From b7aaaa80bb48a5c42248ea8ddc56c735cbba7f5d Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 12:51:13 -0700
Subject: [PATCH 1/7] Create Ingest for DNP3 Objects extension
---
salt/elasticsearch/files/ingest/dnp3_objects | 13 +++++++++++++
1 file changed, 13 insertions(+)
create mode 100644 salt/elasticsearch/files/ingest/dnp3_objects
diff --git a/salt/elasticsearch/files/ingest/dnp3_objects b/salt/elasticsearch/files/ingest/dnp3_objects
new file mode 100644
index 000000000..c78ae9e1f
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/dnp3_objects
@@ -0,0 +1,13 @@
+{
+ "description" : "zeek.dnp3_objects",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.function_code", "target_field": "dnp3.function_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.object_type", "target_field": "dnp3.object_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.object_count", "target_field": "dnp3.object_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.range_low", "target_field": "dnp3.range_low", "ignore_missing": true } },
+ { "rename": { "field": "message2.range_high", "target_field": "dnp3.range_high", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
From 072bfd87b7b78f9696cec29480e755e7899e63ee Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 12:53:30 -0700
Subject: [PATCH 2/7] Create Ingest for Modbus Detailed
---
salt/elasticsearch/files/ingest/modbus_detailed | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100644 salt/elasticsearch/files/ingest/modbus_detailed
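Review bot: The `json` processor on the second processor line runs with `ignore_failure: true`, so a `message` that is not valid JSON leaves `message2` unset, every following `rename` no-ops under `ignore_missing`, and the event reaches `zeek.common` with no `dnp3.*` fields and nothing marking it as unparsed. Unless `zeek.common` (outside this patch) tags such documents, consider an `on_failure` handler on that processor, e.g. `{ "json": { "field": "message", "target_field": "message2", "on_failure": [ { "append": { "field": "tags", "value": ["dnp3_parse_failure"] } } ] } }` (tag value is illustrative), so parse failures are searchable rather than silent. The same pattern is in the modbus_detailed, zeek.modbus_mask_write_register and zeek.read_write_multiple_registers pipelines later in this series.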
diff --git a/salt/elasticsearch/files/ingest/modbus_detailed b/salt/elasticsearch/files/ingest/modbus_detailed
new file mode 100644
index 000000000..723027679
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/modbus_detailed
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.modbus_detailed",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.address", "target_field": "modbus.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.quality", "target_field": "modbus.quality", "ignore_missing": true } },
+ { "rename": { "field": "message2.values", "target_field": "modbus.values", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
From 4ee083759c2e5dd4fb779a76c920ba439aa9527a Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 12:56:35 -0700
Subject: [PATCH 3/7] Rename dnp3_objects to zeek.dnp3_objects
---
.../files/ingest/{dnp3_objects => zeek.dnp3_objects} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename salt/elasticsearch/files/ingest/{dnp3_objects => zeek.dnp3_objects} (100%)
diff --git a/salt/elasticsearch/files/ingest/dnp3_objects b/salt/elasticsearch/files/ingest/zeek.dnp3_objects
similarity index 100%
rename from salt/elasticsearch/files/ingest/dnp3_objects
rename to salt/elasticsearch/files/ingest/zeek.dnp3_objects
From 39f050c6e401041455ba41533c8bff7436bd677f Mon Sep 17 00:00:00 2001
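Review bot: The source field `message2.quality` in the fifth `rename` looks like a misspelling: a Modbus read/write request carries an address and a register count, and the Zeek modbus_detailed log I am aware of names that column `quantity`, sitting between `address` and `values` exactly as here. Because the rename uses `ignore_missing: true`, a wrong source name never errors; the value simply stays inside `message2` and `modbus.quality` is never populated, which is invisible at ingest time. Verify the column name against the Zeek log schema feeding this pipeline; if it is `quantity`, the line should read `{ "rename": { "field": "message2.quantity", "target_field": "modbus.quantity", "ignore_missing": true } },`.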
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 12:56:59 -0700
Subject: [PATCH 4/7] Rename modbus_detailed to zeek.modbus_detailed
---
.../files/ingest/{modbus_detailed => zeek.modbus_detailed} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename salt/elasticsearch/files/ingest/{modbus_detailed => zeek.modbus_detailed} (100%)
diff --git a/salt/elasticsearch/files/ingest/modbus_detailed b/salt/elasticsearch/files/ingest/zeek.modbus_detailed
similarity index 100%
rename from salt/elasticsearch/files/ingest/modbus_detailed
rename to salt/elasticsearch/files/ingest/zeek.modbus_detailed
From e5c69c32360140ecb46be3f886c0566b5ef880db Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 12:58:36 -0700
Subject: [PATCH 5/7] Create zeek.modbus_mask_write_register
---
.../files/ingest/zeek.modbus_mask_write_register | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100644 salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register
diff --git a/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register b/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register
new file mode 100644
index 000000000..b03ff569a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.modbus_mask_write_register",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.address", "target_field": "modbus.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.and_mask", "target_field": "modbus.and.mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.or_mask", "target_field": "modbus.or.maks", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
From 9ac06057c103ce879475cf0c4dc1145d580654d6 Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 13:00:12 -0700
Subject: [PATCH 6/7] Create zeek.read_write_multiple_registers
---
.../ingest/zeek.read_write_multiple_registers | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 salt/elasticsearch/files/ingest/zeek.read_write_multiple_registers
diff --git a/salt/elasticsearch/files/ingest/zeek.read_write_multiple_registers b/salt/elasticsearch/files/ingest/zeek.read_write_multiple_registers
new file mode 100644
index 000000000..e60c593fe
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.read_write_multiple_registers
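Review bot: The last `rename` before the `zeek.common` call writes to `modbus.or.maks`, a typo of `modbus.or.mask` that breaks the symmetry with the sibling `modbus.and.mask` and will miss any mapping, dashboard or detection keyed on the intended name. It should read `{ "rename": { "field": "message2.or_mask", "target_field": "modbus.or.mask", "ignore_missing": true } },`. Note that `ignore_missing` only covers an absent source field, so nothing at ingest time flags this; the OR mask is indexed under the wrong field without error.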
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.read_write_multiple_registers",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.write_start_address", "target_field": "modbus.write.start.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.write_registers", "target_field": "modbus.write.registers", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_start_address", "target_field": "modbus.write.start.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.read.quality", "target_field": "modbus.read.quality", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_registers", "target_field": "modbus.read.registers", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
From 7a60d0987c323bd9dc6c8037c43bcc603f658b0f Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Fri, 21 Oct 2022 13:02:01 -0700
Subject: [PATCH 7/7] Update zeek.conn to include client.oui
---
salt/elasticsearch/files/ingest/zeek.conn | 1 +
1 file changed, 1 insertion(+)
diff --git a/salt/elasticsearch/files/ingest/zeek.conn b/salt/elasticsearch/files/ingest/zeek.conn
index 5e3ae9c79..4cca15896 100644
--- a/salt/elasticsearch/files/ingest/zeek.conn
+++ b/salt/elasticsearch/files/ingest/zeek.conn
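Review bot: The `rename` for `message2.read_start_address` targets `modbus.write.start.address`, the field the preceding `write_start_address` rename has already filled; the rename processor raises when its target already exists and `ignore_missing` does not cover that case, so a record carrying both addresses would fail the pipeline, while one carrying only the read address would be indexed as a write address. The target should be `modbus.read.start.address`, matching the `modbus.read.registers` line below it. Separately, the source `message2.read.quality` is the only dotted source name in the series where every other column is snake_case (`read_registers`, `write_registers`), so it will not match the parsed object and silently no-ops under `ignore_missing`; verify the column name against the Zeek log (it may be `read_quantity`) and use the underscore form.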
@@ -17,6 +17,7 @@
 { "rename": { "field": "message2.orig_ip_bytes", "target_field": "client.ip_bytes", "ignore_missing": true } },
 { "rename": { "field": "message2.resp_pkts", "target_field": "server.packets", "ignore_missing": true } },
 { "rename": { "field": "message2.resp_ip_bytes", "target_field": "server.ip_bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.orig_mac_oui", "target_field": "client.oui", "ignore_missing": true } },
 { "rename": { "field": "message2.tunnel_parents", "target_field": "log.id.tunnel_parents", "ignore_missing": true } },
 { "rename": { "field": "message2.orig_cc", "target_field": "client.country_code","ignore_missing": true } },
 { "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } },
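Review bot: The added target `client.oui` is not an ECS field (ECS defines `client.mac` but no `oui`), so unless the zeek.conn index template already declares it, the first document carrying `orig_mac_oui` will be dynamically mapped, most likely as text with a keyword sub-field, which makes aggregations and exact-match detections on vendor prefixes awkward. If this is intended as a custom extension, add an explicit `keyword` mapping for `client.oui` to the template in the same change, and consider whether the responder side has a corresponding field that should land under `server.oui` for symmetry with the surrounding client/server pairs. The enclosing `processors` array starts and ends outside the hunk.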