CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-08 02:02:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9238 from Security-Onion-Solutions/fix/opcua_encoding_mask_format

Browse Source 
Fix OP CUA Encoding Mask Format and Ensure Connection State Is Populated Before Assessing Its Value
This commit is contained in:
weslambert
2022-11-29 14:16:03 -05:00
committed by GitHub
parent c3c505f8ff f947e501cb
commit 56b0bae089
6 changed files with 21 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
salt/elasticsearch/files/ingest/zeek.conn
View File

@@ -23,19 +23,19 @@
{ "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } },
{ "rename": { "field": "message2.sensorname", "target_field": "observer.name", "ignore_missing": true } },
{ "script": { "lang": "painless", "source": "ctx.network.bytes = (ctx.client.bytes + ctx.server.bytes)", "ignore_failure": true } },
{ "set": { "if": "ctx.connection.state == 'S0'", "field": "connection.state_description", "value": "Connection attempt seen, no reply" } },
{ "set": { "if": "ctx.connection.state == 'S1'", "field": "connection.state_description", "value": "Connection established, not terminated" } },
{ "set": { "if": "ctx.connection.state == 'S2'", "field": "connection.state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } },
{ "set": { "if": "ctx.connection.state == 'S3'", "field": "connection.state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } },
{ "set": { "if": "ctx.connection.state == 'SF'", "field": "connection.state_description", "value": "Normal SYN/FIN completion" } },
{ "set": { "if": "ctx.connection.state == 'REJ'", "field": "connection.state_description", "value": "Connection attempt rejected" } },
{ "set": { "if": "ctx.connection.state == 'RSTO'", "field": "connection.state_description", "value": "Connection established, originator aborted (sent a RST)" } },
{ "set": { "if": "ctx.connection.state == 'RSTR'", "field": "connection.state_description", "value": "Established, responder aborted" } },
{ "set": { "if": "ctx.connection.state == 'RSTOS0'","field": "connection.state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } },
{ "set": { "if": "ctx.connection.state == 'RSTRH'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } },
{ "set": { "if": "ctx.connection.state == 'SH'", "field": "connection.state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
{ "set": { "if": "ctx.connection.state == 'SHR'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
{ "set": { "if": "ctx.connection.state == 'OTH'", "field": "connection.state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
{ "set": { "if": "ctx.connection?.state == 'S0'", "field": "connection.state_description", "value": "Connection attempt seen, no reply" } },
{ "set": { "if": "ctx.connection?.state == 'S1'", "field": "connection.state_description", "value": "Connection established, not terminated" } },
{ "set": { "if": "ctx.connection?.state == 'S2'", "field": "connection.state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } },
{ "set": { "if": "ctx.connection?.state == 'S3'", "field": "connection.state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } },
{ "set": { "if": "ctx.connection?.state == 'SF'", "field": "connection.state_description", "value": "Normal SYN/FIN completion" } },
{ "set": { "if": "ctx.connection?.state == 'REJ'", "field": "connection.state_description", "value": "Connection attempt rejected" } },
{ "set": { "if": "ctx.connection?.state == 'RSTO'", "field": "connection.state_description", "value": "Connection established, originator aborted (sent a RST)" } },
{ "set": { "if": "ctx.connection?.state == 'RSTR'", "field": "connection.state_description", "value": "Established, responder aborted" } },
{ "set": { "if": "ctx.connection?.state == 'RSTOS0'","field": "connection.state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } },
{ "set": { "if": "ctx.connection?.state == 'RSTRH'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } },
{ "set": { "if": "ctx.connection?.state == 'SH'", "field": "connection.state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
{ "set": { "if": "ctx.connection?.state == 'SHR'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
{ "set": { "if": "ctx.connection?.state == 'OTH'", "field": "connection.state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
{ "pipeline": { "name": "zeek.common" } }
]
}

2
salt/elasticsearch/files/ingest/zeek.opcua_binary
View File

@@ -14,6 +14,8 @@
{ "rename": { "field": "message2.request_id", "target_field": "opcua.request_id", "ignore_missing": true } },
{ "rename": { "field": "message2.namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "convert": { "field": "opcua.encoding_mask", "type": "string",
"ignore_missing": true } },
{ "rename": { "field": "message2.identifier", "target_field": "opcua.identifier", "ignore_missing": true } },
{ "rename": { "field": "message2.identifier_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_node_id_type", "target_field": "opcua.request.header.node.id_type", "ignore_missing": true } },

1
salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
View File

@@ -6,6 +6,7 @@
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_type_id_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_type_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "convert": { "field": "opcua.encoding_mask", "type": "string", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_type_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_type_id_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_encoding", "target_field": "opcua.encoding", "ignore_missing": true } },

2
salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
View File

@@ -6,6 +6,8 @@
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "convert": { "field": "opcua.encoding_mask", "type": "string",
"ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } },

1
salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
View File

@@ -8,6 +8,7 @@
{ "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "convert": { "field": "opcua.encoding_mask", "type": "string", "ignore_missing": true } },
{ "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
{ "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
{ "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },

2
salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
View File

@@ -8,6 +8,8 @@
{ "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "convert": { "field": "opcua.encoding_mask", "type": "string",
"ignore_missing": true } },
{ "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
{ "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
{ "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },