From 13a8cbdabbb6722d787273d1e6a73cd1fc5d27fd Mon Sep 17 00:00:00 2001
From: Wes
Date: Tue, 29 Nov 2022 18:59:30 +0000
Subject: [PATCH 1/7] Add convert processor for opcua.encoding_mask
---
 salt/elasticsearch/files/ingest/zeek.opcua_binary | 2 ++
 .../files/ingest/zeek.opcua_binary_activate_session | 1 +
 salt/elasticsearch/files/ingest/zeek.opcua_binary_browse | 2 ++
 .../files/ingest/zeek.opcua_binary_create_session_endpoints | 1 +
 .../files/ingest/zeek.opcua_binary_get_endpoints_description | 2 ++
 5 files changed, 8 insertions(+)
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary b/salt/elasticsearch/files/ingest/zeek.opcua_binary
index 4363804b4..a6106f3a0 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary
@@ -14,6 +14,8 @@
 { "rename": { "field": "message2.request_id", "target_field": "opcua.request_id", "ignore_missing": true } },
 { "rename": { "field": "message2.namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
 { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "convert": { "field": "opcua.encoding_mask", "type": "string",
+ "ignore_missing": true }},
 { "rename": { "field": "message2.identifier", "target_field": "opcua.identifier", "ignore_missing": true } },
 { "rename": { "field": "message2.identifier_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
 { "rename": { "field": "message2.req_hdr_node_id_type", "target_field": "opcua.request.header.node.id_type", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
index c4bfeeed1..907e84b7c 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
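Review bot: The new `convert` processor is written across two lines in this hunk and again in the zeek.opcua_binary_browse and zeek.opcua_binary_get_endpoints_description hunks, while every neighbouring processor in these pipelines, and the same processor in the zeek.opcua_binary_activate_session and zeek.opcua_binary_create_session_endpoints hunks, is one processor per line. Folding it onto one line, `{ "convert": { "field": "opcua.encoding_mask", "type": "string", "ignore_missing": true } },`, keeps this step identical across the five files and keeps a grep for the field name hitting a complete processor. The reason for coercing the mask to a string is not recorded anywhere (presumably a mapping clash between numeric and keyword values, but the commit does not say), and pipeline JSON cannot carry comments; if the Elasticsearch version in use supports it, a `"description"` option on the processor would keep that rationale next to the code.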
@@ -6,6 +6,7 @@
 { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
 { "rename": { "field": "message2.ext_obj_type_id_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
 { "rename": { "field": "message2.ext_obj_type_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "convert": { "field": "opcua.encoding_mask", "type": "string", "ignore_missing": true }},
 { "rename": { "field": "message2.ext_obj_type_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
 { "rename": { "field": "message2.ext_obj_type_id_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
 { "rename": { "field": "message2.ext_obj_encoding", "target_field": "opcua.encoding", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
index 83d388082..2932ed353 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
@@ -6,6 +6,8 @@
 { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "convert": { "field": "opcua.encoding_mask", "type": "string",
+ "ignore_missing": true }},
 { "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
index 79d8ac067..d6a43b918 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
@@ -8,6 +8,7 @@
 { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
 { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
 { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "convert": { "field": "opcua.encoding_mask", "type": "string", "ignore_missing": true }},
 { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
 { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
 { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
index 072d6bd31..742293cba 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
@@ -8,6 +8,8 @@
 { "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_uri", "ignore_missing": true } },
 { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
 { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "convert": { "field": "opcua.encoding_mask", "type": "string",
+ "ignore_missing": true }},
 { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
 { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
 { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
From d44f8e495bde52c6031a517e87f4eb45d3fb0aa3 Mon Sep 17 00:00:00 2001
From: Wes
Date: Tue, 29 Nov 2022 19:00:47 +0000
Subject: [PATCH 2/7] Check if connection.state is populated before trying to assess its value
---
 salt/elasticsearch/files/ingest/zeek.conn | 26 +++++++++++------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.conn b/salt/elasticsearch/files/ingest/zeek.conn
index 4cca15896..14689f782 100644
--- a/salt/elasticsearch/files/ingest/zeek.conn
+++ b/salt/elasticsearch/files/ingest/zeek.conn
@@ -23,19 +23,19 @@
 { "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } },
 { "rename": { "field": "message2.sensorname", "target_field": "observer.name", "ignore_missing": true } },
 { "script": { "lang": "painless", "source": "ctx.network.bytes = (ctx.client.bytes + ctx.server.bytes)", "ignore_failure": true } },
- { "set": { "if": "ctx.connection.state == 'S0'", "field": "connection.state_description", "value": "Connection attempt seen, no reply" } },
- { "set": { "if": "ctx.connection.state == 'S1'", "field": "connection.state_description", "value": "Connection established, not terminated" } },
- { "set": { "if": "ctx.connection.state == 'S2'", "field": "connection.state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } },
- { "set": { "if": "ctx.connection.state == 'S3'", "field": "connection.state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } },
- { "set": { "if": "ctx.connection.state == 'SF'", "field": "connection.state_description", "value": "Normal SYN/FIN completion" } },
- { "set": { "if": "ctx.connection.state == 'REJ'", "field": "connection.state_description", "value": "Connection attempt rejected" } },
- { "set": { "if": "ctx.connection.state == 'RSTO'", "field": "connection.state_description", "value": "Connection established, originator aborted (sent a RST)" } },
- { "set": { "if": "ctx.connection.state == 'RSTR'", "field": "connection.state_description", "value": "Established, responder aborted" } },
- { "set": { "if": "ctx.connection.state == 'RSTOS0'","field": "connection.state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } },
- { "set": { "if": "ctx.connection.state == 'RSTRH'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } },
- { "set": { "if": "ctx.connection.state == 'SH'", "field": "connection.state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
- { "set": { "if": "ctx.connection.state == 'SHR'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
- { "set": { "if": "ctx.connection.state == 'OTH'", "field": "connection.state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
+ { "set": { "if": "ctx.connection?.state == 'S0'", "field": "connection.state_description", "value": "Connection attempt seen, no reply" } },
+ { "set": { "if": "ctx.connection?.state == 'S1'", "field": "connection.state_description", "value": "Connection established, not terminated" } },
+ { "set": { "if": "ctx.connection?.state == 'S2'", "field": "connection.state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } },
+ { "set": { "if": "ctx.connection?.state == 'S3'", "field": "connection.state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } },
+ { "set": { "if": "ctx.connection?.state == 'SF'", "field": "connection.state_description", "value": "Normal SYN/FIN completion" } },
+ { "set": { "if": "ctx.connection?.state == 'REJ'", "field": "connection.state_description", "value": "Connection attempt rejected" } },
+ { "set": { "if": "ctx.connection?.state == 'RSTO'", "field": "connection.state_description", "value": "Connection established, originator aborted (sent a RST)" } },
+ { "set": { "if": "ctx.connection?.state == 'RSTR'", "field": "connection.state_description", "value": "Established, responder aborted" } },
+ { "set": { "if": "ctx.connection?.state == 'RSTOS0'","field": "connection.state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } },
+ { "set": { "if": "ctx.connection?.state == 'RSTRH'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } },
+ { "set": { "if": "ctx.connection?.state == 'SH'", "field": "connection.state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
+ { "set": { "if": "ctx.connection?.state == 'SHR'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
+ { "set": { "if": "ctx.connection?.state == 'OTH'", "field": "connection.state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
From 5255c120c568e64a5508afdb9cf2d82814e60c80 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 29 Nov 2022 14:11:20 -0500
Subject: [PATCH 3/7] Add space per request
---
 salt/elasticsearch/files/ingest/zeek.opcua_binary | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary b/salt/elasticsearch/files/ingest/zeek.opcua_binary
index a6106f3a0..5ce836ca6 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary
@@ -15,7 +15,7 @@
 { "rename": { "field": "message2.namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
 { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
 { "convert": { "field": "opcua.encoding_mask", "type": "string",
- "ignore_missing": true }},
+ "ignore_missing": true } },
 { "rename": { "field": "message2.identifier", "target_field": "opcua.identifier", "ignore_missing": true } },
 { "rename": { "field": "message2.identifier_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
 { "rename": { "field": "message2.req_hdr_node_id_type", "target_field": "opcua.request.header.node.id_type", "ignore_missing": true } },
From 266207cc18b1d649c34ac209e96f298d5be09483 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 29 Nov 2022 14:12:52 -0500
Subject: [PATCH 4/7] Add space per request
---
 .../files/ingest/zeek.opcua_binary_get_endpoints_description | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
index 742293cba..b467196de 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
@@ -9,7 +9,7 @@
 { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
 { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
 { "convert": { "field": "opcua.encoding_mask", "type": "string",
- "ignore_missing": true }},
+ "ignore_missing": true } },
 { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
 { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
 { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
From 80226a27cc2953c12536421be8c9ec354b45fb34 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 29 Nov 2022 14:13:41 -0500
Subject: [PATCH 5/7] Add space per request
---
 salt/elasticsearch/files/ingest/zeek.opcua_binary_browse | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
index 2932ed353..f6e2f3630 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
@@ -7,7 +7,7 @@
 { "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
 { "convert": { "field": "opcua.encoding_mask", "type": "string",
- "ignore_missing": true }},
+ "ignore_missing": true } },
 { "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } },
From ff8bbc399f1de57c4dd339f06dcdc2057acabf68 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 29 Nov 2022 14:14:08 -0500
Subject: [PATCH 6/7] Add space per request
---
 .../files/ingest/zeek.opcua_binary_activate_session | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
index 907e84b7c..81f8e9392 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
@@ -6,7 +6,7 @@
 { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
 { "rename": { "field": "message2.ext_obj_type_id_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
 { "rename": { "field": "message2.ext_obj_type_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
- { "convert": { "field": "opcua.encoding_mask", "type": "string", "ignore_missing": true }},
+ { "convert": { "field": "opcua.encoding_mask", "type": "string", "ignore_missing": true } },
 { "rename": { "field": "message2.ext_obj_type_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
 { "rename": { "field": "message2.ext_obj_type_id_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
 { "rename": { "field": "message2.ext_obj_encoding", "target_field": "opcua.encoding", "ignore_missing": true } },
From f947e501cba90d71a26687ed0ed148271557e2b7 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 29 Nov 2022 14:14:37 -0500
Subject: [PATCH 7/7] Add space per request
---
 .../files/ingest/zeek.opcua_binary_create_session_endpoints | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
index d6a43b918..0511211d5 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
@@ -8,7 +8,7 @@
 { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
 { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
 { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
- { "convert": { "field": "opcua.encoding_mask", "type": "string", "ignore_missing": true }},
+ { "convert": { "field": "opcua.encoding_mask", "type": "string", "ignore_missing": true } },
 { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
 { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
 { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },