From 42938a4e673c41f1582d3304b9f5e093c6b69281 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 12 Jun 2020 12:14:48 -0400
Subject: [PATCH] Add the makor Suricata parsers
---
 salt/elasticsearch/files/ingest/suricata.ftp | 6 ++++++
 salt/elasticsearch/files/ingest/suricata.ssh | 4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/suricata.ftp b/salt/elasticsearch/files/ingest/suricata.ftp
index a1b9ef7e3..7d29fa708 100644
--- a/salt/elasticsearch/files/ingest/suricata.ftp
+++ b/salt/elasticsearch/files/ingest/suricata.ftp
@@ -3,6 +3,12 @@
 "processors" : [
 { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
 { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.reply", "target_field": "server.reply_message", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.completion_code", "target_field": "server.reply_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.reply_received", "target_field": "server.reply_received", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.command", "target_field": "ftp.command", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.command_data", "target_field": "ftp.command_data", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.dynamic_port", "target_field": "ftp.data_channel_destination.port", "ignore_missing": true } },
 { "pipeline": { "name": "common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/suricata.ssh b/salt/elasticsearch/files/ingest/suricata.ssh
index bf48968d7..894958906 100644
--- a/salt/elasticsearch/files/ingest/suricata.ssh
+++ b/salt/elasticsearch/files/ingest/suricata.ssh
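Review bot: The fifth added rename copies `message2.ftp.command_data` into `ftp.command_data` for every FTP command, so if Suricata's EVE record carries the argument of a `PASS` command this pipeline will index clear-text FTP passwords alongside the session, readable by anyone with search access to the index. Consider masking or dropping that value before the `common` pipeline runs, for example a processor placed after the `ftp.command` rename such as `{ "remove": { "field": "ftp.command_data", "if": "ctx.ftp?.command == 'PASS'", "ignore_missing": true } }`; whether Suricata logs the PASS argument should be confirmed against the sensor's FTP EVE output. Separately, the three `server.reply_*` targets put custom keys inside the ECS-reserved `server.*` namespace while the command fields go under the custom `ftp.*` prefix; keeping all FTP-specific fields under `ftp.*` (e.g. `ftp.reply_message`, `ftp.reply_code`) avoids mixing custom and ECS fields in one object and the mapping conflicts that tends to cause later.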
@@ -2,7 +2,9 @@
 "description" : "suricata.ssh",
 "processors" : [
 { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
- { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.ssh.client.proto_version", "target_field": "ssh.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.ssh.client.software_version", "target_field": "ssh.client", "ignore_missing": true } },
+ { "rename": { "field": "message2.ssh.server.proto_version", "target_field": "ssh.server", "ignore_missing": true } },
 { "pipeline": { "name": "common" } }
 ]
 }
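Review bot: The third added rename maps `message2.ssh.server.proto_version` to `ssh.server`, which does not match the line above where the client's `software_version`, not its `proto_version`, becomes `ssh.client`; this looks like a copy-paste slip that would put a protocol version string (e.g. "2.0") where analysts expect the server software banner. The line should probably read `{ "rename": { "field": "message2.ssh.server.software_version", "target_field": "ssh.server", "ignore_missing": true } }`, and if the server's `proto_version` is also wanted it needs its own target rather than overloading `ssh.server`. The removed `message2.app_proto` rename also means this pipeline no longer sets `network.protocol` while the sibling suricata.ftp pipeline in this same patch still does; if that is deliberate it deserves a sentence in the commit message, otherwise the rename should stay so both pipelines populate the same ECS fields.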