Initial Commit

2026-02-22 06:55:27 +01:00 · 2018-02-05 12:36:27 -05:00
parent 44831f7f35
commit 5a6c66bde5
113 changed files with 7408 additions and 0 deletions
--- a/salt/logstash/files/dictionaries/iana_protocols.yaml
+++ b/salt/logstash/files/dictionaries/iana_protocols.yaml
@@ -0,0 +1,256 @@
+"0": HOPOPT
+"1": ICMP
+"2": IGMP
+"3": GGP
+"4": IPv4
+"5": ST
+"6": TCP
+"7": CBT
+"8": EGP
+"9": IGP
+"10": BBN-RCC-MON
+"11": NVP-II
+"12": PUP
+"13": ARGUS
+"14": EMCON
+"15": XNET
+"16": CHAOS
+"17": UDP
+"18": MUX
+"19": DCN-MEAS
+"20": HMP
+"21": PRM
+"22": XNS-IDP
+"23": TRUNK-1
+"24": TRUNK-2
+"25": LEAF-1
+"26": LEAF-2
+"27": RDP
+"28": IRTP
+"29": ISO-TP4
+"30": NETBLT
+"31": MFE-NSP
+"32": MERIT-INP
+"33": DCCP
+"34": 3PC
+"35": IDPR
+"36": XTP
+"37": DDP
+"38": IDPR-CMTP
+"39": TP++
+"40": IL
+"41": IPv6
+"42": SDRP
+"43": IPv6-Route
+"44": IPv6-Frag
+"45": IDRP
+"46": RSVP
+"47": GRE
+"48": DSR
+"49": BNA
+"50": ESP
+"51": AH
+"52": I-NLSP
+"53": SWIPE
+"54": NARP
+"55": MOBILE
+"56": TLSP
+"57": SKIP
+"58": IPv6-ICMP
+"59": IPv6-NoNxt
+"60": IPv6-Opts
+"61": Undefined
+"62": CFTP
+"63": Undefined
+"64": SAT-EXPAK
+"65": KRYPTOLAN
+"66": RVD
+"67": IPPC
+"68": Undefined
+"69": SAT-MON
+"70": VISA
+"71": IPCV
+"72": CPNX
+"73": CPHB
+"74": WSN
+"75": PVP
+"76": BR-SAT-MON
+"77": SUN-ND
+"78": WB-MON
+"79": WB-EXPAK
+"80": ISO-IP
+"81": VMTP
+"82": SECURE-VMTP
+"83": VINES
+"84": TTP/IPTM
+"85": NSFNET-IGP
+"86": DGP
+"87": TCF
+"88": EIGRP
+"89": OSPFIGP
+"90": Sprite-RPC
+"91": LARP
+"92": MTP
+"93": AX.25
+"94": IPIP
+"95": MICP
+"96": SCC-SP
+"97": ETHERIP
+"98": ENCAP
+"99": Undefined
+"100": GMTP
+"101": IFMP
+"102": PNNI
+"103": PIM
+"104": ARIS
+"105": SCPS
+"106": QNX
+"107": A/N
+"108": IPComp
+"109": SNP
+"110": Compaq-Peer
+"111": IPX-in-IP
+"112": VRRP
+"113": PGM
+"114": Undefined
+"115": L2TP
+"116": DDX
+"117": IATP
+"118": STP
+"119": SRP
+"120": UTI
+"121": SMP
+"122": SM
+"123": PTP
+"124": ISIS over IPv4
+"125": FIRE
+"126": CRTP
+"127": CRUDP
+"128": SSCOPMCE
+"129": IPLT
+"130": SPS
+"131": PIPE
+"132": SCTP
+"133": FC
+"134": RSVP-E2E-IGNORE
+"135": Mobility Header
+"136": UDPLite
+"137": MPLS-in-IP
+"138": manet
+"139": HIP
+"140": Shim6
+"141": WESP
+"142": ROHC
+"143": Undefined
+"144": Undefined
+"145": Undefined
+"146": Undefined
+"147": Undefined
+"148": Undefined
+"149": Undefined
+"150": Undefined
+"151": Undefined
+"152": Undefined
+"153": Undefined
+"154": Undefined
+"155": Undefined
+"156": Undefined
+"157": Undefined
+"158": Undefined
+"159": Undefined
+"160": Undefined
+"161": Undefined
+"162": Undefined
+"163": Undefined
+"164": Undefined
+"165": Undefined
+"166": Undefined
+"167": Undefined
+"168": Undefined
+"169": Undefined
+"170": Undefined
+"171": Undefined
+"172": Undefined
+"173": Undefined
+"174": Undefined
+"175": Undefined
+"176": Undefined
+"177": Undefined
+"178": Undefined
+"179": Undefined
+"180": Undefined
+"181": Undefined
+"182": Undefined
+"183": Undefined
+"184": Undefined
+"185": Undefined
+"186": Undefined
+"187": Undefined
+"188": Undefined
+"189": Undefined
+"190": Undefined
+"191": Undefined
+"192": Undefined
+"193": Undefined
+"194": Undefined
+"195": Undefined
+"196": Undefined
+"197": Undefined
+"198": Undefined
+"199": Undefined
+"200": Undefined
+"201": Undefined
+"202": Undefined
+"203": Undefined
+"204": Undefined
+"205": Undefined
+"206": Undefined
+"207": Undefined
+"208": Undefined
+"209": Undefined
+"210": Undefined
+"211": Undefined
+"212": Undefined
+"213": Undefined
+"214": Undefined
+"215": Undefined
+"216": Undefined
+"217": Undefined
+"218": Undefined
+"219": Undefined
+"220": Undefined
+"221": Undefined
+"222": Undefined
+"223": Undefined
+"224": Undefined
+"225": Undefined
+"226": Undefined
+"227": Undefined
+"228": Undefined
+"229": Undefined
+"230": Undefined
+"231": Undefined
+"232": Undefined
+"233": Undefined
+"234": Undefined
+"235": Undefined
+"236": Undefined
+"237": Undefined
+"238": Undefined
+"239": Undefined
+"240": Undefined
+"241": Undefined
+"242": Undefined
+"243": Undefined
+"244": Undefined
+"245": Undefined
+"246": Undefined
+"247": Undefined
+"248": Undefined
+"249": Undefined
+"250": Undefined
+"251": Undefined
+"252": Undefined
+"253": Undefined
+"254": Undefined
+"255": Reserved
--- a/salt/logstash/files/dictionaries/iana_services.yaml
+++ b/salt/logstash/files/dictionaries/iana_services.yaml
@@ -0,0 +1,345 @@
+"1": tcpmux
+"2": nbp
+"4": echo
+"6": zip
+"7": echo
+"9": discard
+"11": systat
+"13": daytime
+"15": netstat
+"17": qotd
+"18": msp
+"19": chargen
+"20": ftp-data
+"21": ftp
+"22": ssh
+"23": telnet
+"25": smtp
+"37": time
+"39": rlp
+"42": nameserver
+"43": whois
+"49": tacacs
+"50": re-mail-ck
+"53": domain
+"57": mtp
+"65": tacacs-ds
+"67": bootps
+"68": bootpc
+"69": tftp
+"70": gopher
+"77": rje
+"79": finger
+"80": http
+"87": link
+"88": kerberos
+"95": supdup
+"98": linuxconf
+"101": hostnames
+"102": iso-tsap
+"104": acr-nema
+"105": csnet-ns
+"106": poppassd
+"107": rtelnet
+"109": pop2
+"110": pop3
+"111": sunrpc
+"113": auth
+"115": sftp
+"117": uucp-path
+"119": nntp
+"123": ntp
+"129": pwdgen
+"135": loc-srv
+"137": netbios-ns
+"138": netbios-dgm
+"139": netbios-ssn
+"143": imap2
+"161": snmp
+"162": snmp-trap
+"163": cmip-man
+"164": cmip-agent
+"174": mailq
+"177": xdmcp
+"178": nextstep
+"179": bgp
+"191": prospero
+"194": irc
+"199": smux
+"201": at-rtmp
+"202": at-nbp
+"204": at-echo
+"206": at-zis
+"209": qmtp
+"210": z3950
+"213": ipx
+"220": imap3
+"345": pawserv
+"346": zserv
+"347": fatserv
+"369": rpc2portmap
+"370": codaauth2
+"371": clearcase
+"372": ulistserv
+"389": ldap
+"406": imsp
+"427": svrloc
+"443": https
+"444": snpp
+"445": microsoft-ds
+"464": kpasswd
+"465": urd
+"487": saft
+"500": isakmp
+"512": exec
+"512": biff
+"513": login
+"513": who
+"514": shell
+"514": syslog
