FIX: Populate http.status_message field #3408
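--- /dev/null
+++ b/salt/elasticsearch/files/ingest/http.status
@@ -0,0 +1,70 @@
+{
+"description" : "http.status",
+"processors" : [
+{ "set": { "if": "ctx.http.status_code == 100", "field": "http.status_message", "value": "Continue" } },
+{ "set": { "if": "ctx.http.status_code == 101", "field": "http.status_message", "value": "Switching Protocols" } },
+{ "set": { "if": "ctx.http.status_code == 102", "field": "http.status_message", "value": "Processing" } },
+{ "set": { "if": "ctx.http.status_code == 103", "field": "http.status_message", "value": "Early Hints" } },
+{ "set": { "if": "ctx.http.status_code == 200", "field": "http.status_message", "value": "OK" } },
+{ "set": { "if": "ctx.http.status_code == 201", "field": "http.status_message", "value": "Created" } },
+{ "set": { "if": "ctx.http.status_code == 202", "field": "http.status_message", "value": "Accepted" } },
+{ "set": { "if": "ctx.http.status_code == 203", "field": "http.status_message", "value": "Non-Authoritative Information" } },
+{ "set": { "if": "ctx.http.status_code == 204", "field": "http.status_message", "value": "No Content" } },
+{ "set": { "if": "ctx.http.status_code == 205", "field": "http.status_message", "value": "Reset Content" } },
+{ "set": { "if": "ctx.http.status_code == 206", "field": "http.status_message", "value": "Partial Content" } },
+{ "set": { "if": "ctx.http.status_code == 207", "field": "http.status_message", "value": "Multi-Status" } },
+{ "set": { "if": "ctx.http.status_code == 208", "field": "http.status_message", "value": "Already Reported" } },
+{ "set": { "if": "ctx.http.status_code == 226", "field": "http.status_message", "value": "IM Used" } },
+{ "set": { "if": "ctx.http.status_code == 300", "field": "http.status_message", "value": "Multiple Choices" } },
+{ "set": { "if": "ctx.http.status_code == 301", "field": "http.status_message", "value": "Moved Permanently" } },
+{ "set": { "if": "ctx.http.status_code == 302", "field": "http.status_message", "value": "Found" } },
+{ "set": { "if": "ctx.http.status_code == 303", "field": "http.status_message", "value": "See Other" } },
+{ "set": { "if": "ctx.http.status_code == 304", "field": "http.status_message", "value": "Not Modified" } },
+{ "set": { "if": "ctx.http.status_code == 305", "field": "http.status_message", "value": "Use Proxy" } },
+{ "set": { "if": "ctx.http.status_code == 306", "field": "http.status_message", "value": "(Unused)" } },
+{ "set": { "if": "ctx.http.status_code == 307", "field": "http.status_message", "value": "Temporary Redirect" } },
+{ "set": { "if": "ctx.http.status_code == 308", "field": "http.status_message", "value": "Permanent Redirect" } },
+{ "set": { "if": "ctx.http.status_code == 400", "field": "http.status_message", "value": "Bad Request" } },
+{ "set": { "if": "ctx.http.status_code == 401", "field": "http.status_message", "value": "Unauthorized" } },
+{ "set": { "if": "ctx.http.status_code == 402", "field": "http.status_message", "value": "Payment Required" } },
+{ "set": { "if": "ctx.http.status_code == 403", "field": "http.status_message", "value": "Forbidden" } },
+{ "set": { "if": "ctx.http.status_code == 404", "field": "http.status_message", "value": "Not Found" } },
+{ "set": { "if": "ctx.http.status_code == 405", "field": "http.status_message", "value": "Method Not Allowed" } },
+{ "set": { "if": "ctx.http.status_code == 406", "field": "http.status_message", "value": "Not Acceptable" } },
+{ "set": { "if": "ctx.http.status_code == 407", "field": "http.status_message", "value": "Proxy Authentication Required" } },
+{ "set": { "if": "ctx.http.status_code == 408", "field": "http.status_message", "value": "Request Timeout" } },
+{ "set": { "if": "ctx.http.status_code == 409", "field": "http.status_message", "value": "Conflict" } },
+{ "set": { "if": "ctx.http.status_code == 410", "field": "http.status_message", "value": "Gone" } },
+{ "set": { "if": "ctx.http.status_code == 411", "field": "http.status_message", "value": "Length Required" } },
+{ "set": { "if": "ctx.http.status_code == 412", "field": "http.status_message", "value": "Precondition Failed" } },
+{ "set": { "if": "ctx.http.status_code == 413", "field": "http.status_message", "value": "Payload Too Large" } },
+{ "set": { "if": "ctx.http.status_code == 414", "field": "http.status_message", "value": "URI Too Long" } },
+{ "set": { "if": "ctx.http.status_code == 415", "field": "http.status_message", "value": "Unsupported Media Type" } },
+{ "set": { "if": "ctx.http.status_code == 416", "field": "http.status_message", "value": "Range Not Satisfiable" } },
+{ "set": { "if": "ctx.http.status_code == 417", "field": "http.status_message", "value": "Expectation Failed" } },
+{ "set": { "if": "ctx.http.status_code == 421", "field": "http.status_message", "value": "Misdirected Request" } },
+{ "set": { "if": "ctx.http.status_code == 422", "field": "http.status_message", "value": "Unprocessable Entity" } },
+{ "set": { "if": "ctx.http.status_code == 423", "field": "http.status_message", "value": "Locked" } },
+{ "set": { "if": "ctx.http.status_code == 424", "field": "http.status_message", "value": "Failed Dependency" } },
+{ "set": { "if": "ctx.http.status_code == 425", "field": "http.status_message", "value": "Too Early" } },
+{ "set": { "if": "ctx.http.status_code == 426", "field": "http.status_message", "value": "Upgrade Required" } },
+{ "set": { "if": "ctx.http.status_code == 427", "field": "http.status_message", "value": "Unassigned" } },
+{ "set": { "if": "ctx.http.status_code == 428", "field": "http.status_message", "value": "Precondition Required" } },
+{ "set": { "if": "ctx.http.status_code == 429", "field": "http.status_message", "value": "Too Many Requests" } },
+{ "set": { "if": "ctx.http.status_code == 430", "field": "http.status_message", "value": "Unassigned" } },
+{ "set": { "if": "ctx.http.status_code == 431", "field": "http.status_message", "value": "Request Header Fields Too Large" } },
+{ "set": { "if": "ctx.http.status_code == 451", "field": "http.status_message", "value": "Unavailable For Legal Reasons" } },
+{ "set": { "if": "ctx.http.status_code == 500", "field": "http.status_message", "value": "Internal Server Error" } },
+{ "set": { "if": "ctx.http.status_code == 501", "field": "http.status_message", "value": "Not Implemented" } },
+{ "set": { "if": "ctx.http.status_code == 502", "field": "http.status_message", "value": "Bad Gateway" } },
+{ "set": { "if": "ctx.http.status_code == 503", "field": "http.status_message", "value": "Service Unavailable" } },
+{ "set": { "if": "ctx.http.status_code == 504", "field": "http.status_message", "value": "Gateway Timeout" } },
+{ "set": { "if": "ctx.http.status_code == 505", "field": "http.status_message", "value": "HTTP Version Not Supported" } },
+{ "set": { "if": "ctx.http.status_code == 506", "field": "http.status_message", "value": "Variant Also Negotiates" } },
+{ "set": { "if": "ctx.http.status_code == 507", "field": "http.status_message", "value": "Insufficient Storage" } },
+{ "set": { "if": "ctx.http.status_code == 508", "field": "http.status_message", "value": "Loop Detected" } },
+{ "set": { "if": "ctx.http.status_code == 509", "field": "http.status_message", "value": "Unassigned" } },
+{ "set": { "if": "ctx.http.status_code == 510", "field": "http.status_message", "value": "Not Extended" } },
+{ "set": { "if": "ctx.http.status_code == 511", "field": "http.status_message", "value": "Network Authentication Required" } }
+]
+}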
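Review bot: The `set` processors for 306, 427, 430 and 509 write the placeholder strings `(Unused)` and `Unassigned` into `http.status_message`, so those four codes get a fake reason phrase in dashboards and aggregations while every other unregistered code (418, 499, 599, …) leaves the field absent; dropping those four entries keeps the field consistently "present only when a real phrase is known". The 65 `if` scripts also compare with `==`, which in Painless is type-sensitive: a `status_code` that arrives as a string (`"200"`) matches none of the branches and the pipeline silently sets nothing — fine for the Suricata caller that guards with `ctx.http?.status_code != null` and passes an integer, but any other source routed here would need the same guarantee, and the non-null-safe `ctx.http.status_code` in each `if` throws if a caller ever invokes this pipeline without `http`. A single `script` processor with a `params` lookup keyed by the string form of the code replaces all 65 conditions, tolerates both integer and string codes, is null-safe on its own, and runs one script per document instead of up to 65.
```json
{
  "description" : "http.status",
  "processors" : [
    { "script": {
        "if": "ctx.http?.status_code != null",
        "source": "def msg = params.messages.get(String.valueOf(ctx.http.status_code)); if (msg != null) { ctx.http.status_message = msg; }",
        "params": {
          "messages": {
            "100": "Continue",
            "101": "Switching Protocols",
            // … unchanged: the remaining code/phrase pairs from the hunk, minus 306, 427, 430 and 509 …
            "511": "Network Authentication Required"
          }
        }
    } }
  ]
}
```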
@@ -1,17 +1,18 @@
|
|||||||
{
|
{
|
||||||
"description" : "suricata.http",
|
"description" : "suricata.http",
|
||||||
"processors" : [
|
"processors" : [
|
||||||
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
|
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
|
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.http.hostname", "target_field": "http.virtual_host", "ignore_missing": true } },
|
{ "rename": { "field": "message2.http.hostname", "target_field": "http.virtual_host", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.http.http_user_agent", "target_field": "http.useragent", "ignore_missing": true } },
|
{ "rename": { "field": "message2.http.http_user_agent", "target_field": "http.useragent", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.http.url", "target_field": "http.uri", "ignore_missing": true } },
|
{ "rename": { "field": "message2.http.url", "target_field": "http.uri", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.http.http_content_type", "target_field": "file.resp_mime_types", "ignore_missing": true } },
|
{ "rename": { "field": "message2.http.http_content_type", "target_field": "file.resp_mime_types", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.http.http_refer", "target_field": "http.referrer", "ignore_missing": true } },
|
{ "rename": { "field": "message2.http.http_refer", "target_field": "http.referrer", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.http.http_method", "target_field": "http.method", "ignore_missing": true } },
|
{ "rename": { "field": "message2.http.http_method", "target_field": "http.method", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.http.protocol", "target_field": "http.version", "ignore_missing": true } },
|
{ "rename": { "field": "message2.http.protocol", "target_field": "http.version", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.http.status", "target_field": "http.status_code", "ignore_missing": true } },
|
{ "rename": { "field": "message2.http.status", "target_field": "http.status_code", "ignore_missing": true } },
|
||||||
{ "rename": { "field": "message2.http.length", "target_field": "http.request.body.length", "ignore_missing": true } },
|
{ "rename": { "field": "message2.http.length", "target_field": "http.request.body.length", "ignore_missing": true } },
|
||||||
|
{ "pipeline": { "if": "ctx.http?.status_code != null", "name": "http.status" } },
|
||||||
{ "pipeline": { "name": "common" } }
|
{ "pipeline": { "name": "common" } }
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
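Review bot: The new `pipeline` processor references `http.status` by name, and a `pipeline` processor is resolved per document at ingest time, so if that sub-pipeline is not yet loaded (or fails to load) every Suricata HTTP event with a status code errors at this step rather than just missing `http.status_message`; either confirm the deploy order guarantees `http.status` exists before this pipeline is updated, or add `"ignore_failure": true` to the call so a missing enrichment cannot block ingest of the event. The null-safe `ctx.http?.status_code != null` guard is correct given the preceding `rename` uses `ignore_missing`. This section's file header is not shown on the page, so the path is inferred only from `"description" : "suricata.http"`; other sources that populate `http.status_code` (if any) do not get this enrichment from this commit.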
|
|||||||