diff --git a/salt/elasticsearch/files/ingest/common.nids b/salt/elasticsearch/files/ingest/common.nids
new file mode 100644
index 000000000..25d24926c
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/common.nids
@@ -0,0 +1,17 @@
+{
+ "description" : "common.nids",
+ "processors" : [
+ { "convert": { "if": "ctx.rule.uuid != null", "field": "rule.uuid", "type": "integer" } },
+ { "set": { "if": "ctx.rule?.uuid < 1000000", "field": "rule.reference", "value": "https://www.snort.org/search?query={{rule.gid}}-{{rule.uuid}}" } },
+ { "set": { "if": "ctx.rule?.uuid > 1999999", "field": "rule.reference", "value": "https://doc.emergingthreats.net/{{rule.uuid}}" } },
+ { "convert": { "if": "ctx.rule.uuid != null", "field": "rule.uuid", "type": "string" } },
+ { "dissect": { "if": "ctx.rule.name != null", "field": "rule.name", "pattern" : "%{rule_type} %{rest_of_rulename} ", "ignore_failure": true } },
+ { "set": { "if": "ctx.rule_type == 'GPL'", "field": "rule_ruleset", "value": "Snort GPL" } },
+ { "set": { "if": "ctx.rule_type == 'ET'", "field": "rule.ruleset", "value": "Emerging Threats" } },
+ { "set": { "if": "ctx.rule.severity == 3", "field": "event.severity", "value": 1, "override": true } },
+ { "set": { "if": "ctx.rule.severity == 2", "field": "event.severity", "value": 2, "override": true } },
+ { "set": { "if": "ctx.rule.severity == 1", "field": "event.severity", "value": 3, "override": true } },
+ { "remove": { "field": ["rule_type", "rest_of_rulename"], "ignore_failure": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/common_nids b/salt/elasticsearch/files/ingest/common_nids
deleted file mode 100644
index 4fffab7c1..000000000
--- a/salt/elasticsearch/files/ingest/common_nids
+++ /dev/null
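Review bot: The ruleset field name is inconsistent in the new pipeline: the GPL branch writes `rule_ruleset` while the ET branch writes `rule.ruleset`, and the trailing `remove` only cleans up `rule_type` and `rest_of_rulename`, so Snort GPL alerts end up with a stray top-level `rule_ruleset` instead of `rule.ruleset`; change the GPL line to `{ "set": { "if": "ctx.rule_type == 'GPL'", "field": "rule.ruleset", "value": "Snort GPL" } }`. The deleted common_nids also cleared the reference link for sid > 2999999, whereas the new second `set` has no upper bound, so SIDs above the ET range now get a `rule.reference` pointing at a doc.emergingthreats.net page that presumably does not exist — consider `"if": "ctx.rule?.uuid != null && ctx.rule.uuid > 1999999 && ctx.rule.uuid < 3000000"`. Null-safety is mixed as well: the two `convert` processors and the `dissect` use `ctx.rule.uuid` / `ctx.rule.name`, which I believe throws rather than evaluating to false when `ctx.rule` itself is absent, while the `set` conditions use `ctx.rule?.uuid`; using `?.` throughout (with a `!= null` guard before the numeric comparisons) keeps an event without a `rule` object from failing the whole pipeline. Finally, the dissect pattern `"%{rule_type} %{rest_of_rulename} "` ends in a literal space and so only matches a `rule.name` that ends in a space; with `ignore_failure: true` a mismatch silently leaves `rule_type` unset and no ruleset is assigned, which is worth confirming against real rule names.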
@@ -1,17 +0,0 @@
-{
- "description" : "common_nids",
- "processors" : [
- { "convert": { "field": "sid", "type": "integer" } },
- { "set": { "if": "ctx.sid < 1000000", "field": "signature_info", "value": "https://www.snort.org/search?query={{gid}}-{{sid}}" } },
- { "set": { "if": "ctx.sid > 1999999", "field": "signature_info", "value": "https://doc.emergingthreats.net/{{sid}}" } },
- { "remove": { "if": "ctx.sid > 2999999", "field": "signature_info" } },
- { "set": { "if": "ctx.priority == '1'", "field": "severity", "value": "High" } },
- { "set": { "if": "ctx.priority == '2'", "field": "severity", "value": "Medium" } },
- { "set": { "if": "ctx.priority == '3'", "field": "severity", "value": "Low" } },
- { "dissect": { "field": "alert", "pattern" : "%{rule_type} %{category} ", "ignore_failure": true } },
- { "set": { "if": "ctx.rule_type == 'GPL'", "field": "rule_type", "value": "Snort GPL" } },
- { "set": { "if": "ctx.rule_type == 'ET'", "field": "rule_type", "value": "Emerging Threats" } },
- { "lowercase": { "field": "category", "ignore_failure": true } },
- { "pipeline": { "name": "common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/sguild_nids b/salt/elasticsearch/files/ingest/sguild_nids
deleted file mode 100644
index c7bcdc418..000000000
--- a/salt/elasticsearch/files/ingest/sguild_nids
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "description" : "sguild_nids",
- "processors" : [
- {
- "dissect": {
- "field": "message",
- "pattern" : "%{} %{} %{} Alert Received: %{} %{priority} %{classification} %{interface} {%{alerttime}} %{} %{} {%{alert}} %{source_ip} %{destination_ip} %{protocol} %{source_port} %{destination_port} %{gid} %{sid} %{rev} ",
- "on_failure": [ { "drop" : { } } ]
- }
- },
- { "set": { "if": "ctx.protocol == '1'", "field": "protocol", "value": "ICMP" } },
- { "set": { "if": "ctx.protocol == '6'", "field": "protocol", "value": "TCP" } },
- { "set": { "if": "ctx.protocol == '17'", "field": "protocol", "value": "UDP" } },
- { "remove": { "if": "ctx.source_ip == '{}'", "field": "source_ip" } },
- { "remove": { "if": "ctx.destination_ip == '{}'", "field": "destination_ip" } },
- { "remove": { "if": "ctx.protocol == '{}'", "field": "protocol" } },
- { "remove": { "if": "ctx.source_port == '{}'", "field": "source_port" } },
- { "remove": { "if": "ctx.destination_port == '{}'", "field": "destination_port" } },
- { "set": { "field": "type", "value": "snort" } },
- { "rename": { "field": "@timestamp", "target_field": "timestamp", "ignore_missing": true } },
- { "date": { "field": "alerttime", "target_field": "@timestamp", "formats": ["yyyy-MM-dd HH:mm:ss"], "ignore_failure": true } },
- { "remove": { "field": "alerttime", "ignore_missing": true } },
- { "pipeline": { "name": "common_nids" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/snort b/salt/elasticsearch/files/ingest/snort
deleted file mode 100644
index b841ca917..000000000
--- a/salt/elasticsearch/files/ingest/snort
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "description" : "snort",
- "processors" : [
- {
- "dissect": {
- "field": "message",
- "pattern" : "[%{gid}:%{sid}:%{rev}] %{alert} [Classification: %{classification}] [Priority: %{priority}]: <%{interface}> {%{protocol}} %{source_ip_port} -> %{destination_ip_port}",
- "on_failure": [ { "drop" : { } } ]
- }
- },
- { "split": { "field": "source_ip_port", "separator": ":", "ignore_failure": true } },
- { "split": { "field": "destination_ip_port", "separator": ":", "ignore_failure": true } },
- { "rename":{ "field": "source_ip_port.1", "target_field": "source_port", "ignore_failure": true } },
- { "rename":{ "field": "destination_ip_port.1", "target_field": "destination_port", "ignore_failure": true } },
- { "rename":{ "field": "source_ip_port.0", "target_field": "source_ip", "ignore_failure": true } },
- { "rename":{ "field": "destination_ip_port.0", "target_field": "destination_ip", "ignore_failure": true } },
- { "remove":{ "field": "source_ip_port", "ignore_failure": true } },
- { "remove":{ "field": "destination_ip_port", "ignore_failure": true } },
- { "pipeline": { "name": "common_nids" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/suricata.alert b/salt/elasticsearch/files/ingest/suricata.alert
index 5a0cfc4df..e372b1645 100644
--- a/salt/elasticsearch/files/ingest/suricata.alert
+++ b/salt/elasticsearch/files/ingest/suricata.alert
@@ -7,9 +7,6 @@
 { "rename":{ "field": "rule.signature_id", "target_field": "rule.uuid", "ignore_failure": true } },
 { "rename":{ "field": "rule.signature_id", "target_field": "rule.signature", "ignore_failure": true } },
 { "rename":{ "field": "message2.payload_printable", "target_field": "network.data.decoded", "ignore_failure": true } },
- { "set": { "if": "ctx.rule.severity == 3", "field": "event.severity", "value": 1, "override": true } },
- { "set": { "if": "ctx.rule.severity == 2", "field": "event.severity", "value": 2, "override": true } },
- { "set": { "if": "ctx.rule.severity == 1", "field": "event.severity", "value": 3, "override": true } },
- { "pipeline": { "name": "common" } }
+ { "pipeline": { "name": "common.nids" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.tunnels b/salt/elasticsearch/files/ingest/zeek.tunnels
index 4cc7c8d5e..bb4c18268 100644
--- a/salt/elasticsearch/files/ingest/zeek.tunnels
+++ b/salt/elasticsearch/files/ingest/zeek.tunnels
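Review bot: The new `pipeline` step hands the event to common.nids, which (per the new file in this commit) reads `rule.gid`, `rule.name` and `rule.severity` in addition to `rule.uuid`, yet only the `rule.signature_id` → `rule.uuid` rename is visible here; confirm that the earlier processors of suricata.alert (outside this hunk) populate those fields under the `rule.*` names, otherwise the reference link, ruleset and severity mapping silently never apply. The two context renames both take `rule.signature_id` as their source, so after the first one moves it to `rule.uuid` the second can never find it and `ignore_failure` hides that, meaning `rule.signature` is presumably never set — if both fields are wanted, copy the value after the first rename (a `set` with `copy_from`, where the Elasticsearch version supports it) instead of renaming twice. common.nids must also be loaded before this pipeline receives traffic, since a `pipeline` processor naming a missing pipeline presumably rejects the document.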
@@ -3,15 +3,6 @@
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "log.id.uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.tunnel_type", "target_field": "tunnel.type", "ignore_missing": true } },
 { "rename": { "field": "message2.action", "target_field": "event.action", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
index 89d1a9466..7ebe6afbd 100644
--- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
@@ -7,7 +7,7 @@
 output {
 if [module] =~ "ossec" {
 elasticsearch {
- pipeline => "%{module}.%{dataset}"
+ pipeline => "%{module}"
 hosts => "{{ ES }}"
 index => "so-ossec-%{+YYYY.MM.dd}"
 template_name => "so-ossec"
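Review bot: Dropping the `message2.uid` and `message2.id.*` mapping leaves this pipeline with no processor that produces `log.id.uid`, `source.ip`, `source.port`, `destination.ip` or `destination.port` for tunnel events; that is only safe if `zeek.common` (called on the last context line, not shown in this commit) now performs the same `dot_expander` + `rename` steps on `message2` — please confirm, because detection content and dashboards keyed on `source.ip`/`destination.ip` would silently lose tunnel records otherwise. The `json` step above the removed lines still writes into `message2` before the call, so `zeek.common` would need to read that same `message2` object rather than `message`.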
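Review bot: With `pipeline => "%{module}"` the target pipeline name is whatever `[module]` contains, and the enclosing `if [module] =~ "ossec"` is a regex match, so any module value that merely contains "ossec" would be routed to an ingest pipeline of that name rather than to `ossec`; if every event in this branch is meant for the `ossec` pipeline, `pipeline => "ossec"` is simpler and cannot name a pipeline that does not exist. If `[module]` may legitimately take other values here, a comment listing which ingest pipelines are expected to exist for them would help the next maintainer. The `output {` and `if` blocks opened in this hunk close outside it.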