+"515": printer
+"517": talk
+"518": ntalk
+"520": route
+"525": timed
+"526": tempo
+"530": courier
+"531": conference
+"532": netnews
+"533": netwall
+"538": gdomap
+"540": uucp
+"543": klogin
+"544": kshell
+"546": dhcpv6-client
+"547": dhcpv6-server
+"548": afpovertcp
+"549": idfp
+"554": rtsp
+"556": remotefs
+"563": nntps
+"587": submission
+"607": nqs
+"610": npmp-local
+"611": npmp-gui
+"612": hmmp-ind
+"623": asf-rmcp
+"628": qmqp
+"631": ipp
+"636": ldaps
+"655": tinc
+"706": silc
+"749": kerberos-adm
+"750": kerberos4
+"751": kerberos-master
+"752": passwd-server
+"754": krb-prop
+"760": krbupdate
+"765": webster
+"775": moira-db
+"777": moira-update
+"779": moira-ureg
+"783": spamd
+"808": omirr
+"871": supfilesrv
+"873": rsync
+"901": swat
+"989": ftps-data
+"990": ftps
+"992": telnets
+"993": imaps
+"994": ircs
+"995": pop3s
+"1001": customs
+"1080": socks
+"1093": proofd
+"1094": rootd
+"1099": rmiregistry
+"1109": kpop
+"1127": supfiledbg
+"1178": skkserv
+"1194": openvpn
+"1210": predict
+"1214": kazaa
+"1236": rmtcfg
+"1241": nessus
+"1300": wipld
+"1313": xtel
+"1314": xtelw
+"1352": lotusnote
+"1433": ms-sql-s
+"1434": ms-sql-m
+"1524": ingreslock
+"1525": prospero-np
+"1529": support
+"1645": datametrics
+"1646": sa-msg-port
+"1649": kermit
+"1677": groupwise
+"1701": l2f
+"1812": radius
+"1813": radius-acct
+"1863": msnp
+"1957": unix-status
+"1958": log-server
+"1959": remoteping
+"2000": cisco-sccp
+"2003": cfinger
+"2010": search
+"2010": pipe-server
+"2049": nfs
+"2053": knetd
+"2086": gnunet
+"2101": rtcm-sc104
+"2102": zephyr-srv
+"2103": zephyr-clt
+"2104": zephyr-hm
+"2105": eklogin
+"2111": kx
+"2119": gsigatekeeper
+"2121": iprop
+"2121": frox
+"2135": gris
+"2150": ninstall
+"2401": cvspserver
+"2430": venus
+"2431": venus-se
+"2432": codasrv
+"2433": codasrv-se
+"2583": mon
+"2600": zebrasrv
+"2601": zebra
+"2602": ripd
+"2603": ripngd
+"2604": ospfd
+"2605": bgpd
+"2606": ospf6d
+"2607": ospfapi
+"2608": isisd
+"2628": dict
+"2792": f5-globalsite
+"2811": gsiftp
+"2947": gpsd
+"2988": afbackup
+"2989": afmbackup
+"3050": gds-db
+"3130": icpv2
+"3260": iscsi-target
+"3306": mysql
+"3493": nut
+"3632": distcc
+"3689": daap
+"3690": svn
+"4031": suucp
+"4094": sysrqd
+"4190": sieve
+"4224": xtell
+"4353": f5-iquery
+"4369": epmd
+"4373": remctl
+"4500": ipsec-nat-t
+"4557": fax
+"4559": hylafax
+"4569": iax
+"4600": distmp3
+"4691": mtn
+"4899": radmin-port
+"4949": munin
+"5002": rfe
+"5050": mmcc
+"5051": enbd-cstatd
+"5052": enbd-sstatd
+"5060": sip
+"5061": sip-tls
+"5151": pcrd
+"5190": aol
+"5222": xmpp-client
+"5269": xmpp-server
+"5308": cfengine
+"5353": mdns
+"5354": noclog
+"5355": hostmon
+"5432": postgresql
+"5555": rplay
+"5556": freeciv
+"5666": nrpe
+"5667": nsca
+"5672": amqp
+"5674": mrtd
+"5675": bgpsim
+"5680": canna
+"5688": ggz
+"6000": x11
+"6001": x11-1
+"6002": x11-2
+"6003": x11-3
+"6004": x11-4
+"6005": x11-5
+"6006": x11-6
