From 015a441e79566aa7558609ebab1e0495f6248091 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 7 Oct 2020 15:20:26 +0000
Subject: [PATCH] Change rule.signature_info to rule.reference and ensure common.nids exists

---
 salt/elasticsearch/files/ingest/common.nids | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 salt/elasticsearch/files/ingest/common.nids

diff --git a/salt/elasticsearch/files/ingest/common.nids b/salt/elasticsearch/files/ingest/common.nids
new file mode 100644
index 000000000..448abdd17
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/common.nids
@@ -0,0 +1,15 @@
+{
+ "description" : "common.nids",
+ "processors" : [
+ { "convert": { "if": "ctx.rule.uuid != null", "field": "rule.uuid", "type": "integer" } },
+ { "set": { "if": "ctx.rule?.uuid < 1000000", "field": "rule.reference", "value": "https://www.snort.org/search?query={{rule.gid}}-{{rule.uuid}}" } },
+ { "set": { "if": "ctx.rule?.uuid > 1999999", "field": "rule.referemce", "value": "https://doc.emergingthreats.net/{{rule.uuid}}" } },
+ { "convert": { "if": "ctx.rule.uuid != null", "field": "rule.uuid", "type": "string" } },
+ { "set": { "if": "ctx.rule?.name =~ /^GPL/", "field": "rule.ruleset", "value": "Snort GPL" } },
+ { "set": { "if": "ctx.rule?.name =~ /^ET/", "field": "rule.ruleset", "value": "Emerging Threats" } },
+ { "set": { "if": "ctx.rule.severity == 3", "field": "event.severity", "value": 1, "override": true } },
+ { "set": { "if": "ctx.rule.severity == 2", "field": "event.severity", "value": 2, "override": true } },
+ { "set": { "if": "ctx.rule.severity == 1", "field": "event.severity", "value": 3, "override": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
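Review bot: The Emerging Threats `set` processor writes to `rule.referemce`, a misspelling of the `rule.reference` field the commit title says it is introducing, so ET rules (uuid > 1999999) end up with a stray field and no reference link while Snort rules get one; the line should read `{ "set": { "if": "ctx.rule?.uuid > 1999999", "field": "rule.reference", "value": "https://doc.emergingthreats.net/{{rule.uuid}}" } },`. Null-safety is also inconsistent across the processors: the two `convert` conditions use `ctx.rule.uuid != null` and the three severity mappings use `ctx.rule.severity == …`, while the reference and ruleset conditions use `ctx.rule?.`; if a document without a `rule` object reaches this pipeline, the first `convert` condition fails instead of being skipped, so `ctx.rule?.uuid != null` and `ctx.rule?.severity == 3` would be the safer form. It may be intentional, but note that uuids from 1000000 to 1999999 match neither reference condition and get no `rule.reference` at all.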