From 8c07c098f6007f5f7354966afc477b49a717851a Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Tue, 6 Oct 2020 20:14:15 +0000
Subject: [PATCH] Pipeline cleanup
---
salt/elasticsearch/files/ingest/common_nids | 17 --------------
salt/elasticsearch/files/ingest/sguild_nids | 25 ---------------------
salt/elasticsearch/files/ingest/snort | 21 -----------------
3 files changed, 63 deletions(-)
delete mode 100644 salt/elasticsearch/files/ingest/common_nids
delete mode 100644 salt/elasticsearch/files/ingest/sguild_nids
delete mode 100644 salt/elasticsearch/files/ingest/snort
diff --git a/salt/elasticsearch/files/ingest/common_nids b/salt/elasticsearch/files/ingest/common_nids
deleted file mode 100644
index 4fffab7c1..000000000
--- a/salt/elasticsearch/files/ingest/common_nids
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "description" : "common_nids",
- "processors" : [
- { "convert": { "field": "sid", "type": "integer" } },
- { "set": { "if": "ctx.sid < 1000000", "field": "signature_info", "value": "https://www.snort.org/search?query={{gid}}-{{sid}}" } },
- { "set": { "if": "ctx.sid > 1999999", "field": "signature_info", "value": "https://doc.emergingthreats.net/{{sid}}" } },
- { "remove": { "if": "ctx.sid > 2999999", "field": "signature_info" } },
- { "set": { "if": "ctx.priority == '1'", "field": "severity", "value": "High" } },
- { "set": { "if": "ctx.priority == '2'", "field": "severity", "value": "Medium" } },
- { "set": { "if": "ctx.priority == '3'", "field": "severity", "value": "Low" } },
- { "dissect": { "field": "alert", "pattern" : "%{rule_type} %{category} ", "ignore_failure": true } },
- { "set": { "if": "ctx.rule_type == 'GPL'", "field": "rule_type", "value": "Snort GPL" } },
- { "set": { "if": "ctx.rule_type == 'ET'", "field": "rule_type", "value": "Emerging Threats" } },
- { "lowercase": { "field": "category", "ignore_failure": true } },
- { "pipeline": { "name": "common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/sguild_nids b/salt/elasticsearch/files/ingest/sguild_nids
deleted file mode 100644
index c7bcdc418..000000000
--- a/salt/elasticsearch/files/ingest/sguild_nids
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "description" : "sguild_nids",
- "processors" : [
- {
- "dissect": {
- "field": "message",
- "pattern" : "%{} %{} %{} Alert Received: %{} %{priority} %{classification} %{interface} {%{alerttime}} %{} %{} {%{alert}} %{source_ip} %{destination_ip} %{protocol} %{source_port} %{destination_port} %{gid} %{sid} %{rev} ",
- "on_failure": [ { "drop" : { } } ]
- }
- },
- { "set": { "if": "ctx.protocol == '1'", "field": "protocol", "value": "ICMP" } },
- { "set": { "if": "ctx.protocol == '6'", "field": "protocol", "value": "TCP" } },
- { "set": { "if": "ctx.protocol == '17'", "field": "protocol", "value": "UDP" } },
- { "remove": { "if": "ctx.source_ip == '{}'", "field": "source_ip" } },
- { "remove": { "if": "ctx.destination_ip == '{}'", "field": "destination_ip" } },
- { "remove": { "if": "ctx.protocol == '{}'", "field": "protocol" } },
- { "remove": { "if": "ctx.source_port == '{}'", "field": "source_port" } },
- { "remove": { "if": "ctx.destination_port == '{}'", "field": "destination_port" } },
- { "set": { "field": "type", "value": "snort" } },
- { "rename": { "field": "@timestamp", "target_field": "timestamp", "ignore_missing": true } },
- { "date": { "field": "alerttime", "target_field": "@timestamp", "formats": ["yyyy-MM-dd HH:mm:ss"], "ignore_failure": true } },
- { "remove": { "field": "alerttime", "ignore_missing": true } },
- { "pipeline": { "name": "common_nids" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/snort b/salt/elasticsearch/files/ingest/snort
deleted file mode 100644
index b841ca917..000000000
--- a/salt/elasticsearch/files/ingest/snort
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "description" : "snort",
- "processors" : [
- {
- "dissect": {
- "field": "message",
- "pattern" : "[%{gid}:%{sid}:%{rev}] %{alert} [Classification: %{classification}] [Priority: %{priority}]: <%{interface}> {%{protocol}} %{source_ip_port} -> %{destination_ip_port}",
- "on_failure": [ { "drop" : { } } ]
- }
- },
- { "split": { "field": "source_ip_port", "separator": ":", "ignore_failure": true } },
- { "split": { "field": "destination_ip_port", "separator": ":", "ignore_failure": true } },
- { "rename":{ "field": "source_ip_port.1", "target_field": "source_port", "ignore_failure": true } },
- { "rename":{ "field": "destination_ip_port.1", "target_field": "destination_port", "ignore_failure": true } },
- { "rename":{ "field": "source_ip_port.0", "target_field": "source_ip", "ignore_failure": true } },
- { "rename":{ "field": "destination_ip_port.0", "target_field": "destination_ip", "ignore_failure": true } },
- { "remove":{ "field": "source_ip_port", "ignore_failure": true } },
- { "remove":{ "field": "destination_ip_port", "ignore_failure": true } },
- { "pipeline": { "name": "common_nids" } }
- ]
-}