CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'remotes/origin/dev' into idhskins

Browse Source
This commit is contained in:
Josh Brower
2022-11-22 18:04:38 -05:00
parent 7c8ce7899b 08d5f494ab
commit 5950771003
112 changed files with 1424 additions and 322 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@@ -1,6 +1,6 @@
## Security Onion 2.3.180
## Security Onion 2.3
Security Onion 2.3.180 is here!
Security Onion 2.3 is here!
## Screenshots

22
VERIFY_ISO.md
View File

@@ -1,18 +1,18 @@
### 2.3.181-20221021 ISO image built on 2022/10/21
### 2.3.182-20221109 ISO image built on 2022/11/09
### Download and Verify
2.3.181-20221021 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.3.181-20221021.iso
2.3.182-20221109 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.3.182-20221109.iso
MD5: 9389B35233DCA42AC5061053D772E922
SHA1: 83A162756136198CF1FABE7D94BA1D99650379B2
SHA256: FED4D7B27C16889F9588FE9568B0B10E0DAD551C34619DFED7801F18B1739040
MD5: E472D5A7C64662435F84FD56491D8967
SHA1: D2069317553AF0A1FB4FB6FE15583FF4E8CB2973
SHA256: A074EB38B88C0A00BDFD7FB75B4ECB7C46CB0B4CC993CAB81EFDC708B0075D2C
Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.181-20221021.iso.sig
https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.182-20221109.iso.sig
Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
Download the signature file for the ISO:
```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.181-20221021.iso.sig
wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.182-20221109.iso.sig
```
Download the ISO image:
```
wget https://download.securityonion.net/file/securityonion/securityonion-2.3.181-20221021.iso
wget https://download.securityonion.net/file/securityonion/securityonion-2.3.182-20221109.iso
```
Verify the downloaded ISO image using the signature file:
```
gpg --verify securityonion-2.3.181-20221021.iso.sig securityonion-2.3.181-20221021.iso
gpg --verify securityonion-2.3.182-20221109.iso.sig securityonion-2.3.182-20221109.iso
```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
```
gpg: Signature made Fri 21 Oct 2022 02:11:18 PM EDT using RSA key ID FE507013
gpg: Signature made Wed 09 Nov 2022 07:30:32 AM EST using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

2
VERSION
View File

@@ -1 +1 @@
2.3.182
2.3.190

14
pillar/zeek/init.sls
View File

@@ -48,6 +48,20 @@ zeek:
- securityonion/bpfconf
- securityonion/communityid
- securityonion/file-extraction
- bzar
- oui-logging
- icsnpp-modbus
- icsnpp-dnp3
- icsnpp-bacnet
- icsnpp-ethercat
- icsnpp-enip
- icsnpp-opcua-binary
- icsnpp-bsap
- icsnpp-s7comm
- zeek-plugin-tds
- zeek-plugin-profinet
- zeek-spicy-wireguard
- zeek-spicy-stun
'@load-sigs':
- frameworks/signatures/detect-windows-shells
redef:

15
salt/common/files/sensor-rotate.conf
View File

@@ -19,4 +19,17 @@
extension .log
dateext
dateyesterday
}
}
/opt/so/log/strelka/filecheck.log
{
daily
rotate 14
missingok
copytruncate
compress
create
extension .log
dateext
dateyesterday
}

12
salt/common/init.sls
View File

@@ -38,15 +38,15 @@ socore:
soconfperms:
file.directory:
- name: /opt/so/conf
- uid: 939
- gid: 939
- user: 939
- group: 939
- dir_mode: 770
sostatusconf:
file.directory:
- name: /opt/so/conf/so-status
- uid: 939
- gid: 939
- user: 939
- group: 939
- dir_mode: 770
so-status.conf:
@@ -57,8 +57,8 @@ so-status.conf:
sosaltstackperms:
file.directory:
- name: /opt/so/saltstack
- uid: 939
- gid: 939
- user: 939
- group: 939
- dir_mode: 770
so_log_perms:

2
salt/common/tools/sbin/so-pcap-export
View File

@@ -20,7 +20,7 @@ if [ $# -lt 2 ]; then
exit 1
fi
docker exec -it so-sensoroni scripts/stenoquery.sh "$1" -w /nsm/pcapout/$2.pcap
docker exec -t so-sensoroni scripts/stenoquery.sh "$1" -w /nsm/pcapout/$2.pcap
echo ""
echo "If successful, the output was written to: /nsm/pcapout/$2.pcap"

131
salt/common/tools/sbin/so-zeek-logs
View File

@@ -10,39 +10,104 @@ zeek_logs_enabled() {
}
whiptail_manager_adv_service_zeeklogs() {
BLOGS=$(whiptail --title "so-zeek-logs" --checklist "Please Select Logs to Send:" 24 78 12 \
"conn" "Connection Logging" ON \
"dce_rpc" "RPC Logs" ON \
"dhcp" "DHCP Logs" ON \
"dnp3" "DNP3 Logs" ON \
"dns" "DNS Logs" ON \
"dpd" "DPD Logs" ON \
"files" "Files Logs" ON \
"ftp" "FTP Logs" ON \
"http" "HTTP Logs" ON \
"intel" "Intel Hits Logs" ON \
"irc" "IRC Chat Logs" ON \
"kerberos" "Kerberos Logs" ON \
"modbus" "MODBUS Logs" ON \
"notice" "Zeek Notice Logs" ON \
"ntlm" "NTLM Logs" ON \
"pe" "PE Logs" ON \
"radius" "Radius Logs" ON \
"rfb" "RFB Logs" ON \
"rdp" "RDP Logs" ON \
"sip" "SIP Logs" ON \
"smb_files" "SMB Files Logs" ON \
"smb_mapping" "SMB Mapping Logs" ON \
"smtp" "SMTP Logs" ON \
"snmp" "SNMP Logs" ON \
"ssh" "SSH Logs" ON \
"ssl" "SSL Logs" ON \
"syslog" "Syslog Logs" ON \
"tunnel" "Tunnel Logs" ON \
"weird" "Zeek Weird Logs" ON \
"mysql" "MySQL Logs" ON \
"socks" "SOCKS Logs" ON \
"x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
BLOGS=$(whiptail --title "so-zeek-logs" --checklist "Please select logs to send:" 24 78 12 \
"conn" "" ON \
"dce_rpc" "" ON \
"dhcp" "" ON \
"dnp3" "" ON \
"dns" "" ON \
"dpd" "" ON \
"files" "" ON \
"ftp" "" ON \
"http" "" ON \
"intel" "" ON \
"irc" "" ON \
"kerberos" "" ON \
"modbus" "" ON \
"notice" "" ON \
"ntlm" "" ON \
"pe" "" ON \
"radius" "" ON \
"rfb" "" ON \
"rdp" "" ON \
"sip" "" ON \
"smb_files" "" ON \
"smb_mapping" "" ON \
"smtp" "" ON \
"snmp" "" ON \
"ssh" "" ON \
"ssl" "" ON \
"syslog" "" ON \
"tunnel" "" ON \
"weird" "" ON \
"mysql" "" ON \
"socks" "" ON \
"x509" "" ON \
"modbus_detailed" "" ON \
"modbus_mask_write_register" "" ON \
"modbus_read_write_multiple_registers" "" ON \
"dnp3_objects" "" ON \
"bacnet" "" ON \
"bacnet_discovery" "" ON \
"bacnet_property" "" ON \
"bsap_ip_header" "" ON \
"bsap_ip_rdb" "" ON \
"bsap_ip_unknown" "" ON \
"bsap_serial_header" "" ON \
"bsap_serial_rdb" "" ON \
"bsap_serial_rdb_ext" "" ON \
"bsap_serial_unknown" "" ON \
"ecat_registers" "" ON \
"ecat_log_address" "" ON \
"ecat_dev_info" "" ON \
"ecat_aoe_info" "" ON \
"ecat_coe_info" "" ON \
"ecat_foe_info" "" ON \
"ecat_soe_info" "" ON \
"ecat_arp_info" "" ON \
"enip" "" ON \
"cip" "" ON \
"cip_io" "" ON \
"cip_identity" "" ON \
"opcua_binary" "" ON \
"opcua_binary_status_code_detail" "" ON \
"opcua_binary_diag_info_detail" "" ON \
"opcua_binary_get_endpoints" "" ON \
"opcua_binary_get_endpoints_discovery" "" ON \
"opcua_binary_get_endpoints_user_token" "" ON \
"opcua_binary_get_endpoints_description" "" ON \
"opcua_binary_get_endpoints_locale_id" "" ON \
"opcua_binary_get_endpoints_profile_uri" "" ON \
"opcua_binary_create_session" "" ON \
"opcua_binary_create_session_user_token" "" ON \
"opcua_binary_create_session_endpoints" "" ON \
"opcua_binary_create_session_discovery" "" ON \
"opcua_binary_activate_session" "" ON \
"opcua_binary_activate_session_client_software_cert" "" ON \
"opcua_binary_activate_session_locale_id" "" ON \
"opcua_binary_activate_session_diagnostic_info" "" ON \
"opcua_binary_browse" "" ON \
"opcua_binary_browse_description" "" ON \
"opcua_binary_browse_request_continuation_point" "" ON \
"opcua_binary_browse_result" "" ON \
"opcua_binary_browse_response_references" "" ON \
"opcua_binary_browse_diagnostic_info" "" ON \
"opcua_binary_create_subscription" "" ON \
"opcua_binary_read" "" ON \
"cotp" "" ON \
"s7comm" "" ON \
"s7comm_read_szl" "" ON \
"s7comm_upload_download" "" ON \
"s7comm_plus" "" ON \
"tds" "" ON \
"tds_rpc" "" ON \
"tds_sql_batch" "" ON \
"profinet" "" ON \
"profinet_dce_rpc" "" ON \
"profinet_debug" "" ON \
"stun" "" ON \
"stun_nat" "" ON \
"wireguard" "" ON 3>&1 1>&2 2>&3 )
local exitstatus=$?

14
salt/common/tools/sbin/soup
View File

@@ -550,6 +550,7 @@ preupgrade_changes() {
[[ "$INSTALLEDVERSION" == 2.3.170 ]] && up_to_2.3.180
[[ "$INSTALLEDVERSION" == 2.3.180 ]] && up_to_2.3.181
[[ "$INSTALLEDVERSION" == 2.3.181 ]] && up_to_2.3.182
[[ "$INSTALLEDVERSION" == 2.3.182 ]] && up_to_2.3.190
true
}
@@ -572,6 +573,7 @@ postupgrade_changes() {
[[ "$POSTVERSION" == 2.3.170 ]] && post_to_2.3.180
[[ "$POSTVERSION" == 2.3.180 ]] && post_to_2.3.181
[[ "$POSTVERSION" == 2.3.181 ]] && post_to_2.3.182
[[ "$POSTVERSION" == 2.3.182 ]] && post_to_2.3.190
true
}
@@ -685,6 +687,11 @@ post_to_2.3.182() {
POSTVERSION=2.3.182
}
post_to_2.3.190() {
echo "Nothing to do for .190"
POSTVERSION=2.3.190
}
stop_salt_master() {
# kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
set +e
@@ -989,6 +996,13 @@ up_to_2.3.182() {
INSTALLEDVERSION=2.3.182
}
up_to_2.3.190() {
echo "Upgrading to 2.3.190"
chown -R zeek:socore /nsm/zeek/extracted/complete
chmod 770 /nsm/zeek/extracted/complete
INSTALLEDVERSION=2.3.190
}
verify_upgradespace() {
CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
if [ "$CURRENTSPACE" -lt "10" ]; then

14
salt/elasticsearch/files/ingest/zeek.bacnet Normal file
View File

@@ -0,0 +1,14 @@
{
"description" : "zeek.bacnet",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
{ "rename": { "field": "message2.bvlc_function", "target_field": "bacnet.bclv.function", "ignore_missing": true } },
{ "rename": { "field": "message2.pdu_type", "target_field": "bacnet.pdu.type", "ignore_missing": true } },
{ "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
{ "rename": { "field": "message2.invoke_id", "target_field": "bacnet.invoke.id", "ignore_missing": true } },
{ "rename": { "field": "message2.result_code", "target_field": "bacnet.result.code", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

16
salt/elasticsearch/files/ingest/zeek.bacnet_discovery Normal file
View File

@@ -0,0 +1,16 @@
{
"description" : "zeek.bacnet_discovery",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
{ "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
{ "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
{ "rename": { "field": "message2.object_type", "target_field": "bacnet.object.type", "ignore_missing": true } },
{ "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
{ "rename": { "field": "message2.vendor", "target_field": "bacnet.vendor", "ignore_missing": true } },
{ "rename": { "field": "message2.range", "target_field": "bacnet.range", "ignore_missing": true } },
{ "rename": { "field": "message2.object_name", "target_field": "bacnet.object.name", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

16
salt/elasticsearch/files/ingest/zeek.bacnet_property Normal file
View File

@@ -0,0 +1,16 @@
{
"description" : "zeek.bacnet_property",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
{ "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
{ "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
{ "rename": { "field": "message2.object_type", "target_field": "bacnet.object.type", "ignore_missing": true } },
{ "rename": { "field": "message2.property", "target_field": "bacnet.property", "ignore_missing": true } },
{ "rename": { "field": "message2.array_index", "target_field": "bacnet.array.index", "ignore_missing": true } },
{ "rename": { "field": "message2.value", "target_field": "bacnet.value", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.bsap_ip_header Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.bsap_ip_header",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.num_msg", "target_field": "bsap.number.messages", "ignore_missing": true } },
{ "rename": { "field": "message2.type_name", "target_field": "bsap.message.type", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

20
salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb Normal file
View File

@@ -0,0 +1,20 @@
{
"description" : "zeek.bsap_ip_rdb",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.header_size", "target_field": "bsap.header.legnth", "ignore_missing": true } },
{ "rename": { "field": "message2.mes_seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
{ "rename": { "field": "message2.res_seq", "target_field": "bsap.response.sequence", "ignore_missing": true } },
{ "rename": { "field": "message2.data_len", "target_field": "bsap.data.lenght", "ignore_missing": true } },
{ "rename": { "field": "message2.sequence", "target_field": "bsap.function.sequence", "ignore_missing": true } },
{ "rename": { "field": "message2.app_func_code", "target_field": "bsap.application.function", "ignore_missing": true } },
{ "rename": { "field": "message2.node_status", "target_field": "bsap.node.status", "ignore_missing": true } },
{ "rename": { "field": "message2.func_code", "target_field": "bsap.application.sub.function", "ignore_missing": true } },
{ "rename": { "field": "message2.variable_count", "target_field": "bsap.variable.count", "ignore_missing": true } },
{ "rename": { "field": "message2.variables", "target_field": "bsap.vector.variables", "ignore_missing": true } },
{ "rename": { "field": "message2.variable_value", "target_field": "bsap.vector.variable.value", "ignore_missing": true } },
{ "rename": { "field": "message2.value", "target_field": "bacnet.value", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

9
salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown Normal file
View File

@@ -0,0 +1,9 @@
{
"description" : "zeek.bsap_ip_unknown",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.data", "target_field": "bsap.ip.unknown.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

17
salt/elasticsearch/files/ingest/zeek.bsap_serial_header Normal file
View File

@@ -0,0 +1,17 @@
{
"description" : "zeek.bsap_serial_header",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.ser", "target_field": "bsap.message.serial.number", "ignore_missing": true } },
{ "rename": { "field": "message2.dadd", "target_field": "bsap.destination.address", "ignore_missing": true } },
{ "rename": { "field": "message2.sadd", "target_field": "bsap.source.address", "ignore_missing": true } },
{ "rename": { "field": "message2.ctl", "target_field": "bsap.control.byte", "ignore_missing": true } },
{ "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
{ "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
{ "rename": { "field": "message2.sfun", "target_field": "bsap.source.function", "ignore_missing": true } },
{ "rename": { "field": "message2.nsb", "target_field": "bsap.node.status.byte", "ignore_missing": true } },
{ "rename": { "field": "message2.type_name", "target_field": "bsap.message.type", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

11
salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb Normal file
View File

@@ -0,0 +1,11 @@
{
"description" : "zeek.bsap_serial_rdb",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.func_code", "target_field": "bsap.rdb.function", "ignore_missing": true } },
{ "rename": { "field": "message2.variables", "target_field": "bsap.vector.variables", "ignore_missing": true } },
{ "rename": { "field": "message2.variable_value", "target_field": "bsap.vector.value", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

13
salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext Normal file
View File

@@ -0,0 +1,13 @@
{
"description" : "zeek.bsap_serial_rdb_ext",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
{ "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
{ "rename": { "field": "message2.nsb", "target_field": "bsap.node.status.byte", "ignore_missing": true } },
{ "rename": { "field": "message2.extfun", "target_field": "bsap.extenstion.function", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "bsap.extenstion.function.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

9
salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown Normal file
View File

@@ -0,0 +1,9 @@
{
"description" : "zeek.bsap_serial_unknown",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.data", "target_field": "bsap.serial.unknown.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

19
salt/elasticsearch/files/ingest/zeek.cip Normal file
View File

@@ -0,0 +1,19 @@
{
"description" : "zeek.cip",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "cip.is.origin", "ignore_missing": true } },
{ "rename": { "field": "message2.cip_sequence_count", "target_field": "cip.sequence_count", "ignore_missing": true } },
{ "rename": { "field": "message2.direction", "target_field": "cip.direction", "ignore_missing": true } },
{ "rename": { "field": "message2.cip_service_code", "target_field": "cip.service_code", "ignore_missing": true } },
{ "rename": { "field": "message2.cip_service", "target_field": "cip.service", "ignore_missing": true } },
{ "convert": { "field": "cip.service", "type": "string", "ignore_missing": true } },
{ "rename": { "field": "message2.cip_status", "target_field": "cip.status_code", "ignore_missing": true } },
{ "rename": { "field": "message2.class_id", "target_field": "cip.request.path.class.id", "ignore_missing": true } },
{ "rename": { "field": "message2.class_name", "target_field": "cip.request.path.class.name", "ignore_missing": true } },
{ "rename": { "field": "message2.instance_id", "target_field": "cip.request.path.instance.id", "ignore_missing": true } },
{ "rename": { "field": "message2.attribute_id", "target_field": "cip.request.path.attribute.id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

21
salt/elasticsearch/files/ingest/zeek.cip_identity Normal file
View File

@@ -0,0 +1,21 @@
{
"description" : "zeek.cip_identity",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.encapsulation_version", "target_field": "cip.encapsulation.version", "ignore_missing": true } },
{ "rename": { "field": "message2.socket_address", "target_field": "cip.socket.address", "ignore_missing": true } },
{ "rename": { "field": "message2.socket_port", "target_field": "cip.socket.port", "ignore_missing": true } },
{ "rename": { "field": "message2.vendor_id", "target_field": "cip.vendor.id", "ignore_missing": true } },
{ "rename": { "field": "message2.vendor_name", "target_field": "cip.vendor.name", "ignore_missing": true } },
{ "rename": { "field": "message2.device_type_id", "target_field": "cip.device.type.id", "ignore_missing": true } },
{ "rename": { "field": "message2.device_type_name", "target_field": "cip.device.type.name", "ignore_missing": true } },
{ "rename": { "field": "message2.product_code", "target_field": "cip.device.product.code", "ignore_missing": true } },
{ "rename": { "field": "message2.revision", "target_field": "cip.device.revision", "ignore_missing": true } },
{ "rename": { "field": "message2.device_status", "target_field": "cip.device.status", "ignore_missing": true } },
{ "rename": { "field": "message2.serial_number", "target_field": "cip.device.serial.number", "ignore_missing": true } },
{ "rename": { "field": "message2.product_name", "target_field": "cip.device.product.name", "ignore_missing": true } },
{ "rename": { "field": "message2.device_state", "target_field": "cip.device.state", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

13
salt/elasticsearch/files/ingest/zeek.cip_io Normal file
View File

@@ -0,0 +1,13 @@
{
"description" : "zeek.cip_io",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "cip.is.origin", "ignore_missing": true } },
{ "rename": { "field": "message2.connection_id", "target_field": "cip.connection.id", "ignore_missing": true } },
{ "rename": { "field": "message2.sequence_number", "target_field": "cip.sequence.count", "ignore_missing": true } },
{ "rename": { "field": "message2.data_length", "target_field": "cip.data.length", "ignore_missing": true } },
{ "rename": { "field": "message2.io_data", "target_field": "cip.io.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

1
salt/elasticsearch/files/ingest/zeek.conn
View File

@@ -17,6 +17,7 @@
{ "rename": { "field": "message2.orig_ip_bytes", "target_field": "client.ip_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_pkts", "target_field": "server.packets", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_ip_bytes", "target_field": "server.ip_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_mac_oui", "target_field": "client.oui", "ignore_missing": true } },
{ "rename": { "field": "message2.tunnel_parents", "target_field": "log.id.tunnel_parents", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_cc", "target_field": "client.country_code","ignore_missing": true } },
{ "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } },

10
salt/elasticsearch/files/ingest/zeek.cotp Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.cotp",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.pdu_code", "target_field": "cotp.pdu.code", "ignore_missing": true } },
{ "rename": { "field": "message2.pdu_name", "target_field": "cotp.pdu.name", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

13
salt/elasticsearch/files/ingest/zeek.dnp3_objects Normal file
View File

@@ -0,0 +1,13 @@
{
"description" : "zeek.dnp3_objects",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.function_code", "target_field": "dnp3.function_code", "ignore_missing": true } },
{ "rename": { "field": "message2.object_type", "target_field": "dnp3.object_type", "ignore_missing": true } },
{ "rename": { "field": "message2.object_count", "target_field": "dnp3.object_count", "ignore_missing": true } },
{ "rename": { "field": "message2.range_low", "target_field": "dnp3.range_low", "ignore_missing": true } },
{ "rename": { "field": "message2.range_high", "target_field": "dnp3.range_high", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

17
salt/elasticsearch/files/ingest/zeek.ecat_aoe_info Normal file
View File

@@ -0,0 +1,17 @@
{
"description" : "zeek.ecat_aoe_info",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.targetid", "target_field": "destination.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.targetport", "target_field": "destination.port", "ignore_missing": true } },
{ "convert": { "field": "destination.port", "type": "integer", "ignore_missing": true } },
{ "rename": { "field": "message2.senderid", "target_field": "source.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.senderport", "target_field": "source.port", "ignore_missing": true } },
{ "convert": { "field": "source.port", "type": "integer", "ignore_missing": true } },
{ "rename": { "field": "message2.cmd", "target_field": "ecat.command", "ignore_missing": true } },
{ "rename": { "field": "message2.stateflags", "target_field": "ecat.state.flags", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

15
salt/elasticsearch/files/ingest/zeek.ecat_arp_info Normal file
View File

@@ -0,0 +1,15 @@
{
"description" : "zeek.ecat_arp_info",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.arp_type", "target_field": "ecat.arp.type", "ignore_missing": true } },
{ "rename": { "field": "message2.mac_src", "target_field": "source.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.mac_dst", "target_field": "destination.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.SPA", "target_field": "source.ip", "ignore_missing": true } },
{ "rename": { "field": "message2.SHA", "target_field": "ecat.sender.hardware.address", "ignore_missing": true } },
{ "rename": { "field": "message2.TPA", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "message2.THA", "target_field": "ecat.target.hardware.address", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

14
salt/elasticsearch/files/ingest/zeek.ecat_coe_info Normal file
View File

@@ -0,0 +1,14 @@
{
"description" : "zeek.ecat_coe_info",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.number", "target_field": "ecat.message.number", "ignore_missing": true } },
{ "rename": { "field": "message2.Type", "target_field": "ecat.message.type", "ignore_missing": true } },
{ "rename": { "field": "message2.req_resp", "target_field": "ecat.request.response.type", "ignore_missing": true } },
{ "rename": { "field": "message2.index", "target_field": "ecat.index", "ignore_missing": true } },
{ "rename": { "field": "message2.subindex", "target_field": "ecat.sub.index", "ignore_missing": true } },
{ "rename": { "field": "message2.dataoffset", "target_field": "ecat.data_offset", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

18
salt/elasticsearch/files/ingest/zeek.ecat_dev_info Normal file
View File

@@ -0,0 +1,18 @@
{
"description" : "zeek.ecat_dev_info",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.slave_id", "target_field": "ecat.slave.address", "ignore_missing": true } },
{ "rename": { "field": "message2.revision", "target_field": "ecat.revision", "ignore_missing": true } },
{ "rename": { "field": "message2.dev_type", "target_field": "ecat.device.type", "ignore_missing": true } },
{ "rename": { "field": "message2.build", "target_field": "ecat.build.version", "ignore_missing": true } },
{ "rename": { "field": "message2.fmmucnt", "target_field": "ecat.fieldbus.mem.mgmt.unit", "ignore_missing": true } },
{ "rename": { "field": "message2.smcount", "target_field": "ecat.sync.manager.count", "ignore_missing": true } },
{ "rename": { "field": "message2.ports", "target_field": "ecat.port", "ignore_missing": true } },
{ "convert": { "field": "ecat.port", "type": "integer", "ignore_missing": true } },
{ "rename": { "field": "message2.dpram", "target_field": "ecat.ram.size", "ignore_missing": true } },
{ "rename": { "field": "message2.features", "target_field": "ecat.features", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

14
salt/elasticsearch/files/ingest/zeek.ecat_foe_info Normal file
View File

@@ -0,0 +1,14 @@
{
"description" : "zeek.ecat_foe_info",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } },
{ "rename": { "field": "message2.reserved", "target_field": "ecat.reserved", "ignore_missing": true } },
{ "rename": { "field": "message2.packet_num", "target_field": "ecat.packet.number", "ignore_missing": true } },
{ "rename": { "field": "message2.error_code", "target_field": "ecat.error.code", "ignore_missing": true } },
{ "rename": { "field": "message2.filename", "target_field": "ecat.filename", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

14
salt/elasticsearch/files/ingest/zeek.ecat_log_address Normal file
View File

@@ -0,0 +1,14 @@
{
"description" : "zeek.ecat_log_address",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.srcmac", "target_field": "source.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.dstmac", "target_field": "destination.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.Log_Addr", "target_field": "ecat.log.address", "ignore_missing": true } },
{ "rename": { "field": "message2.Length", "target_field": "ecat.length", "ignore_missing": true } },
{ "rename": { "field": "message2.Command", "target_field": "ecat.command", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

15
salt/elasticsearch/files/ingest/zeek.ecat_registers Normal file
View File

@@ -0,0 +1,15 @@
{
"description" : "zeek.ecat_registers",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.srcmac", "target_field": "source.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.dstmac", "target_field": "destination.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.Command", "target_field": "ecat.command", "ignore_missing": true } },
{ "rename": { "field": "message2.Slave_Addr", "target_field": "ecat.slave.address", "ignore_missing": true } },
{ "rename": { "field": "message2.Register_Type", "target_field": "ecat.register.type", "ignore_missing": true } },
{ "rename": { "field": "message2.Register_Addr", "target_field": "ecat.register.address", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

14
salt/elasticsearch/files/ingest/zeek.ecat_soe_info Normal file
View File

@@ -0,0 +1,14 @@
{
"description" : "zeek.ecat_soe_info",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } },
{ "rename": { "field": "message2.incomplete", "target_field": "ecat.function.check", "ignore_missing": true } },
{ "rename": { "field": "message2.error", "target_field": "ecat.error", "ignore_missing": true } },
{ "rename": { "field": "message2.drive_num", "target_field": "ecat.drive.number", "ignore_missing": true } },
{ "rename": { "field": "message2.element_flags", "target_field": "ecat.element.flags", "ignore_missing": true } },
{ "rename": { "field": "message2.index", "target_field": "ecat.index", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

16
salt/elasticsearch/files/ingest/zeek.enip Normal file
View File

@@ -0,0 +1,16 @@
{
"description" : "zeek.enip",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "enip.is.origin", "ignore_missing": true } },
{ "rename": { "field": "message2.enip_command_code", "target_field": "enip.command_code", "ignore_missing": true } },
{ "rename": { "field": "message2.enip_command", "target_field": "enip.command", "ignore_missing": true } },
{ "rename": { "field": "message2.length", "target_field": "enip.length", "ignore_missing": true } },
{ "rename": { "field": "message2.session_handle", "target_field": "enip.session.handle", "ignore_missing": true } },
{ "rename": { "field": "message2.enip_status", "target_field": "enip.status_code", "ignore_missing": true } },
{ "rename": { "field": "message2.sender_context", "target_field": "enip.sender.context", "ignore_missing": true } },
{ "rename": { "field": "message2.options", "target_field": "enip.options", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

14
salt/elasticsearch/files/ingest/zeek.modbus_detailed Normal file
View File

@@ -0,0 +1,14 @@
{
"description" : "zeek.modbus_detailed",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
{ "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
{ "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
{ "rename": { "field": "message2.address", "target_field": "modbus.address", "ignore_missing": true } },
{ "rename": { "field": "message2.quality", "target_field": "modbus.quality", "ignore_missing": true } },
{ "rename": { "field": "message2.values", "target_field": "modbus.values", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

14
salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register Normal file
View File

@@ -0,0 +1,14 @@
{
"description" : "zeek.modbus_mask_write_register",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
{ "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
{ "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
{ "rename": { "field": "message2.address", "target_field": "modbus.address", "ignore_missing": true } },
{ "rename": { "field": "message2.and_mask", "target_field": "modbus.and.mask", "ignore_missing": true } },
{ "rename": { "field": "message2.or_mask", "target_field": "modbus.or.maks", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

16
salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers Normal file
View File

@@ -0,0 +1,16 @@
{
"description" : "zeek.read_write_multiple_registers",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
{ "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
{ "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
{ "rename": { "field": "message2.write_start_address", "target_field": "modbus.write.start.address", "ignore_missing": true } },
{ "rename": { "field": "message2.write_registers", "target_field": "modbus.write.registers", "ignore_missing": true } },
{ "rename": { "field": "message2.read_start_address", "target_field": "modbus.write.start.address", "ignore_missing": true } },
{ "rename": { "field": "message2.read.quality", "target_field": "modbus.read.quality", "ignore_missing": true } },
{ "rename": { "field": "message2.read_registers", "target_field": "modbus.read.registers", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

30
salt/elasticsearch/files/ingest/zeek.opcua Normal file
View File

@@ -0,0 +1,30 @@
{
"description" : "zeek.opcua",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.msg_type", "target_field": "opcua.message_type", "ignore_missing": true } },
{ "rename": { "field": "message2.is_final", "target_field": "opcua.final", "ignore_missing": true } },
{ "rename": { "field": "message2.msg_size", "target_field": "opcua.message_size", "ignore_missing": true } },
{ "rename": { "field": "message2.snd_buf_size", "target_field": "opcua.sender.buffer_size", "ignore_missing": true } },
{ "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
{ "rename": { "field": "message2.sec_channel_id", "target_field": "opcua.secure_channel.id", "ignore_missing": true } },
{ "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.request_id", "target_field": "opcua.request_id", "ignore_missing": true } },
{ "rename": { "field": "message2.namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.identifier", "target_field": "opcua.identifier", "ignore_missing": true } },
{ "rename": { "field": "message2.identifier_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_node_id_type", "target_field": "opcua.request.header.node.id_type", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_node_id_numeric", "target_field": "opcua.request.header.node.id_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_timestamp", "target_field": "opcua.request.header.timestamp", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_request_handle", "target_field": "opcua.request.handle", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_return_diag", "target_field": "opcua.request.header.return_diag", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_audit_entry_id", "target_field": "opcua.request.header.audit_entry_id", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_timeout_hint", "target_field": "opcua.request.header.timeout_hint", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_add_hdr_type_id", "target_field": "opcua.request.header.type_id", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_add_hdr_enc_mask", "target_field": "opcua.request.header.enc_mask", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

18
salt/elasticsearch/files/ingest/zeek.opcua_activate_session Normal file
View File

@@ -0,0 +1,18 @@
{
"description" : "zeek.opcua.activate_session",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_type_id_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_type_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_type_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_type_id_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_encoding", "target_field": "opcua.encoding", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_policy_id", "target_field": "opcua.policy_id", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_user_name", "target_field": "opcua.user_name", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_password", "target_field": "opcua.password", "ignore_missing": true } },
{ "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

11
salt/elasticsearch/files/ingest/zeek.opcua_activate_session_client_software_cert Normal file
View File

@@ -0,0 +1,11 @@
{
"description" : "zeek.opcua.activate_session_client_software_cert",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.client_software_cert_link_id", "target_field": "opcua.client_software_cert.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.cert_data", "target_field": "opcua.certificate.data", "ignore_missing": true } },
{ "rename": { "field": "message2.cert_signature", "target_field": "opcua.certificate.signature", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.opcua_activate_session_diagnostic_info Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.opcua.activate_session_diagnostic_info",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.activate_session_diag_info_link_id", "target_field": "opcua.activate_session_diag_info.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info.link_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.opcua_activate_session_locale_id Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.opcua.activate_session_locale_id",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.local_id", "target_field": "opcua.local_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

16
salt/elasticsearch/files/ingest/zeek.opcua_browse Normal file
View File

@@ -0,0 +1,16 @@
{
"description" : "zeek.opcua.browse",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.description.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

16
salt/elasticsearch/files/ingest/zeek.opcua_browse_description Normal file
View File

@@ -0,0 +1,16 @@
{
"description" : "zeek.opcua.browse_description",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "browse_description_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "browse_description_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
{ "rename": { "field": "browse_direction", "target_field": "opcua.direction", "ignore_missing": true } },
{ "rename": { "field": "browse_description_ref_encoding_mask", "target_field": "opcua.description.ref_encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "browse_description_ref_numeric", "target_field": "opcua.description.ref_numeric", "ignore_missing": true } },
{ "rename": { "field": "browse_description_include_subtypes", "target_field": "opcua.description.include_subtypes", "ignore_missing": true } },
{ "rename": { "field": "browse_node_class_mask", "target_field": "opcua.node.class_mask", "ignore_missing": true } },
{ "rename": { "field": "browse_result_mask", "target_field": "opcua.result.mask", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

22
salt/elasticsearch/files/ingest/zeek.opcua_browse_response_references Normal file
View File

@@ -0,0 +1,22 @@
{
"description" : "zeek.opcua_browse_response_references",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.browse_reference_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_ref_encoding_mask", "target_field": "opcua.reference_encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_ref_numeric", "target_field": "opcua.reference_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_is_forward", "target_field": "opcua.is_forward", "ignore_missing": true } },
{ "rename": { "field": "message2.response_ref_type_encoding_mask", "target_field": "opcua.reference_type_encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_ref_type_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_ref_type_numeric", "target_field": "opcua.reference_type_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_ref_name", "target_field": "opcua.reference_name", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_display_name_mask", "target_field": "opcua.display_name_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_display_name_locale", "target_field": "opcua.display_name_local", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_display_name_text", "target_field": "opcua.display_name_text", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_node_class", "target_field": "opcua.node_class", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_type_def_encoding_mask", "target_field": "opcua.type_def_encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_type_def_numeric", "target_field": "opcua.type_def_numeric", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

11
salt/elasticsearch/files/ingest/zeek.opcua_browse_result Normal file
View File

@@ -0,0 +1,11 @@
{
"description" : "zeek.opcua_browse_result",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.browse_response_link_id", "target_field": "opcua.response.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_reference.link_id", "target_field": "opcua.reference.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.status_code.link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

19
salt/elasticsearch/files/ingest/zeek.opcua_create_session Normal file
View File

@@ -0,0 +1,19 @@
{
"description" : "zeek.opcua_create_session",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.session_id_encoding_mask", "target_field": "opcua.session_id.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.session_id_namespace_idx", "target_field": "opcua.session_id.namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.session_id_guid", "target_field": "opcua.session_id.guid", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_token_encoding_mask", "target_field": "opcua.auth_token.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_token_namespace_idx", "target_field": "opcua.auth_token.namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_token_guid", "target_field": "opcua.auth_token.guid", "ignore_missing": true } },
{ "rename": { "field": "message2.revised_session_timeout", "target_field": "opcua.revised_session_timeout", "ignore_missing": true } },
{ "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
{ "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.max_req_msg_size", "target_field": "opcua.request.max_message_size", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

21
salt/elasticsearch/files/ingest/zeek.opcua_create_session_endpoints Normal file
View File

@@ -0,0 +1,21 @@
{
"description" : "zeek.opcua",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
{ "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
{ "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
{ "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
{ "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
{ "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

11
salt/elasticsearch/files/ingest/zeek.opcua_create_session_user_token Normal file
View File

@@ -0,0 +1,11 @@
{
"description" : "zeek.opcua_create_session_user_token",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.policy_id", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.type", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

15
salt/elasticsearch/files/ingest/zeek.opcua_create_subscription Normal file
View File

@@ -0,0 +1,15 @@
{
"description" : "zeek.opcua_create_subscription",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.requested_publishing_interval", "target_field": "opcua.publish_interval", "ignore_missing": true } },
{ "rename": { "field": "message2.requested_lifetime_count", "target_field": "opcua.lifetime_count", "ignore_missing": true } },
{ "rename": { "field": "message2.requested_max_keep_alive_count", "target_field": "opcua.max_keepalive", "ignore_missing": true } },
{ "rename": { "field": "message2.max_notifications_per_publish", "target_field": "opcua.max_notifications", "ignore_missing": true } },
{ "rename": { "field": "message2.publishing_enabled", "target_field": "opcua.publish_enabled", "ignore_missing": true } },
{ "rename": { "field": "message2.priority", "target_field": "opcua.priority", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.opcua_get_endpoints",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

21
salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description Normal file
View File

@@ -0,0 +1,21 @@
{
"description" : "zeek.opcua_get_endpoints_description",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
{ "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
{ "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
{ "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
{ "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.transport_profile_uri", "target_field": "transport_profile_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

11
salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_user_token Normal file
View File

@@ -0,0 +1,11 @@
{
"description" : "zeek.opcua_get_endpoints_user_token",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_type", "target_field": "opcua.user_token.type", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_sec_policy_uri", "target_field": "opcua.user_token.security_policy_uri", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

15
salt/elasticsearch/files/ingest/zeek.opcua_opensecure_channel Normal file
View File

@@ -0,0 +1,15 @@
{
"description" : "zeek.opcua_opensecure_channel",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server.protocol.version", "ignore_missing": true } },
{ "rename": { "field": "message2.sec_token_sec_channel_id", "target_field": "opcua.security_token.security_channel_id", "ignore_missing": true } },
{ "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.id", "ignore_missing": true } },
{ "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.created", "ignore_missing": true } },
{ "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.revised", "ignore_missing": true } },
{ "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server.nonce", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.opcua_read Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.opcua_read",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results.link_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

16
salt/elasticsearch/files/ingest/zeek.opcua_read_nodes_to_read Normal file
View File

@@ -0,0 +1,16 @@
{
"description" : "zeek.opcua_read_nodes_to_read",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.nodes_to_read_link_id", "target_field": "opcua.nodes_to_read.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.node_id_encoding_mask", "target_field": "opcua.node_id.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.node_id_namespace_idx", "target_field": "opcua.node_id.namespace_idx", "ignore_missing": true } },
{ "rename": { "field": "message2.node_id_string", "target_field": "opcua.node_id.string", "ignore_missing": true } },
{ "rename": { "field": "message2.attribute_id", "target_field": "opcua.attribute_id", "ignore_missing": true } },
