diff --git a/README.md b/README.md index 933c22abb..1c0a31212 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -## Security Onion 2.3.182 +## Security Onion 2.3 -Security Onion 2.3.182 is here! +Security Onion 2.3 is here! ## Screenshots diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 03cd694db..148598b37 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,18 +1,18 @@ -### 2.3.182-20221109 ISO image built on 2022/11/09 +### 2.3.190-20221205 ISO image built on 2022/12/05 ### Download and Verify -2.3.182-20221109 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.182-20221109.iso +2.3.190-20221205 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.190-20221205.iso -MD5: E472D5A7C64662435F84FD56491D8967 -SHA1: D2069317553AF0A1FB4FB6FE15583FF4E8CB2973 -SHA256: A074EB38B88C0A00BDFD7FB75B4ECB7C46CB0B4CC993CAB81EFDC708B0075D2C +MD5: E8D0BB6F43F67EC64F04AE239781E674 +SHA1: BC58236BDF8DBD86870182B6F79009406DC04138 +SHA256: 34A98078538060486C70A934839A271A5AD66CF50D55EEC04DA0B325B13D56AC Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.182-20221109.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.190-20221205.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.182-20221109.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.190-20221205.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.182-20221109.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.190-20221205.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.182-20221109.iso.sig securityonion-2.3.182-20221109.iso +gpg --verify securityonion-2.3.190-20221205.iso.sig securityonion-2.3.190-20221205.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Wed 09 Nov 2022 07:30:32 AM EST using RSA key ID FE507013 +gpg: Signature made Mon 05 Dec 2022 12:27:49 PM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/VERSION b/VERSION index 273a340a5..eba1e6a4f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.182 +2.3.190 diff --git a/pillar/zeek/init.sls b/pillar/zeek/init.sls index 5eeb273b9..b4bce17fd 100644 --- a/pillar/zeek/init.sls +++ b/pillar/zeek/init.sls 
@@ -48,6 +48,19 @@ zeek: - securityonion/bpfconf - securityonion/communityid - securityonion/file-extraction + - oui-logging + - icsnpp-modbus + - icsnpp-dnp3 + - icsnpp-bacnet + - icsnpp-ethercat + - icsnpp-enip + - icsnpp-opcua-binary + - icsnpp-bsap + - icsnpp-s7comm + - zeek-plugin-tds + - zeek-plugin-profinet + - zeek-spicy-wireguard + - zeek-spicy-stun '@load-sigs': - frameworks/signatures/detect-windows-shells redef: diff --git a/salt/common/files/sensor-rotate.conf b/salt/common/files/sensor-rotate.conf index cefd3944e..797eb8a45 100644 --- a/salt/common/files/sensor-rotate.conf +++ b/salt/common/files/sensor-rotate.conf @@ -19,4 +19,17 @@ extension .log dateext dateyesterday -} \ No newline at end of file +} + +/opt/so/log/strelka/filecheck.log +{ + daily + rotate 14 + missingok + copytruncate + compress + create + extension .log + dateext + dateyesterday +} diff --git a/salt/common/init.sls b/salt/common/init.sls index 0eaf5e77e..94a1b4869 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -38,15 +38,15 @@ socore: soconfperms: file.directory: - name: /opt/so/conf - - uid: 939 - - gid: 939 + - user: 939 + - group: 939 - dir_mode: 770 sostatusconf: file.directory: - name: /opt/so/conf/so-status - - uid: 939 - - gid: 939 + - user: 939 + - group: 939 - dir_mode: 770 so-status.conf: @@ -57,8 +57,8 @@ so-status.conf: sosaltstackperms: file.directory: - name: /opt/so/saltstack - - uid: 939 - - gid: 939 + - user: 939 + - group: 939 - dir_mode: 770 so_log_perms: diff --git a/salt/common/tools/sbin/so-pcap-export b/salt/common/tools/sbin/so-pcap-export index 25b89d4b7..bdeb76917 100755 --- a/salt/common/tools/sbin/so-pcap-export +++ b/salt/common/tools/sbin/so-pcap-export 
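Review bot: The thirteen new `@load` entries turn on ICS/OT and Spicy protocol parsers (icsnpp-*, zeek-plugin-tds, zeek-plugin-profinet, zeek-spicy-wireguard, zeek-spicy-stun) for every Zeek sensor with no opt-out in the pillar, so untrusted wire traffic now reaches considerably more third-party parsing code and costs CPU even at sites that never carry these protocols. Consider gating the ICS group behind a pillar key, or at least put a comment above the list such as `# ICS/OT parsers (icsnpp-*, profinet, tds) are loaded on every sensor; remove entries here to disable, or use so-zeek-logs to stop shipping their logs` so operators know where the switch is. Whether these plugins are version-pinned in the Zeek image is not visible in this hunk and is worth confirming.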
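Review bot: The new `/opt/so/log/strelka/filecheck.log` stanza combines `create` with `copytruncate`; per the logrotate manual `create` has no effect when `copytruncate` is in use, because the original file is truncated in place rather than replaced, so the stanza's intent is ambiguous. Either drop `create`, or, if the log should be recreated with a specific mode and owner after rotation, drop `copytruncate` and give `create` explicit arguments — as written no mode is set either way. The preceding stanza shows the same pair, so this looks like a copied pattern; if it is kept deliberately a one-line comment `# copytruncate: file is never replaced, so create is a no-op` would stop readers from puzzling over it.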
@@ -20,7 +20,7 @@ if [ $# -lt 2 ]; then exit 1 fi -docker exec -it so-sensoroni scripts/stenoquery.sh "$1" -w /nsm/pcapout/$2.pcap +docker exec -t so-sensoroni scripts/stenoquery.sh "$1" -w /nsm/pcapout/$2.pcap echo "" echo "If successful, the output was written to: /nsm/pcapout/$2.pcap" diff --git a/salt/common/tools/sbin/so-zeek-logs b/salt/common/tools/sbin/so-zeek-logs index f6df7f8aa..a78949c95 100755 --- a/salt/common/tools/sbin/so-zeek-logs +++ b/salt/common/tools/sbin/so-zeek-logs 
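Review bot: `$2` is still expanded unquoted into the output path on the changed line, so a name containing whitespace is split into extra arguments and a value such as `../x` escapes `/nsm/pcapout/` inside the so-sensoroni container; the `$# -lt 2` check above only verifies that an argument was given. Reject separators and quote the expansion, e.g. `case "$2" in ""|*/*|*..*) echo "invalid output name: $2" >&2; exit 1;; esac` before the exec and `-w "/nsm/pcapout/$2.pcap"` on the exec line. The final `echo` prints the same unvalidated value. Dropping `-i` is fine for a non-interactive run.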
@@ -10,39 +10,118 @@ zeek_logs_enabled() { } whiptail_manager_adv_service_zeeklogs() { - BLOGS=$(whiptail --title "so-zeek-logs" --checklist "Please Select Logs to Send:" 24 78 12 \ - "conn" "Connection Logging" ON \ - "dce_rpc" "RPC Logs" ON \ - "dhcp" "DHCP Logs" ON \ - "dnp3" "DNP3 Logs" ON \ - "dns" "DNS Logs" ON \ - "dpd" "DPD Logs" ON \ - "files" "Files Logs" ON \ - "ftp" "FTP Logs" ON \ - "http" "HTTP Logs" ON \ - "intel" "Intel Hits Logs" ON \ - "irc" "IRC Chat Logs" ON \ - "kerberos" "Kerberos Logs" ON \ - "modbus" "MODBUS Logs" ON \ - "notice" "Zeek Notice Logs" ON \ - "ntlm" "NTLM Logs" ON \ - "pe" "PE Logs" ON \ - "radius" "Radius Logs" ON \ - "rfb" "RFB Logs" ON \ - "rdp" "RDP Logs" ON \ - "sip" "SIP Logs" ON \ - "smb_files" "SMB Files Logs" ON \ - "smb_mapping" "SMB Mapping Logs" ON \ - "smtp" "SMTP Logs" ON \ - "snmp" "SNMP Logs" ON \ - "ssh" "SSH Logs" ON \ - "ssl" "SSL Logs" ON \ - "syslog" "Syslog Logs" ON \ - "tunnel" "Tunnel Logs" ON \ - "weird" "Zeek Weird Logs" ON \ - "mysql" "MySQL Logs" ON \ - "socks" "SOCKS Logs" ON \ - "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 ) + BLOGS=$(whiptail --title "so-zeek-logs" --checklist "Please select logs to send:" 24 78 12 \ + "conn" "" ON \ + "dce_rpc" "" ON \ + "dhcp" "" ON \ + "dnp3" "" ON \ + "dns" "" ON \ + "dpd" "" ON \ + "files" "" ON \ + "ftp" "" ON \ + "http" "" ON \ + "intel" "" ON \ + "irc" "" ON \ + "kerberos" "" ON \ + "modbus" "" ON \ + "notice" "" ON \ + "ntlm" "" ON \ + "pe" "" ON \ + "radius" "" ON \ + "rfb" "" ON \ + "rdp" "" ON \ + "sip" "" ON \ + "smb_files" "" ON \ + "smb_mapping" "" ON \ + "smtp" "" ON \ + "snmp" "" ON \ + "software" "" ON \ + "ssh" "" ON \ + "ssl" "" ON \ + "syslog" "" ON \ + "tunnel" "" ON \ + "weird" "" ON \ + "mysql" "" ON \ + "socks" "" ON \ + "x509" "" ON \ + "bacnet" "" ON \ + "bacnet_discovery" "" ON \ + "bacnet_property" "" ON \ + "bsap_ip_header" "" ON \ + "bsap_ip_rdb" "" ON \ + "bsap_ip_unknown" "" ON \ + "bsap_serial_header" "" ON \ + "bsap_serial_rdb" "" ON \ + 
"bsap_serial_rdb_ext" "" ON \ + "bsap_serial_unknown" "" ON \ + "cip" "" ON \ + "cip_identity" "" ON \ + "cip_io" "" ON \ + "cotp" "" ON \ + "dnp3_control" "" ON \ + "dnp3_objects" "" ON \ + "ecat_aoe_info" "" ON \ + "ecat_arp_info" "" OFF \ + "ecat_coe_info" "" ON \ + "ecat_dev_info" "" ON \ + "ecat_foe_info" "" ON \ + "ecat_log_address" "" ON \ + "ecat_registers" "" ON \ + "ecat_soe_info" "" ON \ + "enip" "" ON \ + "modbus_detailed" "" ON \ + "modbus_mask_write_register" "" ON \ + "modbus_read_write_multiple_registers" "" ON \ + "opcua_binary" "" ON \ + "opcua_binary_activate_session" "" ON \ + "opcua_binary_activate_session_client_software_cert" "" ON \ + "opcua_binary_activate_session_diagnostic_info" "" ON \ + "opcua_binary_activate_session_locale_id" "" ON \ + "opcua_binary_browse" "" ON \ + "opcua_binary_browse_description" "" ON \ + "opcua_binary_browse_diagnostic_info" "" ON \ + "opcua_binary_browse_request_continuation_point" "" ON \ + "opcua_binary_browse_response_references" "" ON \ + "opcua_binary_browse_result" "" ON \ + "opcua_binary_create_session" "" ON \ + "opcua_binary_create_session_discovery" "" ON \ + "opcua_binary_create_session_endpoints" "" ON \ + "opcua_binary_create_session_user_token" "" ON \ + "opcua_binary_create_subscription" "" ON \ + "opcua_binary_diag_info_detail" "" ON \ + "opcua_binary_get_endpoints" "" ON \ + "opcua_binary_get_endpoints_description" "" ON \ + "opcua_binary_get_endpoints_discovery" "" ON \ + "opcua_binary_get_endpoints_locale_id" "" ON \ + "opcua_binary_get_endpoints_profile_uri" "" ON \ + "opcua_binary_get_endpoints_user_token" "" ON \ + "opcua_binary_opensecure_channel" "" ON \ + "opcua_binary_read" "" ON \ + "opcua_binary_read_array_dims" "" ON \ + "opcua_binary_read_array_dims_link" "" ON \ + "opcua_binary_read_diagnostic_info" "" ON \ + "opcua_binary_read_extension_object" "" ON \ + "opcua_binary_read_extension_object_link" "" ON \ + "opcua_binary_read_nodes_to_read" "" ON \ + "opcua_binary_read_results" "" 
ON \ + "opcua_binary_read_results_link" "" ON \ + "opcua_binary_read_status_code" "" ON \ + "opcua_binary_read_variant_data" "" ON \ + "opcua_binary_read_variant_data_link" "" ON \ + "opcua_binary_status_code_detail" "" ON \ + "profinet" "" ON \ + "profinet_dce_rpc" "" ON \ + "profinet_debug" "" ON \ + "s7comm" "" ON \ + "s7comm_plus" "" ON \ + "s7comm_read_szl" "" ON \ + "s7comm_upload_download" "" ON \ + "stun" "" ON \ + "stun_nat" "" ON \ + "tds" "" ON \ + "tds_rpc" "" ON \ + "tds_sql_batch" "" ON \ + "wireguard" "" ON 3>&1 1>&2 2>&3 ) local exitstatus=$? diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index d97bc2573..31f5bb290 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -550,6 +550,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.3.170 ]] && up_to_2.3.180 [[ "$INSTALLEDVERSION" == 2.3.180 ]] && up_to_2.3.181 [[ "$INSTALLEDVERSION" == 2.3.181 ]] && up_to_2.3.182 + [[ "$INSTALLEDVERSION" == 2.3.182 ]] && up_to_2.3.190 true } @@ -572,6 +573,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.3.170 ]] && post_to_2.3.180 [[ "$POSTVERSION" == 2.3.180 ]] && post_to_2.3.181 [[ "$POSTVERSION" == 2.3.181 ]] && post_to_2.3.182 + [[ "$POSTVERSION" == 2.3.182 ]] && post_to_2.3.190 true } @@ -685,6 +687,11 @@ post_to_2.3.182() { POSTVERSION=2.3.182 } +post_to_2.3.190() { + echo "Nothing to do for .190" + POSTVERSION=2.3.190 +} + stop_salt_master() { # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts set +e @@ -989,6 +996,15 @@ up_to_2.3.182() { INSTALLEDVERSION=2.3.182 } +up_to_2.3.190() { + echo "Upgrading to 2.3.190" + if [ -d /nsm/zeek/extracted/complete ]; then + chown -R zeek:socore /nsm/zeek/extracted/complete + chmod 770 /nsm/zeek/extracted/complete + fi + INSTALLEDVERSION=2.3.190 +} + verify_upgradespace() { CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//') if [ "$CURRENTSPACE" -lt "10" ]; then 
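Review bot: Every entry in the rebuilt checklist now carries an empty description, so the menu shows bare log names where it previously explained them (`"conn" "Connection Logging"`), and the single non-default entry, `"ecat_arp_info" "" OFF`, gives the operator no hint why it alone starts unchecked. Keep a short description on entries whose names are not self-explanatory (the opcua_binary_* and bsap_* families especially), and add a comment above the `ecat_arp_info` line stating the reason it is off — the hunk itself does not say, so I cannot suggest the wording. The dialog title reads "logs to send", so presumably this only gates shipping and the parsers stay loaded regardless; confirm. `whiptail_manager_adv_service_zeeklogs` continues past the end of the hunk.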
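Review bot: In `up_to_2.3.190`, `chown -R zeek:socore` recurses into `/nsm/zeek/extracted/complete` but the following `chmod 770` applies only to the directory itself, so files already extracted keep whatever mode they were written with; if group access to existing files was the goal this does not achieve it, and if the directory-only chmod is deliberate a comment such as `# directory only: extracted files keep their existing mode` would keep the next reader from "fixing" it. Neither command's exit status is examined, and whether soup runs under `set -e` is not visible here, so a failure is either silent or aborts the upgrade midway — appending `|| echo "WARNING: could not fix permissions on /nsm/zeek/extracted/complete"` to each would make that explicit. `verify_upgradespace`, which begins at the end of the hunk, continues outside it.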
diff --git a/salt/elasticsearch/files/ingest/zeek.bacnet b/salt/elasticsearch/files/ingest/zeek.bacnet
new file mode 100644
index 000000000..a96a05b56
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.bacnet",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "bacnet.is_orig", "ignore_missing": true } },
+ { "rename": { "field": "message2.bvlc_function", "target_field": "bacnet.bclv.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_type", "target_field": "bacnet.pdu.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
+ { "rename": { "field": "message2.invoke_id", "target_field": "bacnet.invoke.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.result_code", "target_field": "bacnet.result.code", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.bacnet_discovery b/salt/elasticsearch/files/ingest/zeek.bacnet_discovery
new file mode 100644
index 000000000..c51cbf5c1
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet_discovery
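Review bot: The target for `message2.bvlc_function` is `bacnet.bclv.function` — the acronym is transposed (the source field and the BACnet spec say BVLC, BACnet Virtual Link Control), so any mapping, dashboard or query written against `bacnet.bvlc.function` will silently miss it. Change the line to `{ "rename": { "field": "message2.bvlc_function", "target_field": "bacnet.bvlc.function", "ignore_missing": true } },`. Since this is a new pipeline, fixing the name now avoids having to support both spellings later.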
@@ -0,0 +1,15 @@ +{ + "description" : "zeek.bacnet_discovery", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.is_orig", "target_field": "bacnet.is_orig", "ignore_missing": true } }, + { "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } }, + { "rename": { "field": "message2.object_type", "target_field": "bacnet.object.type", "ignore_missing": true } }, + { "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } }, + { "rename": { "field": "message2.vendor", "target_field": "bacnet.vendor", "ignore_missing": true } }, + { "rename": { "field": "message2.range", "target_field": "bacnet.range", "ignore_missing": true } }, + { "rename": { "field": "message2.object_name", "target_field": "bacnet.object.name", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.bacnet_property b/salt/elasticsearch/files/ingest/zeek.bacnet_property new file mode 100644 index 000000000..d04c4c327 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.bacnet_property 
@@ -0,0 +1,15 @@ +{ + "description" : "zeek.bacnet_property", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.is_orig", "target_field": "bacnet.is_orig", "ignore_missing": true } }, + { "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } }, + { "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } }, + { "rename": { "field": "message2.object_type", "target_field": "bacnet.object.type", "ignore_missing": true } }, + { "rename": { "field": "message2.property", "target_field": "bacnet.property", "ignore_missing": true } }, + { "rename": { "field": "message2.array_index", "target_field": "bacnet.array.index", "ignore_missing": true } }, + { "rename": { "field": "message2.value", "target_field": "bacnet.value", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_ip_header b/salt/elasticsearch/files/ingest/zeek.bsap_ip_header new file mode 100644 index 000000000..b92d7f233 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_header @@ -0,0 +1,10 @@ +{ + "description" : "zeek.bsap_ip_header", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.num_msg", "target_field": "bsap.number.messages", "ignore_missing": true } }, + { "rename": { "field": "message2.type_name", "target_field": "bsap.message.type", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb b/salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb new file mode 100644 index 000000000..f5ebd3a0a --- /dev/null 
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb @@ -0,0 +1,20 @@ +{ + "description" : "zeek.bsap_ip_rdb", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.header_size", "target_field": "bsap.header.length", "ignore_missing": true } }, + { "rename": { "field": "message2.mes_seq", "target_field": "bsap.message.sequence", "ignore_missing": true } }, + { "rename": { "field": "message2.res_seq", "target_field": "bsap.response.sequence", "ignore_missing": true } }, + { "rename": { "field": "message2.data_len", "target_field": "bsap.data.length", "ignore_missing": true } }, + { "rename": { "field": "message2.sequence", "target_field": "bsap.function.sequence", "ignore_missing": true } }, + { "rename": { "field": "message2.app_func_code", "target_field": "bsap.application.function", "ignore_missing": true } }, + { "rename": { "field": "message2.node_status", "target_field": "bsap.node.status", "ignore_missing": true } }, + { "rename": { "field": "message2.func_code", "target_field": "bsap.application.sub_function", "ignore_missing": true } }, + { "rename": { "field": "message2.variable_count", "target_field": "bsap.variable.count", "ignore_missing": true } }, + { "rename": { "field": "message2.variables", "target_field": "bsap.vector.variables", "ignore_missing": true } }, + { "rename": { "field": "message2.variable_value", "target_field": "bsap.vector.variable.value", "ignore_missing": true } }, + { "rename": { "field": "message2.value", "target_field": "bsap.value", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown b/salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown new file mode 100644 index 000000000..15d9a8fd9 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown 
@@ -0,0 +1,9 @@
+{
+ "description" : "zeek.bsap_ip_unknown",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.data", "target_field": "bsap.ip.unknown.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_header b/salt/elasticsearch/files/ingest/zeek.bsap_serial_header
new file mode 100644
index 000000000..b4b499ff1
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_header
@@ -0,0 +1,17 @@
+{
+ "description" : "zeek.bsap_serial_header",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.ser", "target_field": "bsap.message.serial_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.dadd", "target_field": "bsap.destination.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.sadd", "target_field": "bsap.source.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.ctl", "target_field": "bsap.control.byte", "ignore_missing": true } },
+ { "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
+ { "rename": { "field": "message2.sfun", "target_field": "bsap.source.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.nsb", "target_field": "bsap.node.status_byte", "ignore_missing": true } },
+ { "rename": { "field": "message2.type_name", "target_field": "bsap.message.type", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb new file mode 100644 index 000000000..f45d8c0cd --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb @@ -0,0 +1,11 @@ +{ + "description" : "zeek.bsap_serial_rdb", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.func_code", "target_field": "bsap.rdb.function", "ignore_missing": true } }, + { "rename": { "field": "message2.variables", "target_field": "bsap.vector.variables", "ignore_missing": true } }, + { "rename": { "field": "message2.variable_value", "target_field": "bsap.vector.value", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext new file mode 100644 index 000000000..2ca85ad78 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext @@ -0,0 +1,13 @@ +{ + "description" : "zeek.bsap_serial_rdb_ext", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } }, + { "rename": { "field": "message2.seq", "target_field": "bsap.message_sequence", "ignore_missing": true } }, + { "rename": { "field": "message2.nsb", "target_field": "bsap.node_status_byte", "ignore_missing": true } }, + { "rename": { "field": "message2.extfun", "target_field": "bsap.extension.function", "ignore_missing": true } }, + { "rename": { "field": "message2.data", "target_field": "bsap.extension.function_data", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} 
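Review bot: zeek.bsap_serial_rdb_ext maps the same Zeek fields to different Elasticsearch names than zeek.bsap_serial_header does: here `seq` becomes `bsap.message_sequence` and `nsb` becomes `bsap.node_status_byte`, while the header pipeline uses `bsap.message.sequence` and `bsap.node.status_byte`. Searching or pivoting on a sequence number across the two log types therefore needs two field names, and any field mapping has to declare both. Align on the dotted form, `"target_field": "bsap.message.sequence"` and `"target_field": "bsap.node.status_byte"`, unless the split is intentional. The `func_code` mapping in zeek.bsap_serial_rdb (`bsap.rdb.function`) similarly diverges from zeek.bsap_ip_rdb's `bsap.application.sub_function` for what looks like the same field.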
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown b/salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown
new file mode 100644
index 000000000..ea0c5e471
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown
@@ -0,0 +1,9 @@
+{
+ "description" : "zeek.bsap_serial_unknown",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.data", "target_field": "bsap.serial.unknown.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.cip b/salt/elasticsearch/files/ingest/zeek.cip
new file mode 100644
index 000000000..5182a7037
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.cip
@@ -0,0 +1,19 @@ +{ + "description" : "zeek.cip", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.is_orig", "target_field": "cip.is_orig", "ignore_missing": true } }, + { "rename": { "field": "message2.cip_sequence_count", "target_field": "cip.sequence_count", "ignore_missing": true } }, + { "rename": { "field": "message2.direction", "target_field": "cip.direction", "ignore_missing": true } }, + { "rename": { "field": "message2.cip_service_code", "target_field": "cip.service_code", "ignore_missing": true } }, + { "rename": { "field": "message2.cip_service", "target_field": "cip.service", "ignore_missing": true } }, + { "convert": { "field": "cip.service", "type": "string", "ignore_missing": true } }, + { "rename": { "field": "message2.cip_status", "target_field": "cip.status_code", "ignore_missing": true } }, + { "rename": { "field": "message2.class_id", "target_field": "cip.request.path.class.id", "ignore_missing": true } }, + { "rename": { "field": "message2.class_name", "target_field": "cip.request.path.class.name", "ignore_missing": true } }, + { "rename": { "field": "message2.instance_id", "target_field": "cip.request.path.instance.id", "ignore_missing": true } }, + { "rename": { "field": "message2.attribute_id", "target_field": "cip.request.path.attribute.id", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.cip_identity b/salt/elasticsearch/files/ingest/zeek.cip_identity new file mode 100644 index 000000000..a3522f86a --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.cip_identity 
@@ -0,0 +1,21 @@ +{ + "description" : "zeek.cip_identity", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.encapsulation_version", "target_field": "cip.encapsulation.version", "ignore_missing": true } }, + { "rename": { "field": "message2.socket_address", "target_field": "cip.socket.address", "ignore_missing": true } }, + { "rename": { "field": "message2.socket_port", "target_field": "cip.socket.port", "ignore_missing": true } }, + { "rename": { "field": "message2.vendor_id", "target_field": "cip.vendor.id", "ignore_missing": true } }, + { "rename": { "field": "message2.vendor_name", "target_field": "cip.vendor.name", "ignore_missing": true } }, + { "rename": { "field": "message2.device_type_id", "target_field": "cip.device.type.id", "ignore_missing": true } }, + { "rename": { "field": "message2.device_type_name", "target_field": "cip.device.type.name", "ignore_missing": true } }, + { "rename": { "field": "message2.product_code", "target_field": "cip.device.product.code", "ignore_missing": true } }, + { "rename": { "field": "message2.revision", "target_field": "cip.device.revision", "ignore_missing": true } }, + { "rename": { "field": "message2.device_status", "target_field": "cip.device.status", "ignore_missing": true } }, + { "rename": { "field": "message2.serial_number", "target_field": "cip.device.serial_number", "ignore_missing": true } }, + { "rename": { "field": "message2.product_name", "target_field": "cip.device.product.name", "ignore_missing": true } }, + { "rename": { "field": "message2.device_state", "target_field": "cip.device.state", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.cip_io b/salt/elasticsearch/files/ingest/zeek.cip_io new file mode 100644 index 000000000..68c376b05 --- /dev/null 
+++ b/salt/elasticsearch/files/ingest/zeek.cip_io
@@ -0,0 +1,13 @@
+{
+ "description" : "zeek.cip_io",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "cip.is_orig", "ignore_missing": true } },
+ { "rename": { "field": "message2.connection_id", "target_field": "cip.connection.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.sequence_number", "target_field": "cip.sequence_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_length", "target_field": "cip.data.length", "ignore_missing": true } },
+ { "rename": { "field": "message2.io_data", "target_field": "cip.io.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.conn b/salt/elasticsearch/files/ingest/zeek.conn
index 5e3ae9c79..14689f782 100644
--- a/salt/elasticsearch/files/ingest/zeek.conn
+++ b/salt/elasticsearch/files/ingest/zeek.conn
@@ -17,24 +17,25 @@ { "rename": { "field": "message2.orig_ip_bytes", "target_field": "client.ip_bytes", "ignore_missing": true } }, { "rename": { "field": "message2.resp_pkts", "target_field": "server.packets", "ignore_missing": true } }, { "rename": { "field": "message2.resp_ip_bytes", "target_field": "server.ip_bytes", "ignore_missing": true } }, + { "rename": { "field": "message2.orig_mac_oui", "target_field": "client.oui", "ignore_missing": true } }, { "rename": { "field": "message2.tunnel_parents", "target_field": "log.id.tunnel_parents", "ignore_missing": true } }, { "rename": { "field": "message2.orig_cc", "target_field": "client.country_code","ignore_missing": true } }, { "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } }, { "rename": { "field": "message2.sensorname", "target_field": "observer.name", "ignore_missing": true } }, { "script": { "lang": "painless", "source": "ctx.network.bytes = (ctx.client.bytes + ctx.server.bytes)", "ignore_failure": true } }, - { "set": { "if": "ctx.connection.state == 'S0'", "field": "connection.state_description", "value": "Connection attempt seen, no reply" } }, - { "set": { "if": "ctx.connection.state == 'S1'", "field": "connection.state_description", "value": "Connection established, not terminated" } }, - { "set": { "if": "ctx.connection.state == 'S2'", "field": "connection.state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } }, - { "set": { "if": "ctx.connection.state == 'S3'", "field": "connection.state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } }, - { "set": { "if": "ctx.connection.state == 'SF'", "field": "connection.state_description", "value": "Normal SYN/FIN completion" } }, - { "set": { "if": "ctx.connection.state == 'REJ'", "field": "connection.state_description", "value": "Connection attempt rejected" } }, - { 
"set": { "if": "ctx.connection.state == 'RSTO'", "field": "connection.state_description", "value": "Connection established, originator aborted (sent a RST)" } }, - { "set": { "if": "ctx.connection.state == 'RSTR'", "field": "connection.state_description", "value": "Established, responder aborted" } }, - { "set": { "if": "ctx.connection.state == 'RSTOS0'","field": "connection.state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } }, - { "set": { "if": "ctx.connection.state == 'RSTRH'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } }, - { "set": { "if": "ctx.connection.state == 'SH'", "field": "connection.state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } }, - { "set": { "if": "ctx.connection.state == 'SHR'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } }, - { "set": { "if": "ctx.connection.state == 'OTH'", "field": "connection.state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } }, + { "set": { "if": "ctx.connection?.state == 'S0'", "field": "connection.state_description", "value": "Connection attempt seen, no reply" } }, + { "set": { "if": "ctx.connection?.state == 'S1'", "field": "connection.state_description", "value": "Connection established, not terminated" } }, + { "set": { "if": "ctx.connection?.state == 'S2'", "field": "connection.state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } }, + { "set": { "if": "ctx.connection?.state == 'S3'", "field": "connection.state_description", "value": "Connection established and close attempt by responder seen (but no reply from 
originator)" } }, + { "set": { "if": "ctx.connection?.state == 'SF'", "field": "connection.state_description", "value": "Normal SYN/FIN completion" } }, + { "set": { "if": "ctx.connection?.state == 'REJ'", "field": "connection.state_description", "value": "Connection attempt rejected" } }, + { "set": { "if": "ctx.connection?.state == 'RSTO'", "field": "connection.state_description", "value": "Connection established, originator aborted (sent a RST)" } }, + { "set": { "if": "ctx.connection?.state == 'RSTR'", "field": "connection.state_description", "value": "Established, responder aborted" } }, + { "set": { "if": "ctx.connection?.state == 'RSTOS0'","field": "connection.state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } }, + { "set": { "if": "ctx.connection?.state == 'RSTRH'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } }, + { "set": { "if": "ctx.connection?.state == 'SH'", "field": "connection.state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } }, + { "set": { "if": "ctx.connection?.state == 'SHR'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } }, + { "set": { "if": "ctx.connection?.state == 'OTH'", "field": "connection.state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.cotp b/salt/elasticsearch/files/ingest/zeek.cotp new file mode 100644 index 000000000..fb4b090cd --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.cotp 
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.cotp",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.pdu_code", "target_field": "cotp.pdu.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_name", "target_field": "cotp.pdu.name", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.dnp3_control b/salt/elasticsearch/files/ingest/zeek.dnp3_control
new file mode 100644
index 000000000..0c465b5d2
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.dnp3_control
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.dnp3_control",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.block_type", "target_field": "dnp3.block_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.function_code", "target_field": "dnp3.function_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.index_number", "target_field": "dnp3.index_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.trip_control_code","target_field": "dnp3.trip_control_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.operation_type", "target_field": "dnp3.operation_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.execute_count", "target_field": "dnp3.execute_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.on_time", "target_field": "dnp3.on_time", "ignore_missing": true } },
+ { "rename": { "field": "message2.off_time", "target_field": "dnp3.off_time", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.dnp3_objects b/salt/elasticsearch/files/ingest/zeek.dnp3_objects
new file mode 100644
index 000000000..c78ae9e1f
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.dnp3_objects
@@ -0,0 +1,13 @@
+{
+ "description" : "zeek.dnp3_objects",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.function_code", "target_field": "dnp3.function_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.object_type", "target_field": "dnp3.object_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.object_count", "target_field": "dnp3.object_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.range_low", "target_field": "dnp3.range_low", "ignore_missing": true } },
+ { "rename": { "field": "message2.range_high", "target_field": "dnp3.range_high", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info b/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info
new file mode 100644
index 000000000..c5f9b9dc3
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info
@@ -0,0 +1,17 @@
+{
+ "description" : "zeek.ecat_aoe_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.targetid", "target_field": "destination.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.targetport", "target_field": "destination.port", "ignore_missing": true } },
+ { "convert": { "field": "destination.port", "type": "integer", "ignore_missing": true } },
+ { "rename": { "field": "message2.senderid", "target_field": "source.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.senderport", "target_field": "source.port", "ignore_missing": true } },
+ { "convert": { "field": "source.port", "type": "integer", "ignore_missing": true } },
+ { "rename": { "field": "message2.cmd", "target_field": "ecat.command", "ignore_missing": true } },
+ { "rename": { "field": "message2.stateflags", "target_field": "ecat.state.flags", "ignore_missing": true } },
+ { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_arp_info b/salt/elasticsearch/files/ingest/zeek.ecat_arp_info
new file mode 100644
index 000000000..cbc3676ab
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_arp_info
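Review bot: The two `convert` processors on `destination.port` and `source.port` set `ignore_missing` but not `ignore_failure`, so a non-numeric port value emitted by the sensor fails the pipeline and the whole event is rejected instead of being indexed with the raw field; the `ecat.port` convert in zeek.ecat_dev_info has the same gap. Adding `"ignore_failure": true` to each convert (or an `on_failure` handler) keeps a single malformed record from silently dropping ICS telemetry that detections rely on. Separately, `targetid` and `senderid` are renamed into `destination.mac` and `source.mac`; if those Zeek fields carry AMS network identifiers rather than MAC addresses, as the names suggest they might, the ECS `mac` fields would be mistyped and an `ecat.`-namespaced target would be more accurate, so it is worth confirming against the ICSNPP log definition.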
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.ecat_arp_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.arp_type", "target_field": "ecat.arp.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.mac_src", "target_field": "source.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.mac_dst", "target_field": "destination.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.SPA", "target_field": "source.ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.SHA", "target_field": "ecat.sender.hardware.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.TPA", "target_field": "destination.ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.THA", "target_field": "ecat.target.hardware.address", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_coe_info b/salt/elasticsearch/files/ingest/zeek.ecat_coe_info
new file mode 100644
index 000000000..e425e3173
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_coe_info
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.ecat_coe_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.number", "target_field": "ecat.message.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.Type", "target_field": "ecat.message.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_resp", "target_field": "ecat.request.response_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.index", "target_field": "ecat.index", "ignore_missing": true } },
+ { "rename": { "field": "message2.subindex", "target_field": "ecat.sub.index", "ignore_missing": true } },
+ { "rename": { "field": "message2.dataoffset", "target_field": "ecat.data_offset", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_dev_info b/salt/elasticsearch/files/ingest/zeek.ecat_dev_info
new file mode 100644
index 000000000..d01289e9a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_dev_info
@@ -0,0 +1,18 @@
+{
+ "description" : "zeek.ecat_dev_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.slave_id", "target_field": "ecat.slave.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.revision", "target_field": "ecat.revision", "ignore_missing": true } },
+ { "rename": { "field": "message2.dev_type", "target_field": "ecat.device.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.build", "target_field": "ecat.build.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.fmmucnt", "target_field": "ecat.fieldbus.memory_mgmt_unit", "ignore_missing": true } },
+ { "rename": { "field": "message2.smcount", "target_field": "ecat.sync.manager_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.ports", "target_field": "ecat.port", "ignore_missing": true } },
+ { "convert": { "field": "ecat.port", "type": "integer", "ignore_missing": true } },
+ { "rename": { "field": "message2.dpram", "target_field": "ecat.ram.size", "ignore_missing": true } },
+ { "rename": { "field": "message2.features", "target_field": "ecat.features", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_foe_info b/salt/elasticsearch/files/ingest/zeek.ecat_foe_info
new file mode 100644
index 000000000..6655f2cb7
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_foe_info
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.ecat_foe_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.reserved", "target_field": "ecat.reserved", "ignore_missing": true } },
+ { "rename": { "field": "message2.packet_num", "target_field": "ecat.packet_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.error_code", "target_field": "ecat.error_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.filename", "target_field": "ecat.filename", "ignore_missing": true } },
+ { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_log_address b/salt/elasticsearch/files/ingest/zeek.ecat_log_address
new file mode 100644
index 000000000..ad0ee161f
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_log_address
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.ecat_log_address",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.srcmac", "target_field": "source.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.dstmac", "target_field": "destination.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.Log_Addr", "target_field": "ecat.log.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.Length", "target_field": "ecat.length", "ignore_missing": true } },
+ { "rename": { "field": "message2.Command", "target_field": "ecat.command", "ignore_missing": true } },
+ { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_registers b/salt/elasticsearch/files/ingest/zeek.ecat_registers
new file mode 100644
index 000000000..d0a11ba83
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_registers
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.ecat_registers",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.srcmac", "target_field": "source.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.dstmac", "target_field": "destination.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.Command", "target_field": "ecat.command", "ignore_missing": true } },
+ { "rename": { "field": "message2.Slave_Addr", "target_field": "ecat.slave.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.Register_Type", "target_field": "ecat.register.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.Register_Addr", "target_field": "ecat.register.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_soe_info b/salt/elasticsearch/files/ingest/zeek.ecat_soe_info
new file mode 100644
index 000000000..bddc40efa
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_soe_info
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.ecat_soe_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.incomplete", "target_field": "ecat.function.check", "ignore_missing": true } },
+ { "rename": { "field": "message2.error", "target_field": "ecat.error", "ignore_missing": true } },
+ { "rename": { "field": "message2.drive_num", "target_field": "ecat.drive.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.element_flags", "target_field": "ecat.element.flags", "ignore_missing": true } },
+ { "rename": { "field": "message2.index", "target_field": "ecat.index", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/zeek.enip b/salt/elasticsearch/files/ingest/zeek.enip
new file mode 100644
index 000000000..fee3b058b
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.enip
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.enip",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "enip.is_orig", "ignore_missing": true } },
+ { "rename": { "field": "message2.enip_command_code", "target_field": "enip.command_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.enip_command", "target_field": "enip.command", "ignore_missing": true } },
+ { "rename": { "field": "message2.length", "target_field": "enip.length", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_handle", "target_field": "enip.session.handle", "ignore_missing": true } },
+ { "rename": { "field": "message2.enip_status", "target_field": "enip.status_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.sender_context", "target_field": "enip.sender.context", "ignore_missing": true } },
+ { "rename": { "field": "message2.options", "target_field": "enip.options", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.modbus_detailed b/salt/elasticsearch/files/ingest/zeek.modbus_detailed
new file mode 100644
index 000000000..635566c6a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.modbus_detailed
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.modbus_detailed",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.unit_id", "target_field": "modbus.unit_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.address", "target_field": "modbus.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.quality", "target_field": "modbus.quality", "ignore_missing": true } },
+ { "rename": { "field": "message2.values", "target_field": "modbus.values", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register b/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register
new file mode 100644
index 000000000..d548fe615
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.modbus_mask_write_register",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.unit_id", "target_field": "modbus.unit_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.address", "target_field": "modbus.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.and_mask", "target_field": "modbus.and_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.or_mask", "target_field": "modbus.or_mask", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers b/salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers
new file mode 100644
index 000000000..234faa34f
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.read_write_multiple_registers",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.unit_id", "target_field": "modbus.unit_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.write_start_address", "target_field": "modbus.write.start.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.write_registers", "target_field": "modbus.write.registers", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_start_address", "target_field": "modbus.read.start.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.read.quality", "target_field": "modbus.read.quality", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_registers", "target_field": "modbus.read.registers", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary b/salt/elasticsearch/files/ingest/zeek.opcua_binary
new file mode 100644
index 000000000..37a9cdf1a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary
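Review bot: The `description` on the second line reads `zeek.read_write_multiple_registers` while the file name and every other pipeline in this commit carry the `zeek.modbus_` prefix; it should be `"description" : "zeek.modbus_read_write_multiple_registers",` so the pipeline is identifiable in the Elasticsearch ingest listing. The rename of `message2.read.quality` is also the only source key in these pipelines with a dotted name: after the `json` processor it would resolve to a nested `read.quality` object, which the Zeek log presumably does not produce given the neighbouring `read_start_address`/`read_registers` keys, so with `ignore_missing` the processor is a silent no-op and the value stays under `message2`. If the log field is `read_quantity`, the line should be `{ "rename": { "field": "message2.read_quantity", "target_field": "modbus.read.quantity", "ignore_missing": true } },`; either way the key is worth confirming against the ICSNPP Modbus log definition.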
@@ -0,0 +1,32 @@
+{
+ "description" : "zeek.opcua_binary",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.msg_type", "target_field": "opcua.message_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.is_final", "target_field": "opcua.final", "ignore_missing": true } },
+ { "rename": { "field": "message2.msg_size", "target_field": "opcua.message_size", "ignore_missing": true } },
+ { "rename": { "field": "message2.snd_buf_size", "target_field": "opcua.sender.buffer_size", "ignore_missing": true } },
+ { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_channel_id", "target_field": "opcua.secure_channel_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_id", "target_field": "opcua.request_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "convert": { "field": "opcua.encoding_mask", "type": "string",
 "ignore_missing": true } },
+ { "rename": { "field": "message2.identifier", "target_field": "opcua.identifier", "ignore_missing": true } },
+ { "rename": { "field": "message2.identifier_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_node_id_type", "target_field": "opcua.request.header.node.id_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_node_id_numeric", "target_field": "opcua.request.header.node.id_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_timestamp", "target_field": "opcua.request.header.timestamp", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_request_handle", "target_field": "opcua.request.handle", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_return_diag", "target_field": "opcua.request.header.return_diag", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_audit_entry_id", "target_field": "opcua.request.header.audit_entry_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_timeout_hint", "target_field": "opcua.request.header.timeout_hint", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_add_hdr_type_id", "target_field": "opcua.request.header.type_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_add_hdr_enc_mask", "target_field": "opcua.request.header.enc_mask", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
new file mode 100644
index 000000000..81f8e9392
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
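Review bot: `message2.seq_number` is renamed to `opcua.sequence_number` twice, once after the `snd_buf_size` rename and again right after `sec_channel_id`; the second processor is a no-op under `ignore_missing` but reads like an unfinished edit. Either drop the duplicate or, if a different source field was meant there, correct it so the value is not lost. The `convert` of `opcua.encoding_mask` is also split over two lines with a dangling comma, unlike the single-line form the sibling pipelines use; writing it as `{ "convert": { "field": "opcua.encoding_mask", "type": "string", "ignore_missing": true } },` keeps the file consistent with zeek.opcua_binary_activate_session.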
@@ -0,0 +1,19 @@
+{
+ "description" : "zeek.opcua_binary_activate_session",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "convert": { "field": "opcua.encoding_mask", "type": "string", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_encoding", "target_field": "opcua.encoding", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_policy_id", "target_field": "opcua.policy_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_user_name", "target_field": "opcua.user_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_password", "target_field": "opcua.password", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert
new file mode 100644
index 000000000..fe6f577eb
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert
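Review bot: `message2.ext_obj_password` is renamed into `opcua.password` and indexed next to `opcua.user_name`, so whatever Zeek extracted from the ActivateSession user-name identity token lands in Elasticsearch as a searchable field visible to anyone with read access to the Zeek indices. Whether that value is an encrypted blob or a plaintext credential depends on the security policy the OPC UA session negotiated, which the pipeline cannot know, so storing it verbatim is a credential-exposure risk for the monitored plant rather than a detection gain. Consider dropping it with `{ "remove": { "field": "message2.ext_obj_password", "ignore_missing": true } },`, replacing it with a boolean presence indicator, or at minimum documenting in the pipeline that this field may hold credential material so index-level access controls are applied deliberately.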
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.opcua_binary_activate_session_client_software_cert",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.client_software_cert_link_id", "target_field": "opcua.client_software_cert_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.cert_data", "target_field": "opcua.certificate.data", "ignore_missing": true } },
+ { "rename": { "field": "message2.cert_signature", "target_field": "opcua.certificate.signature", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info
new file mode 100644
index 000000000..283d1c78e
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_activate_session_diagnostic_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.activate_session_diag_info_link_id", "target_field": "opcua.activate_session_diag_info_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id
new file mode 100644
index 000000000..08d8a672e
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_activate_session_locale_id",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.local_id", "target_field": "opcua.local_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
new file mode 100644
index 000000000..8c4d919cd
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
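Review bot: The source key `message2.local_id` and target `opcua.local_id` on the seventh line look like a typo for `locale_id`: the pipeline is named `..._activate_session_locale_id` and the preceding rename targets `opcua.locale_link_id`. If the Zeek log field is in fact `locale_id`, this rename never matches, `ignore_missing` hides the miss, and the value is stranded under `message2`. Suggest `{ "rename": { "field": "message2.locale_id", "target_field": "opcua.locale_id", "ignore_missing": true } },` after confirming the field name against the ICSNPP OPC UA log definition.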
@@ -0,0 +1,18 @@
+{
+ "description" : "zeek.opcua_binary_browse",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "convert": { "field": "opcua.encoding_mask", "type": "string",
 "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view_description_timestamp", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description_view_version", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.description_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
new file mode 100644
index 000000000..f1439f192
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
@@ -0,0 +1,17 @@
+{
+ "description" : "zeek.opcua_binary_browse_description",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.browse_description_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_encoding_mask", "target_field": "opcua.browse_description_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_numeric", "target_field": "opcua.browse_description_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_direction", "target_field": "opcua.browse_direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_ref_encoding_mask", "target_field": "opcua.browse_description_ref_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_ref_numeric", "target_field": "opcua.browse_description_ref_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_include_subtypes", "target_field": "opcua.browse_description_include_subtypes", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_node_class_mask", "target_field": "opcua.browse_node_class_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_result_mask", "target_field": "opcua.browse_result_mask", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info
new file mode 100644
index 000000000..43560f4f0
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_browse_diagnostic_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.browse_diag_info_link_id", "target_field": "opcua.browse_session_diag_info_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point
new file mode 100644
index 000000000..ce971109b
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_browse_request_continuation_point",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.browse_next_link_id", "target_field": "opcua.browse_next_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.continuation_point", "target_field": "opcua.continuation_point", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references
new file mode 100644
index 000000000..960a0a939
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references
@@ -0,0 +1,22 @@
+{
+ "description" : "zeek.opcua_binary_browse_response_references",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.browse_reference_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_encoding_mask", "target_field": "opcua.reference_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_numeric", "target_field": "opcua.reference_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_is_forward", "target_field": "opcua.is_forward", "ignore_missing": true } },
+ { "rename": { "field": "message2.response_ref_type_encoding_mask", "target_field": "opcua.reference_type_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_type_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_type_numeric", "target_field": "opcua.reference_type_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_name", "target_field": "opcua.reference_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_display_name_mask", "target_field": "opcua.display_name_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_display_name_locale", "target_field": "opcua.display_name_local", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_display_name_text", "target_field": "opcua.display_name_text", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_node_class", "target_field": "opcua.node_class", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_type_def_encoding_mask", "target_field": "opcua.type_def_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_type_def_numeric", "target_field": "opcua.type_def_numeric", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result
new file mode 100644
index 000000000..d9eabbd87
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.opcua_binary_browse_result",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.browse_response_link_id", "target_field": "opcua.response_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_reference_link_id", "target_field": "opcua.reference_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session
new file mode 100644
index 000000000..d7e0d3d87
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session
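Review bot: `opcua.display_name_local` on the `browse_response_display_name_locale` rename in zeek.opcua_binary_browse_response_references drops the trailing "e" of "locale", while the sibling pipelines spell the same concept `opcua.locale`; this reads as a typo and will leave the field stranded next to `opcua.display_name_mask` and `opcua.display_name_text`. Suggested: `{ "rename": { "field": "message2.browse_response_display_name_locale", "target_field": "opcua.display_name_locale", "ignore_missing": true } },`. Separately, this pipeline maps `message2.browse_reference_link_id` to `opcua.link_id`, the target that zeek.opcua_binary_create_session and others use for `message2.opcua_link_id`, and zeek.opcua_binary_browse_result maps that same source to `opcua.reference_link_id`; one field name carrying different meanings across logs is worth a deliberate decision rather than an accident of naming.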
@@ -0,0 +1,19 @@
+{
+ "description" : "zeek.opcua_binary_create_session",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_id_encoding_mask", "target_field": "opcua.session_id_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_id_namespace_idx", "target_field": "opcua.session_id_namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_id_guid", "target_field": "opcua.session_id_guid", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_token_encoding_mask", "target_field": "opcua.auth_token_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_token_namespace_idx", "target_field": "opcua.auth_token_namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_token_guid", "target_field": "opcua.auth_token_guid", "ignore_missing": true } },
+ { "rename": { "field": "message2.revised_session_timeout", "target_field": "opcua.revised_session_timeout", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.max_req_msg_size", "target_field": "opcua.request.max_message_size", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery
new file mode 100644
index 000000000..cf9a56135
--- /dev/null
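Review bot: `message2.max_req_msg_size` is renamed to the nested `opcua.request.max_message_size`, while every other target written by this commit's pipelines is a flat `opcua.<name>` field; if any pipeline or mapping treats `opcua.request` as a scalar, the object-versus-scalar conflict rejects the document at index time, and I cannot see the index template here to rule that out. If the nesting is not deliberate, `"target_field": "opcua.max_req_msg_size"` would match the siblings. Minor style point on the `json` processor line: `"ignore_failure": true}` is missing the space before `}` that every other pipeline in the commit uses.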
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.opcua_binary_create_session_discovery",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.discovery_profile_link_id", "target_field": "opcua.discovery_profile_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.discovery_profile_uri", "target_field": "opcua.discovery_profile_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.discovery_profile_url", "target_field": "opcua.discovery_profile_url", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
new file mode 100644
index 000000000..0511211d5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
@@ -0,0 +1,22 @@
+{
+ "description" : "zeek.opcua_binary_create_session_endpoints",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "convert": { "field": "opcua.encoding_mask", "type": "string", "ignore_missing": true } },
+ { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
+ { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
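Review bot: The `convert` of `opcua.encoding_mask` to `string` (repeated in zeek.opcua_binary_get_endpoints_description) implies the Zeek value arrives in a type the mapping does not accept for that field, yet the other `*_encoding_mask` targets in this commit (`opcua.session_id_encoding_mask`, `opcua.auth_token_encoding_mask`, `opcua.browse_description_encoding_mask`, `opcua.data_value_encoding_mask`, ...) get no conversion. If those fields share a mapping with `opcua.encoding_mask`, the same type mismatch would reject or mis-type their documents; if they are mapped differently, that is worth stating in the pipeline `description` so the asymmetry is not "fixed" later. I cannot see the template here, so this is a question rather than a confirmed defect.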
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token
new file mode 100644
index 000000000..b86ec066d
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.opcua_binary_create_session_user_token",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_policy_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_type", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription
new file mode 100644
index 000000000..832ac75b1
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription
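Review bot: The second and third `rename` processors in zeek.opcua_binary_create_session_user_token read the same source field `message2.user_token_link_id` as the first one; once the first rename has moved it to `opcua.user_token_link_id` the source no longer exists, so the next two are silently skipped through `ignore_missing` and `opcua.user_token_policy_id` and `opcua.user_token_type` are never populated. Presumably the intended sources are `message2.user_token_policy_id` and `message2.user_token_type` (the latter is what zeek.opcua_binary_get_endpoints_user_token reads), so the two lines should be `{ "rename": { "field": "message2.user_token_policy_id", "target_field": "opcua.user_token_policy_id", "ignore_missing": true } },` and `{ "rename": { "field": "message2.user_token_type", "target_field": "opcua.user_token_type", "ignore_missing": true } },`. Please confirm the column names against the Zeek log before landing, since `ignore_missing` will hide a wrong guess just as quietly.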
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.opcua_binary_create_subscription",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.requested_publishing_interval", "target_field": "opcua.publish_interval", "ignore_missing": true } },
+ { "rename": { "field": "message2.requested_lifetime_count", "target_field": "opcua.lifetime_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.requested_max_keep_alive_count", "target_field": "opcua.max_keepalive", "ignore_missing": true } },
+ { "rename": { "field": "message2.max_notifications_per_publish", "target_field": "opcua.max_notifications", "ignore_missing": true } },
+ { "rename": { "field": "message2.publishing_enabled", "target_field": "opcua.publish_enabled", "ignore_missing": true } },
+ { "rename": { "field": "message2.priority", "target_field": "opcua.priority", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail b/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail
new file mode 100644
index 000000000..170c35be0
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail
@@ -0,0 +1,21 @@
+{
+ "description" : "zeek.opcua_binary_diag_info_detail",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.source", "target_field": "opcua.source", "ignore_missing": true } },
+ { "rename": { "field": "message2.source_str", "target_field": "opcua.source_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.inner_diag_level", "target_field": "opcua.inner_diag_level", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_symbolic_id", "target_field": "opcua.has_symbolic_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_namespace_uri", "target_field": "opcua.has_namespace_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_locale", "target_field": "opcua.has_locale", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_locale_txt", "target_field": "opcua.has_locale_txt", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_addl_info", "target_field": "opcua.has_addl_info", "ignore_missing": true } },
+ { "rename": { "field": "message2.addl_info", "target_field": "opcua.addl_info", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_inner_stat_code", "target_field": "opcua.has_inner_stat_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.inner_stat_code", "target_field": "opcua.inner_stat_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_inner_diag_info", "target_field": "opcua.has_inner_diag_info", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints
new file mode 100644
index 000000000..51f9349fc
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_get_endpoints",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
new file mode 100644
index 000000000..b467196de
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
@@ -0,0 +1,23 @@
+{
+ "description" : "zeek.opcua_binary_get_endpoints_description",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "convert": { "field": "opcua.encoding_mask", "type": "string",
+ "ignore_missing": true } },
+ { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
+ { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery
new file mode 100644
index 000000000..eeaf91dcb
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_get_endpoints_discovery",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.discovery_profile_link_id", "target_field": "opcua.discovery_profile_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.discovery_profile_url", "target_field": "opcua.discovery_profile_url", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id
new file mode 100644
index 000000000..3716b3bb5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_get_endpoints_locale_id",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.local_id", "target_field": "opcua.local_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri
new file mode 100644
index 000000000..65309e588
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_get_endpoints_profile_uri",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.profile_uri_link_id", "target_field": "opcua.profile_uri_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.profile_uri", "target_field": "opcua.profile_uri", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
new file mode 100644
index 000000000..33a3687cc
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.opcua_binary_get_endpoints_user_token",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_type", "target_field": "opcua.user_token_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_sec_policy_uri", "target_field": "opcua.user_token_security_policy_uri", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel b/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel
new file mode 100644
index 000000000..59c41206d
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.opcua_binary_opensecure_channel",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server_proto_ver", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_token_sec_channel_id", "target_field": "opcua.sec_token_sec_channel_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_token_id", "target_field": "opcua.sec_token_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_token_created_at", "target_field": "opcua.sec_token_created_at", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_token_revised_time", "target_field": "opcua.sec_token_revised_time", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read
new file mode 100644
index 000000000..9eee12ff7
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims
new file mode 100644
index 000000000..a0955f534
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_array_dims",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.array_dim_link_id", "target_field": "opcua.array_dim_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.dimension", "target_field": "opcua.dimension", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link
new file mode 100644
index 000000000..94644246f
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_array_dims_link",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.variant_data_array_dim_link_id", "target_field": "opcua.variant_data_array_dim_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.array_dim_link_id", "target_field": "opcua.array_dim_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info
new file mode 100644
index 000000000..64376bd08
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_diagnostic_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.read_diag_info_link_id", "target_field": "opcua.read_diag_info_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object
new file mode 100644
index 000000000..8ef46251b
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.opcua_binary_read_extension_object",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.ext_obj_link_id", "target_field": "opcua.ext_obj_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_node_id_encoding_mask", "target_field": "opcua.ext_obj_node_id_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_node_id_namespace_idx", "target_field": "opcua.ext_obj_node_id_namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_node_id_numeric", "target_field": "opcua.ext_obj_node_id_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_str", "target_field": "opcua.ext_obj_type_id_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_encoding", "target_field": "opcua.ext_obj_encoding", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link
new file mode 100644
index 000000000..0aae27ca1
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_extension_object_link",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.variant_data_ext_obj_link_id", "target_field": "opcua.variant_data_ext_obj_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_link_id", "target_field": "opcua.ext_obj_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
new file mode 100644
index 000000000..39c0c25b1
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.opcua_binary_read_nodes_to_read",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.nodes_to_read_link_id", "target_field": "opcua.nodes_to_read_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.node_id_encoding_mask", "target_field": "opcua.node_id_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.node_id_numeric", "target_field": "opcua.node_id_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.attribute_id", "target_field": "opcua.attribute_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.attribute_id_str", "target_field": "opcua.attribute_id_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_encoding_name_idx", "target_field": "opcua.data_encoding_name_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_encoding_name", "target_field": "opcua.data_encoding_name", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results
new file mode 100644
index 000000000..49d14d404
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results
@@ -0,0 +1,17 @@
+{
+ "description" : "zeek.opcua_binary_read_results",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.level", "target_field": "opcua.level", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_value_encoding_mask", "target_field": "opcua.data_value_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_variant_encoding_mask", "target_field": "opcua.data_variant_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_variant_data_type", "target_field": "opcua.data_variant_data_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_variant_data_type_str", "target_field": "opcua.data_variant_data_type_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.built_in_data_type", "target_field": "opcua.built_in_data_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.built_in_data_type_str", "target_field": "opcua.built_in_data_type_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_results_variant_data_link_id", "target_field": "opcua.read_results_variant_data_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
new file mode 100644
index 000000000..75245d212
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_results_link",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code
new file mode 100644
index 000000000..d3b6ece54
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_status_code",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.read_status_code_link_id", "target_field": "opcua.read_status_code_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data
new file mode 100644
index 000000000..d77404bc5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_variant_data",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.read_variant_data_link_id", "target_field": "opcua.read_variant_data_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.variant_data_value_signed_numeric", "target_field": "opcua.variant_data_value_signed_numeric", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link
new file mode 100644
index 000000000..8585789ff
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_variant_data_link",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.read_results_variant_data_link_id", "target_field": "opcua.read_results_variant_data_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_variant_data_link_id", "target_field": "opcua.read_variant_data_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail b/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
new file mode 100644
index 000000000..e1bff04a4
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
@@ -0,0 +1,21 @@
+{
+ "description" : "zeek.opcua_binary_status_code_detail",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.status_code", "target_field": "opcua.status_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.source", "target_field": "opcua.source", "ignore_missing": true } },
+ { "rename": { "field": "message2.source_str", "target_field": "opcua.source_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.source_level", "target_field": "opcua.source_level", "ignore_missing": true } },
+ { "rename": { "field": "message2.severity", "target_field": "opcua.severity", "ignore_missing": true } },
+ { "rename": { "field": "message2.severity_str", "target_field": "opcua.severity_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.sub_code", "target_field": "opcua.sub_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.sub_code_str", "target_field": "opcua.sub_code_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.structure_changed", "target_field": "opcua.structure_changed", "ignore_missing": true } },
+ { "rename": { "field": "message2.semantics_changed", "target_field": "opcua.semantics_changed", "ignore_missing": true } },
+ { "rename": { "field": "message2.info_type", "target_field": "opcua.info_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.info_type_str", "target_field": "opcua.info_type_string", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.profinet b/salt/elasticsearch/files/ingest/zeek.profinet
new file mode 100644
index 000000000..e9d69c0dc
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.profinet
@@ -0,0 +1,13 @@
+{
+ "description" : "zeek.profinet",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.operation_type", "target_field": "profinet.operation_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.block_version", "target_field": "profinet.block_version", "ignore_missing": true } },
+ { "rename": { "field": "message2.slot_number", "target_field": "profinet.slot_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.subslot_number", "target_field": "profinet.subslot_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.index", "target_field": "profinet.index", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.profinet_dce_rpc b/salt/elasticsearch/files/ingest/zeek.profinet_dce_rpc
new file mode 100644
index 000000000..e89fd7d95
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.profinet_dce_rpc
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.profinet_dce_rpc",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.version", "target_field": "profinet.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.packet_type", "target_field": "profinet.packet_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.object_uuid", "target_field": "profinet.object_uuid", "ignore_missing": true } },
+ { "rename": { "field": "message2.interface_uuid", "target_field": "profinet.interface_uuid", "ignore_missing": true } },
+ { "rename": { "field": "message2.activity_uuid", "target_field": "profinet.activity_uuid", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_boot_time", "target_field": "profinet.server.boot_time", "ignore_missing": true } },
+ { "rename": { "field": "message2.operation", "target_field": "profinet.operation", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.s7comm b/salt/elasticsearch/files/ingest/zeek.s7comm
new file mode 100644
index 000000000..e9f5e6318
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.s7comm",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.rosctr_code", "target_field": "s7.ros.control.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.rosctr_name", "target_field": "s7.ros.control.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_reference", "target_field": "s7.pdu_reference", "ignore_missing": true } },
+ { "rename": { "field": "message2.function_code", "target_field": "s7.function.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.function_name", "target_field": "s7.function.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.error_class", "target_field": "s7.error.class", "ignore_missing": true } },
+ { "rename": { "field": "message2.error_code", "target_field": "s7.error.code", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.s7comm_plus b/salt/elasticsearch/files/ingest/zeek.s7comm_plus
new file mode 100644
index 000000000..cbb7d5723
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm_plus
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.s7comm_plus",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.version", "target_field": "s7.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.opcode", "target_field": "s7.opcode.value", "ignore_missing": true } },
+ { "rename": { "field": "message2.opcode_name", "target_field": "s7.opcode.name", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl b/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl
new file mode 100644
index 000000000..c044c08a5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.s7comm_read_szl",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.pdu_reference", "target_field": "s7.pdu_reference", "ignore_missing": true } },
+ { "rename": { "field": "message2.method", "target_field": "s7.method", "ignore_missing": true } },
+ { "rename": { "field": "message2.szl_id", "target_field": "s7.szl_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.szl_id_name", "target_field": "s7.szl_id_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.szl_index", "target_field": "s7.szl_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.return_code", "target_field": "s7.return_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.return_code_name", "target_field": "s7.return_code_name", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.s7comm_upload_download b/salt/elasticsearch/files/ingest/zeek.s7comm_upload_download
new file mode 100644
index 000000000..51d8ca03f
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm_upload_download
@@ -0,0 +1,18 @@
+{
+ "description" : "zeek.s7comm_upload_download",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.rosctr", "target_field": "s7.ros.control.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_reference", "target_field": "s7.pdu_reference", "ignore_missing": true } },
+ { "rename": { "field": "message2.function_code", "target_field": "s7.function_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.function_status", "target_field": "s7.function_status", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_id", "target_field": "s7.session_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.blocklength", "target_field": "s7.block.length", "ignore_missing": true } },
+ { "rename": { "field": "message2.filename", "target_field": "s7.file.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.block_type", "target_field": "s7.block.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.block_number", "target_field": "s7.block.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.destination_filesystem", "target_field": "s7.destination.filesystem", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.stun b/salt/elasticsearch/files/ingest/zeek.stun
new file mode 100644
index 000000000..48f648d74
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.stun
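Review bot: `message2.function_code` is renamed to `s7.function_code` here, while the zeek.s7comm pipeline in this same commit maps the identically named Zeek field to `s7.function.code` (next to `s7.function.name`), so the same value lands under two different field names and any dashboard or detection that pivots on S7 function codes across the s7comm and upload/download logs has to know both. Aligning this line with the s7comm pipeline, `{ "rename": { "field": "message2.function_code", "target_field": "s7.function.code", "ignore_missing": true } }`, keeps one field for one concept. The `rosctr` → `s7.ros.control.name` mapping likewise assumes the upload_download log carries the ROSCTR name rather than its numeric code (the s7comm pipeline splits those into `.code` and `.name`); worth confirming against the Zeek log definition, since a numeric value would be indexed into a field the other pipeline populates with strings.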
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.stun",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "stun.is_orig", "ignore_missing": true } },
+ { "rename": { "field": "message2.trans_id", "target_field": "stun.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.method", "target_field": "stun.method", "ignore_missing": true } },
+ { "rename": { "field": "message2.class", "target_field": "stun.class", "ignore_missing": true } },
+ { "rename": { "field": "message2.attr_types", "target_field": "stun.attribute.types", "ignore_missing": true } },
+ { "rename": { "field": "message2.attr_vals", "target_field": "stun.attribute.values", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.stun_nat b/salt/elasticsearch/files/ingest/zeek.stun_nat
new file mode 100644
index 000000000..45f9b3055
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.stun_nat
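Review bot: `message2.proto` is renamed to `network.protocol`, but in the Zeek STUN log `proto` is, as far as I can tell, the transport protocol (tcp/udp), which ECS places in `network.transport`; `network.protocol` is meant for the application-layer protocol name. Documents from this pipeline would then carry values such as `network.protocol: udp`, diverging from any other Zeek pipeline that maps `proto` to `network.transport` — I cannot see the rest of the ingest set in this diff, so that consistency point is worth checking. If the transport reading is right, `{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }` is the ECS-aligned line. The zeek.stun_nat pipeline in the next hunk contains the same rename.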
@@ -0,0 +1,13 @@
+{
+ "description" : "zeek.stun_nat",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "stun.is_orig", "ignore_missing": true } },
+ { "rename": { "field": "message2.wan_addrs", "target_field": "stun.wan.addresses", "ignore_missing": true } },
+ { "rename": { "field": "message2.wan_ports", "target_field": "stun.wan.ports", "ignore_missing": true } },
+ { "rename": { "field": "message2.lan_addrs", "target_field": "stun.lan.addresses", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.tds b/salt/elasticsearch/files/ingest/zeek.tds
new file mode 100644
index 000000000..43c2cad18
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.tds
@@ -0,0 +1,9 @@
+{
+ "description" : "zeek.tds",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.command", "target_field": "tds.command", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.tds_rpc b/salt/elasticsearch/files/ingest/zeek.tds_rpc
new file mode 100644
index 000000000..75a73c6ba
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.tds_rpc
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.tds_rpc",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.procedure_name", "target_field": "tds.procedure_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.parameters", "target_field": "tds.parameters", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.tds_sql_batch b/salt/elasticsearch/files/ingest/zeek.tds_sql_batch
new file mode 100644
index 000000000..560cd1ef3
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.tds_sql_batch
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.tds_sql_batch",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.header_type", "target_field": "tds.header_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.query", "target_field": "tds.query", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.wireguard b/salt/elasticsearch/files/ingest/zeek.wireguard
new file mode 100644
index 000000000..1df929666
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.wireguard
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.wireguard",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.established", "target_field": "wireguard.established", "ignore_missing": true } },
+ { "rename": { "field": "message2.initiations", "target_field": "wireguard.initiations", "ignore_missing": true } },
+ { "rename": { "field": "message2.responses", "target_field": "wireguard.responses", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 75b45d4e6..f87e8bb59 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -144,6 +144,10 @@ filebeat.inputs:
 dataset: {{ LOGNAME }}
 category: network
 processors:
+ {%- if LOGNAME is match('^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
+ - add_tags:
+ tags: ["ics"]
+ {%- endif %}
 - drop_fields:
 fields: ["source", "prospector", "input", "offset", "beat"]
@@ -161,6 +165,10 @@ filebeat.inputs:
 category: network
 imported: true
 processors:
+ {%- if LOGNAME is match('^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
+ - add_tags:
+ tags: ["ics"]
+ {%- endif %}
 - add_tags:
 tags: ["import"]
 - dissect:
diff --git a/salt/sensoroni/files/analyzers/README.md b/salt/sensoroni/files/analyzers/README.md
index a86730734..2025b85cb 100644
--- a/salt/sensoroni/files/analyzers/README.md
+++ b/salt/sensoroni/files/analyzers/README.md
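Review bot: The ICS tagging condition in the first filebeat.yml hunk uses `*` as if it were a shell glob, but Salt's Jinja `match` test applies a regular expression, so `^bacnet*` means "bacne" followed by any number of "t" characters, `^cip*` matches any log name that starts with "ci", and `^dnp3*` matches "dnp" — every alternative is a broader prefix than the log name it is meant to select. Since the `ics` tag presumably feeds ICS-specific dashboards or detections, a mis-tagged non-ICS log would surface there; anchoring on the literal names, `{%- if LOGNAME is match('^(bacnet|bsap|cip|cotp|dnp3|ecat|enip|modbus|opcua|profinet|s7comm)') %}`, matches only what is listed (append a trailing `_` or `$` alternative if the intent is narrower than "starts with"). The identical expression is repeated in the second hunk for the imported-logs input, so the two will drift unless the list is defined once in a Jinja variable above both inputs. Both hunks sit inside input definitions that begin before the visible lines.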
@@ -5,20 +5,19 @@ Security Onion provides a means for performing data analysis on varying inputs.
 ## Supported Observable Types
 The built-in analyzers support the following observable types:
-| Name | Domain | Hash | IP | JA3 | Mail | Other | URI | URL | User Agent |
-| ------------------------|--------|-------|-------|-------|-------|-------|-------|-------|------------
-| Alienvault OTX |✓ |✓|✓|✗|✗|✗|✗|✓|✗|
-| EmailRep |✗ |✗|✗|✗|✓|✗|✗|✗|✗|
-| Greynoise |✗ |✗|✓|✗|✗|✗|✗|✗|✗|
-| JA3er |✗ |✗|✗|✓|✗|✗|✗|✗|✗|
-| LocalFile |✓ |✓|✓|✓|✗|✓|✗|✓|✗|
-| Malware Hash Registry |✗ |✓|✗|✗|✗|✗|✗|✓|✗|
-| Pulsedive |✓ |✓|✓|✗|✗|✗|✓|✓|✓|
-| Spamhaus |✗ |✗|✓|✗|✗|✗|✗|✗|✗|
-| Urlhaus |✗ |✗|✗|✗|✗|✗|✗|✓|✗|
-| Urlscan |✗ |✗|✗|✗|✗|✗|✗|✓|✗|
-| Virustotal |✓ |✓|✓|✗|✗|✗|✗|✓|✗|
-| WhoisLookup |✓ |✗|✗|✗|✗|✗|✓|✗|✗|
+| Name | Domain | Hash | IP | Mail | Other | URI | URL | User Agent |
+| ------------------------|--------|-------|-------|-------|-------|-------|-------|-------|
+| Alienvault OTX |✓ |✓|✓|✗|✗|✗|✓|✗|
+| EmailRep |✗ |✗|✗|✓|✗|✗|✗|✗|
+| Greynoise |✗ |✗|✓|✗|✗|✗|✗|✗|
+| LocalFile |✓ |✓|✓|✗|✓|✗|✓|✗|
+| Malware Hash Registry |✗ |✓|✗|✗|✗|✗|✓|✗|
+| Pulsedive |✓ |✓|✓|✗|✗|✓|✓|✓|
+| Spamhaus |✗ |✗|✓|✗|✗|✗|✗|✗|
+| Urlhaus |✗ |✗|✗|✗|✗|✗|✓|✗|
+| Urlscan |✗ |✗|✗|✗|✗|✗|✓|✗|
+| Virustotal |✓ |✓|✓|✗|✗|✗|✓|✗|
+| WhoisLookup |✓ |✗|✗|✗|✗|✓|✗|✗|
 ## Authentication
 Many analyzers require authentication, via an API key or similar. The table below illustrates which analyzers require authentication.
@@ -28,7 +27,6 @@ Many analyzers require authentication, via an API key or similar. The table belo
 [AlienVault OTX](https://otx.alienvault.com/api) |✓|
 [EmailRep](https://emailrep.io/key) |✓|
 [GreyNoise](https://www.greynoise.io/plans/community) |✓|
-[JA3er](https://ja3er.com/) |✗|
 LocalFile |✗|
 [Malware Hash Registry](https://hash.cymru.com/docs_whois) |✗|
 [Pulsedive](https://pulsedive.com/api/) |✓|
diff --git a/salt/sensoroni/files/analyzers/emailrep/emailrep.py b/salt/sensoroni/files/analyzers/emailrep/emailrep.py
index d48977a07..0897c541a 100755
--- a/salt/sensoroni/files/analyzers/emailrep/emailrep.py
+++ b/salt/sensoroni/files/analyzers/emailrep/emailrep.py
@@ -53,7 +53,7 @@ def analyze(conf, input):
 def main():
 dir = os.path.dirname(os.path.realpath(__file__))
- parser = argparse.ArgumentParser(description='Search Greynoise for a given artifact')
+ parser = argparse.ArgumentParser(description='Search EmailRep for a given artifact')
 parser.add_argument('artifact', help='the artifact represented in JSON format')
 parser.add_argument('-c', '--config', metavar="CONFIG_FILE", default=dir + "/emailrep.yaml", help='optional config file to use instead of the default config file')
diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
similarity index 100%
rename from salt/sensoroni/files/analyzers/emailrep/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
rename to salt/sensoroni/files/analyzers/emailrep/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
similarity index 100%
rename from salt/sensoroni/files/analyzers/greynoise/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
rename to salt/sensoroni/files/analyzers/greynoise/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
diff --git a/salt/sensoroni/files/analyzers/ja3er/__init__.py b/salt/sensoroni/files/analyzers/ja3er/__init__.py
deleted file mode 100644
index e69de29bb..000000000
diff --git a/salt/sensoroni/files/analyzers/ja3er/ja3er.json b/salt/sensoroni/files/analyzers/ja3er/ja3er.json
deleted file mode 100644
index de072d0b7..000000000
--- a/salt/sensoroni/files/analyzers/ja3er/ja3er.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "name": "JA3er Hash Search",
- "version": "0.1",
- "author": "Security Onion Solutions",
- "description": "This analyzer queries JA3er user agents and sightings",
- "supportedTypes" : ["ja3"]
-}
diff --git a/salt/sensoroni/files/analyzers/ja3er/ja3er.py b/salt/sensoroni/files/analyzers/ja3er/ja3er.py
deleted file mode 100755
index c1018a880..000000000
--- a/salt/sensoroni/files/analyzers/ja3er/ja3er.py
+++ /dev/null
@@ -1,53 +0,0 @@
-import json
-import os
-import requests
-import helpers
-import argparse
-
-
-def sendReq(conf, meta, hash):
- url = conf['base_url'] + hash
- response = requests.request('GET', url)
- return response.json()
-
-
-def prepareResults(raw):
- if "error" in raw:
- if "Sorry" in raw["error"]:
- status = "ok"
- summary = "no_results"
- elif "Invalid hash" in raw["error"]:
- status = "caution"
- summary = "invalid_input"
- else:
- status = "caution"
- summary = "internal_failure"
- else:
- status = "info"
- summary = "suspicious"
- results = {'response': raw, 'summary': summary, 'status': status}
- return results
-
-
-def analyze(conf, input):
- meta = helpers.loadMetadata(__file__)
- data = helpers.parseArtifact(input)
- helpers.checkSupportedType(meta, data["artifactType"])
- response = sendReq(conf, meta, data["value"])
- return prepareResults(response)
-
-
-def main():
- dir = os.path.dirname(os.path.realpath(__file__))
- parser = argparse.ArgumentParser(description='Search JA3er for a given artifact')
- parser.add_argument('artifact', help='the artifact represented in JSON format')
- parser.add_argument('-c', '--config', metavar="CONFIG_FILE", default=dir + "/ja3er.yaml", help='optional config file to use instead of the default config file')
-
- args = parser.parse_args()
- if args.artifact:
- results = analyze(helpers.loadConfig(args.config), args.artifact)
- print(json.dumps(results))
-
-
-if __name__ == "__main__":
- main()
diff --git a/salt/sensoroni/files/analyzers/ja3er/ja3er.yaml b/salt/sensoroni/files/analyzers/ja3er/ja3er.yaml
deleted file mode 100644
index 40d6f64dd..000000000
--- a/salt/sensoroni/files/analyzers/ja3er/ja3er.yaml
+++ /dev/null
@@ -1 +0,0 @@
-base_url: https://ja3er.com/search/
diff --git a/salt/sensoroni/files/analyzers/ja3er/ja3er_test.py b/salt/sensoroni/files/analyzers/ja3er/ja3er_test.py
deleted file mode 100644
index 41de4e9c7..000000000
--- a/salt/sensoroni/files/analyzers/ja3er/ja3er_test.py
+++ /dev/null
@@ -1,72 +0,0 @@
-from io import StringIO
-import sys
-from unittest.mock import patch, MagicMock
-from ja3er import ja3er
-import unittest
-
-
-class TestJa3erMethods(unittest.TestCase):
-
- def test_main_missing_input(self):
- with patch('sys.exit', new=MagicMock()) as sysmock:
- with patch('sys.stderr', new=StringIO()) as mock_stderr:
- sys.argv = ["cmd"]
- ja3er.main()
- self.assertEqual(mock_stderr.getvalue(), "usage: cmd [-h] [-c CONFIG_FILE] artifact\ncmd: error: the following arguments are required: artifact\n")
- sysmock.assert_called_once_with(2)
-
- def test_main_success(self):
- output = {"foo": "bar"}
- with patch('sys.stdout', new=StringIO()) as mock_stdout:
- with patch('ja3er.ja3er.analyze', new=MagicMock(return_value=output)) as mock:
- sys.argv = ["cmd", "input"]
- ja3er.main()
- expected = '{"foo": "bar"}\n'
- self.assertEqual(mock_stdout.getvalue(), expected)
- mock.assert_called_once()
-
- def test_sendReq(self):
- with patch('requests.request', new=MagicMock(return_value=MagicMock())) as mock:
- meta = {}
- conf = {"base_url": "myurl/"}
- hash = "abcd1234"
- response = ja3er.sendReq(conf=conf, meta=meta, hash=hash)
- mock.assert_called_once_with("GET", "myurl/abcd1234")
- self.assertIsNotNone(response)
-
- def test_prepareResults_none(self):
- raw = {"error": "Sorry no values found"}
- results = ja3er.prepareResults(raw)
- self.assertEqual(results["response"], raw)
- self.assertEqual(results["summary"], "no_results")
- self.assertEqual(results["status"], "ok")
-
- def test_prepareResults_invalidHash(self):
- raw = {"error": "Invalid hash"}
- results = ja3er.prepareResults(raw)
- self.assertEqual(results["response"], raw)
- self.assertEqual(results["summary"], "invalid_input")
- self.assertEqual(results["status"], "caution")
-
- def test_prepareResults_internal_failure(self):
- raw = {"error": "unknown"}
- results = ja3er.prepareResults(raw)
- self.assertEqual(results["response"], raw)
- self.assertEqual(results["summary"], "internal_failure")
- self.assertEqual(results["status"], "caution")
-
- def test_prepareResults_info(self):
- raw = [{"User-Agent": "Blah/5.0", "Count": 24874, "Last_seen": "2022-04-08 16:18:38"}, {"Comment": "Brave browser v1.36.122\n\n", "Reported": "2022-03-28 20:26:42"}]
- results = ja3er.prepareResults(raw)
- self.assertEqual(results["response"], raw)
- self.assertEqual(results["summary"], "suspicious")
- self.assertEqual(results["status"], "info")
-
- def test_analyze(self):
- output = {"info": "Results found."}
- artifactInput = '{"value":"abcd1234","artifactType":"ja3"}'
- conf = {"base_url": "myurl/"}
- with patch('ja3er.ja3er.sendReq', new=MagicMock(return_value=output)) as mock:
- results = ja3er.analyze(conf, artifactInput)
- self.assertEqual(results["summary"], "suspicious")
- mock.assert_called_once()
diff --git a/salt/sensoroni/files/analyzers/ja3er/requirements.txt b/salt/sensoroni/files/analyzers/ja3er/requirements.txt
deleted file mode 100644
index a8980057f..000000000
--- a/salt/sensoroni/files/analyzers/ja3er/requirements.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-requests>=2.27.1
-pyyaml>=6.0
diff --git a/salt/sensoroni/files/analyzers/ja3er/source-packages/certifi-2021.10.8-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/ja3er/source-packages/certifi-2021.10.8-py2.py3-none-any.whl
deleted file mode 100644
index fbcb86b5f..000000000
Binary files a/salt/sensoroni/files/analyzers/ja3er/source-packages/certifi-2021.10.8-py2.py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/ja3er/source-packages/charset_normalizer-2.0.12-py3-none-any.whl b/salt/sensoroni/files/analyzers/ja3er/source-packages/charset_normalizer-2.0.12-py3-none-any.whl
deleted file mode 100644
index 17a2dfbeb..000000000
Binary files a/salt/sensoroni/files/analyzers/ja3er/source-packages/charset_normalizer-2.0.12-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/ja3er/source-packages/idna-3.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/ja3er/source-packages/idna-3.3-py3-none-any.whl
deleted file mode 100644
index 060541bc9..000000000
Binary files a/salt/sensoroni/files/analyzers/ja3er/source-packages/idna-3.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/ja3er/source-packages/requests-2.27.1-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/ja3er/source-packages/requests-2.27.1-py2.py3-none-any.whl
deleted file mode 100644
index 807fc6110..000000000
Binary files a/salt/sensoroni/files/analyzers/ja3er/source-packages/requests-2.27.1-py2.py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/ja3er/source-packages/urllib3-1.26.9-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/ja3er/source-packages/urllib3-1.26.9-py2.py3-none-any.whl
deleted file mode 100644
index 5019453dd..000000000
Binary files a/salt/sensoroni/files/analyzers/ja3er/source-packages/urllib3-1.26.9-py2.py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/ja3er/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
similarity index 100%
rename from salt/sensoroni/files/analyzers/ja3er/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
rename to salt/sensoroni/files/analyzers/localfile/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl b/salt/sensoroni/files/analyzers/otx/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
similarity index 100%
rename from salt/sensoroni/files/analyzers/localfile/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
rename to salt/sensoroni/files/analyzers/otx/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
diff --git a/salt/sensoroni/files/analyzers/pulsedive/README.md b/salt/sensoroni/files/analyzers/pulsedive/README.md
index d3879fb8d..7550457a8 100644
--- a/salt/sensoroni/files/analyzers/pulsedive/README.md
+++ b/salt/sensoroni/files/analyzers/pulsedive/README.md
@@ -5,7 +5,7 @@ Search Pulsedive for a domain, hash, IP, URI, URL, or User Agent.
 ## Configuration Requirements
-``api_key`` - API key used for communication with the Virustotal API
+``api_key`` - API key used for communication with the Pulsedive API
 This value should be set in the ``sensoroni`` pillar, like so:
diff --git a/salt/sensoroni/files/analyzers/pulsedive/pulsedive.py b/salt/sensoroni/files/analyzers/pulsedive/pulsedive.py
index fd9e0072f..68e08bfa2 100644
--- a/salt/sensoroni/files/analyzers/pulsedive/pulsedive.py
+++ b/salt/sensoroni/files/analyzers/pulsedive/pulsedive.py
@@ -91,7 +91,7 @@ def analyze(conf, input):
 def main():
 dir = os.path.dirname(os.path.realpath(__file__))
- parser = argparse.ArgumentParser(description='Search VirusTotal for a given artifact')
+ parser = argparse.ArgumentParser(description='Search Pulsedive for a given artifact')
 parser.add_argument('artifact', help='the artifact represented in JSON format')
 parser.add_argument('-c', '--config', metavar="CONFIG_FILE", default=dir + "/pulsedive.yaml", help='optional config file to use instead of the default config file')
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
similarity index 100%
rename from salt/sensoroni/files/analyzers/otx/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
rename to salt/sensoroni/files/analyzers/pulsedive/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl b/salt/sensoroni/files/analyzers/spamhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
similarity index 100%
rename from salt/sensoroni/files/analyzers/pulsedive/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
rename to salt/sensoroni/files/analyzers/spamhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
diff --git a/salt/sensoroni/files/analyzers/spamhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
similarity index 100%
rename from salt/sensoroni/files/analyzers/spamhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
rename to salt/sensoroni/files/analyzers/urlhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
diff --git a/salt/sensoroni/files/analyzers/urlscan/README.md b/salt/sensoroni/files/analyzers/urlscan/README.md
index 9f33c3106..cab1e7aa6 100644
--- a/salt/sensoroni/files/analyzers/urlscan/README.md
+++ b/salt/sensoroni/files/analyzers/urlscan/README.md
@@ -5,7 +5,7 @@ Submit a URL to Urlscan for analysis. ## Configuration Requirements -``api_key`` - API key used for communication with the Virustotal API +``api_key`` - API key used for communication with the urlscan API ``enabled`` - Determines whether or not the analyzer is enabled. Defaults to ``False`` ``visibility`` - Determines whether or not scan results are visibile publicly. Defaults to ``public`` ``timeout`` - Time to wait for scan results. Defaults to ``180``s
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
similarity index 100%
rename from salt/sensoroni/files/analyzers/urlhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
rename to salt/sensoroni/files/analyzers/urlscan/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
diff --git a/salt/sensoroni/files/analyzers/urlscan/urlscan.py b/salt/sensoroni/files/analyzers/urlscan/urlscan.py
index a07e61c89..1f226da53 100755
--- a/salt/sensoroni/files/analyzers/urlscan/urlscan.py
+++ b/salt/sensoroni/files/analyzers/urlscan/urlscan.py
@@ -77,7 +77,7 @@ def analyze(conf, input): def main(): dir = os.path.dirname(os.path.realpath(__file__)) - parser = argparse.ArgumentParser(description='Search Alienvault OTX for a given artifact') + parser = argparse.ArgumentParser(description='Search urlscan for a given artifact') parser.add_argument('artifact', help='the artifact represented in JSON format') parser.add_argument('-c', '--config', metavar="CONFIG_FILE", default=dir + "/urlscan.yaml", help='optional config file to use instead of the default config file')
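Review bot: The config file this parser wires up on the last line of the urlscan.py hunk (`urlscan.yaml`) is documented in the README hunk of this same section as defaulting `visibility` to `public`, so unless the pillar overrides it, every artifact an analyst submits — internal hostnames, URLs carrying session tokens or signed links — is, as the README describes it, publicly visible on urlscan. Where the analyzer actually reads that value lies outside this hunk, but a non-public default, with the README stating plainly that `public` discloses the submitted URL to anyone, would be the safer choice. While that README is touched, `visibile` should read `visible`.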
diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
deleted file mode 100644
index d2b6c37f9..000000000
Binary files a/salt/sensoroni/files/analyzers/virustotal/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
similarity index 100%
rename from salt/sensoroni/files/analyzers/urlscan/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
rename to salt/sensoroni/files/analyzers/virustotal/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json
index 55d269a8b..de1c2a703 100644
--- a/salt/soc/files/soc/dashboards.queries.json
+++ b/salt/soc/files/soc/dashboards.queries.json
@@ -1,8 +1,8 @@ [ { "name": "Overview", "description": "Overview of all events", "query": "* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "SOC Auth", "description": "Show all SOC authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"}, + { "name": "SOC Auth", "description": "SOC (Security Onion Console) authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"}, { "name": "Elastalerts", "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name | groupby alert_info.type"}, - { "name": "Alerts", "description": "Show all alerts", "query": "event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "Alerts", "description": "Overview of all alerts", "query": "event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "NIDS Alerts", "description": "NIDS alerts", "query": "event.category:network AND event.dataset:alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Wazuh/OSSEC", "description": "Wazuh/OSSEC HIDS alerts and logs", "query": "event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | 
groupby log.full"}, { "name": "Sysmon Overview", "description": "Overview of all Sysmon data types", "query": "event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port"}, 
@@ -11,41 +11,54 @@ { "name": "Sysmon Process", "description": "Process activity captured by Sysmon", "query": "(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable"}, { "name": "Sysmon File", "description": "File activity captured by Sysmon", "query": "(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable"}, { "name": "Sysmon Network", "description": "Network activity captured by Sysmon", "query": "event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"}, - { "name": "Strelka", "description": "Strelka logs", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"}, - { "name": "Zeek Notice", "description": "Zeek Notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "Connections", "description": "Connection logs", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state 
| groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"}, - { "name": "DCE_RPC", "description": "DCE_RPC logs", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "DHCP", "description": "Dynamic Host Configuration Protocol leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address"}, - { "name": "DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3 | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "DNS", "description": "Domain Name System queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "DPD", "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol"}, + { "name": "Strelka", "description": "Strelka file analysis", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"}, + { "name": "Zeek Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "Connections", "description": "Network connection metadata", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip 
| groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"}, + { "name": "DCE_RPC", "description": "DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "DHCP", "description": "DHCP (Dynamic Host Configuration Protocol) leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address"}, + { "name": "DNS", "description": "DNS (Domain Name System) queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "DPD", "description": "DPD (Dynamic Protocol Detection) errors", "query": "event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol"}, { "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip"}, - { "name": "FTP", "description": "File Transfer Protocol logs", "query": "event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "HTTP", "description": "Hyper Text Transport Protocol logs", "query": 
"event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "FTP", "description": "FTP (File Transfer Protocol) network metadata", "query": "event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "HTTP", "description": "HTTP (Hyper Text Transport Protocol) network metadata", "query": "event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Intel", "description": "Zeek Intel framework hits", "query": "event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "IRC", "description": "Internet Relay Chat logs", "query": "event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "Kerberos", "description": "Kerberos logs", "query": "event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "MODBUS", "description": "MODBUS logs", "query": "event.dataset:modbus | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "MYSQL", "description": "MYSQL logs", "query": "event.dataset:mysql | groupby mysql.command | groupby 
mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "NOTICE", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "NTLM", "description": "NTLM logs", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "IRC", "description": "IRC (Internet Relay Chat) network metadata", "query": "event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "Kerberos", "description": "Kerberos network metadata", "query": "event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "MySQL", "description": "MySQL network metadata", "query": "event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "NTLM", "description": "NTLM (New Technology LAN Manager) network metadata", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | 
groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Osquery Live Queries", "description": "Osquery Live Query results", "query": "event.dataset:live_query | groupby host.hostname"}, - { "name": "PE", "description": "PE files list", "query": "event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit"}, - { "name": "RADIUS", "description": "RADIUS logs", "query": "event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "RDP", "description": "RDP logs", "query": "event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "RFB", "description": "RFB logs", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "PE", "description": "PE (Portable Executable) files transferred via network traffic", "query": "event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit"}, + { "name": "RADIUS", "description": "RADIUS (Remote Authentication Dial-In User Service) network metadata", "query": "event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "RDP", "description": "RDP (Remote Desktop Protocol) network metadata", "query": "event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "RFB", "description": "RFB (Remote Frame Buffer) network metadata", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Signatures", "description": "Zeek signatures", "query": 
"event.dataset:signatures | groupby signature_id"}, - { "name": "SIP", "description": "SIP logs", "query": "event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "SMB_Files", "description": "SMB files", "query": "event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "SMB_Mapping", "description": "SMB mapping logs", "query": "event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "SMTP", "description": "SMTP logs", "query": "event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "SNMP", "description": "SNMP logs", "query": "event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "Software", "description": "List of software seen on the network by Zeek", "query": "event.dataset:software | groupby software.type | groupby software.name | groupby source.ip"}, - { "name": "SSH", "description": "SSH connections seen by Zeek", "query": "event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "SSL", "description": "SSL logs", "query": "event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "SYSLOG", "description": "SYSLOG logs", "query": 
"event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "Tunnel", "description": "Tunnels seen by Zeek", "query": "event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "SIP", "description": "SIP (Session Initiation Protocol) network metadata", "query": "event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "SMB_Files", "description": "Files transferred via SMB (Server Message Block)", "query": "event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "SMB_Mapping", "description": "SMB (Server Message Block) mapping network metadata", "query": "event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "SMTP", "description": "SMTP (Simple Mail Transfer Protocol) network metadata", "query": "event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "SNMP", "description": "SNMP (Simple Network Management Protocol) network metadata", "query": "event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "Software", "description": "Software seen by Zeek via network traffic", "query": "event.dataset:software | groupby software.type | groupby software.name | groupby source.ip"}, + { "name": "SSH", "description": "SSH (Secure Shell) connections seen by Zeek", "query": 
"event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "SSL", "description": "SSL/TLS network metadata", "query": "event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "STUN", "description": "STUN (Session Traversal Utilities for NAT) network metadata", "query": "event.dataset:stun* | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby event.dataset"}, + { "name": "Syslog", "description": "Syslog logs", "query": "event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "TDS", "description": "TDS (Tabular Data Stream) network metadata", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query"}, + { "name": "Tunnel", "description": "Tunnels seen by Zeek", "query": "event.dataset:tunnel | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port "}, + { "name": "WireGuard", 
"description": "WireGuard VPN network metadata", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"}, + { "name": "ICS Overview", "description": "Overview of ICS (Industrial Control Systems) network metadata", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"}, + { "name": "ICS BACnet", "description": "BACnet (Building Automation and Control Networks) network metadata", "query": "event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS BSAP", "description": "BSAP (Bristol Standard Asynchronous Protocol) network metadata", "query": "event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS CIP", "description": "CIP (Common Industrial Protocol) network metadata", "query": "event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS COTP", "description": "COTP (Connection Oriented Transport Protocol) network metadata", "query": "event.dataset:cotp* | groupby -sankey source.ip destination.ip | groupby cotp.pdu.name | groupby cotp.pdu.code | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { 
"name": "ICS DNP3", "description": "DNP3 (Distributed Network Protocol) network metadata", "query": "event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS ECAT", "description": "ECAT (Ethernet for Control Automation Technology) network metadata", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby event.dataset | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type"}, + { "name": "ICS ENIP", "description": "ENIP (Ethernet Industrial Protocol) network metadata", "query": "event.dataset:enip* | groupby -sankey source.ip destination.ip | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS Modbus", "description": "Modbus network metadata", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS OPC UA", "description": "OPC UA (Unified Architecture) network metadata", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS Profinet", "description": "Profinet (Process Field Network) network metadata", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS S7", "description": "S7 (Siemens) network metadata", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | 
groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"} ]
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index 0c7959b70..9c0c9b114 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
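Review bot: In the `@@ -11,41 +11,54 @@` hunk of dashboards.queries.json the renamed `Notice` entry and the `Zeek Notice` entry are now exact duplicates — the same `event.dataset:notice | groupby notice.note | ...` query and, after this change, the same description `Zeek notice logs` — so the dashboard list offers the identical view twice; one of the two should be dropped, or the descriptions should say what distinguishes them. The unchanged `Weird` entry still carries a trailing space inside its query string (`groupby destination.port "`), which is worth trimming while this file is being edited.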
@@ -4,7 +4,9 @@ "::conn": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "network.protocol", "log.id.uid", "network.community_id" ], "::dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dce_rpc.endpoint", "dce_rpc.named_pipe", "dce_rpc.operation", "log.id.uid" ], "::dhcp": ["soc_timestamp", "client.address", "server.address", "host.domain", "host.hostname", "dhcp.message_types", "log.id.uid" ], - "::dnp3": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.fc_reply", "log.id.uid" ], + "::dnp3": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.fc_request", "dnp3.fc_reply", "log.id.uid" ], + "::dnp3_control": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.function_code", "dnp3.block_type", "log.id.uid" ], + "::dnp3_objects": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.function_code", "dnp3.object_type", "log.id.uid" ], "::dns": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "dns.query.name", "dns.query.type_name", "dns.response.code_name", "log.id.uid", "network.community_id" ], "::dpd": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.protocol", "observer.analyser", "error.reason", "log.id.uid" ], "::file": ["soc_timestamp", "source.ip", "destination.ip", "file.name", "file.mime_type", "file.source", "file.bytes.total", "log.id.fuid", "log.id.uid" ], 
@@ -56,6 +58,53 @@
 "::process_creation": ["soc_timestamp","process.command_line", "process.pid", "process.parent.executable", "process.working_directory"],
 "::registry_create_delete": ["soc_timestamp", "winlog.event_data.TargetObject", "process.executable", "process.pid", "winlog.computer_name"],
 "::dns_query": ["soc_timestamp", "dns.query.name", "dns.answers.name", "process.executable", "winlog.computer_name"],
- "::file_create_stream_hash": ["soc_timestamp", "file.target", "hash.md5", "hash.sha256", "process.executable", "process.pid", "winlog.computer_name"]
+ "::file_create_stream_hash": ["soc_timestamp", "file.target", "hash.md5", "hash.sha256", "process.executable", "process.pid", "winlog.computer_name"],
+ "::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ],
+ "::bacnet_discovery": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.vendor", "bacnet.pdu.service", "log.id.uid" ],
+ "::bacnet_property": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.property", "bacnet.pdu.service", "log.id.uid" ],
+ "::bsap_ip_header": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bsap.message.type", "bsap.number.messages", "log.id.uid" ],
+ "::bsap_ip_rdb": ["soc_timestamp", "bsap.application.function", "bsap.application.sub.function", "bsap.vector.variables", "log.id.uid" ],
+ "::bsap_serial_header": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bsap.source.function", "bsap.destination.function", "bsap.message.type", "log.id.uid" ],
+ "::bsap_serial_rdb": ["soc_timestamp", "bsap.rdb.function", "bsap.vector.variables", "log.id.uid" ],
+ "::cip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.service", "cip.status_code", "log.id.uid", "event.dataset" ],
+ "::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ],
+ "::cip_io": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.connection.id", "cip.io.data", "log.id.uid" ],
+ "::cotp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cotp.pdu.name", "log.id.uid" ],
+ "::ecat_arp_info": ["soc_timestamp", "source.ip", "destination.ip", "source.mac", "destination.mac", "ecat.arp.type" ],
+ "::ecat_aoe_info": ["soc_timestamp", "source.mac", "source.port", "destination.mac", "destination.port", "ecat.command" ],
+ "::ecat_coe_info": ["soc_timestamp", "ecat.message.number", "ecat.message.type", "ecat.request.response.type", "ecat.index", "ecat.sub.index" ],
+ "::ecat_dev_info": ["soc_timestamp", "ecat.device.type", "ecat.features", "ecat.ram.size", "ecat.revision", "ecat.slave.address" ],
+ "::ecat_log_address": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command" ],
+ "::ecat_registers": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command", "ecat.register.type" ],
+ "::enip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "enip.command", "enip.status_code", "log.id.uid", "event.dataset" ],
+ "::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ],
+ "::opcua_binary": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.message_type", "log.id.uid" ],
+ "::opcua_binary_activate_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.identifier_string", "opcua.user_name", "log.id.uid" ],
+ "::opcua_binary_activate_session_diagnostic_info": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.activate_session_diag_info_link_id", "opcua.diag_info_link_id", "log.id.uid" ],
+ "::opcua_binary_activate_session_locale_id": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.local_id", "opcua.locale_link_id", "log.id.uid" ],
+ "::opcua_binary_browse": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.service_type", "log.id.uid" ],
+ "::opcua_binary_browse_description": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid" ],
+ "::opcua_binary_browse_response_references": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.node_class", "opcua.display_name_text", "log.id.uid" ],
+ "::opcua_binary_browse_result": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.response_link_id", "log.id.uid" ],
+ "::opcua_binary_create_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "log.id.uid" ],
+ "::opcua_binary_create_session_endpoints": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.endpoint_link_id", "opcua.endpoint_url", "log.id.uid" ],
+ "::opcua_binary_create_session_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token_link_id", "log.id.uid" ],
+ "::opcua_binary_create_subscription": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "log.id.uid" ],
+ "::opcua_binary_get_endpoints": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.endpoint_url", "opcua.link_id", "log.id.uid" ],
+ "::opcua_binary_get_endpoints_description": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.endpoint_description_link_id", "opcua.endpoint_uri", "log.id.uid" ],
+ "::opcua_binary_get_endpoints_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token_link_id", "opcua.user_token_type", "log.id.uid" ],
+ "::opcua_binary_read": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.read_results_link_id", "log.id.uid" ],
+ "::opcua_binary_status_code_detail": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.info_type_string", "opcua.source_string", "log.id.uid" ],
+ "::profinet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.index", "profinet.operation_type", "log.id.uid" ],
+ "::profinet_dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.operation", "log.id.uid" ],
+ "::s7comm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.ros.control.name", "s7.function.name", "log.id.uid" ],
+ "::s7comm_plus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.opcode.name", "s7.version", "log.id.uid" ],
+ "::s7comm_read_szl": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.szl_id_name", "s7.return_code_name", "log.id.uid" ],
+ "::s7comm_upload_download": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.ros.control.name", "s7.function_code", "log.id.uid" ],
+ "::tds": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.command", "log.id.uid", "event.dataset" ],
+ "::tds_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.procedure_name", "log.id.uid", "event.dataset" ],
+ "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ]
+
+ }
diff --git a/salt/soc/files/soc/motd.md b/salt/soc/files/soc/motd.md
index fbc643993..061707fac 100644
--- a/salt/soc/files/soc/motd.md
+++ b/salt/soc/files/soc/motd.md
@@ -6,7 +6,7 @@ If you're ready to dive in, take a look at the [Alerts](/#/alerts) interface to
 ## What's New
-To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/#release-notes) link.
+To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/release-notes.html) link.
 ## Customize This Space
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index e6ee71b51..7c58796e3 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -123,15 +123,9 @@
 }
 },
 "client": {
- {%- if ISAIRGAP is sameas true %}
 "docsUrl": "/docs/",
 "cheatsheetUrl": "/docs/cheatsheet.pdf",
- "releaseNotesUrl": "/docs/#release-notes",
- {%- else %}
- "docsUrl": "https://docs.securityonion.net/en/2.3/",
- "cheatsheetUrl": "https://github.com/Security-Onion-Solutions/securityonion-docs/raw/2.3/images/cheat-sheet/Security-Onion-Cheat-Sheet.pdf",
- "releaseNotesUrl": "https://docs.securityonion.net/en/2.3/release-notes",
- {%- endif %}
+ "releaseNotesUrl": "/docs/release-notes.html",
 "apiTimeoutMs": {{ API_TIMEOUT }},
 "webSocketTimeoutMs": {{ WEBSOCKET_TIMEOUT }},
 "tipTimeoutMs": {{ TIP_TIMEOUT }},
diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml
index 2ac90ede3..8df73a212 100644
--- a/salt/strelka/defaults.yaml
+++ b/salt/strelka/defaults.yaml
@@ -8,3 +8,11 @@ strelka:
 - general_cloaking.yar
 - thor_inverse_matches.yar
 - yara_mixed_ext_vars.yar
+ - apt_apt27_hyperbro.yar
+ - apt_turla_gazer.yar
+ - gen_google_anomaly.yar
+ - gen_icon_anomalies.yar
+ - gen_nvidia_leaked_cert.yar
+ - gen_sign_anomalies.yar
+ - gen_susp_xor.yar
+ - gen_webshells_ext_vars.yar
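Review bot: The eight new `.yar` entries extend the Strelka ignore list (the `strelka:ignore` value that salt/strelka/init.sls reads from this file) without saying why each rule file is excluded, and two of them are APT-specific detections (`apt_apt27_hyperbro.yar`, `apt_turla_gazer.yar`) rather than the `_ext_vars`/anomaly files that hint at a compile-time problem. Silently dropping signatures is a coverage regression nobody will notice later, so each entry should carry a one-line reason, e.g. `# needs external variables Strelka does not define` or `# fails to compile under the bundled yara` — whichever applies; I am inferring the motive. If it is a compile failure, naming the yara/Strelka version it was seen with lets these entries be retired when that is fixed.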
diff --git a/salt/strelka/filecheck/filecheck b/salt/strelka/filecheck/filecheck
new file mode 100644
index 000000000..146625552
--- /dev/null
+++ b/salt/strelka/filecheck/filecheck
@@ -0,0 +1,104 @@
+#!/usr/bin/env python3
+
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+import os
+import shutil
+import time
+import hashlib
+import logging
+import yaml
+from watchdog.observers import Observer
+from watchdog.events import FileSystemEventHandler
+
+with open("/opt/so/conf/strelka/filecheck.yaml", "r") as ymlfile:
+ cfg = yaml.load(ymlfile)
+
+extract_path = cfg["filecheck"]["extract_path"]
+historypath = cfg["filecheck"]["historypath"]
+strelkapath = cfg["filecheck"]["strelkapath"]
+logfile = cfg["filecheck"]["logfile"]
+recycle_secs = cfg["filecheck"].get("recycle_secs", 300)
+
+logging.basicConfig(filename=logfile, filemode='w', format='%(asctime)s - %(message)s', datefmt='%d-%b-%y %H:%M:%S', level=logging.INFO)
+
+def checkexisting():
+ logging.info("Checking for existing files");
+ for root, dirs, files in os.walk(extract_path):
+ for file in files:
+ try:
+ path = os.path.join(root, file)
+ filename = os.path.join(extract_path, path)
+ checksum(filename)
+ except Exception as err:
+ logging.error("Failed to process file: " + file)
+
+def checksum(filename):
+ if os.path.isfile(filename) and "/tmp/" not in filename:
+ with open(filename, 'rb') as afile:
+ logging.info("Processing file: " + filename)
+ shawnuff = hashlib.sha1()
+ buf = afile.read(8192)
+ while len(buf) > 0:
+ shawnuff.update(buf)
+ buf = afile.read(8192)
+ hizash=shawnuff.hexdigest()
+ process(filename, hizash)
+
+def process(filename, hizash):
+ if os.path.exists(historypath + hizash):
+ logging.info(filename + " Already exists.. removing")
+ os.remove(filename)
+ else:
+ # Write the file
+ logging.info(filename + " is new. Creating a record and sending to Strelka")
+ with open(os.path.join(historypath + hizash), 'w') as fp:
+ pass
+ head, tail = os.path.split(filename)
+
+ # Move the file
+ shutil.move(filename, strelkapath + tail)
+
+class CreatedEventHandler(FileSystemEventHandler):
+ def on_created(self, event):
+ checksum(event.src_path)
+
+if __name__ == "__main__":
+ logging.info("Starting filecheck")
+
+ checkexisting()
+
+ event_handler =CreatedEventHandler()
+
+ shutdown = False
+ while not shutdown:
+ logging.info("Scheduling observer")
+ observer = Observer()
+ observer.schedule(event_handler, extract_path, recursive=True)
+ observer.start()
+ try:
+ time.sleep(recycle_secs)
+ except KeyboardInterrupt:
+ logging.warn("User requested shutdown")
+ shutdown = True
+
+ observer.stop()
+ observer.join()
+
+ if not shutdown:
+ logging.info("Recycling observer to pick up new subdirectories")
+
+ logging.info("Exiting filecheck")
diff --git a/salt/strelka/filecheck/filecheck.yaml b/salt/strelka/filecheck/filecheck.yaml
new file mode 100644
index 000000000..2b46afdf5
--- /dev/null
+++ b/salt/strelka/filecheck/filecheck.yaml
@@ -0,0 +1,11 @@
+{%- set ENGINE = salt['pillar.get']('global:mdengine', '') %}
+filecheck:
+ {%- if ENGINE == "SURICATA" %}
+ extract_path: '/nsm/suricata/extracted'
+ {%- else %}
+ extract_path: '/nsm/zeek/extracted/complete'
+ {%- endif %}
+ historypath: '/nsm/strelka/history/'
+ strelkapath: '/nsm/strelka/unprocessed/'
+ logfile: '/opt/so/log/strelka/filecheck.log'
+
diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
index 56a5b9dcc..b372e6f6c 100644
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
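Review bot: `cfg = yaml.load(ymlfile)` passes no Loader; PyYAML 5.x warns and falls back to the full loader, and PyYAML 6 raises TypeError, so on a current system the script dies before the watcher starts — `cfg = yaml.safe_load(ymlfile)` is all this flat config needs. The dedup key computed in `checksum()` is SHA-1, and `process()` deletes any file whose digest already exists under `historypath` without sending it to Strelka; SHA-1 collisions are practical today, so a colliding file would skip scanning entirely — `hashlib.sha256()` costs nothing here and matches the `hash.sha256` field the rest of the platform already uses. The `except Exception as err` in `checkexisting()` logs only the file name; `logging.exception("Failed to process file: %s", file)` keeps the traceback that explains why. Also worth confirming: `on_created` fires when the file appears, not when it is closed, and the extract.zeek hunk in this commit creates files with `cp`, so a large extraction may be hashed and moved while still being written — a size-stable check before `checksum()`, or handling `on_closed` where the watchdog version provides it, would avoid recording a truncated hash.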
@@ -24,6 +24,26 @@
 {% import_yaml 'strelka/defaults.yaml' as strelka_config with context %}
 {% set IGNORELIST = salt['pillar.get']('strelka:ignore', strelka_config.strelka.ignore, merge=True, merge_nested_lists=True) %}
+{% if ENGINE == "SURICATA" %}
+ {% set filecheck_runas = 'suricata' %}
+{% else %}
+ {% set filecheck_runas = 'socore' %}
+{% endif %}
+
+{% if grains['os'] != 'CentOS' %}
+strelkapkgs:
+ pkg.installed:
+ - skip_suggestions: True
+ - pkgs:
+ - python3-watchdog
+{% else %}
+strelkapkgs:
+ pkg.installed:
+ - skip_suggestions: True
+ - pkgs:
+ - securityonion-python36-watchdog
+{% endif %}
+
 # Strelka config
 strelkaconfdir:
 file.directory:
@@ -79,7 +99,7 @@ strelkarepos:
 {% endif %}
 strelkadatadir:
- file.directory:
+ file.directory:
 - name: /nsm/strelka
 - user: 939
 - group: 939
@@ -93,30 +113,73 @@ strelkalogdir:
 - makedirs: True
 strelkaprocessed:
- file.directory:
+ file.directory:
 - name: /nsm/strelka/processed
 - user: 939
 - group: 939
 - makedirs: True
 strelkastaging:
- file.directory:
+ file.directory:
 - name: /nsm/strelka/staging
 - user: 939
 - group: 939
 - makedirs: True
 strelkaunprocessed:
- file.directory:
+ file.directory:
 - name: /nsm/strelka/unprocessed
 - user: 939
 - group: 939
+ - mode: 775
 - makedirs: True
 # Check to see if Strelka frontend port is available
 strelkaportavailable:
- cmd.run:
- - name: netstat -utanp | grep ":57314" | grep -qvE 'docker|TIME_WAIT' && PROCESS=$(netstat -utanp | grep ":57314" | uniq) && echo "Another process ($PROCESS) appears to be using port 57314. Please terminate this process, or reboot to ensure a clean state so that Strelka can start properly." && exit 1 || exit 0
+ cmd.run:
+ - name: netstat -utanp | grep ":57314" | grep -qvE 'docker|TIME_WAIT' && PROCESS=$(netstat -utanp | grep ":57314" | uniq) && echo "Another process ($PROCESS) appears to be using port 57314. Please terminate this process, or reboot to ensure a clean state so that Strelka can start properly." && exit 1 || exit 0
+
+# Filecheck Section
+filecheck_logdir:
+ file.directory:
+ - name: /opt/so/log/strelka
+ - user: 939
+ - group: 939
+ - mode: 775
+ - makedirs: True
+
+filecheck_history:
+ file.directory:
+ - name: /nsm/strelka/history
+ - user: 939
+ - group: 939
+ - mode: 775
+ - makedirs: True
+
+filecheck_conf:
+ file.managed:
+ - name: /opt/so/conf/strelka/filecheck.yaml
+ - source: salt://strelka/filecheck/filecheck.yaml
+ - template: jinja
+
+filecheck_script:
+ file.managed:
+ - name: /opt/so/conf/strelka/filecheck
+ - source: salt://strelka/filecheck/filecheck
+ - user: 939
+ - group: 939
+ - mode: 755
+
+filecheck_run:
+ cron.present:
+ - name: 'ps -ef | grep filecheck | grep -v grep || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
+ - user: {{ filecheck_runas }}
+
+filcheck_history_clean:
+ cron.present:
+ - name: '/usr/bin/find /nsm/strelka/history/ -type f -mtime +2 -exec rm {} + > /dev/null 2>&1'
+ - minute: '33'
+# End Filecheck Section
 strelka_coordinator:
 docker_container.running:
@@ -212,7 +275,7 @@ strelka_zeek_extracted_sync_old:
 {% if ENGINE == "SURICATA" %}
 strelka_suricata_extracted_sync:
- cron.present:
+ cron.absent:
 - user: root
 - identifier: zeek-extracted-strelka-sync
 - name: '[ -d /nsm/suricata/extracted/ ] && find /nsm/suricata/extracted/* -not \( -path /nsm/suricata/extracted/tmp -prune \) -type f -print0 | xargs -0 -I {} mv {} /nsm/strelka/unprocessed/ > /dev/null 2>&1'
@@ -220,7 +283,7 @@ strelka_suricata_extracted_sync:
 {% else %}
 strelka_zeek_extracted_sync:
- cron.present:
+ cron.absent:
 - user: root
 - identifier: zeek-extracted-strelka-sync
 - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/unprocessed/ > /dev/null 2>&1'
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index db09e310b..cef56bdb1 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
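Review bot: Neither `filecheck_run` nor `filcheck_history_clean` sets `- identifier`, so Salt keys these crontab entries on the full `name` string and any later edit to the command leaves the old entry running alongside the new one; the two `cron.absent` hunks that follow are cleaning up exactly that pattern, so add `- identifier: strelka-filecheck` and `- identifier: strelka-filecheck-history-clean` (names are my suggestion) now. The state id `filcheck_history_clean` is misspelled, and that cron has no `- user:`, so it lands in root's crontab while the history directory it prunes is owned by 939 — likely unintended. The liveness check `ps -ef | grep filecheck | grep -v grep` matches any process whose command line contains `filecheck` (an editor open on filecheck.yaml, for instance), which would stop the watcher from being restarted; `pgrep -f '^python3 /opt/so/conf/strelka/filecheck'` is tighter. `filecheck_run` also does not `- require: strelkapkgs` from the earlier hunk in this file, so on a fresh minion the cron can fire before python3-watchdog is installed and the script will fail on import until the next run.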
@@ -44,6 +44,13 @@ suricata:
 - home: /nsm/suricata
 - createhome: False
+socoregroupwithsuricata:
+ group.present:
+ - name: socore
+ - gid: 939
+ - addusers:
+ - suricata
+
 suridir:
 file.directory:
 - name: /opt/so/conf/suricata
@@ -68,6 +75,7 @@ suridatadir:
 - name: /nsm/suricata/extracted
 - user: 940
 - group: 939
+ - mode: 770
 - makedirs: True
 surirulesync:
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index ff91762f5..dda1bed52 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -70,12 +70,15 @@ zeekextractdir:
 - name: /nsm/zeek/extracted
 - user: 937
 - group: 939
+ - mode: 770
 - makedirs: True
 zeekextractcompletedir:
 file.directory:
 - name: /nsm/zeek/extracted/complete
 - user: 937
+ - group: 939
+ - mode: 770
 - makedirs: True
 # Sync the policies
diff --git a/salt/zeek/policy/securityonion/file-extraction/extract.zeek b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
index 8cdaf42dd..2ea98037b 100644
--- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
@@ -47,7 +47,7 @@ event file_state_remove(f: fa_file)
 # Delete the file if it didn't pass our requirements check.
 local nuke = fmt("rm %s/%s", FileExtract::prefix, f$info$extracted);
- when ( local nukeit = Exec::run([$cmd=nuke]) )
+ when [nuke] ( local nukeit = Exec::run([$cmd=nuke]) )
 {
 }
 return;
@@ -58,7 +58,7 @@ event file_state_remove(f: fa_file)
 local dest = fmt("%scomplete/%s-%s-%s.%s", FileExtract::prefix, f$source, f$id, f$info$md5, extension);
 # Copy it to the $prefix/complete folder then delete it. I got some weird results with moving when it came to watchdog in python.
 local cmd = fmt("cp %s/%s %s && rm %s/%s", FileExtract::prefix, orig, dest, FileExtract::prefix, orig);
- when ( local result = Exec::run([$cmd=cmd]) )
+ when [cmd] ( local result = Exec::run([$cmd=cmd]) )
 {
 }
 f$info$extracted = dest;
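Review bot: Both `when` bodies in extract.zeek stay empty, so the exit status of the `rm` and the `cp ... && rm` is discarded and `f$info$extracted = dest` is recorded even when the copy failed, leaving a files.log entry that points at a file that was never written to `complete/`. Capture what the body needs and check the result, e.g. `when [cmd, dest] ( local result = Exec::run([$cmd=cmd]) ) { if ( result$exit_code != 0 ) Reporter::warning(fmt("file-extraction: copy to %s failed (exit %d)", dest, result$exit_code)); }`, and the same check on `nukeit` for the delete path. The rest of `file_state_remove` lies outside both hunks, so whether a failed copy is caught elsewhere is not visible here.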
diff --git a/setup/automation/README.txt b/setup/automation/README.txt
new file mode 100644
index 000000000..8fa208885
--- /dev/null
+++ b/setup/automation/README.txt
@@ -0,0 +1,3 @@
+These automation files were designed for internal Security Onion testing.
+
+While you may be able to make them work for your use case, we do not provide free support for them, and support for paying customers is limited to best effort.
diff --git a/setup/so-functions b/setup/so-functions
index c92b643cc..c992b3f76 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1190,17 +1190,17 @@ installer_prereq_packages() {
 logCmd "systemctl start NetworkManager"
 elif [ "$OS" == ubuntu ]; then
 # Print message to stdout so the user knows setup is doing something
- retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
 # Install network manager so we can do interface stuff
 if ! command -v nmcli > /dev/null 2>&1; then
- retry 50 10 "apt-get -y install network-manager" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-get -y install network-manager" >> "$setup_log" 2>&1 || exit 1
 {
 systemctl enable NetworkManager
 systemctl start NetworkManager
 } >> "$setup_log" 2<&1
 fi
 if ! command -v curl > /dev/null 2>&1; then
- retry 50 10 "apt-get -y install curl" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-get -y install curl" >> "$setup_log" 2>&1 || exit 1
 fi
 fi
 }
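Review bot: `retry 150 20` raises the worst case for a single apt call from roughly 8 minutes to 50 minutes, and `installer_prereq_packages` runs up to three such calls back to back, so an unreachable mirror now delays the failure by well over an hour instead of surfacing it; the same change is repeated in the `docker_install`, `saltify` and `update_packages` hunks below and in both so-preflight hunks, where `saltify` chains several more calls. If the goal is to ride out transient mirror trouble, a shorter delay with fewer attempts, or a total-time bound inside `retry` itself, would keep setup responsive while still covering the outage window this was presumably tuned for. Unrelated but in the context lines of this hunk: `} >> "$setup_log" 2<&1` redirects stdin from fd 1 rather than stderr into the log, and should read `} >> "$setup_log" 2>&1`.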
@@ -1247,23 +1247,23 @@ docker_install() {
 else
 case "$install_type" in
 'MANAGER' | 'EVAL' | 'STANDALONE' | 'MANAGERSEARCH' | 'IMPORT')
- retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
 ;;
 *)
- retry 50 10 "apt-key add $temp_install_dir/gpg/docker.pub" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-key add $temp_install_dir/gpg/docker.pub" >> "$setup_log" 2>&1 || exit 1
 add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >> "$setup_log" 2>&1
- retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
 ;;
 esac
 if [ $OSVER == "bionic" ]; then
 service docker stop
 apt -y purge docker-ce docker-ce-cli docker-ce-rootless-extras
- retry 50 10 "apt-get -y install --allow-downgrades docker-ce=5:20.10.5~3-0~ubuntu-bionic docker-ce-cli=5:20.10.5~3-0~ubuntu-bionic docker-ce-rootless-extras=5:20.10.5~3-0~ubuntu-bionic python3-docker" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-get -y install --allow-downgrades docker-ce=5:20.10.5~3-0~ubuntu-bionic docker-ce-cli=5:20.10.5~3-0~ubuntu-bionic docker-ce-rootless-extras=5:20.10.5~3-0~ubuntu-bionic python3-docker" >> "$setup_log" 2>&1 || exit 1
 apt-mark hold docker-ce docker-ce-cli docker-ce-rootless-extras
 elif [ $OSVER == "focal" ]; then
 service docker stop
 apt -y purge docker-ce docker-ce-cli docker-ce-rootless-extras
- retry 50 10 "apt-get -y install --allow-downgrades docker-ce=5:20.10.8~3-0~ubuntu-focal docker-ce-cli=5:20.10.8~3-0~ubuntu-focal docker-ce-rootless-extras=5:20.10.8~3-0~ubuntu-focal python3-docker" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-get -y install --allow-downgrades docker-ce=5:20.10.8~3-0~ubuntu-focal docker-ce-cli=5:20.10.8~3-0~ubuntu-focal docker-ce-rootless-extras=5:20.10.8~3-0~ubuntu-focal python3-docker" >> "$setup_log" 2>&1 || exit 1
 apt-mark hold docker-ce docker-ce-cli docker-ce-rootless-extras
 fi
 fi
@@ -2296,7 +2296,7 @@ saltify() {
 logCmd "systemctl enable salt-minion"
 logCmd "yum versionlock salt*"
 else
- DEBIAN_FRONTEND=noninteractive retry 50 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || exit 1
+ DEBIAN_FRONTEND=noninteractive retry 150 20 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || exit 1
 if [ $OSVER == "bionic" ]; then
 # Switch to Python 3 as default for bionic
@@ -2316,7 +2316,7 @@ saltify() {
 'netcat'
 'jq'
 )
- retry 50 10 "apt-get -y install ${pkg_arr[*]}" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-get -y install ${pkg_arr[*]}" >> "$setup_log" 2>&1 || exit 1
 # Grab the version from the os-release file
 local ubuntu_version
@@ -2324,7 +2324,7 @@ saltify() {
 case "$install_type" in
 'FLEET')
- retry 50 10 "apt-get -y install python3-mysqldb" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-get -y install python3-mysqldb" >> "$setup_log" 2>&1 || exit 1
 ;;
 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR')
@@ -2347,12 +2347,12 @@ saltify() {
 # Add repo
 echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log"
- retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
 set_progress_str 6 'Installing various dependencies'
- retry 50 10 "apt-get -y install sqlite3 libssl-dev" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-get -y install sqlite3 libssl-dev" >> "$setup_log" 2>&1 || exit 1
 set_progress_str 7 'Installing salt-master'
- retry 50 10 "apt-get -y install salt-master=3004.2+ds-1" >> "$setup_log" 2>&1 || exit 1
- retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-get -y install salt-master=3004.2+ds-1" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1
 ;;
 *)
 # Copy down the gpg keys and install them from the manager
@@ -2367,11 +2367,11 @@ saltify() {
 ;;
 esac
- retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
 set_progress_str 8 'Installing salt-minion & python modules'
- retry 50 10 "apt-get -y install salt-minion=3004.2+ds-1 salt-common=3004.2+ds-1" >> "$setup_log" 2>&1 || exit 1
- retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1
- retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-get -y install salt-minion=3004.2+ds-1 salt-common=3004.2+ds-1" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" >> "$setup_log" 2>&1 || exit 1
 fi
 }
@@ -2870,8 +2870,8 @@ update_packages() {
 logCmd "yum repolist"
 logCmd "yum -y update --exclude=salt*,wazuh*,docker*,containerd*"
 else
- retry 50 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1
- retry 50 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1
+ retry 150 20 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1
 fi
 }
@@ -2946,41 +2946,6 @@ zeek_logs_enabled() {
 for BLOG in "${BLOGS[@]}"; do
 echo " - $BLOG" | tr -d '"' >> "$zeeklogs_pillar"
 done
- elif [ "$install_type" == "EVAL" ] || [ "$install_type" == "IMPORT" ]; then
- printf '%s\n'\
- " - conn"\
- " - dce_rpc"\
- " - dhcp"\
- " - dnp3"\
- " - dns"\
- " - dpd"\
- " - files"\
- " - ftp"\
- " - http"\
- " - intel"\
- " - irc"\
- " - kerberos"\
- " - modbus"\
- " - notice"\
- " - ntlm"\
- " - pe"\
- " - radius"\
- " - rfb"\
- " - rdp"\
- " - sip"\
- " - smb_files"\
- " - smb_mapping"\
- " - smtp"\
- " - snmp"\
- " - ssh"\
- " - ssl"\
- " - syslog"\
- " - tunnel"\
- " - weird"\
- " - mysql"\
- " - socks"\
- " - x509" >> "$zeeklogs_pillar"
- # Disable syslog log by default
 else
 printf '%s\n'\
 " - conn"\
@@ -3007,12 +2972,98 @@ zeek_logs_enabled() {
 " - smb_mapping"\
 " - smtp"\
 " - snmp"\
+ " - software"\
 " - ssh"\
 " - ssl"\
 " - tunnel"\
 " - weird"\
 " - mysql"\
 " - socks"\
- " - x509" >> "$zeeklogs_pillar"
+ " - x509"\
+ " - bacnet"\
+ " - bacnet_discovery"\
+ " - bacnet_property"\
+ " - bsap_ip_header"\
+ " - bsap_ip_rdb"\
+ " - bsap_ip_unknown"\
+ " - bsap_serial_header"\
+ " - bsap_serial_rdb"\
+ " - bsap_serial_rdb_ext"\
+ " - bsap_serial_unknown"\
+ " - cip"\
+ " - cip_identity"\
+ " - cip_io"\
+ " - cotp"\
+ " - dnp3_control"\
+ " - dnp3_objects"\
+ " - ecat_aoe_info"\
+ " - ecat_coe_info"\
+ " - ecat_dev_info"\
+ " - ecat_foe_info"\
+ " - ecat_log_address"\
+ " - ecat_registers"\
+ " - ecat_soe_info"\
+ " - enip"\
+ " - modbus_detailed"\
+ " - modbus_mask_write_register"\
+ " - modbus_read_write_multiple_registers"\
+ " - opcua_binary"\
+ " - opcua_binary_activate_session"\
+ " - opcua_binary_activate_session_client_software_cert"\
+ " - opcua_binary_activate_session_diagnostic_info"\
+ " - opcua_binary_activate_session_locale_id"\
+ " - opcua_binary_browse"\
+ " - opcua_binary_browse_description"\
+ " - opcua_binary_browse_diagnostic_info"\
+ " - opcua_binary_browse_request_continuation_point"\
+ " - opcua_binary_browse_response_references"\
+ " - opcua_binary_browse_result"\
+ " - opcua_binary_create_session"\
+ " - opcua_binary_create_session_discovery"\
+ " - opcua_binary_create_session_endpoints"\
+ " - opcua_binary_create_session_user_token"\
+ " - opcua_binary_create_subscription"\
+ " - opcua_binary_diag_info_detail"\
+ " - opcua_binary_get_endpoints"\
+ " - opcua_binary_get_endpoints_description"\
+ " - opcua_binary_get_endpoints_discovery"\
+ " - opcua_binary_get_endpoints_locale_id"\
+ " - opcua_binary_get_endpoints_profile_uri"\
+ " - opcua_binary_get_endpoints_user_token"\
+ " - opcua_binary_opensecure_channel"\
+ " - opcua_binary_read"\
+ " - opcua_binary_read_array_dims"\
+ " - opcua_binary_read_array_dims_link"\
+ " - opcua_binary_read_diagnostic_info"\
+ " - opcua_binary_read_extension_object"\
+ " - opcua_binary_read_extension_object_link"\
+ " - opcua_binary_read_nodes_to_read"\
+ " - opcua_binary_read_results"\
+ " - opcua_binary_read_results_link"\
+ " - opcua_binary_read_status_code"\
+ " - opcua_binary_read_variant_data"\
+ " - opcua_binary_read_variant_data_link"\
+ " - opcua_binary_status_code_detail"\
+ " - profinet"\
+ " - profinet_dce_rpc"\
+ " - profinet_debug"\
+ " - s7comm"\
+ " - s7comm_plus"\
+ " - s7comm_read_szl"\
+ " - s7comm_upload_download"\
+ " - stun"\
+ " - stun_nat"\
+ " - tds"\
+ " - tds_rpc"\
+ " - tds_sql_batch"\
+ " - wireguard" >> "$zeeklogs_pillar"
+ # In the above list, ecat_arp_info was removed because it's not specific to ecat and records all arp traffic.
 fi
+
+ # We don't want Zeek syslog for production deployments as this can create duplicate logs.
+ # So we only enable Zeek syslog if EVAL or IMPORT.
+ if [ "$install_type" == "EVAL" ] || [ "$install_type" == "IMPORT" ]; then
+ echo " - syslog" >> "$zeeklogs_pillar"
+ fi
+ }
diff --git a/setup/so-preflight b/setup/so-preflight
index d1fd89b6e..fca878be1 100755
--- a/setup/so-preflight
+++ b/setup/so-preflight
@@ -65,7 +65,7 @@ check_default_repos() {
 printf '%s' 'apt update.' | tee -a "$preflight_log"
 fi
 echo "" >> "$preflight_log"
- retry 50 10 "apt-get -y update" >> $preflight_log 2>&1
+ retry 150 20 "apt-get -y update" >> $preflight_log 2>&1
 ret_code=$?
 [[ $ret_code == 0 ]] && printf '%s\n' ' SUCCESS' || printf '%s\n' ' FAILURE'
@@ -174,7 +174,7 @@ preflight_prereqs() {
 if [[ $OS == 'centos' ]]; then
 : # no-op to match structure of other checks for $OS var
 else
- retry 50 10 "apt-get -y install curl" >> "$preflight_log" 2>&1 || ret_code=1
+ retry 150 20 "apt-get -y install curl" >> "$preflight_log" 2>&1 || ret_code=1
 fi
 return $ret_code
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 2c60b7e3e..61b9fb27f 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
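Review bot: The new trailing block appends ` - syslog` for EVAL/IMPORT after the whole `if`/`fi`, which includes the first branch where the list comes from the whiptail selection (`for BLOG in "${BLOGS[@]}"` in the hunk at 2946), and that dialog still offers `syslog` ON in the so-whiptail hunk, so if it can run for those install types the pillar ends up with `syslog` listed twice; guarding with `grep -q ' - syslog' "$zeeklogs_pillar" || echo " - syslog" >> "$zeeklogs_pillar"` makes the append idempotent. Whether a duplicate entry actually breaks the consumer depends on how the pillar is parsed, which is not visible here, but the removed `# Disable syslog log by default` comment suggests exactly-once was the intent. As a point of style, the comment explaining why `ecat_arp_info` is absent sits after the `printf` that builds the list and reads as if it belonged to the `fi`; it is clearer placed directly above `printf '%s\n'\`, next to the list it describes.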
@@ -1281,38 +1281,117 @@ whiptail_manager_adv_service_zeeklogs() {
 [ -n "$TESTING" ] && return
 BLOGS=$(whiptail --title "$whiptail_title" --checklist "Please select logs to send:" 24 75 12 \
- "conn" "Connection Logging" ON \
- "dce_rpc" "RPC Logs" ON \
- "dhcp" "DHCP Logs" ON \
- "dnp3" "DNP3 Logs" ON \
- "dns" "DNS Logs" ON \
- "dpd" "DPD Logs" ON \
- "files" "Files Logs" ON \
- "ftp" "FTP Logs" ON \
- "http" "HTTP Logs" ON \
- "intel" "Intel Hits Logs" ON \
- "irc" "IRC Chat Logs" ON \
- "kerberos" "Kerberos Logs" ON \
- "modbus" "MODBUS Logs" ON \
- "notice" "Zeek Notice Logs" ON \
- "ntlm" "NTLM Logs" ON \
- "pe" "PE Logs" ON \
- "radius" "Radius Logs" ON \
- "rfb" "RFB Logs" ON \
- "rdp" "RDP Logs" ON \
- "sip" "SIP Logs" ON \
- "smb_files" "SMB Files Logs" ON \
- "smb_mapping" "SMB Mapping Logs" ON \
- "smtp" "SMTP Logs" ON \
- "snmp" "SNMP Logs" ON \
- "ssh" "SSH Logs" ON \
- "ssl" "SSL Logs" ON \
- "syslog" "Syslog Logs" ON \
- "tunnel" "Tunnel Logs" ON \
- "weird" "Zeek Weird Logs" ON \
- "mysql" "MySQL Logs" ON \
- "socks" "SOCKS Logs" ON \
- "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3)
+ "conn" "" ON \
+ "dce_rpc" "" ON \
+ "dhcp" "" ON \
+ "dnp3" "" ON \
+ "dns" "" ON \
+ "dpd" "" ON \
+ "files" "" ON \
+ "ftp" "" ON \
+ "http" "" ON \
+ "intel" "" ON \
+ "irc" "" ON \
+ "kerberos" "" ON \
+ "modbus" "" ON \
+ "notice" "" ON \
+ "ntlm" "" ON \
+ "pe" "" ON \
+ "radius" "" ON \
+ "rfb" "" ON \
+ "rdp" "" ON \
+ "sip" "" ON \
+ "smb_files" "" ON \
+ "smb_mapping" "" ON \
+ "smtp" "" ON \
+ "snmp" "" ON \
+ "software" "" ON \
+ "ssh" "" ON \
+ "ssl" "" ON \
+ "syslog" "" ON \
+ "tunnel" "" ON \
+ "weird" "" ON \
+ "mysql" "" ON \
+ "socks" "" ON \
+ "x509" "" ON \
+ "bacnet" "" ON \
+ "bacnet_discovery" "" ON \
+ "bacnet_property" "" ON \
+ "bsap_ip_header" "" ON \
+ "bsap_ip_rdb" "" ON \
+ "bsap_ip_unknown" "" ON \
+ "bsap_serial_header" "" ON \
+ "bsap_serial_rdb" "" ON \
+ "bsap_serial_rdb_ext" "" ON \
+ "bsap_serial_unknown" "" ON \
+ "cip" "" ON \
+ "cip_identity" "" ON \
+ "cip_io" "" ON \
+ "cotp" "" ON \
+ "dnp3_control" "" ON \
+ "dnp3_objects" "" ON \
+ "ecat_aoe_info" "" ON \
+ "ecat_arp_info" "" OFF \
+ "ecat_coe_info" "" ON \
+ "ecat_dev_info" "" ON \
+ "ecat_foe_info" "" ON \
+ "ecat_log_address" "" ON \
+ "ecat_registers" "" ON \
+ "ecat_soe_info" "" ON \
+ "enip" "" ON \
+ "modbus_detailed" "" ON \
+ "modbus_mask_write_register" "" ON \
+ "modbus_read_write_multiple_registers" "" ON \
+ "opcua_binary" "" ON \
+ "opcua_binary_activate_session" "" ON \
+ "opcua_binary_activate_session_client_software_cert" "" ON \
+ "opcua_binary_activate_session_diagnostic_info" "" ON \
+ "opcua_binary_activate_session_locale_id" "" ON \
+ "opcua_binary_browse" "" ON \
+ "opcua_binary_browse_description" "" ON \
+ "opcua_binary_browse_diagnostic_info" "" ON \
+ "opcua_binary_browse_request_continuation_point" "" ON \
+ "opcua_binary_browse_response_references" "" ON \
+ "opcua_binary_browse_result" "" ON \
+ "opcua_binary_create_session" "" ON \
+ "opcua_binary_create_session_discovery" "" ON \
+ "opcua_binary_create_session_endpoints" "" ON \
+ "opcua_binary_create_session_user_token" "" ON \
+ "opcua_binary_create_subscription" "" ON \
+ "opcua_binary_diag_info_detail" "" ON \
+ "opcua_binary_get_endpoints" "" ON \
+ "opcua_binary_get_endpoints_description" "" ON \
+ "opcua_binary_get_endpoints_discovery" "" ON \
+ "opcua_binary_get_endpoints_locale_id" "" ON \
+ "opcua_binary_get_endpoints_profile_uri" "" ON \
+ "opcua_binary_get_endpoints_user_token" "" ON \
+ "opcua_binary_opensecure_channel" "" ON \
+ "opcua_binary_read" "" ON \
+ "opcua_binary_read_array_dims" "" ON \
+ "opcua_binary_read_array_dims_link" "" ON \
+ "opcua_binary_read_diagnostic_info" "" ON \
+ "opcua_binary_read_extension_object" "" ON \
+ "opcua_binary_read_extension_object_link" "" ON \
+ "opcua_binary_read_nodes_to_read" "" ON \
+ "opcua_binary_read_results" "" ON \
+ "opcua_binary_read_results_link" "" ON \
+ "opcua_binary_read_status_code" "" ON \
+ "opcua_binary_read_variant_data" "" ON \
+ "opcua_binary_read_variant_data_link" "" ON \
+ "opcua_binary_status_code_detail" "" ON \
+ "profinet" "" ON \
+ "profinet_dce_rpc" "" ON \
+ "profinet_debug" "" ON \
+ "s7comm" "" ON \
+ "s7comm_plus" "" ON \
+ "s7comm_read_szl" "" ON \
+ "s7comm_upload_download" "" ON \
+ "stun" "" ON \
+ "stun_nat" "" ON \
+ "tds" "" ON \
+ "tds_rpc" "" ON \
+ "tds_sql_batch" "" ON \
+ "wireguard" "" ON 3>&1 1>&2 2>&3)
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
diff --git a/sigs/securityonion-2.3.190-20221205.iso.sig b/sigs/securityonion-2.3.190-20221205.iso.sig
new file mode 100644
index 000000000..91fb01e41
Binary files /dev/null and b/sigs/securityonion-2.3.190-20221205.iso.sig differ
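Review bot: Every description column of the rebuilt checklist is now `""`, so the dialog shows bare log names where the removed lines showed a short explanation (`"Connection Logging"`, `"Zeek Weird Logs"`); if the column was blanked to make room for the long new names, a one-line comment above `BLOGS=` saying so would make the empty column look deliberate rather than accidental. `syslog` also defaults to ON here, while `zeek_logs_enabled` in the setup hunk of this same commit only writes it for EVAL or IMPORT because it duplicates logs on production deployments, so the advanced menu now defaults a production manager to the very setting that comment warns against. The menu default should follow the same rule, e.g. `"syslog" "" "$syslog_default" \` with `syslog_default` set to ON or OFF from `install_type` beforehand (assuming that variable is visible to this function). `whiptail_manager_adv_service_zeeklogs` begins at the hunk header but the rest of its body continues past the hunk.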