {
mutate {
add_field => [ "event", "A dynamic BOOTP address was leased to a client"]
}
}
if [id] == "22" {
mutate {
add_field => [ "event", "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"]
}
}
if [id] == "23" {
mutate {
add_field => [ "event", "A BOOTP IP address was deleted after checking to see it was not in use"]
}
}
if [id] == "24" {
mutate {
add_field => [ "event", "IP address cleanup operation has began"]
}
}
if [id] == "25" {
mutate {
add_field => [ "event", "IP address cleanup statistics"]
}
}
if [id] == "30" {
mutate {
add_field => [ "event", "DNS update request to the named DNS server"]
}
}
if [id] == "31" {
mutate {
add_field => [ "event", "DNS update failed"]
}
}
if [id] == "32" {
mutate {
add_field => [ "event", "DNS update successful"]
}
}
if [id] == "33" {
mutate {
add_field => [ "event", "Packet dropped due to NAP policy"]
}
}
# If the message failed to parse correctly keep the message for debugging. Otherwise, drop it.
#if "_grokparsefailure" not in [tags] {
# mutate {
# remove_field => [ "message"]
# }
#}
}
}

31
salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf Normal file
View File

@@ -0,0 +1,31 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
#
# This configuration file takes ESXi syslog messages and filters them. There is no input as the logs would have came in via syslog
filter {
# This is an example of using an IP address range to classify a syslog message to a specific type of log
# This is helpful as so many devices only send logs via syslog
if [host] =~ "10\.[0-1]\.9\." {
mutate {
replace => ["type", "esxi"]
}
}
if [host] =~ "\.234$" {
mutate {
replace => ["type", "esxi"]
}
}
if [type] == "esxi" {
grok {
match => { "message" => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))"}
# pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
}
mutate {
#add_tag => [ "conf_file_1029"]
}
}
}

21
salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf Normal file
View File

@@ -0,0 +1,21 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "greensql" {
# This section is parsing out the fields for GreenSQL syslog data
grok {
match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\s*Database=%{DATA:Database}\sUser=%{DATA:UserName}\sApplication Name=%{DATA:Application}\sSource IP=%{IPV4:SrcIp}\sSource Port=%{INT:SrcPort}\sTarget IP=?%{IPV4:DstIp}\sTarget Port=%{DATA:DstPort}\sQuery=%{GREEDYDATA:Query}"}
match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\sAdmin_Name=%{DATA:UserName}\sIP_Address=%{IPV4:SrcIp}\sUser_Agent=%{DATA:UserAgent}\sMessage=%{DATA:StatusMessage}\sDescription=%{DATA:Description}\sSeverity=%{GREEDYDATA:Severity}"}
}
# Remove the message field as it is unnecessary
#mutate {
# remove_field => [ "message"]
#}
mutate {
#add_tag => [ "conf_file_1030"]
}
}
}

21
salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf Normal file
View File

@@ -0,0 +1,21 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "iis" {
# The log is expected to have come from NXLog and in JSON format. This allows for automatic parsing of fields
json {
source => "message"
}
# This removes the message field as it is unneccesary and tags the packet as web
mutate {
# remove_field => [ "message"]
add_tag => [ "web" ]
}
mutate {
#add_tag => [ "conf_file_1031"]
}
}
}

26
salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf Normal file
View File

@@ -0,0 +1,26 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
#
# This file looks for McAfee EPO logs
filter {
if [type] == "mcafee" {
# NXLog should be sending the logs in JSON format so they auto parse
json {
source => "message"
}
# This section converts the UTC fields to the proper time format
date {
match => [ "ReceivedUTC", "YYYY-MM-dd HH:mm:ss" ]
target => [ "ReceivedUTC" ]
}
date {
match => [ "DetectedUTC", "YYYY-MM-dd HH:mm:ss" ]
target => [ "DetectedUTC" ]
}
mutate {
#add_tag => [ "conf_file_1032"]
}
}
}

181
salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf Normal file
View File

@@ -0,0 +1,181 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 3/15/2018
filter {
if [type] == "ids" {
# This is the initial parsing of the log
if [engine] == "suricata" {
json {
source => "message"
}
mutate {
rename => { "alert" => "orig_alert" }
rename => { "[orig_alert][gid]" => "gid" }
rename => { "[orig_alert][signature_id]" => "sid" }
rename => { "[orig_alert][rev]" => "rev" }
rename => { "[orig_alert][signature]" => "alert" }
rename => { "[orig_alert][category]" => "classification" }
rename => { "[orig_alert][severity]" => "priority" }
rename => { "[orig_alert][rule]" => "rule_signature" }
rename => { "app_proto" => "application_protocol" }
rename => { "dest_ip" => "destination_ip" }
rename => { "dest_port" => "destination_port" }
rename => { "in_iface" => "interface" }
rename => { "proto" => "protocol" }
rename => { "src_ip" => "source_ip" }
rename => { "src_port" => "source_port" }
#rename => { "[fileinfo][filename]" => "filename" }
#rename => { "[fileinfo][gaps]" => "gaps" }
#rename => { "[fileinfo][size]" => "size" }
#rename => { "[fileinfo][state]" => "state" }
#rename => { "[fileinfo][stored]" => "stored" }
#rename => { "[fileinfo][tx_id]" => "tx_id" }
#rename => { "[flow][age]" => "duration" }
#rename => { "[flow][alerted]" => "flow_alerted" }
#rename => { "[flow][bytes_toclient]" => "bytes_to_client" }
#rename => { "[flow][bytes_toserver]" => "bytes_to_server" }
#rename => { "[flow][end]" => "flow_end" }
#rename => { "[flow][pkts_toclient]" => "packets_to_client" }
#rename => { "[flow][pkts_toserver]" => "packets_to_server" }
#rename => { "[flow][reason]" => "reason" }
#rename => { "[flow][start]" => "flow_start" }
#rename => { "[flow][state]" => "state" }
#rename => { "[netflow][age]" => "duration" }
#rename => { "[netflow][bytes]" => "bytes" }
#rename => { "[netflow][end]" => "netflow_end" }
#rename => { "[netflow][start]" => "netflow_start" }
#rename => { "[netflow][pkts]" => "packets" }
rename => { "[alert][action]" => "action" }
rename => { "[alert][category]" => "category" }
rename => { "[alert][gid]" => "gid" }
rename => { "[alert][rev]" => "rev" }
rename => { "[alert][severity]" => "severity" }
rename => { "[alert][signature]" => "signature" }
rename => { "[alert][signature_id]" => "sid" }
#rename => { "[dns][aa]" => "aa" }
#rename => { "[dns][flags]" => "flags" }
#rename => { "[dns][id]" => "id" }
#rename => { "[dns][qr]" => "qr" }
#rename => { "[dns][rcode]" => "rcode_name" }
#rename => { "[dns][rrname]" => "rrname" }
#rename => { "[dns][rrtype]" => "rrtype" }
#rename => { "[dns][tx_id]" => "tx_id" }
#rename => { "[dns][type]" => "record_type" }
#rename => { "[dns][version]" => "version" }
rename => { "[http][hostname]" => "virtual_host" }
rename => { "[http][http_content_type]" => "content_type" }
rename => { "[http][http_port]" => "http_port" }
rename => { "[http][http_method]" => "method" }
rename => { "[http][http_user_agent]" => "useragent" }
#rename => { "[http][length]" => "payload_length" }
#rename => { "[http][protocol]" => "http_version" }
rename => { "[http][status]" => "status_message" }
rename => { "[http][url]" => "url" }
#rename => { "[metadata][flowbits]" => "flowbits" }
rename => { "[tls][fingerprint]" => "certificate_serial_number" }
rename => { "[tls][issuerdn]" => "issuer_distinguished_name" }
rename => { "[tls][notafter]" => "certificate_not_valid_after" }
rename => { "[tls][notbefore]" => "certificate_not_valid_before" }
rename => { "[tls][subject]" => "certificate_common_name" }
rename => { "[tls][version]" => "tls_version" }
rename => { "event_type" => "ids_event_type" }
remove_field => [ "offset", "orig_alert", "beat", "input", "prospector" ]
remove_tag => [ "beats_input_codec_plain_applied" ]
add_tag => [ "eve" ]
}
} else {
grok {
match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
"message", "\A%{TIME} pid\(%{INT}\) Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z",
"message", "%{GREEDYDATA:alert}"]
}
}
if [timestamp] {
mutate {
add_field => { "logstash_timestamp" => "%{@timestamp}" }
}
mutate {
convert => { "logstash_timestamp" => "string" }
}
date {
match => [ "timestamp", "ISO8601" ]
}
mutate {
rename => { "logstash_timestamp" => "timestamp" }
}
}
# If the alert is a Snort GPL alert break it apart for easier reading and categorization
if [alert] =~ "GPL " {
# This will parse out the category type from the alert
grok {
match => { "alert" => "GPL\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Snort GPL" }
lowercase => [ "category"]
}
}
# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
if [alert] =~ "ET " {
# This will parse out the category type from the alert
grok {
match => { "alert" => "ET\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Emerging Threats" }
lowercase => [ "category"]
}
}
# I recommend changing the field types below to integer so searches can do greater than or less than
# and also so math functions can be ran against them
mutate {
convert => [ "source_port", "integer" ]
convert => [ "destination_port", "integer" ]
convert => [ "gid", "integer" ]
convert => [ "sid", "integer" ]
# remove_field => [ "message"]
}
# This will translate the priority field into a severity field of either High, Medium, or Low
if [priority] == 1 {
mutate {
add_field => { "severity" => "High" }
}
}
if [priority] == 2 {
mutate {
add_field => { "severity" => "Medium" }
}
}
if [priority] == 3 {
mutate {
add_field => { "severity" => "Low" }
}
}
# This section adds URLs to lookup information about a rule online
if [sid] and [sid] > 0 and [sid] < 1000000 {
mutate {
add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
}
}
if [sid] and [sid] > 1999999 and [sid] < 2999999 {
mutate {
add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
}
}
# mutate {
#add_tag => [ "conf_file_1033"]
# }
}
}

16
salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf Normal file
View File

@@ -0,0 +1,16 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/22/2017
filter {
if [type] == "syslog" {
# This drops syslog messages regarding license messages. You may want to comment it out.
#if [message] =~ "license" {
# drop { }
#}
mutate {
#convert => [ "status_code", "integer" ]
}
}
}

59
salt/logstash/conf/pipelines/eval/2000_network_flow.conf Normal file
View File

@@ -0,0 +1,59 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "sflow" {
if [message] =~ /CNTR/ {
drop { }
}
grok {
match => { "message" => "%{WORD:sample_type},%{IP:sflow_source_ip},%{WORD:in_port:int},%{WORD:out_port:int},%{WORD:source_mac},%{WORD:destination_mac},%{WORD:ether_type},%{NUMBER:in_vlan:int},%{NUMBER:out_vlan:int},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:protocol:int},%{WORD:type_of_service},%{WORD:ttl:int},%{NUMBER:source_port:int},%{NUMBER:destination_port:int},%{DATA:tcp_flags},%{NUMBER:packet_size:int},%{NUMBER:ip_size:int},%{NUMBER:sample_rate:int}" }
}
if "_grokparsefailure" in [tags] {
drop { }
}
mutate {
add_field => {
"[source_hostname]" => "%{source_ip}"
"[destination_hostname]" => "%{destination_ip}"
"[sflow_source_hostname]" => "%{sflow_source_ip}"
}
}
translate {
field => "[source_port]"
destination => "[source_service]"
dictionary_path => "/lib/dictionaries/iana_services.yaml"
}
translate {
field => "[destination_port]"
destination => "[destination_service]"
dictionary_path => "/lib/dictionaries/iana_services.yaml"
}
translate {
field => "[protocol]"
destination => "[protocol_name]"
dictionary_path => "/lib/dictionaries/iana_protocols.yaml"
}
translate {
field => "[tcp_flags]"
destination => "[tcp_flag]"
dictionary_path => "/lib/dictionaries/tcp_flags.yaml"
}
mutate {
add_field => { "ips" => [ "%{sflow_source_ip}" ] }
}
mutate {
#add_tag => [ "conf_file_2000"]
}
}
}

11
salt/logstash/conf/pipelines/eval/6002_syslog.conf Normal file
View File

@@ -0,0 +1,11 @@
# Updated by: Doug Burks
# Last Update: 5/16/2017
#
filter {
if "syslog" in [tags] {
mutate {
#convert => [ "status_code", "integer" ]
#add_tag => [ "conf_file_6002"]
}
}
}

33
salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf Normal file
View File

@@ -0,0 +1,33 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "brocade" {
grok {
match => ["message", "<%{DATA}>%{GREEDYDATA:sys_message}"]
}
grok {
match => { "sys_message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid:int}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
}
if [syslog_message] =~ "Interface ethernet" or [syslog_program] == "PORT" {
grok {
match => { "syslog_message" => "%{DATA}%{INT:unit}\/%{INT:interface_type}\/%{INT:interface:int}" }
}
mutate {
add_field => { "interface_port" => "%{unit}/%{interface_type}/%{interface}" }
}
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
timezone => "America/Chicago"
remove_field => "syslog_timestamp"
remove_field => "received_at"
}
mutate {
#add_tag => [ "conf_file_6101"]
}
}
}

281
salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf Normal file
View File

@@ -0,0 +1,281 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "fortinet" {
mutate {
gsub => [ "message", "= ", "=NA " ]
}
grok {
match => ["message", "type=%{DATA:event_type}\s+"]
tag_on_failure => []
}
grok {
match => ["message", "<%{DATA}>%{GREEDYDATA:kv}"]
tag_on_failure => []
}
kv {
source => "kv"
exclude_keys => [ "type" ]
}
mutate {
gsub => [ "log", "= ", "=NA " ]
}
kv {
source => "log"
target => "SubLog"
}
grok {
match => ["message", "custom: DOM-ALL, dns_query=%{DATA:dns_query};"]
tag_on_failure => [ "" ]
}
mutate {
rename => { "action" => "action" }
rename => { "addr" => "addr_ip" }
rename => { "age" => "age" }
rename => { "assigned" => "assigned_ip" }
rename => { "assignip" => "assign_ip" }
rename => { "ap" => "access_point" }
rename => { "app" => "application" }
rename => { "appcat" => "application_category" }
rename => { "applist" => "application_list" }
rename => { "apprisk" => "application_risk" }
rename => { "approfile" => "accessPoint_profile" }
rename => { "apscan" => "access_point_scan" }
rename => { "apstatus" => "acces_point_status" }
rename => { "aptype" => "access_point_type" }
rename => { "authproto" => "authentication_protocol" }
rename => { "bandwidth" => "bandwidth" }
rename => { "banned_src" => "banned_source" }
rename => { "cat" => "category" }
rename => { "catdesc" => "category_description" }
rename => { "cfgattr" => "configuration_attribute" }
rename => { "cfgobj" => "configuration_object" }
rename => { "cfgpath" => "configuration_path" }
rename => { "cfgtid" => "configuration_transaction_id" }
rename => { "channel" => "channel" }
rename => { "community" => "community" }
rename => { "cookies" => "cookies" }
rename => { "craction" => "cr_action" }
rename => { "crlevel" => "cr_level" }
rename => { "crscore" => "cr_score" }
rename => { "datarange" => "data_range" }
rename => { "desc" => "description" }
rename => { "detectionmethod" => "detection_method" }
rename => { "devid" => "device_id" }
rename => { "devname" => "device_name" }
rename => { "devtype" => "device_type" }
rename => { "dhcp_msg" => "dhcp_message" }
rename => { "disklograte" => "disk_lograte" }
rename => { "dstcountry" => "destination_country" }
rename => { "dstintf" => "destination_interface" }
rename => { "dstip" => "destination_ip" }
rename => { "dstport" => "destination_port" }
rename => { "duration" => "elapsed_time" }
rename => { "error_num" => "error_number" }
rename => { "espauth" => "esp_authentication" }
rename => { "esptransform" => "esp_transform" }
rename => { "eventid" => "event_id" }
rename => { "eventtype" => "event_type" }
rename => { "fazlograte" => "faz_lograte" }
rename => { "filename" => "file_name" }
rename => { "filesize" => "file_size" }
rename => { "filetype" => "file_type" }
rename => { "hostname" => "hostname" }
rename => { "ip" => "source_ip" }
rename => { "localip" => "source_ip" }
rename => { "locip" => "local_ip" }
rename => { "locport" => "source_port" }
rename => { "logid" => "log_id" }
rename => { "logver" => "log_version" }
rename => { "manuf" => "manufacturer" }
rename => { "mem" => "memory" }
rename => { "meshmode" => "mesh_mode" }
rename => { "msg" => "message" }
rename => { "nextstat" => "next_stat" }
rename => { "onwire" => "on_wire" }
rename => { "osname" => "os_name" }
rename => { "osversion" => "unauthenticated_user" }
rename => { "outintf" => "outbound_interface" }
rename => { "peer_notif" => "peer_notification" }
rename => { "phase2_name" => "phase2_name" }
rename => { "policyid" => "policy_id" }
rename => { "policytype" => "policy_type" }
rename => { "port" => "port" }
rename => { "probeproto" => "probe_protocol" }
rename => { "proto" => "protocol_number" }
rename => { "radioband" => "radio_band" }
rename => { "radioidclosest" => "radio_id_closest" }
rename => { "radioiddetected" => "radio_id_detected" }
rename => { "rcvd" => "bytes_received" }
rename => { "rcvdbyte" => "bytes_received" }
rename => { "rcvdpkt" => "packets_received" }
rename => { "remip" => "destination_ip" }
rename => { "remport" => "remote_port" }
rename => { "reqtype" => "request_type" }
rename => { "scantime" => "scan_time" }
rename => { "securitymode" => "security_mode" }
rename => { "sent" => "bytes_sent" }
rename => { "sentbyte" => "bytes_sent" }
rename => { "sentpkt" => "packets_sent" }
rename => { "session_id" => "session_id" }
rename => { "setuprate" => "setup_rate" }
rename => { "sn" => "serial" }
rename => { "snclosest" => "serial_closest_access_point" }
rename => { "sndetected" => "serial_access_point_that_detected_rogue_ap" }
rename => { "snmeshparent" => "serial_mesh_parent" }
rename => { "srccountry" => "source_country" }
rename => { "srcip" => "source_ip" }
rename => { "srcmac" => "source_mac" }
rename => { "srcname" => "source_name" }
rename => { "srcintf" => "source_interface" }
rename => { "srcport" => "source_port" }
rename => { "stacount" => "station_count" }
rename => { "stamac" => "static_mac" }
rename => { "srccountry" => "source_country" }
rename => { "srcip" => "source_ip" }
rename => { "srcmac" => "source_mac" }
rename => { "srcname" => "source_name" }
rename => { "sn" => "serial" }
rename => { "srcintf" => "source_interface" }
rename => { "srcport" => "source_port" }
rename => { "total" => "total_bytes" }
rename => { "totalsession" => "total_sessions" }
rename => { "trandisp" => "nat_translation_type" }
rename => { "tranip" => "nat_destination_ip" }
rename => { "tranport" => "nat_destination_port" }
rename => { "transip" => "nat_source_ip" }
rename => { "transport" => "nat_source_port" }
rename => { "tunnelid" => "tunnel_id" }
rename => { "tunnelip" => "tunnel_ip" }
rename => { "tunneltype" => "tunnel_type" }
rename => { "unauthuser" => "unauthenticated_user_source" }
rename => { "unauthusersource" => "os_version" }
rename => { "vendorurl" => "vendor_url" }
rename => { "vpntunnel" => "vpn_tunnel" }
rename => { "vulncat" => "vulnerability_category" }
rename => { "vulncmt" => "vulnerability_count" }
rename => { "vulnid" => "vulnerability_id" }
rename => { "vulnname" => "vulnerability_name" }
rename => { "vulnref" => "vulnerability_reference" }
rename => { "vulnscore" => "vulnerability_score" }
rename => { "xauthgroup" => "x_authentication_group" }
rename => { "xauthuser" => "x_authentication_user" }
rename => { "[SubLog][appid]" => "sub_application_id" }
rename => { "[SubLog][devid]" => "sub_device_id" }
rename => { "[SubLog][dstip]" => "sub_destination_ip" }
rename => { "[SubLog][srcip]" => "sub_source_ip" }
rename => { "[SubLog][dstport]" => "sub_destination_port" }
rename => { "[SubLog][eventtype]" => "sub_event_type" }
rename => { "[SubLog][proto]" => "sub_protocol_number" }
rename => { "[SubLog][date]" => "sub_date" }
rename => { "[SubLog][time]" => "sub_time" }
rename => { "[SubLog][srcport]" => "sub_source_port" }
rename => { "[SubLog][subtype]" => "sub_subtype" }
rename => { "[SubLog][devname]" => "sub_device_name" }
rename => { "[SubLog][itime]" => "sub_itime" }
rename => { "[SubLog][level]" => "sub_level" }
rename => { "[SubLog][logid]" => "sub_log_id" }
rename => { "[SubLog][logver]" => "sub_log_version" }
rename => { "[SubLog][type]" => "sub_event_type" }
rename => { "[SubLog][vd]" => "sub_vd" }
rename => { "[SubLog][action]" => "sub_action" }
rename => { "[SubLog][logdesc]" => "sub_destination_ip" }
rename => { "[SubLog][policyid]" => "sub_olicy_id" }
rename => { "[SubLog][reason]" => "sub_reason" }
rename => { "[SubLog][service]" => "sub_service" }
rename => { "[SubLog][sessionid]" => "sub_session_id" }
rename => { "[SubLog][src]" => "sub_source_ip" }
rename => { "[SubLog][status]" => "sub_status" }
rename => { "[SubLog][ui]" => "sub_ui" }
rename => { "[SubLog][urlfilteridx]" => "sub_url_filter_idx" }
strip => [ "bytes_sent", "bytes_received" ]
convert => [ "bytes_sent", "integer" ]
convert => [ "bytes_received", "integer" ]
convert => [ "cr_score", "integer" ]
convert => [ "cr_action", "integer" ]
convert => [ "elapsed_time", "integer" ]
convert => [ "destination_port", "integer" ]
convert => [ "source_port", "integer" ]
convert => [ "local_port", "integer" ]
convert => [ "remote_port", "integer" ]
convert => [ "packets_sent", "integer" ]
convert => [ "packets_received", "integer" ]
convert => [ "port", "integer" ]
convert => [ "ProtocolNumber", "integer" ]
convert => [ "XAuthUser", "string" ]
remove_field => [ "kv", "log" ]
}
if [tunnel_ip] == "N/A" {
mutate {
remove_field => [ "tunnel_ip" ]
}
}
if [nat_destination_ip] {
mutate {
add_field => { "ips" => [ "%{nat_destination_ip}" ] }
add_field => { "destination_ips" => [ "%{nat_destination_ip}" ] }
}
}
if [sub_destination_ip] {
mutate {
add_field => { "ips" => [ "%{sub_destination_ip}" ] }
add_field => { "destination_ips" => [ "%{sub_destination_ip}" ] }
}
}
if [nat_source_ip] {
mutate {
add_field => { "ips" => [ "%{nat_source_ip}" ] }
add_field => { "source_ips" => [ "%{nat_source_ip}" ] }
}
}
if [sub_source_ip] {
mutate {
add_field => { "ips" => [ "%{sub_source_ip}" ] }
add_field => { "source_ips" => [ "%{sub_source_ip}" ] }
}
}
if [addr_ip] {
mutate {
add_field => { "ips" => [ "%{addr_ip}" ] }
}
}
if [assign_ip] {
mutate {
add_field => { "ips" => [ "%{assign_ip}" ] }
}
}
if [assigned_ip] {
mutate {
add_field => { "ips" => [ "%{assigned_ip}" ] }
}
}
grok {
match => ["message", "type=%{DATA:event_type}\s+"]
}
if [date] and [time] {
mutate {
add_field => { "receive_time" => "%{date} %{time}" }
remove_field => [ "date", "time" ]
}
date {
timezone => "America/Chicago"
match => [ "receive_time", "YYYY-MM-dd HH:mm:ss" ]
target => "receive_time"
}
mutate {
rename => { "receive_time" => "@timestamp" }
}
} else {
mutate {
add_tag => [ "missing_date" ]
}
}
mutate {
#add_tag => [ "conf_file_6200"]
}
}
}

56
salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf Normal file
View File

@@ -0,0 +1,56 @@
# Author: Wes Lambert
# Updated by: Doug Burks
filter {
if [type] == "filterlog" {
dissect {
mapping => {
"message" => "%{rule_number},%{sub_rule_number},%{anchor},%{tracker_id},%{interface},%{reason},%{action},%{direction},%{ip_version},%{sub_msg}"
}
}
if [ip_version] == "4" {
dissect {
mapping => {
"sub_msg" => "%{ipv4_tos},%{ipv4_ecn},%{ipv4_ttl},%{ipv4_id},%{ipv4_offset},%{ipv4_flags},%{protocol_id},%{protocol},%{protocol_length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
}
}
}
if [ip_version] == "6" {
dissect {
mapping => {
"sub_msg" => "%{class},%{flow_label},%{hop_limit},%{protocol},%{protocol_id},%{length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
}
}
}
if [protocol] == "tcp" {
dissect {
mapping => {
"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length},%{tcp_flags},"
}
}
}
if [protocol] == "udp" {
dissect {
mapping => {
"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length}"
}
}
}
if [protocol] == "Options" {
mutate {
copy => { "ip_sub_msg" => "options" }
}
mutate {
split => { "options" => "," }
}
}
mutate {
convert => [ "destination_port", "integer" ]
convert => [ "source_port", "integer" ]
convert => [ "ip_version", "integer" ]
replace => { "type" => "firewall" }
add_tag => [ "pfsense","firewall" ]
remove_field => [ "sub_msg", "ip_sub_msg" ]
}
}
}

161
salt/logstash/conf/pipelines/eval/6300_windows.conf Normal file
View File

@@ -0,0 +1,161 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "windows" {
# json {
# source => "message"
# }
date {
match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
remove_field => [ "EventTime" ]
}
if [EventID] == 4634 {
mutate {
add_tag => [ "logoff" ]
}
}
if [EventID] == 4624 or [EventID] == 528 or [EventID] == 540 or [EventID] == 552 or [EventID] == 682 or [EventID] == 4648 or [EventID] == 4778 {
mutate {
add_tag => [ "logon" ]
add_tag => [ "alert_data" ]
}
}
if [EventID] == 529 or [EventID] == 4625 or [EventID] == 530 or [EventID] == 531 or [EventID] == 532 or [EventID] == 533 or [EventID] == 534 or [EventID] == 535 or [EventID] == 536 or [EventID] == 536 or [EventID] == 537 or [EventID] == 538 or [EventID] == 539 or [EventID] == 4625 or [EventID] == 4771 {
mutate {
add_tag => [ "logon_failure" ]
add_tag => [ "alert_data" ]
}
}
# Critical event IDs to monitor
if [EventID] == 7030 or [EventID] == 4720 or [EventID] == 4722 or [EventID] == 4724 or [EventID] == 4738 or [EventID] == 4732 or [EventID] == 1102 or [EventID] == 1056 or [EventID] == 2003 or [EventID] == 2005 or [EventID] == 8003 or [EventID] == 8004 or [EventID] == 8006 or [EventID] == 8007 {
mutate {
add_tag => [ "alert_data" ]
}
}
# Critical event IDs to monitor
if [EventID] == 5152 { drop {} }
if [EventID] == 4688 { drop {} }
if [EventID] == 4689 { drop {} } # Process Termination:Not needed due to Sysmon
if [Channel] == "Microsoft-Windows-Known Folders API Service" { drop {} }
if [EventID] == 3 and [SourceIp] =~ "255$" { drop {} }
if [EventID] == 3 and [DestinationIp] =~ "255$" { drop {} }
# Whitelist/Blacklist check
if [EventID] == 7045 {
translate {
field => "ServiceName"
destination => "ServiceCheck"
dictionary_path => "/lib/dictionaries/services.yaml"
}
}
if [EventID] == 7045 and !([ServiceCheck]) {
mutate {
add_tag => [ "alert_data","new_service" ]
}
}
if [ServiceCheck] == 'whitelist' {
mutate {
remove_field => [ "ServiceCheck" ]
add_tag => [ "whitelist" ]
}
}
if [ServiceCheck] == 'blacklist' {
mutate {
remove_field => [ "ServiceCheck" ]
add_tag => [ "blacklist" ]
}
}
if [EventID] == 5158 {
if [Application] == "System" { drop {} }
if [Application] =~ "\\windows\\system32\\spoolsv\.exe" { drop {} }
if [Application] =~ "\\windows\\system32\\wbem\\wmiprvse\.exe" { drop {} }
if [Application] =~ "mcafee" { drop {} }
if [Application] =~ "carestream" { drop {} }
if [Application] =~ "Softdent" { drop {} }
}
if [ProcessName] == "C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe" and [SubjectUserName] == "SolarwindsHO" { drop {} }
if [EventID] == 4690 { drop {} }
if [EventID] == 861 and [AccountName] == "ntp" { drop {} }
if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\lsass\.exe$" { drop {} }
if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\svchost\.exe$" { drop {} }
if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\dfsrs\.exe$" { drop {} }
if [EventID] == 5447 { drop {} }
mutate {
rename => [ "AccountName", "user" ]
rename => [ "AccountType", "account_type" ]
rename => [ "ActivityID", "activity_id" ]
rename => [ "Category", "category" ]
rename => [ "ClientAddress", "client_ip" ]
rename => [ "Channel", "channel" ]
rename => [ "DCIPAddress", "domain_controller_ip" ]
rename => [ "DCName", "domain_controller_name" ]
rename => [ "EventID", "event_id" ]
rename => [ "EventReceivedTime", "event_received_time" ]
rename => [ "EventType", "event_type" ]
rename => [ "GatewayIPAddress", "gateway_ip" ]
rename => [ "IPAddress", "client_ip" ]
rename => [ "Ipaddress", "client_ip" ]
rename => [ "IpAddress", "client_ip" ]
rename => [ "IPPort", "source_port" ]
rename => [ "OpcodeValue", "opcode_value" ]
rename => [ "PreAuthType", "preauthentication_type" ]
rename => [ "PrincipleSAMName", "user" ]
rename => [ "ProcessID", "process_id" ]
rename => [ "ProviderGUID", "providerguid" ]
rename => [ "RecordNumber", "record_number" ]
rename => [ "RemoteAddress", "destination_ip" ]
rename => [ "ServiceName", "service_name" ]
rename => [ "ServiceID", "service_id" ]
rename => [ "SeverityValue", "severity_value" ]
rename => [ "SourceAddress", "client_ip" ]
rename => [ "SourceModuleName", "source_module_name" ]
rename => [ "SourceModuleType", "source_module_type" ]
rename => [ "SourceName", "source_name" ]
rename => [ "SubjectUserName", "user" ]
rename => [ "TaskName", "task_name" ]
rename => [ "TargetDomainName", "target_domain_name" ]
rename => [ "TargetUserName", "user" ]
rename => [ "ThreadID", "thread_id" ]
rename => [ "User_ID", "user" ]
rename => [ "UserID", "user" ]
rename => [ "username", "user" ]
}
# For any accounts that are service accounts or special accounts add the tag of service_account
# This example applies the tag to any username that starts with SVC_. If you use a different
# standard change this.
if [user] =~ "^DWM-*" or [user] == "SYSTEM" or [user] == "NETWORK SERVICE" or [user] == "LOCAL SERVICE" or [user] =~ "^SVC_*" {
mutate {
add_tag => [ "service_account" ]
}
}
# This looks for events that are typically noisy but may be of use for deep dive investigations
# A tag of noise is added to quickly filter out noise
if [event_id] == 7036 or [source_name] == "Desktop Window Manager" or [category] == "Engine Lifecycle" or [category] == "Provider Lifecycle" {
mutate {
add_tag => [ "noise" ]
}
}
#Identify machine accounts
if [user] =~ /\$/ {
mutate {
add_tag => [ "machine", "noise" ]
}
}
# Lower case all field names
ruby {
code => "
event_hash = event.to_hash
new_event = {}
event_hash.keys.each do |key|
new_event[key.downcase] = event[key]
end
event.instance_variable_set(:@data, new_event)"
}
mutate {
#add_tag => [ "conf_file_6300"]
}
}
}

49
salt/logstash/conf/pipelines/eval/6301_dns_windows.conf Normal file
View File

@@ -0,0 +1,49 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "dns" and "bro" not in [tags] {
json {
source => "message"
}
# strip whitespace from message field
mutate {
strip => "message"
}
# If the message is blank, drop the log
if [Message] =~ /^$/ {
drop { }
} else {
if [type] == "dns" {
# This section is lookup for a match against the log and parsing out the fields
grok {
match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
# Server 2003 DNS logs do not include slashes or AM/PM in timestamp
match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
remove_field => [ "Message" ]
}
# This section attempts to convert the dns_domain into the traditional domain.com format
mutate {
gsub => [ "dns_domain", "(\(\d+\))", "." ]
}
grok {
match => { "dns_domain" => "\.%{DATA:query}\.$" }
remove_field => [ "dns_domain" ]
}
}
}
mutate {
#add_tag => [ "conf_file_6301"]
}
}
}

92
salt/logstash/conf/pipelines/eval/6400_suricata.conf Normal file
View File

@@ -0,0 +1,92 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
#
# This conf file is based on accepting logs for suricata json events
filter {
if [type] == "suricata" {
if "test_data" not in [tags] {
date {
match => [ "timestamp", "ISO8601" ]
}
} else {
mutate {
remove_field => [ "netflow.start","netflow.end","timestamp" ]
}
}
if [event_type] == "fileinfo" {
ruby {
code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
}
}
# I recommend renaming the fields below to be consistent with other log sources. This makes it easy to "pivot" between logs
mutate {
rename => [ "src_ip", "source_ip" ]
rename => [ "dest_ip", "destination_ip" ]
rename => [ "src_port", "source_port" ]
rename => [ "dest_port", "destination_port" ]
}
# This will translate the alert.severity field into a severity field of either High, Medium, or Low
if [event_type] == "alert" {
if [alert][severity] == 1 {
mutate {
add_field => { "severity" => "High" }
}
}
if [alert][severity] == 2 {
mutate {
add_field => { "severity" => "Medium" }
}
}
if [alert][severity] == 3 {
mutate {
add_field => { "severity" => "Low" }
}
}
# If the alert is a Snort GPL alert break it apart for easier reading and categorization
if [alert][signature] =~ "GPL " {
# This will parse out the category type from the alert
grok {
match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Snort GPL" }
lowercase => [ "category" ]
}
}
# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
if [alert][signature] =~ "ET " {
# This will parse out the category type from the alert
grok {
match => { "[alert][signature]" => "ET\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Emerging Threats" }
lowercase => [ "category" ]
}
}
# This section adds URLs to lookup information about a rule online
if [rule_type] == "Snort GPL" {
mutate {
add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
}
}
if [rule_type] == "Emerging Threats" {
mutate {
add_field => [ "signature_info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ]
}
}
}
if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
# mutate {
# remove_field => [ "message" ]
# }
}
mutate {
#add_tag => [ "conf_file_6400"]
}
}
}

