CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Client and server fingerprints

Browse Source
This commit is contained in:
weslambert
2023-11-29 12:00:46 -05:00
committed by GitHub
parent 8953ffcc49
commit 7001e90667
1 changed files with 34 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
salt/elasticsearch/files/ingest/zeek.ssl
View File

@@ -12,7 +12,9 @@
{ "rename": { "field": "message2.last_alert", "target_field": "ssl.last_alert", "ignore_missing": true } }, { "rename": { "field": "message2.last_alert", "target_field": "ssl.last_alert", "ignore_missing": true } },
{ "rename": { "field": "message2.next_protocol", "target_field": "ssl.next_protocol", "ignore_missing": true } }, { "rename": { "field": "message2.next_protocol", "target_field": "ssl.next_protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.established", "target_field": "ssl.established", "ignore_missing": true } }, { "rename": { "field": "message2.established", "target_field": "ssl.established", "ignore_missing": true } },
{ "rename": { "field": "message2.cert_chain_fuids", "target_field": "ssl.certificate.chain_fuids", "ignore_missing": true } }, { "rename": { "if": "ctx.message2?.cert_chain_fps != null", "field": "message2.cert_chain_fps", "target_field": "tls.server.hash.sha256", "ignore_missing": true } },
{ "rename": { "field": "message2?.cert_chain_fuids", "target_field": "ssl.certificate.chain_fuids", "ignore_missing": true } },
{ "rename": { "if": "ctx.message2?.client_cert_chain_fps != null", "field": "message2.client_cert_chain_fps", "target_field": "tls.client.hash.sha256", "ignore_failure": true, "ignore_missing": true } },
{ "rename": { "field": "message2.client_cert_chain_fuids", "target_field": "ssl.client.certificate.chain_fuids", "ignore_missing": true } }, { "rename": { "field": "message2.client_cert_chain_fuids", "target_field": "ssl.client.certificate.chain_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.subject", "target_field": "ssl.certificate.subject", "ignore_missing": true } }, { "rename": { "field": "message2.subject", "target_field": "ssl.certificate.subject", "ignore_missing": true } },
{ "rename": { "field": "message2.issuer", "target_field": "ssl.certificate.issuer", "ignore_missing": true } }, { "rename": { "field": "message2.issuer", "target_field": "ssl.certificate.issuer", "ignore_missing": true } },
@@ -21,6 +23,18 @@
{ "rename": { "field": "message2.validation_status","target_field": "ssl.validation_status", "ignore_missing": true } }, { "rename": { "field": "message2.validation_status","target_field": "ssl.validation_status", "ignore_missing": true } },
{ "rename": { "field": "message2.ja3", "target_field": "hash.ja3", "ignore_missing": true } }, { "rename": { "field": "message2.ja3", "target_field": "hash.ja3", "ignore_missing": true } },
{ "rename": { "field": "message2.ja3s", "target_field": "hash.ja3s", "ignore_missing": true } }, { "rename": { "field": "message2.ja3s", "target_field": "hash.ja3s", "ignore_missing": true } },
{ "foreach":
{
"if": "ctx?.tls?.client?.hash?.sha256 !=null",
"field": "tls.client.hash.sha256",
"processor": {
"append": {
"field": "hash.sha256",
"value": "{{_ingest._value}}"
}
}
}
},
{ "pipeline": { "name": "zeek.common_ssl" } } { "pipeline": { "name": "zeek.common_ssl" } }
] ]
} }