{ "rename": { "field": "message2.attribute_id_str", "target_field": "opcua.attribute_id_str", "ignore_missing": true } },
{ "rename": { "field": "message2.data_encoding_name_idx", "target_field": "opcua.encoding_name_idx", "ignore_missing": true } },
{ "rename": { "field": "message2.data_encoding_name", "target_field": "opcua.encoding_name", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

12
salt/elasticsearch/files/ingest/zeek.opcua_read_results Normal file
View File

@@ -0,0 +1,12 @@
{
"description" : "zeek.opcua_read_results",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.results_link_id", "target_field": "opcua.results.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.level", "target_field": "opcua.level", "ignore_missing": true } },
{ "rename": { "field": "message2.data_value_encoding_mask", "target_field": "opcua.data_value_encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.opcua_read_results_link Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.opcua_read_results_link",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.results_link_id", "target_field": "opcua.results.link_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

21
salt/elasticsearch/files/ingest/zeek.opcua_status_code_detail Normal file
View File

@@ -0,0 +1,21 @@
{
"description" : "zeek.opcua_stats_code_detail",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.source", "target_field": "opcua.source", "ignore_missing": true } },
{ "rename": { "field": "message2.source_str", "target_field": "opcua.source_string", "ignore_missing": true } },
{ "rename": { "field": "message2.source_level", "target_field": "opcua.source_level", "ignore_missing": true } },
{ "rename": { "field": "message2.status_code", "target_field": "opcua.status_code", "ignore_missing": true } },
{ "rename": { "field": "message2.severity", "target_field": "opcua.severity", "ignore_missing": true } },
{ "rename": { "field": "message2.severity_str", "target_field": "opcua.severity_string", "ignore_missing": true } },
{ "rename": { "field": "message2.sub_code", "target_field": "opcua.sub_code", "ignore_missing": true } },
{ "rename": { "field": "message2.sub_code_str", "target_field": "opcua.sub_code_string", "ignore_missing": true } },
{ "rename": { "field": "message2.structure_changed", "target_field": "opcua.structure_changed", "ignore_missing": true } },
{ "rename": { "field": "message2.semantics_changed", "target_field": "opcua.semantics_changed", "ignore_missing": true } },
{ "rename": { "field": "message2.info_type", "target_field": "opcua.info_type", "ignore_missing": true } },
{ "rename": { "field": "message2.info_type_str", "target_field": "opcua.info_type_string", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

13
salt/elasticsearch/files/ingest/zeek.profinet Normal file
View File

@@ -0,0 +1,13 @@
{
"description" : "zeek.profinet",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.operation_type", "target_field": "profinet.operation_type", "ignore_missing": true } },
{ "rename": { "field": "message2.block_version", "target_field": "profinet.block_version", "ignore_missing": true } },
{ "rename": { "field": "message2.slot_number", "target_field": "profinet.slot_number", "ignore_missing": true } },
{ "rename": { "field": "message2.subslot_number", "target_field": "profinet.subslot_number", "ignore_missing": true } },
{ "rename": { "field": "message2.index", "target_field": "profinet.index", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

15
salt/elasticsearch/files/ingest/zeek.profinet_dce_rpc Normal file
View File

@@ -0,0 +1,15 @@
{
"description" : "zeek.profinet_dce_rpc",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.version", "target_field": "profinet.version", "ignore_missing": true } },
{ "rename": { "field": "message2.packet_type", "target_field": "profinet.packet_type", "ignore_missing": true } },
{ "rename": { "field": "message2.object_uuid", "target_field": "profinet.object_uuid", "ignore_missing": true } },
{ "rename": { "field": "message2.interface_uuid", "target_field": "profinet.interface_uuid", "ignore_missing": true } },
{ "rename": { "field": "message2.activity_uuid", "target_field": "profinet.activity_uuid", "ignore_missing": true } },
{ "rename": { "field": "message2.server_boot_time", "target_field": "profinet.server.boot_time", "ignore_missing": true } },
{ "rename": { "field": "message2.operation", "target_field": "profinet.operation", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

15
salt/elasticsearch/files/ingest/zeek.s7comm Normal file
View File

@@ -0,0 +1,15 @@
{
"description" : "zeek.s7comm",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.rosctr_code", "target_field": "s7.ros.control.code", "ignore_missing": true } },
{ "rename": { "field": "message2.rosctr_name", "target_field": "s7.ros.control.name", "ignore_missing": true } },
{ "rename": { "field": "message2.pdu_reference", "target_field": "s7.pdu_reference", "ignore_missing": true } },
{ "rename": { "field": "message2.function_code", "target_field": "s7.function.code", "ignore_missing": true } },
{ "rename": { "field": "message2.function_name", "target_field": "s7.function.name", "ignore_missing": true } },
{ "rename": { "field": "message2.error_class", "target_field": "s7.error.class", "ignore_missing": true } },
{ "rename": { "field": "message2.error_code", "target_field": "s7.error.code", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

11
salt/elasticsearch/files/ingest/zeek.s7comm_plus Normal file
View File

@@ -0,0 +1,11 @@
{
"description" : "zeek.s7comm_plus",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.version", "target_field": "s7.version", "ignore_missing": true } },
{ "rename": { "field": "message2.opcode", "target_field": "s7.opcode.value", "ignore_missing": true } },
{ "rename": { "field": "message2.opcode_name", "target_field": "s7.opcode.name", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

15
salt/elasticsearch/files/ingest/zeek.stun Normal file
View File

@@ -0,0 +1,15 @@
{
"description" : "zeek.stun",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "stun.is_orig", "ignore_missing": true } },
{ "rename": { "field": "message2.trans_id", "target_field": "stun.id", "ignore_missing": true } },
{ "rename": { "field": "message2.method", "target_field": "stun.method", "ignore_missing": true } },
{ "rename": { "field": "message2.class", "target_field": "stun.class", "ignore_missing": true } },
{ "rename": { "field": "message2.attr_types", "target_field": "stun.attribute.types", "ignore_missing": true } },
{ "rename": { "field": "message2.attr_vals", "target_field": "stun.attribute.values", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

13
salt/elasticsearch/files/ingest/zeek.stun_nat Normal file
View File

@@ -0,0 +1,13 @@
{
"description" : "zeek.stun_nat",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "stun.is_orig", "ignore_missing": true } },
{ "rename": { "field": "message2.wan_addrs", "target_field": "stun.wan.addresses", "ignore_missing": true } },
{ "rename": { "field": "message2.wan_ports", "target_field": "stun.wan.ports", "ignore_missing": true } },
{ "rename": { "field": "message2.lan_addrs", "target_field": "stun.lan.addresses", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

9
salt/elasticsearch/files/ingest/zeek.tds Normal file
View File

@@ -0,0 +1,9 @@
{
"description" : "zeek.tds",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.command", "target_field": "tds.command", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.tds_rpc Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.tds_rpc",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.procedure_name", "target_field": "tds.procedure_name", "ignore_missing": true } },
{ "rename": { "field": "message2.parameters", "target_field": "tds.parameters", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.tds_sql_batch Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.tds_sql_batch",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.header_type", "target_field": "tds.header_type", "ignore_missing": true } },
{ "rename": { "field": "message2.query", "target_field": "tds.query", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

11
salt/elasticsearch/files/ingest/zeek.wireguard Normal file
View File

@@ -0,0 +1,11 @@
{
"description" : "zeek.wireguard",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.established", "target_field": "wireguard.established", "ignore_missing": true } },
{ "rename": { "field": "message2.initiations", "target_field": "wireguard.initiations", "ignore_missing": true } },
{ "rename": { "field": "message2.responses", "target_field": "wireguard.responses", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

8
salt/filebeat/etc/filebeat.yml
View File

@@ -144,6 +144,10 @@ filebeat.inputs:
dataset: {{ LOGNAME }}
category: network
processors:
{%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
- add_tags:
tags: ["ics"]
{%- endif %}
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
@@ -161,6 +165,10 @@ filebeat.inputs:
category: network
imported: true
processors:
{%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
- add_tags:
tags: ["ics"]
{%- endif %}
- add_tags:
tags: ["import"]
- dissect:

28
salt/sensoroni/files/analyzers/README.md
View File

@@ -5,20 +5,19 @@ Security Onion provides a means for performing data analysis on varying inputs.
