mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-24 01:43:11 +01:00
Merge pull request #9304 from Security-Onion-Solutions/feature/ics_scada_additions
Port STUN, TDS, WireGuard, and ICS/SCADA Changes from 2.3 to 2.4
This commit is contained in:
weslambert
GitHub
@@ -1,14 +1,14 @@
|
||||
{
|
||||
"description" : "zeek.bacnet",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.bvlc_function", "target_field": "bacnet.bclv.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.pdu_type", "target_field": "bacnet.pdu.type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.invoke_id", "target_field": "bacnet.invoke.id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.result_code", "target_field": "bacnet.result.code", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "bacnet.is_orig", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.bvlc_function", "target_field": "bacnet.bclv.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.pdu_type", "target_field": "bacnet.pdu.type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.invoke_id", "target_field": "bacnet.invoke.id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.result_code", "target_field": "bacnet.result.code", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
|
||||
@@ -1,16 +1,15 @@
|
||||
{
|
||||
"description" : "zeek.bacnet_discovery",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.object_type", "target_field": "bacnet.object.type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.vendor", "target_field": "bacnet.vendor", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.range", "target_field": "bacnet.range", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.object_name", "target_field": "bacnet.object.name", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "bacnet.is_orig", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.object_type", "target_field": "bacnet.object.type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.vendor", "target_field": "bacnet.vendor", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.range", "target_field": "bacnet.range", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.object_name", "target_field": "bacnet.object.name", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
|
||||
@@ -1,16 +1,15 @@
|
||||
{
|
||||
"description" : "zeek.bacnet_property",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.object_type", "target_field": "bacnet.object.type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.property", "target_field": "bacnet.property", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.array_index", "target_field": "bacnet.array.index", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.value", "target_field": "bacnet.value", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "bacnet.is_orig", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.object_type", "target_field": "bacnet.object.type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.property", "target_field": "bacnet.property", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.array_index", "target_field": "bacnet.array.index", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.value", "target_field": "bacnet.value", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.bsap_ip_header",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.num_msg", "target_field": "bsap.number.messages", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.type_name", "target_field": "bsap.message.type", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.num_msg", "target_field": "bsap.number.messages", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.type_name", "target_field": "bsap.message.type", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,20 +1,20 @@
|
||||
{
|
||||
"description" : "zeek.bsap_ip_rdb",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.header_size", "target_field": "bsap.header.legnth", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.mes_seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.res_seq", "target_field": "bsap.response.sequence", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.data_len", "target_field": "bsap.data.lenght", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.sequence", "target_field": "bsap.function.sequence", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.app_func_code", "target_field": "bsap.application.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.node_status", "target_field": "bsap.node.status", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.func_code", "target_field": "bsap.application.sub.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.variable_count", "target_field": "bsap.variable.count", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.variables", "target_field": "bsap.vector.variables", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.variable_value", "target_field": "bsap.vector.variable.value", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.value", "target_field": "bacnet.value", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.header_size", "target_field": "bsap.header.length", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.mes_seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.res_seq", "target_field": "bsap.response.sequence", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.data_len", "target_field": "bsap.data.length", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.sequence", "target_field": "bsap.function.sequence", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.app_func_code", "target_field": "bsap.application.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.node_status", "target_field": "bsap.node.status", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.func_code", "target_field": "bsap.application.sub_function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.variable_count", "target_field": "bsap.variable.count", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.variables", "target_field": "bsap.vector.variables", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.variable_value", "target_field": "bsap.vector.variable.value", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.value", "target_field": "bsap.value", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
{
|
||||
"description" : "zeek.bsap_ip_unknown",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.data", "target_field": "bsap.ip.unknown.data", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.data", "target_field": "bsap.ip.unknown.data", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
|
||||
@@ -1,17 +1,17 @@
|
||||
{
|
||||
"description" : "zeek.bsap_serial_header",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.ser", "target_field": "bsap.message.serial.number", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.dadd", "target_field": "bsap.destination.address", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.sadd", "target_field": "bsap.source.address", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ctl", "target_field": "bsap.control.byte", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.sfun", "target_field": "bsap.source.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.nsb", "target_field": "bsap.node.status.byte", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.type_name", "target_field": "bsap.message.type", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.ser", "target_field": "bsap.message.serial_number", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.dadd", "target_field": "bsap.destination.address", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.sadd", "target_field": "bsap.source.address", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ctl", "target_field": "bsap.control.byte", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.sfun", "target_field": "bsap.source.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.nsb", "target_field": "bsap.node.status_byte", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.type_name", "target_field": "bsap.message.type", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
{
|
||||
"description" : "zeek.bsap_serial_rdb",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.func_code", "target_field": "bsap.rdb.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.variables", "target_field": "bsap.vector.variables", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.variable_value", "target_field": "bsap.vector.value", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.func_code", "target_field": "bsap.rdb.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.variables", "target_field": "bsap.vector.variables", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.variable_value", "target_field": "bsap.vector.value", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,13 +1,13 @@
|
||||
{
|
||||
"description" : "zeek.bsap_serial_rdb_ext",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.nsb", "target_field": "bsap.node.status.byte", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.extfun", "target_field": "bsap.extenstion.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.data", "target_field": "bsap.extenstion.function.data", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.seq", "target_field": "bsap.message_sequence", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.nsb", "target_field": "bsap.node_status_byte", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.extfun", "target_field": "bsap.extension.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.data", "target_field": "bsap.extension.function_data", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
{
|
||||
"description" : "zeek.bsap_serial_unknown",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.data", "target_field": "bsap.serial.unknown.data", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.data", "target_field": "bsap.serial.unknown.data", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