160
salt/logstash/conf/pipelines/eval/6500_ossec.conf Normal file
View File

@@ -0,0 +1,160 @@
# Author: Wes Lambert
#
# Last Update: 09/19/2018
#
# This conf file is based on accepting logs from OSSEC
filter {
# OSSEC Alerts
if [type] == "ossec" {
# Sysmon/Autoruns logs transported by OSSEC
if [message] =~ "Microsoft-Windows-Sysmon" {
mutate {
replace => { "type" => "sysmon" }
add_tag => [ "ossec" ]
}
}
if [message] =~ "AR-LOG" {
mutate {
replace => { "type" => "autoruns" }
add_tag => [ "ossec" ]
}
}
# If message looks like json, try to parse it as such. Otherwise, grok.
if [message] =~ /^{.*}$/ {
json {
source => "message"
}
mutate {
rename => { "rule" => "wazuh-rule" }
rename => { "[wazuh-rule][level]" => "alert_level" }
rename => { "[wazuh-rule][description]" => "description" }
rename => { "[data][srcuser]" => "username" }
rename => { "[data][dstuser]" => "escalated_user" }
rename => { "[data][command]" => "command" }
rename => { "[predecoder][program_name]" => "process" }
}
# Wazuh 3.8.2
if [data][EventChannel] {
mutate {
rename => { "[data][EventChannel][EventData][User]" => "username" }
rename => { "[data][EventChannel][System][EventID]" => "event_id" }
rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
}
}
# Wazuh 3.9.2
if [data][win] {
mutate {
rename => { "[data][win][eventdata][user]" => "username" }
rename => { "[data][win][system][eventID]" => "event_id" }
rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
}
}
} else {
grok {
match => ["message", "Alert Level: %{NONNEGINT;alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; user: +%{DATA:username}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{INT:pid}]: %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; srcip: %{IP:source_ip};%{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{INT:num_packets}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{GREEDYDATA:details}.",
"message", "Alert Level: %{NONNEGINT:alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:location}; user: +%{DATA:username};",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{NONNEGINT:num_packets}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{GREEDYDATA:details}"]
}
}
# Add tag for OSSEC alerts
if [alert_level] {
mutate {
add_tag => [ "alert" ]
}
}
translate {
field => "alert_level"
destination => "classification"
dictionary => [
"1", "None",
"2", "System low priority notification",
"3", "Successful/authorized event",
"4", "System low priority error",
"5", "User generated error",
"6", "Low relevance attack",
"7", '"Bad word" matching',
"8", "First time seen",
"9", "Error from invalid source",
"10", "Multiple user generated errors",
"11", "Integrity checking warning",
"12", "High importance event",
"13", "Unusal error (high importance)",
"14", "High importance security event",
"15", "Severe attack"
]
}
}
# OSSEC Archive Logs
if [type] == "ossec_archive" {
# Sysmon/Autoruns logs transported by OSSEC
if [message] =~ "Microsoft-Windows-Sysmon" {
mutate {
replace => { "type" => "sysmon" }
add_tag => [ "ossec" ]
}
}
if [message] =~ "AR-LOG" {
mutate {
replace => { "type" => "autoruns" }
add_tag => [ "ossec" ]
}
}
# If message looks like json, try to parse it as such. Otherwise, grok.
if [message] =~ /^{.*}$/ {
json {
source => "message"
}
mutate {
rename => [ "rule", "wazuh-rule" ]
rename => [ "[wazuh-rule][level]", "alert_level" ]
rename => [ "[wazuh-rule][description]", "description" ]
rename => [ "[data][srcuser]", "username" ]
rename => [ "[data][dstuser]", "escalated_user" ]
rename => [ "[data][command]", "command" ]
rename => [ "[predecoder][program_name]", "process" ]
}
} else {
grok {
match => ["message",'%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip} - %{DATA:username} \[%{DATA:request_timestamp}] "%{DATA:method} %{DATA:requested_resource} %{DATA:protocol}\/%{DATA:protocol_version}" %{NONNEGINT:status_code} %{NONNEGINT:object_size} "%{DATA:referrer}" "%{DATA:user_agent}"',
"message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: \(%{DATA:username}\) CMD \(%{DATA:command}\)",
"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{GREEDYDATA:details}","message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:ossec_host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
"message","%{DATA:age} %{DATA:program} %{DATA} '%{DATA:checksum}'",
"message", "%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}"]
remove_field => [ "ossec_timestamp" ]
}
mutate {
convert => [ "status_code", "integer" ]
}
}
}
}

118
salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf Normal file
View File

@@ -0,0 +1,118 @@
# Author: Wes Lambert
# wlambertts@gmail.com
#
# This conf file is based on accepting Sysmon logs from OSSEC
#
# Parse using grok
filter {
# OSSEC Logs and Alerts
if [type] == "sysmon" or "sysmon" in [tags] {
if [message] !~ /^{.*}$/ {
#mutate { replace => { "type" => "sysmon" } }
grok {
# match => ["message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip}->WinEvtLog %{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(%{INT:sysmon_event_id}\):"]
match => ["message", "%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{DATA:location}%{SPACE}(any|%{IP:source_ip})->WinEvtLog%{SPACE}%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:ossec_timestamp}%{SPACE}WinEvtLog:%{SPACE}Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION\(%{INT:event_id}\):%{SPACE}%{GREEDYDATA:rest_of_msg}"]
}
mutate {
convert => ["event_id", "integer"]
remove_field => ["timestamp"]
remove_field => ["year"]
}
if [event_id] == 1 {
grok {
match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name} %{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}",
"rest_of_msg", 'Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}"%{DATA:process_name}"%{SPACE}%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{DATA:integrity_level}',
"rest_of_msg", "Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION(%{INT:event_id}):%{SPACE}Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}{%{DATA:process_guid}}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name}%{SPACE}%{DATA:process_arguments}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}{%{DATA:logon_guid}}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}{%{DATA:parent_process_guid}}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}"]
}
mutate {
convert => ["process_guid", "integer"]
convert => ["process_id", "integer"]
add_tag => ["process_creation"]
}
}
if [event_id] == 3 {
mutate {
remove_field => ["source_ip"]
}
grok {
match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}Protocol:%{SPACE}%{DATA:protocol}%{SPACE}Initiated:%{SPACE}%{DATA:initiated}%{SPACE}SourceIsIpv6:%{SPACE}%{DATA:is_source_ipv6}%{SPACE}SourceIp:%{SPACE}%{IP:source_ip}%{SPACE}SourceHostname:%{SPACE}%{DATA:source_hostname}%{SPACE}SourcePort:%{SPACE}%{NONNEGINT:source_port}%{SPACE}SourcePortName:%{SPACE}%{DATA:source_port_name}%{SPACE}DestinationIsIpv6:%{SPACE}%{DATA:dest_is_ipv6}%{SPACE}DestinationIp:%{SPACE}%{IP:destination_ip}%{SPACE}DestinationHostname:%{SPACE}%{DATA:destination_hostname}%{SPACE}DestinationPort:%{SPACE}%{NONNEGINT:destination_port}%{SPACE}DestinationPortName:%{SPACE}%{GREEDYDATA:destination_port_name}"]
}
mutate {
convert => ["process_guid", "integer"]
convert => ["process_id", "integer"]
convert => ["source_port", "integer"]
convert => ["destination_port", "integer"]
add_tag => ["network_connection"]
}
}
if [event_id] == 5 {
grok {
match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{GREEDYDATA:image_path}"]
}
mutate {
convert => ["process_guid", "integer"]
convert => ["process_id", "integer"]
add_tag => ["process_termination"]
}
}
if [event_id] == 11 {
grok {
match => ["rest_of_msg","Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}TargetFilename:%{SPACE}%{DATA:target_filename}%{SPACE}CreationUtcTime:%{SPACE}%{DATA:creation_time}%{SPACE}"]
}
mutate {
convert => ["process_guid", "integer"]
convert => ["process_id", "integer"]
add_tag => ["file_created"]
}
}
mutate {
remove_field => ["rest_of_msg"]
}
} else {
mutate {
rename => { "[data][srcuser]" => "username" }
rename => { "[data][id]" => "event_id" }
rename => { "[data][dstport]" => "destination_port" }
rename => { "[data][dstip]" => "destination_ip" }
rename => { "[data][srcip]" => "source_ip" }
rename => { "[data][sysmon][image]" => "image_path" }
rename => { "[data][sysmon][parentImage]" => "parent_image_path" }
rename => { "[data][sysmon][targetfilename]" => "target_filename" }
rename => { "[data][sysmon][sourceHostname]" => "source_hostname" }
rename => { "[data][sysmon][destinationHostname]" => "destination_hostname" }
}
# Wazuh 3.8.2
if [data][EventChannel] {
mutate {
rename => { "[data][EventChannel][EventData][User]" => "username" }
rename => { "[data][EventChannel][System][EventID]" => "event_id" }
rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
rename => { "[data][EventChannel][EventData][Image]" => "image_path" }
rename => { "[data][EventChannel][EventData][ParentImage]" => "parent_image_path" }
rename => { "[data][EventChannel][EventData][TargetFilename]" => "target_filename" }
rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
}
}
# Wazuh 3.9.2
if [data][win] {
mutate {
rename => { "[data][win][eventdata][user]" => "username" }
rename => { "[data][win][system][eventID]" => "event_id" }
rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
rename => { "[data][win][eventdata][image]" => "image_path" }
rename => { "[data][win][eventdata][parentImage]" => "parent_image_path" }
rename => { "[data][win][eventdata][targetFilename]" => "target_filename" }
rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
}
}
}
}
}