## Supported Observable Types
The built-in analyzers support the following observable types:
| Name | Domain | Hash | IP | JA3 | Mail | Other | URI | URL | User Agent |
| ------------------------|--------|-------|-------|-------|-------|-------|-------|-------|------------
| Alienvault OTX |&check; |&check;|&check;|&cross;|&cross;|&cross;|&cross;|&check;|&cross;|
| EmailRep |&cross; |&cross;|&cross;|&cross;|&check;|&cross;|&cross;|&cross;|&cross;|
| Greynoise |&cross; |&cross;|&check;|&cross;|&cross;|&cross;|&cross;|&cross;|&cross;|
| JA3er |&cross; |&cross;|&cross;|&check;|&cross;|&cross;|&cross;|&cross;|&cross;|
| LocalFile |&check; |&check;|&check;|&check;|&cross;|&check;|&cross;|&check;|&cross;|
| Malware Hash Registry |&cross; |&check;|&cross;|&cross;|&cross;|&cross;|&cross;|&check;|&cross;|
| Pulsedive |&check; |&check;|&check;|&cross;|&cross;|&cross;|&check;|&check;|&check;|
| Spamhaus |&cross; |&cross;|&check;|&cross;|&cross;|&cross;|&cross;|&cross;|&cross;|
| Urlhaus |&cross; |&cross;|&cross;|&cross;|&cross;|&cross;|&cross;|&check;|&cross;|
| Urlscan |&cross; |&cross;|&cross;|&cross;|&cross;|&cross;|&cross;|&check;|&cross;|
| Virustotal |&check; |&check;|&check;|&cross;|&cross;|&cross;|&cross;|&check;|&cross;|
| WhoisLookup |&check; |&cross;|&cross;|&cross;|&cross;|&cross;|&check;|&cross;|&cross;|
| Name | Domain | Hash | IP | Mail | Other | URI | URL | User Agent |
| ------------------------|--------|-------|-------|-------|-------|-------|-------|-------|
| Alienvault OTX |&check; |&check;|&check;|&cross;|&cross;|&cross;|&check;|&cross;|
| EmailRep |&cross; |&cross;|&cross;|&check;|&cross;|&cross;|&cross;|&cross;|
| Greynoise |&cross; |&cross;|&check;|&cross;|&cross;|&cross;|&cross;|&cross;|
| LocalFile |&check; |&check;|&check;|&cross;|&check;|&cross;|&check;|&cross;|
| Malware Hash Registry |&cross; |&check;|&cross;|&cross;|&cross;|&cross;|&check;|&cross;|
| Pulsedive |&check; |&check;|&check;|&cross;|&cross;|&check;|&check;|&check;|
| Spamhaus |&cross; |&cross;|&check;|&cross;|&cross;|&cross;|&cross;|&cross;|
| Urlhaus |&cross; |&cross;|&cross;|&cross;|&cross;|&cross;|&check;|&cross;|
| Urlscan |&cross; |&cross;|&cross;|&cross;|&cross;|&cross;|&check;|&cross;|
| Virustotal |&check; |&check;|&check;|&cross;|&cross;|&cross;|&check;|&cross;|
| WhoisLookup |&check; |&cross;|&cross;|&cross;|&cross;|&check;|&cross;|&cross;|
## Authentication
Many analyzers require authentication, via an API key or similar. The table below illustrates which analyzers require authentication.
@@ -28,7 +27,6 @@ Many analyzers require authentication, via an API key or similar. The table belo
[AlienVault OTX](https://otx.alienvault.com/api) |&check;|
[EmailRep](https://emailrep.io/key) |&check;|
[GreyNoise](https://www.greynoise.io/plans/community) |&check;|
[JA3er](https://ja3er.com/) |&cross;|
LocalFile |&cross;|
[Malware Hash Registry](https://hash.cymru.com/docs_whois) |&cross;|
[Pulsedive](https://pulsedive.com/api/) |&check;|

2
salt/sensoroni/files/analyzers/emailrep/emailrep.py
View File

@@ -53,7 +53,7 @@ def analyze(conf, input):
def main():
dir = os.path.dirname(os.path.realpath(__file__))
parser = argparse.ArgumentParser(description='Search Greynoise for a given artifact')
parser = argparse.ArgumentParser(description='Search EmailRep for a given artifact')
parser.add_argument('artifact', help='the artifact represented in JSON format')
parser.add_argument('-c', '--config', metavar="CONFIG_FILE", default=dir + "/emailrep.yaml", help='optional config file to use instead of the default config file')

0
salt/sensoroni/files/analyzers/emailrep/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl → salt/sensoroni/files/analyzers/emailrep/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
View File

0
salt/sensoroni/files/analyzers/greynoise/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl → salt/sensoroni/files/analyzers/greynoise/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
View File

0
salt/sensoroni/files/analyzers/ja3er/__init__.py
View File

7
salt/sensoroni/files/analyzers/ja3er/ja3er.json
View File

@@ -1,7 +0,0 @@
{
"name": "JA3er Hash Search",
"version": "0.1",
"author": "Security Onion Solutions",
"description": "This analyzer queries JA3er user agents and sightings",
"supportedTypes" : ["ja3"]
}

53
salt/sensoroni/files/analyzers/ja3er/ja3er.py
View File

@@ -1,53 +0,0 @@
import json
import os
import requests
import helpers
import argparse
def sendReq(conf, meta, hash):
url = conf['base_url'] + hash
response = requests.request('GET', url)
return response.json()
def prepareResults(raw):
if "error" in raw:
if "Sorry" in raw["error"]:
status = "ok"
summary = "no_results"
elif "Invalid hash" in raw["error"]:
status = "caution"
summary = "invalid_input"
else:
status = "caution"
summary = "internal_failure"
else:
status = "info"
summary = "suspicious"
results = {'response': raw, 'summary': summary, 'status': status}
return results
def analyze(conf, input):
meta = helpers.loadMetadata(__file__)
data = helpers.parseArtifact(input)
helpers.checkSupportedType(meta, data["artifactType"])
response = sendReq(conf, meta, data["value"])
return prepareResults(response)
def main():
dir = os.path.dirname(os.path.realpath(__file__))
parser = argparse.ArgumentParser(description='Search JA3er for a given artifact')
parser.add_argument('artifact', help='the artifact represented in JSON format')
parser.add_argument('-c', '--config', metavar="CONFIG_FILE", default=dir + "/ja3er.yaml", help='optional config file to use instead of the default config file')
args = parser.parse_args()
if args.artifact:
results = analyze(helpers.loadConfig(args.config), args.artifact)
print(json.dumps(results))
if __name__ == "__main__":
main()

1
salt/sensoroni/files/analyzers/ja3er/ja3er.yaml
View File

@@ -1 +0,0 @@
base_url: https://ja3er.com/search/

72
salt/sensoroni/files/analyzers/ja3er/ja3er_test.py
View File

@@ -1,72 +0,0 @@
from io import StringIO
import sys
from unittest.mock import patch, MagicMock
from ja3er import ja3er
import unittest
class TestJa3erMethods(unittest.TestCase):
def test_main_missing_input(self):
with patch('sys.exit', new=MagicMock()) as sysmock:
with patch('sys.stderr', new=StringIO()) as mock_stderr:
sys.argv = ["cmd"]
ja3er.main()
self.assertEqual(mock_stderr.getvalue(), "usage: cmd [-h] [-c CONFIG_FILE] artifact\ncmd: error: the following arguments are required: artifact\n")
sysmock.assert_called_once_with(2)
def test_main_success(self):
output = {"foo": "bar"}
with patch('sys.stdout', new=StringIO()) as mock_stdout:
with patch('ja3er.ja3er.analyze', new=MagicMock(return_value=output)) as mock:
sys.argv = ["cmd", "input"]
ja3er.main()
expected = '{"foo": "bar"}\n'
self.assertEqual(mock_stdout.getvalue(), expected)
mock.assert_called_once()
def test_sendReq(self):
with patch('requests.request', new=MagicMock(return_value=MagicMock())) as mock:
meta = {}
conf = {"base_url": "myurl/"}
hash = "abcd1234"
response = ja3er.sendReq(conf=conf, meta=meta, hash=hash)
mock.assert_called_once_with("GET", "myurl/abcd1234")
self.assertIsNotNone(response)
def test_prepareResults_none(self):
raw = {"error": "Sorry no values found"}
results = ja3er.prepareResults(raw)
self.assertEqual(results["response"], raw)
self.assertEqual(results["summary"], "no_results")
self.assertEqual(results["status"], "ok")
def test_prepareResults_invalidHash(self):
raw = {"error": "Invalid hash"}
results = ja3er.prepareResults(raw)
self.assertEqual(results["response"], raw)
self.assertEqual(results["summary"], "invalid_input")
self.assertEqual(results["status"], "caution")
def test_prepareResults_internal_failure(self):
raw = {"error": "unknown"}
results = ja3er.prepareResults(raw)
self.assertEqual(results["response"], raw)
self.assertEqual(results["summary"], "internal_failure")
self.assertEqual(results["status"], "caution")
def test_prepareResults_info(self):
raw = [{"User-Agent": "Blah/5.0", "Count": 24874, "Last_seen": "2022-04-08 16:18:38"}, {"Comment": "Brave browser v1.36.122\n\n", "Reported": "2022-03-28 20:26:42"}]
results = ja3er.prepareResults(raw)
self.assertEqual(results["response"], raw)
self.assertEqual(results["summary"], "suspicious")
self.assertEqual(results["status"], "info")
def test_analyze(self):
output = {"info": "Results found."}
artifactInput = '{"value":"abcd1234","artifactType":"ja3"}'
conf = {"base_url": "myurl/"}
with patch('ja3er.ja3er.sendReq', new=MagicMock(return_value=output)) as mock:
results = ja3er.analyze(conf, artifactInput)
self.assertEqual(results["summary"], "suspicious")
mock.assert_called_once()

2
salt/sensoroni/files/analyzers/ja3er/requirements.txt
View File

@@ -1,2 +0,0 @@
requests>=2.27.1
pyyaml>=6.0

BIN
salt/sensoroni/files/analyzers/ja3er/source-packages/certifi-2021.10.8-py2.py3-none-any.whl
View File

Binary file not shown.