|
||||
@@ -1,19 +1,19 @@
|
||||
{
|
||||
"description" : "zeek.cip",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "cip.is.origin", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.cip_sequence_count", "target_field": "cip.sequence_count", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.direction", "target_field": "cip.direction", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.cip_service_code", "target_field": "cip.service_code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.cip_service", "target_field": "cip.service", "ignore_missing": true } },
|
||||
{ "convert": { "field": "cip.service", "type": "string", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.cip_status", "target_field": "cip.status_code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.class_id", "target_field": "cip.request.path.class.id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.class_name", "target_field": "cip.request.path.class.name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.instance_id", "target_field": "cip.request.path.instance.id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.attribute_id", "target_field": "cip.request.path.attribute.id", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "cip.is_orig", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.cip_sequence_count", "target_field": "cip.sequence_count", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.direction", "target_field": "cip.direction", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.cip_service_code", "target_field": "cip.service_code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.cip_service", "target_field": "cip.service", "ignore_missing": true } },
|
||||
{ "convert": { "field": "cip.service", "type": "string", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.cip_status", "target_field": "cip.status_code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.class_id", "target_field": "cip.request.path.class.id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.class_name", "target_field": "cip.request.path.class.name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.instance_id", "target_field": "cip.request.path.instance.id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.attribute_id", "target_field": "cip.request.path.attribute.id", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
|
||||
@@ -1,21 +1,21 @@
|
||||
{
|
||||
"description" : "zeek.cip_identity",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.encapsulation_version", "target_field": "cip.encapsulation.version", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.socket_address", "target_field": "cip.socket.address", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.socket_port", "target_field": "cip.socket.port", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.vendor_id", "target_field": "cip.vendor.id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.vendor_name", "target_field": "cip.vendor.name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.device_type_id", "target_field": "cip.device.type.id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.device_type_name", "target_field": "cip.device.type.name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.product_code", "target_field": "cip.device.product.code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.revision", "target_field": "cip.device.revision", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.device_status", "target_field": "cip.device.status", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.serial_number", "target_field": "cip.device.serial.number", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.product_name", "target_field": "cip.device.product.name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.device_state", "target_field": "cip.device.state", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.encapsulation_version", "target_field": "cip.encapsulation.version", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.socket_address", "target_field": "cip.socket.address", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.socket_port", "target_field": "cip.socket.port", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.vendor_id", "target_field": "cip.vendor.id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.vendor_name", "target_field": "cip.vendor.name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.device_type_id", "target_field": "cip.device.type.id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.device_type_name", "target_field": "cip.device.type.name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.product_code", "target_field": "cip.device.product.code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.revision", "target_field": "cip.device.revision", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.device_status", "target_field": "cip.device.status", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.serial_number", "target_field": "cip.device.serial_number", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.product_name", "target_field": "cip.device.product.name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.device_state", "target_field": "cip.device.state", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,13 +1,13 @@
|
||||
{
|
||||
"description" : "zeek.cip_io",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "cip.is.origin", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.connection_id", "target_field": "cip.connection.id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.sequence_number", "target_field": "cip.sequence.count", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.data_length", "target_field": "cip.data.length", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.io_data", "target_field": "cip.io.data", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "cip.is_orig", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.connection_id", "target_field": "cip.connection.id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.sequence_number", "target_field": "cip.sequence_number", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.data_length", "target_field": "cip.data.length", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.io_data", "target_field": "cip.io.data", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -23,19 +23,19 @@
|
||||
{ "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.sensorname", "target_field": "observer.name", "ignore_missing": true } },
|
||||
{ "script": { "lang": "painless", "source": "ctx.network.bytes = (ctx.client.bytes + ctx.server.bytes)", "ignore_failure": true } },
|
||||
{ "set": { "if": "ctx.connection.state == 'S0'", "field": "connection.state_description", "value": "Connection attempt seen, no reply" } },
|
||||
{ "set": { "if": "ctx.connection.state == 'S1'", "field": "connection.state_description", "value": "Connection established, not terminated" } },
|
||||
{ "set": { "if": "ctx.connection.state == 'S2'", "field": "connection.state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } },
|
||||
{ "set": { "if": "ctx.connection.state == 'S3'", "field": "connection.state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } },
|
||||
{ "set": { "if": "ctx.connection.state == 'SF'", "field": "connection.state_description", "value": "Normal SYN/FIN completion" } },
|
||||
{ "set": { "if": "ctx.connection.state == 'REJ'", "field": "connection.state_description", "value": "Connection attempt rejected" } },
|
||||
{ "set": { "if": "ctx.connection.state == 'RSTO'", "field": "connection.state_description", "value": "Connection established, originator aborted (sent a RST)" } },
|
||||
{ "set": { "if": "ctx.connection.state == 'RSTR'", "field": "connection.state_description", "value": "Established, responder aborted" } },
|
||||
{ "set": { "if": "ctx.connection.state == 'RSTOS0'","field": "connection.state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } },
|
||||
{ "set": { "if": "ctx.connection.state == 'RSTRH'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } },
|
||||
{ "set": { "if": "ctx.connection.state == 'SH'", "field": "connection.state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
|
||||
{ "set": { "if": "ctx.connection.state == 'SHR'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
|
||||
{ "set": { "if": "ctx.connection.state == 'OTH'", "field": "connection.state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
|
||||
{ "set": { "if": "ctx.connection?.state == 'S0'", "field": "connection.state_description", "value": "Connection attempt seen, no reply" } },
|
||||
{ "set": { "if": "ctx.connection?.state == 'S1'", "field": "connection.state_description", "value": "Connection established, not terminated" } },
|
||||
{ "set": { "if": "ctx.connection?.state == 'S2'", "field": "connection.state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } },
|
||||
{ "set": { "if": "ctx.connection?.state == 'S3'", "field": "connection.state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } },
|
||||
{ "set": { "if": "ctx.connection?.state == 'SF'", "field": "connection.state_description", "value": "Normal SYN/FIN completion" } },
|
||||
{ "set": { "if": "ctx.connection?.state == 'REJ'", "field": "connection.state_description", "value": "Connection attempt rejected" } },
|
||||
{ "set": { "if": "ctx.connection?.state == 'RSTO'", "field": "connection.state_description", "value": "Connection established, originator aborted (sent a RST)" } },
|
||||
{ "set": { "if": "ctx.connection?.state == 'RSTR'", "field": "connection.state_description", "value": "Established, responder aborted" } },
|
||||
{ "set": { "if": "ctx.connection?.state == 'RSTOS0'","field": "connection.state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } },
|
||||
{ "set": { "if": "ctx.connection?.state == 'RSTRH'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } },
|
||||
{ "set": { "if": "ctx.connection?.state == 'SH'", "field": "connection.state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
|
||||
{ "set": { "if": "ctx.connection?.state == 'SHR'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
|
||||
{ "set": { "if": "ctx.connection?.state == 'OTH'", "field": "connection.state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
|
||||
16
salt/elasticsearch/files/ingest/zeek.dnp3_control
Normal file
16
salt/elasticsearch/files/ingest/zeek.dnp3_control
Normal file
@@ -0,0 +1,16 @@
|
||||
{
|
||||
"description" : "zeek.dnp3_control",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.block_type", "target_field": "dnp3.block_type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.function_code", "target_field": "dnp3.function_code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.index_number", "target_field": "dnp3.index_number", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.trip_control_code","target_field": "dnp3.trip_control_code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.operation_type", "target_field": "dnp3.operation_type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.execute_count", "target_field": "dnp3.execute_count", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.on_time", "target_field": "dnp3.on_time", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.off_time", "target_field": "dnp3.off_time", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -5,7 +5,7 @@
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.number", "target_field": "ecat.message.number", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.Type", "target_field": "ecat.message.type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.req_resp", "target_field": "ecat.request.response.type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.req_resp", "target_field": "ecat.request.response_type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.index", "target_field": "ecat.index", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.subindex", "target_field": "ecat.sub.index", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.dataoffset", "target_field": "ecat.data_offset", "ignore_missing": true } },
|
||||
|
||||
@@ -2,17 +2,17 @@
|
||||
"description" : "zeek.ecat_dev_info",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.slave_id", "target_field": "ecat.slave.address", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.revision", "target_field": "ecat.revision", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.dev_type", "target_field": "ecat.device.type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.build", "target_field": "ecat.build.version", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.fmmucnt", "target_field": "ecat.fieldbus.mem.mgmt.unit", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.smcount", "target_field": "ecat.sync.manager.count", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ports", "target_field": "ecat.port", "ignore_missing": true } },
|
||||
{ "convert": { "field": "ecat.port", "type": "integer", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.dpram", "target_field": "ecat.ram.size", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.features", "target_field": "ecat.features", "ignore_missing": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.slave_id", "target_field": "ecat.slave.address", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.revision", "target_field": "ecat.revision", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.dev_type", "target_field": "ecat.device.type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.build", "target_field": "ecat.build.version", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.fmmucnt", "target_field": "ecat.fieldbus.memory_mgmt_unit", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.smcount", "target_field": "ecat.sync.manager_count", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ports", "target_field": "ecat.port", "ignore_missing": true } },
|
||||
{ "convert": { "field": "ecat.port", "type": "integer", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.dpram", "target_field": "ecat.ram.size", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.features", "target_field": "ecat.features", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
|
||||
@@ -5,10 +5,10 @@
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.reserved", "target_field": "ecat.reserved", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.packet_num", "target_field": "ecat.packet.number", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.error_code", "target_field": "ecat.error.code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.packet_num", "target_field": "ecat.packet_number", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.error_code", "target_field": "ecat.error_code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.filename", "target_field": "ecat.filename", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "enip.is.origin", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.is_orig", "target_field": "enip.is_orig", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.enip_command_code", "target_field": "enip.command_code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.enip_command", "target_field": "enip.command", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.length", "target_field": "enip.length", "ignore_missing": true } },
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.unit_id", "target_field": "modbus.unit_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.address", "target_field": "modbus.address", "ignore_missing": true } },
|
||||
|
||||
@@ -2,13 +2,13 @@
|
||||
"description" : "zeek.modbus_mask_write_register",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.address", "target_field": "modbus.address", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.and_mask", "target_field": "modbus.and.mask", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.or_mask", "target_field": "modbus.or.maks", "ignore_missing": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.unit_id", "target_field": "modbus.unit_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.address", "target_field": "modbus.address", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.and_mask", "target_field": "modbus.and_mask", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.or_mask", "target_field": "modbus.or_mask", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
|
||||
@@ -3,12 +3,12 @@
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.unit_id", "target_field": "modbus.unit_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.write_start_address", "target_field": "modbus.write.start.address", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.write_registers", "target_field": "modbus.write.registers", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.read_start_address", "target_field": "modbus.write.start.address", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.read_start_address", "target_field": "modbus.read.start.address", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.read.quality", "target_field": "modbus.read.quality", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.read_registers", "target_field": "modbus.read.registers", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
|
||||
32
salt/elasticsearch/files/ingest/zeek.opcua_binary
Normal file
32
salt/elasticsearch/files/ingest/zeek.opcua_binary
Normal file
@@ -0,0 +1,32 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.msg_type", "target_field": "opcua.message_type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.is_final", "target_field": "opcua.final", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.msg_size", "target_field": "opcua.message_size", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.snd_buf_size", "target_field": "opcua.sender.buffer_size", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.sec_channel_id", "target_field": "opcua.secure_channel_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.request_id", "target_field": "opcua.request_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
|
||||
{ "convert": { "field": "opcua.encoding_mask", "type": "string",
|
||||
"ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.identifier", "target_field": "opcua.identifier", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.identifier_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.req_hdr_node_id_type", "target_field": "opcua.request.header.node.id_type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.req_hdr_node_id_numeric", "target_field": "opcua.request.header.node.id_numeric", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.req_hdr_timestamp", "target_field": "opcua.request.header.timestamp", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.req_hdr_request_handle", "target_field": "opcua.request.handle", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.req_hdr_return_diag", "target_field": "opcua.request.header.return_diag", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.req_hdr_audit_entry_id", "target_field": "opcua.request.header.audit_entry_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.req_hdr_timeout_hint", "target_field": "opcua.request.header.timeout_hint", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.req_hdr_add_hdr_type_id", "target_field": "opcua.request.header.type_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.req_hdr_add_hdr_enc_mask", "target_field": "opcua.request.header.enc_mask", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,19 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_activate_session",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
|
||||
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ext_obj_type_id_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ext_obj_type_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
|
||||
