add more zeek ics parsers

2025-12-21 00:13:06 +01:00 · 2022-11-26 10:36:49 -05:00
parent 62c1bb2c0c
commit 73adc571de
26 changed files with 220 additions and 119 deletions
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id
@@ -3,7 +3,7 @@
  "processors" : [
    { "remove":   { "field": ["host"],									"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",		"ignore_failure": true } },
-    { "rename":   { "field": "message2.opcua_locale_link_id",                 "target_field": "opcua.locale.link_id",                 "ignore_missing": true } },
+    { "rename":   { "field": "message2.opcua_locale_link_id",	"target_field": "opcua.locale_link_id",	"ignore_missing": true } },
    { "rename":   { "field": "message2.local_id",		"target_field": "opcua.local_id",	"ignore_missing": true } },
    { "pipeline": { "name": "zeek.common" } }
  ]
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info
@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_browse_diagnostic_info",
+  "processors" : [
+    { "remove":   { "field": ["host"],													"ignore_failure": true } },
+    { "json":     { "field": "message",					"target_field": "message2",					"ignore_failure": true } },
+    { "rename":   { "field": "message2.browse_diag_info_link_id",	"target_field": "opcua.browse_session_diag_info.link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.diag_info_link_id", 		"target_field": "opcua.diag_info.link_id",			"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point
@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_browse_request_continuation_point",
+  "processors" : [
+    { "remove":   { "field": ["host"],										"ignore_failure": true } },
+    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
+    { "rename":   { "field": "message2.browse_next_link_id",	"target_field": "opcua.browse_next_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.continuation_point", 	"target_field": "opcua.continuation_point",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery
@@ -0,0 +1,11 @@
+{
+  "description" : "zeek.opcua_binary_create_session_discovery",
+  "processors" : [
+    { "remove":   { "field": ["host"],												"ignore_failure": true } },
+    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
+    { "rename":   { "field": "message2.discovery_profile_link_id",	"target_field": "opcua.discovery_profile_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.discovery_profile_uri", 		"target_field": "opcua.discovery_profile_uri",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.discovery_profile_url", 		"target_field": "opcua.discovery_profile_url",		"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail
@@ -0,0 +1,21 @@
+{
+  "description" : "zeek.opcua_binary_diag_info_detail",
+  "processors" : [
+    { "remove":   { "field": ["host"],										"ignore_failure": true } },
+    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
+    { "rename":   { "field": "message2.diag_info_link_id",	"target_field": "opcua.diag_info_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.source", 		"target_field": "opcua.source",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.source_str", 		"target_field": "opcua.source_string",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.inner_diag_level",	"target_field": "opcua.inner_diag_level",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.has_symbolic_id",	"target_field": "opcua.has_symbolic_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.has_namespace_uri",	"target_field": "opcua.has_namespace_uri",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.has_locale",		"target_field": "opcua.has_locale",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.has_locale_txt",		"target_field": "opcua.has_locale_txt",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.has_addl_info",		"target_field": "opcua.has_addl_info",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.addl_info",		"target_field": "opcua.addl_info",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.has_inner_stat_code",	"target_field": "opcua.has_inner_stat_code",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.inner_stat_code",	"target_field": "opcua.inner_stat_code",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.has_inner_diag_info",	"target_field": "opcua.has_inner_diag_info",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
@@ -14,7 +14,7 @@
    { "rename":   { "field": "message2.message_security_mode",		"target_field": "opcua.message_security_mode",		"ignore_missing": true } },
    { "rename":   { "field": "message2.security_policy_uri",		"target_field": "opcua.security_policy_uri",		"ignore_missing": true } },
    { "rename":   { "field": "message2.user_token_link_id",		"target_field": "opcua.user_token_link_id",		"ignore_missing": true } },
-    { "rename":   { "field": "message2.transport_profile_uri",            "target_field": "transport_profile_uri",                    "ignore_missing": true } },
+    { "rename":   { "field": "message2.transport_profile_uri",		"target_field": "opcua.transport_profile_uri",		"ignore_missing": true } },
    { "rename":   { "field": "message2.security_level",			"target_field": "opcua.security_level",			"ignore_missing": true } },
    { "pipeline": { "name": "zeek.common" } }
  ]
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery
@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_get_endpoints_discovery",
+  "processors" : [
+    { "remove":   { "field": ["host"],												"ignore_failure": true } },
+    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
+    { "rename":   { "field": "message2.discovery_profile_link_id",	"target_field": "opcua.discovery_profile_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.discovery_profile_url", 		"target_field": "opcua.discovery_profile_url",		"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id
@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_get_endpoints_locale_id",
+  "processors" : [
+    { "remove":   { "field": ["host"],									"ignore_failure": true } },
+    { "json":     { "field": "message",				"target_field": "message2",		"ignore_failure": true } },
+    { "rename":   { "field": "message2.opcua_locale_link_id",	"target_field": "opcua.locale_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.local_id", 		"target_field": "opcua.local_id",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri
@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_get_endpoints_profile_uri",
+  "processors" : [
+    { "remove":   { "field": ["host"],										"ignore_failure": true } },
+    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
+    { "rename":   { "field": "message2.profile_uri_link_id",	"target_field": "opcua.profile_uri_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.profile_uri",		"target_field": "opcua.profile_uri",		"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel
@@ -4,12 +4,12 @@
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.opcua_link_id",			"target_field": "opcua.link_id",			"ignore_missing": true } },
-    { "rename":   { "field": "message2.server_proto_ver",               "target_field": "opcua.server.protocol.version",               "ignore_missing": true } },
-    { "rename":   { "field": "message2.sec_token_sec_channel_id",       "target_field": "opcua.security_token.security_channel_id",    "ignore_missing": true } },
-    { "rename":   { "field": "message2.server_proto_ver",               "target_field": "opcua.security_token.id",                     "ignore_missing": true } },
-    { "rename":   { "field": "message2.server_proto_ver",               "target_field": "opcua.security_token.created",                "ignore_missing": true } },
-    { "rename":   { "field": "message2.server_proto_ver",               "target_field": "opcua.security_token.revised",                "ignore_missing": true } },
-    { "rename":   { "field": "message2.server_proto_ver",               "target_field": "opcua.server.nonce",                          "ignore_missing": true } },
+    { "rename":   { "field": "message2.server_proto_ver",		"target_field": "opcua.server_proto_ver",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.sec_token_sec_channel_id",	"target_field": "opcua.sec_token_sec_channel_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.sec_token_id",			"target_field": "opcua.sec_token_id",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.sec_token_created_at",		"target_field": "opcua.sec_token_created_at",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.sec_token_revised_time",		"target_field": "opcua.sec_token_revised_time",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.server_nonce",			"target_field": "opcua.server_nonce",			"ignore_missing": true } },
    { "pipeline": { "name": "zeek.common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read
@@ -4,7 +4,7 @@
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.opcua_link_id",		"target_field": "opcua.link_id",		"ignore_missing": true } },
-    { "rename":   { "field": "message2.read_results_link_id",           "target_field": "opcua.read_results.link_id",               "ignore_missing": true } },
+    { "rename":   { "field": "message2.read_results_link_id",	"target_field": "opcua.read_results_link_id",	"ignore_missing": true } },
    { "pipeline": { "name": "zeek.common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
@@ -3,14 +3,13 @@
  "processors" : [
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
-    { "rename":   { "field": "message2.nodes_to_read_link_id",           "target_field": "opcua.nodes_to_read.link_id",               "ignore_missing": true } },
-    { "rename":   { "field": "message2.node_id_encoding_mask",           "target_field": "opcua.node_id.encoding_mask",               "ignore_missing": true } },
-    { "rename":   { "field": "message2.node_id_namespace_idx",           "target_field": "opcua.node_id.namespace_idx",               "ignore_missing": true } },
-    { "rename":   { "field": "message2.node_id_string",           "target_field": "opcua.node_id.string",               "ignore_missing": true } },
