Merge branch 'dev' into feature/so-rules

.github/workflows/leaktest.yml

@@ -1,6 +1,6 @@
 name: leak-test
 
-on: [push,pull_request]
+on: [pull_request]
 
 jobs:
   build:

salt/common/tools/sbin/so-image-common

@@ -30,6 +30,7 @@ container_list() {
 
   if [ $MANAGERCHECK == 'so-import' ]; then
     TRUSTED_CONTAINERS=(
+      "so-acng"
       "so-elasticsearch"
       "so-filebeat"
       "so-idstools"

salt/elasticsearch/files/ingest/suricata.dns

@@ -2,18 +2,20 @@
   "description" : "suricata.dns",
   "processors" : [
     { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.type", 		"target_field": "dns.type",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.tx_id",		"target_field": "dns.id",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.version", 		"target_field": "dns.version",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.rrname", 		"target_field": "dns.query.name",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.flags", 		"target_field": "dns.flags",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 	"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.type", 	"target_field": "dns.query.type",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.tx_id",	"target_field": "dns.id",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.version", 	"target_field": "dns.version",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.rrname", 	"target_field": "dns.query.name",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.rrtype", 	"target_field": "dns.query.type_name",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.flags", 	"target_field": "dns.flags",			"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.dns.qr", 		"target_field": "dns.qr",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.rd", 		"target_field": "dns.recursion.desired",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.ra", 		"target_field": "dns.recursion.available",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dns.rcode", 		"target_field": "dns.response.code",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.grouped.A", 		"target_field": "dns.answers.data",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.grouped.CNAME", 		"target_field": "dns.answers.name",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.rd", 		"target_field": "dns.recursion.desired",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.ra", 		"target_field": "dns.recursion.available",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.rcode", 	"target_field": "dns.response.code",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.grouped.A", 	"target_field": "dns.answers.data",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.grouped.CNAME", 	"target_field": "dns.answers.name",		"ignore_missing": true 	} },
+    { "pipeline": 	{ "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld"			} },
     { "pipeline": { "name": "common" } }
   ]
-}
+}

salt/elasticsearch/files/ingest/suricata.fileinfo

@@ -2,17 +2,18 @@
   "description" : "suricata.fileinfo",
   "processors" : [
     { "set":      { "field": "dataset",        "value": "file"  } },
-    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.fileinfo.filename", 		"target_field": "file.name",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.fileinfo.gaps", 		"target_field": "file.bytes.missing",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.fileinfo.magic", 		"target_field": "file.mime_type",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.proto", 			"target_field": "network.transport",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.fileinfo.filename", 	"target_field": "file.name",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.fileinfo.gaps", 		"target_field": "file.bytes.missing",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.fileinfo.magic", 		"target_field": "file.mime_type",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.fileinfo.md5", 		"target_field": "hash.md5",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.fileinfo.sha1", 		"target_field": "hash.sha1",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.fileinfo.sid", 		"target_field": "rule.uuid",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.fileinfo.size", 		"target_field": "file.size",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.fileinfo.state", 		"target_field": "file.state",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.fileinfo.stored", 		"target_field": "file.saved",		"ignore_missing": true 	} },
+    { "set":		{ "if": "ctx.network?.protocol != null", 	"field": "file.source",	"value": "{{network.protocol}}"  	} },
     { "pipeline": { "name": "common" } }
   ]
-}
+}

salt/elasticsearch/files/ingest/suricata.ftp

@@ -1,14 +1,14 @@
 {
   "description" : "suricata.ftp",
   "processors" : [
-    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.ftp.reply", 		"target_field": "server.reply_message",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.ftp.completion_code", 		"target_field": "server.reply_code",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.ftp.reply_received", 		"target_field": "server.reply_received",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.ftp.command", 		"target_field": "ftp.command",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.ftp.command_data", 		"target_field": "ftp.command_data",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.ftp.dynamic_port", 		"target_field": "ftp.data_channel_destination.port",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.proto", 			"target_field": "network.transport",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.reply", 		"target_field": "server.reply_message",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.completion_code",	"target_field": "server.reply_code",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.reply_received", 	"target_field": "server.reply_received",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.command", 		"target_field": "ftp.command",				"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.command_data", 	"target_field": "ftp.argument",				"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.dynamic_port", 	"target_field": "ftp.data_channel_destination.port",	"ignore_missing": true 	} },
     { "pipeline": { "name": "common" } }
   ]
 }