{ "convert": { "field": "opcua.encoding_mask", "type": "string", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ext_obj_type_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ext_obj_type_id_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ext_obj_encoding", "target_field": "opcua.encoding", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ext_obj_policy_id", "target_field": "opcua.policy_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ext_obj_user_name", "target_field": "opcua.user_name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ext_obj_password", "target_field": "opcua.password", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_activate_session_client_software_cert",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.client_software_cert_link_id", "target_field": "opcua.client_software_cert_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.cert_data", "target_field": "opcua.certificate.data", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.cert_signature", "target_field": "opcua.certificate.signature", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_activate_session_diagnostic_info",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.activate_session_diag_info_link_id", "target_field": "opcua.activate_session_diag_info_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info_link_id", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_activate_session_locale_id",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.local_id", "target_field": "opcua.local_id", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
18
salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
Normal file
18
salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
Normal file
@@ -0,0 +1,18 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_browse",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
|
||||
{ "convert": { "field": "opcua.encoding_mask", "type": "string",
|
||||
"ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view_description_timestamp", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description_view_version", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.description_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,17 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_browse_description",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.browse_description_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_description_encoding_mask", "target_field": "opcua.browse_description_encoding_mask", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_description_numeric", "target_field": "opcua.browse_description_numeric", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_direction", "target_field": "opcua.browse_direction", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_description_ref_encoding_mask", "target_field": "opcua.browse_description_ref_encoding_mask", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_description_ref_numeric", "target_field": "opcua.browse_description_ref_numeric", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_description_include_subtypes", "target_field": "opcua.browse_description_include_subtypes", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_node_class_mask", "target_field": "opcua.browse_node_class_mask", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_result_mask", "target_field": "opcua.browse_result_mask", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_browse_diagnostic_info",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.browse_diag_info_link_id", "target_field": "opcua.browse_session_diag_info_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info_link_id", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_browse_request_continuation_point",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.browse_next_link_id", "target_field": "opcua.browse_next_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.continuation_point", "target_field": "opcua.continuation_point", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,22 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_browse_response_references",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.browse_reference_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_response_ref_encoding_mask", "target_field": "opcua.reference_encoding_mask", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_response_ref_numeric", "target_field": "opcua.reference_numeric", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_response_is_forward", "target_field": "opcua.is_forward", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.response_ref_type_encoding_mask", "target_field": "opcua.reference_type_encoding_mask", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_response_ref_type_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_response_ref_type_numeric", "target_field": "opcua.reference_type_numeric", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_response_ref_name", "target_field": "opcua.reference_name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_response_display_name_mask", "target_field": "opcua.display_name_mask", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_response_display_name_locale", "target_field": "opcua.display_name_local", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_response_display_name_text", "target_field": "opcua.display_name_text", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_response_node_class", "target_field": "opcua.node_class", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_response_type_def_encoding_mask", "target_field": "opcua.type_def_encoding_mask", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_response_type_def_numeric", "target_field": "opcua.type_def_numeric", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_browse_result",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.browse_response_link_id", "target_field": "opcua.response_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.browse_reference_link_id", "target_field": "opcua.reference_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code_link_id", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,19 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_create_session",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
|
||||
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.session_id_encoding_mask", "target_field": "opcua.session_id_encoding_mask", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.session_id_namespace_idx", "target_field": "opcua.session_id_namespace_index", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.session_id_guid", "target_field": "opcua.session_id_guid", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.auth_token_encoding_mask", "target_field": "opcua.auth_token_encoding_mask", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.auth_token_namespace_idx", "target_field": "opcua.auth_token_namespace_index", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.auth_token_guid", "target_field": "opcua.auth_token_guid", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.revised_session_timeout", "target_field": "opcua.revised_session_timeout", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.max_req_msg_size", "target_field": "opcua.request.max_message_size", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_create_session_discovery",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.discovery_profile_link_id", "target_field": "opcua.discovery_profile_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.discovery_profile_uri", "target_field": "opcua.discovery_profile_uri", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.discovery_profile_url", "target_field": "opcua.discovery_profile_url", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,22 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_create_session_endpoints",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
|
||||
{ "convert": { "field": "opcua.encoding_mask", "type": "string", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_create_session_user_token",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_policy_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_type", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_create_subscription",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.requested_publishing_interval", "target_field": "opcua.publish_interval", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.requested_lifetime_count", "target_field": "opcua.lifetime_count", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.requested_max_keep_alive_count", "target_field": "opcua.max_keepalive", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.max_notifications_per_publish", "target_field": "opcua.max_notifications", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.publishing_enabled", "target_field": "opcua.publish_enabled", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.priority", "target_field": "opcua.priority", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,21 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_diag_info_detail",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.source", "target_field": "opcua.source", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.source_str", "target_field": "opcua.source_string", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.inner_diag_level", "target_field": "opcua.inner_diag_level", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.has_symbolic_id", "target_field": "opcua.has_symbolic_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.has_namespace_uri", "target_field": "opcua.has_namespace_uri", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.has_locale", "target_field": "opcua.has_locale", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.has_locale_txt", "target_field": "opcua.has_locale_txt", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.has_addl_info", "target_field": "opcua.has_addl_info", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.addl_info", "target_field": "opcua.addl_info", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.has_inner_stat_code", "target_field": "opcua.has_inner_stat_code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.inner_stat_code", "target_field": "opcua.inner_stat_code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.has_inner_diag_info", "target_field": "opcua.has_inner_diag_info", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_get_endpoints",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,23 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_get_endpoints_description",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_uri", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
|
||||
{ "convert": { "field": "opcua.encoding_mask", "type": "string",
|
||||
"ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_get_endpoints_discovery",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.discovery_profile_link_id", "target_field": "opcua.discovery_profile_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.discovery_profile_url", "target_field": "opcua.discovery_profile_url", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_get_endpoints_locale_id",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.local_id", "target_field": "opcua.local_id", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_get_endpoints_profile_uri",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.profile_uri_link_id", "target_field": "opcua.profile_uri_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.profile_uri", "target_field": "opcua.profile_uri", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_get_endpoints_user_token",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.user_token_type", "target_field": "opcua.user_token_type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.user_token_sec_policy_uri", "target_field": "opcua.user_token_security_policy_uri", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_opensecure_channel",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server_proto_ver", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.sec_token_sec_channel_id", "target_field": "opcua.sec_token_sec_channel_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.sec_token_id", "target_field": "opcua.sec_token_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.sec_token_created_at", "target_field": "opcua.sec_token_created_at", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.sec_token_revised_time", "target_field": "opcua.sec_token_revised_time", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
10
salt/elasticsearch/files/ingest/zeek.opcua_binary_read
Normal file
10
salt/elasticsearch/files/ingest/zeek.opcua_binary_read
Normal file
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_read",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results_link_id", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_read_array_dims",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.array_dim_link_id", "target_field": "opcua.array_dim_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.dimension", "target_field": "opcua.dimension", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_read_array_dims_link",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.variant_data_array_dim_link_id", "target_field": "opcua.variant_data_array_dim_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.array_dim_link_id", "target_field": "opcua.array_dim_link_id", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_read_diagnostic_info",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.read_diag_info_link_id", "target_field": "opcua.read_diag_info_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info_link_id", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_read_extension_object",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.ext_obj_link_id", "target_field": "opcua.ext_obj_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ext_obj_node_id_encoding_mask", "target_field": "opcua.ext_obj_node_id_encoding_mask", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ext_obj_node_id_namespace_idx", "target_field": "opcua.ext_obj_node_id_namespace_index", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ext_obj_node_id_numeric", "target_field": "opcua.ext_obj_node_id_numeric", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ext_obj_type_id_str", "target_field": "opcua.ext_obj_type_id_string", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ext_obj_encoding", "target_field": "opcua.ext_obj_encoding", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_read_extension_object_link",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.variant_data_ext_obj_link_id", "target_field": "opcua.variant_data_ext_obj_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.ext_obj_link_id", "target_field": "opcua.ext_obj_link_id", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_read_nodes_to_read",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.nodes_to_read_link_id", "target_field": "opcua.nodes_to_read_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.node_id_encoding_mask", "target_field": "opcua.node_id_encoding_mask", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.node_id_numeric", "target_field": "opcua.node_id_numeric", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.attribute_id", "target_field": "opcua.attribute_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.attribute_id_str", "target_field": "opcua.attribute_id_string", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.data_encoding_name_idx", "target_field": "opcua.data_encoding_name_index", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.data_encoding_name", "target_field": "opcua.data_encoding_name", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,17 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_read_results",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.results_link_id", "target_field": "opcua.results_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.level", "target_field": "opcua.level", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.data_value_encoding_mask", "target_field": "opcua.data_value_encoding_mask", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.data_variant_encoding_mask", "target_field": "opcua.data_variant_encoding_mask", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.data_variant_data_type", "target_field": "opcua.data_variant_data_type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.data_variant_data_type_str", "target_field": "opcua.data_variant_data_type_string", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.built_in_data_type", "target_field": "opcua.built_in_data_type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.built_in_data_type_str", "target_field": "opcua.built_in_data_type_string", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.read_results_variant_data_link_id", "target_field": "opcua.read_results_variant_data_link_id", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_read_results_link",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.results_link_id", "target_field": "opcua.results_link_id", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_read_status_code",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.read_status_code_link_id", "target_field": "opcua.read_status_code_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code_link_id", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_read_variant_data",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.read_variant_data_link_id", "target_field": "opcua.read_variant_data_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.variant_data_value_signed_numeric", "target_field": "opcua.variant_data_value_signed_numeric", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_read_variant_data_link",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.read_results_variant_data_link_id", "target_field": "opcua.read_results_variant_data_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.read_variant_data_link_id", "target_field": "opcua.read_variant_data_link_id", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,21 @@
|
||||
{
|
||||
"description" : "zeek.opcua_binary_status_code_detail",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.status_code", "target_field": "opcua.status_code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code_link_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.source", "target_field": "opcua.source", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.source_str", "target_field": "opcua.source_string", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.source_level", "target_field": "opcua.source_level", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.severity", "target_field": "opcua.severity", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.severity_str", "target_field": "opcua.severity_string", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.sub_code", "target_field": "opcua.sub_code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.sub_code_str", "target_field": "opcua.sub_code_string", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.structure_changed", "target_field": "opcua.structure_changed", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.semantics_changed", "target_field": "opcua.semantics_changed", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.info_type", "target_field": "opcua.info_type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.info_type_str", "target_field": "opcua.info_type_string", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -1,15 +1,15 @@
|
||||
{
|
||||
"description" : "zeek.s7comm",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
|
||||
{ "rename": { "field": "message2.rosctr_code", "target_field": "s7.ros.control.code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.rosctr_name", "target_field": "s7.ros.control.name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.pdu_reference", "target_field": "s7.pdu_reference", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.function_code", "target_field": "s7.function.code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.function_name", "target_field": "s7.function.name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.error_class", "target_field": "s7.error.class", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.error_code", "target_field": "s7.error.code", "ignore_missing": true } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.rosctr_code", "target_field": "s7.ros.control.code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.rosctr_name", "target_field": "s7.ros.control.name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.pdu_reference", "target_field": "s7.pdu_reference", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.function_code", "target_field": "s7.function.code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.function_name", "target_field": "s7.function.name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.error_class", "target_field": "s7.error.class", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.error_code", "target_field": "s7.error.code", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
{
|
||||
"description" : "zeek.s7comm_plus",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
|
||||
{ "rename": { "field": "message2.version", "target_field": "s7.version", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.opcode", "target_field": "s7.opcode.value", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.opcode_name", "target_field": "s7.opcode.name", "ignore_missing": true } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.version", "target_field": "s7.version", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.opcode", "target_field": "s7.opcode.value", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.opcode_name", "target_field": "s7.opcode.name", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
|
||||
15
salt/elasticsearch/files/ingest/zeek.s7comm_read_szl
Normal file
15
salt/elasticsearch/files/ingest/zeek.s7comm_read_szl
Normal file
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"description" : "zeek.s7comm_read_szl",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.pdu_reference", "target_field": "s7.pdu_reference", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.method", "target_field": "s7.method", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.szl_id", "target_field": "s7.szl_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.szl_id_name", "target_field": "s7.szl_id_name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.szl_index", "target_field": "s7.szl_index", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.return_code", "target_field": "s7.return_code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.return_code_name", "target_field": "s7.return_code_name", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
18
salt/elasticsearch/files/ingest/zeek.s7comm_upload_download
Normal file
18
salt/elasticsearch/files/ingest/zeek.s7comm_upload_download
Normal file
@@ -0,0 +1,18 @@
|
||||
{
|
||||
"description" : "zeek.s7comm_upload_download",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.rosctr", "target_field": "s7.ros.control.name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.pdu_reference", "target_field": "s7.pdu_reference", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.function_code", "target_field": "s7.function_code", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.function_status", "target_field": "s7.function_status", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.session_id", "target_field": "s7.session_id", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.blocklength", "target_field": "s7.block.length", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.filename", "target_field": "s7.file.name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.block_type", "target_field": "s7.block.type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.block_number", "target_field": "s7.block.number", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.destination_filesystem", "target_field": "s7.destination.filesystem", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
@@ -1,9 +1,9 @@
|
||||
{
|
||||
"description" : "zeek.tds",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.command", "target_field": "tds.command", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.command", "target_field": "tds.command", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.tds_rpc",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.procedure_name", "target_field": "tds.procedure_name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.parameters", "target_field": "tds.parameters", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
{ "rename": { "field": "message2.procedure_name", "target_field": "tds.procedure_name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.parameters", "target_field": "tds.parameters", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
{
|
||||
"description" : "zeek.tds_sql_batch",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.header_type", "target_field": "tds.header_type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.query", "target_field": "tds.query", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
{ "rename": { "field": "message2.header_type", "target_field": "tds.header_type", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.query", "target_field": "tds.query", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
{
|
||||
"description" : "zeek.wireguard",
|
||||
"processors" : [
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
|
||||
{ "rename": { "field": "message2.established", "target_field": "wireguard.established", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.initiations", "target_field": "wireguard.initiations", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.responses", "target_field": "wireguard.responses", "ignore_missing": true } },
|
||||
{ "remove": { "field": ["host"], "ignore_failure": true } },
|
||||
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
|
||||
{ "rename": { "field": "message2.established", "target_field": "wireguard.established", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.initiations", "target_field": "wireguard.initiations", "ignore_missing": true } },
|
||||
{ "rename": { "field": "message2.responses", "target_field": "wireguard.responses", "ignore_missing": true } },
|
||||
{ "pipeline": { "name": "zeek.common" } }
|
||||
]
|
||||
}
|
||||
|
||||
@@ -14,6 +14,7 @@ filebeat:
|
||||
- irc
|
||||
- kerberos
|
||||
- modbus
|
||||
- mysql
|
||||
- notice
|
||||
- ntlm
|
||||
- pe
|
||||
@@ -25,20 +26,20 @@ filebeat:
|
||||
- smb_mapping
|
||||
- smtp
|
||||
- snmp
|
||||
- socks
|
||||
- ssh
|
||||
- ssl
|
||||
- tunnel
|
||||
- weird
|
||||
- mysql
|
||||
- socks
|
||||
- x509
|
||||
- dnp3_objects
|
||||
- modbus_detailed
|
||||
- modbus_mask_write_single_register
|
||||
- modbus_read_write_multiple_registers
|
||||
- bacnet
|
||||
- bacnet_discovery
|
||||
- bacnet_property
|
||||
- cip
|
||||
- cip_io
|
||||
- cip_identity
|
||||
- cotp
|
||||
- dnp3_objects
|
||||
- ecat_registers
|
||||
- ecat_log_address
|
||||
- ecat_dev_info
|
||||
@@ -48,45 +49,78 @@ filebeat:
|
||||
- ecat_soe_info
|
||||
- ecat_arp_info
|
||||
- enip
|
||||
- cip
|
||||
- cip_io
|
||||
- cip_identity
|
||||
- modbus_detailed
|
||||
- modbus_mask_write_single_register
|
||||
- modbus_read_write_multiple_registers
|
||||
- opcua
|
||||
- opcua_activate_session
|
||||
- opcua_activate_session_client_software_cert
|
||||
- opcua_activate_session_diagnostic_info
|
||||
- opcua_activate_session_locale_id
|
||||
- opcua_binary
|
||||
- opcua_binary_status_code_detail
|
||||
- opcua_binary_diag_info_detail
|
||||
- opcua_binary_get_endpoints
|
||||
- opcua_binary_get_endpoints_discovery
|
||||
- opcua_binary_get_endpoints_user_token
|
||||
- opcua_binary_get_endpoints_description
|
||||
- opcua_binary_get_endpoints_locale_id
|
||||
- opcua_binary_get_endpoints_profile_uri
|
||||
- opcua_binary_create_session
|
||||
- opcua_binary_create_session_user_token
|
||||
- opcua_binary_create_session_endpoints
|
||||
- opcua_binary_create_session_discovery
|
||||
- opcua_binary_activate_session
|
||||
- opcua_binary_activate_session_client_software_cert
|
||||
- opcua_binary_activate_session_locale_id
|
||||
- opcua_binary_activate_session_diagnostic_info
|
||||
- opcua_binary_activate_session_locale_id
|
||||
- opcua_binary_browse
|
||||
- opcua_binary_browse_description
|
||||
- opcua_binary_browse_request_continuation_point
|
||||
- opcua_binary_browse_result
|
||||
- opcua_binary_browse_response_references
|
||||
- opcua_binary_browse_diagnostic_info
|
||||
- opcua_binary_browse_request_continuation_point
|
||||
- opcua_binary_browse_response_references
|
||||
- opcua_binary_browse_result
|
||||
- opcua_binary_create_session
|
||||
- opcua_binary_create_session_discovery
|
||||
- opcua_binary_create_session_endpoints
|
||||
- opcua_binary_create_session_user_token
|
||||
- opcua_binary_create_subscription
|
||||
- opcua_binary_diag_info_detail
|
||||
- opcua_binary_get_endpoints
|
||||
- opcua_binary_get_endpoints_description
|
||||
- opcua_binary_get_endpoints_discovery
|
||||
- opcua_binary_get_endpoints_locale_id
|
||||
- opcua_binary_get_endpoints_profile_uri
|
||||
- opcua_binary_get_endpoints_user_token
|
||||
- opcua_binary_opensecure_channel
|
||||
- opcua_binary_read
|
||||
- cotp
|
||||
- opcua_binary_read_array_dims
|
||||
- opcua_binary_read_array_dims_link
|
||||
- opcua_binary_read_diagnostic_info
|
||||
- opcua_binary_read_extension_object
|
||||
- opcua_binary_read_extension_object_link
|
||||
- opcua_binary_read_nodes_to_read
|
||||
- opcua_binary_read_results
|
||||
- opcua_binary_read_results_link
|
||||
- opcua_binary_read_status_code
|
||||
- opcua_binary_read_variant_data
|
||||
- opcua_binary_read_variant_data_link
|
||||
- opcua_binary_status_code_detail
|
||||
- opcua_browse
|
||||
- opcua_browse_description
|
||||
- opcua_browse_response_references
|
||||
- opcua_browse_result
|
||||
- opcua_create_session
|
||||
- opcua_create_session_endpoints
|
||||
- opcua_create_session_user_token
|
||||
- opcua_create_subscription
|
||||
- opcua_get_endpoints
|
||||
- opcua_get_endpoints_description
|
||||
- opcua_get_endpoints_user_token
|
||||
- opcua_opensecure_channel
|
||||
- opcua_read
|
||||
- opcua_read_nodes_to_read
|
||||
- opcua_read_results
|
||||
- opcua_read_results_link
|
||||
- opcua_status_code_detail
|
||||
- profinet_dce_rpc
|
||||
- profinet
|
||||
- profinet_debug
|
||||
- s7comm
|
||||
- s7comm_read_szl
|
||||
- s7comm_upload_download
|
||||
- s7comm_plus
|
||||
- stun
|
||||
- stun_nat
|
||||
- tds
|
||||
- tds_rpc
|
||||
- tds_sql_batch
|
||||
- profinet_dce_rpc
|
||||
- profinet
|
||||
- profinet_debug
|
||||
- stun
|
||||
- stun_nat
|
||||
- wireguard
|
||||
|
||||
@@ -145,7 +145,7 @@ filebeat.inputs:
|
||||
dataset: {{ LOGNAME }}
|
||||
category: network
|
||||
processors:
|
||||
{%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
|
||||
{%- if LOGNAME is match('^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
|
||||
- add_tags:
|
||||
tags: ["ics"]
|
||||
{%- endif %}
|
||||
@@ -166,7 +166,7 @@ filebeat.inputs:
|
||||
category: network
|
||||
imported: true
|
||||
processors:
|
||||
{%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
|
||||
{%- if LOGNAME is match('^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
|
||||
- add_tags:
|
||||
tags: ["ics"]
|
||||
{%- endif %}
|
||||
|
||||
@@ -707,6 +707,384 @@ soc:
|
||||
- process.executable
|
||||
- process.pid
|
||||
- winlog.computer_name
|
||||
'::bacnet':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- bacnet.bclv.function
|
||||
- bacnet.result.code
|
||||
- log.id.uid
|
||||
'::bacnet_discovery':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- bacnet.vendor
|
||||
- bacnet.pdu.service
|
||||
- log.id.uid
|
||||
'::bacnet_property':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- bacnet.property
|
||||
- bacnet.pdu.service
|
||||
- log.id.uid
|
||||
'::bsap_ip_header':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- bsap.message.type
|
||||
- bsap.number.messages
|
||||
- log.id.uid
|
||||
'::bsap_ip_rdb':
|
||||
- soc_timestamp
|
||||
- bsap.application.function
|
||||
- bsap.application.sub.function
|
||||
- bsap.vector.variables
|
||||
- log.id.uid
|
||||
'::bsap_serial_header':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- bsap.source.function
|
||||
- bsap.destination.function
|
||||
- bsap.message.type
|
||||
- log.id.uid
|
||||
'::bsap_serial_rdb':
|
||||
- soc_timestamp
|
||||
- bsap.rdb.function
|
||||
- bsap.vector.variables
|
||||
- log.id.uid
|
||||
'::cip':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- cip.service
|
||||
- cip.status_code
|
||||
- log.id.uid
|
||||
- event.dataset
|
||||
'::cip_identity':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- cip.device.type.name
|
||||
- cip.vendor.name
|
||||
- log.id.uid
|
||||
'::cip_io':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- cip.connection.id
|
||||
- cip.io.data
|
||||
- log.id.uid
|
||||
'::cotp':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- cotp.pdu.name
|
||||
- log.id.uid
|
||||
'::ecat_arp_info':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- destination.ip
|
||||
- source.mac
|
||||
- destination.mac
|
||||
- ecat.arp.type
|
||||
'::ecat_aoe_info':
|
||||
- soc_timestamp
|
||||
- source.mac
|
||||
- source.port
|
||||
- destination.mac
|
||||
- destination.port
|
||||
- ecat.command
|
||||
'::ecat_coe_info':
|
||||
- soc_timestamp
|
||||
- ecat.message.number
|
||||
- ecat.message.type
|
||||
- ecat.request.response.type
|
||||
- ecat.index
|
||||
- ecat.sub.index
|
||||
'::ecat_dev_info':
|
||||
- soc_timestamp
|
||||
- ecat.device.type
|
||||
- ecat.features
|
||||
- ecat.ram.size
|
||||
- ecat.revision
|
||||
- ecat.slave.address
|
||||
'::ecat_log_address':
|
||||
- soc_timestamp
|
||||
- source.mac
|
||||
- destination.mac
|
||||
- ecat.command
|
||||
'::ecat_registers':
|
||||
- soc_timestamp
|
||||
- source.mac
|
||||
- destination.mac
|
||||
- ecat.command
|
||||
- ecat.register.type
|
||||
'::enip':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- enip.command
|
||||
- enip.status_code
|
||||
- log.id.uid
|
||||
- event.dataset
|
||||
'::modbus_detailed':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- modbus.function
|
||||
- log.id.uid
|
||||
'::opcua_binary':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.identifier_string
|
||||
- opcua.message_type
|
||||
- log.id.uid
|
||||
'::opcua_binary_activate_session':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.link_id
|
||||
- opcua.identifier_string
|
||||
- opcua.user_name
|
||||
- log.id.uid
|
||||
'::opcua_binary_activate_session_diagnostic_info':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.activate_session_diag_info_link_id
|
||||
- opcua.diag_info_link_id
|
||||
- log.id.uid
|
||||
'::opcua_binary_activate_session_locale_id':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.local_id
|
||||
- opcua.locale_link_id
|
||||
- log.id.uid
|
||||
'::opcua_binary_browse':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.link_id
|
||||
- opcua.service_type
|
||||
- log.id.uid
|
||||
'::opcua_binary_browse_description':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- log.id.uid
|
||||
'::opcua_binary_browse_response_references':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.node_class
|
||||
- opcua.display_name_text
|
||||
- log.id.uid
|
||||
'::opcua_binary_browse_result':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.response_link_id
|
||||
- log.id.uid
|
||||
'::opcua_binary_create_session':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.link_id
|
||||
- log.id.uid
|
||||
'::opcua_binary_create_session_endpoints':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.endpoint_link_id
|
||||
- opcua.endpoint_url
|
||||
- log.id.uid
|
||||
'::opcua_binary_create_session_user_token':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.user_token_link_id
|
||||
- log.id.uid
|
||||
'::opcua_binary_create_subscription':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.link_id
|
||||
- log.id.uid
|
||||
'::opcua_binary_get_endpoints':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.endpoint_url
|
||||
- opcua.link_id
|
||||
- log.id.uid
|
||||
'::opcua_binary_get_endpoints_description':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.endpoint_description_link_id
|
||||
- opcua.endpoint_uri
|
||||
- log.id.uid
|
||||
'::opcua_binary_get_endpoints_user_token':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.user_token_link_id
|
||||
- opcua.user_token_type
|
||||
- log.id.uid
|
||||
'::opcua_binary_read':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.link_id
|
||||
- opcua.read_results_link_id
|
||||
- log.id.uid
|
||||
'::opcua_binary_status_code_detail':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.info_type_string
|
||||
- opcua.source_string
|
||||
- log.id.uid
|
||||
'::profinet':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- profinet.index
|
||||
- profinet.operation_type
|
||||
- log.id.uid
|
||||
'::profinet_dce_rpc':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- profinet.operation
|
||||
- log.id.uid
|
||||
'::s7comm':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- s7.ros.control.name
|
||||
- s7.function.name
|
||||
- log.id.uid
|
||||
'::s7comm_plus':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- s7.opcode.name
|
||||
- s7.version
|
||||
- log.id.uid
|
||||
'::s7comm_read_szl':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- s7.szl_id_name
|
||||
- s7.return_code_name
|
||||
- log.id.uid
|
||||
'::s7comm_upload_download':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- s7.ros.control.name
|
||||
- s7.function_code
|
||||
- log.id.uid
|
||||
'::tds':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- tds.command
|
||||
- log.id.uid
|
||||
- event.dataset
|
||||
'::tds_rpc':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- tds.procedure_name
|
||||
- log.id.uid
|
||||
- event.dataset
|
||||
'::tds_sql_batch':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- tds.header_type
|
||||
- log.id.uid
|
||||
- event.dataset
|
||||
queryBaseFilter: ''
|
||||
queryToggleFilters:
|
||||
- name: caseExcludeToggle
|
||||
@@ -1532,6 +1910,384 @@ soc:
|
||||
- process.executable
|
||||
- process.pid
|
||||
- winlog.computer_name
|
||||
'::bacnet':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- bacnet.bclv.function
|
||||
- bacnet.result.code
|
||||
- log.id.uid
|
||||
'::bacnet_discovery':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- bacnet.vendor
|
||||
- bacnet.pdu.service
|
||||
- log.id.uid
|
||||
'::bacnet_property':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- bacnet.property
|
||||
- bacnet.pdu.service
|
||||
- log.id.uid
|
||||
'::bsap_ip_header':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- bsap.message.type
|
||||
- bsap.number.messages
|
||||
- log.id.uid
|
||||
'::bsap_ip_rdb':
|
||||
- soc_timestamp
|
||||
- bsap.application.function
|
||||
- bsap.application.sub.function
|
||||
- bsap.vector.variables
|
||||
- log.id.uid
|
||||
'::bsap_serial_header':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- bsap.source.function
|
||||
- bsap.destination.function
|
||||
- bsap.message.type
|
||||
- log.id.uid
|
||||
'::bsap_serial_rdb':
|
||||
- soc_timestamp
|
||||
- bsap.rdb.function
|
||||
- bsap.vector.variables
|
||||
- log.id.uid
|
||||
'::cip':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- cip.service
|
||||
- cip.status_code
|
||||
- log.id.uid
|
||||
- event.dataset
|
||||
'::cip_identity':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- cip.device.type.name
|
||||
- cip.vendor.name
|
||||
- log.id.uid
|
||||
'::cip_io':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- cip.connection.id
|
||||
- cip.io.data
|
||||
- log.id.uid
|
||||
'::cotp':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- cotp.pdu.name
|
||||
- log.id.uid
|
||||
'::ecat_arp_info':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- destination.ip
|
||||
- source.mac
|
||||
- destination.mac
|
||||
- ecat.arp.type
|
||||
'::ecat_aoe_info':
|
||||
- soc_timestamp
|
||||
- source.mac
|
||||
- source.port
|
||||
- destination.mac
|
||||
- destination.port
|
||||
- ecat.command
|
||||
'::ecat_coe_info':
|
||||
- soc_timestamp
|
||||
- ecat.message.number
|
||||
- ecat.message.type
|
||||
- ecat.request.response.type
|
||||
- ecat.index
|
||||
- ecat.sub.index
|
||||
'::ecat_dev_info':
|
||||
- soc_timestamp
|
||||
- ecat.device.type
|
||||
- ecat.features
|
||||
- ecat.ram.size
|
||||
- ecat.revision
|
||||
- ecat.slave.address
|
||||
'::ecat_log_address':
|
||||
- soc_timestamp
|
||||
- source.mac
|
||||
- destination.mac
|
||||
- ecat.command
|
||||
'::ecat_registers':
|
||||
- soc_timestamp
|
||||
- source.mac
|
||||
- destination.mac
|
||||
- ecat.command
|
||||
- ecat.register.type
|
||||
'::enip':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- enip.command
|
||||
- enip.status_code
|
||||
- log.id.uid
|
||||
- event.dataset
|
||||
'::modbus_detailed':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- modbus.function
|
||||
- log.id.uid
|
||||
'::opcua_binary':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.identifier_string
|
||||
- opcua.message_type
|
||||
- log.id.uid
|
||||
'::opcua_binary_activate_session':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.link_id
|
||||
- opcua.identifier_string
|
||||
- opcua.user_name
|
||||
- log.id.uid
|
||||
'::opcua_binary_activate_session_diagnostic_info':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.activate_session_diag_info_link_id
|
||||
- opcua.diag_info_link_id
|
||||
- log.id.uid
|
||||
'::opcua_binary_activate_session_locale_id':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.local_id
|
||||
- opcua.locale_link_id
|
||||
- log.id.uid
|
||||
'::opcua_binary_browse':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.link_id
|
||||
- opcua.service_type
|
||||
- log.id.uid
|
||||
'::opcua_binary_browse_description':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- log.id.uid
|
||||
'::opcua_binary_browse_response_references':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.node_class
|
||||
- opcua.display_name_text
|
||||
- log.id.uid
|
||||
'::opcua_binary_browse_result':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.response_link_id
|
||||
- log.id.uid
|
||||
'::opcua_binary_create_session':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.link_id
|
||||
- log.id.uid
|
||||
'::opcua_binary_create_session_endpoints':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.endpoint_link_id
|
||||
- opcua.endpoint_url
|
||||
- log.id.uid
|
||||
'::opcua_binary_create_session_user_token':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.user_token_link_id
|
||||
- log.id.uid
|
||||
'::opcua_binary_create_subscription':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.link_id
|
||||
- log.id.uid
|
||||
'::opcua_binary_get_endpoints':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.endpoint_url
|
||||
- opcua.link_id
|
||||
- log.id.uid
|
||||
'::opcua_binary_get_endpoints_description':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.endpoint_description_link_id
|
||||
- opcua.endpoint_uri
|
||||
- log.id.uid
|
||||
'::opcua_binary_get_endpoints_user_token':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.user_token_link_id
|
||||
- opcua.user_token_type
|
||||
- log.id.uid
|
||||
'::opcua_binary_read':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.link_id
|
||||
- opcua.read_results_link_id
|
||||
- log.id.uid
|
||||
'::opcua_binary_status_code_detail':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- opcua.info_type_string
|
||||
- opcua.source_string
|
||||
- log.id.uid
|
||||
'::profinet':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- profinet.index
|
||||
- profinet.operation_type
|
||||
- log.id.uid
|
||||
'::profinet_dce_rpc':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- profinet.operation
|
||||
- log.id.uid
|
||||
'::s7comm':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- s7.ros.control.name
|
||||
- s7.function.name
|
||||
- log.id.uid
|
||||
'::s7comm_plus':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- s7.opcode.name
|
||||
- s7.version
|
||||
- log.id.uid
|
||||
'::s7comm_read_szl':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- s7.szl_id_name
|
||||
- s7.return_code_name
|
||||
- log.id.uid
|
||||
'::s7comm_upload_download':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- s7.ros.control.name
|
||||
- s7.function_code
|
||||
- log.id.uid
|
||||
'::tds':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- tds.command
|
||||
- log.id.uid
|
||||
- event.dataset
|
||||
'::tds_rpc':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- tds.procedure_name
|
||||
- log.id.uid
|
||||
- event.dataset
|
||||
'::tds_sql_batch':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- tds.header_type
|
||||
- log.id.uid
|
||||
- event.dataset
|
||||
queryBaseFilter: ''
|
||||
queryToggleFilters:
|
||||
- name: caseExcludeToggle
|
||||
@@ -1667,18 +2423,66 @@ soc:
|
||||
- name: SSL
|
||||
description: SSL logs
|
||||
query: 'event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: STUN
|
||||
description: STUN (Session Traversal Utilities for NAT) network metadata
|
||||
query: 'event.dataset:stun* | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby event.dataset'
|
||||
- name: SYSLOG
|
||||
description: SYSLOG logs
|
||||
query: 'event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: TDS
|
||||
description: TDS (Tabular Data Stream) network metadata
|
||||
query: 'event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupbytds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query'
|
||||
- name: Tunnel
|
||||
description: Tunnels seen by Zeek
|
||||
query: 'event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: Weird
|
||||
description: Weird network traffic seen by Zeek
|
||||
query: 'event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port '
|
||||
- name: TDS
|
||||
description: TDS (Tabular Data Stream) network metadata
|
||||
query: 'event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupbytds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query'
|
||||
- name: WireGuard
|
||||
description: WireGuard VPN network metadata
|
||||
query: 'event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: x509
|
||||
description: x.509 certificates seen by Zeek
|
||||
query: 'event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer'
|
||||
- name: ICS Overview
|
||||
description: Overview of ICS (Industrial Control Systems) network metadata
|
||||
query: 'tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac'
|
||||
- name: ICS BACnet
|
||||
description: BACnet (Building Automation and Control Networks) network metadata
|
||||
query: 'event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: ICS BSAP
|
||||
description: BSAP (Bristol Standard Asynchronous Protocol) network metadata
|
||||
query: 'event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: ICS CIP
|
||||
description: CIP (Common Industrial Protocol) network metadata
|
||||
query: 'event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: ICS COTP
|
||||
description: COTP (Connection Oriented Transport Protocol) network metadata
|
||||
query: 'event.dataset:cotp* | groupby -sankey source.ip destination.ip | groupby cotp.pdu.name | groupby cotp.pdu.code | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: ICS DNP3
|
||||
description: DNP3 (Distributed Network Protocol) network metadata
|
||||
query: 'event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: ICS ECAT
|
||||
description: ECAT (Ethernet for Control Automation Technology) network metadata
|
||||
query: 'event.dataset:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby event.dataset | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type'
|
||||
- name: ICS ENIP
|
||||
description: ENIP (Ethernet Industrial Protocol) network metadata
|
||||
query: 'event.dataset:enip* | groupby -sankey source.ip destination.ip | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: ICS Modbus
|
||||
description: Modbus network metadata
|
||||
query: 'event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: ICS OPC UA
|
||||
description: OPC UA (Unified Architecture) network metadata
|
||||
query: 'event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: ICS Profinet
|
||||
description: Profinet (Process Field Network) network metadata
|
||||
query: 'event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: ICS S7
|
||||
description: S7 (Siemens) network metadata
|
||||
query: 'event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: Firewall
|
||||
description: Firewall logs
|
||||
query: 'event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
|
||||
@@ -54,6 +54,19 @@ zeek:
|
||||
- securityonion/bpfconf
|
||||
- securityonion/communityid
|
||||
- securityonion/file-extraction
|
||||
- oui-logging
|
||||
- icsnpp-modbus
|
||||
- icsnpp-dnp3
|
||||
- icsnpp-bacnet
|
||||
- icsnpp-ethercat
|
||||
- icsnpp-enip
|
||||
- icsnpp-opcua-binary
|
||||
- icsnpp-bsap
|
||||
- icsnpp-s7comm
|
||||
- zeek-plugin-tds
|
||||
- zeek-plugin-profinet
|
||||
- zeek-spicy-wireguard
|
||||
- zeek-spicy-stun
|
||||
'@load-sigs':
|
||||
- frameworks/signatures/detect-windows-shells
|
||||
redef:
|
||||
|
||||
Reference in New Issue
Block a user