CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

add more zeek opcua parsers

Browse Source
This commit is contained in:
doug
2022-11-26 17:43:58 -05:00
parent 9ea59355d5
commit 6d814d3909
10 changed files with 97 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.opcua_binary_read_array_dims",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.array_dim_link_id", "target_field": "opcua.array_dim_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.dimension", "target_field": "opcua.dimension", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.opcua_binary_read_array_dims_link",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.variant_data_array_dim_link_id", "target_field": "opcua.variant_data_array_dim_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.array_dim_link_id", "target_field": "opcua.array_dim_link_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.opcua_binary_read_diagnostic_info",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.read_diag_info_link_id", "target_field": "opcua.read_diag_info_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info_link_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

14
salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object Normal file
View File

@@ -0,0 +1,14 @@
{
"description" : "zeek.opcua_binary_read_extension_object",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.ext_obj_link_id", "target_field": "opcua.ext_obj_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_node_id_encoding_mask", "target_field": "opcua.ext_obj_node_id_encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_node_id_namespace_idx", "target_field": "opcua.ext_obj_node_id_namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_node_id_numeric", "target_field": "opcua.ext_obj_node_id_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_type_id_str", "target_field": "opcua.ext_obj_type_id_string", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_encoding", "target_field": "opcua.ext_obj_encoding", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.opcua_binary_read_extension_object_link",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.variant_data_ext_obj_link_id", "target_field": "opcua.variant_data_ext_obj_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_link_id", "target_field": "opcua.ext_obj_link_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.opcua_binary_read_status_code",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.read_status_code_link_id", "target_field": "opcua.read_status_code_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code_link_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.opcua_binary_read_variant_data",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.read_variant_data_link_id", "target_field": "opcua.read_variant_data_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.variant_data_value_signed_numeric", "target_field": "opcua.variant_data_value_signed_numeric", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.opcua_binary_read_variant_data_link",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.read_results_variant_data_link_id", "target_field": "opcua.read_results_variant_data_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.read_variant_data_link_id", "target_field": "opcua.read_variant_data_link_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}