From c389944e5cb6aa50489b20cd4dd4518950b1c542 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 8 Nov 2022 09:56:53 -0500
Subject: [PATCH 01/18] Initial support for Elastic Package Registry
---
salt/allowed_states.map.jinja | 4 ++
salt/elastic-fleet-package-registry/init.sls | 47 ++++++++++++++++++++
salt/kibana/config.map.jinja | 2 +
salt/kibana/defaults.yaml | 1 +
4 files changed, 54 insertions(+)
create mode 100644 salt/elastic-fleet-package-registry/init.sls
diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja
index 949fa5951..899a56b23 100644
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -37,6 +37,7 @@
 'soc',
 'kratos',
 'elastic-fleet',
+ 'elastic-fleet-package-registry',
 'firewall',
 'idstools',
 'suricata.manager',
@@ -120,6 +121,7 @@
 'soc',
 'kratos',
 'elastic-fleet',
+ 'elastic-fleet-package-registry',
 'firewall',
 'idstools',
 'suricata.manager',
@@ -140,6 +142,7 @@
 'soc',
 'kratos',
 'elastic-fleet',
+ 'elastic-fleet-package-registry',
 'firewall',
 'manager',
 'idstools',
@@ -170,6 +173,7 @@
 'soc',
 'kratos',
 'elastic-fleet',
+ 'elastic-fleet-package-registry',
 'firewall',
 'idstools',
 'suricata.manager',
diff --git a/salt/elastic-fleet-package-registry/init.sls b/salt/elastic-fleet-package-registry/init.sls
new file mode 100644
index 000000000..fd29c84b0
--- /dev/null
+++ b/salt/elastic-fleet-package-registry/init.sls
@@ -0,0 +1,47 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# this file except in compliance with the Elastic License 2.0.
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls in allowed_states %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+# Add Group
+elasticsagentprgroup:
+ group.present:
+ - name: elastic-agent-pr
+ - gid: 948
+
+
+# Add user
+elastic-agent-pr:
+ user.present:
+ - uid: 948
+ - gid: 948
+ - home: /opt/so/conf/elastic-fleet-pr
+ - createhome: False
+
+so-elastic-fleet-package-registry:
+ docker_container.running:
+ #- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }}
+ - image: docker.elastic.co/package-registry/distribution:8.4.1
+ - name: so-elastic-fleet-package-registry
+ - hostname: Fleet-package-reg-{{ GLOBALS.hostname }}
+ - detach: True
+ - user: 948
+ - extra_hosts:
+ - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
+ - port_bindings:
+ - 0.0.0.0:8080:8080
+
+append_so-elastic-fleet-package-registry_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-elastic-fleet-package-registry
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/kibana/config.map.jinja b/salt/kibana/config.map.jinja
index af0e26fd5..8a107c2c9 100644
--- a/salt/kibana/config.map.jinja
+++ b/salt/kibana/config.map.jinja
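Review bot: `- 0.0.0.0:8080:8080` under `port_bindings` publishes the package registry on every interface in clear HTTP, and nothing in this hunk restricts who can reach it, while the Kibana side of this patch is pointed at `http://<manager_ip>:8080` and will trust whatever that endpoint serves as package content. Unless the existing firewall state already covers 8080 (not visible here), bind to the manager address instead, e.g. `- {{ GLOBALS.node_ip }}:8080:8080`, or add a matching firewall rule. The commented-out `#- image:` line still references so-elastic-agent and should be removed rather than carried along. `createhome: False` together with `home: /opt/so/conf/elastic-fleet-pr` means no state here creates that directory; if the container expects it, add a `file.directory` state, otherwise a short comment that the home is intentionally unused would help the next reader.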
@@ -7,6 +7,8 @@ {% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %} +{% do KIBANACONFIG.kibana.config.xpack.fleet.update({'registryUrl': 'http://' ~ GLOBALS.manager_ip ~ ':8080'}) %} + {% if salt['pillar.get']('kibana:secrets') %} {% do KIBANACONFIG.kibana.config.xpack.update({'encryptedSavedObjects': {'encryptionKey': pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey']}}) %} {% do KIBANACONFIG.kibana.config.xpack.security.update({'encryptionKey': pillar['kibana']['secrets']['security']['encryptionKey']}) %} diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index f6bf17e7e..d1c971461 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -31,6 +31,7 @@ kibana: kibanaServer: hostname: localhost fleet: + registryUrl: "" packages: - name: fleet_server version: latest From 8db49feb323bfc7c167dba43e122eff25f51f052 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 16 Nov 2022 08:24:25 -0500 Subject: [PATCH 02/18] Use our docker image --- salt/common/tools/sbin/so-image-common | 1 + salt/elastic-fleet-package-registry/init.sls | 3 +-- salt/top.sls | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index a7fc19801..cfc4ff4ab 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -42,6 +42,7 @@ container_list() { "so-elastalert" "so-elastic-agent" "so-elastic-agent-builder" + "so-elastic-fleet-package-registry" "so-elasticsearch" "so-filebeat" "so-grafana" diff --git a/salt/elastic-fleet-package-registry/init.sls b/salt/elastic-fleet-package-registry/init.sls index fd29c84b0..f14ad47c7 100644 --- a/salt/elastic-fleet-package-registry/init.sls +++ b/salt/elastic-fleet-package-registry/init.sls 
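Review bot: The added `xpack.fleet.update({'registryUrl': 'http://' ~ GLOBALS.manager_ip ~ ':8080'})` runs unconditionally, so the `registryUrl: ""` default added to defaults.yaml in the same patch can never take effect and an operator has no pillar path to point Kibana at a different registry. Either guard the update so it only fills the value when the defaults/pillar value is empty, or drop the dead default so the two files do not disagree about where the setting comes from. The URL is also plain `http://`; if Kibana and the registry can run on different hosts that is an unauthenticated, unencrypted channel for package metadata, and deserves at least a comment here explaining why that is acceptable in this deployment.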
@@ -22,8 +22,7 @@ elastic-agent-pr:
 
 so-elastic-fleet-package-registry:
 docker_container.running:
- #- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }}
- - image: docker.elastic.co/package-registry/distribution:8.4.1
+ - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-fleet-package-registry:{{ GLOBALS.so_version }}
 - name: so-elastic-fleet-package-registry
 - hostname: Fleet-package-reg-{{ GLOBALS.hostname }}
 - detach: True
diff --git a/salt/top.sls b/salt/top.sls
index 973978537..d9653fca1 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -191,6 +191,7 @@ base:
 {%- if REDIS %}
 - redis
 {%- endif %}
+ - elastic-fleet-package-registry
 {%- if KIBANA %}
 - kibana.so_savedobjects_defaults
 {%- endif %}
From 638a3568b0e65d6abf76ae548ce6b1a00ecca806 Mon Sep 17 00:00:00 2001
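Review bot: In the top.sls hunk, `- elastic-fleet-package-registry` is added with no guard, unlike its neighbours `{%- if REDIS %}` and `{%- if KIBANA %}`, so every minion matched by this block renders the state and, where it is not in allowed_states, ends in the `test.fail_without_changes` failure instead of being skipped. If the registry is only meaningful alongside Kibana, wrap it the same way, `{%- if KIBANA %}` / `- elastic-fleet-package-registry` / `{%- endif %}`, or gate it on its own flag. The `base:` match target that encloses these lines starts outside the hunk, so I cannot confirm which roles it covers.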
From: Wes Date: Wed, 16 Nov 2022 21:11:21 +0000 Subject: [PATCH 03/18] Update ingest node pipelines for ICS/SCADA protocols --- salt/elasticsearch/files/ingest/zeek.bacnet | 14 +++++++++ .../files/ingest/zeek.bacnet_discovery | 16 ++++++++++ .../files/ingest/zeek.bacnet_property | 16 ++++++++++ .../files/ingest/zeek.bsap_ip_header | 10 +++++++ .../files/ingest/zeek.bsap_ip_rdb | 20 +++++++++++++ .../files/ingest/zeek.bsap_ip_unknown | 9 ++++++ .../files/ingest/zeek.bsap_serial_header | 17 +++++++++++ .../files/ingest/zeek.bsap_serial_rdb | 11 +++++++ .../files/ingest/zeek.bsap_serial_rdb_ext | 13 ++++++++ .../files/ingest/zeek.bsap_serial_unknown | 9 ++++++ salt/elasticsearch/files/ingest/zeek.cip | 19 ++++++++++++ .../files/ingest/zeek.cip_identity | 21 +++++++++++++ salt/elasticsearch/files/ingest/zeek.cip_io | 13 ++++++++ salt/elasticsearch/files/ingest/zeek.conn | 1 + .../files/ingest/zeek.dnp3_objects | 13 ++++++++ .../files/ingest/zeek.ecat_aoe_info | 17 +++++++++++ .../files/ingest/zeek.ecat_arp_info | 15 ++++++++++ .../files/ingest/zeek.ecat_coe_info | 14 +++++++++ .../files/ingest/zeek.ecat_dev_info | 18 +++++++++++ .../files/ingest/zeek.ecat_foe_info | 14 +++++++++ .../files/ingest/zeek.ecat_log_address | 14 +++++++++ .../files/ingest/zeek.ecat_registers | 15 ++++++++++ .../files/ingest/zeek.ecat_soe_info | 14 +++++++++ salt/elasticsearch/files/ingest/zeek.enip | 16 ++++++++++ .../files/ingest/zeek.modbus_detailed | 14 +++++++++ .../ingest/zeek.modbus_mask_write_register | 14 +++++++++ .../zeek.modbus_read_write_multiple_registers | 16 ++++++++++ salt/elasticsearch/files/ingest/zeek.opcua | 30 +++++++++++++++++++ .../files/ingest/zeek.opcua_activate_session | 18 +++++++++++ .../files/ingest/zeek.opcua_browse | 16 ++++++++++ .../ingest/zeek.opcua_browse_description | 16 ++++++++++ .../zeek.opcua_browse_response_references | 22 ++++++++++++++ .../files/ingest/zeek.opcua_browse_result | 11 +++++++ .../files/ingest/zeek.opcua_create_session | 19 ++++++++++++ 
.../zeek.opcua_create_session_endpoints | 21 +++++++++++++ .../zeek.opcua_create_session_user_token | 11 +++++++ .../ingest/zeek.opcua_create_subscription | 15 ++++++++++ .../files/ingest/zeek.opcua_get_endpoints | 10 +++++++ .../zeek.opcua_get_endpoints_description | 21 +++++++++++++ .../zeek.opcua_get_endpoints_user_token | 11 +++++++ .../ingest/zeek.opcua_opensecure_channel | 15 ++++++++++ .../files/ingest/zeek.opcua_read | 10 +++++++ .../ingest/zeek.opcua_read_nodes_to_read | 16 ++++++++++ .../files/ingest/zeek.opcua_read_results | 12 ++++++++ .../files/ingest/zeek.opcua_read_results_link | 10 +++++++ .../ingest/zeek.opcua_status_code_detail | 21 +++++++++++++ 46 files changed, 688 insertions(+) create mode 100644 salt/elasticsearch/files/ingest/zeek.bacnet create mode 100644 salt/elasticsearch/files/ingest/zeek.bacnet_discovery create mode 100644 salt/elasticsearch/files/ingest/zeek.bacnet_property create mode 100644 salt/elasticsearch/files/ingest/zeek.bsap_ip_header create mode 100644 salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb create mode 100644 salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown create mode 100644 salt/elasticsearch/files/ingest/zeek.bsap_serial_header create mode 100644 salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb create mode 100644 salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext create mode 100644 salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown create mode 100644 salt/elasticsearch/files/ingest/zeek.cip create mode 100644 salt/elasticsearch/files/ingest/zeek.cip_identity create mode 100644 salt/elasticsearch/files/ingest/zeek.cip_io create mode 100644 salt/elasticsearch/files/ingest/zeek.dnp3_objects create mode 100644 salt/elasticsearch/files/ingest/zeek.ecat_aoe_info create mode 100644 salt/elasticsearch/files/ingest/zeek.ecat_arp_info create mode 100644 salt/elasticsearch/files/ingest/zeek.ecat_coe_info create mode 100644 salt/elasticsearch/files/ingest/zeek.ecat_dev_info create mode 100644 
salt/elasticsearch/files/ingest/zeek.ecat_foe_info create mode 100644 salt/elasticsearch/files/ingest/zeek.ecat_log_address create mode 100644 salt/elasticsearch/files/ingest/zeek.ecat_registers create mode 100644 salt/elasticsearch/files/ingest/zeek.ecat_soe_info create mode 100644 salt/elasticsearch/files/ingest/zeek.enip create mode 100644 salt/elasticsearch/files/ingest/zeek.modbus_detailed create mode 100644 salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register create mode 100644 salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_activate_session create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_browse create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_browse_description create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_browse_response_references create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_browse_result create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_create_session create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_create_session_endpoints create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_create_session_user_token create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_create_subscription create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_user_token create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_opensecure_channel create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_read create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_read_nodes_to_read create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_read_results create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_read_results_link 
create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_status_code_detail
diff --git a/salt/elasticsearch/files/ingest/zeek.bacnet b/salt/elasticsearch/files/ingest/zeek.bacnet
new file mode 100644
index 000000000..d4484aa4a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.bacnet",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
+ { "rename": { "field": "message2.bvlc_function", "target_field": "bacnet.bclv.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_type", "target_field": "bacnet.pdu.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
+ { "rename": { "field": "message2.invoke_id", "target_field": "bacnet.invoke.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.result_code", "target_field": "bacnet.result.code", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.bacnet_discovery b/salt/elasticsearch/files/ingest/zeek.bacnet_discovery
new file mode 100644
index 000000000..a2b155bf1
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet_discovery
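Review bot: The target `bacnet.bclv.function` for the `message2.bvlc_function` rename looks like a transposition of `bvlc` (the BACnet Virtual Link Control field the source is named after), so the value lands under a name nobody searching for bvlc will find, and once documents are indexed the misspelled field is effectively permanent. Suggest `"target_field": "bacnet.bvlc.function"` before this ships.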
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.bacnet_discovery",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
+ { "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
+ { "rename": { "field": "message2.object_type", "target_field": "bacnet.object.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.vendor", "target_field": "bacnet.vendor", "ignore_missing": true } },
+ { "rename": { "field": "message2.range", "target_field": "bacnet.range", "ignore_missing": true } },
+ { "rename": { "field": "message2.object_name", "target_field": "bacnet.object.name", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.bacnet_property b/salt/elasticsearch/files/ingest/zeek.bacnet_property
new file mode 100644
index 000000000..9a39ae5a0
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet_property
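Review bot: `message2.instance_number` is renamed twice in zeek.bacnet_discovery, once after `is_orig` and again after `object_type`; the second processor is always a no-op because the field has already been moved, and `ignore_missing` hides that. Drop the duplicate so the processor list reflects what actually happens to the event.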
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.bacnet_property",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
+ { "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
+ { "rename": { "field": "message2.object_type", "target_field": "bacnet.object.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.property", "target_field": "bacnet.property", "ignore_missing": true } },
+ { "rename": { "field": "message2.array_index", "target_field": "bacnet.array.index", "ignore_missing": true } },
+ { "rename": { "field": "message2.value", "target_field": "bacnet.value", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_ip_header b/salt/elasticsearch/files/ingest/zeek.bsap_ip_header
new file mode 100644
index 000000000..59f7bca04
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_header
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.bsap_ip_header",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.num_msg", "target_field": "bsap.number.messages", "ignore_missing": true } },
+ { "rename": { "field": "message2.type_name", "target_field": "bsap.message.type", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
\ No newline at end of file
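Review bot: The `json` processor that parses `message` into `message2` appears twice in a row in zeek.bacnet_property; the second run re-parses the same payload and overwrites `message2` with the same result, so it is pure overhead on every event with no effect on the output. Remove one copy so the pipeline parses once like every other pipeline in this patch.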
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb b/salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb
new file mode 100644
index 000000000..6490e0aa9
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb
@@ -0,0 +1,20 @@
+{
+ "description" : "zeek.bsap_ip_rdb",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.header_size", "target_field": "bsap.header.legnth", "ignore_missing": true } },
+ { "rename": { "field": "message2.mes_seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
+ { "rename": { "field": "message2.res_seq", "target_field": "bsap.response.sequence", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_len", "target_field": "bsap.data.lenght", "ignore_missing": true } },
+ { "rename": { "field": "message2.sequence", "target_field": "bsap.function.sequence", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_func_code", "target_field": "bsap.application.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.node_status", "target_field": "bsap.node.status", "ignore_missing": true } },
+ { "rename": { "field": "message2.func_code", "target_field": "bsap.application.sub.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.variable_count", "target_field": "bsap.variable.count", "ignore_missing": true } },
+ { "rename": { "field": "message2.variables", "target_field": "bsap.vector.variables", "ignore_missing": true } },
+ { "rename": { "field": "message2.variable_value", "target_field": "bsap.vector.variable.value", "ignore_missing": true } },
+ { "rename": { "field": "message2.value", "target_field": "bacnet.value", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
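Review bot: The last rename in zeek.bsap_ip_rdb writes `message2.value` to `bacnet.value`, which files BSAP data under the BACnet namespace and shares a field with the real `bacnet.value` produced by zeek.bacnet_property, so BACnet searches and mappings will pick up BSAP values; it should be a `bsap.*` target. Two target names here are misspelled, `bsap.header.legnth` and `bsap.data.lenght`, and zeek.bsap_serial_rdb_ext has the same issue with `bsap.extenstion.function` and `bsap.extenstion.function.data`; field names are effectively permanent once indexed, so fix them before release. The `variable_value` target also differs between siblings, `bsap.vector.variable.value` here versus `bsap.vector.value` in zeek.bsap_serial_rdb, which splits one concept across two fields.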
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown b/salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown
new file mode 100644
index 000000000..2e94f55b5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown
@@ -0,0 +1,9 @@
+{
+ "description" : "zeek.bsap_ip_unknown",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.data", "target_field": "bsap.ip.unknown.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_header b/salt/elasticsearch/files/ingest/zeek.bsap_serial_header
new file mode 100644
index 000000000..8647e94c8
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_header
@@ -0,0 +1,17 @@
+{
+ "description" : "zeek.bsap_serial_header",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.ser", "target_field": "bsap.message.serial.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.dadd", "target_field": "bsap.destination.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.sadd", "target_field": "bsap.source.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.ctl", "target_field": "bsap.control.byte", "ignore_missing": true } },
+ { "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
+ { "rename": { "field": "message2.sfun", "target_field": "bsap.source.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.nsb", "target_field": "bsap.node.status.byte", "ignore_missing": true } },
+ { "rename": { "field": "message2.type_name", "target_field": "bsap.message.type", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb
new file mode 100644
index 000000000..71e0ad9e1
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.bsap_serial_rdb",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.func_code", "target_field": "bsap.rdb.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.variables", "target_field": "bsap.vector.variables", "ignore_missing": true } },
+ { "rename": { "field": "message2.variable_value", "target_field": "bsap.vector.value", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext
new file mode 100644
index 000000000..9809d68a0
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext
@@ -0,0 +1,13 @@
+{
+ "description" : "zeek.bsap_serial_rdb_ext",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
+ { "rename": { "field": "message2.nsb", "target_field": "bsap.node.status.byte", "ignore_missing": true } },
+ { "rename": { "field": "message2.extfun", "target_field": "bsap.extenstion.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.data", "target_field": "bsap.extenstion.function.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown b/salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown
new file mode 100644
index 000000000..2b9331c93
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown
@@ -0,0 +1,9 @@
+{
+ "description" : "zeek.bsap_serial_unknown",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.data", "target_field": "bsap.serial.unknown.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.cip b/salt/elasticsearch/files/ingest/zeek.cip
new file mode 100644
index 000000000..22f678594
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.cip
@@ -0,0 +1,19 @@
+{
+ "description" : "zeek.cip",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "cip.is.origin", "ignore_missing": true } },
+ { "rename": { "field": "message2.cip_sequence_count", "target_field": "cip.sequence_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.direction", "target_field": "cip.direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.cip_service_code", "target_field": "cip.service_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.cip_service", "target_field": "cip.service", "ignore_missing": true } },
+ { "convert": { "field": "cip.service", "type": "string", "ignore_missing": true } },
+ { "rename": { "field": "message2.cip_status", "target_field": "cip.status_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.class_id", "target_field": "cip.request.path.class.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.class_name", "target_field": "cip.request.path.class.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.instance_id", "target_field": "cip.request.path.instance.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.attribute_id", "target_field": "cip.request.path.attribute.id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.cip_identity b/salt/elasticsearch/files/ingest/zeek.cip_identity
new file mode 100644
index 000000000..092f63fa7
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.cip_identity
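Review bot: zeek.cip names its counter `cip.sequence_count` while zeek.cip_io in the same patch names the equivalent field `cip.sequence.count`, and this pipeline itself mixes underscore names (`cip.service_code`, `cip.status_code`) with the dotted style used everywhere else (`cip.request.path.class.id`). Two spellings for one concept produce two mappings and split searches across the CIP logs. Pick one convention (the dotted form matches the rest of the patch) and align here, e.g. `"target_field": "cip.sequence.count"`, `"target_field": "cip.service.code"`, `"target_field": "cip.status.code"`.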
@@ -0,0 +1,21 @@
+{
+ "description" : "zeek.cip_identity",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.encapsulation_version", "target_field": "cip.encapsulation.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.socket_address", "target_field": "cip.socket.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.socket_port", "target_field": "cip.socket.port", "ignore_missing": true } },
+ { "rename": { "field": "message2.vendor_id", "target_field": "cip.vendor.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.vendor_name", "target_field": "cip.vendor.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.device_type_id", "target_field": "cip.device.type.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.device_type_name", "target_field": "cip.device.type.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_code", "target_field": "cip.device.product.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.revision", "target_field": "cip.device.revision", "ignore_missing": true } },
+ { "rename": { "field": "message2.device_status", "target_field": "cip.device.status", "ignore_missing": true } },
+ { "rename": { "field": "message2.serial_number", "target_field": "cip.device.serial.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_name", "target_field": "cip.device.product.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.device_state", "target_field": "cip.device.state", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/zeek.cip_io b/salt/elasticsearch/files/ingest/zeek.cip_io
new file mode 100644
index 000000000..4a66d83bf
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.cip_io
@@ -0,0 +1,13 @@
+{
+ "description" : "zeek.cip_io",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "cip.is.origin", "ignore_missing": true } },
+ { "rename": { "field": "message2.connection_id", "target_field": "cip.connection.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.sequence_number", "target_field": "cip.sequence.count", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_length", "target_field": "cip.data.length", "ignore_missing": true } },
+ { "rename": { "field": "message2.io_data", "target_field": "cip.io.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/zeek.conn b/salt/elasticsearch/files/ingest/zeek.conn
index 5e3ae9c79..4cca15896 100644
--- a/salt/elasticsearch/files/ingest/zeek.conn
+++ b/salt/elasticsearch/files/ingest/zeek.conn
@@ -17,6 +17,7 @@
 { "rename": { "field": "message2.orig_ip_bytes", "target_field": "client.ip_bytes", "ignore_missing": true } },
 { "rename": { "field": "message2.resp_pkts", "target_field": "server.packets", "ignore_missing": true } },
 { "rename": { "field": "message2.resp_ip_bytes", "target_field": "server.ip_bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.orig_mac_oui", "target_field": "client.oui", "ignore_missing": true } },
 { "rename": { "field": "message2.tunnel_parents", "target_field": "log.id.tunnel_parents", "ignore_missing": true } },
 { "rename": { "field": "message2.orig_cc", "target_field": "client.country_code","ignore_missing": true } },
 { "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.dnp3_objects b/salt/elasticsearch/files/ingest/zeek.dnp3_objects
new file mode 100644
index 000000000..c78ae9e1f
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.dnp3_objects
@@ -0,0 +1,13 @@
+{
+ "description" : "zeek.dnp3_objects",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.function_code", "target_field": "dnp3.function_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.object_type", "target_field": "dnp3.object_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.object_count", "target_field": "dnp3.object_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.range_low", "target_field": "dnp3.range_low", "ignore_missing": true } },
+ { "rename": { "field": "message2.range_high", "target_field": "dnp3.range_high", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info b/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info
new file mode 100644
index 000000000..c5f9b9dc3
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info
@@ -0,0 +1,17 @@
+{
+ "description" : "zeek.ecat_aoe_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.targetid", "target_field": "destination.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.targetport", "target_field": "destination.port", "ignore_missing": true } },
+ { "convert": { "field": "destination.port", "type": "integer", "ignore_missing": true } },
+ { "rename": { "field": "message2.senderid", "target_field": "source.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.senderport", "target_field": "source.port", "ignore_missing": true } },
+ { "convert": { "field": "source.port", "type": "integer", "ignore_missing": true } },
+ { "rename": { "field": "message2.cmd", "target_field": "ecat.command", "ignore_missing": true } },
+ { "rename": { "field": "message2.stateflags", "target_field": "ecat.state.flags", "ignore_missing": true } },
+ { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_arp_info b/salt/elasticsearch/files/ingest/zeek.ecat_arp_info
new file mode 100644
index 000000000..cbc3676ab
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_arp_info
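Review bot: The two `convert` processors for `destination.port` and `source.port` have `ignore_missing` but no `ignore_failure`, so a non-numeric `targetport`/`senderport` value in a Zeek record makes the whole pipeline fail and the event is dropped before `zeek.common` runs, which is a data-loss path driven by whatever is on the wire. Either add `"ignore_failure": true` to both converts, matching the tolerance the `json` step already has, or add an `on_failure` handler so malformed records are still indexed with an error tag. If the AoE `targetid`/`senderid` values are not MAC-formatted (I cannot confirm from here), mapping them onto ECS `destination.mac`/`source.mac` would also be worth a comment.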
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.ecat_arp_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.arp_type", "target_field": "ecat.arp.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.mac_src", "target_field": "source.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.mac_dst", "target_field": "destination.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.SPA", "target_field": "source.ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.SHA", "target_field": "ecat.sender.hardware.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.TPA", "target_field": "destination.ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.THA", "target_field": "ecat.target.hardware.address", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_coe_info b/salt/elasticsearch/files/ingest/zeek.ecat_coe_info
new file mode 100644
index 000000000..79721c920
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_coe_info
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.ecat_coe_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.number", "target_field": "ecat.message.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.Type", "target_field": "ecat.message.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_resp", "target_field": "ecat.request.response.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.index", "target_field": "ecat.index", "ignore_missing": true } },
+ { "rename": { "field": "message2.subindex", "target_field": "ecat.sub.index", "ignore_missing": true } },
+ { "rename": { "field": "message2.dataoffset", "target_field": "ecat.data_offset", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_dev_info b/salt/elasticsearch/files/ingest/zeek.ecat_dev_info
new file mode 100644
index 000000000..aab20781b
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_dev_info
@@ -0,0 +1,18 @@
+{
+ "description" : "zeek.ecat_dev_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.slave_id", "target_field": "ecat.slave.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.revision", "target_field": "ecat.revision", "ignore_missing": true } },
+ { "rename": { "field": "message2.dev_type", "target_field": "ecat.device.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.build", "target_field": "ecat.build.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.fmmucnt", "target_field": "ecat.fieldbus.mem.mgmt.unit", "ignore_missing": true } },
+ { "rename": { "field": "message2.smcount", "target_field": "ecat.sync.manager.count", "ignore_missing": true } },
+ { "rename": { "field": "message2.ports", "target_field": "ecat.port", "ignore_missing": true } },
+ { "convert": { "field": "ecat.port", "type": "integer", "ignore_missing": true } },
+ { "rename": { "field": "message2.dpram", "target_field": "ecat.ram.size", "ignore_missing": true } },
+ { "rename": { "field": "message2.features", "target_field": "ecat.features", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_foe_info b/salt/elasticsearch/files/ingest/zeek.ecat_foe_info
new file mode 100644
index 000000000..11df775a9
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_foe_info
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.ecat_foe_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.reserved", "target_field": "ecat.reserved", "ignore_missing": true } },
+ { "rename": { "field": "message2.packet_num", "target_field": "ecat.packet.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.error_code", "target_field": "ecat.error.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.filename", "target_field": "ecat.filename", "ignore_missing": true } },
+ { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_log_address b/salt/elasticsearch/files/ingest/zeek.ecat_log_address
new file mode 100644
index 000000000..ad0ee161f
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_log_address
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.ecat_log_address",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.srcmac", "target_field": "source.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.dstmac", "target_field": "destination.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.Log_Addr", "target_field": "ecat.log.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.Length", "target_field": "ecat.length", "ignore_missing": true } },
+ { "rename": { "field": "message2.Command", "target_field": "ecat.command", "ignore_missing": true } },
+ { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_registers b/salt/elasticsearch/files/ingest/zeek.ecat_registers
new file mode 100644
index 000000000..d0a11ba83
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_registers
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.ecat_registers",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.srcmac", "target_field": "source.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.dstmac", "target_field": "destination.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.Command", "target_field": "ecat.command", "ignore_missing": true } },
+ { "rename": { "field": "message2.Slave_Addr", "target_field": "ecat.slave.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.Register_Type", "target_field": "ecat.register.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.Register_Addr", "target_field": "ecat.register.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_soe_info b/salt/elasticsearch/files/ingest/zeek.ecat_soe_info
new file mode 100644
index 000000000..bddc40efa
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_soe_info
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.ecat_soe_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.incomplete", "target_field": "ecat.function.check", "ignore_missing": true } },
+ { "rename": { "field": "message2.error", "target_field": "ecat.error", "ignore_missing": true } },
+ { "rename": { "field": "message2.drive_num", "target_field": "ecat.drive.number", "ignore_missing": true } },
+ { "rename": { "field": "message2.element_flags", "target_field": "ecat.element.flags", "ignore_missing": true } },
+ { "rename": { "field": "message2.index", "target_field": "ecat.index", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/zeek.enip b/salt/elasticsearch/files/ingest/zeek.enip
new file mode 100644
index 000000000..456eb99d7
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.enip
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.enip",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "enip.is.origin", "ignore_missing": true } },
+ { "rename": { "field": "message2.enip_command_code", "target_field": "enip.command_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.enip_command", "target_field": "enip.command", "ignore_missing": true } },
+ { "rename": { "field": "message2.length", "target_field": "enip.length", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_handle", "target_field": "enip.session.handle", "ignore_missing": true } },
+ { "rename": { "field": "message2.enip_status", "target_field": "enip.status.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.sender_context", "target_field": "enip.sender.context", "ignore_missing": true } },
+ { "rename": { "field": "message2.options", "target_field": "enip.options", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.modbus_detailed b/salt/elasticsearch/files/ingest/zeek.modbus_detailed
new file mode 100644
index 000000000..723027679
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.modbus_detailed
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.modbus_detailed",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.address", "target_field": "modbus.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.quality", "target_field": "modbus.quality", "ignore_missing": true } },
+ { "rename": { "field": "message2.values", "target_field": "modbus.values", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register b/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register
new file mode 100644
index 000000000..b03ff569a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.modbus_mask_write_register",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.address", "target_field": "modbus.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.and_mask", "target_field": "modbus.and.mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.or_mask", "target_field": "modbus.or.maks", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers b/salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers
new file mode 100644
index 000000000..e60c593fe
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers
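Review bot: The last rename in this pipeline writes the OR mask to `modbus.or.maks`, a typo that leaves the value under a name nothing will query while its sibling lands in `modbus.and.mask`; change it to `"target_field": "modbus.or.mask"`. The rename succeeds as written, so nothing at ingest time will flag the mistake and any mapping, dashboard or detection keyed on `modbus.or.mask` will simply see no data. Mask Write Register is one of the few Modbus functions that lets a client flip individual bits in a holding register, so both masks are worth having correctly named for write-monitoring rules.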
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.read_write_multiple_registers",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.write_start_address", "target_field": "modbus.write.start.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.write_registers", "target_field": "modbus.write.registers", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_start_address", "target_field": "modbus.write.start.address", "ignore_missing": true } },
+ { "rename": { "field": "message2.read.quality", "target_field": "modbus.read.quality", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_registers", "target_field": "modbus.read.registers", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua b/salt/elasticsearch/files/ingest/zeek.opcua
new file mode 100644
index 000000000..78e44c47c
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua
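Review bot: The rename of `message2.read_start_address` targets `modbus.write.start.address`, which the rename two lines above has already populated from `message2.write_start_address`; the rename processor throws when its target already exists and this one carries no `ignore_failure`, so any event with both addresses fails the pipeline and is rejected instead of indexed. Change it to `"target_field": "modbus.read.start.address"`, which is also what the `modbus.read.registers` target beside it implies. Two smaller things in the same file: the description is `zeek.read_write_multiple_registers` while every sibling uses the `zeek.modbus_*` name, and `message2.read.quality` is the only source here spelled with a dot rather than an underscore, so it looks for a nested `read` object the flat Zeek JSON presumably does not carry and `ignore_missing` hides the miss — confirm the log field name (likely `read_quality`).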
@@ -0,0 +1,30 @@
+{
+ "description" : "zeek.opcua",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.msg_type", "target_field": "opcua.message_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.is_final", "target_field": "opcua.final", "ignore_missing": true } },
+ { "rename": { "field": "message2.msg_size", "target_field": "opcua.message_size", "ignore_missing": true } },
+ { "rename": { "field": "message2.snd_buf_size", "target_field": "opcua.sender.buffer_size", "ignore_missing": true } },
+ { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_channel_id", "target_field": "opcua.secure_channel.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_id", "target_field": "opcua.request_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.identifier", "target_field": "opcua.identifier", "ignore_missing": true } },
+ { "rename": { "field": "message2.identifier_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_node_id_type", "target_field": "opcua.request.header.node.id_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_node_id_numeric", "target_field": "opcua.request.header.node.id_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_timestamp", "target_field": "opcua.request.header.timestamp", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_request_handle", "target_field": "opcua.request.handle", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_return_diag", "target_field": "opcua.request.header.return_diag", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_audit_entry_id", "target_field": "opcua.request.header.audit_entry_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_timeout_hint", "target_field": "opcua.request.header.timeout_hint", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_add_hdr_type_id", "target_field": "opcua.request.header.type_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_add_hdr_enc_mask", "target_field": "opcua.request.header.enc_mask", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_activate_session b/salt/elasticsearch/files/ingest/zeek.opcua_activate_session
new file mode 100644
index 000000000..466e34236
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_activate_session
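Review bot: The rename of `message2.seq_number` to `opcua.sequence_number` appears twice in this pipeline, once before and once after the `sec_channel_id` rename; the second copy only avoids an error because of `ignore_missing: true` and reads as an editing leftover, so drop it. While here, `message2.req_hdr_request_handle` goes to `opcua.request.handle` whereas every other `req_hdr_*` field goes under `opcua.request.header.*`; unless that is deliberate, `"target_field": "opcua.request.header.request_handle"` keeps the request-header fields together for anyone browsing the mapping.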
@@ -0,0 +1,18 @@
+{
+ "description" : "zeek.opcua.activate_session",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_encoding", "target_field": "opcua.encoding", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_policy_id", "target_field": "opcua.policy_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_user_name", "target_field": "opcua.user_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_password", "target_field": "opcua.password", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_browse b/salt/elasticsearch/files/ingest/zeek.opcua_browse
new file mode 100644
index 000000000..80cd86fd5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_browse
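Review bot: The rename of `message2.ext_obj_password` to `opcua.password` indexes whatever the Zeek OPC UA analyzer captured for the UserNameIdentityToken password as a searchable field right next to `opcua.user_name`; if the session negotiated a security policy of None (which `message_security_mode` / `security_policy_uri` in the endpoints log would show), that is a clear-text credential landing in the SIEM for every analyst with read access to the index. Make this an explicit decision rather than a default: drop it with `{ "remove": { "field": "message2.ext_obj_password", "ignore_missing": true } }`, or if the value is wanted for detecting credential use, a `fingerprint` processor on it keeps the correlation without the secret. If the Zeek plugin already masks or hashes the value, a short note in the pipeline description saying so will spare the next reviewer the same question; I cannot tell from this diff which it is.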
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.opcua.browse",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.description.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_browse_description b/salt/elasticsearch/files/ingest/zeek.opcua_browse_description
new file mode 100644
index 000000000..56d6ac655
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_browse_description
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.opcua.browse_description",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "browse_description_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "browse_description_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
+ { "rename": { "field": "browse_direction", "target_field": "opcua.direction", "ignore_missing": true } },
+ { "rename": { "field": "browse_description_ref_encoding_mask", "target_field": "opcua.description.ref_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "browse_description_ref_numeric", "target_field": "opcua.description.ref_numeric", "ignore_missing": true } },
+ { "rename": { "field": "browse_description_include_subtypes", "target_field": "opcua.description.include_subtypes", "ignore_missing": true } },
+ { "rename": { "field": "browse_node_class_mask", "target_field": "opcua.node.class_mask", "ignore_missing": true } },
+ { "rename": { "field": "browse_result_mask", "target_field": "opcua.result.mask", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_browse_response_references b/salt/elasticsearch/files/ingest/zeek.opcua_browse_response_references
new file mode 100644
index 000000000..07cec4813
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_browse_response_references
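Review bot: Every rename in this pipeline reads its source at the document root (`browse_description_encoding_mask`, `browse_direction`, …) while the `json` processor just above unpacks the event into `message2`, so the `message2.browse_*` fields are never matched; with `ignore_missing: true` on each one the pipeline becomes a silent no-op and the data stays un-normalized under `message2`, where no `opcua.*` mapping or detection will find it. Prefix each source with `message2.`, e.g. `"field": "message2.browse_description_encoding_mask"`, as every sibling pipeline in this commit does. Because `ignore_missing` hides exactly this class of mistake, it is worth a quick `_ingest/pipeline/_simulate` run with a real Zeek record before merging.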
@@ -0,0 +1,22 @@
+{
+ "description" : "zeek.opcua_browse_response_references",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.browse_reference_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_encoding_mask", "target_field": "opcua.reference_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_numeric", "target_field": "opcua.reference_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_is_forward", "target_field": "opcua.is_forward", "ignore_missing": true } },
+ { "rename": { "field": "message2.response_ref_type_encoding_mask", "target_field": "opcua.reference_type_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_type_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_type_numeric", "target_field": "opcua.reference_type_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_name", "target_field": "opcua.reference_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_display_name_mask", "target_field": "opcua.display_name_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_display_name_locale", "target_field": "opcua.display_name_local", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_display_name_text", "target_field": "opcua.display_name_text", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_node_class", "target_field": "opcua.node_class", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_type_def_encoding_mask", "target_field": "opcua.type_def_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_type_def_numeric", "target_field": "opcua.type_def_numeric", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_browse_result b/salt/elasticsearch/files/ingest/zeek.opcua_browse_result
new file mode 100644
index 000000000..7b29284f9
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_browse_result
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.opcua_browse_result",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.browse_response_link_id", "target_field": "opcua.response.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_reference.link_id", "target_field": "opcua.reference.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code.link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_create_session b/salt/elasticsearch/files/ingest/zeek.opcua_create_session
new file mode 100644
index 000000000..637e5a7bb
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_create_session
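Review bot: `opcua.display_name_local` drops the trailing `e` of its source `browse_response_display_name_locale`; change it to `"target_field": "opcua.display_name_locale"` so it lines up with `opcua.locale` in the create_session_endpoints pipeline of this same commit. Separately, the source `message2.response_ref_type_encoding_mask` is the only one in this file without the `browse_` prefix that its neighbours `browse_response_ref_type_namespace_idx` and `browse_response_ref_type_numeric` carry; if the Zeek field is actually `browse_response_ref_type_encoding_mask`, this rename is a silent no-op today because of `ignore_missing`, so confirm against the log schema. This hunk spans two physical lines of the page (L37–L38).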
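Review bot: Two of the three source fields in the browse_result pipeline use a dot where the Zeek naming elsewhere in this set uses an underscore: `message2.browse_reference.link_id` and `message2.status_code.link_id`. Ingest field paths treat the dot as a nesting step, so these look for `link_id` inside a `browse_reference` / `status_code` object that the flat Zeek JSON presumably does not have, and `ignore_missing` turns the miss into a silent no-op. The browse_response_references pipeline directly above reads `message2.browse_reference_link_id`, which suggests the intended sources are `"field": "message2.browse_reference_link_id"` and `"field": "message2.status_code_link_id"`; confirm against the log definition before changing them.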
@@ -0,0 +1,19 @@
+{
+ "description" : "zeek.opcua_create_session",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_id_encoding_mask", "target_field": "opcua.session_id.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_id_namespace_idx", "target_field": "opcua.session_id.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_id_guid", "target_field": "opcua.session_id.guid", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_token_encoding_mask", "target_field": "opcua.auth_token.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_token_namespace_idx", "target_field": "opcua.auth_token.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_token_guid", "target_field": "opcua.auth_token.guid", "ignore_missing": true } },
+ { "rename": { "field": "message2.revised_session_timeout", "target_field": "opcua.revised_session_timeout", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.max_req_msg_size", "target_field": "opcua.request.max_message_size", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_create_session_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_create_session_endpoints
new file mode 100644
index 000000000..2bee814b6
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_create_session_endpoints
@@ -0,0 +1,21 @@
+{
+ "description" : "zeek.opcua",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
+ { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
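Review bot: The description of this pipeline is `zeek.opcua`, the same string the main `zeek.opcua` pipeline in this commit uses, so the two are indistinguishable in `GET _ingest/pipeline` output and in any ingest error that quotes the description; set it to `"description" : "zeek.opcua_create_session_endpoints"` to match the file name and the convention the other pipelines follow. The fields this pipeline does normalize well — `opcua.message_security_mode`, `opcua.security_policy_uri`, `opcua.security_level` — are exactly what a detection for servers advertising a `None` security policy would key on, so it is worth keeping those names stable once they ship.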
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_create_session_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_create_session_user_token
new file mode 100644
index 000000000..ef621a5ff
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_create_session_user_token
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.opcua_create_session_user_token",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.policy_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.type", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_create_subscription b/salt/elasticsearch/files/ingest/zeek.opcua_create_subscription
new file mode 100644
index 000000000..372e6b4fd
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_create_subscription
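Review bot: All three renames in this pipeline read the same source, `message2.user_token_link_id`; the first moves it to `opcua.user_token.link_id`, after which the second and third find nothing and `ignore_missing` makes them silent no-ops, so `opcua.user_token.policy_id` and `opcua.user_token.type` are never populated. The target names suggest the intended sources are `"field": "message2.user_token_policy_id"` and `"field": "message2.user_token_type"`; confirm against the Zeek log definition. The token type is the field that would tell an analyst whether a server accepts anonymous sessions, so losing it weakens any detection built on this log.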
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.opcua_create_subscription",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.requested_publishing_interval", "target_field": "opcua.publish_interval", "ignore_missing": true } },
+ { "rename": { "field": "message2.requested_lifetime_count", "target_field": "opcua.lifetime_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.requested_max_keep_alive_count", "target_field": "opcua.max_keepalive", "ignore_missing": true } },
+ { "rename": { "field": "message2.max_notifications_per_publish", "target_field": "opcua.max_notifications", "ignore_missing": true } },
+ { "rename": { "field": "message2.publishing_enabled", "target_field": "opcua.publish_enabled", "ignore_missing": true } },
+ { "rename": { "field": "message2.priority", "target_field": "opcua.priority", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints
new file mode 100644
index 000000000..a7b2b2f85
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_get_endpoints",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description
new file mode 100644
index 000000000..c84a9f16a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description
@@ -0,0 +1,21 @@
+{
+ "description" : "zeek.opcua_get_endpoints_description",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
+ { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.transport_profile_uri", "target_field": "transport_profile_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
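Review bot: The `transport_profile_uri` rename targets the top-level field `transport_profile_uri` instead of `opcua.transport_profile_uri`, unlike every other field in this pipeline and unlike the same field in `zeek.opcua_create_session_endpoints` earlier in the series; the value will land outside the `opcua.*` namespace and be missed by any mapping, search or dashboard keyed on it. Change the processor to `{ "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } },`.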
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_user_token
new file mode 100644
index 000000000..854c35cf0
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_user_token
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.opcua_get_endpoints_user_token",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_type", "target_field": "opcua.user_token.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_sec_policy_uri", "target_field": "opcua.user_token.security_policy_uri", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_opensecure_channel b/salt/elasticsearch/files/ingest/zeek.opcua_opensecure_channel
new file mode 100644
index 000000000..4e8fb483a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_opensecure_channel
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.opcua_opensecure_channel",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server.protocol.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_token_sec_channel_id", "target_field": "opcua.security_token.security_channel_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.created", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.revised", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server.nonce", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_read b/salt/elasticsearch/files/ingest/zeek.opcua_read
new file mode 100644
index 000000000..e5d1c15fe
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_read
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_read",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results.link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
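Review bot: In `zeek.opcua_opensecure_channel` five `rename` processors read `message2.server_proto_ver`; only the first (to `opcua.server.protocol.version`) can ever succeed, so `opcua.security_token.id`, `opcua.security_token.created`, `opcua.security_token.revised` and `opcua.server.nonce` will always be absent — and `ignore_missing: true` makes that silent. Those are exactly the fields an analyst would use to spot secure-channel token reuse, stale tokens or repeated nonces, so this is more than cosmetic. Each of the last four processors needs its own source column from the Zeek `opcua_binary_opensecure_channel` log (the names are not visible here — confirm them against the parser's log definition) and one real record should be pushed through `_ingest/pipeline/_simulate` to prove the fields land. The `zeek.opcua_read` hunk on this line looks fine.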
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_read_nodes_to_read b/salt/elasticsearch/files/ingest/zeek.opcua_read_nodes_to_read
new file mode 100644
index 000000000..a531531ef
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_read_nodes_to_read
@@ -0,0 +1,16 @@
+{
+ "description" : "zeek.opcua_read_nodes_to_read",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.nodes_to_read_link_id", "target_field": "opcua.nodes_to_read.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.node_id_encoding_mask", "target_field": "opcua.node_id.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.node_id_namespace_idx", "target_field": "opcua.node_id.namespace_idx", "ignore_missing": true } },
+ { "rename": { "field": "message2.node_id_string", "target_field": "opcua.node_id.string", "ignore_missing": true } },
+ { "rename": { "field": "message2.attribute_id", "target_field": "opcua.attribute_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.attribute_id_str", "target_field": "opcua.attribute_id_str", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_encoding_name_idx", "target_field": "opcua.encoding_name_idx", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_encoding_name", "target_field": "opcua.encoding_name", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_read_results b/salt/elasticsearch/files/ingest/zeek.opcua_read_results
new file mode 100644
index 000000000..28c417eba
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_read_results
@@ -0,0 +1,12 @@
+{
+ "description" : "zeek.opcua_read_results",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.level", "target_field": "opcua.level", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_value_encoding_mask", "target_field": "opcua.data_value_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_read_results_link b/salt/elasticsearch/files/ingest/zeek.opcua_read_results_link
new file mode 100644
index 000000000..0a1edc57b
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_read_results_link
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_read_results_link",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results.link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_status_code_detail b/salt/elasticsearch/files/ingest/zeek.opcua_status_code_detail
new file mode 100644
index 000000000..0d4ae984a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_status_code_detail
@@ -0,0 +1,21 @@
+{
+ "description" : "zeek.opcua_stats_code_detail",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.source", "target_field": "opcua.source", "ignore_missing": true } },
+ { "rename": { "field": "message2.source_str", "target_field": "opcua.source_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.source_level", "target_field": "opcua.source_level", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code", "target_field": "opcua.status_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.severity", "target_field": "opcua.severity", "ignore_missing": true } },
+ { "rename": { "field": "message2.severity_str", "target_field": "opcua.severity_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.sub_code", "target_field": "opcua.sub_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.sub_code_str", "target_field": "opcua.sub_code_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.structure_changed", "target_field": "opcua.structure_changed", "ignore_missing": true } },
+ { "rename": { "field": "message2.semantics_changed", "target_field": "opcua.semantics_changed", "ignore_missing": true } },
+ { "rename": { "field": "message2.info_type", "target_field": "opcua.info_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.info_type_str", "target_field": "opcua.info_type_string", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
From 449703744280bf5df6272681c6950e62df997d6f Mon Sep 17 00:00:00 2001
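Review bot: The description reads `"zeek.opcua_stats_code_detail"` while the file, the `status_code_link_id` field it handles and the Filebeat log name are all spelled `status_code_detail`; since the description is what shows in `GET _ingest/pipeline`, the typo makes this pipeline hard to find later. Change it to `"description" : "zeek.opcua_status_code_detail",`.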
From: Jason Ertel Date: Wed, 16 Nov 2022 20:03:54 -0500 Subject: [PATCH 04/18] Use bg:True to send cmd to background --- salt/soc/init.sls | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 8356bd1d8..94cad69c8 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -84,7 +84,8 @@ salt-relay: cmd.run: - env: - SOC_PIPE: /opt/sensoroni/salt.pipe - - name: '/opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh >> /opt/so/log/soc/salt-relay.log 2>&1 &' + - name: '/opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh >> /opt/so/log/soc/salt-relay.log 2>&1' + - bg: True - unless: ps -ef | grep salt-relay | grep -v grep so-soc: From 7cd5d625d121bd14934803e43ab1709131cdf4d0 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 16 Nov 2022 20:45:50 -0500 Subject: [PATCH 05/18] temporarily remove salt-pipe for debug purposes --- salt/soc/init.sls | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 94cad69c8..28453fbf9 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -80,13 +80,7 @@ socusersroles: - require: - sls: manager.sync_es_users -salt-relay: - cmd.run: - - env: - - SOC_PIPE: /opt/sensoroni/salt.pipe - - name: '/opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh >> /opt/so/log/soc/salt-relay.log 2>&1' - - bg: True - - unless: ps -ef | grep salt-relay | grep -v grep + so-soc: docker_container.running: From c572848ece40326cfe45e45aecd1c11cb849020e Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 17 Nov 2022 08:06:24 -0500 Subject: [PATCH 06/18] temporarily remove filecheck for debug purposes --- salt/strelka/init.sls | 6 ------ 1 file changed, 6 deletions(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index e3477dd9e..d0c48fd55 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls 
@@ -134,12 +134,6 @@ filecheck_script: - group: 939 - mode: 755 -filecheck_run: - cmd.run: - - name: 'python3 /opt/so/conf/strelka/filecheck' - - bg: True - - runas: socore - - unless: ps -ef | grep filecheck | grep -v grep filcheck_history_clean: cron.present: From 0ffef75d7baf9da289de330caabbb8871c00f60e Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 17 Nov 2022 09:50:41 -0500 Subject: [PATCH 07/18] Move background jobs to cron --- salt/soc/defaults.yaml | 2 +- salt/soc/files/bin/salt-relay.sh | 2 +- salt/soc/init.sls | 12 ++++++++++-- salt/strelka/init.sls | 5 +++++ 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 278a02342..0f41c32f2 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -83,7 +83,7 @@ soc: bucket: telegraf verifyCert: false salt: - saltPipe: /opt/sensoroni/salt.pipe + saltPipe: /opt/sensoroni/salt/pipe sostatus: refreshIntervalMs: 30000 offlineThresholdMs: 900000 diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh index 514f1e616..c4d0d0037 100755 --- a/salt/soc/files/bin/salt-relay.sh +++ b/salt/soc/files/bin/salt-relay.sh @@ -6,7 +6,7 @@ PIPE_OWNER=${PIPE_OWNER:-socore} PIPE_GROUP=${PIPE_GROUP:-socore} -SOC_PIPE=${SOC_PIPE_REQUEST:-/opt/so/conf/soc/salt.pipe} +SOC_PIPE=${SOC_PIPE_REQUEST:-/opt/so/conf/soc/salt/pipe} function log() { echo "$(date) | $1" diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 28453fbf9..64ebdc671 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -27,6 +27,12 @@ soclogdir: - group: 939 - makedirs: True +socsaltdir: + file.directory: + - name: /opt/so/conf/soc/salt + - user: 939 + - group: 939 + - makedirs: True socconfig: file.managed: 
@@ -80,7 +86,9 @@ socusersroles: - require: - sls: manager.sync_es_users - +salt-relay: + cron.present: + - name: 'ps -ef | grep salt-relay | grep -v grep || /opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh >> /opt/so/log/soc/salt-relay.log 2>&1 &' so-soc: docker_container.running: @@ -96,7 +104,7 @@ so-soc: - /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro - /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro - /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw - - /opt/so/conf/soc/salt.pipe:/opt/sensoroni/salt.pipe:rw + - /opt/so/conf/soc/salt:/opt/sensoroni/salt:rw - /opt/so/saltstack:/opt/so/saltstack:rw {%- if salt['pillar.get']('nodestab', {}) %} - extra_hosts: diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index d0c48fd55..0706cda66 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -134,6 +134,11 @@ filecheck_script: - group: 939 - mode: 755 +filecheck_run: + cron.present: + - name: 'ps -ef | grep filecheck | grep -v grep || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &' + - user: socore + - minute: 9 filcheck_history_clean: cron.present: From 7f7e5474edba1e16623fa6919eeef3547e0e4dd2 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 17 Nov 2022 10:43:05 -0500 Subject: [PATCH 08/18] Add more logging for filecheck monitoring, and ensure scripts are accessible to salt-relay --- salt/soc/files/bin/salt-relay.sh | 1 + salt/strelka/filecheck/filecheck | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh index c4d0d0037..238e8ec29 100755 --- a/salt/soc/files/bin/salt-relay.sh +++ b/salt/soc/files/bin/salt-relay.sh @@ -7,6 +7,7 @@ PIPE_OWNER=${PIPE_OWNER:-socore} PIPE_GROUP=${PIPE_GROUP:-socore} SOC_PIPE=${SOC_PIPE_REQUEST:-/opt/so/conf/soc/salt/pipe} +PATH=${PATH}:/usr/sbin function log() { echo "$(date) | $1" 
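Review bot: The liveness guard in the new `salt-relay` cron entry, `ps -ef | grep salt-relay | grep -v grep`, matches any process whose command line contains that string, so a `tail -f /opt/so/log/soc/salt-relay.log` or an editor open on the script keeps the relay from ever being restarted; it only avoids matching the cron shell itself because that shell's command line happens to contain `grep`. Anchor the check on the script path instead, e.g. `pgrep -f '/opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh' >/dev/null || …` (still a heuristic), or have the script write a pidfile and test that. The entry also sets no `- user:`, so under Salt's default it lands in root's crontab and the relay runs as root every minute, and the pipe it serves lives under `/opt/so/conf/soc/salt`, which the `so-soc` hunk on this line bind-mounts `rw` into the container — that directory is now the boundary between the container's uid 939 and a root process. Make that explicit with `- user: root` and a short comment above the state noting that the pipe directory is writable by the SOC container and must not be widened further.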
diff --git a/salt/strelka/filecheck/filecheck b/salt/strelka/filecheck/filecheck index 3d498ce62..35bcc7f79 100644 --- a/salt/strelka/filecheck/filecheck +++ b/salt/strelka/filecheck/filecheck @@ -65,6 +65,8 @@ if __name__ == "__main__": event_handler =CreatedEventHandler() observer = Observer() + + logging.info("Starting filecheck") observer.schedule(event_handler, extract_path, recursive=True) observer.start() try: @@ -72,4 +74,6 @@ if __name__ == "__main__": time.sleep(1) except KeyboardInterrupt: observer.stop() - observer.join() \ No newline at end of file + observer.join() + + logging.info("Exiting filecheck") \ No newline at end of file From ed9aa5b73f81b9535ddff6cce02a13664c48a829 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 17 Nov 2022 10:48:53 -0500 Subject: [PATCH 09/18] Ensure filecheck is up by checking every minute --- salt/strelka/init.sls | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 0706cda66..155126f91 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -138,7 +138,6 @@ filecheck_run: cron.present: - name: 'ps -ef | grep filecheck | grep -v grep || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &' - user: socore - - minute: 9 filcheck_history_clean: cron.present: From 05b9a067fd04e08ec5ac9b4fc9f011ea73c9f2e1 Mon Sep 17 00:00:00 2001 
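Review bot: Removing `minute: 9` makes `filecheck_run` fire every minute, but its guard `ps -ef | grep filecheck | grep -v grep` still matches any command line containing `filecheck` — including someone running `less /opt/so/log/strelka/filecheck_stdout.log` — which would suppress a restart for as long as that process lives. Prefer `pgrep -f 'python3 /opt/so/conf/strelka/filecheck' >/dev/null || …`, or a pidfile written by the script, so the check targets the watcher itself. Since this entry runs as `socore`, a comment above it stating that `/opt/so/log/strelka/` must be writable by that user would help, because a failed `>>` redirect inside cron gives no visible error beyond cron's mail.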
From: Wes Date: Thu, 17 Nov 2022 16:03:21 +0000 Subject: [PATCH 10/18] Add additional ICS/SCADA ingest node pipelines --- salt/elasticsearch/files/ingest/zeek.profinet | 13 +++++++++++++ .../files/ingest/zeek.profinet_dce_rpc | 15 +++++++++++++++ salt/elasticsearch/files/ingest/zeek.s7comm | 15 +++++++++++++++ salt/elasticsearch/files/ingest/zeek.s7comm_plus | 11 +++++++++++ salt/elasticsearch/files/ingest/zeek.stun | 15 +++++++++++++++ salt/elasticsearch/files/ingest/zeek.stun_nat | 13 +++++++++++++ salt/elasticsearch/files/ingest/zeek.wireguard | 11 +++++++++++ 7 files changed, 93 insertions(+) create mode 100644 salt/elasticsearch/files/ingest/zeek.profinet create mode 100644 salt/elasticsearch/files/ingest/zeek.profinet_dce_rpc create mode 100644 salt/elasticsearch/files/ingest/zeek.s7comm create mode 100644 salt/elasticsearch/files/ingest/zeek.s7comm_plus create mode 100644 salt/elasticsearch/files/ingest/zeek.stun create mode 100644 salt/elasticsearch/files/ingest/zeek.stun_nat create mode 100644 salt/elasticsearch/files/ingest/zeek.wireguard diff --git a/salt/elasticsearch/files/ingest/zeek.profinet b/salt/elasticsearch/files/ingest/zeek.profinet new file mode 100644 index 000000000..e9d69c0dc --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.profinet 
@@ -0,0 +1,13 @@
+{
+ "description" : "zeek.profinet",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.operation_type", "target_field": "profinet.operation_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.block_version", "target_field": "profinet.block_version", "ignore_missing": true } },
+ { "rename": { "field": "message2.slot_number", "target_field": "profinet.slot_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.subslot_number", "target_field": "profinet.subslot_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.index", "target_field": "profinet.index", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.profinet_dce_rpc b/salt/elasticsearch/files/ingest/zeek.profinet_dce_rpc
new file mode 100644
index 000000000..e89fd7d95
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.profinet_dce_rpc
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.profinet_dce_rpc",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.version", "target_field": "profinet.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.packet_type", "target_field": "profinet.packet_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.object_uuid", "target_field": "profinet.object_uuid", "ignore_missing": true } },
+ { "rename": { "field": "message2.interface_uuid", "target_field": "profinet.interface_uuid", "ignore_missing": true } },
+ { "rename": { "field": "message2.activity_uuid", "target_field": "profinet.activity_uuid", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_boot_time", "target_field": "profinet.server.boot_time", "ignore_missing": true } },
+ { "rename": { "field": "message2.operation", "target_field": "profinet.operation", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.s7comm b/salt/elasticsearch/files/ingest/zeek.s7comm
new file mode 100644
index 000000000..646c6bec3
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.s7comm",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.rosctr_code", "target_field": "s7.ros.control.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.rosctr_name", "target_field": "s7.ros.control.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_reference", "target_field": "s7.pdu_reference", "ignore_missing": true } },
+ { "rename": { "field": "message2.function_code", "target_field": "s7.function.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.function_name", "target_field": "s7.function.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.error_class", "target_field": "s7.error.class", "ignore_missing": true } },
+ { "rename": { "field": "message2.error_code", "target_field": "s7.error.code", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.s7comm_plus b/salt/elasticsearch/files/ingest/zeek.s7comm_plus
new file mode 100644
index 000000000..a6acd1b35
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm_plus
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.s7comm_plus",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.version", "target_field": "s7.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.opcode", "target_field": "s7.opcode.value", "ignore_missing": true } },
+ { "rename": { "field": "message2.opcode_name", "target_field": "s7.opcode.name", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.stun b/salt/elasticsearch/files/ingest/zeek.stun
new file mode 100644
index 000000000..f5e7d1baf
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.stun
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.stun",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "stun.is_orig", "ignore_missing": true } },
+ { "rename": { "field": "message2.trans_id", "target_field": "stun.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.method", "target_field": "stun.method", "ignore_missing": true } },
+ { "rename": { "field": "message2.class", "target_field": "stun.clas", "ignore_missing": true } },
+ { "rename": { "field": "message2.attr_types", "target_field": "stun.attribute.types", "ignore_missing": true } },
+ { "rename": { "field": "message2.attr_vals", "target_field": "stun.attribute.values", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.stun_nat b/salt/elasticsearch/files/ingest/zeek.stun_nat
new file mode 100644
index 000000000..45f9b3055
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.stun_nat
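Review bot: The `class` rename targets `stun.clas`, which reads as a typo for `stun.class`; target field names become index mappings and are awkward to correct once data has been indexed, so it should be settled before this ships. Change it to `{ "rename": { "field": "message2.class", "target_field": "stun.class", "ignore_missing": true } },` — or, if the short spelling was deliberate, say so in the pipeline description since JSON cannot carry a comment.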
@@ -0,0 +1,13 @@
+{
+ "description" : "zeek.stun_nat",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "stun.is_orig", "ignore_missing": true } },
+ { "rename": { "field": "message2.wan_addrs", "target_field": "stun.wan.addresses", "ignore_missing": true } },
+ { "rename": { "field": "message2.wan_ports", "target_field": "stun.wan.ports", "ignore_missing": true } },
+ { "rename": { "field": "message2.lan_addrs", "target_field": "stun.lan.addresses", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.wireguard b/salt/elasticsearch/files/ingest/zeek.wireguard
new file mode 100644
index 000000000..ac8e56964
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.wireguard
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.wireguard",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.established", "target_field": "wireguard.established", "ignore_missing": true } },
+ { "rename": { "field": "message2.initiations", "target_field": "wireguard.initiations", "ignore_missing": true } },
+ { "rename": { "field": "message2.responses", "target_field": "wireguard.respsonses", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
From 778ee4b00f1a221b001c4805804499cd1c408da2 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 21 Nov 2022 08:39:18 -0500
Subject: [PATCH 11/18] Simplify version in README.md to just 2.4
---
README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
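Review bot: In `zeek.wireguard` the `responses` rename targets `wireguard.respsonses` (transposed letters), so the count of handshake responses will be indexed under a misspelled field that no query or dashboard will look for, and it will be hard to rename once mapped. Change it to `{ "rename": { "field": "message2.responses", "target_field": "wireguard.responses", "ignore_missing": true } },`. The `zeek.stun_nat` hunk on this line looks fine.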
diff --git a/README.md b/README.md index 04dd95d8f..ab2110fab 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -## Security Onion 2.4.0 +## Security Onion 2.4 -Security Onion 2.4.0 is here! +Security Onion 2.4 is here! ## Screenshots From febb781428ce5a4f07563fb60964eb472bb50c11 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 21 Nov 2022 12:10:55 -0500 Subject: [PATCH 12/18] Add ICS/SCADA logs to filebeat defaults.yaml --- salt/filebeat/defaults.yaml | 59 ++++++++++++++++++++++++++++++++++++- 1 file changed, 58 insertions(+), 1 deletion(-) diff --git a/salt/filebeat/defaults.yaml b/salt/filebeat/defaults.yaml index 2e13032e6..0103fc82b 100644 --- a/salt/filebeat/defaults.yaml +++ b/salt/filebeat/defaults.yaml 
@@ -32,4 +32,61 @@ filebeat:
 - mysql
 - socks
 - x509
-
\ No newline at end of file
+ - dnp3_objects
+ - modbus_detailed
+ - modbus_mask_write_single_register
+ - modbus_read_write_multiple_registers
+ - bacnet
+ - bacnet_discovery
+ - bacnet_property
+ - ecat_registers
+ - ecat_log_address
+ - ecat_dev_info
+ - ecat_aoe_info
+ - ecat_coe_info
+ - ecat_foe_info
+ - ecat_soe_info
+ - ecat_arp_info
+ - enip
+ - cip
+ - cip_io
+ - cip_identity
+ - opcua_binary
+ - opcua_binary_status_code_detail
+ - opcua_binary_diag_info_detail
+ - opcua_binary_get_endpoints
+ - opcua_binary_get_endpoints_discovery
+ - opcua_binary_get_endpoints_user_token
+ - opcua_binary_get_endpoints_description
+ - opcua_binary_get_endpoints_locale_id
+ - opcua_binary_get_endpoints_profile_uri
+ - opcua_binary_create_session
+ - opcua_binary_create_session_user_token
+ - opcua_binary_create_session_endpoints
+ - opcua_binary_create_session_discovery
+ - opcua_binary_activate_session
+ - opcua_binary_activate_session_client_software_cert
+ - opcua_binary_activate_session_locale_id
+ - opcua_binary_activate_session_diagnostic_info
+ - opcua_binary_browse
+ - opcua_binary_browse_description
+ - opcua_binary_browse_request_continuation_point
+ - opcua_binary_browse_result
+ - opcua_binary_browse_response_references
+ - opcua_binary_browse_diagnostic_info
+ - opcua_binary_create_subscription
+ - opcua_binary_read
+ - cotp
+ - s7comm
+ - s7comm_read_szl
+ - s7comm_upload_download
+ - s7comm_plus
+ - tds
+ - tds_rpc
+ - tds_sql_batch
+ - profinet_dce_rpc
+ - profinet
+ - profinet_debug
+ - stun
+ - stun_nat
+ - wireguard
From 9994d47a434aa2351d3a4ec7834f4983051ecce9 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 21 Nov 2022 16:46:47 -0500
Subject: [PATCH 13/18] Add 'ics' tag to events generated from ICS protocol logs
---
 salt/filebeat/etc/filebeat.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
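Review bot: The 58 names appended here carry no comment saying what they are, and the last three (`stun`, `stun_nat`, `wireguard`) are not ICS/SCADA logs even though the commit message says that is what is being added. A `# ICS/SCADA logs (Zeek ICSNPP parsers)` line before `- dnp3_objects` and a `# Non-ICS protocol logs` line before `- stun` would keep the list self-explaining for the next person who has to decide where a new log belongs. Each entry presumably selects a Zeek log for Filebeat to ship to a `zeek.<name>` ingest pipeline; only the cotp, tds*, stun*, wireguard and enip pipelines are visible in this series (patches 02–10 are not in view), so confirm that every remaining name, e.g. `dnp3_objects` and the `opcua_binary_*` family, has a matching pipeline or those events will arrive unparsed. Dropping the trailing whitespace-only line and restoring the final newline is fine.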
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index f38ffd0d7..00146d5d1 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -145,6 +145,10 @@ filebeat.inputs:
 dataset: {{ LOGNAME }}
 category: network
 processors:
+ {%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*'|^profinet*'|^s7comm*') %}
+ - add_tags:
+ tags: ["ics"]
+ {%- endif %}
 - drop_fields:
 fields: ["source", "prospector", "input", "offset", "beat"]
@@ -162,6 +166,10 @@ filebeat.inputs:
 category: network
 imported: true
 processors:
+ {%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*'|^profinet*'|^s7comm*') %}
+ - add_tags:
+ tags: ["ics"]
+ {%- endif %}
 - add_tags:
 tags: ["import"]
 - dissect:
From fe180d56575c68341c5a83e6dca6a556b6f2f9ea Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 21 Nov 2022 17:02:17 -0500
Subject: [PATCH 14/18] Fix indentation
---
 salt/filebeat/etc/filebeat.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 00146d5d1..10f80beea 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -147,7 +147,7 @@ filebeat.inputs:
 processors:
 {%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*'|^profinet*'|^s7comm*') %}
 - add_tags:
- tags: ["ics"]
+ tags: ["ics"]
 {%- endif %}
 - drop_fields:
 fields: ["source", "prospector", "input", "offset", "beat"]
@@ -168,7 +168,7 @@ filebeat.inputs:
 processors:
 {%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*'|^profinet*'|^s7comm*') %}
 - add_tags:
- tags: ["ics"]
+ tags: ["ics"]
 {%- endif %}
 - add_tags:
 tags: ["import"]
From d2bc1a5523de9665145f372efa9219a116a3029d Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 22 Nov 2022 07:24:54 -0500
Subject: [PATCH 15/18] Fix syntax error for 'ics' tag logic
---
 salt/filebeat/etc/filebeat.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 10f80beea..fc9b4c44e 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -145,7 +145,7 @@ filebeat.inputs:
 dataset: {{ LOGNAME }}
 category: network
 processors:
- {%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*'|^profinet*'|^s7comm*') %}
+ {%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
 - add_tags:
 tags: ["ics"]
 {%- endif %}
@@ -166,7 +166,7 @@ filebeat.inputs:
 category: network
 imported: true
 processors:
- {%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*'|^profinet*'|^s7comm*') %}
+ {%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
 - add_tags:
 tags: ["ics"]
 {%- endif %}
From a38e312df427b89464c073a0888dfae31ee30691 Mon Sep 17 00:00:00 2001
From: Wes
Date: Tue, 22 Nov 2022 13:36:27 +0000
Subject: [PATCH 16/18] Add COTP and TDS ingest pipelines
---
 salt/elasticsearch/files/ingest/zeek.cotp | 10 ++++++++++
 salt/elasticsearch/files/ingest/zeek.tds | 9 +++++++++
 salt/elasticsearch/files/ingest/zeek.tds_rpc | 10 ++++++++++
 salt/elasticsearch/files/ingest/zeek.tds_sql_batch | 10 ++++++++++
 4 files changed, 39 insertions(+)
 create mode 100644 salt/elasticsearch/files/ingest/zeek.cotp
 create mode 100644 salt/elasticsearch/files/ingest/zeek.tds
 create mode 100644 salt/elasticsearch/files/ingest/zeek.tds_rpc
 create mode 100644 salt/elasticsearch/files/ingest/zeek.tds_sql_batch
diff --git a/salt/elasticsearch/files/ingest/zeek.cotp b/salt/elasticsearch/files/ingest/zeek.cotp
new file mode 100644
index 000000000..fb4b090cd
--- /dev/null
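Review bot: The corrected expression on the `+` line still puts `*` on the last character of every alternative (`^cip*`, `^bacnet*`, …), which means "`ci` followed by zero or more `p`", not "`cip` followed by anything"; because of the `^` anchor it behaves as a prefix test in practice, so `^cip*` would also tag any future log whose name merely starts with `ci`. Spell the prefixes out instead: `{%- if LOGNAME is match('^(bacnet|cip|cotp|dnp3|ecat|enip|modbus|opcua|profinet|s7comm)') %}`. The same condition is copied verbatim into both input blocks (file lines 145 and 166), so the quoting typo this commit fixes had to be fixed twice; a single `{%- set ICS_LOG = LOGNAME is match('…') %}` near the top of the template, tested as `{%- if ICS_LOG %}` in both places, removes that duplication. Both `filebeat.inputs` entries begin and end outside these hunks.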
+++ b/salt/elasticsearch/files/ingest/zeek.cotp
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.cotp",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.pdu_code", "target_field": "cotp.pdu.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_name", "target_field": "cotp.pdu.name", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.tds b/salt/elasticsearch/files/ingest/zeek.tds
new file mode 100644
index 000000000..f9922f52c
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.tds
@@ -0,0 +1,9 @@
+{
+ "description" : "zeek.tds",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.command", "target_field": "tds.command", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.tds_rpc b/salt/elasticsearch/files/ingest/zeek.tds_rpc
new file mode 100644
index 000000000..379a1efe5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.tds_rpc
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.tds_rpc",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.procedure_name", "target_field": "tds.procedure_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.parameters", "target_field": "tds.parameters", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
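Review bot: `cotp.pdu.code` and `cotp.pdu.name` nest `pdu` as an object, whereas patch 18 in this same series moves `enip.status.code` to the flat `enip.status_code` specifically to fix its "format" for the field mapping. If the index template for these logs declares flat underscore names, the two cotp renames should follow the same convention, `"target_field": "cotp.pdu_code"` and `"target_field": "cotp.pdu_name"`; if nesting is intended, the template needs `cotp.pdu` declared as an object so the first indexed document does not fix the dynamic mapping by accident. The template is not visible from here, so check which convention it uses before changing either side.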
diff --git a/salt/elasticsearch/files/ingest/zeek.tds_sql_batch b/salt/elasticsearch/files/ingest/zeek.tds_sql_batch
new file mode 100644
index 000000000..00174feb6
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.tds_sql_batch
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.tds_sql_batch",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.header_type", "target_field": "tds.header_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.query", "target_field": "tds.query", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
From 13faf637702f0ac1080b1df9fd682105340fef87 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 22 Nov 2022 12:07:15 -0500
Subject: [PATCH 17/18] Fix spelling for 'stun.class' field name
---
 salt/elasticsearch/files/ingest/zeek.stun | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.stun b/salt/elasticsearch/files/ingest/zeek.stun
index f5e7d1baf..48f648d74 100644
--- a/salt/elasticsearch/files/ingest/zeek.stun
+++ b/salt/elasticsearch/files/ingest/zeek.stun
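Review bot: `tds.query` receives what is presumably the full SQL batch text taken off the wire, which is valuable for detection but is unbounded and routinely carries secrets and personal data in literals (`CREATE LOGIN … WITH PASSWORD`, `INSERT` values). The pipeline itself is fine; what needs confirming is that the index template maps `tds.query` (and `tds.parameters` from the tds_rpc pipeline) as `text` or `wildcard` rather than a `keyword` whose `ignore_above` silently drops long statements, and that these two fields are listed wherever this project documents sensitive log content and retention. Neither the template nor zeek.common is visible from here, so treat this as a follow-up check rather than a defect in the hunk.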
@@ -7,7 +7,7 @@
 { "rename": { "field": "message2.is_orig", "target_field": "stun.is_orig", "ignore_missing": true } },
 { "rename": { "field": "message2.trans_id", "target_field": "stun.id", "ignore_missing": true } },
 { "rename": { "field": "message2.method", "target_field": "stun.method", "ignore_missing": true } },
- { "rename": { "field": "message2.class", "target_field": "stun.clas", "ignore_missing": true } },
+ { "rename": { "field": "message2.class", "target_field": "stun.class", "ignore_missing": true } },
 { "rename": { "field": "message2.attr_types", "target_field": "stun.attribute.types", "ignore_missing": true } },
 { "rename": { "field": "message2.attr_vals", "target_field": "stun.attribute.values", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
From 6b77843e524717d91af916b032d504741fc51e1c Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 22 Nov 2022 12:07:55 -0500
Subject: [PATCH 18/18] Fix format/speliing for 'enip.status_code' field name
---
 salt/elasticsearch/files/ingest/zeek.enip | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.enip b/salt/elasticsearch/files/ingest/zeek.enip
index 456eb99d7..de4d2a989 100644
--- a/salt/elasticsearch/files/ingest/zeek.enip
+++ b/salt/elasticsearch/files/ingest/zeek.enip
@@ -8,7 +8,7 @@
 { "rename": { "field": "message2.enip_command", "target_field": "enip.command", "ignore_missing": true } },
 { "rename": { "field": "message2.length", "target_field": "enip.length", "ignore_missing": true } },
 { "rename": { "field": "message2.session_handle", "target_field": "enip.session.handle", "ignore_missing": true } },
- { "rename": { "field": "message2.enip_status", "target_field": "enip.status.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.enip_status", "target_field": "enip.status_code", "ignore_missing": true } },
 { "rename": { "field": "message2.sender_context", "target_field": "enip.sender.context", "ignore_missing": true } },
 { "rename": { "field": "message2.options", "target_field": "enip.options", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }