CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9228 from Security-Onion-Solutions/fix/zeek-ics-eventfields

Browse Source 
More Zeek ICS changes
This commit is contained in:
Doug Burks
2022-11-29 09:18:40 -05:00
committed by GitHub
parent 92e238aa10 1bb76bb251
commit 45cdd16308
21 changed files with 159 additions and 157 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
salt/elasticsearch/files/ingest/zeek.bacnet_discovery
View File

@@ -4,7 +4,6 @@
{ "remove": { "field": ["host"], "ignore_failure": true } }, { "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } }, { "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
{ "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
{ "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } }, { "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
{ "rename": { "field": "message2.object_type", "target_field": "bacnet.object.type", "ignore_missing": true } }, { "rename": { "field": "message2.object_type", "target_field": "bacnet.object.type", "ignore_missing": true } },
{ "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } }, { "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },

1
salt/elasticsearch/files/ingest/zeek.bacnet_property
View File

@@ -3,7 +3,6 @@
"processors" : [ "processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } }, { "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } }, { "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
{ "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } }, { "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
{ "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } }, { "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },

6
salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb
View File

@@ -3,10 +3,10 @@
"processors" : [ "processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } }, { "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.header_size", "target_field": "bsap.header.legnth", "ignore_missing": true } }, { "rename": { "field": "message2.header_size", "target_field": "bsap.header.length", "ignore_missing": true } },
{ "rename": { "field": "message2.mes_seq", "target_field": "bsap.message.sequence", "ignore_missing": true } }, { "rename": { "field": "message2.mes_seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
{ "rename": { "field": "message2.res_seq", "target_field": "bsap.response.sequence", "ignore_missing": true } }, { "rename": { "field": "message2.res_seq", "target_field": "bsap.response.sequence", "ignore_missing": true } },
{ "rename": { "field": "message2.data_len", "target_field": "bsap.data.lenght", "ignore_missing": true } }, { "rename": { "field": "message2.data_len", "target_field": "bsap.data.length", "ignore_missing": true } },
{ "rename": { "field": "message2.sequence", "target_field": "bsap.function.sequence", "ignore_missing": true } }, { "rename": { "field": "message2.sequence", "target_field": "bsap.function.sequence", "ignore_missing": true } },
{ "rename": { "field": "message2.app_func_code", "target_field": "bsap.application.function", "ignore_missing": true } }, { "rename": { "field": "message2.app_func_code", "target_field": "bsap.application.function", "ignore_missing": true } },
{ "rename": { "field": "message2.node_status", "target_field": "bsap.node.status", "ignore_missing": true } }, { "rename": { "field": "message2.node_status", "target_field": "bsap.node.status", "ignore_missing": true } },
@@ -14,7 +14,7 @@
{ "rename": { "field": "message2.variable_count", "target_field": "bsap.variable.count", "ignore_missing": true } }, { "rename": { "field": "message2.variable_count", "target_field": "bsap.variable.count", "ignore_missing": true } },
{ "rename": { "field": "message2.variables", "target_field": "bsap.vector.variables", "ignore_missing": true } }, { "rename": { "field": "message2.variables", "target_field": "bsap.vector.variables", "ignore_missing": true } },
{ "rename": { "field": "message2.variable_value", "target_field": "bsap.vector.variable.value", "ignore_missing": true } }, { "rename": { "field": "message2.variable_value", "target_field": "bsap.vector.variable.value", "ignore_missing": true } },
{ "rename": { "field": "message2.value", "target_field": "bacnet.value", "ignore_missing": true } }, { "rename": { "field": "message2.value", "target_field": "bsap.value", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } } { "pipeline": { "name": "zeek.common" } }
] ]
} }

4
salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext
View File

@@ -6,8 +6,8 @@
{ "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } }, { "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
{ "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } }, { "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
{ "rename": { "field": "message2.nsb", "target_field": "bsap.node.status.byte", "ignore_missing": true } }, { "rename": { "field": "message2.nsb", "target_field": "bsap.node.status.byte", "ignore_missing": true } },
{ "rename": { "field": "message2.extfun", "target_field": "bsap.extenstion.function", "ignore_missing": true } }, { "rename": { "field": "message2.extfun", "target_field": "bsap.extension.function", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "bsap.extenstion.function.data", "ignore_missing": true } }, { "rename": { "field": "message2.data", "target_field": "bsap.extension.function.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } } { "pipeline": { "name": "zeek.common" } }
] ]
} }

2
salt/soc/files/soc/dashboards.queries.json
View File

@@ -43,7 +43,7 @@
{ "name": "SSL", "description": "SSL/TLS network metadata", "query": "event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "SSL", "description": "SSL/TLS network metadata", "query": "event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "STUN", "description": "STUN (Session Traversal Utilities for NAT) network metadata", "query": "event.dataset:stun* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "STUN", "description": "STUN (Session Traversal Utilities for NAT) network metadata", "query": "event.dataset:stun* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Syslog", "description": "Syslog logs", "query": "event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Syslog", "description": "Syslog logs", "query": "event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "TDS", "description": "TDS (Tabular Data Stream) network metadata", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "TDS", "description": "TDS (Tabular Data Stream) network metadata", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query"},
{ "name": "Tunnel", "description": "Tunnels seen by Zeek", "query": "event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Tunnel", "description": "Tunnels seen by Zeek", "query": "event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port "}, { "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port "},
{ "name": "WireGuard", "description": "WireGuard VPN network metadata", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "WireGuard", "description": "WireGuard VPN network metadata", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},

4
salt/soc/files/soc/hunt.eventfields.json
View File

@@ -61,6 +61,10 @@
"::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ], "::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ],
"::bacnet_discovery": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.vendor", "bacnet.pdu.service", "log.id.uid" ], "::bacnet_discovery": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.vendor", "bacnet.pdu.service", "log.id.uid" ],
"::bacnet_property": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.property", "bacnet.pdu.service", "log.id.uid" ], "::bacnet_property": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.property", "bacnet.pdu.service", "log.id.uid" ],
"::bsap_ip_header": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bsap.message.type", "bsap.number.messages", "log.id.uid" ],
"::bsap_ip_rdb": ["soc_timestamp", "bsap.application.function", "bsap.application.sub.function", "bsap.vector.variables", "log.id.uid" ],
"::bsap_serial_header": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bsap.source.function", "bsap.destination.function", "bsap.message.type", "log.id.uid" ],
"::bsap_serial_rdb": ["soc_timestamp", "bsap.rdb.function", "bsap.vector.variables", "log.id.uid" ],
"::cip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.service", "cip.status_code", "log.id.uid", "event.dataset" ], "::cip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.service", "cip.status_code", "log.id.uid", "event.dataset" ],
"::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ], "::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ],
"::cip_io": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.connection.id", "cip.io.data", "log.id.uid" ], "::cip_io": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.connection.id", "cip.io.data", "log.id.uid" ],