+    { "rename":   { "field": "message2.nodes_to_read_link_id",		"target_field": "opcua.nodes_to_read_link_id",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.node_id_encoding_mask",		"target_field": "opcua.node_id_encoding_mask",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.node_id_numeric",		"target_field": "opcua.node_id_numeric",		"ignore_missing": true } },
    { "rename":   { "field": "message2.attribute_id",			"target_field": "opcua.attribute_id",			"ignore_missing": true } },
-    { "rename":   { "field": "message2.attribute_id_str",           "target_field": "opcua.attribute_id_str",               "ignore_missing": true } },
-    { "rename":   { "field": "message2.data_encoding_name_idx",           "target_field": "opcua.encoding_name_idx",               "ignore_missing": true } },
-    { "rename":   { "field": "message2.data_encoding_name",           "target_field": "opcua.encoding_name",               "ignore_missing": true } }, 
+    { "rename":   { "field": "message2.attribute_id_str",		"target_field": "opcua.attribute_id_string",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.data_encoding_name_idx",		"target_field": "opcua.data_encoding_name_index",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.data_encoding_name",		"target_field": "opcua.data_encoding_name",		"ignore_missing": true } },
    { "pipeline": { "name": "zeek.common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results
@@ -3,10 +3,15 @@
  "processors" : [
    { "remove":   { "field": ["host"],														"ignore_failure": true } },
    { "json":     { "field": "message",						"target_field": "message2",					"ignore_failure": true } },
-    { "rename":   { "field": "message2.results_link_id",           "target_field": "opcua.results.link_id",               "ignore_missing": true } },
+    { "rename":   { "field": "message2.results_link_id",			"target_field": "opcua.results_link_id",			"ignore_missing": true } },
    { "rename":   { "field": "message2.level",					"target_field": "opcua.level",					"ignore_missing": true } },
    { "rename":   { "field": "message2.data_value_encoding_mask",		"target_field": "opcua.data_value_encoding_mask",		"ignore_missing": true } },
-    { "rename":   { "field": "message2.status_code_link_id",           "target_field": "opcua.status_code.link_id",               "ignore_missing": true } },
+    { "rename":   { "field": "message2.data_variant_encoding_mask",		"target_field": "opcua.data_variant_encoding_mask",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.data_variant_data_type",			"target_field": "opcua.data_variant_data_type",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.data_variant_data_type_str",		"target_field": "opcua.data_variant_data_type_string",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.built_in_data_type",			"target_field": "opcua.built_in_data_type",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.built_in_data_type_str",			"target_field": "opcua.built_in_data_type_string",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.read_results_variant_data_link_id",	"target_field": "opcua.read_results_variant_data_link_id",	"ignore_missing": true } },
    { "pipeline": { "name": "zeek.common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
@@ -3,8 +3,8 @@
  "processors" : [
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
-    { "rename":   { "field": "message2.read_results_link_id",               "target_field": "opcua.read_results.link_id",                           "ignore_missing": true } },
-    { "rename":   { "field": "message2.results_link_id",           "target_field": "opcua.results.link_id",               "ignore_missing": true } },
+    { "rename":   { "field": "message2.read_results_link_id",	"target_field": "opcua.read_results_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.results_link_id",	"target_field": "opcua.results_link_id",	"ignore_missing": true } },
    { "pipeline": { "name": "zeek.common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl
@@ -0,0 +1,15 @@
+{
+  "description" : "zeek.s7comm_read_szl",
+  "processors" : [
+    { "remove":   { "field": ["host"],									"ignore_failure": true } },
+    { "json":     { "field": "message",				"target_field": "message2",		"ignore_failure": true } },
+    { "rename":   { "field": "message2.pdu_reference",		"target_field": "s7.pdu_reference",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.method",			"target_field": "s7.method",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.szl_id",			"target_field": "s7.szl_id",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.szl_id_name",		"target_field": "s7.szl_id_name",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.szl_index",		"target_field": "s7.szl_index",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.return_code",		"target_field": "s7.return_code",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.return_code_name",	"target_field": "s7.return_code_name",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}