43
salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf Normal file
View File

@@ -0,0 +1,43 @@
# Author: Wes Lambert
# wlambertts@gmail.com
#
# Updated by: Dustin Lee
# Last Update: 06/13/2019
#
# This conf file is based on accepting Autoruns logs from OSSEC
#
# Parse using grok
filter {
if [type] == "autoruns" or "autoruns" in [tags] {
if [message] !~ /^{.*}$/ {
grok {
match => [
"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
]
}
#csv {
# columns => ["log_name","entry_location","entry","enabled","category","autoruns_description","signer","company","image_path","version","launch_string","md5","sha1","pesha1","pesha256","sha256","imphash"]
# separator => "|"
# }
mutate {
remove_field => [ "year" ]
remove_field => [ "timestamp" ]
}
} else {
grok {
match => [
"full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
"full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
]
}
mutate {
# Rename fields
}
}
date {
match => [ "image_timestamp", "yyyyMMdd-HHmmss" ]
target => "image_timestamp"
}
}
}

23
salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf Normal file
View File

@@ -0,0 +1,23 @@
# Author: Wes Lambert
#
# Last Update: 09/24/2018
#
# This conf file is based on accepting Sysmon logs from winlogbeat
filter {
if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
mutate {
replace => { "type" => "sysmon" }
rename => { "[event_data][User]" => "username" }
rename => { "[event_data][DestinationPort]" => "destination_port" }
rename => { "[event_data][DestinationIp]" => "destination_ip" }
rename => { "[event_data][SourceIp]" => "source_ip" }
rename => { "[event_data][Image]" => "image_path" }
rename => { "[event_data][ParentImage]" => "parent_image_path" }
rename => { "[data][sysmon][targetfilename]" => "target_filename" }
rename => { "[event_data][SourceHostname]" => "source_hostname" }
rename => { "[event_data][DestinationHostname]" => "destination_hostname" }
rename => { "[event_data][TargetFilename]" => "target_filename" }
}
}
}

17
salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf Normal file
View File

@@ -0,0 +1,17 @@
# Author: Doug Burks
#
# Last Update: 09/24/2018
#
# This conf file is for beat data
filter {
if "beat" in [tags] {
mutate {
# As of beats 6.3.0, host is now an object:
# https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-6.3.0.html
# This creates a conflict with our existing host string.
# So let's rename the host object to beat_host.
rename => { "host" => "beat_host" }
}
}
}

23
salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf Normal file
View File

@@ -0,0 +1,23 @@
# Author: Josh Brower
# Last Update: 12/28/2018
# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
filter {
if "osquery" in [tags] and [osquery][columns][eventid] {
mutate {
gsub => ["[osquery][columns][data]", "\\x0A", ""]
}
json {
source => "[osquery][columns][data]"
target => "[osquery][columns][data]"
}
mutate {
merge => { "[osquery][columns]" => "[osquery][columns][data]" }
remove_field => ["[osquery][columns][data]"]
}
}
}

58
salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf Normal file
View File

@@ -0,0 +1,58 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/20/2017
filter {
if [source_ip] {
if [source_ip] == "-" {
mutate {
replace => { "source_ip" => "0.0.0.0" }
}
}
if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
mutate {
}
} else {
geoip {
source => "[source_ip]"
target => "source_geo"
}
}
if [source_ip] {
mutate {
add_field => { "ips" => "%{source_ip}" }
add_field => { "source_ips" => [ "%{source_ip}" ] }
}
}
}
if [destination_ip] {
if [destination_ip] == "-" {
mutate {
replace => { "destination_ip" => "0.0.0.0" }
}
}
if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
mutate {
}
}
else {
geoip {
source => "[destination_ip]"
target => "destination_geo"
}
}
}
if [destination_ip] {
mutate {
add_field => { "ips" => "%{destination_ip}" }
add_field => { "destination_ips" => [ "%{destination_ip}" ] }
}
}
}
#if [source_ip] or [destination_ip] {
# mutate {
#add_tag => [ "conf_file_8001"]
# }
#}

27
salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf Normal file
View File

@@ -0,0 +1,27 @@
# Original Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/13/2017
filter {
if [type] == "bro_http" {
if [uri] {
ruby {
code => "event.set('uri_length', event.get('uri').length)"
}
}
if [virtual_host] {
ruby {
code => "event.set('virtual_host_length', event.get('virtual_host').length)"
}
}
if [useragent] {
ruby {
code => "event.set('useragent_length', event.get('useragent').length)"
}
}
mutate {
##add_tag => [ "conf_file_8007"]
}
}
}

63
salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf Normal file
View File

@@ -0,0 +1,63 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [destination_ip] {
if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
mutate {
add_tag => [ "internal_destination" ]
}
} else {
mutate {
add_tag => [ "external_destination" ]
}
}
if "internal_destination" not in [tags] {
if [destination_ip] == "198.41.0.4" or [destination_ip] == "192.228.79.201" or [destination_ip] == "192.33.4.12" or [destination_ip] == "199.7.91.13" or [destination_ip] == "192.203.230.10" or [destination_ip] == "192.5.5.241" or [destination_ip] == "192.112.36.4" or [destination_ip] == "198.97.190.53" or [destination_ip] == "192.36.148.17" or [destination_ip] == "192.58.128.30" or [destination_ip] == "193.0.14.129" or [destination_ip] == "199.7.83.42" or [destination_ip] == "202.12.27.33" {
mutate {
add_tag => [ "root_dns_server" ]
}
}
}
# Customize this section to your environment
if [destination_ip] == "74.40.74.40" or [destination_ip] == "74.40.74.41" {
mutate {
add_tag => [ "authorized_dns_server" ]
}
}
}
if [source_ip] {
if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
mutate {
add_tag => [ "internal_source" ]
}
} else {
mutate {
add_tag => [ "external_source" ]
}
}
if "internal_source" not in [tags] {
if [source_ip] == "198.41.0.4" or [source_ip] == "192.228.79.201" or [source_ip] == "192.33.4.12" or [source_ip] == "199.7.91.13" or [source_ip] == "192.203.230.10" or [source_ip] == "192.5.5.241" or [source_ip] == "192.112.36.4" or [source_ip] == "198.97.190.53" or [source_ip] == "192.36.148.17" or [source_ip] == "192.58.128.30" or [source_ip] == "193.0.14.129" or [source_ip] == "199.7.83.42" or [source_ip] == "202.12.27.33" {
mutate {
add_tag => [ "root_dns_server" ]
}
}
}
# Customize this section to your environment
if [destination_ip] == "74.40.74.40" and "authorized_dns_server" not in [tags] or [destination_ip] == "74.40.74.41" and "authorized_dns_server" not in [tags] {
mutate {
add_tag => [ "authorized_dns_server" ]
}
}
mutate {
##add_tag => [ "conf_file_8200"]
}
}
if [type] =~ /ossec|snort|firewall/ or "firewall" in [tags] {
mutate {
remove_tag => [ "syslog" ]
}
}
}

19
salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf Normal file
View File

@@ -0,0 +1,19 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
ruby {
code => "event.set('task_end', Time.now.to_f)"
}
ruby {
code => "event.set('logstash_time', event.get('task_end') - event.get('task_start'))"
}
mutate {
remove_field => [ 'task_start', 'task_end' ]
}
mutate {
#add_tag => [ "conf_file_8998"]
}
}

8
salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf Normal file
View File

@@ -0,0 +1,8 @@
# Author: Doug Burks
# Last Update: 12/10/2017
filter {
mutate {
rename => [ "type", "event_type" ]
}
}

31
salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf Normal file
View File

@@ -0,0 +1,31 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
mutate {
##add_tag => [ "conf_file_9000"]
}
}
}
output {
if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
# stdout { codec => rubydebug }
elasticsearch {
pipeline => "%{event_type}"
hosts => "{{ ES }}"
index => "logstash-bro-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"
template_overwrite => true
}
}
}

27
salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf Normal file
View File

@@ -0,0 +1,27 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if "switch" in [tags] and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9001"]
}
}
}
output {
if "switch" in [tags] and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-switch-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}
}
}

27
salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf Normal file
View File

@@ -0,0 +1,27 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Updated by: Doug Burks
# Last Update: 5/16/2017
filter {
if "import" in [tags] and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9002"]
}
}
}
output {
if "import" in [tags] and "test_data" not in [tags] {
# stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-import-%{+YYYY.MM.dd}"
template_name => "logstash-*"
template => "/logstash-template.json"
template_overwrite => true
}
}
}

27
salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf Normal file
View File

@@ -0,0 +1,27 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "sflow" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9004"]
}
}
}
output {
if [event_type] == "sflow" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-flow-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}
}
}

26
salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf Normal file
View File

@@ -0,0 +1,26 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "dhcp" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9026"]
}
}
}
output {
if [event_type] == "dhcp" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
}
}
}

25
salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf Normal file
View File

@@ -0,0 +1,25 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "esxi" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9029"]
}
}
}
output {
if [event_type] == "esxi" and "test_data" not in [tags] {
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
}
}
}

25
salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf Normal file
View File

@@ -0,0 +1,25 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "greensql" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9030"]
}
}
}
output {
if [event_type] == "greensql" and "test_data" not in [tags] {
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
}
}
}

26
salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf Normal file
View File

@@ -0,0 +1,26 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "iis" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9031"]
}
}
}
output {
if [event_type] == "iis" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
}
}
}

26
salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf Normal file
View File

@@ -0,0 +1,26 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "mcafee" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9032"]
}
}
}
output {
if [event_type] == "mcafee" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
}
}
}

29
salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf Normal file
View File

@@ -0,0 +1,29 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "ids" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9033"]
}
}
}
output {
if [event_type] == "ids" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-ids-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"
template_overwrite => true
}
}
}

28
salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf Normal file
View File

@@ -0,0 +1,28 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/15/2017
filter {
if "syslog" in [tags] and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9034"]
}
}
}
output {
if "syslog" in [tags] and "test_data" not in [tags] {
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-syslog-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"
template_overwrite => true
}
}
}

32
salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf Normal file
View File

@@ -0,0 +1,32 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Security Onion Solutions
# Last Update: 2/3/2020
# Output to ES for osquery tagged logs - EVAL install
filter {
if "osquery" in [tags] {
mutate {
rename => { "host" => "beat_host" }
remove_tag => ["beat"]
}
json {
source => "message"
target => "osquery"
}
}
}
output {
if "osquery" in [tags] {
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-osquery-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}
}
}

29
salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf Normal file
View File

@@ -0,0 +1,29 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if "firewall" in [tags] and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9200"]
}
}
}
output {
if "firewall" in [tags] and "test_data" not in [tags] {
# stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-firewall-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"
template_overwrite => true
}
}
}

27
salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf Normal file
View File

@@ -0,0 +1,27 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "windows" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9300"]
}
}
}
output {
if [event_type] == "windows" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-windows-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}
}
}

27
salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf Normal file
View File

@@ -0,0 +1,27 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "dns" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9301"]
}
}
}
output {
if [event_type] == "dns" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}
}
}

27
salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf Normal file
View File

@@ -0,0 +1,27 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [event_type] == "suricata" and "test_data" not in [tags] {
mutate {
##add_tag => [ "conf_file_9400"]
}
}
}
output {
if [event_type] == "suricata" and "test_data" not in [tags] {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-ids-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
}
}
}

25
salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf Normal file
View File

@@ -0,0 +1,25 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Wes Lambert
# Last Update: 09/14/2018
filter {
if "beat" in [tags] {
mutate {
##add_tag => [ "conf_file_9500"]
}
}
}
output {
if "beat" in [tags] {
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-beats-%{+YYYY.MM.dd}"
template_name => "logstash-beats"
template => "/beats-template.json"
template_overwrite => true
}
}
}

29
salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf Normal file
View File

@@ -0,0 +1,29 @@
{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 9/19/2018
filter {
if [event_type] =~ "ossec" {
mutate {
##add_tag => [ "conf_file_9600"]
}
}
}
output {
if [event_type] =~ "ossec" or "ossec" in [tags] {
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-ossec-%{+YYYY.MM.dd}"
template_name => "logstash-ossec"
template => "/logstash-ossec-template.json"
template_overwrite => true
}
}
}

26
salt/logstash/conf/pipelines/eval/templates/9999_output_redis.conf Normal file
View File

@@ -0,0 +1,26 @@
{%- if salt['grains.get']('role') == 'so-master' %}
{% set master = salt['pillar.get']('static:masterip', '') %}
{%- set nodetype = 'master' %}
{% elif grains.role == 'so-heavynode' %}
{% set master = salt['pillar.get']('node:mainip', '') %}
{%- set nodetype = salt['pillar.get']('node:node_type', 'search') %}
{%- else %}
{%- set nodetype = salt['pillar.get']('node:node_type', 'storage') %}
{% set master = salt['pillar.get']('static:masterip', '') %}
{%- endif %}
output {
redis {
host => '{{ master }}'
data_type => 'list'
{%- if nodetype == 'parser' %}
key => 'logstash:parsed'
{%- else %}
key => 'logstash:unparsed'
{%- endif %}
congestion_interval => 1
congestion_threshold => 50000000
# batch_events => 500
}
}

5
salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf
View File

@@ -1,10 +1,15 @@
{%- if salt['grains.get']('role') == 'so-master' %}
{% set master = salt['pillar.get']('static:masterip', '') %}
{%- set nodetype = 'master' %}
{% elif grains.role == 'so-heavynode' %}
{% set master = salt['pillar.get']('node:mainip', '') %}
{%- set nodetype = salt['pillar.get']('node:node_type', 'search') %}
{%- else %}
{%- set nodetype = salt['pillar.get']('node:node_type', 'storage') %}
{% set master = salt['pillar.get']('static:masterip', '') %}
{%- endif %}
output {
redis {
host => '{{ master }}'

Some files were not shown because too many files have changed in this diff Show More