BIN
salt/sensoroni/files/analyzers/ja3er/source-packages/charset_normalizer-2.0.12-py3-none-any.whl
View File

Binary file not shown.

BIN
salt/sensoroni/files/analyzers/ja3er/source-packages/idna-3.3-py3-none-any.whl
View File

Binary file not shown.

BIN
salt/sensoroni/files/analyzers/ja3er/source-packages/requests-2.27.1-py2.py3-none-any.whl
View File

Binary file not shown.

BIN
salt/sensoroni/files/analyzers/ja3er/source-packages/urllib3-1.26.9-py2.py3-none-any.whl
View File

Binary file not shown.

0
salt/sensoroni/files/analyzers/ja3er/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl → salt/sensoroni/files/analyzers/localfile/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
View File

0
salt/sensoroni/files/analyzers/localfile/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl → salt/sensoroni/files/analyzers/otx/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
View File

2
salt/sensoroni/files/analyzers/pulsedive/README.md
View File

@@ -5,7 +5,7 @@ Search Pulsedive for a domain, hash, IP, URI, URL, or User Agent.
## Configuration Requirements
``api_key`` - API key used for communication with the Virustotal API
``api_key`` - API key used for communication with the Pulsedive API
This value should be set in the ``sensoroni`` pillar, like so:

2
salt/sensoroni/files/analyzers/pulsedive/pulsedive.py
View File

@@ -91,7 +91,7 @@ def analyze(conf, input):
def main():
dir = os.path.dirname(os.path.realpath(__file__))
parser = argparse.ArgumentParser(description='Search VirusTotal for a given artifact')
parser = argparse.ArgumentParser(description='Search Pulsedive for a given artifact')
parser.add_argument('artifact', help='the artifact represented in JSON format')
parser.add_argument('-c', '--config', metavar="CONFIG_FILE", default=dir + "/pulsedive.yaml", help='optional config file to use instead of the default config file')

0
salt/sensoroni/files/analyzers/otx/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl → salt/sensoroni/files/analyzers/pulsedive/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
View File

0
salt/sensoroni/files/analyzers/pulsedive/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl → salt/sensoroni/files/analyzers/spamhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
View File

0
salt/sensoroni/files/analyzers/spamhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl → salt/sensoroni/files/analyzers/urlhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
View File

2
salt/sensoroni/files/analyzers/urlscan/README.md
View File

@@ -5,7 +5,7 @@ Submit a URL to Urlscan for analysis.
## Configuration Requirements
``api_key`` - API key used for communication with the Virustotal API
``api_key`` - API key used for communication with the urlscan API
``enabled`` - Determines whether or not the analyzer is enabled. Defaults to ``False``
``visibility`` - Determines whether or not scan results are visibile publicly. Defaults to ``public``
``timeout`` - Time to wait for scan results. Defaults to ``180``s

0
salt/sensoroni/files/analyzers/urlhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl → salt/sensoroni/files/analyzers/urlscan/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
View File

2
salt/sensoroni/files/analyzers/urlscan/urlscan.py
View File

@@ -77,7 +77,7 @@ def analyze(conf, input):
def main():
dir = os.path.dirname(os.path.realpath(__file__))
parser = argparse.ArgumentParser(description='Search Alienvault OTX for a given artifact')
parser = argparse.ArgumentParser(description='Search urlscan for a given artifact')
parser.add_argument('artifact', help='the artifact represented in JSON format')
parser.add_argument('-c', '--config', metavar="CONFIG_FILE", default=dir + "/urlscan.yaml", help='optional config file to use instead of the default config file')

BIN
salt/sensoroni/files/analyzers/virustotal/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
View File

Binary file not shown.

0
salt/sensoroni/files/analyzers/urlscan/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl → salt/sensoroni/files/analyzers/virustotal/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
View File

6
salt/soc/files/soc/dashboards.queries.json
View File

@@ -47,5 +47,9 @@
{ "name": "Tunnel", "description": "Tunnels seen by Zeek", "query": "event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port "},
{ "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"},
{ "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"}
{ "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS", "description": "Industrial Control Systems", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"},
{ "name": "STUN", "description": "Session Traversal Utilities for NAT", "query": "event.dataset:stun* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "TDS", "description": "Tabular Data Stream", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "WireGuard", "description": "WireGuard VPN", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}
]

26
salt/soc/files/soc/hunt.eventfields.json
View File

@@ -4,7 +4,8 @@
"::conn": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "network.protocol", "log.id.uid", "network.community_id" ],
"::dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dce_rpc.endpoint", "dce_rpc.named_pipe", "dce_rpc.operation", "log.id.uid" ],
"::dhcp": ["soc_timestamp", "client.address", "server.address", "host.domain", "host.hostname", "dhcp.message_types", "log.id.uid" ],
"::dnp3": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.fc_reply", "log.id.uid" ],
"::dnp3": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.fc_request", "dnp3.fc_reply", "log.id.uid" ],
"::dnp3_objects": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.function_code", "dnp3.object_type", "log.id.uid" ],
"::dns": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "dns.query.name", "dns.query.type_name", "dns.response.code_name", "log.id.uid", "network.community_id" ],
"::dpd": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.protocol", "observer.analyser", "error.reason", "log.id.uid" ],
"::file": ["soc_timestamp", "source.ip", "destination.ip", "file.name", "file.mime_type", "file.source", "file.bytes.total", "log.id.fuid", "log.id.uid" ],
@@ -56,6 +57,27 @@
"::process_creation": ["soc_timestamp","process.command_line", "process.pid", "process.parent.executable", "process.working_directory"],
"::registry_create_delete": ["soc_timestamp", "winlog.event_data.TargetObject", "process.executable", "process.pid", "winlog.computer_name"],
"::dns_query": ["soc_timestamp", "dns.query.name", "dns.answers.name", "process.executable", "winlog.computer_name"],
"::file_create_stream_hash": ["soc_timestamp", "file.target", "hash.md5", "hash.sha256", "process.executable", "process.pid", "winlog.computer_name"]
"::file_create_stream_hash": ["soc_timestamp", "file.target", "hash.md5", "hash.sha256", "process.executable", "process.pid", "winlog.computer_name"],
"::tds": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.command", "log.id.uid", "event.dataset" ],
"::tds_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.procedure_name", "log.id.uid", "event.dataset" ],
"::cip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.service", "cip.status_code", "log.id.uid", "event.dataset" ],
"::enip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "enip.command", "enip.status_code", "log.id.uid", "event.dataset" ],
"::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ],
"::s7comm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.ros.control.name", "s7.function.name", "log.id.uid" ],
"::s7comm_plus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.opcode.name", "s7.version", "log.id.uid" ],
"::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ],
"::ecat_arp_info": ["soc_timestamp", "source.ip", "destination.ip", "source.mac", "destination.mac", "ecat.arp.type" ],
"::ecat_aoe_info": ["soc_timestamp", "source.mac", "source.port", "destination.mac", "destination.port", "ecat.command" ],
"::ecat_log_address": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command" ],
"::ecat_registers": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command", "ecat.register.type" ],
"::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ],
"::bacnet_discovery": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.vendor", "bacnet.pdu.service", "log.id.uid" ],
"::bacnet_property": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.property", "bacnet.pdu.service", "log.id.uid" ],
"::profinet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.index", "profinet.operation_type", "log.id.uid" ],
"::profinet_dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.operation", "log.id.uid" ],
"::cotp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cotp.pdu.name", "log.id.uid" ],
"::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ]
}

2
salt/soc/files/soc/motd.md
View File

@@ -6,7 +6,7 @@ If you're ready to dive in, take a look at the [Alerts](/#/alerts) interface to
## What's New
To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/#release-notes) link.
To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/release-notes.html) link.
## Customize This Space

Some files were not shown because too many files have changed in this diff Show More