From 7001e9066791188d04814ab93d114a06cd7fa335 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 29 Nov 2023 12:00:46 -0500 Subject: [PATCH] Client and server fingerprints --- salt/elasticsearch/files/ingest/zeek.ssl | 54 +++++++++++++++--------- 1 file changed, 34 insertions(+), 20 deletions(-) diff --git a/salt/elasticsearch/files/ingest/zeek.ssl b/salt/elasticsearch/files/ingest/zeek.ssl index 8ae7c8728..87174d3d2 100644 --- a/salt/elasticsearch/files/ingest/zeek.ssl +++ b/salt/elasticsearch/files/ingest/zeek.ssl @@ -1,26 +1,40 @@ { "description" : "zeek.ssl", "processors" : [ - { "set": { "field": "event.dataset", "value": "ssl" } }, - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, - { "rename": { "field": "message2.version", "target_field": "ssl.version", "ignore_missing": true } }, - { "rename": { "field": "message2.cipher", "target_field": "ssl.cipher", "ignore_missing": true } }, - { "rename": { "field": "message2.curve", "target_field": "ssl.curve", "ignore_missing": true } }, - { "rename": { "field": "message2.server_name", "target_field": "ssl.server_name", "ignore_missing": true } }, - { "rename": { "field": "message2.resumed", "target_field": "ssl.resumed", "ignore_missing": true } }, - { "rename": { "field": "message2.last_alert", "target_field": "ssl.last_alert", "ignore_missing": true } }, - { "rename": { "field": "message2.next_protocol", "target_field": "ssl.next_protocol", "ignore_missing": true } }, - { "rename": { "field": "message2.established", "target_field": "ssl.established", "ignore_missing": true } }, - { "rename": { "field": "message2.cert_chain_fuids", "target_field": "ssl.certificate.chain_fuids", "ignore_missing": true } }, - { "rename": { "field": "message2.client_cert_chain_fuids", "target_field": "ssl.client.certificate.chain_fuids", "ignore_missing": true } }, - { "rename": { "field": "message2.subject", "target_field": "ssl.certificate.subject", "ignore_missing": true } }, - { "rename": { "field": "message2.issuer", "target_field": "ssl.certificate.issuer", "ignore_missing": true } }, - { "rename": { "field": "message2.client_subject", "target_field": "ssl.client.subject", "ignore_missing": true } }, - { "rename": { "field": "message2.client_issuer", "target_field": "ssl.client.issuer", "ignore_missing": true } }, - { "rename": { "field": "message2.validation_status","target_field": "ssl.validation_status", "ignore_missing": true } }, - { "rename": { "field": "message2.ja3", "target_field": "hash.ja3", "ignore_missing": true } }, - { "rename": { "field": "message2.ja3s", "target_field": "hash.ja3s", "ignore_missing": true } }, + { "set": { "field": "event.dataset", "value": "ssl" } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.version", "target_field": "ssl.version", "ignore_missing": true } }, + { "rename": { "field": "message2.cipher", "target_field": "ssl.cipher", "ignore_missing": true } }, + { "rename": { "field": "message2.curve", "target_field": "ssl.curve", "ignore_missing": true } }, + { "rename": { "field": "message2.server_name", "target_field": "ssl.server_name", "ignore_missing": true } }, + { "rename": { "field": "message2.resumed", "target_field": "ssl.resumed", "ignore_missing": true } }, + { "rename": { "field": "message2.last_alert", "target_field": "ssl.last_alert", "ignore_missing": true } }, + { "rename": { "field": "message2.next_protocol", "target_field": "ssl.next_protocol", "ignore_missing": true } }, + { "rename": { "field": "message2.established", "target_field": "ssl.established", "ignore_missing": true } }, + { "rename": { "if": "ctx.message2?.cert_chain_fps != null", "field": "message2.cert_chain_fps", "target_field": "tls.server.hash.sha256", "ignore_missing": true } }, + { "rename": { "field": "message2?.cert_chain_fuids", "target_field": "ssl.certificate.chain_fuids", "ignore_missing": true } }, + { "rename": { "if": "ctx.message2?.client_cert_chain_fps != null", "field": "message2.client_cert_chain_fps", "target_field": "tls.client.hash.sha256", "ignore_failure": true, "ignore_missing": true } }, + { "rename": { "field": "message2.client_cert_chain_fuids", "target_field": "ssl.client.certificate.chain_fuids", "ignore_missing": true } }, + { "rename": { "field": "message2.subject", "target_field": "ssl.certificate.subject", "ignore_missing": true } }, + { "rename": { "field": "message2.issuer", "target_field": "ssl.certificate.issuer", "ignore_missing": true } }, + { "rename": { "field": "message2.client_subject", "target_field": "ssl.client.subject", "ignore_missing": true } }, + { "rename": { "field": "message2.client_issuer", "target_field": "ssl.client.issuer", "ignore_missing": true } }, + { "rename": { "field": "message2.validation_status","target_field": "ssl.validation_status", "ignore_missing": true } }, + { "rename": { "field": "message2.ja3", "target_field": "hash.ja3", "ignore_missing": true } }, + { "rename": { "field": "message2.ja3s", "target_field": "hash.ja3s", "ignore_missing": true } }, + { "foreach": + { + "if": "ctx?.tls?.client?.hash?.sha256 !=null", + "field": "tls.client.hash.sha256", + "processor": { + "append": { + "field": "hash.sha256", + "value": "{{_ingest._value}}" + } + } + } + }, { "pipeline": { "name": "zeek.common_ssl" } } ] }