Merge pull request #842 from Security-Onion-Solutions/feature/metasuri

Feature/metasuri

salt/elasticsearch/files/ingest/suricata.alert

@@ -1,13 +1,12 @@
 {
   "description" : "suricata.alert",
   "processors" : [
-    { "json":           { "field": "message",                   "target_field": "message2",             "ignore_failure": true  } },
-    { "rename":{ "field": "message2.comunity_id",       "target_field": "network.comunity_id",  "ignore_failure": true  } },
     { "rename":{ "field": "message2.alert",	"target_field": "rule",	"ignore_failure": true 	} },
     { "rename":{ "field": "rule.signature",     "target_field": "rule.name", "ignore_failure": true  } },
     { "rename":{ "field": "rule.ref",     "target_field": "rule.version", "ignore_failure": true  } },
     { "rename":{ "field": "rule.signature_id",     "target_field": "rule.uuid", "ignore_failure": true  } },
     { "rename":{ "field": "rule.signature_id",     "target_field": "rule.signature", "ignore_failure": true  } },
-    { "pipeline": { "name": "suricata.common" } }
+    { "rename":{ "field": "message2.payload_printable",     "target_field": "network.data.decoded", "ignore_failure": true  } },
+    { "pipeline": { "name": "common" } }
   ]
 }

salt/elasticsearch/files/ingest/suricata.common

@@ -1,15 +1,18 @@
 {
   "description" : "suricata.common",
   "processors" : [
+    { "json":           { "field": "message",                   "target_field": "message2",             "ignore_failure": true  } },
     { "rename":{ "field": "message2.proto",		"target_field": "network.transport",		"ignore_failure": true 	} },
-    { "rename":{ "field": "message2.flow_id",		"target_field": "event.id",		"ignore_failure": true 	} },
+    { "rename":{ "field": "message2.flow_id",		"target_field": "log.id.uid",		"ignore_failure": true 	} },
     { "rename":{ "field": "message2.src_ip",       "target_field": "source.ip",  "ignore_failure": true  } },
     { "rename":{ "field": "message2.src_port",       "target_field": "source.port",  "ignore_failure": true  } },
     { "rename":{ "field": "message2.dest_ip",       "target_field": "destination.ip",  "ignore_failure": true  } },
     { "rename":{ "field": "message2.dest_port",       "target_field": "destination.port",  "ignore_failure": true  } },
     { "rename":         { "field": "message2.community_id",        "target_field": "network.community_id",     "ignore_missing": true  } },
+    { "remove":{ "field": "dataset", 						"ignore_failure": true	} },
+    { "rename":{ "field": "message2.event_type",		"target_field": "dataset",		"ignore_failure": true 	} },
     { "set":         { "field": "observer.name",        "value": "{{agent.name}}"  } },
-    { "remove":         { "field": ["agent"],     "ignore_failure": true                                                                  } },
-    { "pipeline": { "name": "common" } }
+    { "remove":{ "field": "agent", 						"ignore_failure": true	} },
+    { "pipeline": { "name": "suricata.{{dataset}}" } }
   ]
 }

salt/elasticsearch/files/ingest/suricata.dhcp

@@ -0,0 +1,14 @@
+{
+  "description" : "suricata.dhcp",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dhcp.assigned_ip", 		"target_field": "dhcp.assigned_ip",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dhcp.client_mac", 		"target_field": "host.mac",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dhcp.dhcp_type", 		"target_field": "dhcp.message_types",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dhcp.assigned_ip", 		"target_field": "dhcp.assigned_ip",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dhcp.type", 		"target_field": "dhcp.type",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dhcp.id", 		"target_field": "dhcp.id",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.dnp3

@@ -0,0 +1,8 @@
+{
+  "description" : "suricata.dnp3",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.dns

@@ -0,0 +1,14 @@
+{
+  "description" : "suricata.dns",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.type", 		"target_field": "dns.type",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.tx_id",		"target_field": "dns.id",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.version", 		"target_field": "dns.version",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.rrname", 		"target_field": "dns.query.name",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.grouped.A", 		"target_field": "dns.answers",			"ignore_missing": true 	} },
+
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.fileinfo

@@ -0,0 +1,8 @@
+{
+  "description" : "suricata.fileinfo",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.flow

@@ -0,0 +1,9 @@
+{
+  "description" : "suricata.flow",
+  "processors" : [
+    { "set":      { "field": "dataset",        "value": "conn"  } },
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.ftp