+"6007": x11-7
+"6346": gnutella-svc
+"6347": gnutella-rtr
+"6444": sge-qmaster
+"6445": sge-execd
+"6446": mysql-proxy
+"6514": syslog-tls
+"6566": sane-port
+"6667": ircd
+"7000": afs3-fileserver
+"7001": afs3-callback
+"7002": afs3-prserver
+"7003": afs3-vlserver
+"7004": afs3-kaserver
+"7005": afs3-volser
+"7006": afs3-errors
+"7007": afs3-bos
+"7008": afs3-update
+"7009": afs3-rmtsys
+"7100": font-service
+"8021": zope-ftp
+"8080": http-alt
+"8081": tproxy
+"8088": omniorb
+"8990": clc-build-daemon
+"9098": xinetd
+"9101": bacula-dir
+"9102": bacula-fd
+"9103": bacula-sd
+"9359": mandelspawn
+"9418": git
+"9667": xmms2
+"9673": zope
+"10000": webmin
+"10050": zabbix-agent
+"10051": zabbix-trapper
+"10080": amanda
+"10081": kamanda
+"10082": amandaidx
+"10083": amidxtape
+"10809": nbd
+"11112": dicom
+"11201": smsqp
+"11371": hkp
+"13720": bprd
+"13721": bpdbm
+"13722": bpjava-msvc
+"13724": vnetd
+"13782": bpcd
+"13783": vopied
+"15345": xpilot
+"17001": sgi-cmsd
+"17002": sgi-crsd
+"17003": sgi-gcd
+"17004": sgi-cad
+"17500": db-lsp
+"20011": isdnlog
+"20012": vboxd
+"22125": dcap
+"22128": gsidcap
+"22273": wnn6
+"24554": binkp
+"27374": asp
+"30865": csync2
+"57000": dircproxy
+"60177": tfido
+"60179": fido
--- a/salt/logstash/files/dictionaries/services.yaml
+++ b/salt/logstash/files/dictionaries/services.yaml
@@ -0,0 +1,3 @@
+"Windows Update": whitelist
+"SEC555 Service": whitelist
+"Evil Service": blacklist
--- a/salt/logstash/files/dictionaries/tcp_flags.yaml
+++ b/salt/logstash/files/dictionaries/tcp_flags.yaml
@@ -0,0 +1,64 @@
+"0x00": NULL
+"0x01": FIN
+"0x02": SYN
+"0x03": FIN-SYN
+"0x08": PSH
+"0x09": FIN-PSH
+"0x0A": SYN-PSH
+"0x0B": FIN-SYN-PSH
+"0x10": ACK
+"0x11": FIN-ACK
+"0x12": SYN-ACK
+"0x13": FIN-SYN-ACK
+"0x18": PSH-ACK
+"0x19": FIN-PSH-ACK
+"0x1A": SYN-PSH-ACK
+"0x1B": FIN-SYN-PSH-ACK
+"0x40": ECE
+"0x41": FIN-ECE
+"0x42": SYN-ECE
+"0x43": FIN-SYN-ECE
+"0x48": PSH-ECE
+"0x49": FIN-PSH-ECE
+"0x4A": SYN-PSH-ECE
+"0x4B": FIN-SYN-PSH-ECE
+"0x50": ACK-ECE
+"0x51": FIN-ACK-ECE
+"0x52": SYN-ACK-ECE
+"0x53": FIN-SYN-ACK-ECE
+"0x58": PSH-ACK-ECE
+"0x59": FIN-PSH-ACK-ECE
+"0x5A": SYN-PSH-ACK-ECE
+"0x5B": FIN-SYN-PSH-ACK-ECE
+"0x80": CWR
+"0x81": FIN-CWR
+"0x82": SYN-CWR
+"0x83": FIN-SYN-CWR
+"0x88": PSH-CWR
+"0x89": FIN-PSH-CWR
+"0x8A": SYN-PSH-CWR
+"0x8B": FIN-SYN-PSH-CWR
+"0x90": ACK-CWR
+"0x91": FIN-ACK-CWR
+"0x92": SYN-ACK-CWR
+"0x93": FIN-SYN-ACK-CWR
+"0x98": PSH-ACK-CWR
+"0x99": FIN-PSH-ACK-CWR
+"0x9A": SYN-PSH-ACK-CWR
+"0x9B": FIN-SYN-PSH-ACK-CWR
+"0xC0": ECE-CWR
+"0xC1": FIN-ECE-CWR
+"0xC2": SYN-ECE-CWR
+"0xC3": FIN-SYN-ECE-CWR
+"0xC8": PSH-ECE-CWR
+"0xC9": FIN-PSH-ECE-CWR
+"0xCA": SYN-PSH-ECE-CWR
+"0xCB": FIN-SYN-PSH-ECE-CWR
+"0xD0": ACK-ECE-CWR
+"0xD1": FIN-ACK-ECE-CWR
+"0xD2": SYN-ACK-ECE-CWR
+"0xD3": FIN-SYN-ACK-ECE-CWR
+"0xD8": PSH-ACK-ECE-CWR
+"0xD9": FIN-PSH-ACK-ECE-CWR
+"0xDA": SYN-PSH-ACK-ECE-CWR
+"0xDB": FIN-SYN-PSH-ACK-ECE-CWR