salt/elasticsearch/files/ingest/suricata.tls

@@ -1,22 +1,22 @@
 {
   "description" : "suricata.tls",
   "processors" : [
-    { "set":      { "field": "dataset",        "value": "ssl"  } },
-    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
-    { "rename":         { "field": "message2.tls.subject",                "target_field": "ssl.certificate.subject",             "ignore_missing": true  } },
-    { "rename":         { "field": "message2.tls.serial",                "target_field": "ssl.certificate.serial",             "ignore_missing": true  } },
-    { "rename":         { "field": "message2.tls.fingerprint",                "target_field": "ssl.certificate.fingerprint",             "ignore_missing": true  } },
-    { "rename":         { "field": "message2.tls.version",                "target_field": "ssl.certificate.version",             "ignore_missing": true  } },
-    { "rename":         { "field": "message2.tls.ja3.hash",                "target_field": "hash.ja3",             "ignore_missing": true  } },
-    { "rename":         { "field": "message2.tls.ja3.hash.string",                "target_field": "hash.ja3_string",             "ignore_missing": true  } },
-    { "rename":         { "field": "message2.tls.ja3s.hash",                "target_field": "hash.ja3s",             "ignore_missing": true  } },
-    { "rename":         { "field": "message2.tls.ja3s.hash.string",                "target_field": "hash.ja3s_string",             "ignore_missing": true  } },
-    { "rename":         { "field": "message2.tls.notbefore",                "target_field": "x509.certificate.not_valid_before",             "ignore_missing": true  } },
-    { "rename":         { "field": "message2.tls.notafter",                "target_field": "x509.certificate.not_valid_after",             "ignore_missing": true  } },
-    { "rename":         { "field": "message2.tls.sni",                "target_field": "ssl.server_name",             "ignore_missing": true  } },
-    { "rename":         { "field": "message2.tls.issuerdn",                "target_field": "ssl.certificate.issuer",             "ignore_missing": true  } },
-    { "rename":         { "field": "message2.tls.session_resumed",                "target_field": "ssl.session_resumed",             "ignore_missing": true  } },
+    { "set":      	{ "field": "dataset",        			"value": "ssl"  								} },
+    { "rename": 	{ "field": "message2.proto", 			"target_field": "network.transport",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",			"ignore_missing": true 	} },
+    { "rename":         { "field": "message2.tls.subject",              "target_field": "ssl.certificate.subject",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.tls.serial",               "target_field": "ssl.certificate.serial",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.tls.fingerprint",          "target_field": "ssl.certificate.fingerprint",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.tls.version",              "target_field": "ssl.version",				"ignore_missing": true  } },
+    { "rename":         { "field": "message2.tls.ja3.hash",             "target_field": "hash.ja3",				"ignore_missing": true  } },
+    { "rename":         { "field": "message2.tls.ja3.hash.string",      "target_field": "hash.ja3_string",			"ignore_missing": true  } },
+    { "rename":         { "field": "message2.tls.ja3s.hash",            "target_field": "hash.ja3s",				"ignore_missing": true  } },
+    { "rename":         { "field": "message2.tls.ja3s.hash.string",     "target_field": "hash.ja3s_string",			"ignore_missing": true  } },
+    { "rename":         { "field": "message2.tls.notbefore",            "target_field": "x509.certificate.not_valid_before",	"ignore_missing": true  } },
+    { "rename":         { "field": "message2.tls.notafter",             "target_field": "x509.certificate.not_valid_after",	"ignore_missing": true  } },
+    { "rename":         { "field": "message2.tls.sni",			"target_field": "ssl.server_name",			"ignore_missing": true  } },
+    { "rename":         { "field": "message2.tls.issuerdn",		"target_field": "ssl.certificate.issuer",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.tls.session_resumed",	"target_field": "ssl.session_resumed",			"ignore_missing": true  } },
     { "pipeline": { "name": "common" } }
   ]
-}
+}

salt/elasticsearch/files/ingest/zeek.dns

@@ -23,7 +23,7 @@
     { "rename": 	{ "field": "message2.TTLs", 		"target_field": "dns.ttls",			"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.rejected", 	"target_field": "dns.query.rejected",		"ignore_missing": true 	} },
     { "script": 	{ "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()",	"ignore_failure": true  } },
-    { "pipeline": { "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "zeek.dns.tld" } },
+    { "pipeline": { "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld" } },
     { "pipeline":       { "name": "zeek.common"											} }
   ]
 }