From adbc7436b6d8efce80f564f422e4006b3fb8e8d9 Mon Sep 17 00:00:00 2001
From: doug
Date: Thu, 11 Mar 2021 16:42:20 -0500
Subject: [PATCH] FIX: Populate http.status_message field #3408
---
 salt/elasticsearch/files/ingest/http.status | 70 +++++++++++++++++++
 salt/elasticsearch/files/ingest/suricata.http | 17 ++---
 2 files changed, 79 insertions(+), 8 deletions(-)
 create mode 100644 salt/elasticsearch/files/ingest/http.status
diff --git a/salt/elasticsearch/files/ingest/http.status b/salt/elasticsearch/files/ingest/http.status
new file mode 100644
index 000000000..7ec3ea209
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/http.status
@@ -0,0 +1,70 @@
+{
+ "description" : "http.status",
+ "processors" : [
+ { "set": { "if": "ctx.http.status_code == 100", "field": "http.status_message", "value": "Continue" } },
+ { "set": { "if": "ctx.http.status_code == 101", "field": "http.status_message", "value": "Switching Protocols" } },
+ { "set": { "if": "ctx.http.status_code == 102", "field": "http.status_message", "value": "Processing" } },
+ { "set": { "if": "ctx.http.status_code == 103", "field": "http.status_message", "value": "Early Hints" } },
+ { "set": { "if": "ctx.http.status_code == 200", "field": "http.status_message", "value": "OK" } },
+ { "set": { "if": "ctx.http.status_code == 201", "field": "http.status_message", "value": "Created" } },
+ { "set": { "if": "ctx.http.status_code == 202", "field": "http.status_message", "value": "Accepted" } },
+ { "set": { "if": "ctx.http.status_code == 203", "field": "http.status_message", "value": "Non-Authoritative Information" } },
+ { "set": { "if": "ctx.http.status_code == 204", "field": "http.status_message", "value": "No Content" } },
+ { "set": { "if": "ctx.http.status_code == 205", "field": "http.status_message", "value": "Reset Content" } },
+ { "set": { "if": "ctx.http.status_code == 206", "field": "http.status_message", "value": "Partial Content" } },
+ { "set": { "if": "ctx.http.status_code == 207", "field": "http.status_message", "value": "Multi-Status" } },
+ { "set": { "if": "ctx.http.status_code == 208", "field": "http.status_message", "value": "Already Reported" } },
+ { "set": { "if": "ctx.http.status_code == 226", "field": "http.status_message", "value": "IM Used" } },
+ { "set": { "if": "ctx.http.status_code == 300", "field": "http.status_message", "value": "Multiple Choices" } },
+ { "set": { "if": "ctx.http.status_code == 301", "field": "http.status_message", "value": "Moved Permanently" } },
+ { "set": { "if": "ctx.http.status_code == 302", "field": "http.status_message", "value": "Found" } },
+ { "set": { "if": "ctx.http.status_code == 303", "field": "http.status_message", "value": "See Other" } },
+ { "set": { "if": "ctx.http.status_code == 304", "field": "http.status_message", "value": "Not Modified" } },
+ { "set": { "if": "ctx.http.status_code == 305", "field": "http.status_message", "value": "Use Proxy" } },
+ { "set": { "if": "ctx.http.status_code == 306", "field": "http.status_message", "value": "(Unused)" } },
+ { "set": { "if": "ctx.http.status_code == 307", "field": "http.status_message", "value": "Temporary Redirect" } },
+ { "set": { "if": "ctx.http.status_code == 308", "field": "http.status_message", "value": "Permanent Redirect" } },
+ { "set": { "if": "ctx.http.status_code == 400", "field": "http.status_message", "value": "Bad Request" } },
+ { "set": { "if": "ctx.http.status_code == 401", "field": "http.status_message", "value": "Unauthorized" } },
+ { "set": { "if": "ctx.http.status_code == 402", "field": "http.status_message", "value": "Payment Required" } },
+ { "set": { "if": "ctx.http.status_code == 403", "field": "http.status_message", "value": "Forbidden" } },
+ { "set": { "if": "ctx.http.status_code == 404", "field": "http.status_message", "value": "Not Found" } },
+ { "set": { "if": "ctx.http.status_code == 405", "field": "http.status_message", "value": "Method Not Allowed" } },
+ { "set": { "if": "ctx.http.status_code == 406", "field": "http.status_message", "value": "Not Acceptable" } },
+ { "set": { "if": "ctx.http.status_code == 407", "field": "http.status_message", "value": "Proxy Authentication Required" } },
+ { "set": { "if": "ctx.http.status_code == 408", "field": "http.status_message", "value": "Request Timeout" } },
+ { "set": { "if": "ctx.http.status_code == 409", "field": "http.status_message", "value": "Conflict" } },
+ { "set": { "if": "ctx.http.status_code == 410", "field": "http.status_message", "value": "Gone" } },
+ { "set": { "if": "ctx.http.status_code == 411", "field": "http.status_message", "value": "Length Required" } },
+ { "set": { "if": "ctx.http.status_code == 412", "field": "http.status_message", "value": "Precondition Failed" } },
+ { "set": { "if": "ctx.http.status_code == 413", "field": "http.status_message", "value": "Payload Too Large" } },
+ { "set": { "if": "ctx.http.status_code == 414", "field": "http.status_message", "value": "URI Too Long" } },
+ { "set": { "if": "ctx.http.status_code == 415", "field": "http.status_message", "value": "Unsupported Media Type" } },
+ { "set": { "if": "ctx.http.status_code == 416", "field": "http.status_message", "value": "Range Not Satisfiable" } },
+ { "set": { "if": "ctx.http.status_code == 417", "field": "http.status_message", "value": "Expectation Failed" } },
+ { "set": { "if": "ctx.http.status_code == 421", "field": "http.status_message", "value": "Misdirected Request" } },
+ { "set": { "if": "ctx.http.status_code == 422", "field": "http.status_message", "value": "Unprocessable Entity" } },
+ { "set": { "if": "ctx.http.status_code == 423", "field": "http.status_message", "value": "Locked" } },
+ { "set": { "if": "ctx.http.status_code == 424", "field": "http.status_message", "value": "Failed Dependency" } },
+ { "set": { "if": "ctx.http.status_code == 425", "field": "http.status_message", "value": "Too Early" } },
+ { "set": { "if": "ctx.http.status_code == 426", "field": "http.status_message", "value": "Upgrade Required" } },
+ { "set": { "if": "ctx.http.status_code == 427", "field": "http.status_message", "value": "Unassigned" } },
+ { "set": { "if": "ctx.http.status_code == 428", "field": "http.status_message", "value": "Precondition Required" } },
+ { "set": { "if": "ctx.http.status_code == 429", "field": "http.status_message", "value": "Too Many Requests" } },
+ { "set": { "if": "ctx.http.status_code == 430", "field": "http.status_message", "value": "Unassigned" } },
+ { "set": { "if": "ctx.http.status_code == 431", "field": "http.status_message", "value": "Request Header Fields Too Large" } },
+ { "set": { "if": "ctx.http.status_code == 451", "field": "http.status_message", "value": "Unavailable For Legal Reasons" } },
+ { "set": { "if": "ctx.http.status_code == 500", "field": "http.status_message", "value": "Internal Server Error" } },
+ { "set": { "if": "ctx.http.status_code == 501", "field": "http.status_message", "value": "Not Implemented" } },
+ { "set": { "if": "ctx.http.status_code == 502", "field": "http.status_message", "value": "Bad Gateway" } },
+ { "set": { "if": "ctx.http.status_code == 503", "field": "http.status_message", "value": "Service Unavailable" } },
+ { "set": { "if": "ctx.http.status_code == 504", "field": "http.status_message", "value": "Gateway Timeout" } },
+ { "set": { "if": "ctx.http.status_code == 505", "field": "http.status_message", "value": "HTTP Version Not Supported" } },
+ { "set": { "if": "ctx.http.status_code == 506", "field": "http.status_message", "value": "Variant Also Negotiates" } },
+ { "set": { "if": "ctx.http.status_code == 507", "field": "http.status_message", "value": "Insufficient Storage" } },
+ { "set": { "if": "ctx.http.status_code == 508", "field": "http.status_message", "value": "Loop Detected" } },
+ { "set": { "if": "ctx.http.status_code == 509", "field": "http.status_message", "value": "Unassigned" } },
+ { "set": { "if": "ctx.http.status_code == 510", "field": "http.status_message", "value": "Not Extended" } },
+ { "set": { "if": "ctx.http.status_code == 511", "field": "http.status_message", "value": "Network Authentication Required" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/suricata.http b/salt/elasticsearch/files/ingest/suricata.http
index 2d12a435d..cc2bf459e 100644
--- a/salt/elasticsearch/files/ingest/suricata.http
+++ b/salt/elasticsearch/files/ingest/suricata.http
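Review bot: Every document that enters this pipeline is run through all 65 `set` conditions (`ctx.http.status_code == 100` through `== 511`) although, being equality tests on one field against distinct constants, at most one can ever match; a single `script` processor that looks the code up in a `params` map does one evaluation per document and keeps the code-to-message table as plain data that is easier to audit for typos. The `==` comparisons only fire when `status_code` is numeric — if a source ever delivers it as a string, each condition would, as far as I can tell, compare unequal without error and `http.status_message` would silently stay unset, which a lookup keyed on `toString()` covers for both types. These conditions also dereference `ctx.http` without the `?.` guard the calling pipeline uses, so running `http.status` directly on a document with no `http` object would fail; acceptable while the guarded `pipeline` processor is the only caller, but worth keeping in mind. The placeholder messages for 306 (`(Unused)`) and 427/430/509 (`Unassigned`) are not reason phrases like the other values, so omitting them would let the field consistently mean "known reason phrase".
```json
{
 "description" : "http.status",
 "processors" : [
 { "script": {
 "lang": "painless",
 "params": { "messages": {
 "100": "Continue",
 "101": "Switching Protocols",
 "...": "... one entry per code, same pairs as the set processors above ...",
 "511": "Network Authentication Required"
 } },
 "source": "String key = ctx.http.status_code.toString(); String msg = params.messages.get(key); if (msg != null) { ctx.http.status_message = msg; }"
 } }
 ]
}
```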
@@ -1,17 +1,18 @@
 {
 "description" : "suricata.http",
 "processors" : [
- { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
 { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
 { "rename": { "field": "message2.http.hostname", "target_field": "http.virtual_host", "ignore_missing": true } },
- { "rename": { "field": "message2.http.http_user_agent", "target_field": "http.useragent", "ignore_missing": true } },
- { "rename": { "field": "message2.http.url", "target_field": "http.uri", "ignore_missing": true } },
- { "rename": { "field": "message2.http.http_content_type", "target_field": "file.resp_mime_types", "ignore_missing": true } },
+ { "rename": { "field": "message2.http.http_user_agent", "target_field": "http.useragent", "ignore_missing": true } },
+ { "rename": { "field": "message2.http.url", "target_field": "http.uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.http.http_content_type", "target_field": "file.resp_mime_types", "ignore_missing": true } },
 { "rename": { "field": "message2.http.http_refer", "target_field": "http.referrer", "ignore_missing": true } },
- { "rename": { "field": "message2.http.http_method", "target_field": "http.method", "ignore_missing": true } },
- { "rename": { "field": "message2.http.protocol", "target_field": "http.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.http.http_method", "target_field": "http.method", "ignore_missing": true } },
+ { "rename": { "field": "message2.http.protocol", "target_field": "http.version", "ignore_missing": true } },
 { "rename": { "field": "message2.http.status", "target_field": "http.status_code", "ignore_missing": true } },
- { "rename": { "field": "message2.http.length", "target_field": "http.request.body.length", "ignore_missing": true } },
+ { "rename": { "field": "message2.http.length", "target_field": "http.request.body.length", "ignore_missing": true } },
+ { "pipeline": { "if": "ctx.http?.status_code != null", "name": "http.status" } },
 { "pipeline": { "name": "common" } }
 ]
-}
\ No newline at end of file
+}
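Review bot: Seven `rename` lines in this hunk (`message2.proto`, `http_user_agent`, `url`, `http_content_type`, `http_method`, `protocol`, `length`) are removed and re-added with text that is identical as far as the collapsed view shows, which suggests a whitespace-only reformat bundled into a functional fix; keeping that in its own commit would leave the single real change, the new `{ "pipeline": { "if": "ctx.http?.status_code != null", "name": "http.status" } }` line, easy to review and to bisect. That `?.` guard is what prevents the `http.status` sub-pipeline, whose conditions read `ctx.http.status_code` unguarded, from failing on events with no `http` object, so any later edit to this processor should keep it.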