CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-09 10:42:54 +01:00
Code Issues Packages Projects Releases Wiki Activity

Make Zeek and Suricata great again

Browse Source
This commit is contained in:
Wes Lambert
2021-05-06 14:06:17 +00:00
parent ee92ba20b0
commit 728d1f7540
2 changed files with 134 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
salt/filebeat/modules/suricata.yml Normal file
View File

@@ -0,0 +1,12 @@
# Module: suricata
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-suricata.html
- module: suricata
# All logs
eve:
enabled: true
var.paths: ["/nsm/suricata/eve*.json"]
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

122
salt/filebeat/modules/zeek.yml Normal file
View File

@@ -0,0 +1,122 @@
# Module: zeek
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zeek.html
- module: zeek
capture_loss:
enabled: false
var.paths: ["/nsm/zeek/logs/current/capture_loss.log"]
connection:
enabled: true
var.paths: ["/nsm/zeek/logs/current/conn.log"]
dce_rpc:
enabled: true
var.paths: ["/nsm/zeek/logs/current/dce_rpc.log"]
dhcp:
enabled: true
var.paths: ["/nsm/zeek/logs/current/dhcp.log"]
dnp3:
enabled: true
var.paths: ["/nsm/zeek/logs/current/dnp3.log"]
dns:
enabled: true
var.paths: ["/nsm/zeek/logs/current/dns.log"]
dpd:
enabled: true
var.paths: ["/nsm/zeek/logs/current/dpd.log"]
files:
enabled: true
var.paths: ["/nsm/zeek/logs/current/files.log"]
ftp:
enabled: true
var.paths: ["/nsm/zeek/logs/current/ftp.log"]
http:
enabled: true
var.paths: ["/nsm/zeek/logs/current/http.log"]
intel:
enabled: true
var.paths: ["/nsm/zeek/logs/current/intel.log"]
irc:
enabled: true
var.paths: ["/nsm/zeek/logs/current/irc.log"]
kerberos:
enabled: true
var.paths: ["/nsm/zeek/logs/current/kerberos.log"]
modbus:
enabled: true
var.paths: ["/nsm/zeek/logs/current/modbus.log"]
mysql:
enabled: true
var.paths: ["/nsm/zeek/logs/current/mysql.log"]
notice:
enabled: true
var.paths: ["/nsm/zeek/logs/current/notice.log"]
ntlm:
enabled: true
var.paths: ["/nsm/zeek/logs/current/ntlm.log"]
ocsp:
enabled: true
var.paths: ["/nsm/zeek/logs/current/oscp.log"]
pe:
enabled: true
var.paths: ["/nsm/zeek/logs/current/pe.log"]
radius:
enabled: true
var.paths: ["/nsm/zeek/logs/current/radius.log"]
rdp:
enabled: true
var.paths: ["/nsm/zeek/logs/current/rdp.log"]
rfb:
enabled: true
var.paths: ["/nsm/zeek/logs/current/rfb.log"]
signature:
enabled: true
var.paths: ["/nsm/zeek/logs/current/signature.log"]
sip:
enabled: true
var.paths: ["/nsm/zeek/logs/current/sip.log"]
smb_cmd:
enabled: true
var.paths: ["/nsm/zeek/logs/current/smb_cmd.log"]
smb_files:
enabled: true
var.paths: ["/nsm/zeek/logs/current/smb_files.log"]
smb_mapping:
enabled: true
var.paths: ["/nsm/zeek/logs/current/smb_mapping.log"]
smtp:
enabled: true
var.paths: ["/nsm/zeek/logs/current/smtp.log"]
snmp:
enabled: true
var.paths: ["/nsm/zeek/logs/current/snmp.log"]
socks:
enabled: true
var.paths: ["/nsm/zeek/logs/current/socks.log"]
ssh:
enabled: true
var.paths: ["/nsm/zeek/logs/current/ssh.log"]
ssl:
enabled: true
var.paths: ["/nsm/zeek/logs/current/ssl.log"]
stats:
enabled: false
var.paths: ["/nsm/zeek/logs/current/stats.log"]
syslog:
enabled: false
var.paths: ["/nsm/zeek/logs/current/syslog.log"]
traceroute:
enabled: false
var.paths: ["/nsm/zeek/logs/current/traceroute.log.log"]
tunnel:
enabled: true
var.paths: ["/nsm/zeek/logs/current/tunnel.log"]
weird:
enabled: true
var.paths: ["/nsm/zeek/logs/current/weird.log"]
x509:
enabled: true
var.paths: ["/nsm/zeek/logs/current/x509.log"]
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths: