CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'remotes/origin/2.4/dev' into dockerips

Browse Source
This commit is contained in:
m0duspwnens
2022-11-22 14:17:19 -05:00
parent b05839bb93 f9cc7888f4
commit b95a83b016
71 changed files with 963 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@@ -1,6 +1,6 @@
## Security Onion 2.4.0 ## Security Onion 2.4
Security Onion 2.4.0 is here! Security Onion 2.4 is here!
## Screenshots ## Screenshots

4
salt/allowed_states.map.jinja
View File

@@ -37,6 +37,7 @@
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet', 'elastic-fleet',
'elastic-fleet-package-registry',
'firewall', 'firewall',
'idstools', 'idstools',
'suricata.manager', 'suricata.manager',
@@ -120,6 +121,7 @@
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet', 'elastic-fleet',
'elastic-fleet-package-registry',
'firewall', 'firewall',
'idstools', 'idstools',
'suricata.manager', 'suricata.manager',
@@ -140,6 +142,7 @@
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet', 'elastic-fleet',
'elastic-fleet-package-registry',
'firewall', 'firewall',
'manager', 'manager',
'idstools', 'idstools',
@@ -170,6 +173,7 @@
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet', 'elastic-fleet',
'elastic-fleet-package-registry',
'firewall', 'firewall',
'idstools', 'idstools',
'suricata.manager', 'suricata.manager',

1
salt/common/tools/sbin/so-image-common
View File

@@ -42,6 +42,7 @@ container_list() {
"so-elastalert" "so-elastalert"
"so-elastic-agent" "so-elastic-agent"
"so-elastic-agent-builder" "so-elastic-agent-builder"
"so-elastic-fleet-package-registry"
"so-elasticsearch" "so-elasticsearch"
"so-filebeat" "so-filebeat"
"so-grafana" "so-grafana"

46
salt/elastic-fleet-package-registry/init.sls Normal file
View File

@@ -0,0 +1,46 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
# Add Group
elasticsagentprgroup:
group.present:
- name: elastic-agent-pr
- gid: 948
# Add user
elastic-agent-pr:
user.present:
- uid: 948
- gid: 948
- home: /opt/so/conf/elastic-fleet-pr
- createhome: False
so-elastic-fleet-package-registry:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-fleet-package-registry:{{ GLOBALS.so_version }}
- name: so-elastic-fleet-package-registry
- hostname: Fleet-package-reg-{{ GLOBALS.hostname }}
- detach: True
- user: 948
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- port_bindings:
- 0.0.0.0:8080:8080
append_so-elastic-fleet-package-registry_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-elastic-fleet-package-registry
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

14
salt/elasticsearch/files/ingest/zeek.bacnet Normal file
View File

@@ -0,0 +1,14 @@
{
"description" : "zeek.bacnet",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
{ "rename": { "field": "message2.bvlc_function", "target_field": "bacnet.bclv.function", "ignore_missing": true } },
{ "rename": { "field": "message2.pdu_type", "target_field": "bacnet.pdu.type", "ignore_missing": true } },
{ "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
{ "rename": { "field": "message2.invoke_id", "target_field": "bacnet.invoke.id", "ignore_missing": true } },
{ "rename": { "field": "message2.result_code", "target_field": "bacnet.result.code", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

16
salt/elasticsearch/files/ingest/zeek.bacnet_discovery Normal file
View File

@@ -0,0 +1,16 @@
{
"description" : "zeek.bacnet_discovery",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
{ "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
{ "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
{ "rename": { "field": "message2.object_type", "target_field": "bacnet.object.type", "ignore_missing": true } },
{ "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
{ "rename": { "field": "message2.vendor", "target_field": "bacnet.vendor", "ignore_missing": true } },
{ "rename": { "field": "message2.range", "target_field": "bacnet.range", "ignore_missing": true } },
{ "rename": { "field": "message2.object_name", "target_field": "bacnet.object.name", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

16
salt/elasticsearch/files/ingest/zeek.bacnet_property Normal file
View File

@@ -0,0 +1,16 @@
{
"description" : "zeek.bacnet_property",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
{ "rename": { "field": "message2.instance_number", "target_field": "bacnet.instance.number", "ignore_missing": true } },
{ "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
{ "rename": { "field": "message2.object_type", "target_field": "bacnet.object.type", "ignore_missing": true } },
{ "rename": { "field": "message2.property", "target_field": "bacnet.property", "ignore_missing": true } },
{ "rename": { "field": "message2.array_index", "target_field": "bacnet.array.index", "ignore_missing": true } },
{ "rename": { "field": "message2.value", "target_field": "bacnet.value", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.bsap_ip_header Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.bsap_ip_header",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.num_msg", "target_field": "bsap.number.messages", "ignore_missing": true } },
{ "rename": { "field": "message2.type_name", "target_field": "bsap.message.type", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

20
salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb Normal file
View File

@@ -0,0 +1,20 @@
{
"description" : "zeek.bsap_ip_rdb",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.header_size", "target_field": "bsap.header.legnth", "ignore_missing": true } },
{ "rename": { "field": "message2.mes_seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
{ "rename": { "field": "message2.res_seq", "target_field": "bsap.response.sequence", "ignore_missing": true } },
{ "rename": { "field": "message2.data_len", "target_field": "bsap.data.lenght", "ignore_missing": true } },
{ "rename": { "field": "message2.sequence", "target_field": "bsap.function.sequence", "ignore_missing": true } },
{ "rename": { "field": "message2.app_func_code", "target_field": "bsap.application.function", "ignore_missing": true } },
{ "rename": { "field": "message2.node_status", "target_field": "bsap.node.status", "ignore_missing": true } },
{ "rename": { "field": "message2.func_code", "target_field": "bsap.application.sub.function", "ignore_missing": true } },
{ "rename": { "field": "message2.variable_count", "target_field": "bsap.variable.count", "ignore_missing": true } },
{ "rename": { "field": "message2.variables", "target_field": "bsap.vector.variables", "ignore_missing": true } },
{ "rename": { "field": "message2.variable_value", "target_field": "bsap.vector.variable.value", "ignore_missing": true } },
{ "rename": { "field": "message2.value", "target_field": "bacnet.value", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

9
salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown Normal file
View File

@@ -0,0 +1,9 @@
{
"description" : "zeek.bsap_ip_unknown",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.data", "target_field": "bsap.ip.unknown.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

17
salt/elasticsearch/files/ingest/zeek.bsap_serial_header Normal file
View File

@@ -0,0 +1,17 @@
{
"description" : "zeek.bsap_serial_header",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.ser", "target_field": "bsap.message.serial.number", "ignore_missing": true } },
{ "rename": { "field": "message2.dadd", "target_field": "bsap.destination.address", "ignore_missing": true } },
{ "rename": { "field": "message2.sadd", "target_field": "bsap.source.address", "ignore_missing": true } },
{ "rename": { "field": "message2.ctl", "target_field": "bsap.control.byte", "ignore_missing": true } },
{ "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
{ "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
{ "rename": { "field": "message2.sfun", "target_field": "bsap.source.function", "ignore_missing": true } },
{ "rename": { "field": "message2.nsb", "target_field": "bsap.node.status.byte", "ignore_missing": true } },
{ "rename": { "field": "message2.type_name", "target_field": "bsap.message.type", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

11
salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb Normal file
View File

@@ -0,0 +1,11 @@
{
"description" : "zeek.bsap_serial_rdb",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.func_code", "target_field": "bsap.rdb.function", "ignore_missing": true } },
{ "rename": { "field": "message2.variables", "target_field": "bsap.vector.variables", "ignore_missing": true } },
{ "rename": { "field": "message2.variable_value", "target_field": "bsap.vector.value", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

13
salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext Normal file
View File

@@ -0,0 +1,13 @@
{
"description" : "zeek.bsap_serial_rdb_ext",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
{ "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
{ "rename": { "field": "message2.nsb", "target_field": "bsap.node.status.byte", "ignore_missing": true } },
{ "rename": { "field": "message2.extfun", "target_field": "bsap.extenstion.function", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "bsap.extenstion.function.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

9
salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown Normal file
View File

@@ -0,0 +1,9 @@
{
"description" : "zeek.bsap_serial_unknown",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.data", "target_field": "bsap.serial.unknown.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

19
salt/elasticsearch/files/ingest/zeek.cip Normal file
View File

@@ -0,0 +1,19 @@
{
"description" : "zeek.cip",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "cip.is.origin", "ignore_missing": true } },
{ "rename": { "field": "message2.cip_sequence_count", "target_field": "cip.sequence_count", "ignore_missing": true } },
{ "rename": { "field": "message2.direction", "target_field": "cip.direction", "ignore_missing": true } },
{ "rename": { "field": "message2.cip_service_code", "target_field": "cip.service_code", "ignore_missing": true } },
{ "rename": { "field": "message2.cip_service", "target_field": "cip.service", "ignore_missing": true } },
{ "convert": { "field": "cip.service", "type": "string", "ignore_missing": true } },
{ "rename": { "field": "message2.cip_status", "target_field": "cip.status_code", "ignore_missing": true } },
{ "rename": { "field": "message2.class_id", "target_field": "cip.request.path.class.id", "ignore_missing": true } },
{ "rename": { "field": "message2.class_name", "target_field": "cip.request.path.class.name", "ignore_missing": true } },
{ "rename": { "field": "message2.instance_id", "target_field": "cip.request.path.instance.id", "ignore_missing": true } },
{ "rename": { "field": "message2.attribute_id", "target_field": "cip.request.path.attribute.id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

21
salt/elasticsearch/files/ingest/zeek.cip_identity Normal file
View File

@@ -0,0 +1,21 @@
{
"description" : "zeek.cip_identity",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.encapsulation_version", "target_field": "cip.encapsulation.version", "ignore_missing": true } },
{ "rename": { "field": "message2.socket_address", "target_field": "cip.socket.address", "ignore_missing": true } },
{ "rename": { "field": "message2.socket_port", "target_field": "cip.socket.port", "ignore_missing": true } },
{ "rename": { "field": "message2.vendor_id", "target_field": "cip.vendor.id", "ignore_missing": true } },
{ "rename": { "field": "message2.vendor_name", "target_field": "cip.vendor.name", "ignore_missing": true } },
{ "rename": { "field": "message2.device_type_id", "target_field": "cip.device.type.id", "ignore_missing": true } },
{ "rename": { "field": "message2.device_type_name", "target_field": "cip.device.type.name", "ignore_missing": true } },
{ "rename": { "field": "message2.product_code", "target_field": "cip.device.product.code", "ignore_missing": true } },
{ "rename": { "field": "message2.revision", "target_field": "cip.device.revision", "ignore_missing": true } },
{ "rename": { "field": "message2.device_status", "target_field": "cip.device.status", "ignore_missing": true } },
{ "rename": { "field": "message2.serial_number", "target_field": "cip.device.serial.number", "ignore_missing": true } },
{ "rename": { "field": "message2.product_name", "target_field": "cip.device.product.name", "ignore_missing": true } },
{ "rename": { "field": "message2.device_state", "target_field": "cip.device.state", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

13
salt/elasticsearch/files/ingest/zeek.cip_io Normal file
View File

@@ -0,0 +1,13 @@
{
"description" : "zeek.cip_io",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "cip.is.origin", "ignore_missing": true } },
{ "rename": { "field": "message2.connection_id", "target_field": "cip.connection.id", "ignore_missing": true } },
{ "rename": { "field": "message2.sequence_number", "target_field": "cip.sequence.count", "ignore_missing": true } },
{ "rename": { "field": "message2.data_length", "target_field": "cip.data.length", "ignore_missing": true } },
{ "rename": { "field": "message2.io_data", "target_field": "cip.io.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

1
salt/elasticsearch/files/ingest/zeek.conn
View File

@@ -17,6 +17,7 @@
{ "rename": { "field": "message2.orig_ip_bytes", "target_field": "client.ip_bytes", "ignore_missing": true } }, { "rename": { "field": "message2.orig_ip_bytes", "target_field": "client.ip_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_pkts", "target_field": "server.packets", "ignore_missing": true } }, { "rename": { "field": "message2.resp_pkts", "target_field": "server.packets", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_ip_bytes", "target_field": "server.ip_bytes", "ignore_missing": true } }, { "rename": { "field": "message2.resp_ip_bytes", "target_field": "server.ip_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_mac_oui", "target_field": "client.oui", "ignore_missing": true } },
{ "rename": { "field": "message2.tunnel_parents", "target_field": "log.id.tunnel_parents", "ignore_missing": true } }, { "rename": { "field": "message2.tunnel_parents", "target_field": "log.id.tunnel_parents", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_cc", "target_field": "client.country_code","ignore_missing": true } }, { "rename": { "field": "message2.orig_cc", "target_field": "client.country_code","ignore_missing": true } },
{ "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } }, { "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } },

10
salt/elasticsearch/files/ingest/zeek.cotp Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.cotp",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.pdu_code", "target_field": "cotp.pdu.code", "ignore_missing": true } },
{ "rename": { "field": "message2.pdu_name", "target_field": "cotp.pdu.name", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

13
salt/elasticsearch/files/ingest/zeek.dnp3_objects Normal file
View File

@@ -0,0 +1,13 @@
{
"description" : "zeek.dnp3_objects",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.function_code", "target_field": "dnp3.function_code", "ignore_missing": true } },
{ "rename": { "field": "message2.object_type", "target_field": "dnp3.object_type", "ignore_missing": true } },
{ "rename": { "field": "message2.object_count", "target_field": "dnp3.object_count", "ignore_missing": true } },
{ "rename": { "field": "message2.range_low", "target_field": "dnp3.range_low", "ignore_missing": true } },
{ "rename": { "field": "message2.range_high", "target_field": "dnp3.range_high", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

17
salt/elasticsearch/files/ingest/zeek.ecat_aoe_info Normal file
View File

@@ -0,0 +1,17 @@
{
"description" : "zeek.ecat_aoe_info",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.targetid", "target_field": "destination.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.targetport", "target_field": "destination.port", "ignore_missing": true } },
{ "convert": { "field": "destination.port", "type": "integer", "ignore_missing": true } },
{ "rename": { "field": "message2.senderid", "target_field": "source.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.senderport", "target_field": "source.port", "ignore_missing": true } },
{ "convert": { "field": "source.port", "type": "integer", "ignore_missing": true } },
{ "rename": { "field": "message2.cmd", "target_field": "ecat.command", "ignore_missing": true } },
{ "rename": { "field": "message2.stateflags", "target_field": "ecat.state.flags", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

15
salt/elasticsearch/files/ingest/zeek.ecat_arp_info Normal file
View File

@@ -0,0 +1,15 @@
{
"description" : "zeek.ecat_arp_info",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.arp_type", "target_field": "ecat.arp.type", "ignore_missing": true } },
{ "rename": { "field": "message2.mac_src", "target_field": "source.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.mac_dst", "target_field": "destination.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.SPA", "target_field": "source.ip", "ignore_missing": true } },
{ "rename": { "field": "message2.SHA", "target_field": "ecat.sender.hardware.address", "ignore_missing": true } },
{ "rename": { "field": "message2.TPA", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "message2.THA", "target_field": "ecat.target.hardware.address", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

14
salt/elasticsearch/files/ingest/zeek.ecat_coe_info Normal file
View File

@@ -0,0 +1,14 @@
{
"description" : "zeek.ecat_coe_info",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.number", "target_field": "ecat.message.number", "ignore_missing": true } },
{ "rename": { "field": "message2.Type", "target_field": "ecat.message.type", "ignore_missing": true } },
{ "rename": { "field": "message2.req_resp", "target_field": "ecat.request.response.type", "ignore_missing": true } },
{ "rename": { "field": "message2.index", "target_field": "ecat.index", "ignore_missing": true } },
{ "rename": { "field": "message2.subindex", "target_field": "ecat.sub.index", "ignore_missing": true } },
{ "rename": { "field": "message2.dataoffset", "target_field": "ecat.data_offset", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

18
salt/elasticsearch/files/ingest/zeek.ecat_dev_info Normal file
View File

@@ -0,0 +1,18 @@
{
"description" : "zeek.ecat_dev_info",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.slave_id", "target_field": "ecat.slave.address", "ignore_missing": true } },
{ "rename": { "field": "message2.revision", "target_field": "ecat.revision", "ignore_missing": true } },
{ "rename": { "field": "message2.dev_type", "target_field": "ecat.device.type", "ignore_missing": true } },
{ "rename": { "field": "message2.build", "target_field": "ecat.build.version", "ignore_missing": true } },
{ "rename": { "field": "message2.fmmucnt", "target_field": "ecat.fieldbus.mem.mgmt.unit", "ignore_missing": true } },
{ "rename": { "field": "message2.smcount", "target_field": "ecat.sync.manager.count", "ignore_missing": true } },
{ "rename": { "field": "message2.ports", "target_field": "ecat.port", "ignore_missing": true } },
{ "convert": { "field": "ecat.port", "type": "integer", "ignore_missing": true } },
{ "rename": { "field": "message2.dpram", "target_field": "ecat.ram.size", "ignore_missing": true } },
{ "rename": { "field": "message2.features", "target_field": "ecat.features", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

14
salt/elasticsearch/files/ingest/zeek.ecat_foe_info Normal file
View File

@@ -0,0 +1,14 @@
{
"description" : "zeek.ecat_foe_info",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } },
{ "rename": { "field": "message2.reserved", "target_field": "ecat.reserved", "ignore_missing": true } },
{ "rename": { "field": "message2.packet_num", "target_field": "ecat.packet.number", "ignore_missing": true } },
{ "rename": { "field": "message2.error_code", "target_field": "ecat.error.code", "ignore_missing": true } },
{ "rename": { "field": "message2.filename", "target_field": "ecat.filename", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

14
salt/elasticsearch/files/ingest/zeek.ecat_log_address Normal file
View File

@@ -0,0 +1,14 @@
{
"description" : "zeek.ecat_log_address",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.srcmac", "target_field": "source.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.dstmac", "target_field": "destination.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.Log_Addr", "target_field": "ecat.log.address", "ignore_missing": true } },
{ "rename": { "field": "message2.Length", "target_field": "ecat.length", "ignore_missing": true } },
{ "rename": { "field": "message2.Command", "target_field": "ecat.command", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

15
salt/elasticsearch/files/ingest/zeek.ecat_registers Normal file
View File

@@ -0,0 +1,15 @@
{
"description" : "zeek.ecat_registers",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.srcmac", "target_field": "source.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.dstmac", "target_field": "destination.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.Command", "target_field": "ecat.command", "ignore_missing": true } },
{ "rename": { "field": "message2.Slave_Addr", "target_field": "ecat.slave.address", "ignore_missing": true } },
{ "rename": { "field": "message2.Register_Type", "target_field": "ecat.register.type", "ignore_missing": true } },
{ "rename": { "field": "message2.Register_Addr", "target_field": "ecat.register.address", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

14
salt/elasticsearch/files/ingest/zeek.ecat_soe_info Normal file
View File

@@ -0,0 +1,14 @@
{
"description" : "zeek.ecat_soe_info",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } },
{ "rename": { "field": "message2.incomplete", "target_field": "ecat.function.check", "ignore_missing": true } },
{ "rename": { "field": "message2.error", "target_field": "ecat.error", "ignore_missing": true } },
{ "rename": { "field": "message2.drive_num", "target_field": "ecat.drive.number", "ignore_missing": true } },
{ "rename": { "field": "message2.element_flags", "target_field": "ecat.element.flags", "ignore_missing": true } },
{ "rename": { "field": "message2.index", "target_field": "ecat.index", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

16
salt/elasticsearch/files/ingest/zeek.enip Normal file
View File

@@ -0,0 +1,16 @@
{
"description" : "zeek.enip",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "enip.is.origin", "ignore_missing": true } },
{ "rename": { "field": "message2.enip_command_code", "target_field": "enip.command_code", "ignore_missing": true } },
{ "rename": { "field": "message2.enip_command", "target_field": "enip.command", "ignore_missing": true } },
{ "rename": { "field": "message2.length", "target_field": "enip.length", "ignore_missing": true } },
{ "rename": { "field": "message2.session_handle", "target_field": "enip.session.handle", "ignore_missing": true } },
{ "rename": { "field": "message2.enip_status", "target_field": "enip.status_code", "ignore_missing": true } },
{ "rename": { "field": "message2.sender_context", "target_field": "enip.sender.context", "ignore_missing": true } },
{ "rename": { "field": "message2.options", "target_field": "enip.options", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

14
salt/elasticsearch/files/ingest/zeek.modbus_detailed Normal file
View File

@@ -0,0 +1,14 @@
{
"description" : "zeek.modbus_detailed",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
{ "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
{ "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
{ "rename": { "field": "message2.address", "target_field": "modbus.address", "ignore_missing": true } },
{ "rename": { "field": "message2.quality", "target_field": "modbus.quality", "ignore_missing": true } },
{ "rename": { "field": "message2.values", "target_field": "modbus.values", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

14
salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register Normal file
View File

@@ -0,0 +1,14 @@
{
"description" : "zeek.modbus_mask_write_register",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
{ "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
{ "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
{ "rename": { "field": "message2.address", "target_field": "modbus.address", "ignore_missing": true } },
{ "rename": { "field": "message2.and_mask", "target_field": "modbus.and.mask", "ignore_missing": true } },
{ "rename": { "field": "message2.or_mask", "target_field": "modbus.or.maks", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

16
salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers Normal file
View File

@@ -0,0 +1,16 @@
{
"description" : "zeek.read_write_multiple_registers",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.unit_id", "target_field": "modbus.unit.id", "ignore_missing": true } },
{ "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
{ "rename": { "field": "message2.network_direction", "target_field": "modbus.network.direction", "ignore_missing": true } },
{ "rename": { "field": "message2.write_start_address", "target_field": "modbus.write.start.address", "ignore_missing": true } },
{ "rename": { "field": "message2.write_registers", "target_field": "modbus.write.registers", "ignore_missing": true } },
{ "rename": { "field": "message2.read_start_address", "target_field": "modbus.write.start.address", "ignore_missing": true } },
{ "rename": { "field": "message2.read.quality", "target_field": "modbus.read.quality", "ignore_missing": true } },
{ "rename": { "field": "message2.read_registers", "target_field": "modbus.read.registers", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

30
salt/elasticsearch/files/ingest/zeek.opcua Normal file
View File

@@ -0,0 +1,30 @@
{
"description" : "zeek.opcua",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.msg_type", "target_field": "opcua.message_type", "ignore_missing": true } },
{ "rename": { "field": "message2.is_final", "target_field": "opcua.final", "ignore_missing": true } },
{ "rename": { "field": "message2.msg_size", "target_field": "opcua.message_size", "ignore_missing": true } },
{ "rename": { "field": "message2.snd_buf_size", "target_field": "opcua.sender.buffer_size", "ignore_missing": true } },
{ "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
{ "rename": { "field": "message2.sec_channel_id", "target_field": "opcua.secure_channel.id", "ignore_missing": true } },
{ "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.request_id", "target_field": "opcua.request_id", "ignore_missing": true } },
{ "rename": { "field": "message2.namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.identifier", "target_field": "opcua.identifier", "ignore_missing": true } },
{ "rename": { "field": "message2.identifier_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_node_id_type", "target_field": "opcua.request.header.node.id_type", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_node_id_numeric", "target_field": "opcua.request.header.node.id_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_timestamp", "target_field": "opcua.request.header.timestamp", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_request_handle", "target_field": "opcua.request.handle", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_return_diag", "target_field": "opcua.request.header.return_diag", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_audit_entry_id", "target_field": "opcua.request.header.audit_entry_id", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_timeout_hint", "target_field": "opcua.request.header.timeout_hint", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_add_hdr_type_id", "target_field": "opcua.request.header.type_id", "ignore_missing": true } },
{ "rename": { "field": "message2.req_hdr_add_hdr_enc_mask", "target_field": "opcua.request.header.enc_mask", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

18
salt/elasticsearch/files/ingest/zeek.opcua_activate_session Normal file
View File

@@ -0,0 +1,18 @@
{
"description" : "zeek.opcua.activate_session",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_type_id_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_type_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_type_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_type_id_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_encoding", "target_field": "opcua.encoding", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_policy_id", "target_field": "opcua.policy_id", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_user_name", "target_field": "opcua.user_name", "ignore_missing": true } },
{ "rename": { "field": "message2.ext_obj_password", "target_field": "opcua.password", "ignore_missing": true } },
{ "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

16
salt/elasticsearch/files/ingest/zeek.opcua_browse Normal file
View File

@@ -0,0 +1,16 @@
{
"description" : "zeek.opcua.browse",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.description.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

16
salt/elasticsearch/files/ingest/zeek.opcua_browse_description Normal file
View File

@@ -0,0 +1,16 @@
{
"description" : "zeek.opcua.browse_description",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "browse_description_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "browse_description_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
{ "rename": { "field": "browse_direction", "target_field": "opcua.direction", "ignore_missing": true } },
{ "rename": { "field": "browse_description_ref_encoding_mask", "target_field": "opcua.description.ref_encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "browse_description_ref_numeric", "target_field": "opcua.description.ref_numeric", "ignore_missing": true } },
{ "rename": { "field": "browse_description_include_subtypes", "target_field": "opcua.description.include_subtypes", "ignore_missing": true } },
{ "rename": { "field": "browse_node_class_mask", "target_field": "opcua.node.class_mask", "ignore_missing": true } },
{ "rename": { "field": "browse_result_mask", "target_field": "opcua.result.mask", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

22
salt/elasticsearch/files/ingest/zeek.opcua_browse_response_references Normal file
View File

@@ -0,0 +1,22 @@
{
"description" : "zeek.opcua_browse_response_references",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.browse_reference_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_ref_encoding_mask", "target_field": "opcua.reference_encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_ref_numeric", "target_field": "opcua.reference_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_is_forward", "target_field": "opcua.is_forward", "ignore_missing": true } },
{ "rename": { "field": "message2.response_ref_type_encoding_mask", "target_field": "opcua.reference_type_encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_ref_type_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_ref_type_numeric", "target_field": "opcua.reference_type_numeric", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_ref_name", "target_field": "opcua.reference_name", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_display_name_mask", "target_field": "opcua.display_name_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_display_name_locale", "target_field": "opcua.display_name_local", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_display_name_text", "target_field": "opcua.display_name_text", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_node_class", "target_field": "opcua.node_class", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_type_def_encoding_mask", "target_field": "opcua.type_def_encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_response_type_def_numeric", "target_field": "opcua.type_def_numeric", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

11
salt/elasticsearch/files/ingest/zeek.opcua_browse_result Normal file
View File

@@ -0,0 +1,11 @@
{
"description" : "zeek.opcua_browse_result",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.browse_response_link_id", "target_field": "opcua.response.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.browse_reference.link_id", "target_field": "opcua.reference.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.status_code.link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

19
salt/elasticsearch/files/ingest/zeek.opcua_create_session Normal file
View File

@@ -0,0 +1,19 @@
{
"description" : "zeek.opcua_create_session",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.session_id_encoding_mask", "target_field": "opcua.session_id.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.session_id_namespace_idx", "target_field": "opcua.session_id.namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.session_id_guid", "target_field": "opcua.session_id.guid", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_token_encoding_mask", "target_field": "opcua.auth_token.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_token_namespace_idx", "target_field": "opcua.auth_token.namespace_index", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_token_guid", "target_field": "opcua.auth_token.guid", "ignore_missing": true } },
{ "rename": { "field": "message2.revised_session_timeout", "target_field": "opcua.revised_session_timeout", "ignore_missing": true } },
{ "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
{ "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.max_req_msg_size", "target_field": "opcua.request.max_message_size", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

21
salt/elasticsearch/files/ingest/zeek.opcua_create_session_endpoints Normal file
View File

@@ -0,0 +1,21 @@
{
"description" : "zeek.opcua",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
{ "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
{ "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
{ "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
{ "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
{ "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

11
salt/elasticsearch/files/ingest/zeek.opcua_create_session_user_token Normal file
View File

@@ -0,0 +1,11 @@
{
"description" : "zeek.opcua_create_session_user_token",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.policy_id", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.type", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

15
salt/elasticsearch/files/ingest/zeek.opcua_create_subscription Normal file
View File

@@ -0,0 +1,15 @@
{
"description" : "zeek.opcua_create_subscription",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.requested_publishing_interval", "target_field": "opcua.publish_interval", "ignore_missing": true } },
{ "rename": { "field": "message2.requested_lifetime_count", "target_field": "opcua.lifetime_count", "ignore_missing": true } },
{ "rename": { "field": "message2.requested_max_keep_alive_count", "target_field": "opcua.max_keepalive", "ignore_missing": true } },
{ "rename": { "field": "message2.max_notifications_per_publish", "target_field": "opcua.max_notifications", "ignore_missing": true } },
{ "rename": { "field": "message2.publishing_enabled", "target_field": "opcua.publish_enabled", "ignore_missing": true } },
{ "rename": { "field": "message2.priority", "target_field": "opcua.priority", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.opcua_get_endpoints",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

21
salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_description Normal file
View File

@@ -0,0 +1,21 @@
{
"description" : "zeek.opcua_get_endpoints_description",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
{ "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
{ "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
{ "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
{ "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.transport_profile_uri", "target_field": "transport_profile_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

11
salt/elasticsearch/files/ingest/zeek.opcua_get_endpoints_user_token Normal file
View File

@@ -0,0 +1,11 @@
{
"description" : "zeek.opcua_get_endpoints_user_token",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_type", "target_field": "opcua.user_token.type", "ignore_missing": true } },
{ "rename": { "field": "message2.user_token_sec_policy_uri", "target_field": "opcua.user_token.security_policy_uri", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

15
salt/elasticsearch/files/ingest/zeek.opcua_opensecure_channel Normal file
View File

@@ -0,0 +1,15 @@
{
"description" : "zeek.opcua_opensecure_channel",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server.protocol.version", "ignore_missing": true } },
{ "rename": { "field": "message2.sec_token_sec_channel_id", "target_field": "opcua.security_token.security_channel_id", "ignore_missing": true } },
{ "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.id", "ignore_missing": true } },
{ "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.created", "ignore_missing": true } },
{ "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.revised", "ignore_missing": true } },
{ "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server.nonce", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.opcua_read Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.opcua_read",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results.link_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

16
salt/elasticsearch/files/ingest/zeek.opcua_read_nodes_to_read Normal file
View File

@@ -0,0 +1,16 @@
{
"description" : "zeek.opcua_read_nodes_to_read",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.nodes_to_read_link_id", "target_field": "opcua.nodes_to_read.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.node_id_encoding_mask", "target_field": "opcua.node_id.encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.node_id_namespace_idx", "target_field": "opcua.node_id.namespace_idx", "ignore_missing": true } },
{ "rename": { "field": "message2.node_id_string", "target_field": "opcua.node_id.string", "ignore_missing": true } },
{ "rename": { "field": "message2.attribute_id", "target_field": "opcua.attribute_id", "ignore_missing": true } },
{ "rename": { "field": "message2.attribute_id_str", "target_field": "opcua.attribute_id_str", "ignore_missing": true } },
{ "rename": { "field": "message2.data_encoding_name_idx", "target_field": "opcua.encoding_name_idx", "ignore_missing": true } },
{ "rename": { "field": "message2.data_encoding_name", "target_field": "opcua.encoding_name", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

12
salt/elasticsearch/files/ingest/zeek.opcua_read_results Normal file
View File

@@ -0,0 +1,12 @@
{
"description" : "zeek.opcua_read_results",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.results_link_id", "target_field": "opcua.results.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.level", "target_field": "opcua.level", "ignore_missing": true } },
{ "rename": { "field": "message2.data_value_encoding_mask", "target_field": "opcua.data_value_encoding_mask", "ignore_missing": true } },
{ "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.opcua_read_results_link Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.opcua_read_results_link",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.results_link_id", "target_field": "opcua.results.link_id", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

21
salt/elasticsearch/files/ingest/zeek.opcua_status_code_detail Normal file
View File

@@ -0,0 +1,21 @@
{
"description" : "zeek.opcua_stats_code_detail",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
{ "rename": { "field": "message2.source", "target_field": "opcua.source", "ignore_missing": true } },
{ "rename": { "field": "message2.source_str", "target_field": "opcua.source_string", "ignore_missing": true } },
{ "rename": { "field": "message2.source_level", "target_field": "opcua.source_level", "ignore_missing": true } },
{ "rename": { "field": "message2.status_code", "target_field": "opcua.status_code", "ignore_missing": true } },
{ "rename": { "field": "message2.severity", "target_field": "opcua.severity", "ignore_missing": true } },
{ "rename": { "field": "message2.severity_str", "target_field": "opcua.severity_string", "ignore_missing": true } },
{ "rename": { "field": "message2.sub_code", "target_field": "opcua.sub_code", "ignore_missing": true } },
{ "rename": { "field": "message2.sub_code_str", "target_field": "opcua.sub_code_string", "ignore_missing": true } },
{ "rename": { "field": "message2.structure_changed", "target_field": "opcua.structure_changed", "ignore_missing": true } },
{ "rename": { "field": "message2.semantics_changed", "target_field": "opcua.semantics_changed", "ignore_missing": true } },
{ "rename": { "field": "message2.info_type", "target_field": "opcua.info_type", "ignore_missing": true } },
{ "rename": { "field": "message2.info_type_str", "target_field": "opcua.info_type_string", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

13
salt/elasticsearch/files/ingest/zeek.profinet Normal file
View File

@@ -0,0 +1,13 @@
{
"description" : "zeek.profinet",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.operation_type", "target_field": "profinet.operation_type", "ignore_missing": true } },
{ "rename": { "field": "message2.block_version", "target_field": "profinet.block_version", "ignore_missing": true } },
{ "rename": { "field": "message2.slot_number", "target_field": "profinet.slot_number", "ignore_missing": true } },
{ "rename": { "field": "message2.subslot_number", "target_field": "profinet.subslot_number", "ignore_missing": true } },
{ "rename": { "field": "message2.index", "target_field": "profinet.index", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

15
salt/elasticsearch/files/ingest/zeek.profinet_dce_rpc Normal file
View File

@@ -0,0 +1,15 @@
{
"description" : "zeek.profinet_dce_rpc",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.version", "target_field": "profinet.version", "ignore_missing": true } },
{ "rename": { "field": "message2.packet_type", "target_field": "profinet.packet_type", "ignore_missing": true } },
{ "rename": { "field": "message2.object_uuid", "target_field": "profinet.object_uuid", "ignore_missing": true } },
{ "rename": { "field": "message2.interface_uuid", "target_field": "profinet.interface_uuid", "ignore_missing": true } },
{ "rename": { "field": "message2.activity_uuid", "target_field": "profinet.activity_uuid", "ignore_missing": true } },
{ "rename": { "field": "message2.server_boot_time", "target_field": "profinet.server.boot_time", "ignore_missing": true } },
{ "rename": { "field": "message2.operation", "target_field": "profinet.operation", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

15
salt/elasticsearch/files/ingest/zeek.s7comm Normal file
View File

@@ -0,0 +1,15 @@
{
"description" : "zeek.s7comm",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.rosctr_code", "target_field": "s7.ros.control.code", "ignore_missing": true } },
{ "rename": { "field": "message2.rosctr_name", "target_field": "s7.ros.control.name", "ignore_missing": true } },
{ "rename": { "field": "message2.pdu_reference", "target_field": "s7.pdu_reference", "ignore_missing": true } },
{ "rename": { "field": "message2.function_code", "target_field": "s7.function.code", "ignore_missing": true } },
{ "rename": { "field": "message2.function_name", "target_field": "s7.function.name", "ignore_missing": true } },
{ "rename": { "field": "message2.error_class", "target_field": "s7.error.class", "ignore_missing": true } },
{ "rename": { "field": "message2.error_code", "target_field": "s7.error.code", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

11
salt/elasticsearch/files/ingest/zeek.s7comm_plus Normal file
View File

@@ -0,0 +1,11 @@
{
"description" : "zeek.s7comm_plus",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.version", "target_field": "s7.version", "ignore_missing": true } },
{ "rename": { "field": "message2.opcode", "target_field": "s7.opcode.value", "ignore_missing": true } },
{ "rename": { "field": "message2.opcode_name", "target_field": "s7.opcode.name", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

15
salt/elasticsearch/files/ingest/zeek.stun Normal file
View File

@@ -0,0 +1,15 @@
{
"description" : "zeek.stun",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "stun.is_orig", "ignore_missing": true } },
{ "rename": { "field": "message2.trans_id", "target_field": "stun.id", "ignore_missing": true } },
{ "rename": { "field": "message2.method", "target_field": "stun.method", "ignore_missing": true } },
{ "rename": { "field": "message2.class", "target_field": "stun.class", "ignore_missing": true } },
{ "rename": { "field": "message2.attr_types", "target_field": "stun.attribute.types", "ignore_missing": true } },
{ "rename": { "field": "message2.attr_vals", "target_field": "stun.attribute.values", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

13
salt/elasticsearch/files/ingest/zeek.stun_nat Normal file
View File

@@ -0,0 +1,13 @@
{
"description" : "zeek.stun_nat",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "stun.is_orig", "ignore_missing": true } },
{ "rename": { "field": "message2.wan_addrs", "target_field": "stun.wan.addresses", "ignore_missing": true } },
{ "rename": { "field": "message2.wan_ports", "target_field": "stun.wan.ports", "ignore_missing": true } },
{ "rename": { "field": "message2.lan_addrs", "target_field": "stun.lan.addresses", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

9
salt/elasticsearch/files/ingest/zeek.tds Normal file
View File

@@ -0,0 +1,9 @@
{
"description" : "zeek.tds",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.command", "target_field": "tds.command", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.tds_rpc Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.tds_rpc",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.procedure_name", "target_field": "tds.procedure_name", "ignore_missing": true } },
{ "rename": { "field": "message2.parameters", "target_field": "tds.parameters", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.tds_sql_batch Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.tds_sql_batch",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.header_type", "target_field": "tds.header_type", "ignore_missing": true } },
{ "rename": { "field": "message2.query", "target_field": "tds.query", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

11
salt/elasticsearch/files/ingest/zeek.wireguard Normal file
View File

@@ -0,0 +1,11 @@
{
"description" : "zeek.wireguard",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
{ "rename": { "field": "message2.established", "target_field": "wireguard.established", "ignore_missing": true } },
{ "rename": { "field": "message2.initiations", "target_field": "wireguard.initiations", "ignore_missing": true } },
{ "rename": { "field": "message2.responses", "target_field": "wireguard.respsonses", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

59
salt/filebeat/defaults.yaml
View File

@@ -32,4 +32,61 @@ filebeat:
- mysql - mysql
- socks - socks
- x509 - x509
- dnp3_objects
- modbus_detailed
- modbus_mask_write_single_register
- modbus_read_write_multiple_registers
- bacnet
- bacnet_discovery
- bacnet_property
- ecat_registers
- ecat_log_address
- ecat_dev_info
- ecat_aoe_info
- ecat_coe_info
- ecat_foe_info
- ecat_soe_info
- ecat_arp_info
- enip
- cip
- cip_io
- cip_identity
- opcua_binary
- opcua_binary_status_code_detail
- opcua_binary_diag_info_detail
- opcua_binary_get_endpoints
- opcua_binary_get_endpoints_discovery
- opcua_binary_get_endpoints_user_token
- opcua_binary_get_endpoints_description
- opcua_binary_get_endpoints_locale_id
- opcua_binary_get_endpoints_profile_uri
- opcua_binary_create_session
- opcua_binary_create_session_user_token
- opcua_binary_create_session_endpoints
- opcua_binary_create_session_discovery
- opcua_binary_activate_session
- opcua_binary_activate_session_client_software_cert
- opcua_binary_activate_session_locale_id
- opcua_binary_activate_session_diagnostic_info
- opcua_binary_browse
- opcua_binary_browse_description
- opcua_binary_browse_request_continuation_point
- opcua_binary_browse_result
- opcua_binary_browse_response_references
- opcua_binary_browse_diagnostic_info
- opcua_binary_create_subscription
- opcua_binary_read
- cotp
- s7comm
- s7comm_read_szl
- s7comm_upload_download
- s7comm_plus
- tds
- tds_rpc
- tds_sql_batch
- profinet_dce_rpc
- profinet
- profinet_debug
- stun
- stun_nat
- wireguard

8
salt/filebeat/etc/filebeat.yml
View File

@@ -145,6 +145,10 @@ filebeat.inputs:
dataset: {{ LOGNAME }} dataset: {{ LOGNAME }}
category: network category: network
processors: processors:
{%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
- add_tags:
tags: ["ics"]
{%- endif %}
- drop_fields: - drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"] fields: ["source", "prospector", "input", "offset", "beat"]
@@ -162,6 +166,10 @@ filebeat.inputs:
category: network category: network
imported: true imported: true
processors: processors:
{%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
- add_tags:
tags: ["ics"]
{%- endif %}
- add_tags: - add_tags:
tags: ["import"] tags: ["import"]
- dissect: - dissect:

2
salt/kibana/config.map.jinja
View File

@@ -7,6 +7,8 @@
{% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %} {% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %}
{% do KIBANACONFIG.kibana.config.xpack.fleet.update({'registryUrl': 'http://' ~ GLOBALS.manager_ip ~ ':8080'}) %}
{% if salt['pillar.get']('kibana:secrets') %} {% if salt['pillar.get']('kibana:secrets') %}
{% do KIBANACONFIG.kibana.config.xpack.update({'encryptedSavedObjects': {'encryptionKey': pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey']}}) %} {% do KIBANACONFIG.kibana.config.xpack.update({'encryptedSavedObjects': {'encryptionKey': pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey']}}) %}
{% do KIBANACONFIG.kibana.config.xpack.security.update({'encryptionKey': pillar['kibana']['secrets']['security']['encryptionKey']}) %} {% do KIBANACONFIG.kibana.config.xpack.security.update({'encryptionKey': pillar['kibana']['secrets']['security']['encryptionKey']}) %}

1
salt/kibana/defaults.yaml
View File

@@ -31,6 +31,7 @@ kibana:
kibanaServer: kibanaServer:
hostname: localhost hostname: localhost
fleet: fleet:
registryUrl: ""
packages: packages:
- name: fleet_server - name: fleet_server
version: latest version: latest

2
salt/soc/defaults.yaml
View File

@@ -83,7 +83,7 @@ soc:
bucket: telegraf bucket: telegraf
verifyCert: false verifyCert: false
salt: salt:
saltPipe: /opt/sensoroni/salt.pipe saltPipe: /opt/sensoroni/salt/pipe
sostatus: sostatus:
refreshIntervalMs: 30000 refreshIntervalMs: 30000
offlineThresholdMs: 900000 offlineThresholdMs: 900000

3
salt/soc/files/bin/salt-relay.sh
View File

@@ -6,7 +6,8 @@
PIPE_OWNER=${PIPE_OWNER:-socore} PIPE_OWNER=${PIPE_OWNER:-socore}
PIPE_GROUP=${PIPE_GROUP:-socore} PIPE_GROUP=${PIPE_GROUP:-socore}
SOC_PIPE=${SOC_PIPE_REQUEST:-/opt/so/conf/soc/salt.pipe} SOC_PIPE=${SOC_PIPE_REQUEST:-/opt/so/conf/soc/salt/pipe}
PATH=${PATH}:/usr/sbin
function log() { function log() {
echo "$(date) | $1" echo "$(date) | $1"

15
salt/soc/init.sls
View File

@@ -28,6 +28,12 @@ soclogdir:
- group: 939 - group: 939
- makedirs: True - makedirs: True
socsaltdir:
file.directory:
- name: /opt/so/conf/soc/salt
- user: 939
- group: 939
- makedirs: True
socconfig: socconfig:
file.managed: file.managed:
@@ -82,11 +88,8 @@ socusersroles:
- sls: manager.sync_es_users - sls: manager.sync_es_users
salt-relay: salt-relay:
cmd.run: cron.present:
- env: - name: 'ps -ef | grep salt-relay | grep -v grep || /opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh >> /opt/so/log/soc/salt-relay.log 2>&1 &'
- SOC_PIPE: /opt/sensoroni/salt.pipe
- name: '/opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh >> /opt/so/log/soc/salt-relay.log 2>&1 &'
- unless: ps -ef | grep salt-relay | grep -v grep
so-soc: so-soc:
docker_container.running: docker_container.running:
@@ -105,7 +108,7 @@ so-soc:
- /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro - /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro
- /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro - /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro
- /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw - /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw
- /opt/so/conf/soc/salt.pipe:/opt/sensoroni/salt.pipe:rw - /opt/so/conf/soc/salt:/opt/sensoroni/salt:rw
- /opt/so/saltstack:/opt/so/saltstack:rw - /opt/so/saltstack:/opt/so/saltstack:rw
{%- if salt['pillar.get']('nodestab', {}) %} {%- if salt['pillar.get']('nodestab', {}) %}
- extra_hosts: - extra_hosts:

6
salt/strelka/filecheck/filecheck
View File

@@ -65,6 +65,8 @@ if __name__ == "__main__":
event_handler =CreatedEventHandler() event_handler =CreatedEventHandler()
observer = Observer() observer = Observer()
logging.info("Starting filecheck")
observer.schedule(event_handler, extract_path, recursive=True) observer.schedule(event_handler, extract_path, recursive=True)
observer.start() observer.start()
try: try:
@@ -72,4 +74,6 @@ if __name__ == "__main__":
time.sleep(1) time.sleep(1)
except KeyboardInterrupt: except KeyboardInterrupt:
observer.stop() observer.stop()
observer.join() observer.join()
logging.info("Exiting filecheck")

8
salt/strelka/init.sls
View File

@@ -135,11 +135,9 @@ filecheck_script:
- mode: 755 - mode: 755
filecheck_run: filecheck_run:
cmd.run: cron.present:
- name: 'python3 /opt/so/conf/strelka/filecheck' - name: 'ps -ef | grep filecheck | grep -v grep || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
- bg: True - user: socore
- runas: socore
- unless: ps -ef | grep filecheck | grep -v grep
filcheck_history_clean: filcheck_history_clean:
cron.present: cron.present:

1
salt/top.sls
View File

@@ -191,6 +191,7 @@ base:
{%- if REDIS %} {%- if REDIS %}
- redis - redis
{%- endif %} {%- endif %}
- elastic-fleet-package-registry
{%- if KIBANA %} {%- if KIBANA %}
- kibana.so_savedobjects_defaults - kibana.so_savedobjects_defaults
{%- endif %} {%- endif %}