Pull in Suricata changes

This commit is contained in:
Mike Reeves
2021-02-19 11:01:15 -05:00
parent 4a510df205
commit b4b449aa14
19 changed files with 237 additions and 101 deletions


@@ -15,6 +15,6 @@
{ "set": { "field": "ingest.timestamp", "value": "{{@timestamp}}" } },
{ "date": { "field": "message2.timestamp", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "timezone": "UTC", "ignore_failure": true } },
{ "remove":{ "field": "agent", "ignore_failure": true } },
{ "pipeline": { "name": "suricata.{{dataset}}" } }
{ "pipeline": { "if": "ctx?.dataset != null", "name": "suricata.{{dataset}}" } }
]
}
}
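Review bot: An event whose `dataset` is null now bypasses the per-dataset pipeline without any trace, because the new `if` on the last processor simply skips it and nothing marks the document as unmapped; such events will be indexed with only the common fields and are hard to find afterwards. A tag before the dispatch makes them visible, e.g. `{ "append": { "if": "ctx?.dataset == null", "field": "tags", "value": "suricata_dataset_missing" } }` (tag value is a placeholder). The pipeline's description and its earlier processors are outside the hunk, so I cannot see where `dataset` is normally set.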


@@ -7,8 +7,13 @@
{ "rename": { "field": "message2.dns.tx_id", "target_field": "dns.id", "ignore_missing": true } },
{ "rename": { "field": "message2.dns.version", "target_field": "dns.version", "ignore_missing": true } },
{ "rename": { "field": "message2.dns.rrname", "target_field": "dns.query.name", "ignore_missing": true } },
{ "rename": { "field": "message2.grouped.A", "target_field": "dns.answers", "ignore_missing": true } },
{ "rename": { "field": "message2.dns.flags", "target_field": "dns.flags", "ignore_missing": true } },
{ "rename": { "field": "message2.dns.qr", "target_field": "dns.qr", "ignore_missing": true } },
{ "rename": { "field": "message2.dns.rd", "target_field": "dns.recursion.desired", "ignore_missing": true } },
{ "rename": { "field": "message2.dns.ra", "target_field": "dns.recursion.available", "ignore_missing": true } },
{ "rename": { "field": "message2.dns.rcode", "target_field": "dns.response.code", "ignore_missing": true } },
{ "rename": { "field": "message2.grouped.A", "target_field": "dns.answers.data", "ignore_missing": true } },
{ "rename": { "field": "message2.grouped.CNAME", "target_field": "dns.answers.name", "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]
}
}
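Review bot: The rename on L35 stores the grouped CNAME values in `dns.answers.name`, but in Suricata's grouped DNS format those values are the CNAME record data (the target names), and ECS reserves `dns.answers.name` for the owner name of each record while `dns.answers.data` holds the RDATA; ECS also models `dns.answers` as one array of objects, so two parallel arrays under `dns.answers.data` and `dns.answers.name` lose which A value belongs to which CNAME. If the rename of `message2.grouped.A` on L28 (to `dns.answers`) and the one on L34 (to `dns.answers.data`) both survive on the new side, the second is a silent no-op because `ignore_missing` hides that the source was already moved; the rendering does not show which of the two is the removed line. `dns.response.code` on L33 also departs from the ECS name `dns.response_code`, which is worth making a deliberate choice rather than an accident.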


@@ -1,8 +1,18 @@
{
"description" : "suricata.fileinfo",
"processors" : [
{ "set": { "field": "dataset", "value": "file" } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.filename", "target_field": "file.name", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.gaps", "target_field": "file.bytes.missing", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.magic", "target_field": "file.mime_type", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.md5", "target_field": "hash.md5", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.sha1", "target_field": "hash.sha1", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.sid", "target_field": "rule.uuid", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.size", "target_field": "file.size", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.state", "target_field": "file.state", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.stored", "target_field": "file.saved", "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]
}
}
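Review bot: `message2.fileinfo.magic` on L52 is the libmagic description text Suricata emits, not a media type, so storing it in `file.mime_type` will break any filter or detection that expects `application/...`-style values; a source-specific target such as `file.magic` (placeholder name) keeps the value without overloading the ECS field. On L51, Suricata's `fileinfo.gaps` is a boolean flag rather than a byte count, so `file.bytes.missing` misdescribes it — confirm against a sample fileinfo event before choosing a name. L55 maps the matching signature id(s) to `rule.uuid`, whereas ECS uses `rule.id` for a rule identifier and reserves `rule.uuid` for an actual UUID.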


@@ -1,8 +1,15 @@
{
"description" : "suricata.krb5",
"processors" : [
{ "set": { "field": "dataset", "value": "kerberos" } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.msg_type", "target_field": "kerberos.request_type", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.cname", "target_field": "kerberos.client", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.realm", "target_field": "kerberos.realm", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.sname", "target_field": "kerberos.service", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.encryption", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } },
{ "rename": { "field": "message2.krb.weak_encryption", "target_field": "kerberos.weak_encryption", "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]
}
}
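Review bot: The source field on L78 is `message2.krb.weak_encryption` while every other processor in this pipeline reads `message2.krb5.*`, so with `ignore_missing` the rename never fires and `kerberos.weak_encryption` is silently never populated, removing weak-cipher visibility from the indexed Kerberos data; it should read `{ "rename": { "field": "message2.krb5.weak_encryption", "target_field": "kerberos.weak_encryption", "ignore_missing": true } }`. Because every rename in these pipelines sets `ignore_missing: true`, a source-path typo produces no error at ingest time; a sample-event test per pipeline would catch this class of mistake.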


@@ -3,6 +3,26 @@
"processors" : [
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.tx_id", "target_field": "rdp.tx_id", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.event_type", "target_field": "rdp.event_type", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.cookie", "target_field": "rdp.cookie", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.client.version", "target_field": "rdp.client_version", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.client.desktop_width", "target_field": "rdp.desktop__width", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.client.desktop__height", "target_field": "rdp.desktop__height", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.client.color_depth", "target_field": "rdp.requested_color_depth", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.client.keyboard_layout", "target_field": "rdp.keyboard_layout", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.client.build", "target_field": "rdp.client_build", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.client.client_name", "target_field": "client.name", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.client.keyboard_type", "target_field": "rdp.keyboard_type", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.client.function_keys", "target_field": "rdp.function_keys", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.client.product_id", "target_field": "rdp.product_id", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.client.capabilities", "target_field": "rdp.client_capabilities", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.client.id", "target_field": "rdp.client_id", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.channels", "target_field": "rdp.channels", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.server_supports", "target_field": "rdp.server_supports", "ignore_missing": true } },
{ "rename": { "field": "message2.rdp.x509_serials", "target_field": "rdp.x509_serials", "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]
}
}
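Review bot: L95 reads `message2.rdp.client.desktop__height` (double underscore) whereas Suricata names the field `desktop_height`, so under `ignore_missing` that rename silently never fires; L94 writes to `rdp.desktop__width` while every other target here uses a single underscore. The pair should become `"target_field": "rdp.desktop_width"` on L94 and `"field": "message2.rdp.client.desktop_height", "target_field": "rdp.desktop_height"` on L95. L99 sends the RDP client name to ECS `client.name`, which describes the network client endpoint; if other pipelines fill `client.*` from the connection tuple this may collide — worth confirming.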


@@ -3,6 +3,30 @@
"processors" : [
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.id", "target_field": "smb.id", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.dialect", "target_field": "smb.dialect", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.command", "target_field": "smb.command", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.status", "target_field": "smb.status", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.status_code", "target_field": "smb.status_code", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.session_id", "target_field": "smb.session_id", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.tree_id", "target_field": "smb.tree_id", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.filename", "target_field": "smb.filename", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.disposition", "target_field": "smb.disposition", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.access", "target_field": "smb.access", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.created", "target_field": "smb.created", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.accessed", "target_field": "smb.accessed", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.modified", "target_field": "smb.modified ", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.changed", "target_field": "smb.changed", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.size", "target_field": "smb.size", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.share", "target_field": "smb.share", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.share_type", "target_field": "smb.share_type", "ignore_missing": true } },
{ "rename": { "field": "message2.client_dialects", "target_field": "smb.client_dialects", "ignore_missing": true } },
{ "rename": { "field": "message2.client_guid", "target_field": "smb.client_guid", "ignore_missing": true } },
{ "rename": { "field": "message2.server_guid", "target_field": "smb.server_guid", "ignore_missing": true } },
{ "rename": { "field": "message2.request.native_us", "target_field": "smb.request.native_us", "ignore_missing": true } },
{ "rename": { "field": "message2.request.native_lm", "target_field": "smb.request.native_lm", "ignore_missing": true } },
{ "rename": { "field": "message2.response.native_os", "target_field": "smb.response.native_os", "ignore_missing": true } },
{ "rename": { "field": "message2.response.native_lm", "target_field": "smb.response.native_lm", "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]
}
}
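Review bot: The target on L131 is `"smb.modified "` with a trailing space, which creates a distinct field whose name ends in a space and will never match a mapping or query for `smb.modified`. L136–L142 read `message2.client_dialects`, `message2.client_guid`, `message2.server_guid`, `message2.request.*` and `message2.response.*` without the `smb.` segment every other processor uses, and L139 spells `native_us` where L141 spells `native_os`; because all of them set `ignore_missing`, each mismatch is dropped silently, so the dialect and client/server identity fields that help spot downgraded SMB sessions or unexpected clients never reach the index. Assuming Suricata nests these under `smb` like the other fields (confirm against a sample event), the corrected processors are below.
```json
{ "rename": { "field": "message2.smb.modified", "target_field": "smb.modified", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.client_dialects", "target_field": "smb.client_dialects", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.client_guid", "target_field": "smb.client_guid", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.server_guid", "target_field": "smb.server_guid", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.request.native_os", "target_field": "smb.request.native_os", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.request.native_lm", "target_field": "smb.request.native_lm", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.response.native_os", "target_field": "smb.response.native_os", "ignore_missing": true } },
{ "rename": { "field": "message2.smb.response.native_lm", "target_field": "smb.response.native_lm", "ignore_missing": true } },
```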


@@ -5,6 +5,8 @@
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.snmp.version", "target_field": "snmp.version", "ignore_missing": true } },
{ "rename": { "field": "message2.snmp.community", "target_field": "snmp.community", "ignore_missing": true } },
{ "rename": { "field": "message2.snmp.pdu_type", "target_field": "snmp.pdu_type", "ignore_missing": true } },
{ "rename": { "field": "message2.snmp.vars", "target_field": "snmp.vars", "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]
}
}
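Review bot: `snmp.community` on L153 indexes the SNMP community string, which is an authentication credential for the managed device, as a plain searchable field; that is useful for flagging default or shared values, but it also means anyone with read access to this index can recover live credentials. The sensitivity should be recorded in the field's mapping documentation, and restricting it through the index's field-level security is worth considering rather than leaving the exposure implicit. The pipeline header and the `proto` rename precede the hunk.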


@@ -3,6 +3,10 @@
"processors" : [
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.tftp.packet", "target_field": "tftp.packet", "ignore_missing": true } },
{ "rename": { "field": "message2.tftp.file", "target_field": "tftp.file", "ignore_missing": true } },
{ "rename": { "field": "message2.tftp.mode", "target_field": "tftp.mode", "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]
}
}
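Review bot: The transferred file name on L168 lives only in the source-specific `tftp.file`, while the fileinfo pipeline in this same commit maps file names to ECS `file.name`; keeping it only under `tftp.*` means a search for a file name across datasets has to know every protocol-specific key. Renaming to `file.name` (or copying the value into it in addition to `tftp.file`) keeps TFTP transfers pivotable with the other file events. The pipeline's `description` line precedes the hunk.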


@@ -1,8 +1,22 @@
{
"description" : "suricata.tls",
"processors" : [
{ "set": { "field": "dataset", "value": "ssl" } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.tls.subject", "target_field": "ssl.certificate.subject", "ignore_missing": true } },
{ "rename": { "field": "message2.tls.serial", "target_field": "ssl.certificate.serial", "ignore_missing": true } },
{ "rename": { "field": "message2.tls.fingerprint", "target_field": "ssl.certificate.fingerprint", "ignore_missing": true } },
{ "rename": { "field": "message2.tls.version", "target_field": "ssl.certificate.version", "ignore_missing": true } },
{ "rename": { "field": "message2.tls.ja3.hash", "target_field": "hash.ja3", "ignore_missing": true } },
{ "rename": { "field": "message2.tls.ja3.hash.string", "target_field": "hash.ja3_string", "ignore_missing": true } },
{ "rename": { "field": "message2.tls.ja3s.hash", "target_field": "hash.ja3s", "ignore_missing": true } },
{ "rename": { "field": "message2.tls.ja3s.hash.string", "target_field": "hash.ja3s_string", "ignore_missing": true } },
{ "rename": { "field": "message2.tls.notbefore", "target_field": "x509.certificate.not_valid_before", "ignore_missing": true } },
{ "rename": { "field": "message2.tls.notafter", "target_field": "x509.certificate.not_valid_after", "ignore_missing": true } },
{ "rename": { "field": "message2.tls.sni", "target_field": "ssl.server_name", "ignore_missing": true } },
{ "rename": { "field": "message2.tls.issuerdn", "target_field": "ssl.certificate.issuer", "ignore_missing": true } },
{ "rename": { "field": "message2.tls.session_resumed", "target_field": "ssl.session_resumed", "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]
}
}
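Review bot: L189 and L191 read `message2.tls.ja3.hash.string` and `message2.tls.ja3s.hash.string`, but Suricata emits the fingerprint string as a sibling of the hash (`tls.ja3.string`, `tls.ja3s.string`), so under `ignore_missing` these two renames never fire and `hash.ja3_string`/`hash.ja3s_string` stay empty; the source fields should be `"message2.tls.ja3.string"` and `"message2.tls.ja3s.string"`. L187 places `message2.tls.version`, which in Suricata's tls event is the negotiated protocol version string, under `ssl.certificate.version`, a name that reads as the X.509 certificate version; ECS provides `tls.version` for the protocol version. L192–L193 use the `x509.certificate.*` prefix while every other certificate attribute here goes to `ssl.certificate.*`, so the certificate ends up split across two objects — pick one prefix for the whole set.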