diff --git a/pillar/zeek/init.sls b/pillar/zeek/init.sls
index ee0656dd8..21b7e61ae 100644
--- a/pillar/zeek/init.sls
+++ b/pillar/zeek/init.sls
@@ -53,6 +53,9 @@ zeek:
 - icsnpp-modbus
 - icsnpp-dnp3
 - icsnpp-bacnet
+ - icsnpp-ethercat
+ - icsnpp-enip
+ - icsnpp-ocpua-binary
 '@load-sigs':
 - frameworks/signatures/detect-windows-shells
 redef:
diff --git a/salt/common/tools/sbin/so-zeek-logs b/salt/common/tools/sbin/so-zeek-logs
index f6df7f8aa..4f56ee7e5 100755
--- a/salt/common/tools/sbin/so-zeek-logs
+++ b/salt/common/tools/sbin/so-zeek-logs
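Review bot: The package name `icsnpp-ocpua-binary` in the added list looks like a transposition of `icsnpp-opcua-binary`; every other artifact in this commit (the `opcua_binary*` log names in so-zeek-logs and the `zeek.opcua*` ingest pipelines) spells it `opcua`, so as written the OPC UA parser would presumably not be installed while its pipelines and log selections are. Change the line to `+ - icsnpp-opcua-binary`. The enclosing zeek package list starts outside the hunk.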
@@ -42,7 +42,58 @@ whiptail_manager_adv_service_zeeklogs() {
 "weird" "Zeek Weird Logs" ON \
 "mysql" "MySQL Logs" ON \
 "socks" "SOCKS Logs" ON \
- "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
+ "x509" "x.509 Logs" ON \
+ "modbus_detailed" "MODBUS Details" ON \
+ "modbus_mask_write_register" "MODBUS Write Register" ON \
+ "modbus_read_write_multiple_registers" "MODBUS Multi Registers" ON \
+ "dnp3_objects" "DNP3 Objections" ON \
+ "bacnet" "BACnet" ON \
+ "bacnet_discovery" "BACnet Discovery" ON \
+ "bacnet_property" "BACnet Property" ON \
+ "bsap_ip_header" "BSAP IP Header" ON \
+ "bsap_ip_rdb" "BSAP IP RDB" ON \
+ "bsap_ip_unknown" "BSAP IP Unknown" ON \
+ "bsap_serial_header" "BSAP Serial Header" ON \
+ "bsap_serial_rdb" "BSAP Serial RDB" ON \
+ "bsap_serial_rdb_ext" "BSAP Serial RDB Extenstion" ON \
+ "bsap_serial_unknown" "BSAP Serial Unknown" ON \
+ "ecat_registers" "Ethercat Registers" ON \
+ "ecat_log_address" "Ethercat Address Read Write" ON \
+ "ecat_dev_info" "Ethercat Device Info" ON \
+ "ecat_aoe_info" "Ethercat AoE Info" ON \
+ "ecat_coe_info" "Ethercat CoE Info" ON \
+ "ecat_foe_info" "Ethercat FoE Info" ON \
+ "ecat_soe_info" "Ethercat SoE Info" ON \
+ "ecat_arp_info" "Ethercat ARP Info" ON \
+ "enip" "ENIP Header" ON \
+ "cip" "CIP Header" ON \
+ "cip_io" "CIP I/O" ON \
+ "cip_identity" "CIP Identity" ON \
+ "opcua_binary.log" "OPC UA Binary Encoding" ON \
+ "opcua_binary_status_code_detail" "OPC UA Detail" ON \
+ "opcua_binary_diag_info_detail" "OPC UA Diag" ON \
+ "opcua_binary_get_endpoints" "OPC UA Endpoints" ON \
+ "opcua_binary_get_endpoints_discovery" "OPC UA Endpoints" ON \
+ "opcua_binary_get_endpoints_user_token" "OPC UA Endpoints" ON \
+ "opcua_binary_get_endpoints_description" "OPC UA Endpoints" ON \
+ "opcua_binary_get_endpoints_locale_id" "OPC UA Endpoints" ON \
+ "opcua_binary_get_endpoints_profile_uri" "OPC UA Endpoints" ON \
+ "opcua_binary_create_session" "OPC UA Session" ON \
+ "opcua_binary_create_session_user_token" "OPC UA Session" ON \
+ "opcua_binary_create_session_endpoints" "OPC UA Session" ON \
+ "opcua_binary_create_session_discovery" "OPC UA Session" ON \
+ "opcua_binary_activate_session" "OPC UA Session" ON \
+ "opcua_binary_activate_session_client_software_cert" "OPC UA Session" ON \
+ "opcua_binary_activate_session_locale_id" "OPC UA Session" ON \
+ "opcua_binary_activate_session_diagnostic_info" "OPC UA Session" ON \
+ "opcua_binary_browse" "OPC UA Browse" ON \
+ "opcua_binary_browse_description" "OPC UA Browse" ON \
+ "opcua_binary_browse_request_continuation_point" "OPC UA Browse" ON \
+ "opcua_binary_browse_result" "OPC UA Browse" ON \
+ "opcua_binary_browse_response_references" "OPC UA Browse" ON \
+ "opcua_binary_browse_diagnostic_info" "OPC UA Browse" ON \
+ "opcua_binary_create_subscription" "OPC UA UA Browse" ON \
+ "opcua_binary_read" "OPC UA Read" ON 3>&1 1>&2 2>&3 )
 local exitstatus=$?
diff --git a/salt/elasticsearch/files/ingest/zeek.cip b/salt/elasticsearch/files/ingest/zeek.cip
new file mode 100644
index 000000000..22f678594
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.cip
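Review bot: The added entry `"opcua_binary.log" "OPC UA Binary Encoding" ON \` carries a `.log` suffix that no other tag in the list has; if the selected tags are later turned into log filenames or matched against the ingest pipeline names added in this commit, this entry will not line up, so it should read `"opcua_binary" "OPC UA Binary Encoding" ON \`. Several labels are also off: `"DNP3 Objections"` (Objects), `"BSAP Serial RDB Extenstion"` (Extension), and `"OPC UA UA Browse"` on the create_subscription line, which is a subscription rather than a browse. The many identical `"OPC UA Endpoints"`/`"OPC UA Session"`/`"OPC UA Browse"` labels make the checklist hard to use; suffixing each with its sub-log name would help. The function continues past the end of the hunk.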
@@ -0,0 +1,19 @@
+{
+ "description" : "zeek.cip",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "cip.is.origin", "ignore_missing": true } },
+ { "rename": { "field": "message2.cip_sequence_count", "target_field": "cip.sequence_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.direction", "target_field": "cip.direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.cip_service_code", "target_field": "cip.service_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.cip_service", "target_field": "cip.service", "ignore_missing": true } },
+ { "convert": { "field": "cip.service", "type": "string", "ignore_missing": true } },
+ { "rename": { "field": "message2.cip_status", "target_field": "cip.status_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.class_id", "target_field": "cip.request.path.class.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.class_name", "target_field": "cip.request.path.class.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.instance_id", "target_field": "cip.request.path.instance.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.attribute_id", "target_field": "cip.request.path.attribute.id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.cip_identity b/salt/elasticsearch/files/ingest/zeek.cip_identity
new file mode 100644
index 000000000..092f63fa7
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.cip_identity
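Review bot: The same Zeek concept is mapped to two different Elasticsearch names across the CIP pipelines: here `message2.cip_sequence_count` goes to `cip.sequence_count`, while zeek.cip_io sends `message2.sequence_number` to `cip.sequence.count`, so a query on one field misses documents carrying the other. Pick one target (the nested form used for the path fields in this file, e.g. `"target_field": "cip.sequence.count"`) and use it in both pipelines. The same leaf-versus-nested mix shows up in `cip.service_code` and `cip.status_code` next to `cip.request.path.class.id`, and in zeek.enip (`enip.command_code` beside `enip.status.code`); settling the convention now is cheaper than re-indexing later.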
@@ -0,0 +1,21 @@
+{
+ "description" : "zeek.cip_identity",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.encapsulation_version", "target_field": "cip.encapsulation.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.socket_address", "target_field": "cip.socket.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.socket_port", "target_field": "cip.socket.port", "ignore_missing": true } },
+ { "rename": { "field": "message2.vendor_id", "target_field": "cip.vendor.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.vendor_name", "target_field": "cip.vendor.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.device_type_id", "target_field": "cip.device.type.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.device_type_name", "target_field": "cip.device.type.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_code", "target_field": "cip.device.product.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.revision", "target_field": "cip.device.revision", "ignore_missing": true } },
+ { "rename": { "field": "message2.device_status", "target_field": "cip.device.status", "ignore_missing": true } },
+ { "rename": { "field": "message2.serial_number", "target_field": "cip.device.serial.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_name", "target_field": "cip.device.product.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.device_state", "target_field": "cip.device.state", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/zeek.cip_io b/salt/elasticsearch/files/ingest/zeek.cip_io
new file mode 100644
index 000000000..4a66d83bf
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.cip_io
@@ -0,0 +1,13 @@
+{
+ "description" : "zeek.cip_io",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "cip.is.origin", "ignore_missing": true } },
+ { "rename": { "field": "message2.connection_id", "target_field": "cip.connection.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.sequence_number", "target_field": "cip.sequence.count", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_length", "target_field": "cip.data.length", "ignore_missing": true } },
+ { "rename": { "field": "message2.io_data", "target_field": "cip.io.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info b/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info
new file mode 100644
index 000000000..009cd311f
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info
@@ -0,0 +1,17 @@
+{
+ "description" : "zeek.ecat_aoe_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.targetid", "target_field": "ecat.target.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.targetport", "target_field": "ecat.target.port", "ignore_missing": true } },
+ { "convert": { "field": "ecat.target.port", "type": "integer", "ignore_missing": true } },
+ { "rename": { "field": "message2.senderid", "target_field": "ecat.sender.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.senderport", "target_field": "ecat.sender.port", "ignore_missing": true } },
+ { "convert": { "field": "ecat.sender.port", "type": "integer", "ignore_missing": true } },
+ { "rename": { "field": "message2.cmd", "target_field": "ecat.command", "ignore_missing": true } },
+ { "rename": { "field": "message2.stateflags", "target_field": "ecat.state.flags", "ignore_missing": true } },
+ { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_arp_info b/salt/elasticsearch/files/ingest/zeek.ecat_arp_info
new file mode 100644
index 000000000..522efecf5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_arp_info
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.ecat_arp_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.arp_type", "target_field": "ecat.arp.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.mac_src", "target_field": "ecat.srcmac", "ignore_missing": true } },
+ { "rename": { "field": "message2.mac_dst", "target_field": "ecat.dstmac", "ignore_missing": true } },
+ { "rename": { "field": "message2.SPA", "target_field": "ecat.sender.protocol.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.SHA", "target_field": "ecat.sender.hardware.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.TPA", "target_field": "ecat.target.protocol.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.THA", "target_field": "ecat.target.hardware.address", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_coe_info b/salt/elasticsearch/files/ingest/zeek.ecat_coe_info
new file mode 100644
index 000000000..79721c920
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_coe_info
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.ecat_coe_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.number", "target_field": "ecat.message.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.Type", "target_field": "ecat.message.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_resp", "target_field": "ecat.request.response.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.index", "target_field": "ecat.index", "ignore_missing": true } },
+ { "rename": { "field": "message2.subindex", "target_field": "ecat.sub.index", "ignore_missing": true } },
+ { "rename": { "field": "message2.dataoffset", "target_field": "ecat.data_offset", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_dev_info b/salt/elasticsearch/files/ingest/zeek.ecat_dev_info
new file mode 100644
index 000000000..aab20781b
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_dev_info
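Review bot: `ecat.data_offset` is the only underscore-joined leaf in the ecat pipelines; every neighbouring target in this file and in the other zeek.ecat_* pipelines nests with dots (`ecat.sub.index`, `ecat.message.number`, `ecat.request.response.type`). Change the last rename to `"target_field": "ecat.data.offset"` so the ecat object keeps one shape across all of its logs.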
@@ -0,0 +1,18 @@
+{
+ "description" : "zeek.ecat_dev_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.slave_id", "target_field": "ecat.slave.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.revision", "target_field": "ecat.revision", "ignore_missing": true } },
+ { "rename": { "field": "message2.dev_type", "target_field": "ecat.device.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.build", "target_field": "ecat.build.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.fmmucnt", "target_field": "ecat.fieldbus.mem.mgmt.unit", "ignore_missing": true } },
+ { "rename": { "field": "message2.smcount", "target_field": "ecat.sync.manager.count", "ignore_missing": true } },
+ { "rename": { "field": "message2.ports", "target_field": "ecat.port", "ignore_missing": true } },
+ { "convert": { "field": "ecat.port", "type": "integer", "ignore_missing": true } },
+ { "rename": { "field": "message2.dpram", "target_field": "ecat.ram.size", "ignore_missing": true } },
+ { "rename": { "field": "message2.features", "target_field": "ecat.features", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_foe_info b/salt/elasticsearch/files/ingest/zeek.ecat_foe_info
new file mode 100644
index 000000000..11df775a9
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_foe_info
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.ecat_foe_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.reserved", "target_field": "ecat.reserved", "ignore_missing": true } },
+ { "rename": { "field": "message2.packet_num", "target_field": "ecat.packet.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.error_code", "target_field": "ecat.error.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.filename", "target_field": "ecat.filename", "ignore_missing": true } },
+ { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_log_address b/salt/elasticsearch/files/ingest/zeek.ecat_log_address
new file mode 100644
index 000000000..141eeda00
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_log_address
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.ecat_log_address",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.srcmac", "target_field": "ecat.srcmac", "ignore_missing": true } },
+ { "rename": { "field": "message2.dstmac", "target_field": "ecat.dstmac", "ignore_missing": true } },
+ { "rename": { "field": "message2.Log_Addr", "target_field": "ecat.log.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.Length", "target_field": "ecat.length", "ignore_missing": true } },
+ { "rename": { "field": "message2.Command", "target_field": "ecat.command", "ignore_missing": true } },
+ { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_registers b/salt/elasticsearch/files/ingest/zeek.ecat_registers
new file mode 100644
index 000000000..4b4d4eebe
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_registers
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.ecat_registers",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.srcmac", "target_field": "ecat.srcmac", "ignore_missing": true } },
+ { "rename": { "field": "message2.dstmac", "target_field": "ecat.dstmac", "ignore_missing": true } },
+ { "rename": { "field": "message2.Command", "target_field": "ecat.command", "ignore_missing": true } },
+ { "rename": { "field": "message2.Slave_Addr", "target_field": "ecat.slave.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.Register_Type", "target_field": "ecat.register.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.Register_Addr", "target_field": "ecat.register.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_soe_info b/salt/elasticsearch/files/ingest/zeek.ecat_soe_info
new file mode 100644
index 000000000..bddc40efa
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_soe_info
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.ecat_soe_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.incomplete", "target_field": "ecat.function.check", "ignore_missing": true } },
+ { "rename": { "field": "message2.error", "target_field": "ecat.error", "ignore_missing": true } },
+ { "rename": { "field": "message2.drive_num", "target_field": "ecat.drive.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.element_flags", "target_field": "ecat.element.flags", "ignore_missing": true } },
+ { "rename": { "field": "message2.index", "target_field": "ecat.index", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/zeek.enip b/salt/elasticsearch/files/ingest/zeek.enip
new file mode 100644
index 000000000..456eb99d7
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.enip
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.enip",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "enip.is.origin", "ignore_missing": true } },
+ { "rename": { "field": "message2.enip_command_code", "target_field": "enip.command_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.enip_command", "target_field": "enip.command", "ignore_missing": true } },
+ { "rename": { "field": "message2.length", "target_field": "enip.length", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_handle", "target_field": "enip.session.handle", "ignore_missing": true } },
+ { "rename": { "field": "message2.enip_status", "target_field": "enip.status.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.sender_context", "target_field": "enip.sender.context", "ignore_missing": true } },
+ { "rename": { "field": "message2.options", "target_field": "enip.options", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua b/salt/elasticsearch/files/ingest/zeek.opcua
new file mode 100644
index 000000000..78e44c47c
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua
@@ -0,0 +1,30 @@
+{
+ "description" : "zeek.opcua",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.msg_type", "target_field": "opcua.message_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.is_final", "target_field": "opcua.final", "ignore_missing": true } },
+ { "rename": { "field": "message2.msg_size", "target_field": "opcua.message_size", "ignore_missing": true } },
+ { "rename": { "field": "message2.snd_buf_size", "target_field": "opcua.sender.buffer_size", "ignore_missing": true } },
+ { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_channel_id", "target_field": "opcua.secure_channel.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_id", "target_field": "opcua.request_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.identifier", "target_field": "opcua.identifier", "ignore_missing": true } },
+ { "rename": { "field": "message2.identifier_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_node_id_type", "target_field": "opcua.request.header.node.id_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_node_id_numeric", "target_field": "opcua.request.header.node.id_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_timestamp", "target_field": "opcua.request.header.timestamp", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_request_handle", "target_field": "opcua.request.handle", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_return_diag", "target_field": "opcua.request.header.return_diag", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_audit_entry_id", "target_field": "opcua.request.header.audit_entry_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_timeout_hint", "target_field": "opcua.request.header.timeout_hint", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_add_hdr_type_id", "target_field": "opcua.request.header.type_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_add_hdr_enc_mask", "target_field": "opcua.request.header.enc_mask", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_activate_session b/salt/elasticsearch/files/ingest/zeek.opcua_activate_session
new file mode 100644
index 000000000..466e34236
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_activate_session
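Review bot: `message2.seq_number` is renamed to `opcua.sequence_number` twice in this pipeline (once after `snd_buf_size` and again after `sec_channel_id`); the second processor only survives because of `ignore_missing` and will read as a mistake to the next maintainer, so drop it. Related: `req_hdr_request_handle` lands in `opcua.request.handle` while every other `req_hdr_*` field goes under `opcua.request.header.*`; `"target_field": "opcua.request.header.request_handle"` keeps the header fields together. The json processor's `"ignore_failure": true}` is also missing the space before `}` that the other pipelines use.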
@@ -0,0 +1,18 @@
+{
+ "description" : "zeek.opcua.activate_session",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_encoding", "target_field": "opcua.encoding", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_policy_id", "target_field": "opcua.policy_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_user_name", "target_field": "opcua.user_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_password", "target_field": "opcua.password", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_browse b/salt/elasticsearch/files/ingest/zeek.opcua_browse
new file mode 100644
index 000000000..fa0f8bf81
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_browse
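Review bot: `message2.ext_obj_password` is indexed verbatim as `opcua.password`, so whatever the client submitted in the ActivateSession user-name token becomes a searchable field in the SIEM; when the endpoint negotiates security policy None that token can be cleartext, and under an encrypting policy the ciphertext is of little detection value, so either way the field is more liability than signal. Consider leaving it unmapped, or replacing the rename with a processor that records only whether a password was present, and restricting read access to the field if it is kept; `opcua.user_name` already gives attribution for logins. Whatever is decided, a one-line comment in the commit or a sibling README noting why the credential field is or is not retained would save the next reviewer the same question.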
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.opcua.browse",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } },
+ { "rename": { "field": "browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
+ { "rename": { "field": "browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } },
+ { "rename": { "field": "browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } },
+ { "rename": { "field": "browse_description_link_id", "target_field": "opcua.description.link_id", "ignore_missing": true } },
+ { "rename": { "field": "req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_browse_description b/salt/elasticsearch/files/ingest/zeek.opcua_browse_description
new file mode 100644
index 000000000..56d6ac655
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_browse_description
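Review bot: After the json processor writes the parsed record to `message2`, every rename in this pipeline except the first reads a bare field name (`browse_service_type`, `browse_view_id_encoding_mask`, …) rather than `message2.<name>`, so with `ignore_missing` each one silently does nothing and the browse fields never reach `opcua.*`. Prefix all of them, e.g. `"field": "message2.browse_service_type"`. zeek.opcua_browse_description has the same defect on every one of its renames.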
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.opcua.browse_description",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "browse_description_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "browse_description_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
+ { "rename": { "field": "browse_direction", "target_field": "opcua.direction", "ignore_missing": true } },
+ { "rename": { "field": "browse_description_ref_encoding_mask", "target_field": "opcua.description.ref_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "browse_description_ref_numeric", "target_field": "opcua.description.ref_numeric", "ignore_missing": true } },
+ { "rename": { "field": "browse_description_include_subtypes", "target_field": "opcua.description.include_subtypes", "ignore_missing": true } },
+ { "rename": { "field": "browse_node_class_mask", "target_field": "opcua.node.class_mask", "ignore_missing": true } },
+ { "rename": { "field": "browse_result_mask", "target_field": "opcua.result.mask", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_browse_response_references b/salt/elasticsearch/files/ingest/zeek.opcua_browse_response_references
new file mode 100644
index 000000000..07cec4813
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_browse_response_references
@@ -0,0 +1,22 @@
+{
+ "description" : "zeek.opcua_browse_response_references",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.browse_reference_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_encoding_mask", "target_field": "opcua.reference_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_numeric", "target_field": "opcua.reference_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_is_forward", "target_field": "opcua.is_forward", "ignore_missing": true } },
+ { "rename": { "field": "message2.response_ref_type_encoding_mask", "target_field": "opcua.reference_type_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_type_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_type_numeric", "target_field": "opcua.reference_type_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_name", "target_field": "opcua.reference_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_display_name_mask", "target_field": "opcua.display_name_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_display_name_locale", "target_field": "opcua.display_name_local", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_display_name_text", "target_field": "opcua.display_name_text", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_node_class", "target_field": "opcua.node_class", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_type_def_encoding_mask", "target_field": "opcua.type_def_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_type_def_numeric", "target_field": "opcua.type_def_numeric", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_browse_result b/salt/elasticsearch/files/ingest/zeek.opcua_browse_result
new file mode 100644
index 000000000..7b29284f9
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_browse_result
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.opcua_browse_result",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.browse_response_link_id", "target_field": "opcua.response.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_reference.link_id", "target_field": "opcua.reference.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code.link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_create_session b/salt/elasticsearch/files/ingest/zeek.opcua_create_session
new file mode 100644
index 000000000..637e5a7bb
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_create_session
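Review bot: `message2.browse_response_display_name_locale` is renamed to `opcua.display_name_local`, which reads as a truncated `opcua.display_name_locale` and breaks the pairing with `opcua.display_name_text` and `opcua.display_name_mask`; change it to `"target_field": "opcua.display_name_locale"`. Separately, `message2.response_ref_type_encoding_mask` is the only source field in the list without the `browse_response_` prefix its neighbours carry, so it is worth confirming against the Zeek log's column name before this ships, since a mismatch is hidden by `ignore_missing`.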
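Review bot: The source fields `message2.browse_reference.link_id` and `message2.status_code.link_id` contain an inner dot, which the rename processor reads as nested objects `browse_reference` and `status_code` under `message2`; the first rename in the same list uses the flat `message2.browse_response_link_id`, and flat underscore names are what every other opcua pipeline in this commit consumes. If the Zeek log emits `browse_reference_link_id` and `status_code_link_id`, these two renames never match and the values are dropped silently because of `ignore_missing`, so verify the column names and, if flat, switch to `"field": "message2.browse_reference_link_id"` and `"field": "message2.status_code_link_id"`.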
@@ -0,0 +1,19 @@
+{
+ "description" : "zeek.opcua_create_session",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_id_encoding_mask", "target_field": "opcua.session_id.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_id_namespace_idx", "target_field": "opcua.session_id.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_id_guid", "target_field": "opcua.session_id.guid", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_token_encoding_mask", "target_field": "opcua.auth_token.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_token_namespace_idx", "target_field": "opcua.auth_token.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_token_guid", "target_field": "opcua.auth_token.guid", "ignore_missing": true } },
+ { "rename": { "field": "message2.revised_session_timeout", "target_field": "opcua.revised_session_timeout", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.max_req_msg_size", "target_field": "opcua.request.max_message_size", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_create_session_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_create_session_endpoints
new file mode 100644
index 000000000..2bee814b6
--- /dev/null
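Review bot: `auth_token_guid` is indexed as `opcua.auth_token.guid` next to `session_id.guid` and `server_nonce`; if this is the authentication token from the CreateSession response (which, as I understand OPC UA, the client then presents in every subsequent request header), the pipeline is storing what amounts to a live session credential in cleartext, and nothing in the field names signals that. Capturing it is reasonable for network monitoring, but it deserves a sentence in the project documentation for these fields, or a short remark in the pipeline `description`, so that anyone widening read access to the Zeek index knows what is in it. The mapping itself reads cleanly and each rename has its own source field.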
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_create_session_endpoints
@@ -0,0 +1,21 @@
+{
+ "description" : "zeek.opcua",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
+ { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
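Review bot: The `description` is `"zeek.opcua"` while every other pipeline in this change names itself after its own log, which makes this one hard to pick out in `GET _ingest/pipeline` output; `"description" : "zeek.opcua_create_session_endpoints"` matches the convention. The field mapping itself looks right, and keeping `message_security_mode` and `security_policy_uri` under their own names is what lets an analyst query for endpoints advertising no security, so it is worth protecting that naming when the get_endpoints_description pipeline is brought in line with this one.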
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_create_session_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_create_session_user_token
new file mode 100644
index 000000000..ef621a5ff
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_create_session_user_token
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.opcua_create_session_user_token",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.policy_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.type", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_create_subscription b/salt/elasticsearch/files/ingest/zeek.opcua_create_subscription
new file mode 100644
index 000000000..372e6b4fd
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_create_subscription
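Review bot: All three rename processors read the same source, `message2.user_token_link_id`; once the first moves it to `opcua.user_token.link_id` the second and third find nothing, and `ignore_missing: true` turns that into a silent skip, so `opcua.user_token.policy_id` and `opcua.user_token.type` are never populated and the user-token type (anonymous, username, certificate) — the most interesting field in this log for access review — stays unindexed under `message2`. The sibling get_endpoints_user_token pipeline reads `user_token_type`, so this most likely wants `"field": "message2.user_token_policy_id"` and `"field": "message2.user_token_type"` for the second and third processors; confirm the exact column names against the create_session_user_token log header.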
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.opcua_create_subscription",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.requested_publishing_interval", "target_field": "opcua.publish_interval", "ignore_missing": true } },
+ { "rename": { "field": "message2.requested_lifetime_count", "target_field": "opcua.lifetime_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.requested_max_keep_alive_count", "target_field": "opcua.max_keepalive", "ignore_missing": true } },
+ { "rename": { "field": "message2.max_notifications_per_publish", "target_field": "opcua.max_notifications", "ignore_missing": true } },
+ { "rename": { "field": "message2.publishing_enabled", "target_field": "opcua.publish_enabled", "ignore_missing": true } },
+ { "rename": { "field": "message2.priority", "target_field": "opcua.priority", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints
new file mode 100644
index 000000000..a7b2b2f85
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_get_endpoints",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description
new file mode 100644
index 000000000..ef3755c8d
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description
@@ -0,0 +1,20 @@
+{
+ "description" : "zeek.opcua_get_endpoints_description",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.final", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_uri", "target_field": "opcua.message_size", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.sender.buffer_size", "ignore_missing": true } },
+ { "rename": { "field": "message2.locale", "target_field": "opcua.sequence_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.text", "target_field": "opcua.secure_channel.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_type", "target_field": "opcua.sequence_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.request_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_level", "target_field": "opcua.identifier", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_user_token
new file mode 100644
index 000000000..854c35cf0
--- /dev/null
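Review bot: The target names in this pipeline do not correspond to their sources and look pasted from another pipeline's target column: `product_uri` becomes `opcua.message_size`, `message_security_mode` becomes `opcua.link_id`, `security_policy_uri` becomes `opcua.request_id`, `security_level` becomes `opcua.identifier`, and both `locale` and `application_type` target `opcua.sequence_number`. The duplicate target is more than cosmetic — as far as I recall the rename processor fails when the target already exists and only `ignore_missing` is set here, so an event carrying both fields would error the pipeline — and the mislabelled security mode and policy URI mean the one query an analyst wants from this log (endpoints advertising SecurityMode None or no security policy) lands in link-id and request-id fields where it is indistinguishable from noise. The create_session_endpoints pipeline in this same change maps the same field set under sensible names, so the rename block should mirror it; its source list also differs slightly (`endpoint_uri` here vs `endpoint_url` there, and no `application_uri`), which is worth checking against the log header at the same time. The remove, json and pipeline processors are unchanged below.

```json
    { "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } },
    { "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
    { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
    { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
    { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
    { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
    { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
    { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
    { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
    { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
    { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } },
    { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
```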
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_user_token
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.opcua_get_endpoints_user_token",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_type", "target_field": "opcua.user_token.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_sec_policy_uri", "target_field": "opcua.user_token.security_policy_uri", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_opensecure_channel b/salt/elasticsearch/files/ingest/zeek.opcua_opensecure_channel
new file mode 100644
index 000000000..4e8fb483a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_opensecure_channel
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.opcua_opensecure_channel",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server.protocol.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_token_sec_channel_id", "target_field": "opcua.security_token.security_channel_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.created", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.revised", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server.nonce", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_status_code_detail b/salt/elasticsearch/files/ingest/zeek.opcua_status_code_detail
new file mode 100644
index 000000000..0d4ae984a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_status_code_detail
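Review bot: Five rename processors read `message2.server_proto_ver`; only the first (to `opcua.server.protocol.version`) can succeed, after which the source is gone and `ignore_missing: true` silently skips the renames to `opcua.security_token.id`, `opcua.security_token.created`, `opcua.security_token.revised` and `opcua.server.nonce`, so those four fields are never indexed and the token-lifetime data one would use to spot secure channels that never renew their token stays under `message2` with its Zeek name. Each of the four should read its own column — the opensecure_channel log presumably carries distinct token-id, created-at, revised-lifetime and server-nonce fields alongside `sec_token_sec_channel_id`, which is mapped correctly — and the exact names should be taken from the icsnpp-opcua-binary log header rather than guessed.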
@@ -0,0 +1,21 @@
+{
+ "description" : "zeek.opcua_stats_code_detail",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.source", "target_field": "opcua.source", "ignore_missing": true } },
+ { "rename": { "field": "message2.source_str", "target_field": "opcua.source_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.source_level", "target_field": "opcua.source_level", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code", "target_field": "opcua.status_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.severity", "target_field": "opcua.severity", "ignore_missing": true } },
+ { "rename": { "field": "message2.severity_str", "target_field": "opcua.severity_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.sub_code", "target_field": "opcua.sub_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.sub_code_str", "target_field": "opcua.sub_code_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.structure_changed", "target_field": "opcua.structure_changed", "ignore_missing": true } },
+ { "rename": { "field": "message2.semantics_changed", "target_field": "opcua.semantics_changed", "ignore_missing": true } },
+ { "rename": { "field": "message2.info_type", "target_field": "opcua.info_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.info_type_str", "target_field": "opcua.info_type_string", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/setup/so-functions b/setup/so-functions
index 8858856be..85032e275 100755
--- a/setup/so-functions
+++ b/setup/so-functions
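Review bot: The `description` reads `"zeek.opcua_stats_code_detail"`, a typo for the pipeline's own name; `"description" : "zeek.opcua_status_code_detail"` matches the naming every other pipeline in this change uses and avoids a dead end when searching pipelines by log name. Note that `opcua.status_code.link_id` is written here as a nested object while the rename `opcua.status_code` on the status-code value itself would then need `status_code` to be both an object and a scalar in the same document — that combination will fail mapping for any event carrying both fields, so one of the two targets should be renamed (for example `opcua.status_code.value`); the same `opcua.status_code.link_id` name is used in the browse_result pipeline, so keep the object form there too. The remaining field mapping is consistent with the Zeek column names.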
@@ -3020,6 +3020,43 @@ zeek_logs_enabled() {
 " - modbus_read_write_multiple_registers"\
 " - bacnet"\
 " - bacnet_discovery"\
- " - bacnet_property" >> "$zeeklogs_pillar"
+ " - bacnet_property"
+ " - ecat_registers"\
+ " - ecat_log_address"\
+ " - ecat_dev_info"\
+ " - ecat_aoe_info"\
+ " - ecat_coe_info"\
+ " - ecat_foe_info"\
+ " - ecat_soe_info"\
+ " - ecat_arp_info"\
+ " - enip"\
+ " - cip"\
+ " - cip_io"\
+ " - cip_identity"\
+ " - opcua_binary"\
+ " - opcua_binary_status_code_detail"\
+ " - opcua_binary_diag_info_detail"\
+ " - opcua_binary_get_endpoints"\
+ " - opcua_binary_get_endpoints_discovery"\
+ " - opcua_binary_get_endpoints_user_token"\
+ " - opcua_binary_get_endpoints_description"\
+ " - opcua_binary_get_endpoints_locale_id"\
+ " - opcua_binary_get_endpoints_profile_uri"\
+ " - opcua_binary_create_session"\
+ " - opcua_binary_create_session_user_token"\
+ " - opcua_binary_create_session_endpoints"\
+ " - opcua_binary_create_session_discovery"\
+ " - opcua_binary_activate_session"\
+ " - opcua_binary_activate_session_client_software_cert"\
+ " - opcua_binary_activate_session_locale_id"\
+ " - opcua_binary_activate_session_diagnostic_info"\
+ " - opcua_binary_browse"\
+ " - opcua_binary_browse_description"\
+ " - opcua_binary_browse_request_continuation_point"\
+ " - opcua_binary_browse_result"\
+ " - opcua_binary_browse_response_references"\
+ " - opcua_binary_browse_diagnostic_info"\
+ " - opcua_binary_create_subscription"\
+ " - opcua_binary_read" >> "$zeeklogs_pillar"
 fi
 }
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 2c60b7e3e..e7d5e4507 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
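Review bot: The new `" - bacnet_property"` line has no trailing backslash, while the removed line it replaces was the one carrying the redirect that ended the command; as rendered here the command now stops at `bacnet_property` and writes the whole list to stdout instead of `$zeeklogs_pillar`, after which bash tries to execute `" - ecat_registers"` as a command and fails, so none of the ecat/enip/cip/opcua entries ever reach the pillar and the earlier entries are lost too. The fix is one character: `" - bacnet_property"\`. It is possible the backslash was dropped by the rendering rather than the commit, so please check the raw file. The command these strings are arguments to begins above the hunk, so I cannot see whether a `set -e` would abort setup at the failed line or let it continue silently.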
@@ -1312,7 +1312,58 @@ whiptail_manager_adv_service_zeeklogs() {
 "weird" "Zeek Weird Logs" ON \
 "mysql" "MySQL Logs" ON \
 "socks" "SOCKS Logs" ON \
- "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3)
+ "x509" "x.509 Logs" ON \
+ "modbus_detailed" "MODBUS Details" ON \
+ "modbus_mask_write_register" "MODBUS Write Register" ON \
+ "modbus_read_write_multiple_registers" "MODBUS Multi Registers" ON \
+ "dnp3_objects" "DNP3 Objections" ON \
+ "bacnet" "BACnet" ON \
+ "bacnet_discovery" "BACnet Discovery" ON \
+ "bacnet_property" "BACnet Property" ON \
+ "bsap_ip_header" "BSAP IP Header" ON \
+ "bsap_ip_rdb" "BSAP IP RDB" ON \
+ "bsap_ip_unknown" "BSAP IP Unknown" ON \
+ "bsap_serial_header" "BSAP Serial Header" ON \
+ "bsap_serial_rdb" "BSAP Serial RDB" ON \
+ "bsap_serial_rdb_ext" "BSAP Serial RDB Extenstion" ON \
+ "bsap_serial_unknown" "BSAP Serial Unknown" ON \
+ "ecat_registers" "Ethercat Registers" ON \
+ "ecat_log_address" "Ethercat Address Read Write" ON \
+ "ecat_dev_info" "Ethercat Device Info" ON \
+ "ecat_aoe_info" "Ethercat AoE Info" ON \
+ "ecat_coe_info" "Ethercat CoE Info" ON \
+ "ecat_foe_info" "Ethercat FoE Info" ON \
+ "ecat_soe_info" "Ethercat SoE Info" ON \
+ "ecat_arp_info" "Ethercat ARP Info" ON \
+ "enip" "ENIP Header" ON \
+ "cip" "CIP Header" ON \
+ "cip_io" "CIP I/O" ON \
+ "cip_identity" "CIP Identity" ON \
+ "opcua_binary" "OPC UA Binary Encoding" ON \
+ "opcua_binary_status_code_detail" "OPC UA Detail" ON \
+ "opcua_binary_diag_info_detail" "OPC UA Diag" ON \
+ "opcua_binary_get_endpoints" "OPC UA Endpoints" ON \
+ "opcua_binary_get_endpoints_discovery" "OPC UA Endpoints" ON \
+ "opcua_binary_get_endpoints_user_token" "OPC UA Endpoints" ON \
+ "opcua_binary_get_endpoints_description" "OPC UA Endpoints" ON \
+ "opcua_binary_get_endpoints_locale_id" "OPC UA Endpoints" ON \
+ "opcua_binary_get_endpoints_profile_uri" "OPC UA Endpoints" ON \
+ "opcua_binary_create_session" "OPC UA Session" ON \
+ "opcua_binary_create_session_user_token" "OPC UA Session" ON 
\
+ "opcua_binary_create_session_endpoints" "OPC UA Session" ON \
+ "opcua_binary_create_session_discovery" "OPC UA Session" ON \
+ "opcua_binary_activate_session" "OPC UA Session" ON \
+ "opcua_binary_activate_session_client_software_cert" "OPC UA Session" ON \
+ "opcua_binary_activate_session_locale_id" "OPC UA Session" ON \
+ "opcua_binary_activate_session_diagnostic_info" "OPC UA Session" ON \
+ "opcua_binary_browse" "OPC UA Browse" ON \
+ "opcua_binary_browse_description" "OPC UA Browse" ON \
+ "opcua_binary_browse_request_continuation_point" "OPC UA Browse" ON \
+ "opcua_binary_browse_result" "OPC UA Browse" ON \
+ "opcua_binary_browse_response_references" "OPC UA Browse" ON \
+ "opcua_binary_browse_diagnostic_info" "OPC UA Browse" ON \
+ "opcua_binary_create_subscription" "OPC UA UA Browse" ON \
+ "opcua_binary_read" "OPC UA Read" ON 3>&1 1>&2 2>&3)
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
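Review bot: Three of the new menu labels are wrong or garbled: `"dnp3_objects" "DNP3 Objections"` should read `"DNP3 Objects"`, `"BSAP Serial RDB Extenstion"` should be `"Extension"`, and `"opcua_binary_create_subscription" "OPC UA UA Browse"` is neither a browse log nor spelled right — `"OPC UA Subscription"` describes it. These labels are the only documentation an operator sees when choosing which ICS logs to enable, so they should at least name the log correctly. Every new entry defaults to ON, which is consistent with the existing entries, but on networks that actually carry EtherCAT, ENIP/CIP or OPC UA this may raise Zeek log volume noticeably; a short note in the setup docs that these can be deselected here would help.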