@@ -0,0 +1,14 @@
+{
+  "description" : "suricata.ftp",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.reply", 		"target_field": "server.reply_message",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.completion_code", 		"target_field": "server.reply_code",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.reply_received", 		"target_field": "server.reply_received",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.command", 		"target_field": "ftp.command",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.command_data", 		"target_field": "ftp.command_data",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.dynamic_port", 		"target_field": "ftp.data_channel_destination.port",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.http

@@ -0,0 +1,17 @@
+{
+  "description" : "suricata.http",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.hostname", 		"target_field": "http.virtual_host",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.http_user_agent", 		"target_field": "http.useragent",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.url", 		"target_field": "http.uri",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.http_content_type", 		"target_field": "file.resp_mime_types",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.http_refer", 		"target_field": "http.referrer",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.http_method", 		"target_field": "http.method",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.protocol", 		"target_field": "http.version",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.status", 		"target_field": "http.status_code",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.length", 		"target_field": "http.request.body.length",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.ikev2

@@ -0,0 +1,8 @@
+{
+  "description" : "suricata.ikev2",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.krb5

@@ -0,0 +1,8 @@
+{
+  "description" : "suricata.krb5",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.nfs

@@ -0,0 +1,8 @@
+{
+  "description" : "suricata.nfs",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.rdp

@@ -0,0 +1,8 @@
+{
+  "description" : "suricata.rdp",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.sip

@@ -0,0 +1,8 @@
+{
+  "description" : "suricata.sip",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.smb

@@ -0,0 +1,8 @@
+{
+  "description" : "suricata.smb",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.smtp

@@ -0,0 +1,13 @@
+{
+  "description" : "suricata.smtp",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.smtp.helo", 		"target_field": "smtp.helo",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.email.from", 		"target_field": "smtp.from",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.email.to", 		"target_field": "smtp.to",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.email.cc", 		"target_field": "smtp.cc",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.email.attachment", 		"target_field": "smtp.attachment",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.snmp

@@ -0,0 +1,10 @@
+{
+  "description" : "suricata.snmp",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.snmp.version", 		"target_field": "snmp.version",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.snmp.community", 		"target_field": "snmp.community",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.ssh

@@ -0,0 +1,11 @@
+{
+  "description" : "suricata.ssh",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ssh.client.proto_version", 		"target_field": "ssh.version",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ssh.client.software_version", 		"target_field": "ssh.client",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ssh.server.proto_version", 		"target_field": "ssh.server",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.tftp

@@ -0,0 +1,8 @@
+{
+  "description" : "suricata.tftp",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.tls

@@ -0,0 +1,8 @@
+{
+  "description" : "suricata.tls",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/filebeat/etc/filebeat.yml

@@ -123,10 +123,10 @@ filebeat.inputs:
 
   - type: log
     paths:
-      - /suricata/eve.json
+      - /suricata/eve*.json
     fields:
       module: suricata
-      dataset: alert
+      dataset: common
       category: network
 
     processors:

salt/suricata/files/suricata.yaml

@@ -95,8 +95,8 @@ outputs:
   - eve-log:
       enabled: yes
       filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
-      filename: /nsm/eve.json
-      rotate-interval: day
+      filename: /nsm/eve-%Y-%m-%d-%H:%M.json
+      rotate-interval: hour
       
       #prefix: "@cee: " # prefix to prepend to each log entry
       # the following are valid when type: syslog above

salt/suricata/files/suricataMETA.yaml

@@ -95,7 +95,7 @@ outputs:
   - eve-log:
       enabled: yes
       filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
-      filename: /nsm/eve.json
+      filename: /nsm/eve-%Y-%m-%d-%H:%M.json
       rotate-interval: hour
       
       #prefix: "@cee: " # prefix to prepend to each log entry

salt/top.sls

@@ -86,7 +86,9 @@ base:
     - kibana
     - pcap
     - suricata
+    {%- if BROVER != 'SURICATA' %}
     - zeek
+    {%- endif %}
     {%- if STRELKA %}
     - strelka
     {%- endif %}
@@ -194,7 +196,9 @@ base:
     - kibana
     - pcap
     - suricata
+    {%- if BROVER != 'SURICATA' %}
     - zeek
+    {%- endif %}
     {%- if STRELKA %}
     - strelka
     {%- endif %}